V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. Crypto '99.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....in the private key cryptography. They can also be viewed as very secure pseudorandom generators and have many other applications. To solve the general partial exposure of secrets, we use the (generalized) notion of an All Or Nothing Transform (AONT) introduced by Rivest [51] and re ned by Boyko [16]: an invertible (randomized) transformation T which, nevertheless, reveals no information about x even if almost all the bits of T (x) are known. By applying an AONT to the secret entity (of arbitrary structure) we obtain security against almost total exposure of secrets. AONT s have also many ....

....we obtain security against almost total exposure of secrets. AONT s have also many other diverse applications in the design of block ciphers, secret sharing and secure communication. To date, however, the only known analyses of AONT candidates were made in the random oracle model (by Boyko [16]) In this thesis we construct ERF s and AONT s with nearly optimal parameters in the standard model (without random oracles) in the perfect, statistical and computational settings (the latter based only on one way functions) We also show close relationship between and examine many additional ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503-518, 1999.

.... di erent security concerns arising in the context of block ciphers, introduced an intriguing primitive called the All Or Nothing Transform (AONT) An AONT is an eciently computable transformation T on strings such that: Here we informally present a re nement of the de nition due to Boyko [4]. For any string x, given (all the bits of) T (x) one can eciently recover x. There exists some threshold such that any polynomial time adversary that (adaptively) learns all but bits of T (x) obtains no information about x. The AONT solves the problem of partial key exposure: rather ....

....we seek to achieve. As mentioned above, AONT has many other applications, such as enhancing the security of block ciphers, hash functions and making xed blocksize encryption schemes more ecient (e.g. 14, 22] For an excellent exposition on these and other applications of the AONT, see [4]. Our Results. Until now, the only known analysis of an AONT candidate was carried out by [4] who showed that Bellare and Rogaway s Optimal Asymmetric Encryption Padding (OAEP) 2] yields an AONT in the Random Oracle model. However, analysis in the Random Oracle model provides only a limited ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503-518, 1999.

....can tolerate exposure of any polynomial number of keys. We assume that E operates on messages of length = k) and construct a (t; N) key insulated scheme operating on messages of length L = L(k) Auxiliary Definitions. We need two auxiliary de nitions: that of an all or nothing transform [35, 9] (AONT) and a cover free family [19, 17] Informally, an AONT splits the message M into n secret shares x 1 ; x n (and possibly one public share z) and has the property that (1) the message M can be eciently recovered from all the shares x 1 ; x n ; z, but (2) missing even a ....

....the property that (1) the message M can be eciently recovered from all the shares x 1 ; x n ; z, but (2) missing even a single share x j gives no information about M . As such, it is a generalization of (n 1; n) secret sharing. We formalize this, modifying the conventional de nitions [9, 10] to a form more compatible with our prior notation. 6 De nition 5 An ecient randomized transformation T is called an (L; n) AONT if: 1) on input M 2 f0; 1g , T outputs (X; z) x 1 ; x n ; z) where x j 2 f0; 1g ; 2) there exists an ecient inverse function I such that ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. Crypto '99.

....of [18, 23] see Sec. 3. 2 for more detailed discussion, including limitations of these de nitions) Similar ideas of using preprocessing (some special scrambling or an all or nothing transform) with the subsequent encryption of only a small part of the content has been proposed before, see e.g. [10, 1]. The distinguishing feature of our work is that the pre processing step we use is really motivated by other considerations (namely, forward error correction requirements) we need only to slightly modify it, preserving the originally desired features. Thus, the preprocessing step can be ....

....all or nothing transforms [18] in the unconditional security model. In this case, f( x) represents information sent as plaintext but no information about an individual x i is known without additional information (which we send encrypted) Note that later work with all or nothing transforms such as [1] add semantic security guarantees, thus avoiding information leaks about x present in [23] and our scheme. In contrast to the schemes which had to do their own preprocessing [1, 10] we achieve pisecurity in the context of spc encoding without additional overhead. One way to do this is to make ....

[Article contains additional citation context not shown here]

Victor Boyko. On the security properties of OAEP as an all-or-nothing transform. In CRYPTO, pages 503-518, 1999.

....of [19, 5] As a result, we get nearly optimal adaptively secure ERF s and AONT s. Finally, extending the statistical construction we obtain optimal computational adaptive ERF s, publicvalue AONT s and resilient functions. 1 Introduction Recently, there has been an explosion of work [23, 9, 10, 20, 18, 7, 1, 26, 14] surrounding an intriguing notion introduced by Rivest called the All Or Nothing Transform (AONT) 23] Roughly speaking, an AONT is a randomized mapping which can be eciently inverted if given the output in full, but which leaks no information about its input to an adversary even if the adversary ....

....bits of the output. The AONT has been shown to have important cryptographic applications ranging from increasing the eciency of block ciphers [20, 18, 7] to protecting against almost complete exposure of secret keys [10] The rst formalization and constructions for the AONT were given by Boyko [9] in the Random Oracle model. However, recently Canetti et al. 10] were able to formalize and exhibit ecient constructions for the AONT in the standard computational model. They accomplished this goal by reducing the task of constructing AONT s to constructing a related primitive which they ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503-518, 1999.

....an AONT provided in [9] the scheme is insecure. We show that there are example AONTs that meet the definition of [9] but for which there are attacks compromising the privacy of the chaffing and winnowing scheme. It is natural to then try to use Boyko s stronger definition of security for an AONT [5]. In that case the analysis is inconclusive: the stronger property of an AONT still does not appear to suffice to prove security of the chaffing and winnowing scheme, but neither do we exhibit a counter example that confirms this. We would prefer a mechanism for which a proof is possible. ....

....regarding the scattering scheme provided in [8] the probability of breaking the scheme is inversely proportional to Gamma s s 0 s Delta where s is the number of blocks in the output of OAEP and s 0 is the number of chaff blocks. Note that OAEP has been shown to be a secure AONT [5], but given the above we cannot exploit this here. Instead, our proof is direct, based on techniques from [4, 5] 1.4 New schemes Recall that the motivation for the scattering scheme was to reduce bandwidth relative to the bitby bit scheme. The security is provable in a specific case, namely ....

[Article contains additional citation context not shown here]

V. Boyko, "On the Security Properties of OAEP as an All-or-nothing Transform,"Advances in Cryptology -- Crypto 99 Proceedings, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

....also provide the kind of protection we seek to achieve. The AONT has many other applications, as well, such as enhancing the security of block ciphers and making fixed blocksize encryption schemes more efficient [12] For an excellent exposition on these and other applications of the AONT, see [4]. Our Results: Until now, the only known construction of an AONT 3 with provable security was given by Boyko [4] in the random oracle model, who showed that Bellare and Rogaway s Optimal Asymmetric Encryption Padding (OAEP) 2] yields an AONT. In this work, we give the first constructions for ....

.... enhancing the security of block ciphers and making fixed blocksize encryption schemes more efficient [12] For an excellent exposition on these and other applications of the AONT, see [4] Our Results: Until now, the only known construction of an AONT 3 with provable security was given by Boyko [4] in the random oracle model, who showed that Bellare and Rogaway s Optimal Asymmetric Encryption Padding (OAEP) 2] yields an AONT. In this work, we give the first constructions for AONT s with essentially optimal resilience in the standard model, based only on computational assumptions. The key ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503--518, 1999.

....in the private key cryptography. They can also be viewed as very secure pseudorandom generators and have many other applications. To solve the general partial exposure of secrets, we use the (generalized) notion of an All Or Nothing Transform (AONT) introduced by Rivest [51] and re ned by Boyko [16]: an invertible (randomized) transformation T which, nevertheless, reveals no information about x even if almost all the bits of T (x) are known. By applying an AONT to the secret entity (of arbitrary structure) we obtain security against almost total exposure of secrets. AONT s have also many ....

....we obtain security against almost total exposure of secrets. AONT s have also many other diverse applications in the design of block ciphers, secret sharing and secure communication. To date, however, the only known analyses of AONT candidates were made in the random oracle model (by Boyko [16]) In this thesis we construct ERF s and AONT s with nearly optimal parameters in the standard model (without random oracles) in the perfect, statistical and computational settings (the latter based only on one way functions) We also show close relationship between and examine many additional ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503-518, 1999.

....x. 1 Indeed, our techniques can be seen as yielding, for certain parameters, highly efficient gap analogues of computational secret sharing schemes [17] where the share size can be small as 1 bit See Remark 5.5. 2 Here we informally present a refinement of the definition due to Boyko [5]. 1 There exists some threshold such that any polynomial time adversary that (adaptively) learns all but bits of T (x) obtains no information about x (in a computational sense) The AONT solves the problem of partial key exposure: Rather than storing a secret key directly, we store the ....

....also provide the kind of protection we seek to achieve. The AONT has many other applications, as well, such as enhancing the security of block ciphers and making fixed blocksize encryption schemes more efficient [16] For an excellent exposition on these and other applications of the AONT, see [5]. Our Results: Until now, the only known construction of an AONT 3 with provable security was given by Boyko [5] in the random oracle model, who showed that Bellare and Rogaway s Optimal Asymmetric Encryption Padding (OAEP) 2] yields an AONT. In this work, we give the first constructions for ....

[Article contains additional citation context not shown here]

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503--518, 1999.

No context found.

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. Crypto '99.

No context found.

Boyko, V. On the security properties of OAEP as an all-or-nothing transform. In CRYPTO (1999), pp. 503--518.

No context found.

V. Boyko. On the security properties of OAEP as an all-or-nothing transform. In Proceedings of CRYPTO '99. Springer-Verlag, 1999.

No context found.

V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503--518, 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC