J. Katz, and M. Yung. "Complete Characterization of Security Notions for Probabilistic Private-Key Encryption." Proceedings of the 32nd ACM Annual Symposium on Theory of Computing 2000.
....can show that there exists a deterministic encryption scheme secure under IND CCVA. An example of such a scheme is presented in Appendix D. Since it is well known that deterministic encryption schemes are not secure under existing standard privacy notions (e.g. IND CPA, IND CCA, NM CPA and NM CCA [4, 10, 14]), this means that IND CCVA does not imply any of the standard privacy notions. Thus, schemes proven secure under IND CCVA are not guaranteed to be secure under the standard notions and thus are not guaranteed to provide semantic security. It is easy to see that channel protocols constructed from ....
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. In ACM, editor, 32nd ACM STOC, pages 245-254. ACM Press, 2000.
....(from the implementation point of view) for breaking the cryptosystem were considered, namely malleability [9]. The construction was based on Non interactive Zero Knowledge [5, 4]. See more on the variants of chosen ciphertext attacks in Section 1.1. between various types of active attacks [1, 9, 18]. These works have mostly dealt with the security of a single message and when discussing semantic security or indistinguishability of encryptions they have done so while referring to the latter, technical definition of security. Note though that the non malleability works have dealt directly with ....
....challenge c, machine $A_2$ is not allowed to make the query c to the oracle $D_d$. For private key schemes: The definition is identical except that $A_1$ gets the security parameter instead of the encryption key e. the standard notion of security under passive attacks. All implications are strict [1, 18]. 3 Semantic Security Under Chosen Ciphertext Attacks In this section we provide a definition of semantic security under chosen ciphertext attacks and show that it is equivalent to the existing technical definition of security under chosen ciphertext attacks (i.e. Definition 2.1). Our ....
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. In 32nd ACM Symposium on the Theory of Computing, pages 245--254, 2000.
.... of) chosen ciphertext attacks (e.g. [3, 18, 7, 4, 19, 20, 17]). These works have all related to the technical definition of security (i.e. the indistinguishability of encryptions). The same holds with respect to works that have explored relation between various types of active attacks (e.g. [1, 7, 16]). In our opinion, this leaves a significant gap in the treatment of the subject, because what one would have liked to see is encryption schemes that are semantically secure under chosen ciphertext attacks. 1.1 Semantic Security Under Chosen Ciphertext Attacks Our first contribution is in ....
....challenge c, machine $A_2$ is not allowed to make the query c to the oracle $D_d$. For private key schemes: The definition is identical except that $A_1$ gets the security parameter instead of the encryption key e. the standard notion of security under passive attacks. All implications are strict [1, 16]. 3 Semantic Security Under Chosen Ciphertext Attacks In this section we provide a definition of semantic security under chosen ciphertext attacks and show that it is equivalent to the existing technical definition of security under chosen ciphertext attacks (i.e. Definition 2.1). Our ....
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. In 32nd ACM Symposium on the Theory of Computing, pages 245--254, 2000.
....this means that an encryption of 0 should be indistinguishable from an encryption of 1 even for adversaries that have access to encryption and decryption oracles prior to receiving the challenge ciphertext, and access to just an encryption oracle after receiving the challenge ciphertext. See [KY00] for formal definitions. We note that such encryption schemes exist if one way functions exist; indeed, the standard encryption scheme $\mathrm{Enc}_K(b) = (r, f_K(r) \oplus b)$, where $r \in_R \{0,1\}^{|K|}$ and $f_K$ is a pseudorandom function, has this property. Now we consider a homomorphic encryption ....
Jonathan Katz and Moti Yung. Complete characterization of security notions for private-key encryption. In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, pages 245--254, Portland, OR, May 2000. ACM.
....the result of legitimate encryptions and other forgeries. This has been shown for chosen message attacks against MAC functions [2] but the same argument holds here. To date, this is the strongest of the known goal attack combinations against the integrity (authentication) of encrypted messages [3, 10]. 3 Definition of the XCBC and XCBC XOR Modes We present three XCBC modes, namely (1) stateless, (2) stateful sender, and (3) stateful modes, and some implementation options. In general, the fewer state variables the more robust the mode is in the face of failures (or disconnections) and ....
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption," Proc. of the 32nd Annual Symp. on the Theory of Computing, ACM 2000.
.... prove indistinguishability under chosen plaintext attack [2, 15] and authenticity of ciphertexts [6, 7, 21]. As shown in [6, 21], this combination implies indistinguishability under the strongest form of chosen ciphertext attack (CCA) (which, in turn, is equivalent to nonmalleability [9] under CCA [3, 22]). Our proof of privacy assumes that the underlying block cipher is good in the sense of a pseudorandom permutation (PRP) [5, 25], while our proof of authenticity assumes that the block cipher is a strong PRP [25]. The actual results are quantitative; the security analysis is in the ....
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. STOC 2000, pp. 245--254, 2000.
.... Specifically, we prove indistinguishability under chosen plaintext attack [3, 16] and authenticity of ciphertexts [7, 8, 22]. As shown in [7, 22], this combination implies indistinguishability under chosen-ciphertext attack (CCA) which, in turn, is equivalent to non malleability [10] under CCA [4, 23]. Non malleability refers to an adversary's inability to modify a ciphertext in a way that makes related the two underlying plaintexts. Our proof of privacy assumes that the underlying block cipher is good in the sense of a pseudorandom permutation (PRP) [6, 26], while our proof of authenticity ....
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. STOC 2000, pp. 245--254, 2000.
.... prove indistinguishability under chosen plaintext attack [3, 16] and authenticity of ciphertexts [7, 8, 22]. As shown in [7, 22], this combination implies indistinguishability under the strongest form of chosen ciphertext attack (CCA) which, in turn, is equivalent to nonmalleability [10] under CCA [4, 23]. Non malleability refers to an adversary's inability to modify a ciphertext in a way that makes related the two underlying plaintexts. Our proof of privacy assumes that the underlying block cipher is good in the sense of a pseudorandom permutation (PRP) [6, 26], while our proof of authenticity ....
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. STOC 2000, pp. 245-254, 2000.
....this means that an encryption of 0 should be indistinguishable from an encryption of 1 even for adversaries that have access to encryption and decryption oracles prior to receiving the challenge ciphertext, and access to just an encryption oracle after receiving the challenge ciphertext. See [KY00] for formal definitions. We note that such encryption schemes exist if one way functions exist; indeed, the standard encryption scheme $\mathrm{Enc}_K(b) = (r, f_K(r) \oplus b)$, where $r \in_R \{0,1\}^{|K|}$ and $f_K$ is a pseudorandom function, has this property. Now we consider a homomorphic encryption ....
Jonathan Katz and Moti Yung. Complete characterization of security notions for private-key encryption. In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, pages 245-254, Portland, OR, May 2000. ACM.
....is 0 in the case of CPA). A finer quantification would also consider the total number of bits in these queries. As it is customary we denote the above two notions of encryption security as IND CPA and IND CCA. Extensive treatment of these notions can be found among other works in [13, 12, 2] and [22, 23, 3, 17], respectively. A notion strongly related to IND CCA is non malleability of ciphertexts [10] which we do not use directly here. We also note that we are only concerned with symmetric encryption; asymmetric encryption shares many of the same aspects but there are some important differences as well ....
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption", Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, 2000.
....this means that an encryption of 0 should be indistinguishable from an encryption of 1 even for adversaries that have access to encryption and decryption oracles prior to receiving the challenge ciphertext, and access to just an encryption oracle after receiving the challenge ciphertext. See [KY00] for formal definitions. We note that such encryption schemes exist if one way functions exist; indeed, the standard encryption scheme $\mathrm{Enc}_K(b) = (r, f_K(r) \oplus b)$, where $r \in_R \{0,1\}^{|K|}$ and $f_K$ is a pseudorandom function, has this property. Now we consider a homomorphic encryption ....
Jonathan Katz and Moti Yung. Complete characterization of security notions for private-key encryption. In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, pages 245-254, Portland, OR, May 2000. ACM.
.... such as those that compute the keyed MAC of a message using a secret key and encrypting the message with a separate secret key [19, 7]. The strongest known goal for message integrity is that of protection against existential forgery (EF). This goal has also been known as existential unforgeability [15] and integrity of ciphertext [7]. To defeat this goal, an adversary only needs to find a valid forgery. Knowledge or choice of the plaintext outcome of the forgery is unnecessary to achieve this goal. Formally, an encryption scheme or mode Pi o g is secure against existential forgeries if, for ....
.... Throughout this paper, negligibility is used in the traditional sense [2, 20]. In addition to protection against EF goal, two other goals have been defined that have direct applicability to message integrity, namely maintenance of plaintext integrity (PI) [7] and assurance non malleability (NM) [10, 4, 15, 7]. The goal of plaintext integrity (PI) requires it be infeasible for an adversary to create a valid forgery whose decryption is a plaintext not seen before. Formally, an encryption scheme or mode Pi o g is secure in the sense of PI if: P r[ D FK o g) y) 6= Null and (D FK o g) y) x 6= x ....
[Article contains additional citation context not shown here]
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption," Proc. of the 32nd Annual Symp. on the Theory of Computing, ACM 2000.
.... such as those that compute the keyed MAC of a message using a secret key and encrypting the message with a separate secret key [17, 6]. The strongest known goal for message integrity is that of protection against existential forgery (EF). This goal has also been known as existential unforgeability [14] and integrity of ciphertext [6]. To defeat this goal, an adversary only needs to find a valid forgery. Knowledge or choice of the plaintext outcome of the forgery is unnecessary to achieve this goal. Formally, an encryption scheme or mode Pi o g is secure against existential forgeries if, for ....
.... Throughout this paper, negligibility is used in the traditional sense [2, 18]. In addition to protection against EF goal, two other goals have been defined that have direct applicability to message integrity, namely maintenance of plaintext integrity (PI) [6] and assurance non malleability (NM) [9, 3, 14, 6]. The goal of plaintext integrity (PI) requires it be infeasible for an adversary to create a valid forgery whose decryption is a plaintext not seen before. Formally, an encryption scheme or mode Pi o g is secure in the sense of PI if: P r[ D FK o g) y) 6= Null and (D FK o g) y) x 6= x ....
[Article contains additional citation context not shown here]
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption," Proc. of the 32nd Annual Symp. on the Theory of Computing, ACM 2000.
....the result of legitimate encryptions and other forgeries. This has been shown for chosen message attacks against MAC functions [3] but the same argument holds here. To date, this is the strongest of the known goal attack combinations against the integrity (authentication) of encrypted messages [4, 16, 17]. 3 Definition of the XCBC and XCBC XOR Modes In the encryption modes presented below, the key generation algorithm, KG, outputs a random, uniformly distributed, k bit string or key K for the underlying SPRP family F, thereby specifying $f = F_K$ and $f^{-1} = F_K^{-1}$ of l bits to ....
....or just block x 1 of every message, whose output is appended to the end of the message before encryption. However, the VIL cipher uses two sequential passes over its input and, thus, its performance is lower than those of single pass schemes using hash functions or separate key MACs. Katz and Yung [16] proposed an interesting single pass encryption mode, called the Related Plaintext Chaining (RPC) that is EF CPA secure when using a non cryptographic MDC function g consisting only of message start and end tokens. RPC has several important operational advantages, such as full parallelization, ....
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption," Proc. of the 32nd Annual Symp. on the Theory of Computing, ACM 2000.
No context found.
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. STOC '00.
No context found.
J. Katz and M. Yung, "Complete Characterization of Security Notions for Probabilistic Private-Key Encryption," Proceedings of the 32nd Annual ACM Symposium on Theory of Computing 2000, to appear.
No context found.
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. Proceedings of the 32nd Annual Symposium on Theory of Computing, ACM (2000), pp. 245--254.
No context found.
Jonathan Katz and Moti Yung, Complete Characterization of Security Notions for Probabilistic Private-key Encryption, in the Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, ACM, pp. 245--254, 2000.
.... transformation [18] note that the Fujisaki Okamoto transformation only applies to standard PKE and must be appropriately modified for the case of BTE) We propose the following scheme: Let (Enc # , Dec # ) represent any symmetric key encryption scheme secure in the sense of IND P0 C2 (cf. [27]) let Enc denote (the encryption algorithm for) a BTE scheme secure in the sense of SN CPA which encrypts messages at least as long as the security parameter, and let H and G denote independent random oracles which are also independent of any random oracles used by Enc or Enc # . Consider then ....
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. STOC '00, ACM, 2000.
....1 Introduction We define new integrity (authenticity) notions for message encryption in the customary manner, namely as a combination of integrity goals to be achieved in the face of different attacks, as originally suggested by Naor (viz. [4]). Using the typical dominance relation [14], we show that most integrity notions form a lattice. This enables us to characterize the relative strengths of both integrity notions and authenticated encryption schemes supporting them, such as those used in Kerberos V5 and Distributed Computing Environment (DCE) [21, 20, 23]. We show that ....
....# Most of this work was performed while this author was on sabbatical leave from the University of Maryland, Electrical and Computer Engineering Department, College Park, Maryland 20742. against the strongest integrity attacks, namely existential forgeries in chosen plaintext attacks (EF CPA) [14, 7]. One of these schemes even achieves optimal performance in terms of block cipher operations and latency in parallel execution [11]. Why then define different (e.g. weaker) notions of integrity and study their relative strengths? We do this for two practical reasons: first these notions are ....
[Article contains additional citation context not shown here]
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption," Proc. of the 32nd Annual Symp. on the Theory of Computing, ACM 2000.
....K; given K, the recipient can then use symmetric key decryption to determine the original message M. 2.2 Chosen Ciphertext Attack The attack presented here is known in the cryptographic literature as an adaptive chosen-ciphertext attack. The reader is referred elsewhere for formal definitions [1, 12], but a simple description is provided here. Assume an adversary intercepts ciphertext C and is trying to determine the underlying plaintext P = D(C) (where D(·) refers to decryption of the ciphertext). Under an adaptive chosen ciphertext attack, the adversary may submit ciphertexts $C_1$, $C_2$ ....
J. Katz and M. Yung, "Complete Characterization of Security Notions for Probabilistic Private-Key Encryption," Proceedings of the 32nd Annual ACM Symposium on Theory of Computing 2000, to appear.
....Finally, we note that the security requirements for E and E can be relaxed. One can show that E is only required to be nonmalleable under a chosen plaintext attack (NM CPA) and E need only be indistinguishable under a P0 plaintext attack and an adaptive chosen ciphertext attack (IND PO C2) (see [2, 18] for formal definitions). This allows for much greater efficiency since NM CPA secure public key cryptosystems can be constructed more efficiently than IND CCA2 schemes [12] and IND P0 C2 secure private key schemes may be deterministic. We remark that the result in the lemma applies to the public ....
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. STOC '00.
....we note that the security requirements for E and E can be relaxed. One can show that E is only required to be nonmalleable under a chosen plaintext attack (NM CPA) and E need only be indistinguishable under a P0 plaintext attack and an adaptive chosen ciphertext attack (IND PO C2) (see [2, 18] for formal definitions). This allows for much greater efficiency since NM CPA secure public key cryptosystems can be constructed more efficiently than IND CCA2 schemes [12] and IND P0 C2 secure private key schemes may be deterministic. We remark that the result in the lemma applies to the public random ....
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. STOC '00.
No context found.
J. Katz, and M. Yung. "Complete Characterization of Security Notions for Probabilistic Private-Key Encryption." Proceedings of the 32nd ACM Annual Symposium on Theory of Computing 2000.
No context found.
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. In Proc. of the 32nd Annual Symposium on Theory of Computing, pages 245--254. ACM, 2000.
No context found.
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. In Proc. of the 32nd STOC. ACM Press, New York, 2000.
No context found.
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. In Proceedings of the 32nd Annual Symposium on Theory of Computing, pages 245--254. ACM, 2000.
No context found.
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. STOC 2000.
No context found.
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. In Proc. of the 32nd STOC. ACM Press, New York, 2000.
No context found.
J. Katz and M. Yung. Complete characterization of security notions for probabilistic private-key encryption. In STOC 2000.
No context found.
J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. In 32nd ACM Symposium on the Theory of Computing, pages 245-254, 2000.
No context found.
J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption", Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, 2000.