Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
....primitive is probabilistic. In this paper we revisit the generic conversion by Fujisaki and Okamoto (FO) presented at Crypto 99. The particular instantiation of this conversion with the Okamoto Uchiyama scheme [15] known as EPOC 2 [9] has found practical attacks that lead to a total break [12, 8, 18]. The most serious flaw was found in [12] where the secret key was recovered in the IND CCA game itself. The authors of [12] pointed out that such a surprising result was related to the vagueness of the IND CCA model when dealing with invalid ciphertexts. In the case of the original ....
....we revisit the generic conversion by Fujisaki and Okamoto (FO) presented at Crypto 99. The particular instantiation of this conversion with the Okamoto Uchiyama scheme [15] known as EPOC 2 [9] has found practical attacks that lead to a total break [12, 8, 18]. The most serious flaw was found in [12], where the secret key was recovered in the IND CCA game itself. The authors of [12] pointed out that such a surprising result was related to the vagueness of the IND CCA model when dealing with invalid ciphertexts. In the case of the original specification of EPOC 2, an attacker could obtain ....
[Article contains additional citation context not shown here]
M. Joye, J. J. Quisquater and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. CT-RSA' 01, LNCS 2020 208--222 (2001). 14
....the message m. This attack has been named the Plaintext Checking Attack [11]; a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4, 9], namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non-adaptive/adaptive chosen ciphertext attacks [10, 12]). The latter, the adaptive chosen ciphertext attack denoted CCA2, is ....
M. Joye, J. J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. In CT -- RSA '2001, LNCS 2020, pages 208--222. Springer-Verlag, Berlin, 2001.
....will be weak even if the underlying encryption scheme is one way. is said to be secure in model if it is one way even when the attacker has access to an oracle that decides if a ciphertext C lies in pk) This follows an idea first proposed in a paper by Joye, Quisquater and Yung [4]. Their paper attacks an early version of EPOC 2, which is a hybrid cipher based on the Okamoto Uchiyama cryptosystem [6]. This underlying cipher is secure in the OW CPA model but not in the OW CPA model. Given a scheme model then the same construction given above can be used to construct a ....
.... this out of the formal model, as before, partly to respect the model defined by Joye et al. and partly because this oracle is usually easily simulated in the random oracle model or available to the attacker due to the intractability assumption (as is the case in the Gap Diffie-Hellman assumption [4]). We define a generic KEM based on a key agreement protocol (G, as follows. Key generation is given by the key generation algorithm of the key agreement protocol. The encapsulation algorithm is given by: R. 2. Set (K raw , C) sk) 3. Set K : KDF ( K raw K raw is a ....
M. Joye, J. Quisquater, and M. Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In Topics in Cryptography -- CT-RSA 2001, LNCS 2020, pages 208--222. Springer-Verlag, 2001.
....the message m. This attack has been named the Plaintext Checking Attack [11]; a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4, 9], namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non-adaptive/adaptive chosen ciphertext attacks [10, 12]). The latter, the adaptive chosen ciphertext attack denoted CCA2, is ....
M. Joye, J. J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. In CT - RSA '2001, LNCS 2020, pages 208-222. Springer-Verlag, Berlin, 2001.
....2: To prove the security (in the sense of IND CCA2 or NM CCA2) of EPOC 1 and EPOC2, it is necessary in decryption to check whether X 2 for EPOC 1 and 2 for EPOC 2. If this check is omitted, an active attack is possible (i.e. IND CCA2, especially plaintext awareness does not hold) [20]. q Although it is not known whether n = p q is more tractable to factor than n = pq, some special algorithms to factor n = p q have been studied [35, 36, 37, 2] However, such techniques are specific on the elliptic curve factoring method (ECM) and the fastest algorithm for factoring ....
Joye, M., Quisquater, J.J., and Yung, M.: On the Power of Misbehaving Adversaries and Security Analysis of EPOC, Manuscript (February 2000).
....2: To prove the security (in the sense of IND CCA2 or NM CCA2) of EPOC 1 and EPOC2, it is necessary in decryption to check whether X 2 for EPOC 1 and 2 for EPOC 2. If this check is omitted, an active attack is possible (i.e. IND CCA2, especially plaintext awareness does not hold) [16]. 4.4 On the Intractability of Factoring n = p q Although it is not known whether n = p q is more tractable to factor than n = pq, some special algorithms to factor n = p q have been studied [21, 22, 23, 2] However, such techniques are specific on the elliptic curve factoring method ....
Joye, M., Quisquater, J.J., and Yung, M.: On the Power of Misbehaving Adversaries and Security Analysis of EPOC, Manuscript (February 2000).
....m. This attack has been named the Plaintext Checking Attack (PCA) [22]; a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [18]) had been enough to break some famous encryption schemes [7, 20], namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non-adaptive/adaptive chosen ciphertext attacks [21, 27]). The latter, the adaptive chosen ciphertext attack denoted CCA2, ....
M. Joye, J. J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. In CT -- RSA '2001, LNCS 2020, pages 208--222. Springer-Verlag, Berlin, 2001.
....by the parameters of qLen and others, only R is accepted by the decryption procedure, D. Note that the domains of G and H in the conversion of [22] are fixed by the domain of the underlying encryption function and other parameters. More explicitly, in D, check if R (see a recent remark [18]) 6 3 Security Assessment of PSEC 3 This section reviews some results on the security of PSEC 3. They are easily obtained from [22] Definition 1 (EC DH Assumption) Let G be the setup algorithm of PSEC 3, and (q; a; b; p; P ) be a part of the common parameters. Let r and s be uniformly ....
M. Joye, J. J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of EPOC. Manuscript, February 2000.
....message m. This attack has been named the Plaintext Checking Attack [11]; a validity checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4, 9], namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non-adaptive/adaptive chosen ciphertext attacks [10, 12]). The latter, the adaptive chosen ciphertext attack denoted CCA2, is ....
M. Joye, J. J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. In CT -- RSA '2001, LNCS 2020, pages 208--222. Springer-Verlag, Berlin, 2001.
No context found.
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
No context found.
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
No context found.
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
No context found.
M. Joye, J.-J. Quisquater, and M. Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. Topics in Cryptology --- CT-RSA
No context found.
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
No context found.
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
....knows whether a ciphertext can be decrypted or not, but in no way, can she get access to a decrypted value. However, we allow her to choose ciphertexts. The attack demonstrates our principle of observing behavior under an oracle. Technically, it follows the basic properties shown in [13] see also [18]) Since the plaintexts being encrypted must be smaller than p, we set k = 2 (p)# in the OAEP description given by Eq. 4) OAEP(m) m 0 for a message m and a random r , where G : The adversary can fix the value of the (k 1 k 1 ) most significant bits of ....
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
....knows whether a ciphertext can be decrypted or not, but in no way, she can get access to a decrypted value. However, we allow her to choose ciphertexts. The attack demonstrates our principle of observing behavior under an oracle. Technically, it follows the basic properties shown in [13] see also [18]) Since the plaintexts being encrypted must be smaller than p, we set k = 2 (p)# in the OAEP description given by Eq. 4) OAEP(m) m 0 for a message m and a random r , where G : The adversary can fix the value of the (k 1 k 1 ) most significant ....
Marc Joye, Jean-Jacques Quisquater, and Moti Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In D. Naccache, ed., Topics in Cryptology -- CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 208--222, Springer-Verlag, 2001.
No context found.
M. Joye, J. Quisquater and M. Yung. On the power of misbehaving adversaries and security analysis of the original EPOC. In Topics in Cryptography -- CT-RSA 2001, Springer-Verlag LNCS 2020, 208--222, 2001.
No context found.
M. Joye, J.-J. Quisquater, and M. Yung, "On the power of misbehaving adversaries and security analysis of the original EPOC," In Proceedings of the Cryptographers' Track at RSA Conference '
No context found.
M. Joye, J.-J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. Cryptographers' Track --- RSA 2001.
No context found.
M. Joye, J.J. Quisquater and Y. Moti, "On the power of misbehaving adversaries and security analysis of EPOC", in Progress in Cryptology - CT-RSA 2001, Lectures Notes in Computer Science, Vol. 2020, April 2001.