Citations: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack

46 citations found. Retrieving documents...

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. of Computing, vol. 33, pp. 167-- 226, 2003.

Home/Search Document Details and Download Summary Related Articles Check

This paper is cited in the following contexts:

Public Key Trace and Revoke Scheme Secure against Adaptive.. - Dodis, Fazio (2003) (6 citations) (Correct)

....the DDH assumption (with no random oracles) We remark that no CCA2 schemes were known even in the symmetric setting. Moreover, it doesn t seem obvious how to extend current symmetric schemes (e.g. 16] to meet the CCA2 notion. Our public key scheme is based on the regular Cramer Shoup encryption [7, 8], but our extension is non trivial, as we have to resolve some diculties inherent to Broadcast Encryption. Furthermore, we introduce for the rst time a precise formalization of an appropriate notion of adaptive security for Broadcast Encryption (for both the CPA and the CCA2 setting) We also ....

.... public key broadcast encryption is typically used by encrypting a session key s for the privileged users (this encryption is called the enabling block) and then symmetrically encrypting the actual message with s, we will often say that the goal of a Broadcast Encryption Scheme is to encapsulate [8] a session key s, rather than to encrypt a message M . De nition 2 (Broadcast Encryption Scheme) A Broadcast Encryption Scheme BE is a 4 tuple of poly time algorithms (KeyGen, Reg, Enc, Dec) where: KeyGen, the key generation algorithm, is a probabilistic algorithm used by the center to set ....

[Article contains additional citation context not shown here]

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Scheme Secure against Adaptive Chosen Ciphertext Attack. Manuscript, 2001.

Two Birds One Stone: Signcryption using RSA - Malone-Lee, Mao (2003) (4 citations) (Correct)

....party who can verify its validity. 3 Security Notions for Signcryption Schemes 3. 1 IND CCA2 for Signcryption Schemes We take as our starting point the standard definition of indistinguishability of encryptions under adaptive chosen ciphertext attack (IND CCA2) for public key encryption schemes [1, 4, 5, 10, 11]. A public key encryption scheme enjoys INDCCA2 security if it is not possible for an adversary to distinguish the encryptions of two messages of its choice under a particular public key, even when it has access to a decryption oracle for this public key. The adversary is able to query the ....

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. Available at http://eprint.iacr.org/2001/108/, 2001.

Public Key Trace and Revoke Scheme Secure against Adaptive.. - Dodis, Fazio (2003) (6 citations) (Correct)

....assumption (with no random oracles) We remark that no CCA2 secure schemes were known even in the symmetric setting. Moreover, it doesn t seem obvious how to extend current symmetric schemes (e.g. 18] to meet the CCA2 notion. Our public key scheme is based on the regular Cramer Shoup encryption [7, 8], but our extension is non trivial, as we have to resolve some di#culties inherent to the Broadcast Encryption setting. Our CCA2 secure scheme requires a constant user storage and a public key size proportional to the revocation threshold z. The length of each ciphertext, and the time to encrypt ....

.... public key broadcast encryption is typically used by encrypting a session key s for the privileged users (this encryption is called the enabling block) and then symmetrically encrypting the actual message with s, we will often say that the goal of a Broadcast Encryption Scheme is to encapsulate [8] a session key s, rather than to encrypt a message M . Definition 2 (Broadcast Encryption Scheme) A Broadcast Encryption Scheme BE is a 4 tuple of poly time algorithms (KeyGen, Reg, Enc, Dec) where: KeyGen, the key generation algorithm, is a probabilistic algorithm used by the center to set ....

[Article contains additional citation context not shown here]

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Scheme Secure against Adaptive Chosen Ciphertext Attack. Manuscript, 2001.

A Separation between the Random-Oracle Model and the.. - Bellare, Boldyreva.. (2003) (2 citations) (Correct)

....AS is IND CCA preserving if the mm hybrid associated to AS and symmetric encryption scheme SS is IND CCA secure for every IND CCA secure SS. The goal we consider is IND CCA preserving asymmetric encryption. Note that any IND CCA secure asymmetric encryption scheme is IND CCA preserving (cf. [10, 19]) However IND CCA preservation is actually a weaker requirement on an asymmetric encryption scheme than IND CCA security itself, leading researchers to seek IND CCA preserving asymmetric encryption schemes that are more ecient than existing IND CCA secure ones. These designs tend to be in the RO ....

R. Cramer and V. Shoup, \Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," IACR ePrint archive Record 2001.

ECIES-KEM vs. PSEC-KEM - Dent (Correct)

....proofs: ECIESKEM reduces to the gap Di#e Hellman problem [5] whilst PSEC KEM reduces to the weaker computational Di#e Hellman problem. We will assume that the reader is familiar with the concepts of KEM DEM constructions and their security proofs. For more information the reader is referred to [3, 4]. Briefly the security of a KEM is defined by the advantage an attacker has in winning a game played against a mythical system. The game is played as follows: 1. The system generates a public and secret key (pk, sk) KEM.KeyGen(#) 2. The attacker runs until it is ready to receive a challenge ....

..... The probability that E occurs is at least # as has advantage # so the probability that succeeds is #. We note that the running time of is approximately equal to the running time of plus the time taken to check all the Di#e Hellman quadruples. Note that a similar proof appears in [3]. 3 Re writing ECIES KEM As it stands ECIES KEM is optimised for implementation, hence the use of the x coordinate x in the evaluation of the key derivation function rather than the representation of the whole point Q. We find that it is convenient, when comparing ECIES KEM to PSEC KEM, to use ....

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Technical report, http://shoup.net/, 2002.

Provably Secure Public-Key Encryption for Length-Preserving.. - Möller (2003) (1 citation) (Correct)

....these constructions assume the existence of a shared authenticated bulletin board, whereas in the present paper we are interested in an open system that can be used with point to point communication by e mail or similar means. We use many ideas and techniques described by Cramer and Shoup in [8], but adapt them to fit the new notions of security needed in the context of length preserving mixes. 1.1 Notation Strings are binary, i.e. elements of 1 # . The concatenation of strings s and t is denoted s t. The length of string s is s . For s # w, prefix w (s) denotes the ....

Cramer, R., and Shoup, V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Manuscript, http://shoup.net/papers/, 2001.

A Designers Guide to KEMs - Dent (2002) (Correct)

....was not formally studied. This led to papers such as [2] which attacked schemes in which the set of symmetric keys is significantly smaller than the message space of the asymmetric scheme used to encrypt them. This folklore has recently been formalised in terms of a generic or KEM DEM construction [3]. In this construction the encryption scheme is characterised into two parts: an asymmetric KEM and a symmetric DEM. A KEM (or key encapsulation mechanism) is a probabilistic algorithm that produces a random symmetric key and an an encryption of that key. A DEM (or data encapsulation mechanism ) ....

....the encapsulated key K = KEM.Decap(C 1 , sk) 3. Decrypt the message m = DEM.Decrypt(m,K) 4. Output the message m. It has been shown that the generic public key encryption scheme constructed from an IND CCA2 secure KEM and an IND CCA secure DEM is itself INDCCA2 secure in the standard sense [3]. 3 Constructing KEMs from trapdoor one way functions We start by showing that the construction ideas used in RSA KEM [7] generalise to almost all one way public key encryption algorithms. Consider an encryption scheme (G, is a key generation algorithm that takes as input a security ....

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Technical report, http://shoup.net/, 2002.

RSA hybrid encryption schemes - Granboulan (2001) (Correct)

....as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. A complete proof of the general KEM DEM construction can also been found in the full paper of Cramer and Shoup [5, 7], which was not published at the time of this writing. This document makes an extensive comparison of RSA REACT and RSAKEM DEM1. It is part of the open evaluation of cryptographic primitives done by the NESSIE consortium. 2 First assumptions 2.1 Exponent 3 RSA Generic considerations showing ....

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. Available at http://eprint.iacr.org/2001/108/, December 2001.

Identity-Based Signcryption - Malone-Lee (2002) (2 citations) (Correct)

....constraint that if oe Signcrypt(S IDa ; ID b ; m) then m Unsigncrypt(ID a ; S ID b ; oe) 3 Security of Identity Based Signcryption 3. 1 Confidentiality The de facto definition of security for public key encryption schemes is indistinguishability of encryptions under chosen ciphertext attack [1, 3, 5, 10, 11]. Our definition of security will be a natural adaptation of this to the identity based setting for signcryption schemes. We will call the new form of security indistinguishability of identity based signcryptions under chosen ciphertext attack (INDISC CCA) Definition 1. IND ISC CCA Security ....

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Available at http://eprint.iacr.org/search.pl, 2001.

Provably Secure Public-Key Encryption for Length-Preserving.. - Möller (2002) (1 citation) (Correct)

....3 discusses appropriate security notions and gives a provable security result for the construction. This paper shows for the first time how to implement length preserving mixes cryptographically secure against active attacks. We use many ideas and techniques described by Cramer and Shoup in [7], but adapt them to fit the new notions of security needed in the context of length preserving mixes. 1.1 Notation Strings are binary, i.e. elements of 1 # . The concatenation of strings s and t is denoted s t. The length of string s is s . For s # w, prefix w (s) denotes the ....

Cramer, R., and Shoup, V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Manuscript, http://shoup.net/papers/, 2001.

A Note on Bounded Chosen Ciphertext Security from.. - Cramer, Hofheinz, Kiltz (2006) (1 citation) Self-citation (Cramer) (Correct)

No context found.

Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167--226, 2003. (Cited on page 2.)

Cramer-Shoup is Plaintext-Aware in the - Standard Model Alexander (2005) Self-citation (Cramer Shoup) (Correct)

No context found.

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167--226, 2004.

Sequences of Games: A Tool for Taming Complexity in Security Proofs - Shoup (2004) (15 citations) Self-citation (Shoup) (Correct)

A Variant of the Cramer-Shoup Cryptosystem for Groups of Unknown.. - Lucks (2002) (1 citation) Self-citation (Cramer Shoup) (Correct)

No context found.

R. Cramer V. Shoup: "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack", revised and extended version of [5], December 17, 2001, http://eprint.iacr.org/2001/108/.

Code-Based Game-Playing Proofs and the Security of Triple.. - Bellare, Rogaway (2006) (Correct)

No context found.

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. of Computing, vol. 33, pp. 167-- 226, 2003.

Identity Based Key Encapsulation with Wildcards - James Birkett Alexander (Correct)

An efficient hybrid encryption in standard model - Lu (2006) (Correct)

Revisit of chosen ciphertext secure public key encryption in.. - Lu, He, Li (2006) (Correct)

A Survey of Certificateless Encryption Schemes - And Security Models (2006) (Correct)

Revisiting the Security Model for Timed-Release - Public-Key Encryption With (2006) (Correct)

The Kurosawa-Desmedt Key Encapsulation is not - Chosen-Ciphertext Secure Javier (2006) (Correct)

Fundamental Problems in Provable - Security And Cryptography (2006) (Correct)

No context found.

J. ACM 51(4), 557--594. Cramer, R. and Shoup, V. 2003 Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comp. 33(1), pp.

This is the merged full version of two independent.. - Direct.. (2006) (Correct)

On Anonymity of Group Signatures - Zhou Sujing And (2005) (Correct)

No context found.

R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM J. Comput., vol. 33, no. 1, pp. 167--226, 2004.

A Probabilistic Hoare-style Logic for Cryptographic Proofs - Corin, den Hartog (2005) (Correct)

A Verifiable Secret Shuffle of Homomorphic Encryptions - Jens Groth Department (2005) (Correct)

No context found.

Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. In proceedings of CRYPTO '98, LNCS series, volume 1462, pages 13--25, 1998. Full paper available at http://eprint.iacr.org/2001/108.

On Proofs of Security for Certificateless Cryptosystems - Dent, Kudla (2005) (1 citation) (Correct)

Building Better Signcryption Schemes with Tag-KEMs - Bjørstad, Dent (2005) (Correct)

Signcryption with Non-Interactive Non-Repudiation - Malone-Lee (Correct)

No context found.

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Available at http://eprint.iacr.org/2001.

Identity-Based Key Agreement with Unilateral Identity.. - Cheng, Chen, Comley.. (2005) (Correct)

One-Wayness/KEM Equivalent to General Factoring - Kurosawa, Takagi (2005) (Correct)

No context found.

R. Cramer and V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack, SIAM Journal on Computing, Volume 33, Number 1, pp. 167-226 (2003) 38

Authenticated Hybrid Encryption for Multiple Recipients - Alt (2006) (Correct)

No context found.

R. Cramer and V. Shoup. Design and analysis of practical public key encryption schemes secure against adaptative chosen ciphertext attack. Cryptology Eprint Archive. http://eprint.iacr.org/2001/108, 2001.

A New Rabin-type Trapdoor Permutation Equivalent to Factoring.. - Schmidt-Samoa (2005) (Correct)

No context found.

R. Cramer and R. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput., 33(1):167-226, 2004.

Efficient Identity-Based Key Encapsulation to Multiple Parties - Barbosa, Farshim (2005) (Correct)

No context found.

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen-ciphertext attack. In SIAM Journal of Computing, 33:167-226, 2003.

An Efficient ID-KEM Based on the Sakai-Kasahara Key.. - Chen, Cheng.. (2005) (Correct)

Generic Constructions of Identity-Based and.. - Bentahar, Farshim.. (2005) (8 citations) (Correct)

Efficient Certificateless Public Key Encryption - Cheng, Comley (2005) (Correct)

No context found.

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal of Computing 33:167-226, 2003.

Tag-KEM/DEM: A New Framework for Hybrid Encryption - Abe, Gennaro, Kurosawa (2005) (1 citation) (Correct)

A new security proof for Damgård's ElGamal - Gjøsteen (2005) (Correct)

The Game-Playing Technique - Bellare, Rogaway (2004) (1 citation) (Correct)

Lower Bounds for Non-Black-Box Zero Knowledge - Barak, Lindell, Vadhan (2004) (1 citation) (Correct)

No context found.

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. Cryptology ePrint Archive, Report 2001/108, 2001. http://eprint.iacr.org/.

Group Signatures: Better Efficiency and New Theoretical Aspects - Camenisch, Groth (2005) (2 citations) (Correct)

Hybrid Cryptography - Dent (2004) (Correct)

Scalable Public-Key Tracing and Revoking - Dodis, Fazio, Kiayias, Yung (2004) (4 citations) (Correct)

No context found.

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Scheme Secure against Adaptive Chosen Ciphertext Attack. SIAM Journal on Computing, 33(1):167--226, 2003.

A General Construction of IND-CCA2 Secure Public Key Encryption - Kiltz, Malone-Lee (2003) (1 citation) (Correct)

No context found.

R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext attack. To appear, SIAM Journal of Computing.

Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack.. - Groth (2004) (Correct)

No context found.

Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. In: proceedings of CRYPTO '98, LNCS series, volume 1462. (1998) 13-25

Online articles have much greater impact More about CiteSeer.IST Add search form to your site Submit documents Feedback

CiteSeer.IST - Copyright Penn State and NEC