I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....long numbers. Perhaps their scheme can be optimized somewhat, but it seems likely that it will remain hopelessly impractical. Besides Bellare and Rogaway s OAEP, there have been several other proposals for practical cryptosystems that attempt to provide security against chosen ciphertext attack [12, 25, 18, 23]. However, none of these schemes have been proven secure, and some have been broken [16] Thus, an obvious goal is to find a practical cryptosystem that is provably secure against chosen ciphertext attack. This goal was first achieved with the Cramer Shoup cryptosystem. We will describe this ....

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....rely on theoretical constructions of non interactive zero knowledge proofs [4] and as such are quite impractical. Practical schemes. Again in the context of non threshold cryptosystems, practical cryptosystems intended to be secure against chosen ciphertext attack were proposed by Damgard [8], Zheng and Seberry [28] and Bellare and Rogaway [2, 3] The schemes in [28, 2, 3] are all known to be chosen ciphertext secure in the random hash function model. 2.2 Threshold cryptosystems Threshold cryptosystems are part of a general approach known as threshold cryptography, introduced by ....

....all this by straightaway assuming an on line knowledge extractor; that is, we simply assume that any algorithm that can create create a valid proof of knowledge can be transformed into an algorithm that simultaneously outputs a corresponding witness. A similar type of assumption is made by Damgard [8] and Zheng and Seberry [28] This type of assumption, however, is not very acceptable: it is completely nonstandard, and it is not at all clear how it is related to any kind of intractability assumption. 3 A Formal Security Model A k out of n threshold cryptosystem consists of the following ....

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....rely on theoretical constructions of non interactive zero knowledge proofs [4] and as such are quite impractical. Practical schemes. Again in the context of non threshold cryptosystems, practical cryptosystems intended to be secure against chosen ciphertext attack were proposed by Damgard [8], Zheng and Seberry [28] and Bellare and Rogaway [2, 3] The schemes in [28, 2, 3] are all known to be chosen ciphertext secure in the random hash function model. The scheme in [8] is known to be insecure against chosen ciphertext attack, and its security against lunch time attacks is not well ....

....practical cryptosystems intended to be secure against chosen ciphertext attack were proposed by Damgard [8] Zheng and Seberry [28] and Bellare and Rogaway [2, 3] The schemes in [28, 2, 3] are all known to be chosen ciphertext secure in the random hash function model. The scheme in [8] is known to be insecure against chosen ciphertext attack, and its security against lunch time attacks is not well understood. 2.2 Threshold cryptosystems Threshold cryptosystems are part of a general approach known as threshold cryptography, introduced by Boyd [5] Desmedt [11] and Desmedt and ....

[Article contains additional citation context not shown here]

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....ciphertext attack. Unfortunately, all of the known schemes provably secure under standard intractability assumptions are completely impractical (albeit polynomial time) as they rely on general and expensive constructions for noninteractive zero knowledge proofs. Practical Schemes. Damgard [4] proposed a practical scheme that he conjectured to be secure against lunch time attacks; however, this scheme is not known to be provably secure, and is in fact demonstrably insecure against adaptive chosen ciphertext attack. Zheng and Seberry [16] propose practical schemes that are conjectured ....

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....above provably secure schemes rely on theoretical constructions of non interactive zero knowledge proofs [4] and as such are quite impractical. To overcome the above inefficiency problem some practical cryptosystems intended to be secure against chosen ciphertext attack were proposed by Damgard [10], Zheng and Seberry [32] and Bellare and Rogaway [2, 3] The schemes in [32, 2, 3] are all known to be chosen ciphertext secure in the random hash function model. Finally, very recently, building on some ideas from this paper, Cramer and Shoup [9] presented a new scheme which is quite efficient ....

....all this by straightaway assuming an on line knowledge extractor; that is, we simply assume that any algorithm that can create a valid proof of knowledge can be transformed into an algorithm that simultaneously outputs a corresponding witness. A similar type of assumption is made by Damgard [10] and Zheng and Seberry [32] This type of assumption, however, is not very acceptable: it is completely nonstandard, and it is not at all clear how it is related to any kind of intractability assumption. 3 A Formal Security Model A k out of n threshold cryptosystem consists of the following ....

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....on long numbers. Perhaps their scheme can be optimized somewhat, but it seems likely that it will remain hopelessly impractical. Besides Bellare and Rogaway s OAEP, there have been several other proposals for practical cryptosystems that attempt to provide security against chosen ciphertext attack [12, 25, 18, 23]. However, none of these schemes have been proven secure, and some have been broken [16] Thus, an obvious goal is to find a practical cryptosystem that is provably secure against chosen ciphertext attack. This goal was first achieved with the Cramer Shoup cryptosystem. We will describe this ....

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....rely on theoretical constructions of non interactive zero knowledge proofs [4] and as such are quite impractical. Practical schemes. Again in the context of non threshold cryptosystems, practical cryptosystems intended to be secure against chosen ciphertext attack were proposed by Damgard [8], Zheng and Seberry [28] and Bellare and Rogaway [2, 3] The schemes in [28, 2, 3] are all known to be chosenciphertext secure in the random hash function model. The scheme in [8] is known to be insecure against chosen ciphertext attack, and its security against lunch time attacks is not well ....

....cryptosystems, practical cryptosystems intended to be secure against chosen ciphertext attack were proposed by Damgard [8] Zheng and Seberry [28] and Bellare and Rogaway [2, 3] The schemes in [28, 2, 3] are all known to be chosenciphertext secure in the random hash function model. The scheme in [8] is known to be insecure against chosen ciphertext attack, and its security against lunch time attacks is not well understood. 2.2 Threshold cryptosystems Threshold cryptosystems are part of a general approach known as threshold cryptography, introduced by Boyd [5] Desmedt [11] and Desmedt and ....

[Article contains additional citation context not shown here]

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

....secure under standard intractability assumptions are completely impractical (albeit polynomial time) as they rely on general and expensive constructions for non interactive zeroknowledge proofs. This includes non standard schemes like Rackoff and Simon s as well. Practical Schemes. Damgard [8] proposed a practical scheme that he conjectured to be secure against lunch time attacks; however, this scheme is not known to be provably secure, and is in fact demonstrably insecure against adaptive chosen ciphertext attack. Zheng and Seberry [24] proposed practical schemes that are conjectured ....

I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology--Crypto '91, pages 445--456, 1991.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC