Blaze, M., Feigenbauma, J., Naor, M.: A Formal Treatment of Remotely Keyed Encryption. Advances in Cryptology - EUROCRYPT'98, Lecture Notes in Computer Science, vol. 1403, Springer, Berlin, pp. 251-265, 1998.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....is called the Remotely Keyed Encryption Protocol (RKEP) and has been recently studied in academic fields. The first scheme of this type was introduced by Blaze in [Bla96] No model and no security proof were given. This has led to some formal work (model and security proof) done in [Luc97, BFN98, LW99, Luc99] With somewhat di#erent goals, Jakobsson et al. obtained in [JSY99] a scheme that is also useful in our case. We will briefly describe three di#erent schemes: the BFN scheme from [BFN98] the ARK scheme from [Luc99] and the SAES scheme from [JSY99] We will discuss their respective ....

....proof were given. This has led to some formal work (model and security proof) done in [Luc97, BFN98, LW99, Luc99] With somewhat di#erent goals, Jakobsson et al. obtained in [JSY99] a scheme that is also useful in our case. We will briefly describe three di#erent schemes: the BFN scheme from [BFN98] the ARK scheme from [Luc99] and the SAES scheme from [JSY99] We will discuss their respective advantages and disadvantages. Formally, Lucks pointed formal requirements for the security of such a scheme in [Luc97] Forgery Security. If the pirate has controlled the host computer for q 1 ....

[Article contains additional citation context not shown here]

M. Blaze, J. Feigenbaum, and M. Naor. A Formal Treatment of Remotely Keyed Encryption. In K. Nyber, editor, Advances in Cryptology -- EUROCRYPT '98, volume 1403 of Lectures Notes in Computer Science (LNCS), pages 251--265. Springer-Verlag, 1998. 109, 110

....long messages. Namely, to encrypt long m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext hAE(b) hi. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12, 13]. In this problem, one wishes to split the task of high bandwidth authenticated encryption between a secure, but low bandwidth computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural ....

....(very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for AE ) gets back AE(b) and outputs hAE(b) hi (authenticated decryption is similar) Finally, we also observe that the particular schemes of [13, 18] are all special examples of our general paradigm. 1 Introduction AUTHENTICATED ENCRYPTION. The notions of privacy and authenticity are well understood in the cryptographic community. Interestingly, until very recently they have been viewed and analyzed as important but distinct building blocks ....

[Article contains additional citation context not shown here]

M. BLAZE, J. FEIGENBAUM, M. NAOR, "A Formal Treatment of Remotely Keyed Encryption," In Eurocrypt '98, pp. 251--265, LNCS Vol. 1403, 1998.

....becomes known to the adversary. Exposure does not imply that the secrets become publicly known. Moreover, nobody except the adversary is aware of the exposure taking place. and references include threshold [DF89,Ped91,BF97] pro active [OY91,HJJ 97,CHH00] remotelykeyed [Bla95,Bla96,Luc97,BFN98] key insulated [DKXY02,DKXY] intrusion resilient [IR02,Itk02] all or nothing protection [CDH 00] etc. In these methods, secrets are typically protected by being distributed (shared among multiple modules) thus minimizing the e ect of partial exposures. In this paper, however, we focus on ....

M. Blaze, J. Feigenbaum, and M. Naor. A formal treatment of remotely keyed encryption. In Advances in Cryptology { EUROCRYPT '98, pages 251-265, 1998.

....with common 100 Mbit s Ethernet infrastructure. Note that in our approach the client must trust the cryptoserver with knowledge of his private key, and thus our approach is quite different from the harder and generally unsolved problems of server aided cryptography, remotely keyed encryption [2, 3, 22] or computing with encrypted data [14] We do this for practical reasons, as we seek performance levels as close to available hardware as possible. If truly practical server aided cryptographic techniques become available, then we are ideally positioned to accommodate them. 7. Future Work ....

M. Blaze, J. Feigenbaum, and M. Naor. A formal treatment of remotely keyed encryption. In K. Nyberg, editor, Proceedings of EUROCRYPT'98, number 1403 in Lecure Notes in Computer Science, pages 251--265. SpringerVerlag, 1998.

....has to be secure against a master key recovery attack. It must be infeasible to decrypt a ciphertext packet without breaking the host cipher or the pseudorandom function on the card. There are much stronger security models by Lucks [Luck97] s.a. Weis99b] and Blaze, Naor and Feigenbaum [BFN98]. But all of their protocols require a much greater amount of operations on the host side and on the smart card system. In the next section we present a very fast and easy to understand encryption protocol. 4.2 OpenPGP Key Generation In the Passphrase Only scenario we use the StringToKey (S2K) ....

Blaze, M., Feigenbaum, J., and Naor, M., "A Formal Treatment of Remotely Keyed Encryption" , Eurocrypt '98, Springer LNCS 1403, 1998.

....believed that there exist PRFGs (we will present a candidate in section 4) i.e. P poly is supposed to be cryptographically strong. Pseudorandom function generators are of great interest in cryptography, e.g. as building blocks for block ciphers [20, 21] for remotely keyed encryption schemes [22, 3], for message authentication [2] and others. As the existence of PRFGs obviously implies P 6= NP , recent pseudorandomness proofs refer to unproven cryptographic hardness assumptions. In the following we will detect cryptographical strength or weakness for most of the basic nonuniform ....

M. Blaze, J. Feigenbaum, M. Naor. A Formal Treatment of Remotely Keyed Encryption. Eurocrypt '98, Springer LNCS, 1998.

....server(or several servers) on line and receive information which allows the user to recover the cleartext. Yet, neither the servers nor anyone else listening on line can get any information about the cleartext. This functionality has been introduced and (very different) constructions were given in [7]. This variant is secure against lunch time attacks only. Proactiveness. Our techniques can be proactivized (i.e. modified to withstand mobile faults, as suggested in [34, 11] in standard ways [29] See more discussion in [12] 2 Security of threshold cryptosystems We present a measure of ....

....The output of the decryption algorithm on an invalid ciphertext, being a random number, has the right format with probability that can be made negligibly small. On Remotely Keyed Encryption: As a side remark, one can trivially change cs and m cs to qualify as a remotely keyed encryption scheme [7] secured against lunch time attacks. Simply, drop d from the public key, and let enc(m; r) g r 1 ; g r 2 ; h r m; c r ) 5 Then the user sends to be decrypted remotely only (g r 1 ; g r 2 ; c r ) dropping the third component of the ciphertext. To decrypt, the server who gets (u ....

M. Blaze, J. Feigenbaum and M. Naor, "A formal treatment of remotely keyed encryption", Eurocrypt '98, 1998, pp. 251-165.

....describes an new scheme, the length preserving accelerated remotely keyed (ARK) encryption scheme and, in a formal model, provides a proof of security. For the sake of practical usability, our model avoids asymptotics. Blaze, Feigenbaum, and Naor gave a general de nition for secure RKESs [3]. Compared to their length preserving scheme, the ARK scheme is more ecient but satis es the same security requirements. 1 Introduction A remotely keyed encryption scheme (RKES) distributes the computational burden for a block cipher with large blocks between two parties, a host and a card. We ....

....on its own. Since (at least) a part of the input is not handled by the smartcard, and, for the same reasons, at least) a part of the output is generated by the host, an insider adversary can easily decide that the output generated by herself is not random. Recently, Blaze, Feigenbaum, and Naor [3] found a better formalism to de ne the pseudorandomness of RKESs. Their idea is based on the adversary gaining direct access to the card for a certain amount of time, making q h interactions with the card. For the adversary having lost direct access to the card, the encryption function should ....

[Article contains additional citation context not shown here]

M. Blaze, J. Feigenbaum, M. Naor, \A Formal Treatment of Remotely Keyed Encryption ". in Eurocrypt '98, Springer LNCS.

.... their encryption model was deterministic, and thus, their de nition required the introduction of an arbiter to lter the choice of A in the second phase (whereas in our case, internal randomization may allow oracle style probing on the challenge) In a recent extended version of their paper [BFN99], a formal model and treatment of length increasing functions was given as well; it formalized an indistinguishability attack. Our indistinguishability attack is of a similar nature. 4 Basic Tools Ideal hash function We assume the existence of an ideal hash function (a function whose behavior is ....

Matt Blaze, Joan Feigenbaum, and Moni Naor. A formal treatment of remotely keyed encryption. Full version of Eurocrypt 98.

....and a trusted but weak device (the master) This problem, which in its encryption incarnation is known as remotely keyed encryption schemes (RKES) was proposed in [Bla96] with no model or proof and with certain subtle problems. Several solutions have already been suggested to solve this problem [Bla96, Luc97, BFN98]. If we momentarily disregard the security issues, the common aspect of these three schemes is that they ask a smartcard to generate a temporary key, which depends on the message, and which is used to encrypt the largest part of the message. This generates a binding between the message and the ....

....which depends on the message, and which is used to encrypt the largest part of the message. This generates a binding between the message and the device via the encryption. They later ask to hide this key. A formal model and secure solution for this (based on pseudorandom functions) was given in [BFN98]; their solution requires two accesses to the smartcard per operation. While our system provides the same functionality, the use of the scramble all, encrypt small notion is di erent: in our scheme, the host does not perform any encryption. It simply scrambles the message in a publicly ....

[Article contains additional citation context not shown here]

Matt Blaze, Joan Feigenbaum, and Moni Naor. A formal treatment of remotely keyed encryption. In Kaisa Nyberg, editor, Advances in Cryptology| EUROCRYPT 98, number 1403 in LNCS, pages 251-265. Springer-Verlag, 1998.

....encryption of a message M is f(M) then the only information this encryption leaks on M is whether or not M is equal to a previously encrypted message. For further discussion on the usage of pseudo random permutations for encryption (and on the usage of length preserving encryption in general) see [3, 5, 9]. This note describes a mode of operation for block ciphers that achieves a strong notion of security: If the original block cipher is a pseudo random permutation then we get a pseudo random permutation on the entire message (see a more quantitative statement below) The description is extracted ....

M. Blaze, J. Feigenbaum and M. Naor, A formal treatment of remotely keyed encryption, manuscript.

....encrypter, but may be used by the adversary. The resulting cryptosystem is still non malleable but not self validating, since the adversary can create ciphertexts of random messages. For a recent application of the above construction to the security of remotely keyed encryption see Blaze et al. [10]. Interactive Encryption 31 The second setting resembles the one studied by Goldwasser, Micali, and Tong [46] in which they constructed an interactive public key cryptosystem secure against chosen ciphertext attack (see also [34, 67] An interactive public key cryptosystem requires a ....

M. Blaze, J. Feigenbaum and M. Naor, A Formal Treatment of Remotely Keyed Encryption, Advances in Cryptology { Eurocrypt'98 Proceeding, Lecture Notes in Computer Science No. 1403, Springer-Verlag, 1998, pp. 251-265.

....encrypter, but may be used by the adversary. The resulting cryptosystem is still non malleable but not self validating, since the adversary can create ciphertexts of random messages. For a recent application of the above construction to the security of remotely keyed encryption see Blaze et al. [10]. Interactive Encryption The second setting resembles the one studied by Goldwasser, Micali, and Tong [45] in which they constructed an interactive public key cryptosystem secure against chosen ciphertext attack (see also [34, 66] An interactive public key cryptosystem requires a public ....

M. Blaze, J. Feigenbaum and M. Naor, A Formal Treatment of Remotely Keyed Encryption, Advances in Cryptology -- Eurocrypt'98 Proceeding, Lecture Notes in Computer Science No. 1403, Springer-Verlag, 1998, pp. 251--265.

....one wishes to store encrypted information so that it remains safe for many years. A problem that immediately arises is where to store the keys used for the encryption so that they would not be leaked or lost. Note that the question of storing keys safely arises in many other scenarios, e.g. [8]. One possibility is to use a DPRF as a long term key repository. We add to the system a collection of n servers that act as the servers of the DPRF. These servers are trusted in the sense that no more than k of them become faulty 5 . We should also have some way to specify the policy ....

Blaze M,, Feigenbaum J. and Naor M., "A Formal Treatment of Remotely Keyed Encryption", Advances in Cryptology -- Eurocrypt'98, LNCS 1403, Springer-Verlag, 1998, pp. 251--265.

No context found.

Blaze, M., Feigenbauma, J., Naor, M.: A Formal Treatment of Remotely Keyed Encryption. Advances in Cryptology - EUROCRYPT'98, Lecture Notes in Computer Science, vol. 1403, Springer, Berlin, pp. 251-265, 1998.

No context found.

Blaze, Feigenbaum, and Naor. A formal treatment of remotely keyed encryption. In EUROCRYPT: Advances in Cryptology: Proceedings of EUROCRYPT, 1998.

No context found.

Matt Blaze, Joan Feigenbaum, and Moni Naor. A formal treatment of remotely keyed encryption. In Kaisa Nyberg, editor, Advances in Cryptology| EUROCRYPT 98, number 1403 in LNCS, pages 251-265. Springer-Verlag, 1998.

No context found.

M. Blaze, J. Feigenbaum and M. Naor, A Formal Treatment of Remotely Keyed Encryption, Proceedings of EUROCRYPT '98, LNCS 1403, Springer-Verlag, pages 251-265, 1998.

No context found.

Matt Blaze, Joan Feigenbaum, and Moni Naor. A formal treatment of remotely keyed encryption. In Kaisa Nyberg, editor, Advances in Cryptology| EUROCRYPT 98, number 1403 in LNCS, pages 251-265. Springer-Verlag, 1998.

No context found.

Blaze, M., Feigenbauma, J., Naor, M.: A Formal Treatment of Remotely Keyed Encryption. Advances in Cryptology - EUROCRYPT'98, Lecture Notes in Computer Science, vol. 1403, Springer, Berlin, pp. 251-265, 1998.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC