Results 1  10
of
289
Relations among notions of security for publickey encryption schemes
, 1998
"... Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and nonmalleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove e ..."
Abstract

Cited by 517 (69 self)
 Add to MetaCart
(Show Context)
Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and nonmalleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of nonmalleability which we believe is simpler than the previous one.
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 480 (20 self)
 Add to MetaCart
(Show Context)
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Remote Timing Attacks are Practical
"... Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSLbased web server running ..."
Abstract

Cited by 248 (4 self)
 Add to MetaCart
Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSLbased web server running on a machine in the local network. Our results demonstrate that timing attacks against network servers are practical and therefore security systems should defend against them.
Design and Analysis of Practical PublicKey Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack
 SIAM Journal on Computing
, 2001
"... A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption sc ..."
Abstract

Cited by 231 (11 self)
 Add to MetaCart
(Show Context)
A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption schemes in the literature that are simultaneously practical and provably secure.
OCB: A BlockCipher Mode of Operation for Efficient Authenticated Encryption
, 2001
"... We describe a parallelizable blockcipher mode of operation that simultaneously provides privacy and authenticity. OCB encryptsandauthenticates a nonempty string M # {0, 1} # using #M /n# + 2 blockcipher invocations, where n is the block length of the underlying block cipher. Additional ov ..."
Abstract

Cited by 204 (24 self)
 Add to MetaCart
We describe a parallelizable blockcipher mode of operation that simultaneously provides privacy and authenticity. OCB encryptsandauthenticates a nonempty string M # {0, 1} # using #M /n# + 2 blockcipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap o#set calculations; cheap session setup, a single underlying cryptographic key; no extendedprecision addition; a nearly optimal number of blockcipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively. Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards . # Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA; and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand. email: rogaway@cs.ucdavis.edu web: www.cs.ucdavis.edu/~rogaway + Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA. email: mihir@cs.ucsd.edu web: wwwcse.ucsd.edu/users/mihir # Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA. email: jrb@cs.unr.edu web: www.cs.unr.edu/~jrb Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA. email: tdk@acm.org 1
The order of encryption and authentication for protecting communications (or: how Secure is SSL?)
, 2001
"... We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chose ..."
Abstract

Cited by 152 (7 self)
 Add to MetaCart
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encryptthenauthenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticatethenencrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but when combined with any MAC function under the authenticatethenencrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encryptandauthenticate method used in SSH. On the positive side we show that the authenticatethenencrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
RSAOAEP is Secure under the RSA Assumption
, 2002
"... Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another ..."
Abstract

Cited by 149 (20 self)
 Add to MetaCart
Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP oers semantic security against adaptive chosenciphertext attacks, in the random oracle model, under the partialdomain onewayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partialdomain onewayness of the RSA function is equivalent to its (fulldomain) onewayness, it follows that the security of RSA{OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
PublicKey Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447
, 2003
"... This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. IESG Note The IESG thanks RSA Laboratories for transferring change control to the IETF. Enhancements to this specification that preserve backward c ..."
Abstract

Cited by 115 (0 self)
 Add to MetaCart
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. IESG Note The IESG thanks RSA Laboratories for transferring change control to the IETF. Enhancements to this specification that preserve backward compatibility are expected in an upcoming IETF standards track document. This document represents a republication of PKCS #8 v1.2 from RSA Laboratories ’ Public Key Cryptography Standard (PKCS) series. Change control is transferred to the IETF. The body of this document, except for the security considerations section, is taken directly from the PKCS #8 v1.2 specification. This document describes a syntax for privatekey information.
How to Enhance the Security of PublicKey Encryption at Minimum Cost
, 1999
"... This paper presents a simple and generic conversion from a publickey encryption scheme which is indistinguishable against chosenplaintext attacks into a publickey encryption scheme which is indistinguishable against adaptive chosenciphertext attacks in the random oracle model. The scheme obtained ..."
Abstract

Cited by 92 (8 self)
 Add to MetaCart
This paper presents a simple and generic conversion from a publickey encryption scheme which is indistinguishable against chosenplaintext attacks into a publickey encryption scheme which is indistinguishable against adaptive chosenciphertext attacks in the random oracle model. The scheme obtained by the conversion is as efficient as the original encryption scheme and the security reduction is very tight in the exact security manner.