A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) (1998)

by Mihir Bellare, Ran Canetti, Hugo Krawczyk
Venue: In STOC
Results 1 - 10 of 245

Universally composable security: A new paradigm for cryptographic protocols

by Ran Canetti, 2013
Abstract - Cited by 833 (37 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.

A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack

by Ronald Cramer, Victor Shoup - CRYPTO '98, 1998
Abstract - Cited by 540 (17 self)
A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.

Citation Context

...werful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11, 10, 2] and in protocols for escrow, certified e-mail, and more general fair exchange [1, 22]. The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway's OAEP sch...

Relations among notions of security for public-key encryption schemes

by Mihir Bellare, David Pointcheval, Phillip Rogaway, 1998
Abstract - Cited by 517 (69 self)
Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.

Citation Context

...ols for designing higher level protocols. For example, encryption schemes meeting IND-CCA2 appear to be the right tools in the design of authenticated key exchange protocols in the public-key setting [1]. As another example, the designers of SET (Secure Electronic Transactions) selected an encryption scheme which achieves more than IND-CPA [25]. This was necessary, insofar as the SET protocols would ...

Security and Composition of Multi-party Cryptographic Protocols

by Ran Canetti - JOURNAL OF CRYPTOLOGY, 1998
Abstract - Cited by 463 (19 self)
We present general definitions of security for multi-party cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural `subroutine substitution' operation, formalized by Micali and Rogaway. We consider several standard settings for multi-party protocols, including the cases of eavesdropping, Byzantine, non-adaptive and adaptive adversaries, as well as the information-theoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.

Authenticated Key Exchange Secure Against Dictionary Attacks

by Mihir Bellare, David Pointcheval, Phillip Rogaway, 2000
Abstract - Cited by 402 (35 self)
Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with "implicit" authentication) as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.

Citation Context

...zie and Swaminathan [18], building on [3, 14], give definitions and proofs for a password-based MA protocol, and then a protocol that combines MA and AKE. Boyko, MacKenzie and Patel [10], building on [1, 20], give definitions and a proof for a Diffie-Hellman based protocol. In both papers the authors' motivation is fundamentally the same as our own: to have practical and provably secure password-based pr...

Analysis of key-exchange protocols and their use for building secure channels

by Ran Canetti, Hugo Krawczyk, 2001
Abstract - Cited by 330 (20 self)
Abstract. We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.

Citation Context

...emporary examples include SSL, IPSec, SSH, among others). The design and analysis of secure KE protocols has proved to be a non-trivial task, with a large body of work written on the topic, including [15, 30, 10, 7, 16, 5, 6, 26, 2, 34] and many more. In fact, even today, after two decades of research, some important issues remain without satisfactory treatment. One such issue is how to guarantee the adequacy of KE protocols for the...

Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

by Amit Sahai, 1999
Abstract - Cited by 187 (18 self)
We introduce the notion of non-malleable non-interactive zero-knowledge (NIZK) proof systems. We show how to transform any ordinary NIZK proof system into one that has strong non-malleability properties. We then show that the elegant encryption scheme of Naor and Yung [NY] can be made secure against the strongest form of chosen-ciphertext attack by using a non-malleable NIZK proof instead of a standard NIZK proof. Our encryption scheme is simple to describe and works in the standard cryptographic model under general assumptions. The encryption scheme can be realized assuming the existence of trapdoor permutations. 1 Introduction Modern cryptography provides us with several fundamental tools, from encryption schemes to zero-knowledge proofs. For each of these tools, we have some intuition about what they "should" achieve. But we must be careful to understand the gap between our intuition and what we can actually achieve. Indeed, a major goal of cryptography is to refine our tools to br...

Citation Context

...ingly provide attackers with decryptions of selected ciphertexts. Encryption with this strongest property (CCA2-security) has been proposed as a component in authentication and key exchange protocols [BCK], electronic payment [SET], and deniable authentication protocols [DNS]. For more discussion on the importance of chosen-ciphertext security, see [Sho98]. Prior Work on CCA-Secure Encryption. Much wor...

The Elliptic Curve Digital Signature Algorithm (ECDSA)

by Don Johnson, Alfred Menezes, 1999
Abstract - Cited by 183 (5 self)
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.

Citation Context

...ilson and Menezes [10], ANSI X9.63 [4], and ISO/IEC 11770-3 [41]), and authenticated key agreement (e.g., ISO/IEC 11770-3 [41], Diffie, van Oorschot and Wiener [21], and Bellare, Canetti and Krawczyk [8]). CLASSIFICATION. The digital signature schemes in use today can be classified according to the hard underlying mathematical problem which provides the basis for their security: 1. Integer Factoriz...

A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission

by Birgit Pfitzmann, Michael Waidner, 2000
Abstract - Cited by 176 (20 self)
We present the first rigorous model for secure reactive systems in asynchronous networks with a sound cryptographic semantics, supporting abstract specifications and the composition of secure systems. This enables modular proofs of security, which is essential in bridging the gap between the rigorous proof techniques of cryptography and tool-supported formal proof techniques. The model follows the general simulatability approach of modern cryptography. A variety of network structures and trust models can be described, such as static and adaptive adversaries. As an example of our specification methodology we provide the first abstract and complete specification for Secure Message Transmission, improving on recent results by Lynch, and verify one concrete implementation. Our proof is based on a general theorem on the security of encryption in a reactive multi-user setting, generalizing a recent result by Bellare et al.

Composition and Integrity Preservation of Secure Reactive Systems

by Birgit Pfitzmann, Michael Waidner - In Proc. 7th ACM Conference on Computer and Communications Security, 2000
Abstract - Cited by 152 (16 self)
We consider compositional properties of reactive systems that are secure in a cryptographic sense. We follow the well-known simulatability approach, i.e., the specification is an ideal system and a real system should in some sense simulate it. We recently presented the first detailed general definition of this concept for reactive systems that allows abstraction and enables proofs of efficient real-life systems like secure channels or certified mail. We prove two important properties...