Results 1  10
of
225
Relations among notions of security for publickey encryption schemes
, 1998
"... Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and nonmalleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove e ..."
Abstract

Cited by 517 (69 self)
 Add to MetaCart
(Show Context)
Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and nonmalleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of nonmalleability which we believe is simpler than the previous one.
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 480 (20 self)
 Add to MetaCart
(Show Context)
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
A Concrete Security Treatment of Symmetric Encryption
 Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE
, 1997
"... We study notions and schemes for symmetric (ie. private key) encryption in a concrete security framework. We give four di erent notions of security against chosen plaintext attack and analyze the concrete complexity ofreductions among them, providing both upper and lower bounds, and obtaining tight ..."
Abstract

Cited by 421 (65 self)
 Add to MetaCart
We study notions and schemes for symmetric (ie. private key) encryption in a concrete security framework. We give four di erent notions of security against chosen plaintext attack and analyze the concrete complexity ofreductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning
Slide Attacks
 Proceedings of Fast Software Encryption ’99, Lecture Notes in Computer Science 1636
, 1999
"... Abstract. In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most ..."
Abstract

Cited by 194 (11 self)
 Add to MetaCart
Abstract. In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), PohligHellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: Decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single wellchosen ciphertext. Keywords: Bug attack, Fault attack, RSA, PohligHellman, ECC. 1
NonMalleable NonInteractive Zero Knowledge and Adaptive ChosenCiphertext Security
, 1999
"... We introduce the notion of nonmalleable noninteractive zeroknowledge (NIZK) proof systems. We show how to transform any ordinary NIZK proof system into one that has strong nonmalleability properties. We then show that the elegant encryption scheme of Naor and Yung [NY] can be made secure against ..."
Abstract

Cited by 187 (18 self)
 Add to MetaCart
We introduce the notion of nonmalleable noninteractive zeroknowledge (NIZK) proof systems. We show how to transform any ordinary NIZK proof system into one that has strong nonmalleability properties. We then show that the elegant encryption scheme of Naor and Yung [NY] can be made secure against the strongest form of chosenciphertext attack by using a nonmalleable NIZK proof instead of a standard NIZK proof. Our encryption scheme is simple to describe and works in the standard cryptographic model under general assumptions. The encryption scheme can be realized assuming the existence of trapdoor permutations. 1 Introduction Modern cryptography provides us with several fundamental tools, from encryption schemes to zeroknowledge proofs. For each of these tools, we have some intuition about what they "should" achieve. But we must be careful to understand the gap between our intuition and what we can actually achieve. Indeed, a major goal of cryptography is to refine our tools to br...
RSAOAEP is Secure under the RSA Assumption
, 2002
"... Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another ..."
Abstract

Cited by 149 (20 self)
 Add to MetaCart
(Show Context)
Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP oers semantic security against adaptive chosenciphertext attacks, in the random oracle model, under the partialdomain onewayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partialdomain onewayness of the RSA function is equivalent to its (fulldomain) onewayness, it follows that the security of RSA{OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
PublicKey Cryptography and Password Protocols
 ACM Transactions on Information and System Security
, 1999
"... We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses a pair of private and public keys while the client has only a weak humanmemorizable password as its authentication key. We present and analyze several simple password p ..."
Abstract

Cited by 138 (6 self)
 Add to MetaCart
(Show Context)
We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses a pair of private and public keys while the client has only a weak humanmemorizable password as its authentication key. We present and analyze several simple password protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to offline password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we enhance our protocols to provide twoway authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that public key techniques are unavoidable for password protocols that resist offline guessing attacks. As a further contribution, we introduce the notion of public passwords that...
Proactive Recovery in a ByzantineFaultTolerant System
, 2000
"... This paper describes an asynchronous statemachine replication system that tolerates Byzantine faults, which can be caused by malicious attacks or software errors. Our system is the first to recover Byzantinefaulty replicas proactively and it performs well because it uses symmetric rather than publ ..."
Abstract

Cited by 138 (6 self)
 Add to MetaCart
(Show Context)
This paper describes an asynchronous statemachine replication system that tolerates Byzantine faults, which can be caused by malicious attacks or software errors. Our system is the first to recover Byzantinefaulty replicas proactively and it performs well because it uses symmetric rather than publickey cryptography for authentication. The recovery mechanism allows us to tolerate any number of faults over the lifetime of the system provided fewer than 1/3 of the replicas become faulty within a window of vulnerability that is small under normal conditions. The window may increase under a denialofservice attack but we can detect and respond to such attacks. The paper presents results of experiments showing that overall performance is good and that even a small window of vulnerability has little impact on service latency.
PublicKey Encryption in a Multiuser Setting: Security Proofs and Improvements
"... This paper addresses the security of publickey cryptosystems in a "multiuser" setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Hºastad's classical attacks on RSA. We prove that security in the sin ..."
Abstract

Cited by 133 (7 self)
 Add to MetaCart
(Show Context)
This paper addresses the security of publickey cryptosystems in a "multiuser" setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Hºastad's classical attacks on RSA. We prove that security in the singleuser setting implies security in the multiuser setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pinpointing many schemes guaranteed to be secure against Hºastadtype attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two DiffieHellman based schemes, namely El Gamal and CramerShoup.
SKEME: A Versatile Secure Key Exchange Mechanism for Internet
, 1996
"... A secure and versatile key exchange protocol for key management over Internet is presented. SKEME constitutes a compact protocol that supports a variety of realistic scenarios and security models over Internet. It provides clear tradeoffs between security and performance as required by the different ..."
Abstract

Cited by 131 (12 self)
 Add to MetaCart
A secure and versatile key exchange protocol for key management over Internet is presented. SKEME constitutes a compact protocol that supports a variety of realistic scenarios and security models over Internet. It provides clear tradeoffs between security and performance as required by the different scenarios without incurring in unnecessary system complexity. The protocol supports key exchange based on public key, key distribution centers, or manual installation, and provides for fast and secure key refreshment. In addition, SKEME selectively provides perfect forward secrecy, allows for replaceability and negotiation of the underlying cryptographic primitives, and addresses privacy issues as anonymity and repudiatability. 1 Introduction The need to secure the Internet is now clear to everyone. Consequently, more and more mechanisms to provide security at different layers and different applications are being developed. Common to most of these security mechanisms is the need for key ...