Results 11  20
of
152
EncryptionScheme Security in the Presence of KeyDependent Messages
 In Selected Areas in Cryptography, volume 2595 of LNCS
, 2002
"... Encryption that is only semantically secure should not be used on messages that depend on the underlying secret key; all bets are o# when, for example, one encrypts using a shared key K the value K. Here we introduce a new notion of security, KDM security, appropriate for keydependent messages. ..."
Abstract

Cited by 68 (3 self)
 Add to MetaCart
Encryption that is only semantically secure should not be used on messages that depend on the underlying secret key; all bets are o# when, for example, one encrypts using a shared key K the value K. Here we introduce a new notion of security, KDM security, appropriate for keydependent messages. The notion makes sense in both the publickey and sharedkey settings. For the latter we show that KDM security is easily achievable within the randomoracle model. By developing and achieving stronger notions of encryptionscheme security it is hoped that protocols which are proven secure under "formal" models of security can, in time, be safely realized by generically instantiating their primitives.
Universally composable signature, certification, and authentication
 In CSFW 2004
, 2004
"... Recently some efforts were made towards capturing the security requirements from digital signature schemes as an ideal functionality within a composable security framework. This modeling of digital signatures potentially has some significant analytical advantages (such as enabling componentwise ana ..."
Abstract

Cited by 63 (9 self)
 Add to MetaCart
Recently some efforts were made towards capturing the security requirements from digital signature schemes as an ideal functionality within a composable security framework. This modeling of digital signatures potentially has some significant analytical advantages (such as enabling componentwise analysis of complex systems that use signature schemes, as well as symbolic and automatable analysis of such systems). However, it turns out that formulating ideal functionalities that capture the properties expected from signature schemes in a way that is both sound and enjoys the above advantages is not a trivial task. This work has several contributions. We first correct some flaws in the definition of the ideal signature functionality of Canetti, 2001, and subsequent formulations. Next we provide a minimal formalization of “ideal certification authorities ” and show how authenticated communication can be obtained using ideal signatures and an ideal certification authority. This is done while guaranteeing full modularity (i.e., each component is analyzed as standalone), and in an unconditional and errorless way. This opens the door to symbolic and automated analysis of protocols for these tasks, in a way that is both modular and cryptographically sound.
Universally composable multiparty computation using tamperproof hardware
 In EUROCRYPT, Lecture Notes in Computer Science
, 2007
"... Abstract. Protocols proven secure within the universal composability (UC) framework satisfy strong and desirable security properties. Unfortunately, it is known that within the “plain ” model, secure computation of general functionalities without an honest majority is impossible. This has prompted r ..."
Abstract

Cited by 63 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Protocols proven secure within the universal composability (UC) framework satisfy strong and desirable security properties. Unfortunately, it is known that within the “plain ” model, secure computation of general functionalities without an honest majority is impossible. This has prompted researchers to propose various “setup assumptions ” with which to augment the bare UC framework in order to bypass this severe negative result. Existing setup assumptions seem to inherently require some trusted party (or parties) to initialize the setup in the real world. We propose a new setup assumption — more along the lines of a physical assumption regarding the existence of tamperproof hardware — which also suffices to circumvent the impossibility result mentioned above. We suggest this assumption as potentially leading to an approach that might alleviate the need for trusted parties, and compare our assumption to those proposed previously. 1
Symmetric Encryption in Automatic Analyses for Confidentiality against Active Adversaries
, 2004
"... In this article we present a technique for static analysis, correct with respect to complexitytheoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway  we define patterns fo ..."
Abstract

Cited by 57 (3 self)
 Add to MetaCart
(Show Context)
In this article we present a technique for static analysis, correct with respect to complexitytheoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway  we define patterns for cryptographic protocols (they did it for formal expressions), such that the protocol is secure iff the patterns are. We then statically analyse the patterns, they should be easier to analyse than the protocols themselves. We consider symmetric encryption as the cryptographic primitive in protocols. Handling this primitive has so far received comparatively less attention in approaches striving to unite the formal and computational models of cryptography.
General Composition and Universal Composability in Secure Multiparty Computation
, 2007
"... Concurrent general composition relates to a setting where a secure protocol is run in anetwork concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols areexecuted concurrently. Ca ..."
Abstract

Cited by 52 (9 self)
 Add to MetaCart
Concurrent general composition relates to a setting where a secure protocol is run in anetwork concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols areexecuted concurrently. Canetti (FOCS 2001) introduced the notion of universal composability, and showed that security under this definition is sufficient for achieving concurrent generalcomposition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (Innewer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all itsvariants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of twoparty functionalities for whichit is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not &quot;blackbox&quot;, andapply even to nonblackbox simulation. Our main result also demonstrates that the definition of universal composability is somewhat&quot;minimal&quot;, in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is notoverly restrictive.
Universally Composable Security with Global Setup
 In Proceedings of the 4th Theory of Cryptography Conference
, 2007
"... Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls ..."
Abstract

Cited by 51 (5 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that reestablishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
Universally composable symbolic analysis of mutual authentication and keyexchange protocols
 In Shai Halevi and Tal Rabin, editors, TCC, volume 3876 of LNCS
, 2006
"... Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than fullfledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on crypto ..."
Abstract

Cited by 48 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than fullfledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how DolevYao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and keyexchange protocols. We restrict attention to protocols that use publickey encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to DolevYao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UCsecure. For mutual authentication, our symbolic criterion is similar to the traditional DolevYao criterion. For key exchange, we demonstrate that the traditional DolevYao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent keyexchange protocols are UCsecure. 1
A probabilistic polynomialtime calculus for analysis of cryptographic protocols
 Electronic Notes in Theoretical Computer Science
, 2001
"... We prove properties of a process calculus that is designed for analyzing security protocols. Our longterm goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomialtime protocol steps, a spec ..."
Abstract

Cited by 48 (8 self)
 Add to MetaCart
We prove properties of a process calculus that is designed for analyzing security protocols. Our longterm goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomialtime protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomialtime expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, wellknown in cryptography, that ElGamal encryption’s semantic security is equivalent to the (computational) Decision DiffieHellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.
Protocols for BoundedConcurrent Secure TwoParty Computation in the Plain Model
, 2006
"... Until recently, most research on the topic of secure computation focused on the standalonemodel, where a single protocol execution takes place. In this paper, we construct protocols for the setting of boundedconcurrent selfcomposition, where a (single) secure protocol is run manytimes concurrent ..."
Abstract

Cited by 47 (7 self)
 Add to MetaCart
Until recently, most research on the topic of secure computation focused on the standalonemodel, where a single protocol execution takes place. In this paper, we construct protocols for the setting of boundedconcurrent selfcomposition, where a (single) secure protocol is run manytimes concurrently, and there is a predetermined bound on the number of concurrent executions. In short, we show that any twoparty functionality can be securely computed under boundedconcurrent selfcomposition, in the
Soundness of formal encryption in the presence of keycycles
 In Proc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 of LNCS
, 2005
"... Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are map ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when keycycles are present. We demonstrate that an encryption scheme provides soundness in the presence of keycycles if it satisfies the recentlyintroduced notion of keydependent message (KDM) security. We also show that soundness in the presence of keycycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA2). Therefore, soundness for keycycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosenciphertext security. 1