Results 1-10 of 47

Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Cited by 284 (23 self)
The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT 2006, volume 4004 of LNCS, 2006
Cited by 156 (37 self)
Abstract. We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maximal advantage against triple encryption is small until it asks about 2^78 queries. Our proof uses code-based game-playing in an integral way, and is facilitated by a framework for such proofs that we provide.
A provable-security treatment of the key-wrap problem
EUROCRYPT 2006, LNCS 4004, 2006
Cited by 50 (12 self)
Abstract. We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol
Cited by 31 (4 self)
Abstract. We analyze the security of the TLS Record Protocol, a MAC-then-Encode-then-Encrypt (MEE) scheme whose design targets confidentiality and integrity for application layer communications on the Internet. Our main results are twofold. First, we give a new distinguishing attack against TLS when variable length padding and short (truncated) MACs are used. This combination will arise when standardized TLS 1.2 extensions (RFC 6066) are implemented. Second, we show that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA.
Hedged Public-Key Encryption: How to Protect against Bad Randomness
IACR EPRINT, 2012
Cited by 29 (13 self)
Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the lack of possible randomness. We provide public-key encryption schemes that achieve IND-CPA security when the randomness they use is of high quality, but, when the latter is not the case, rather than breaking completely, they achieve a weaker but still useful notion of security that we call IND-CDA. This hedged public-key encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RO-based ways to make in-practice IND-CPA schemes hedge secure with minimal software changes. We also provide non-RO model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs which we believe is of independent interest. (Preliminary version was presented at AsiaCrypt 2009)
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
2012
Cited by 19 (2 self)
On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. Their disadvantage is that encryption can be performed in an off-line way, only. This paper introduces a new family of OAE schemes – called McOE – dealing both with nonce-respecting and with general adversaries. Furthermore, we present three family members, i.e., McOE-X, McOE-D, and McOE-G. All of these members are based on a ’simple’ block cipher. In contrast to all other OAE schemes known so far, they provably guarantee reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.
A framework for game-based security proofs
ICICS, Volume 4861 of Lecture Notes in Computer Science, 2007
Cited by 16 (4 self)
Abstract. The game-based approach to security proofs in cryptography is a widely-used methodology for writing proofs rigorously. However a unifying language for writing games is still missing. In this paper we show how CSLR, a probabilistic lambda-calculus with a type system that guarantees that computations are probabilistic polynomial time, can be equipped with a notion of game indistinguishability. This allows us to define cryptographic constructions, effective adversaries, security notions, computational assumptions, game transformations, and game-based security proofs in the unified framework provided by CSLR. Our code for cryptographic constructions is close to implementation in the sense that we do not assume primitive uniform distributions but use a realistic algorithm to approximate them. We illustrate our calculus on cryptographic constructions for public-key encryption and pseudorandom bit generation.
An Optimally Fair Coin Toss
Cited by 15 (0 self)
We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC ’86] showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1/r). However, the best previously known protocol only guarantees O(1/√r) bias, and the question of whether Cleve’s bound is tight has remained open for more than twenty years. In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions, we show that Cleve’s lower bound is tight: we construct an r-round protocol with bias O(1/r).
Stateful public-key cryptosystems: How to encrypt with one 160-bit exponentiation
ACM CCS 06, 2006
Cited by 14 (2 self)
We show how to significantly speed-up the encryption portion of some public-key cryptosystems by the simple expedient of allowing a sender to maintain state that is reused across different encryptions. In particular we present stateful versions of the DHIES and Kurosawa-Desmedt schemes that each use only 1 exponentiation to encrypt, as opposed to 2 and 3 respectively in the original schemes, yielding the fastest discrete-log based public-key encryption schemes known in the random-oracle and standard models respectively. The schemes are proven to meet an appropriate extension of the standard definition of IND-CCA security that takes into account