Code-based game-playing proofs and the security of triple encryption. (2004)

by M Bellare, P Rogaway
Venue:Cryptology ePrint Archive, Report
Add To MetaCart
Results 1 - 10 of 47

Authenticated encryption: Relations among notions and analysis of the generic composition paradigm

by Mihir Bellare, Chanathip Namprempre , 2000
"... and analysis of the generic composition paradigm ..."
Abstract - Cited by 284 (23 self) - Add to MetaCart
and analysis of the generic composition paradigm
(Show Context)

The security of triple encryption and a framework for code-based game-playing proofs

by Mihir Bellare, Phillip Rogaway - EUROCRYPT 2006, volume 4004 of LNCS , 2006
"... Abstract. We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaint ..."
Abstract - Cited by 156 (37 self) - Add to MetaCart
Abstract. We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maximal advantage against triple encryption is small until it asks about 2 78 queries. Our proof uses codebased game-playing in an integral way, and is facilitated by a framework for such proofs that we provide. 1
(Show Context)

A provable-security treatment of the key-wrap problem

by Phillip Rogaway, Thomas Shrimpton - EUROCRYPT 2006, LNCS 4004 , 2006
"... Abstract. We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a ..."
Abstract - Cited by 50 (12 self) - Add to MetaCart
Abstract. We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IVbased authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal. 1
(Show Context)

Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol

by Kenneth G. Paterson, Thomas Ristenpart, Thomas Shrimpton
"... Abstract. We analyze the security of the TLS Record Protocol, a MACthen-Encode-then-Encrypt (MEE) scheme whose design targets confidentiality and integrity for application layer communications on the Internet. Our main results are twofold. First, we give a new distinguishing attack against TLS when ..."
Abstract - Cited by 31 (4 self) - Add to MetaCart
Abstract. We analyze the security of the TLS Record Protocol, a MACthen-Encode-then-Encrypt (MEE) scheme whose design targets confidentiality and integrity for application layer communications on the Internet. Our main results are twofold. First, we give a new distinguishing attack against TLS when variable length padding and short (truncated) MACs are used. This combination will arise when standardized TLS 1.2 extensions (RFC 6066) are implemented. Second, we show that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA. 1

Hedged Public-Key Encryption: How to Protect against Bad Randomness

by Mihir Bellare, Zvika Brakerski, Moni Naor, Thomas Ristenpart, Gil Segev, Hovav Shacham, Scott Yilek - IACR EPRINT , 2012
"... Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, inste ..."
Abstract - Cited by 29 (13 self) - Add to MetaCart
Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the lack of possible randomness. We provide public-key encryption schemes that achieve IND-CPA security when the randomness they use is of high quality, but, when the latter is not the case, rather than breaking completely, they achieve a weaker but still useful notion of security that we call IND-CDA. This hedged public-key encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RO-based ways to make in-practice IND-CPA schemes hedge secure with minimal software changes. We also provide non-RO model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs which we believe is of independent interest. (Preliminary version was presented at AsiaCrypt 2009)
(Show Context)

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

by Ewan Fleischmann, Christian Forler, Stefan Lucks, Jakob Wenzel , 2012
"... On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. Thi ..."
Abstract - Cited by 19 (2 self) - Add to MetaCart
On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. Their disadvantage is that encryption can be performed in an off-line way, only. This paper introduces a nw family of OAE schemes –called McOE – dealing both with nonce-respecting and with general adversaries. Furthermore, we present three family members, i.e., McOE-X, McOE-D, and McOE-G. All of these members are based on a ’simple ’ block cipher. In contrast to all other OAE schemes known so far, they provably guarantee reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.
(Show Context)

Unrestricted Aggregate Signatures

by Mihir Bellare, Chanathip Namprempre , Gregory Neven , 2006
"... ..."
Abstract - Cited by 16 (2 self) - Add to MetaCart
Abstract not found

A framework for game-based security proofs

by David Nowak, Yu Zhang - ICICS. Volume 4861 of Lecture Notes in Computer Science , 2007
"... Abstract. The game-based approach to security proofs in cryptography is a widely-used methodology for writing proofs rigorously. However a unifying language for writing games is still missing. In this paper we show how CSLR, a probabilistic lambda-calculus with a type system that guarantees that com ..."
Abstract - Cited by 16 (4 self) - Add to MetaCart
Abstract. The game-based approach to security proofs in cryptography is a widely-used methodology for writing proofs rigorously. However a unifying language for writing games is still missing. In this paper we show how CSLR, a probabilistic lambda-calculus with a type system that guarantees that computa-tions are probabilistic polynomial time, can be equipped with a notion of game indistinguishability. This allows us to define cryptographic constructions, effective adversaries, security notions, computational assumptions, game transformations, and game-based security proofs in the unified framework provided by CSLR. Our code for cryptographic constructions is close to implementation in the sense that we do not assume primitive uniform distributions but use a realistic algorithm to approximate them. We illustrate our calculus on cryptographic constructions for public-key encryption and pseudorandom bit generation.
(Show Context)

An Optimally Fair Coin Toss

by Tal Moran, Moni Naor, Gil Segev
"... We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of ..."
Abstract - Cited by 15 (0 self) - Add to MetaCart
We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC ’86] showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1/r). However, the best previously known protocol only guarantees O(1 / √ r) bias, and the question of whether Cleve’s bound is tight has remained open for more than twenty years. In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions, we show that Cleve’s lower bound is tight: we construct an r-round protocol with bias O(1/r).

Stateful public-key cryptosystems: How to encrypt with one 160-bit exponentiation

by Mihir Bellare, Tadayoshi Kohno, Victor Shoup - ACM CCS 06 , 2006
"... We show how to significantly speed-up the encryption portion of some public-key cryptosystems by the simple expedient of allowing a sender to maintain state that is re-used across different encryptions. In particular we present stateful versions of the DHIES and Kurosawa-Desmedt schemes that each us ..."
Abstract - Cited by 14 (2 self) - Add to MetaCart
We show how to significantly speed-up the encryption portion of some public-key cryptosystems by the simple expedient of allowing a sender to maintain state that is re-used across different encryptions. In particular we present stateful versions of the DHIES and Kurosawa-Desmedt schemes that each use only 1 exponentiation to encrypt, as opposed to 2 and 3 respectively in the original schemes, yielding the fastest discrete-log based public-key encryption schemes known in the random-oracle and standard models respectively. The schemes are proven to meet an appropriate extension of the standard definition of IND-CCA security that takes into account
(Show Context)