A Proposal for an ISO Standard for Public Key Encryption (version 2.0), 2001
This document should be viewed less as a first draft of a standard for public-key encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem. Full version of this paper. Available at http://www-cse.ucsd.edu/users/mihir
Abstract. We present a simple, natural random-oracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning it is proven in the RO model to meet its goal yet admits no standard-model instantiation that meets this goal. The goal in question is IND-CCA-preserving asymmetric encryption, which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing RO-model schemes, and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.
The Twin Diffie-Hellman Problem and Applications, 2008
We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the ordinary Diffie-Hellman problem. In particular, we show how to build a certain “trapdoor test” that allows us to effectively answer such decision oracle queries without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
Efficient Signcryption with Key Privacy from Gap Diffie-Hellman Groups
PKC 2004, LNCS, 2004
This paper proposes a new public key authenticated encryption (signcryption) scheme based on the Diffie-Hellman problem in Gap Diffie-Hellman groups. This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea is to introduce some randomness into this signature to increase its level of security in the random oracle model and to reuse that randomness to perform encryption. This results in a signcryption protocol that is more efficient than any combination of that signature with an ElGamal-like encryption scheme. The new scheme is also shown to satisfy really strong security notions and its strong unforgeability is tightly related to the Diffie-Hellman assumption in Gap Diffie-Hellman groups.
Strong Adaptive Chosen-Ciphertext Attacks with Memory Dump (or: The Importance of the Order of Decryption and Validation)
Cryptography and Coding, 8th IMA International Conference, LNCS 2260, 2001
Abstract. This paper presents a new type of powerful cryptanalytic attacks on public-key cryptosystems, extending the more commonly studied adaptive chosen-ciphertext attacks. In the new attacks, an adversary is not only allowed to submit to a decryption oracle (valid or invalid) ciphertexts of her choice, but also to emit a “dump query” prior to the completion of a decryption operation. The dump query returns intermediate results that have not been erased in the course of the decryption operation, thereby allowing the adversary to gain vital advantages in breaking the cryptosystem. We believe that the new attack model approximates more closely existing security systems. We examine its power by demonstrating that most existing public-key cryptosystems, including OAEP-RSA, are vulnerable to our extended attacks.
Formal Indistinguishability extended to the Random Oracle Model
Several generic constructions for transforming one-way functions to asymmetric encryption schemes have been proposed. One-way functions only guarantee the weak secrecy of their arguments. That is, given the image by a one-way function of a random value, an adversary has only negligible probability to compute this random value. Encryption schemes must guarantee a stronger secrecy notion. They must be at least resistant against indistinguishability attacks under chosen plaintext (IND-CPA). Most practical constructions have been proved in the random oracle model (ROM for short). Such computational proofs turn out to be complex and error prone. Bana et al. have introduced Formal Indistinguishability Relations (FIR), as an abstraction of computational indistinguishability. In this paper, we extend the notion of FIR to cope with the ROM on one hand and adaptive adversaries on the other hand. Indeed, when dealing with hash functions in the ROM and one-way functions, it is important to correctly abstract the notion of weak secrecy. Moreover, one needs to extend frames to include adversaries in order to capture security notions such as IND-CPA. To fix these problems, we consider pairs of formal indistinguishability relations and formal non-derivability relations. We provide a general framework along with general theorems that ensure soundness of our approach, and then we use our new framework to verify several examples of encryption schemes, among which the construction of Bellare-Rogaway and Hashed ElGamal.
Design and Implementation of Revocable Electronic Cash System based on Elliptic Curve Discrete Logarithm Problem
"... We have designed and implemented a revocable electronic cash system whose main security is based on ECDLP (Elliptic Curve Discrete Logarithm Problem). To achieve this, we employed a known secure electronic cash system based on DLP (Discrete Logarithm Problem) suggested by Petersen and Poupard [19] a ..."
Computational soundness of static equivalence
Abstract. Privacy related properties in electronic voting are naturally expressed as indistinguishability properties. This motivates the study of observational equivalence, as well as static equivalence in the context of the AVOTÉ project. In this report we survey the existing results on the computational soundness of symbolic indistinguishability relations in the presence of a passive adversary, for which several results were obtained by the members of the AVOTÉ project. This report is based on a recent survey [CKW09] on computational soundness of symbolic methods for analysing security protocols, carried out in the context of the AVOTÉ project.
Soundness in presence of active adversaries
Summary. Security protocols are short programs that aim at securing communication over a public network. Their design is known to be error-prone, with flaws found years later. That is why they deserve a careful security analysis, with rigorous proofs. Two main lines of research have been (independently) developed to analyze the security of protocols. On the one hand, formal methods provide symbolic models and often automatic proofs. On the other hand, cryptographic models propose a tighter modeling, but proofs are more difficult to write and to check. There are two competing approaches to the verification of cryptographic protocols. In the so-called formal (also called Dolev-Yao) model, data are specified using abstract data types (algebraic specification) and are manipulated by honest agents and adversaries according to the operations of the abstract data types. In other words, the abstract data types give an abstract specification of the cryptographic primitives and of the computational power of the adversaries that try to break the security properties. The verification techniques discussed in the previous tasks are based on this model. On the other hand, in the complexity-theoretic model, also called the computational model, the adversary can be any polynomial-time probabilistic algorithm. That is, data manipulation is not restricted to programs that are sequences of operations taken from a fixed finite set of operations but can