A Concrete Security Treatment of Symmetric Encryption
Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997
We study notions and schemes for symmetric (i.e. private key) encryption in a concrete security framework. We give four different notions of security against chosen plaintext attack and analyze the concrete complexity of reductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning
Multicast security: A taxonomy and some efficient constructions
1999
Abstract—Multicast communication is becoming the basis for a growing number of applications. It is therefore critical to provide sound security mechanisms for multicast communication. Yet, existing security protocols for multicast offer only partial solutions. We first present a taxonomy of multicast scenarios on the Internet and point out relevant security concerns. Next we address two major security problems of multicast communication: source authentication, and key revocation. Maintaining authenticity in multicast protocols is a much more complex problem than for unicast; in particular, known solutions are prohibitively inefficient in many cases. We present a solution that is reasonable for a range of scenarios. Our approach can be regarded as a ‘midpoint’ between traditional Message Authentication Codes and digital signatures. We also present an improved solution to the key revocation problem.
Privacy Preserving Auctions and Mechanism Design
1999
We suggest an architecture for executing protocols for auctions and, more generally, mechanism design. Our goal is to preserve the privacy of the inputs of the participants (so that no nonessential information about them is divulged, even a posteriori) while maintaining communication and computational efficiency. We achieve this goal by adding another party, the auction issuer, that generates the programs for computing the auctions but does not take an active part in the protocol. The auction issuer is not a trusted party, but is assumed not to collude with the auctioneer. In the case of auctions, barring collusion between the auctioneer and the auction issuer, neither party gains any information about the bids, even after the auction is over. Moreover, bidders can verify that the auction was performed correctly. The protocols do not require any communication between the bidders and the auction issuer and the computational efficiency is very reasonable. This architecture can be used to implement any mechanism design where the important factor is the complexity of the decision procedure.
Multimedia data-embedding and watermarking technologies
Proceedings of the IEEE, 1998
In this paper, we review recent developments in transparent data embedding and watermarking for audio, image, and video. Data-embedding and watermarking algorithms embed text, binary streams, audio, image, or video in a host audio, image, or video signal. The embedded data are perceptually inaudible or invisible to maintain the quality of the source data. The embedded data can add features to the host multimedia signal, e.g., multilingual soundtracks in a movie, or provide copyright protection. We discuss the reliability of data-embedding procedures and their ability to deliver new services such as viewing a movie in a given rated version from a single multicast stream. We also discuss the issues and problems associated with copy and copyright protections and assess the viability of current watermarking algorithms as a means for protecting copyrighted data. Keywords—Copyright protection, data embedding, steganography, watermarking.
Signature Schemes Based on the Strong RSA Assumption
ACM Transactions on Information and System Security, 1998
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
2001
We present several new and fairly practical public-key encryption schemes and prove them secure against adaptive chosen ciphertext attack. One scheme is based on Paillier's Decision Composite Residuosity (DCR) assumption [7], while another is based on the classical Quadratic Residuosity (QR) assumption. The analysis is in the standard cryptographic model, i.e., the security of our schemes does not rely on the Random Oracle model. We also introduce the notion of a universal hash proof system. Essentially, this is a special kind of non-interactive zero-knowledge proof system for an NP language. We do not show that universal hash proof systems exist for all NP languages, but we do show how to construct very efficient universal hash proof systems for a general class of group-theoretic language membership problems. Given an efficient universal hash proof system for a language with certain natural cryptographic indistinguishability properties, we show how to construct efficient public-key encryption schemes secure against adaptive chosen ciphertext attack in the standard model. Our construction only uses the universal hash proof system as a primitive: no other primitives are required, although even more efficient encryption schemes can be obtained by using hash functions with appropriate collision-resistance properties. We show how to construct efficient universal hash proof systems for languages related to the DCR and QR assumptions. From these we get corresponding public-key encryption schemes that are secure under these assumptions. We also show that the Cramer-Shoup encryption scheme (which up until now was the only practical encryption scheme that could be proved secure against adaptive chosen ciphertext attack under a reasonable assumption, namely, the Decision...
Random number generation
Random numbers are the nuts and bolts of simulation. Typically, all the randomness required by the model is simulated by a random number generator whose output is assumed to be a sequence of independent and identically distributed (IID) U(0, 1) random variables (i.e., continuous random variables distributed uniformly over the interval
Randomness Requirements for Security
BCP 106, RFC 4086, 2005
This document is intended to become a Best Current Practice. Comments should be sent to the authors. Distribution is unlimited. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1idabstracts.txt The list of Internet-Draft Shadow Directories can be accessed at
Finding Hard Instances of the Satisfiability Problem: A Survey
1997
Finding sets of hard instances of propositional satisfiability is of interest for understanding the complexity of SAT, and for experimentally evaluating SAT algorithms. In discussing this we consider the performance of the most popular SAT algorithms on random problems, the theory of average case complexity, the threshold phenomenon, known lower bounds for certain classes of algorithms, and the problem of generating hard instances with solutions.
Parallelizable Encryption Mode with Almost Free Message Integrity
2000
In this document we propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a mode of operation for encryption, but a mode of operation for authenticated encryption. As the title of the document suggests, the new mode achieves the additional property with little extra overhead, as will be explained below. The new mode is also highly parallelizable. In fact, it has a critical path of only two block cipher invocations. By one estimate, a hardware implementation of this mode on a single board (housing 1000 block cipher units) achieves terabits/sec (10^12 bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial implementation of this mode. The new mode also comes with proofs of security, assuming that the underlying block ciphers are secure. For confidentiality, the mode achieves the same provable security bound as CBC. For authentication, the mode achieves the same provable security bound as CBC-MAC. The new parallelizable mode removes chaining from the well known CBC mode, and instead does an input whitening (as well as an output whitening) with a pairwise independent sequence. Thus, it becomes similar to the ECB mode. However, with the input whitening with the pairwise independent sequence the new mode has provable security similar to CBC (Note: ECB does not have security guarantees like CBC). Also, the output whitening with the pairwise independent sequence guarantees message integrity. The pairwise independent sequence can be generated with little overhead. In fact, the input and output whitening sequence need only be pairwi...