A Computationally Sound Mechanized Prover for Security Protocols
In Proc. 27th IEEE Symposium on Security & Privacy, 2005
Cited by 78 (9 self)
We present a new mechanized prover for secrecy properties of cryptographic protocols.
Computationally sound implementations of equational theories against . . .
2008
Cited by 54 (17 self)
In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.
Circular-Secure Encryption from Decision Diffie-Hellman
2008
Cited by 49 (5 self)
Let E be a public-key encryption system and let (pk_i, sk_i) be public/private key pairs for E for i = 0,..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of sk_i under pk_{(i mod n)+1} for all i = 1,..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only been proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of sk_i under pk_j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published.
Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems
Cited by 37 (10 self)
The well-studied task of learning a linear function with errors is a seemingly hard problem and the basis for several cryptographic schemes. Here we demonstrate additional applications that enjoy strong security properties and a high level of efficiency. Namely, we construct: 1. Public-key and symmetric-key cryptosystems that provide security for key-dependent messages and enjoy circular security. Our schemes are highly efficient: in both cases the ciphertext is only a constant factor larger than the plaintext, and the cost of encryption and decryption is only n · polylog(n) bit operations per message symbol in the public-key case, and polylog(n) bit operations in the symmetric case. 2. Two efficient pseudorandom objects: a “weak randomized pseudorandom function” (a relaxation of standard PRF) that can be computed obliviously via a simple protocol, and a length-doubling pseudorandom generator that can be computed by a circuit of n ·
Security under key-dependent inputs
In proceedings of the 14th ACM conference on computer and communications security (CCS, 2007
Cited by 27 (1 self)
In this work we revisit the question of building cryptographic primitives that remain secure even when queried on inputs that depend on the secret key. This was investigated by Black, Rogaway, and Shrimpton in the context of randomized encryption schemes and in the random oracle model. We extend the investigation to deterministic symmetric schemes (such as PRFs and block ciphers) and to the standard model. We term this notion “security against key-dependent-input attack”, or KDI-security for short. Our motivation for studying KDI security is the existence of significant real-world implementations of deterministic encryption (in the context of storage encryption) that actually rely on their building blocks to be KDI secure. We consider many natural constructions for PRFs, ciphers, tweakable ciphers and randomized encryption, and examine them with respect to their KDI security. We exhibit inherent limitations of this notion and show many natural constructions that fail to be KDI secure in the standard model, including some schemes that have been proven in the random oracle model. On the positive side, we demonstrate examples where some measure of KDI security can be provably achieved (in particular, we show such examples in the standard model).
Key-dependent message security under active attacks - BRSIM/UC . . .
JOURNAL OF OPERATIONS MANAGEMENT, 2007
Cited by 20 (2 self)
Key-dependent message security, short KDM security, was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly motivated by key cycles in Dolev-Yao models, i.e., symbolic abstractions of cryptography by term algebras, and a corresponding soundness result was later shown by Adão et al. However, both the KDM definition and this soundness result do not allow the general active attacks typical for Dolev-Yao models and for security protocols in general. We extend these definitions so that we can obtain a soundness result under active attacks. We first present a definition AKDM as a KDM equivalent of authenticated symmetric encryption, i.e., it provides chosen-ciphertext security and integrity of ciphertexts even for key cycles. However, this is not yet sufficient for the desired soundness, and thus we give a definition DKDM that additionally allows limited dynamic revelation of keys. We show that this is sufficient for soundness, even in the strong sense of black-box reactive simulatability (BRSIM)/UC and including joint terms with other operators. We also present constructions of schemes secure under the new definitions, based on current KDM-secure schemes. Moreover, we explore the relations between the new definitions and existing ones for symmetric encryption in detail, in the sense of implications or separating examples for almost all cases.
Towards key-dependent message security in the standard model
In Eurocrypt’08, 2008
Cited by 20 (2 self)
Standard security notions for encryption schemes do not guarantee any security if the encrypted messages depend on the secret key. Yet it is exactly the stronger notion of security in the presence of key-dependent messages (KDM security) that is required in a number of applications: most prominently, KDM security plays an important role in analyzing cryptographic multiparty protocols in a formal calculus. But although often assumed, the mere existence of KDM secure schemes is an open problem. The only previously known construction was proven secure in the random oracle model. We present symmetric encryption schemes that are KDM secure in the standard model (i.e., without random oracles). The price we pay is that we achieve only a relaxed (but still useful) notion of key-dependent message security. Our work answers (at least partially) an open problem posed by Black, Rogaway, and Shrimpton. More concretely, our contributions are as follows: 1. We present a (stateless) symmetric encryption scheme that is information-theoretically secure in face of a bounded number and length of encryptions for which the messages depend in an arbitrary way on the secret key. 2. We present a stateful symmetric encryption scheme that is computationally secure in face of an arbitrary number of encryptions for which the messages depend only on the respective current secret state/key of the scheme. The underlying computational assumption is minimal: we assume the existence of one-way functions. 3. We give evidence that the only previously known KDM secure encryption scheme cannot be proven secure in the standard model (i.e., without random oracles). Keywords: Key-dependent message security, security proofs, symmetric encryption schemes.
Computationally Sound Mechanized Proofs of Correspondence Assertions
2007
Cited by 17 (6 self)
We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared and public-key encryption, signatures, message authentication codes, and hash functions. It has been implemented in the tool CryptoVerif and successfully tested on examples from the literature.
Bounded Key-Dependent Message Security
2009
Cited by 14 (3 self)
We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, for all polynomials L and N we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme which additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that the encryption and decryption algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain nonstandard hardness assumptions. Previous works obtained either full KDM security in the random oracle model (Black et al., SAC 2002) or security with respect to a very restricted class of functions (e.g., clique/circular security and affine functions, Boneh et al., CRYPTO 2008, and Applebaum et al., CRYPTO 2009). Our main result is based on a combination of the circular-secure encryption scheme of either Boneh et al. or Applebaum et al. with Yao’s garbled circuit construction. Finally, we extend the impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions, using only black-box access to the query function and the adversary attacking the scheme. This proves that the non-black-box usage of the query function in our proof of security makes to the KDM query function is inherent. Keywords: KDM/clique/circular security; fully homomorphic encryption; formal security.
Deciding key cycles for security protocols
In Proc. 13th Inter. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR’06), volume 4246 of LNCS, 2006
Cited by 9 (3 self)
Many recent results are concerned with interpreting proofs of security done in symbolic models in the more detailed models of computational cryptography. In the case of symmetric encryption, these results stringently demand that no key cycle (e.g. {k}_k) can be produced during the execution of protocols. While security properties like secrecy or authentication have been proved decidable for many interesting classes of protocols, the automatic detection of key cycles has not been studied so far. In this paper, we prove that deciding the existence of key-cycles is NP-complete for a bounded number of sessions. Next, we observe that the techniques that we use are of more general interest and apply them to reprove the decidability of a significant existing fragment of protocols with timestamps.