Results 1-10 of 57
Relations among notions of security for public-key encryption schemes, 1998
Cited by 496 (69 self)
Abstract. We compare the relative strengths of popular notions of security for public-key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, 2000
Cited by 263 (24 self)
Making mix nets robust for electronic voting by randomized partial checking. In USENIX Security Symposium, 2002
Public-Key Encryption in a Multi-User Setting: Security Proofs and Improvements. Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir
Cited by 120 (7 self)
Abstract. This paper addresses the security of public-key cryptosystems in a "multi-user" setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Håstad's classical attacks on RSA. We prove that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pinpointing many schemes guaranteed to be secure against Håstad-type attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Diffie-Hellman based schemes, namely El Gamal and Cramer-Shoup.
REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform. CT-RSA 2001, volume 2020 of LNCS, 2001
Cited by 77 (21 self)
Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes a chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous: 1. it is more general since it applies to any partially trapdoor one-way function (a.k.a. weakly secure public-key encryption scheme) and therefore provides security relative to RSA but also to the Diffie-Hellman problem or the factorization; 2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates; 3. it provides a key distribution with session key encryption, whose overall scheme achieves chosen-ciphertext security even with a weakly secure symmetric scheme. Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
Chosen-Ciphertext Security for any One-Way Cryptosystem. In PKC ’00, LNCS 1751, 2000
Cited by 44 (13 self)
Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosen-ciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model. More concretely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext secure encryption scheme. Indeed, the overhead only consists of two hashings and an XOR. As application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational Diffie-Hellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).
Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles, 2008
Cited by 42 (11 self)
We strengthen the foundations of deterministic public-key encryption via definitional equivalences and standard-model constructs based on general assumptions. Specifically we consider seven notions of privacy for deterministic encryption, including six forms of semantic security and an indistinguishability notion, and show them all equivalent. We then present a deterministic scheme for the secure encryption of uniformly and independently distributed messages based solely on the existence of trapdoor one-way permutations. We show a generalization of the construction that allows secure deterministic encryption of independent high-entropy messages. Finally we show relations between deterministic and standard (randomized) encryption.
Public-Key Cryptography and Password Protocols: The Multi-User Case. In CCS ’99: Proceedings of the 6th ACM conference on Computer and communications security, 1999
Cited by 33 (0 self)
The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we:
• Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case.
• Propose a new definition of security for the multi-user case, expressed in terms of transcripts of the entire system, rather than individual protocol executions.
• Suggest several ways of achieving this security against both static and dynamic adversaries.
In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition.
Extended Notions of Security for Multicast Public Key Cryptosystems. In ICALP 2000, LNCS 1853, 2000
Cited by 32 (9 self)
In this paper we introduce two notions of security: multi-user indistinguishability and multi-user non-malleability. We believe that they encompass the correct requirements for public key encryption schemes in the context of multicast communications. A precise and non-trivial analysis proves that they are equivalent to the former single-user notions, provided the number of participants is polynomial. We also introduce a new definition for non-malleability which is simpler than those currently in use. We believe that our results are of practical significance: especially they support the use of PKCS#1 v.2 based on OAEP in the multicast setting.