Relations among notions of security for public-key encryption schemes
1998
Cited by 447 (64 self)
Abstract
We compare the relative strengths of popular notions of security for public-key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen-plaintext attack and two kinds of chosen-ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Cited by 222 (22 self)
Making mix nets robust for electronic voting by randomized partial checking
In USENIX Security Symposium, 2002
REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform
In CT-RSA 2001, volume 2020 of LNCS, 2001
Cited by 76 (21 self)
Abstract
Seven years after the optimal asymmetric encryption padding (OAEP), which makes a chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous:
1. it is more general since it applies to any partially trapdoor one-way function (a.k.a. weakly secure public-key encryption scheme) and therefore provides security relative to RSA but also to the Diffie-Hellman problem or the factorization;
2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates;
3. it provides a key distribution with session key encryption, whose overall scheme achieves chosen-ciphertext security even with a weakly secure symmetric scheme.
Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
Chosen-Ciphertext Security for any One-Way Cryptosystem
In PKC '00, LNCS 1751, 2000
Cited by 40 (12 self)
Abstract
For two years, public key encryption has become an essential topic in cryptography, namely with security against chosen-ciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model. More concretely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext secure encryption scheme. Indeed, the overhead only consists of two hashings and a XOR. As an application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational Diffie-Hellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).
Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles
2008
Cited by 33 (7 self)
Abstract
We strengthen the foundations of deterministic public-key encryption via definitional equivalences and standard-model constructs based on general assumptions. Specifically we consider seven notions of privacy for deterministic encryption, including six forms of semantic security and an indistinguishability notion, and show them all equivalent. We then present a deterministic scheme for the secure encryption of uniformly and independently distributed messages based solely on the existence of trapdoor one-way permutations. We show a generalization of the construction that allows secure deterministic encryption of independent high-entropy messages. Finally we show relations between deterministic and standard (randomized) encryption.
Public-Key Cryptography and Password Protocols: The Multi-User Case
In CCS '99: Proceedings of the 6th ACM Conference on Computer and Communications Security, 1999
Cited by 30 (0 self)
Abstract
The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we:
- Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case.
- Propose a new definition of security for the multi-user case, expressed in terms of transcripts of the entire system, rather than individual protocol executions.
- Suggest several ways of achieving this security against both static and dynamic adversaries.
In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition.
Extended Notions of Security for Multicast Public Key Cryptosystems
In Public Key Cryptosystems, ICALP 2000, LNCS 1853, 2000
Cited by 29 (9 self)
Abstract
In this paper we introduce two notions of security: multi-user indistinguishability and multi-user non-malleability. We believe that they encompass the correct requirements for public key encryption schemes in the context of multicast communications. A precise and non-trivial analysis proves that they are equivalent to the former single-user notions, provided the number of participants is polynomial. We also introduce a new definition for non-malleability which is simpler than those currently in use. We believe that our results are of practical significance: especially they support the use of PKCS#1 v.2 based on OAEP in the multicast setting.
Chosen-ciphertext security without redundancy
In Advances in Cryptology – ASIACRYPT 2003, 2003
Cited by 18 (2 self)
Abstract
We propose asymmetric encryption schemes for which all ciphertexts are valid (which means here "reachable": the encryption function is not only a probabilistic injection, but also a surjection). We thus introduce the Full-Domain Permutation encryption scheme which uses a random permutation. This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and more interestingly, the bandwidth is optimal: the ciphertext is over k more bits only than the plaintext, where 2^-k is the expected security level. Thereafter, we apply it into the random oracle model by instantiating the random permutation with a Feistel network construction, and thus using OAEP. Unfortunately, the usual 2-round OAEP does not seem to be provably secure, but a 3-round can be proved IND-CCA even without the usual redundancy m || 0^k1, under the partial-domain one-wayness of any trapdoor permutation.
Does Encryption with Redundancy Provide Authenticity?
In Advances in Cryptology — EUROCRYPT 2001, B. Pfitzmann, ed., Lecture Notes in Computer Science, 2001
Cited by 16 (5 self)
Abstract
A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.