Universally composable security: A new paradigm for cryptographic protocols
2013
Abstract

Cited by 670 (35 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Practical Threshold Signatures
1999
Abstract

Cited by 216 (2 self)
We present an RSA threshold signature scheme. The scheme enjoys the following properties: 1. it is unforgeable and robust in the random oracle model, assuming the RSA problem is hard
On the security of joint signature and encryption
2002
Abstract

Cited by 143 (6 self)
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call “commit-then-encrypt-and-sign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hash-sign-switch” technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Provably Authenticated Group Diffie-Hellman Key Exchange
2001
Abstract

Cited by 125 (19 self)
Group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to provide a pool of players with a shared secret key which may later be used, for example, to achieve multicast message integrity. Over the years, several schemes have been offered. However, no formal treatment for this cryptographic problem has ever been suggested. In this paper, we present a security model for this problem and use it to precisely define AKE (with "implicit" authentication) as the fundamental goal, and the entity-authentication goal as well. We then define in this model the execution of an authenticated group Diffie-Hellman scheme and prove its security.
Scalable Protocols for Authenticated Group Key Exchange
Advances in Cryptology — Crypto 2003, LNCS
Abstract

Cited by 110 (2 self)
We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provably-secure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) “full” modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure — against a passive adversary — a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
2000
Abstract

Cited by 70 (7 self)
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions
EUROCRYPT, 2002
Abstract

Cited by 65 (13 self)
Authenticated Diffie-Hellman key exchange allows two principals communicating over a public network, and each holding public/private keys, to agree on a shared secret value. In this paper we study the natural extension of this cryptographic problem to a group of principals. We begin from existing formal security models and refine them to incorporate major missing details (e.g., strong-corruption and concurrent sessions). Within this model we define the execution of a protocol for authenticated dynamic group Diffie-Hellman and show that it is provably secure under the decisional Diffie-Hellman assumption. Our security result holds in the standard model and thus provides better security guarantees than previously published results in the random oracle model.
Password-based authenticated key exchange in the three-party setting
PKC 2005: 8th International Workshop on Theory and Practice in Public Key Cryptography, volume 3386 of Lecture Notes in Computer Science, 2005
Abstract

Cited by 57 (15 self)
Password-based authenticated key exchange (PAKE) are protocols which are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the three-party scenario, in which the users trying to establish a common secret do not share a password between themselves but only with a trusted server. Towards our goal, we recall some of the existing security notions for PAKE protocols and introduce new ones that are more suitable to the case of generic constructions of three-party protocols. We then present a natural generic construction of a three-party PAKE protocol from any two-party PAKE protocol and prove its security. To the best of our knowledge, the new protocol is the first provably-secure PAKE protocol in the three-party setting.
Secure Reactive Systems
2000
Abstract

Cited by 48 (10 self)
We introduce a precise definition of the security of reactive systems following the simulatability approach in the synchronous model. No simulatability definition for reactive systems has been worked out in similar detail and generality before. Particular new aspects are a precise switching model that allows us to discover timing vulnerabilities, a precise treatment of the interaction of users and adversaries, and independence of the trust model. We present several theorems relating the definition to other possible variants. They substantiate which aspects of such a definition do and do not make a real difference, and are useful in larger proofs. We also have a methodology for defining the security of practical systems by simulation of an ideal system, although they typically have imperfections tolerated for efficiency reasons. We sketch several examples to show the range of applicability, and present a very detailed proof of one example, secure reactive message transmission. Its main purpose...
Password-authenticated key exchange based on RSA
2000
Abstract

Cited by 47 (8 self)
There have been many proposals in recent years for password-authenticated key exchange protocols. Many of these have been shown to be insecure, and the only ones that seemed likely to be proven secure (against active adversaries who may attempt to perform offline dictionary attacks against the password) were based on the Diffie-Hellman problem. In fact, some protocols based on Diffie-Hellman have been recently proven secure in the random-oracle model. We examine how to design a provably-secure password-authenticated key exchange protocol based on RSA. We first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). The resulting protocol is very practical; in fact the basic protocol requires about the same amount of computation as the Diffie-Hellman-based protocols or the well-known ssh protocol.