Results 1-10 of 11
Formalizing human ignorance: Collision-resistant hashing without the keys
In Proc. Vietcrypt ’06, 2006
Cited by 22 (0 self)
Abstract. There is a foundational problem involving collision-resistant hash functions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0,1}^* → {0,1}^n always admits an efficient collision-finding algorithm, it’s just that us human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitly-given reduction, normally a black-box one. We illustrate this approach using well-known examples involving digital signatures, pseudorandom functions, and the Merkle-Damgård construction. Key words. Collision-free hash function, Collision-intractable hash function, Collision-resistant hash function, Cryptographic hash function, Provable security.
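The "explicitly-given, black-box reduction" the abstract refers to is easiest to see on the Merkle-Damgård case it mentions: a colliding pair for the iterated hash H is turned into a colliding pair for the compression function f by walking both chains backwards. The code below is an added example, not from the paper: the 16-bit compression function (truncated BLAKE2b), the padding and the birthday search are constructed so that an H-collision can actually be found and the reduction run end to end. The reduction itself only calls f, never inspects it.

```python
"""Merkle-Damgard over a toy 16-bit compression function, with the explicit
black-box reduction "collision in H => collision in f" carried out on a
real colliding pair. Added example; the 16-bit sizes are constructed so a
collision in H can be found by brute force."""
import hashlib
import random
import struct
from typing import List, Tuple

N_BYTES = 2              # chaining value / digest size: 16 bits (toy)
B_BYTES = 2              # message block size: 16 bits (toy)
IV = b"\x00" * N_BYTES   # fixed initial chaining value

Block = Tuple[bytes, bytes]   # (h_{i-1}, m_i): one input to f


def compress(h: bytes, m: bytes) -> bytes:
    """Toy compression function f: {0,1}^16 x {0,1}^16 -> {0,1}^16.
    Constructed for this example by truncating BLAKE2b; the reduction
    below never looks inside it (black-box use)."""
    assert len(h) == N_BYTES and len(m) == B_BYTES
    return hashlib.blake2b(h + m, digest_size=N_BYTES).digest()


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length
    as a final 16-bit big-endian field (messages are kept under 8 KiB)."""
    assert len(msg) < 2 ** 13
    padded = msg + b"\x80"
    while (len(padded) + 2) % B_BYTES:
        padded += b"\x00"
    return padded + struct.pack(">H", 8 * len(msg))


def chain(msg: bytes) -> List[Block]:
    """Every (h_{i-1}, m_i) pair fed to f while hashing msg, in order."""
    inputs: List[Block] = []
    h = IV
    padded = pad(msg)
    for i in range(0, len(padded), B_BYTES):
        blk = padded[i:i + B_BYTES]
        inputs.append((h, blk))
        h = compress(h, blk)
    return inputs


def md_hash(msg: bytes) -> bytes:
    """H(msg): output of f on the last chaining input."""
    h_prev, blk = chain(msg)[-1]
    return compress(h_prev, blk)


def reduce_collision(m1: bytes, m2: bytes) -> Tuple[Block, Block]:
    """Explicit reduction: from m1 != m2 with H(m1) == H(m2), return two
    distinct inputs to f with equal outputs. Walk both chains from the
    last block backwards; the first position where the f-inputs differ
    is an f-collision, because the f-outputs there are already known equal."""
    assert m1 != m2 and md_hash(m1) == md_hash(m2)
    c1, c2 = chain(m1), chain(m2)
    i, j = len(c1) - 1, len(c2) - 1
    while i >= 0 and j >= 0:
        if c1[i] != c2[j]:
            return c1[i], c2[j]
        # equal inputs => equal outputs, so the previous chaining values
        # h_{i-1} == h'_{j-1} collide as well: step back one block
        i, j = i - 1, j - 1
    # Unreachable: strengthening puts |m| in the last block, so messages of
    # different length differ there, and equal-length messages whose blocks
    # all agree are the same message.
    raise AssertionError("MD strengthening rules this case out")


def find_md_collision(seed: int = 1) -> Tuple[bytes, bytes]:
    """Birthday search for an H-collision among short random messages.
    Feasible only because the digest is 16 bits (~300 trials expected)."""
    rng = random.Random(seed)
    seen = {}
    while True:
        m = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 6)))
        d = md_hash(m)
        if d in seen and seen[d] != m:
            return seen[d], m
        seen[d] = m


def demo(seed: int = 1) -> bool:
    """Find an H-collision, run the reduction, check the f-collision."""
    m1, m2 = find_md_collision(seed)
    (h1, b1), (h2, b2) = reduce_collision(m1, m2)
    return (h1, b1) != (h2, b2) and compress(h1, b1) == compress(h2, b2)


if __name__ == "__main__":
    print("reduction produced a compression-function collision:", demo())
```

The point of stating the theorem this way is visible in `reduce_collision`: it is a concrete program that works for any f, so "H is collision-resistant if f is" becomes "any program that finds H-collisions, composed with this one, finds f-collisions", with no key needed to make the statement meaningful.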
A machine-checked formalization of the generic model and the random oracle model
In Proceedings of IJCAR’04, vol. 3097, Lecture Notes in Computer Science
Cited by 22 (5 self)
Abstract. Most approaches to the formal analyses of cryptographic protocols make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Ideally, one would prefer to rely on a weaker hypothesis on the computational cost of gaining information about the plaintext pertaining to a ciphertext without knowing the key. Such a view is permitted by the Generic Model and the Random Oracle Model, which provide non-standard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the proof assistant Coq, we provide a machine-checked account of the Generic Model and the Random Oracle Model.
Security of Signature Schemes in a Multi-User Setting
2001
Cited by 14 (1 self)
This paper considers the security of signature schemes in the multi-user setting. We argue that the well-accepted notion of security for signature schemes, namely existential unforgeability against adaptive chosen-message attacks, is not adequate for the multi-user setting. We extend this security notion to the multi-user setting and show that signature schemes proven secure in the single-user setting can, under reasonable constraints, also be proven secure in the multi-user setting.
Machine-checked security proofs of cryptographic signature schemes
In Proceedings of ESORICS’05, volume 3xxx of Lecture Notes in Computer Science, 2005
Cited by 9 (1 self)
Abstract. Formal methods have been extensively applied to the certification of cryptographic protocols. However, most of these works make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Models that do not require the perfect cryptography assumption are the generic model and the random oracle model. These models provide non-standard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the machine-checked account of the Generic Model and the Random Oracle Model formalized in Coq, we prove the safety of cryptosystems that depend on a cyclic group (like the ElGamal cryptosystem) against interactive generic attacks, and we prove the security of blind signatures against interactive attacks. To prove the last step, we use a generic parallel attack to create a forged signature.
Another look at generic groups
Advances in Mathematics of Communications, 2006
Cited by 9 (3 self)
(Communicated by Andreas Stein) Abstract. Starting with Shoup’s seminal paper [24], the generic group model has been an important tool in reductionist security arguments. After an informal explanation of this model and Shoup’s theorem, we discuss the danger of flaws in proofs. We next describe an ontological difference between the generic group assumption and the random oracle model for hash functions. We then examine some criticisms that have been leveled at the generic group model and raise some questions of our own.
A Machine-Checked Formalization of the Random Oracle Model
In Proceedings of TYPES’04, Lecture Notes in Computer Science, 2005
Cited by 6 (0 self)
Abstract. Most approaches to the formal analysis of cryptographic protocols make the perfect cryptography assumption, which entails for example that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Ideally, one would prefer to abandon the perfect cryptography hypothesis and reason about the computational cost of breaking a cryptographic scheme by achieving such goals as gaining information about the plaintext pertaining to a ciphertext without knowing the key. Such a view is permitted by non-standard computational models such as the Generic Model and the Random Oracle Model. Using the proof assistant Coq, we provide a machine-checked account of the Generic Model and the Random Oracle Model. We exploit this framework to prove the security of the ElGamal cryptosystem against adaptive chosen-ciphertext attacks.
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions
2007
Cited by 5 (2 self)
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely the twenty collision-resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiability attacks were presented on four of the twenty collision-resistant PGV and the PBGV hash functions with prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed for the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiability attacks on the four PGV and the PBGV hash functions. The formal proofs show that those hash functions are indifferentiable from a random oracle in the ideal cipher model with prefix-free padding, the NMAC/HMAC and the chop construction.
Non-interactive Manual Channel Message Authentication Based on eTCR Hash Functions
Cited by 1 (0 self)
Abstract. We present a new non-interactive message authentication protocol in the manual channel model (NIMAP, for short) using the weakest assumption on the manual channel (i.e. assuming the strongest adversary). Our protocol uses an enhanced target collision resistant (eTCR) hash family and is provably secure in the standard model. We compare our protocol with protocols with similar properties and show that the new NIMAP has the same security level as the best previously known NIMAP whilst it is more practical. In particular, to authenticate a message such as a 1024-bit public key, we require an eTCR hash family that can be constructed from any off-the-shelf Merkle-Damgård hash function using randomized hashing mode. The underlying compression function must be evaluated second preimage resistant (eSPR), which is a strictly weaker security property than collision resistance. We also revisit some closely related security notions for hash functions and study their relationships to help in understanding our protocol. Key words: Message authentication, manual channel, eTCR hash family, randomized hashing, hash function security.
On the Joint Security of Encryption and Signature in EMV
Cited by 1 (1 self)
Abstract. We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key pair is used for both signature and encryption. We give a theoretical attack for EMV’s current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV’s CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder’s PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key pair setting, and shown to be secure.
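The hazard this abstract studies has a textbook core worth seeing in code: in raw RSA the private operation used to decrypt is the same private operation used to sign, so any oracle that decrypts attacker-chosen "ciphertexts" also signs attacker-chosen messages. The block below is an added example and is not the paper's EMV attack: it models a full raw decryption oracle rather than the partial oracle and EMV formats the paper works with, and the key generation, the oracle and the target message are constructed for the example (512-bit toy modulus for speed). It also shows the contrast the abstract's conclusion points at: with a separate signing key pair, the same oracle yields nothing usable.

```python
"""Why one RSA key pair for both encryption and signature is dangerous:
with textbook RSA, a decryption oracle IS a signing oracle. Added example
illustrating the joint-security problem in its simplest form; it does not
model EMV's message formats or the paper's partial oracle."""
import random
from typing import Callable, NamedTuple


class RSAKey(NamedTuple):
    n: int
    e: int
    d: int


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(prime_bits: int, rng: random.Random, e: int = 65537) -> RSAKey:
    """Textbook RSA key pair; the seeded RNG makes the demo reproducible."""
    while True:
        p, q = _gen_prime(prime_bits, rng), _gen_prime(prime_bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return RSAKey(p * q, e, pow(e, -1, phi))


def private_op(x: int, key: RSAKey) -> int:
    """x^d mod n: in textbook RSA this single operation both decrypts and signs."""
    return pow(x, key.d, key.n)


def encrypt(m: int, key: RSAKey) -> int:
    return pow(m, key.e, key.n)


def verify(m: int, sig: int, key: RSAKey) -> bool:
    return pow(sig, key.e, key.n) == m


def forge_with_decryption_oracle(m: int, decrypt: Callable[[int], int]) -> int:
    """The attacker never learns d: it submits the message it wants signed
    as if it were a ciphertext, and the decryption oracle returns m^d mod n."""
    return decrypt(m)


def demo(seed: int = 7) -> bool:
    """True when the forgery verifies under the shared key but not under a
    separate signing key. The oracle and message are constructed inputs."""
    rng = random.Random(seed)
    shared = keygen(256, rng)           # one key pair used for both purposes
    separate = keygen(256, rng)         # a distinct key pair for signing only
    m = int.from_bytes(b"constructed target message", "big")
    assert private_op(encrypt(m, shared), shared) == m   # normal decryption works
    oracle = lambda c: private_op(c, shared)             # attacker's decryption access
    sig = forge_with_decryption_oracle(m, oracle)
    forged_shared = verify(m, sig, shared)      # valid signature, d never revealed
    forged_separate = verify(m, sig, separate)  # useless against an independent key
    return forged_shared and not forged_separate


if __name__ == "__main__":
    print("decryption oracle forged a signature under the shared key:", demo())
```

Real deployments put padding and hashing around both operations, which is exactly where a joint-security analysis has to look: whether the encryption padding check and the signature format leave enough overlap that a (possibly partial) decryption oracle still yields something the signature verifier accepts. The raw case above is the baseline such an analysis starts from, not a description of EMV's formats.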
Wide-Strong Private RFID Identification based on Zero-Knowledge
Cited by 1 (1 self)
Abstract. We present the first wide-strong RFID identification protocol that is based on zero-knowledge. Until now this notion has only been achieved by schemes based on IND-CCA2 encryption. Rigorous proofs in the standard model are provided for the security and privacy properties of our protocol. Furthermore our protocol is the most efficient solution presented in the literature. Using only Elliptic Curve Cryptography (ECC), the required circuit area can be minimized such that our protocol even fits on small RFID tags. Concerning computation on the tag, we only require two scalar EC point multiplications. Keywords. RFID, Private Identification, Zero-Knowledge, Elliptic Curve Cryptography.