Results 1  10
of
53
On the security of joint signature and encryption
, 2002
"... We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of t ..."
Abstract

Cited by 138 (6 self)
 Add to MetaCart
We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encryptthensign” (EtS) and “signthenencrypt” (StE) methods are both secure composition methods in the publickey setting. We also present a new composition method which we call “committhenencryptandsign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hashsignswitch” technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2security, which we call generalized CCA2ecurity (gCCA2). We show that gCCA2security suffices for all known uses of CCA2secure encryption, while no longer suffering from the definitional shortcomings of the latter.
RSAOAEP is Secure under the RSA Assumption
, 2002
"... Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another ..."
Abstract

Cited by 128 (20 self)
 Add to MetaCart
Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP oers semantic security against adaptive chosenciphertext attacks, in the random oracle model, under the partialdomain onewayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partialdomain onewayness of the RSA function is equivalent to its (fulldomain) onewayness, it follows that the security of RSA{OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
The gapproblems: a new class of problems for the security of cryptographic schemes
 Proceedings of PKC 2001, volume 1992 of LNCS
, 1992
"... Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical ins ..."
Abstract

Cited by 122 (11 self)
 Add to MetaCart
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the DiffieHellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10year old open security problem: the Chaum’s undeniable signature.
An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem,” Full version of this paper. Available at http://wwwcse.ucsd.edu/users/mihir
"... Abstract. We present a simple, natural randomoracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standardmodel instantiation that meets this goal. The goal in question is INDCCApreserving asymmetric encryption w ..."
Abstract

Cited by 78 (5 self)
 Add to MetaCart
Abstract. We present a simple, natural randomoracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standardmodel instantiation that meets this goal. The goal in question is INDCCApreserving asymmetric encryption which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing ROmodel schemes, and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of ROmodel schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed. 1
TagKEM/DEM: a New Framework for Hybrid Encryption and a New Analysis of KurosawaDesmedt KEM
 in Proc. Eurocrypt
, 2005
"... Abstract This paper presents a novel framework for the generic construction of hybrid encryptionschemes which produces more efficient schemes than the ones known before. A previous ..."
Abstract

Cited by 55 (6 self)
 Add to MetaCart
Abstract This paper presents a novel framework for the generic construction of hybrid encryptionschemes which produces more efficient schemes than the ones known before. A previous
Threshold Cryptosystems Secure against ChosenCiphertext Attacks
 IN PROC. OF ASIACRYPT
, 2000
"... Semantic security against chosenciphertext attacks (INDCCA) is widely believed as the correct security level for publickey encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
Semantic security against chosenciphertext attacks (INDCCA) is widely believed as the correct security level for publickey encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving INDCCA. Both are El Gamallike schemes and thus are based on the same intractability assumption, namely the Decisional DiffieHellman problem. In this article we rehabilitate the twinencryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) INDCPA scheme into a (threshold) INDCCA one in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of threshold cryptosystem secure against chosenciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the “homomorphic properties” of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a “homomorphic cryptosystem”, but just keep the homomorphic properties.
Improving Lattice Based Cryptosystems Using the Hermite Normal Form
 In Silverman [Sil01
"... We describe a simple technique that can be used to substantially reduce the key and ciphertext size of various lattice based cryptosystems and trapdoor functions of the kind proposed by Goldreich, Goldwasser and Halevi (GGH). The improvement is signi cant both from the theoretical and practical poin ..."
Abstract

Cited by 28 (7 self)
 Add to MetaCart
We describe a simple technique that can be used to substantially reduce the key and ciphertext size of various lattice based cryptosystems and trapdoor functions of the kind proposed by Goldreich, Goldwasser and Halevi (GGH). The improvement is signi cant both from the theoretical and practical point of view, reducing the size of both key and ciphertext by a factor n equal to the dimension of the lattice (i.e., several hundreds for typical values of the security parameter.) The eciency improvement is obtained without decreasing the security of the functions: we formally prove that the new functions are at least as secure as the original ones, and possibly even better as the adversary gets less information in a strong information theoretical sense. The increased eciency of the new cryptosystems allows the use of bigger values for the security parameter, making the functions secure against the best cryptanalytic attacks, while keeping the size of the key even below the smallest key size for which lattice cryptosystems were ever conjectured to be hard to break.
IntrusionResilient PublicKey Encryption
, 2003
"... Exposure of secret keys seems to be inevitable, and may in practice represent the most likely point of failure in a cryptographic system. Recently, the notion of intrusionresilience [17] (which extends both the notions of forward security [3, 5] and key insulation [11]) was proposed as a means ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
Exposure of secret keys seems to be inevitable, and may in practice represent the most likely point of failure in a cryptographic system. Recently, the notion of intrusionresilience [17] (which extends both the notions of forward security [3, 5] and key insulation [11]) was proposed as a means of mitigating the harmful eects that key exposure can have. In this model, time is divided into distinct periods; the public key remains xed throughout the lifetime of the protocol but the secret key is periodically updated. Secret information is stored by both a user and a base; the user performs all cryptographic operations during a given time period, while the base helps the user periodically update his key. Intrusionresilient schemes remain secure in the face of multiple compromises of both the user and the base, as long as they are not both compromised simultaneously. Furthermore, in case the user and base are compromised simultaneously, prior time periods remain secure (as in forwardsecure schemes).
A Simple PublicKey Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications
 In Asiacrypt ’03, LNCS 2894
, 2003
"... Abstract. At Eurocrypt ’02 Cramer and Shoup [7] proposed a general paradigm to construct practical publickey cryptosystems secure against adaptive chosenciphertext attacks as well as several concrete examples. Among the others they presented a variant of Paillier’s [21] scheme achieving such a str ..."
Abstract

Cited by 23 (3 self)
 Add to MetaCart
Abstract. At Eurocrypt ’02 Cramer and Shoup [7] proposed a general paradigm to construct practical publickey cryptosystems secure against adaptive chosenciphertext attacks as well as several concrete examples. Among the others they presented a variant of Paillier’s [21] scheme achieving such a strong security requirement and for which two, independent, decryption mechanisms are allowed. In this paper we revisit such scheme and show that by considering a different subgroup, one can obtain a different scheme (whose security can be proved with respect to a different mathematical assumption) that allows for interesting applications. In particular we show how to construct a perfectly hiding commitment schemes that allows for an online / offline efficiency tradeoff. The scheme is computationally binding under the assumption that factoring is hard, thus improving on the previous construction by Catalano et al. [5] whose binding property was based on the assumption that inverting RSA[N, N] (i.e. RSA with the public exponent set to N) is hard. 1
Fully collusion secure dynamic broadcast encryption with constantsize ciphertexts or decryption keys
 In Pairing
, 2007
"... Abstract. This paper puts forward new efficient constructions for publickey broadcast encryption that simultaneously enjoy the following properties: receivers are stateless; encryption is collusionsecure for arbitrarily large collusions of users and security is tight in the standard model; new use ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
Abstract. This paper puts forward new efficient constructions for publickey broadcast encryption that simultaneously enjoy the following properties: receivers are stateless; encryption is collusionsecure for arbitrarily large collusions of users and security is tight in the standard model; new users can join dynamically i.e. without modification of user decryption keys nor ciphertext size and little or no alteration of the encryption key. We also show how to permanently revoke any subgroup of users. Most importantly, our constructions achieve the optimal bound of O(1)size either for ciphertexts or decryption keys, where the hidden constant relates to a couple of elements of a pairingfriendly group. Our broadcastKEM trapdoor technique, which has independent interest, also provides a dynamic broadcast encryption system improving all previous efficiency measures (for both execution time and sizes) in the privatekey setting. 1