Results 1-10 of 44
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Cited by 222 (22 self)
On the security of joint signature and encryption
2002
Cited by 138 (6 self)
Abstract: We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of [30], leading to efficient online/offline signcryption. Finally, and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption
2001
Cited by 136 (19 self)
Abstract: We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0,1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards.
Author affiliations (from the paper's title page): Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA, and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand (email: rogaway@cs.ucdavis.edu, web: www.cs.ucdavis.edu/~rogaway); Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA (email: mihir@cs.ucsd.edu, web: www-cse.ucsd.edu/users/mihir); Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA (email: jrb@cs.unr.edu, web: www.cs.unr.edu/~jrb); Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA (email: tdk@acm.org).
Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library
In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), 2004
Cited by 58 (17 self)
Abstract: Recently we solved the long-standing open problem of justifying a Dolev-Yao type model of cryptography, as used in virtually all automated protocol provers, under active attacks. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 58 (7 self)
Abstract: We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0,1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation.
Key words: block-cipher modes, message authentication codes, modes of operation, provable security.
Circular-Secure Encryption from Decision Diffie-Hellman
2008
Cited by 49 (5 self)
Abstract: Let E be a public-key encryption system and let (pk_i, sk_i) be public/private key pairs for E for i = 0, ..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of sk_i under pk_{(i mod n)+1} for all i = 1, ..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only been proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of sk_i under pk_j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published.
Authenticated-encryption with associated-data
In Proc. 9th CCS, 2002
Cited by 33 (9 self)
Keywords: Associated-data problem, authenticated-encryption, block-cipher usage, key separation, modes of operation, OCB.
A provable-security treatment of the key-wrap problem
EUROCRYPT 2006, LNCS 4004, 2006
Cited by 25 (4 self)
Abstract: We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a block-cipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
A cryptographically sound Dolev-Yao style security proof of the Otway-Rees protocol
In Proc. 9th European Symposium on Research in Computer Security (ESORICS), 2004
Cited by 24 (10 self)
Abstract: We present the first cryptographically sound Dolev-Yao-style security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements, ranging from basic ones like the impossibility of unauthorized payments to more sophisticated properties like disputability. We show that the payment system is secure against arbitrary active attacks, including arbitrary concurrent protocol runs and arbitrary manipulation of bitstrings within polynomial time, if the protocol is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence within the scope of current proof tools. The reason is that we exploit a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended Dolev-Yao model.
The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search
In Advances in Cryptology - CRYPTO '00, 2000
Cited by 22 (0 self)
Abstract: We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple block-cipher-based AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above key-search resistance property.