Results 1 to 10 of 80
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, 2000
Cited by 273 (25 self)
Abstract
and analysis of the generic composition paradigm
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption, 2001
Cited by 198 (24 self)
Abstract
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0,1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards.
Author affiliations:
Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA; and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand. email: rogaway@cs.ucdavis.edu web: www.cs.ucdavis.edu/~rogaway
Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA. email: mihir@cs.ucsd.edu web: www-cse.ucsd.edu/users/mihir
Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA. email: jrb@cs.unr.edu web: www.cs.unr.edu/~jrb
Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA. email: tdk@acm.org
On the security of joint signature and encryption, 2002
Cited by 150 (6 self)
Abstract
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of [30], leading to efficient online/offline signcryption. Finally, and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen-ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
Advances in Cryptology, EUROCRYPT 2002. Lecture Notes in Computer Science, 2002
Cited by 79 (13 self)
Abstract
We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0,1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation.
Key words: block-cipher modes, message authentication codes, modes of operation, provable security.
Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library
In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), 2004
Cited by 72 (20 self)
Abstract
Recently we solved the long-standing open problem of justifying a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
Circular-Secure Encryption from Decision Diffie-Hellman, 2008
Cited by 72 (9 self)
Abstract
Let E be a public-key encryption system and let (pk_i, sk_i) be public/private key pairs for E for i = 0, ..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of sk_i under pk_{(i mod n)+1} for all i = 1, ..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only been proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of sk_i under pk_j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published.
Authenticated-encryption with associated-data
In Proc. 9th CCS, 2002
Cited by 58 (18 self)
Abstract
Keywords: Associated-data problem, authenticated-encryption, block-cipher usage, key separation, modes of operation, OCB.
A provable-security treatment of the key-wrap problem
EUROCRYPT 2006, LNCS 4004, 2006
Cited by 50 (12 self)
Abstract
We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a block-cipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
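The SIV construction sketched in the abstract above (a PRF over the vector of header strings plus the message yields the IV, the IV drives counter-mode encryption, and decryption recomputes the IV and rejects on mismatch) is easy to get wrong in two places: the encoding of the vector, and the order of the check against releasing plaintext. The Python below is an added illustration written for this page, not code from the paper, from the X9.102 draft or from any library. It swaps the paper's block-cipher-based instantiation for HMAC-SHA256 as the PRF and an HMAC-based counter keystream so that it runs with the standard library alone; it assumes two independent keys, K1 for the PRF and K2 for encryption, as the key-separation choice; and it turns the string PRF into a vector PRF by length-prefixing each component rather than by the paper's more efficient method. The sample keys, headers and message are constructed for the demonstration.

```python
"""SIV-style deterministic authenticated encryption (DAE), as an added
illustration of the construction described in the key-wrap abstract.
Not the paper's AES-based instantiation: HMAC-SHA256 stands in for the PRF
and for the block cipher, so the code needs only the standard library.
"""
import hashlib
import hmac

TAG_LEN = 16  # bytes of PRF output used as the IV/tag (assumption: 128-bit tag)


def _encode_vector(parts):
    # Unambiguous encoding of a vector of strings: a 4-byte big-endian length
    # prefix per component, so (b"ab", b"c") and (b"a", b"bc") encode
    # differently. Plain concatenation would let two different (header,
    # message) pairs collide on the same IV.
    out = bytearray()
    for p in parts:
        out += len(p).to_bytes(4, "big") + p
    return bytes(out)


def vector_prf(key, parts):
    """PRF over a vector of strings: F(K1, (H_1, ..., H_m, M)) truncated to TAG_LEN."""
    return hmac.new(key, _encode_vector(parts), hashlib.sha256).digest()[:TAG_LEN]


def _keystream_xor(key, iv, data):
    """Counter-mode style masking under the second key: keystream block i is
    HMAC(K2, IV || i). XORing is its own inverse, so this both encrypts and
    decrypts."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def siv_encrypt(k1, k2, headers, plaintext):
    """DAE encryption: IV = F(K1, headers || M); C = CTR(K2, IV, M); output IV || C.
    Deterministic by design: the same (headers, M) always gives the same output."""
    iv = vector_prf(k1, list(headers) + [plaintext])
    return iv + _keystream_xor(k2, iv, plaintext)


def siv_decrypt(k1, k2, headers, ciphertext):
    """Recover M, recompute the IV over (headers, M) and compare in constant
    time. Returns None on any failure so that a tampered or mis-bound
    ciphertext never yields plaintext to the caller."""
    if len(ciphertext) < TAG_LEN:
        return None
    iv, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = _keystream_xor(k2, iv, body)
    expected = vector_prf(k1, list(headers) + [plaintext])
    if not hmac.compare_digest(iv, expected):
        return None
    return plaintext


if __name__ == "__main__":
    # Constructed demo inputs: a key-wrap use, where the header carries the
    # identifier of the wrapped key and a caller-supplied nonce.
    k1, k2 = b"\x01" * 32, b"\x02" * 32
    hdr = [b"key-id:42", b"nonce:0001"]
    wrapped = siv_encrypt(k1, k2, hdr, b"secret key material to wrap")
    print("round trip ok:", siv_decrypt(k1, k2, hdr, wrapped) is not None)
    # Repeating the nonce with the same key material repeats the ciphertext
    # (that is all a repeated IV leaks here); a different header rejects.
    print("same input, same output:", siv_encrypt(k1, k2, hdr, b"secret key material to wrap") == wrapped)
    print("wrong key-id rejected:", siv_decrypt(k1, k2, [b"key-id:43", b"nonce:0001"], wrapped) is None)
```

Two design points carry the security argument. The IV is computed over the whole vector, so the headers are authenticated and a ciphertext cannot be re-bound to a different key identifier; and decryption discards the recovered plaintext unless the recomputed IV matches, so an attacker who flips a bit in either the IV or the body learns nothing but a rejection.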
A cryptographically sound Dolev-Yao style security proof of the Otway-Rees protocol
In Proc. 9th European Symposium on Research in Computer Security (ESORICS), 2004
Cited by 25 (10 self)
Abstract
We present the first cryptographically sound Dolev-Yao-style security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements ranging from basic ones like the impossibility of unauthorized payments to more sophisticated properties like disputability. We show that the payment system is secure against arbitrary active attacks, including arbitrary concurrent protocol runs and arbitrary manipulation of bitstrings within polynomial time, if the protocol is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence within the scope of current proof tools. The reason is that we exploit a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended Dolev-Yao model.