Results 1 - 10 of 10
TagKEM/DEM: A New Framework for Hybrid Encryption and a New Analysis of Kurosawa-Desmedt KEM
in Proc. Eurocrypt, 2005
Cited by 67 (8 self)
Abstract: This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous ...
Efficient Consistency Proofs for Generalized Queries on Committed Database
2004
Cited by 28 (2 self)
Abstract: A consistent query protocol (CQP) allows a database owner to publish a very short string c which commits her and everybody else to a particular database D, so that any copy of the database can later be used to answer queries and give short proofs that the answers are consistent with the commitment c.
Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm
ACM Transactions on Information and System Security, 2004
Cited by 20 (5 self)
Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
Versatile Padding Schemes for Joint Signature and Encryption
In Proceedings of the Eleventh ACM Conference on Computer and Communication Security (CCS 2004), 2004
Cited by 8 (0 self)
Abstract: We propose several highly-practical and optimized constructions for joint signature and encryption primitives, often referred to as signcryption. All our signcryption schemes, built directly from trapdoor permutations such as RSA, share features such as simplicity, efficiency, generality, near-optimal exact security, flexible and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, “backward” use for plain signature/encryption, long message and associated data support, the strongest-known qualitative security and, finally, complete compatibility with the PKCS#1 infrastructure. Similar to the design of plain RSA-based signature and encryption schemes, such as RSA-FDH and RSA-OAEP, our signcryption schemes are constructed by designing appropriate padding schemes suitable for use with trapdoor permutations. We build a general and flexible framework for the design and analysis of secure Feistel-based padding schemes, as well as three composition paradigms for using such paddings to build optimized signcryption schemes. To unify many secure padding options offered as special cases of our framework, we construct a single versatile padding scheme PSEP which, by simply adjusting the parameters, can work optimally with any of the three composition paradigms for either signature, encryption, or signcryption. We illustrate the utility of our signcryption schemes by applying them to build a secure key-exchange protocol, with performance results showing 3x–5x speedup compared to standard protocols.
Blockwise Adversarial Model for Online Ciphers and Symmetric Encryption Schemes
In Selected Areas in Cryptography ’04, LNCS, 2004
Cited by 6 (0 self)
Abstract: This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow to encrypt messages even if the whole message is not known at the beginning of the encryption. The newly introduced adversaries better capture the online properties than classical ones. Indeed, in the new model, the adversaries are allowed to send messages block-by-block to the encryption machine and receive the corresponding ciphertext blocks on-the-fly. This kind of attacker is called a blockwise adversary and is stronger than the standard one, which treats messages as atomic objects. In this paper, we compare the two adversarial models for online encryption schemes. For probabilistic encryption schemes, we show that security is not preserved, contrary to deterministic schemes. We prove in the appendix of the full version that in this last case, the two models are polynomially equivalent in the number of encrypted blocks. Moreover, in the blockwise model, a polynomial number of concurrent accesses to encryption oracles have to be taken into account. This leads to the strongest security notion in this setting. Furthermore, we show that this notion is valid by exhibiting a scheme secure under this security notion.
Versatile Padding Schemes for Joint Signature and Encryption
On the Security of Cryptosystems with All-or-Nothing Transform
2004
Abstract: We study the data privacy of cryptosystems with All-or-Nothing transform (AONT). An AONT is an efficiently computable transform with two properties: Given all the bits of its output, it is easy to retrieve the message. On the other hand, if sufficiently many bits of the output are missing, it is computationally infeasible for a polynomial-time adversary to learn any information about the message. However, in this paper we show that the definition of AONT and the construction of “secure” cryptosystems from AONTs need more careful consideration. Our results are threefold: First, we answer an open problem raised in [6], showing that previous definitions are not sufficient to guarantee a provably secure cryptosystem with strong security, namely, indistinguishability against chosen ciphertext attack (IND-CCA). Second, we give a new definition of AONT and prove this definition is sufficient to be integrated with any trapdoor function to obtain IND-CCA secure cryptosystems. Third, we give constructions that satisfy the new definition.
2.2 Symmetric Schemes
2005
"... This version is an update of the original ..."
A New Authenticated Encryption Technique for Handling Long Ciphertexts in Memory Constrained Devices
Abstract: In authenticated encryption schemes, there are two techniques for handling long ciphertexts while working within the constraints of a low buffer size: Releasing unverified plaintext (RUP) or Producing intermediate tags (PIT). In this paper, in addition to the two techniques, we propose another way to handle a long ciphertext with a low buffer size by storing and releasing only one (generally, or only a few) intermediate state without releasing or storing any part of an unverified plaintext and without the need to generate any intermediate tag. In this paper we explain this generalized technique using our new construction spAELM. spAELM is a sponge-based authenticated encryption scheme that provides support for limited memory devices. We also provide its security proof for privacy and authenticity in an ideal permutation model, using a code-based game-playing framework. Furthermore, we also present two more variants of spAELM that serve the same purpose and are more efficient than spAELM. The ongoing CAESAR competition has 9 submissions which are based on the Sponge construction. We apply our generalized technique of storing a single intermediate state to all these submissions, to determine their suitability with a crypto module having limited memory. Our findings show that only ASCON and one of the PRIMATEs modes (namely GIBBON) satisfy the limited memory constraint using this technique, while the remaining schemes (namely, Artemia,