Results 1 - 10 of 11

Key-privacy in public-key encryption, 2001
Cited by 75 (7 self)
Abstract: We consider a novel security requirement of encryption schemes that we call “key-privacy” or “anonymity”. It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. We investigate the anonymity of known encryption schemes. We prove that the El Gamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption. We also consider anonymity for trapdoor permutations. Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it. We provide a variant of RSA-OAEP that provides anonymity in the random oracle model assuming RSA is one-way. We also give constructions of anonymous trapdoor permutations, assuming RSA is one-way, which yield anonymous encryption schemes in the standard model.

On Perfect and Adaptive Security in Exposure-Resilient Cryptography, 2001
Cited by 32 (6 self)
Abstract: We consider the question of adaptive security for two related

Exposure-Resilient Cryptography, 2000
Cited by 20 (1 self)
Abstract: We develop the notion of Exposure-Resilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of Exposure-Resilient Cryptography is to build information structures such that almost complete (intentional or unintentional) exposure of such a structure still protects the secret information embedded in this structure. The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF): a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERFs by themselves efficiently solve the partial exposure of secrets in the setting where the secret is simply a random value, as in private-key cryptography. They can also be viewed as very secure pseudorandom generators and have many other applica...

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
FSE’06, LNCS 4047, 2005
Cited by 12 (0 self)
Abstract: The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating back to Shannon [24] and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this model or regarding the model's validity.

On the relation between the ideal cipher and the random oracle models
In Third Theory of Cryptography Conference (TCC’06), 2006
Cited by 5 (1 self)
Abstract: The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. [8] proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, we investigate if it is possible to instantiate an ideal block cipher in the random oracle model, which is a considerably more challenging question. We conjecture that the Luby-Rackoff construction [19] with a sufficient number of rounds should suffice to show this implication. This does not follow from the famous Luby-Rackoff result [19] showing that 4 rounds are enough to turn a pseudorandom function into a pseudorandom permutation, since the results of the intermediate rounds are known to everybody. As a partial step toward resolving this conjecture, we show that random oracles imply ideal ciphers in the honest-but-curious model, where all the participants are assumed to follow the protocol, but keep all their intermediate results. Namely, we show that the Luby-Rackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honest-but-curious cryptosystem, and result in a similar honest-but-curious cryptosystem in the random oracle model. We also show that securely instantiating the ideal cipher using the Luby-Rackoff construction with up to a logarithmic number of rounds is equivalent in the honest-but-curious and malicious models.

The security of chaffing and winnowing
In Proc. of Asiacrypt, 2000
Cited by 2 (0 self)
Abstract: This paper takes a closer look at Rivest's chaffing-and-winnowing paradigm for data privacy. We begin with a definition which enables one to determine whether a given scheme qualifies as "chaffing-and-winnowing." We then analyze Rivest's schemes to see what quality of data privacy they provide. His bit-by-bit scheme is easily proven to meet a standard notion of privacy under chosen-plaintext attack, but is inefficient. His more efficient scheme, based on all-or-nothing transforms (AONTs), can be attacked under Rivest's definition of security of an AONT. However we show that by using OAEP as the AONT one can prove security, and also present a different scheme, still using AONTs, that is equally efficient and easily proven secure even under a relatively weak notion of security of AONTs.

Chaffinch: Confidentiality in the Face of Legal Threats
of LNCS, 2003
Cited by 2 (0 self)
Abstract: We present the design and rationale of a practical system for passing confidential messages. The mechanism is an adaptation of Rivest's "chaffing and winnowing", which has the legal advantage of using authentication keys to provide privacy. We identify a weakness in Rivest's particular choice of his "package transform" as an "all-or-nothing" element within his scheme. We extend the basic system to allow the passing of several messages concurrently. Only some of these messages need be divulged under legal duress; the other messages will be plausibly deniable.

The Sampling Twice Technique for the RSA-based Cryptosystems with Anonymity
In Public Key Cryptography – PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography (Les Diablerets), 2005
Cited by 1 (1 self)
Abstract: We say that an encryption scheme or a signature scheme provides anonymity when it is infeasible to determine which user generated a ciphertext or a signature. To construct the schemes with anonymity, it is necessary that the space of ciphertexts or signatures is common to each user. In this paper, we focus on the techniques which can be used to obtain this anonymity property, and propose a new technique for obtaining the anonymity property on RSA-based cryptosystems, which we call “sampling twice.” It generates the uniform distribution over [0, 2^k) by sampling two elements from Z_N where |N| = k. Then, by applying the sampling twice technique, we construct schemes for encryption, undeniable and confirmer signature, and ring signature, which have some advantages over the previous schemes.

Edition Security Control in Inter-bank Fund Transfer
Journal of Electronic Commerce Research, 2002
Cited by 1 (0 self)
Abstract: Modern financial institutions have cashed in on the electronic business opportunities of the Internet by developing numerous payment systems to meet various payment service requirements. Advanced computer systems and telecommunications technology are being used to offer fast, convenient, and secure ways to conduct financial transactions at service and security levels that are hardly or never achieved by traditional payment systems. In this paper, we examine the function and operation flow of the electronic funds transfer process as well as its security control mechanism. To evaluate telecommunication and data security techniques, a standard-leading inter-bank payment system called the Society for Worldwide Inter-bank Financial Telecommunications System is introduced. Some important security features are investigated in detail.

Secure IP-Block Distribution for Hardware Devices
In Hardware-Oriented Security and Trust - HOST 2009, 2009
Cited by 1 (1 self)
Abstract: EDA vendors have proposed a standard for the sharing of IP among vendors to be used in the design and development of IP for FPGAs. Although we do not propose any attacks, we show that there are easy ways in which the security of the whole process can be enhanced by using standard cryptographic techniques such as secret sharing and public-key based key exchange. We also explore the advantages that newer primitives have, such as All-Or-Nothing Transforms and Physical Unclonable Functions. We show that the protocols proposed would significantly reduce the effects that the leakage of a single key would have over the whole system.