Results 1  10
of
14
Keyprivacy in publickey encryption
, 2001
"... We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning t ..."
Abstract

Cited by 94 (8 self)
 Add to MetaCart
We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary.We investigate the anonymity of known encryption schemes.We prove that the El Gamal scheme provides anonymity under chosenplaintext attack assuming the Decision DiffieHellman problem is hard and that the CramerShoup scheme provides anonymity under chosenciphertext attack under the same assumption.We also consider anonymity for trapdoor permutations.Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it.We provide a variant of RSAOAEP that provides anonymity in the random oracle model assuming RSA is oneway.We also give constructions of anonymous trapdoor permutations, assuming RSA is oneway, which yield anonymous encryption schemes in the standard model.
On Perfect and Adaptive Security in ExposureResilient Cryptography
, 2001
"... . We consider the question of adaptive security for two related ..."
Abstract

Cited by 39 (11 self)
 Add to MetaCart
. We consider the question of adaptive security for two related
ExposureResilient Cryptography
, 2000
"... We develop the notion of ExposureResilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of ExposureResilient Cryptography is to build infor ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
We develop the notion of ExposureResilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of ExposureResilient Cryptography is to build information structures such that almost complete (intentional or unintentional) exposure of such a structure still protects the secret information embedded in this structure. The key to our approach is a new primitive of independent interest, which we call an ExposureResilient Function (ERF)  a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF's by themselves eciently solve the partial exposure of secrets in the setting where the secret is simply a random value, like in the privatekey cryptography. They can also be viewed as very secure pseudorandom generators and have many other applica...
The IdealCipher Model, Revisited: An Uninstantiable BlockcipherBased Hash Function
 FSE’06, LNCS 4047
, 2005
"... The IdealCipher Model of a blockcipher is a wellknown and widelyused model dating back to Shannon [24] and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this m ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
The IdealCipher Model of a blockcipher is a wellknown and widelyused model dating back to Shannon [24] and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this model or regarding the model's validity.
On the relation between the ideal cipher and the random oracle models
 In: TCC 2006. LNCS
, 2006
"... Abstract. The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. [8] proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, we investigate if it is possible to instantiate an ideal block cipher in the random oracle model, which is a considerably more challenging question. We conjecture that the LubyRackoff construction [19] with a sufficient number of rounds should suffice to show this implication. This does not follow from the famous LubyRackoff result [19] showing that 4 rounds are enough to turn a pseudorandom function into a pseudorandom permutation, since the results of the intermediate rounds are known to everybody. As a partial step toward resolving this conjecture, we show that random oracles imply ideal ciphers in the honestbutcurious model, where all the participants are assumed to follow the protocol, but keep all their intermediate results. Namely, we show that the LubyRackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honestbutcurious cryptosystem, and result in a similar honestbutcurious cryptosystem in the random oracle model. We also show that securely instantiating the ideal cipher using the Luby Rackoff construction with upto a logarithmic number of rounds is equivalent in the honestbutcurious and malicious models. 1
Edition Security Control in Interbank Fund Transfer
 Journal of Electronic Commerce Research
, 2002
"... Modern financial institutions have cashed in on the electronic business opportunities of the Internet by developing numerous payment systems to meet various payment service requirements. Advanced computer systems and telecommunications technology are being used to offer fast, convenient, and secure ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Modern financial institutions have cashed in on the electronic business opportunities of the Internet by developing numerous payment systems to meet various payment service requirements. Advanced computer systems and telecommunications technology are being used to offer fast, convenient, and secure ways to conduct financial transactions at service and security levels that are hardly or never achieved by traditional payment systems. In this paper, we examine the function and operation flow of the electronic funds transfer process as well as its security control mechanism. To evaluate telecommunication and data security techniques, a standardleading interbank payment system called the Society for Worldwide Interbank Financial Telecommunications System is introduced. Some important security features are investigated in detail. 1.
The security of chang and winnowing
 In Proc. of Asiacrypt
, 2000
"... This paper takes a closer look at Rivest's cha ngandwinnowing paradigm for data privacy. We begin with a de nition which enables one to determine whether a given scheme quali es as \cha ngandwinnowing. " We then analyze Rivest's schemes to see what quality of data privacy they provide. His ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
This paper takes a closer look at Rivest's cha ngandwinnowing paradigm for data privacy. We begin with a de nition which enables one to determine whether a given scheme quali es as \cha ngandwinnowing. " We then analyze Rivest's schemes to see what quality of data privacy they provide. His bitbybit scheme is easily proven to meet a standard notion of privacy under chosenplaintext attack, but is ine cient. His more e cient scheme based on allornothing transforms (AONTs)  can be attacked under Rivest's de nition of security ofan AONT. However we show that by using OAEP as the AONT one can prove security, and also present a di erent scheme, still using AONTs, that is equally e cient and easily proven secure even under a relatively weak notion of security ofAONTs.
Chaffinch: Confidentiality in the Face of Legal Threats
 of LNCS
, 2003
"... We present the design and rationale of a practical system for passing confidential messages. The mechanism is an adaptation of Rivest's "chaffing and winnowing", which has the legal advantage of using authentication keys to provide privacy. We identify a weakness in Rivest's particular choice of his ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We present the design and rationale of a practical system for passing confidential messages. The mechanism is an adaptation of Rivest's "chaffing and winnowing", which has the legal advantage of using authentication keys to provide privacy. We identify a weakness in Rivest's particular choice of his "package transform" as an "allornothing" element within his scheme. We extend the basic system to allow the passing of several messages concurrently. Only some of these messages need be divulged under legal duress, the other messages will be plausibly deniable.
The Sampling Twice Technique for the RSAbased Cryptosystems with Anonymity
 In Public Key Cryptography – PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography (Les Diablerets
, 2005
"... We say that an encryption scheme or a signature scheme provides anonymity when it is infeasible to determine which user generated a ciphertext or a signature. To construct the schemes with anonymity, it is necessary that the space of ciphertexts or signatures is common to each user. In this paper, w ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
We say that an encryption scheme or a signature scheme provides anonymity when it is infeasible to determine which user generated a ciphertext or a signature. To construct the schemes with anonymity, it is necessary that the space of ciphertexts or signatures is common to each user. In this paper, we focus on the techniques which can be used to obtain this anonymity property, and propose a new technique for obtaining the anonymity property on RSAbased cryptosystem, which we call “sampling twice. ” It generates the uniform distribution over [0, 2 k) by sampling the two elements from ZN where N  = k. Then, by applying the sampling twice technique, we construct the schemes for encryption, undeniable and confirmer signature, and ring signature, which have some advantages to the previous schemes.
A Closer Look at Anonymity and Robustness in Encryption Schemes
"... Abstract. In this work, we take a closer look at anonymity and robustness in encryption schemes. Roughly speaking, an anonymous encryption scheme hides the identity of the secretkey holder, while a robust encryption scheme guarantees that every ciphertext can only be decrypted to a valid plaintext ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. In this work, we take a closer look at anonymity and robustness in encryption schemes. Roughly speaking, an anonymous encryption scheme hides the identity of the secretkey holder, while a robust encryption scheme guarantees that every ciphertext can only be decrypted to a valid plaintext under the intended recipient’s secret key. In case of anonymous encryption, we show that if an anonymous PKE or IBE scheme (in presence of CCA attacks) is used in a hybrid encryption, all bets regarding the anonymity of the resulting encryption are off. We show that this is the case even if the symmetrickey component is anonymous. On the positive side, however, we prove that if the keyencapsulation method is, additionally weakly robust the resulting hybrid encryption remains anonymous. Some of the existing anonymous encryption schemes are known to be weakly robust which makes them more desirable in practice. In case of robust encryption, we design several efficient constructions for transforming any PKE/IBE scheme into weakly and strongly robust ones. Our constructions only add a minor computational overhead to the original schemes, while achieving better ciphertext sizes compared to the previous constructions. An important property of our transformations is that they are nonkeyed and do not require any modifications to the public parameters of the original schemes. We also introduce a relaxation of the notion of robustness we call collisionfreeness. We primarily use collisionfreeness as an intermediate notion by showing a more efficient construction for transforming any collisionfree encryption scheme into a strongly robust one. We believe that this simple notion can be a plausible replacement for robustness in some scenarios in practice. The advantage is that most existing schemes seem to satisfy collisionfreeness without any modifications. 1