Results 11-20 of 72

A new paradigm of hybrid encryption scheme
CRYPTO 2004, volume 3152 of LNCS, 2004
Cited by 48 (4 self)
Abstract. In this paper, we show that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed. That is, we present a more efficient hybrid encryption scheme than Shoup [12] by using a KEM which is not necessarily IND-CCA secure. Nevertheless, our scheme is secure in the sense of IND-CCA under the DDH assumption in the standard model. This result is further generalized to universal_2 projective hash families.

Security of Signed ElGamal Encryption
In Asiacrypt '2000, LNCS 1976, 2000
Cited by 41 (3 self)
Abstract. Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts. 1 Introduction and Summary. We analyse a very practical public key cryptosystem in terms of its security against the strong adaptive chosen ciphertext attack (CCA) of [RS92], in which an attacker can access a decryption oracle on arbitrary ciphertexts (ex...

Automated Security Proofs with Sequences of Games
Proc. 27th IEEE Symposium on Security, 2006
Cited by 40 (7 self)
Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the Dolev-Yao model, which however makes quite strong assumptions on the primitives. On the other hand, with the proofs by reductions, in the complexity theoretic framework, more subtle security assumptions can be considered, but security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosen-message attacks (UF-CMA) of the Full-Domain Hash signature scheme under the (trapdoor) one-wayness of some permutations.

Code-Based Game-Playing Proofs and the Security of Triple Encryption
Eurocrypt 2006, LNCS
Cited by 40 (10 self)
Abstract. (Draft 3.0) The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage is small until it asks about 2^78 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security

Secure Hybrid Encryption from Weakened Key Encapsulation
Advances in Cryptology - CRYPTO 2007, 2007
Cited by 39 (8 self)
Abstract. We put forward a new paradigm for building hybrid encryption schemes from constrained-chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated

A length-invariant hybrid mix
In Advances in Cryptology - ASIACRYPT 2000, LNCS, 1976
Cited by 34 (0 self)
Abstract. This paper presents a secure and flexible Mix-net that has the following properties: it efficiently handles long plaintexts that exceed the modulus size of the underlying public-key encryption as well as very short ones (length-flexible), input ciphertext length is not impacted by the number of mix-servers (length-invariant), and its security in terms of anonymity is proven in a formal way (provably secure). One can also add robustness, i.e. it outputs correct results in the presence of corrupt servers. The security is proved in the random oracle model by showing a reduction from breaking the anonymity of our Mix-net to breaking a sort of indistinguishability of the underlying symmetric encryption scheme or solving the Decision Diffie-Hellman problem.

Group key agreement efficient in communication
IEEE Transactions on Computers, 2004
Cited by 32 (7 self)
Abstract. In recent years, group-oriented applications and protocols have been gaining popularity. Such applications typically involve communication over open networks where security is an important concern. Group key management is one of the basic building blocks in securing group communication. Most prior research in group key management focused on minimizing computation overhead due mostly to expensive cryptographic operations. Communication cost has been treated as a secondary concern. This has been (and perhaps still is) a reasonable strategy; however, certain changes are looming on the horizon. In particular, recent dramatic advances in computing power motivate a priority shift. As computation becomes faster, communication speeds do not enjoy similar advances, and communication latency, especially in high-delay long-haul networks, increasingly dominates protocol costs, replacing in some cases computation as the main latency factor. Hence, there is a need to minimize the number of messages, their size and the number of rounds in cryptographic protocols. Since most previously proposed group key management techniques optimize cryptographic overhead, they are particularly impacted by high communication delays. In this work, we discuss and analyze a specific group key agreement technique which supports dynamic group membership and handles network failures, such as group partitions and merges. Our technique is communication-efficient and provably secure against hostile attacks. Furthermore, it is simple, fault-tolerant and well-suited for high-delay networks.

On robust combiners for oblivious transfer and other primitives
In Proc. Eurocrypt '05, 2005
Cited by 30 (1 self)
Abstract. At the mouth of two witnesses... shall the matter be established (Deuteronomy, Chapter 19).

Hedged Public-Key Encryption: How to Protect against Bad Randomness
IACR EPRINT, 2012
Cited by 24 (12 self)
Abstract. Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the lack of possible randomness. We provide public-key encryption schemes that achieve IND-CPA security when the randomness they use is of high quality, but, when the latter is not the case, rather than breaking completely, they achieve a weaker but still useful notion of security that we call IND-CDA. This hedged public-key encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RO-based ways to make in-practice IND-CPA schemes hedge secure with minimal software changes. We also provide non-RO model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs, which we believe is of independent interest. (Preliminary version was presented at AsiaCrypt 2009)

Securely Combining Public-Key Cryptosystems
Proceedings of the ACM Computer and Security Conference, 2001
Cited by 18 (1 self)
Abstract. It is a maxim of sound computer-security practice that a cryptographic key should have only a single use. For example, an RSA key pair should be used only for public-key encryption or only for digital signatures, and not for both. In this paper we show that in many cases, the simultaneous use of related keys for two cryptosystems, e.g. for a public-key encryption system and for a public-key signature system, does not compromise their security. We demonstrate this for a variety of public-key encryption schemes that are secure against chosen-ciphertext attacks, and for a variety of digital signature schemes that are secure against forgery under chosen-message attacks. The precise form of the statement of security that we are able to prove depends on the particular cryptographic schemes in question and on the cryptographic assumptions needed for their proofs of security; but in every case, our proof of security does not require any additional cryptographic assumptions. Among the cryptosystems that we analyze in this manner are the public-key encryption schemes of Cramer and Shoup, Naor and Yung, and Dolev, Dwork, and Naor, which are all defined in the standard model, while in the random-oracle model we analyze plaintext-aware encryption schemes (as defined by Bellare and Rogaway) and in particular the OAEP+ cryptosystem. Among public-key signature schemes, we analyze those of Cramer and Shoup and of Gennaro, Halevi, and Rabin in the standard model, while in the random-oracle model we analyze the RSA PSS scheme as well as variants of the El Gamal and Schnorr schemes. (See references within.)