Results 1-10 of 34
Using Secure Coprocessors, 1994
Cited by 165 (8 self)
Abstract:
The views and conclusions in this document are those of the authors and do not necessarily represent the official policies or endorsements of any of the research sponsors. How do we build distributed systems that are secure? Cryptographic techniques can be used to secure the communications between physically separated systems, but this is not enough: we must be able to guarantee the privacy of the cryptographic keys and the integrity of the cryptographic functions, in addition to the integrity of the security kernel and access control databases we have on the machines. Physical security is a central assumption upon which secure distributed systems are built; without this foundation even the best cryptosystem or the most secure kernel will crumble. In this thesis, I address the distributed security problem by proposing the addition of a small, physically secure hardware module, a secure coprocessor, to standard workstations and PCs. My central axiom is that secure coprocessors are able to maintain the privacy of the data they process. This thesis attacks the distributed security problem from multiple sides. First, I analyze the security properties of existing system components, both at the hardware and
Security for a High Performance Commodity Storage Subsystem, 1999
Cited by 44 (1 self)
Abstract:
and the United States Postal Service. The views and conclusions in this document are my own and should not be interpreted as representing the official policies, either expressed or implied, of any supporting organization or the U.S. Government.
Efficient Chosen-Ciphertext Security via Extractable Hash
Cited by 11 (0 self)
Abstract:
We introduce the notion of an extractable hash proof system. Essentially, this is a special kind of non-interactive zero-knowledge proof of knowledge system where the secret keys may be generated in one of two modes to allow for either simulation or extraction. – We show how to derive efficient CCA-secure encryption schemes via extractable hash proofs in a simple and modular fashion. Our construction clarifies and generalizes the recent factoring-based cryptosystem of Hofheinz and Kiltz (Eurocrypt ’09), and is reminiscent of an approach proposed by Rackoff and Simon (Crypto ’91). We show how to instantiate extractable hash proof systems for hard search problems, notably factoring and computational Diffie-Hellman. Using our framework, we obtain the first CCA-secure encryption scheme based on CDH where the public key is a constant number of group elements, and a more modular and conceptually simpler variant of the Hofheinz-Kiltz cryptosystem (though less efficient). – We introduce adaptive trapdoor relations, a relaxation of the adaptive trapdoor functions considered by Kiltz, Mohassel and O’Neill (Eurocrypt ’10), that nonetheless imply CCA-secure encryption schemes. We show how to construct such relations using extractable hash proofs, which in turn yields realizations from hardness of factoring and CDH.
Cryptographic Secure Pseudo-Random Bits Generation: The Blum-Blum-Shub Generator, 1999
Analysis of QUAD, The Proceedings of Fast Software Encryption, 2007
Cited by 8 (2 self)
Abstract:
... introduced QUAD, a parametrized family of stream ciphers. Speed reports were presented for QUAD instances with 160-bit state and output block over the fields GF(2), GF(16), and GF(256). A security reduction was seemingly implied provable for all fields, but “for simplicity” a proof was given for GF(2) only. This reduction deduces the infeasibility of attacks on QUAD from the hypothesized infeasibility (with an extra looseness factor) of attacks on the well-known hard problem of solving systems of multivariate quadratic equations over finite fields. This paper discusses both theoretical and practical aspects of attacking QUAD and of attacking the underlying hard problem. For example, this paper shows how to use XL-Wiedemann to break the GF(256) instance QUAD(256, 20, 20) in approximately 2^66 Opteron cycles, and to break the underlying hard problem in approximately 2^45 cycles. The analysis shows, for each of the QUAD parameters mentioned in the paper or the talk (as implementation reports), the implications and limitations of the security proofs, pointing out which QUAD instances are not, and which ones will never be, proven secure. Empirical data backs up the theoretical conclusions; in particular, the 2^45-cycle attack was carried out successfully.
Practical Secure Logging: Seekable Sequential Key Generators
Cited by 3 (1 self)
Abstract:
In computer forensics, log files are indispensable resources that support auditors in identifying and understanding system threats and security breaches. If such logs are recorded locally, i.e., stored on the monitored machine itself, the problem of log authentication arises: if a system intrusion takes place, the intruder might be able to manipulate the log entries and cover her traces. Mechanisms that cryptographically protect collected log messages from manipulation should ideally have two properties: they should be forward-secure (the adversary gets no advantage from learning current keys when aiming at forging past log entries), and they should be seekable (the auditor can verify the integrity of log entries in any order or access pattern, at virtually no computational cost). We propose a new cryptographic primitive, a seekable sequential key generator (SSKG), that combines these two properties and has direct application in secure logging. We rigorously formalize the required security properties and give a provably-secure construction based on the integer factorization problem. We further optimize the scheme in various ways, preparing it for real-world deployment. As a by-product, we develop the notion of a shortcut one-way permutation (SCP), which might be of independent interest. Our work is highly relevant in practice. Indeed, our SSKG implementation has become part of the logging service of the systemd system manager, a core component of many modern commercial Linux-based operating systems.
Efficient Cryptosystems From 2^k-th Power Residue Symbols, 2013
Cited by 3 (0 self)
Abstract:
Goldwasser and Micali (1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser-Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser-Micali cryptosystem using 2^k-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for k ≥ 2 (the case k = 1 corresponds exactly to the Goldwasser-Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function based thereon.
Syndrome based collision resistant hashing
Cited by 3 (0 self)
Abstract:
Hash functions are a hot topic at the moment in cryptography. Many proposals are going to be made for SHA-3, and among them, some provably collision resistant hash functions might also be proposed. These do not really compete with “standard” designs as they are usually much slower and not well suited for constrained environments. However, they present an interesting alternative when speed is not the main objective. As always when dealing with provable security, hard problems are involved, and the fast syndrome-based cryptographic hash function proposed by Augot, Finiasz and Sendrier at Mycrypt 2005 relies on the problem of Syndrome Decoding, a well known “Post-Quantum” problem from coding theory. In this article we review the different variants and attacks against it so as to clearly point out which choices are secure and which are not.
Secure PRNGs from Specialized Polynomial Maps over Any Fq
Cited by 2 (2 self)
Abstract:
Berbain, Gilbert, and Patarin presented QUAD, a pseudo-random number generator (PRNG), at Eurocrypt 2006. QUAD (as PRNG and stream cipher) may be proved secure based on an interesting hardness assumption about the one-wayness of multivariate quadratic polynomial systems over F2. The original BGP proof only worked for F2 and left a gap to general Fq. We show that the result can be generalized to any arbitrary finite field Fq, and thus produces a stream cipher with alphabets in Fq. Further, we generalize the underlying hardness assumption to specialized systems in Fq (including F2) that can be evaluated more efficiently. Barring breakthroughs in the current state-of-the-art for system-solving, a rough implementation of a provably secure instance of our new PRNG is twice as fast and takes 1/10 the storage of an instance of QUAD with the same level of provable security. Recent results on specialization and security are also examined, and we conclude that our ideas are consistent with these new developments and complement them. This gives a clue that we may build secure primitives based on specialized polynomial maps which are more efficient.
More Efficient Cryptosystems From k-th Power Residues
Cited by 1 (1 self)
Abstract:
At Eurocrypt 2013, Joye and Libert proposed a method for constructing public key cryptosystems (PKCs) and lossy trapdoor functions (LTDFs) from 2^α-th power residue symbols. Their work can be viewed as non-trivial extensions of the well-known PKC scheme due to Goldwasser and Micali, and the LTDF scheme due to Freeman et al., respectively. In this paper, we will demonstrate that this kind of work can be extended more generally: all related constructions can work for any k-th residues if k only contains small prime factors, instead of 2^α-th power residues only. The resultant PKCs and LTDFs are more efficient than those from the Joye-Libert method in terms of decryption speed with the same message length.