Results 1 - 9 of 9
A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
 CRYPTO '98
, 1998
Cited by 460 (16 self)
A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.
Signature Schemes Based on the Strong RSA Assumption
 ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY
, 1998
Cited by 150 (8 self)
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
A Proposal for an ISO Standard for Public Key Encryption (version 2.0)
, 2001
Cited by 111 (3 self)
This document should be viewed less as a first draft of a standard for public-key encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
OAEP Reconsidered
 Journal of Cryptology
, 2000
Cited by 96 (4 self)
The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94, and is widely believed to be secure against adaptive chosen ciphertext attack. The main justification for this belief is a proof of security in the random oracle model. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a nontrivial gap in the proof. Second, it proves a theorem that essentially says that this gap cannot be filled using standard proof techniques of the type used in Bellare and Rogaway's paper, and elsewhere in the cryptographic literature. It should be stressed that these results do not imply that RSA-OAEP is insecure. They simply undermine the justification that no attacks are possible in general. In fact, we make the observation that RSA-OAEP with encryption exponent 3 actually is provably secure in the random oracle model, but the argument makes use of special properties of the RSA function. However, this should not necessarily be...
Why Chosen Ciphertext Security Matters
, 1998
Cited by 29 (2 self)
This article motivates the importance of public-key cryptosystems that are secure against chosen ciphertext attack, and of rigorous security proofs. It also discusses the new cryptosystem developed by Cramer and Shoup, and its relevance in this regard.
ACE: The Advanced Cryptographic Engine
 Revised, August
, 2000
Cited by 3 (1 self)
This document describes the Advanced Cryptographic Engine (ACE). It specifies a public key encryption scheme as well as a digital signature scheme with enough detail to ensure interoperability between different implementations. These schemes are almost as efficient as commercially used schemes, yet unlike such schemes, can be proven secure under reasonable and well-defined intractability assumptions. A concrete security analysis of both schemes is presented.
OAEP Reconsidered (Extended Abstract)
 IN PROC. OF CRYPTO 2001
Cited by 2 (0 self)
The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt ’94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a nontrivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard “black box” security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out—essentially by accident, rather than by design—that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.
ACE Encrypt: The Advanced Cryptographic Engine’s Public Key Encryption Scheme
, 2000
Cited by 1 (0 self)
This document describes the part of the Advanced Cryptographic Engine (ACE) pertaining to public key encryption. It specifies a public key encryption scheme with enough detail to ensure interoperability between different implementations. This scheme is almost as efficient as commercially used schemes, yet unlike such schemes, can be proven secure under reasonable and well-defined intractability assumptions. A concrete security analysis of the scheme is presented.
Lecture 14 CCA Security
, 2007
Key exchange. Suppose we have the following situation: Alice wants to buy something from the well-known website Bob.com. Since they will exchange private information (Alice’s credit card, address, etc.) they want to use encryption. However, they do not share a key between them. Using a key exchange protocol. It seems that we already learned a protocol to do that: Alice and Bob can run a key exchange protocol. One such protocol is the Diffie-Hellman protocol, but they can also run the following RSA-based protocol:
A ← B: Bob chooses a pair of RSA keys (e, d) and sends e to Alice.
A → B: Alice chooses a key k ←_R {0, 1}^n and sends E_e(k) to Bob.
A ⇆ B: Bob and Alice can now continue their interaction with the shared secret key k.
Insecurity of basic key exchange protocol: This protocol is secure for a passive / eavesdropping adversary, but it is not secure against an active adversary. Indeed, a man-in-the-middle Charlie can play Bob to Alice and Alice to Bob. That is, Charlie will receive (e, d) from Bob but will not pass this on to Alice. Rather he will choose his own RSA pair (e′, d′) and send