Results 1  10
of
352
Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
, 1995
"... We argue that the random oracle model  where all parties have access to a public random oracle  provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P R for the ..."
Abstract

Cited by 1360 (64 self)
 Add to MetaCart
We argue that the random oracle model  where all parties have access to a public random oracle  provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zeroknowledge proofs.
IdentityBased Encryption from the Weil Pairing
, 2001
"... We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic ..."
Abstract

Cited by 1166 (24 self)
 Add to MetaCart
We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
 CRYPTO '98
, 1998
"... A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simu ..."
Abstract

Cited by 469 (16 self)
 Add to MetaCart
A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.
Relations among notions of security for publickey encryption schemes
, 1998
"... Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and nonmalleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove e ..."
Abstract

Cited by 457 (65 self)
 Add to MetaCart
Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and nonmalleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of nonmalleability which we believe is simpler than the previous one.
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 454 (22 self)
 Add to MetaCart
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
A Concrete Security Treatment of Symmetric Encryption
 Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE
, 1997
"... We study notions and schemes for symmetric (ie. private key) encryption in a concrete security framework. We give four di erent notions of security against chosen plaintext attack and analyze the concrete complexity ofreductions among them, providing both upper and lower bounds, and obtaining tight ..."
Abstract

Cited by 361 (58 self)
 Add to MetaCart
We study notions and schemes for symmetric (ie. private key) encryption in a concrete security framework. We give four di erent notions of security against chosen plaintext attack and analyze the concrete complexity ofreductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning
Optimistic fair exchange of digital signatures
 IEEE Journal on Selected Areas in Communications
, 1998
"... Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an elect ..."
Abstract

Cited by 241 (10 self)
 Add to MetaCart
Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic, ” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player. 1
A modular approach to the design and analysis of authentication and key exchange protocols
, 1998
"... We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key e ..."
Abstract

Cited by 227 (19 self)
 Add to MetaCart
We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key exchange protocols. The key element in our approach is a modular treatment of the authentication problem in cryptographic protocols; this applies to the definition of security, to the design of the protocols, and to their analysis. In particular, following this modular approach, we show how to systematically transform solutions that work in a model of idealized authenticated communications into solutions that are secure in the realistic setting of communication channels controlled by an active adversary. Using these principles we construct and prove the security of simple and practical authentication and keyexchange protocols. In particular, we provide a security analysis of some wellknown key exchange protocols (e.g. authenticated DiffieHellman key exchange), and of some of the techniques underlying the design of several authentication protocols that are currently being
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
, 2000
"... and analysis of the generic composition paradigm ..."
Abstract

Cited by 225 (22 self)
 Add to MetaCart
and analysis of the generic composition paradigm
ChosenCiphertext Security from IdentityBased Encryption. Adv
 in Cryptology — Eurocrypt 2004, LNCS
, 2004
"... We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes secure against adaptive chosenciphertext attacks) based on any identitybased encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a n ..."
Abstract

Cited by 209 (11 self)
 Add to MetaCart
We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes secure against adaptive chosenciphertext attacks) based on any identitybased encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a new paradigm for achieving CCAsecurity; this paradigm avoids “proofs of wellformedness ” that have been shown to underlie previous constructions. Second, instantiating our construction using known IBE constructions we obtain CCAsecure encryption schemes whose performance is competitive with the most efficient CCAsecure schemes to date. Our techniques extend naturally to give an efficient method for securing also IBE schemes (even hierarchical ones) against adaptive chosenciphertext attacks. Coupled with previous work, this gives the first efficient constructions of CCAsecure IBE schemes. 1