Mixminion: Design of a Type III Anonymous Remailer Protocol
In Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003
Abstract. We present Mixminion, a message-based anonymous remailer protocol that supports secure single-use reply blocks. MIX nodes cannot distinguish Mixminion forward messages from reply messages, so forward and reply messages share the same anonymity set. We add directory servers that allow users to learn public keys and performance statistics of participating remailers, and we describe nymservers that allow users to maintain long-term pseudonyms using single-use reply blocks as a primitive. Our design integrates link encryption between remailers to provide forward anonymity. Mixminion brings together the best solutions from previous work to create a conservative design that protects against most known attacks. Keywords: anonymity, MIX-net, peer-to-peer, remailer, nymserver, reply block
A tweakable enciphering mode
In LNCS, 2003
Abstract. We describe a block-cipher mode of operation, CMC, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of a tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, in place, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other nontrivial operation beyond the block-cipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the non-malleability of these objects.
Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation
In FSE ’00, 1978
Abstract. We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability, which captures an adversary’s inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit block size), it has highly parallelizable encryption and decryption operations.
The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search
In Advances in Cryptology – CRYPTO ’00, 2000
Abstract. We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple block-cipher-based AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above key-search resistance property.
On the Construction of Variable-Input-Length Ciphers
In Fast Software Encryption, 1998
We investigate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths, in particular lengths not necessarily a multiple of some block length. (By a "cipher" we mean a key-indexed family of length-preserving permutations, with a "good" cipher being one that resembles a family of random length-preserving permutations.) Oddly enough, this question seems not to have been investigated. We show how to construct variable-input-length ciphers starting from any block cipher (i.e., a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provable-security sense of contemporary cryptography. Variable-input-length ciphers can be used to encrypt in the presence of the constraint that the ciphertex...
New paradigms for constructing symmetric encryption schemes secure against chosen ciphertext attack
In Advances in Cryptology – CRYPTO 2000, 2000
Abstract. The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge “valid” ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a “valid” ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of “variable-length” pseudorandom functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.
A Chosen Ciphertext Attack against Several E-Mail Encryption Protocols
In 9th USENIX Security Symposium, 2000
Several security protocols (PGP, PEM, MOSS, S/MIME, PKCS#7, CMS, etc.) have been developed to provide confidentiality and authentication of electronic mail. These protocols are widely used and trusted for private communication over the Internet. We point out a potentially serious security hole in these protocols: any encrypted message can be decrypted using a one-message, adaptive chosen-ciphertext attack. Although such attacks have been formalized mainly for theoretical interest, we argue that they are feasible in the networked systems in which these e-mail protocols are used.