Results 1 - 10 of 13
The Classification of Hash Functions
1993
Cited by 24 (3 self)
Abstract
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Almost Uniform Density of Power Residues and the Provable Security of ESIGN
2003
Cited by 14 (0 self)
Abstract
ESIGN is an efficient signature scheme that has been proposed in the early nineties (see [14]). Recently, an effort was made to lay ESIGN on firm foundations, using the methodology of provable security. A security proof [15] in the random oracle model, along the lines of [2], appeared in support for ESIGN. However, several unexpected difficulties were found. Firstly, it was observed in [20] that the proof from [15] holds in a more restricted model of security than claimed. Even if it is quite easy to restore the usual security level, as suggested in [9], this shows that the methodology of security proofs is more subtle than it at first appears. Secondly, it was found that the proof needs the additional assumption that e is prime to φ(n), thus excluding the case where e is a small power of two, a very attractive parameter choice. The difficulty here lies in the simulation of the random oracle, since it relies on the distribution of e-th powers, which is not completely understood from a mathematical point of view, at least when e is not prime to φ(n). In this paper, we prove that the set of e-th powers modulo an RSA modulus n, which is a product of two equal size integers p, q, is almost uniformly distributed on any large enough interval. This property allows one to complete the security proof of ESIGN. We actually offer two proofs of our result: one is based on two-dimensional lattice reduction, and the other uses Dirichlet characters. Besides yielding better bounds, the latter is one new example of the use of analytic number theory in cryptography.
Accountable Virtual Machines
Cited by 12 (3 self)
Abstract
In this paper, we introduce accountable virtual machines (AVMs). Like ordinary virtual machines, AVMs can execute binary software images in a virtualized copy of a computer system; in addition, they can record non-repudiable information that allows auditors to subsequently check whether the software behaved as intended. AVMs provide strong accountability, which is important, for instance, in distributed systems where different hosts and organizations do not necessarily trust each other, or where software is hosted on third-party operated platforms. AVMs can provide accountability for unmodified binary images and do not require trusted hardware. To demonstrate that AVMs are practical, we have designed and implemented a prototype AVM monitor based on VMware Workstation, and used it to detect several existing cheats in Counterstrike, a popular online multiplayer game.
How Risky is the Random-Oracle Model?
Cited by 11 (0 self)
Abstract
RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than $2^{30}$). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that is insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
New Semantically Secure Public-Key Cryptosystems from the RSA-Primitive
PKC 2002, LNCS 2274, 2002
Cited by 9 (3 self)
Abstract
We analyze the security of the simplified Paillier (S-Paillier) cryptosystem, which was proposed by Catalano et al. We prove that the one-wayness of the S-Paillier scheme is as intractable as the standard RSA problem. We also prove that an adversary, which breaks the semantic security, can compute the least significant bits of the nonce. This observation is interesting, because the least significant bit of the nonce is the hard core bit of the encryption function. Moreover, we proposed a novel semantically secure cryptosystem, based on the one-way function $f^{\mathrm{MSB}_Z(l)}_{e,n}(r) = (r - \mathrm{MSB}_l(r))^e \bmod n$, where (e, n) is the RSA public key and $r - \mathrm{MSB}_l(r)$ means that the l most significant bits of r are zeroed. We proved that the one-wayness of the proposed scheme is as intractable as the standard RSA problem. An adversary, which breaks the semantic security of the proposed scheme, can break the least significant bits of the nonce. These security results of the proposed scheme are similar to those of the S-Paillier cryptosystem. However, the proposed scheme is more efficient than the S-Paillier cryptosystem.
Unconditionally secure digital signature schemes admitting transferability
In Proc. ASIACRYPT'00, Kyoto, December 3–7, 2000
Cited by 8 (5 self)
Abstract
A potentially serious problem with current digital signature schemes is that their underlying hard problems from number theory may be solved by an innovative technique or a new generation of computing devices such as quantum computers. Therefore while these signature schemes represent an efficient solution to the short term integrity (unforgeability and non-repudiation) of digital data, they provide no confidence on the long term (say of 20 years) integrity of data signed by these schemes. In this work, we focus on signature schemes whose security does not rely on any unproven assumption. More specifically, we establish a model for unconditionally secure digital signatures in a group, and demonstrate practical schemes in that model. An added advantage of the schemes is that they allow unlimited transfer of signatures without compromising the security of the schemes. Our scheme represents the first unconditionally secure signature that admits provably secure transfer of signatures.
A New Public-Key Cryptosystem over Quadratic Orders with Quadratic Decryption Time
2000
Cited by 7 (2 self)
Abstract
We present a new cryptosystem based on ideal arithmetic in quadratic orders. The method of our trapdoor is different from the Diffie-Hellman key distribution scheme or the RSA cryptosystem. The plaintext m is encrypted by $m p^r$, where p is a fixed element and r is a random integer, so our proposed cryptosystem is a probabilistic encryption scheme and has the homomorphy property. The most prominent property of our cryptosystem is the cost of the decryption, which is of quadratic bit complexity in the length of the public key. Our implementation shows that it is comparably as fast as the encryption time of the RSA cryptosystem with $e = 2^{16} + 1$. The security of our cryptosystem is closely related to factoring the discriminant of a quadratic order. When we choose appropriate sizes of the parameters, the currently known fast algorithms, for example the elliptic curve method, the number field sieve and the Hafner-McCurley algorithm, are not applicable. We also discuss that the chosen cip...
Evaluation of security level of cryptography: ESIGN signature scheme
CRYPTREC Project, 2001
Cited by 2 (0 self)
Abstract
to be existentially unforgeable against chosen-message attacks assuming that the approximate e-th root (AER) problem is hard and that the employed hash function is a random function. While the AER problem has been studied by some researchers, it has not received as much attention as the integer factorization problem or the discrete logarithm problem. One way to solve the AER problem is to factor the integer n, where n = p²q and p and q are primes of the same bit length. The parameters recommended ensure that ESIGN resists all known attacks for factoring integers of this form.
2 Protocol specification
2.1 ESIGN key pairs
For the security parameters pLen, k, each entity does the following:
1. Randomly select two distinct primes p, q, each of bit size k, and compute n = p²q.
2. Select an integer e ≥ 4.
3. A's public key is (n, e, k); A's private key is (p, q).
In addition, one needs to specify a hash function H̃ whose output length is k bits.
2.2 ESIGN signature generation
To sign a message m, an entity A with the private key (p, q) does the following:
1. Compute H̃(m), and let H(m) be obtained from H̃(m) by deleting the most significant bit.
2. Pick r uniformly at random from {r ∈ Z_pq : gcd(r, p) = 1}.
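The key generation and the opening signing steps above, carried through to a complete sign/verify round trip as an added Python example (not code from the CRYPTREC evaluation, from ESIGN's designers, or from the Granboulan paper listed above). It keeps the page's parameters: primes p, q of k bits, n = p²q, e ≥ 4, a k-bit hash H̃ whose most significant bit is deleted, and r drawn from Z_pq with gcd(r, p) = 1. The remaining signing steps and the verification rule (the top k−1 bits of s^e mod n must equal the hash, i.e. s is an approximate e-th root of the padded hash, the AER problem the abstract names) are the standard ESIGN construction from the literature rather than from this page, and the concrete hash (truncated SHA-256), the default e = 4 (the small-power-of-two choice the Granboulan abstract discusses) and the size condition imposed on n are this example's own assumptions.

```python
"""Toy ESIGN (n = p^2 q): key generation, signing, verification.

Added example, not the CRYPTREC evaluation's or ESIGN's own code.  Page-given
parameters: p, q of k bits, n = p^2 q, e >= 4, k-bit hash with MSB deleted,
r in Z_pq with gcd(r, p) = 1.  Assumptions of this example: H~ is SHA-256
truncated to k bits, e defaults to 4, and n >= 2^(3k-1) + 2^(2k).
"""
import hashlib
import math
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(x: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (trial division first)."""
    if x < 2:
        return False
    for sp in SMALL_PRIMES:
        if x % sp == 0:
            return x == sp
    exp, twos = x - 1, 0
    while exp % 2 == 0:
        exp //= 2
        twos += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(x - 3)
        y = pow(a, exp, x)
        if y in (1, x - 1):
            continue
        for _ in range(twos - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(k: int, e: int = 4):
    """Public key (n, e, k), private key (p, q), n = p^2 q with p, q of k bits.

    Assumption: n >= 2^(3k-1) + 2^(2k), so the (k-1)-bit hash placed in the
    top bits plus 2k free low bits never exceeds n (no modular wrap-around).
    """
    if e < 4 or not 8 <= k <= 256:
        raise ValueError("need e >= 4 and 8 <= k <= 256 (SHA-256 truncation)")
    while True:
        p, q = random_prime(k), random_prime(k)
        n = p * p * q
        if p != q and n >= (1 << (3 * k - 1)) + (1 << (2 * k)):
            return (n, e, k), (p, q)


def hash_value(m: bytes, k: int) -> int:
    """H(m): k-bit H~(m) (truncated SHA-256, assumed) with its MSB deleted."""
    h_tilde = int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - k)
    return h_tilde & ((1 << (k - 1)) - 1)


def sign(m: bytes, pub, priv) -> int:
    """ESIGN signing: find s with s^e mod n in [z, z + pq), z = H(m) << 2k."""
    n, e, k = pub
    p, q = priv
    pq = p * q
    z = hash_value(m, k) << (2 * k)
    while True:                                  # r in Z_pq, gcd(r, p) = 1
        r = secrets.randbelow(pq)
        if math.gcd(r, p) == 1:
            break
    a = pow(r, e, n)
    # With s = r + t*pq:  s^e = a + e*r^(e-1)*t*pq  (mod n), since every
    # binomial term containing (pq)^2 is divisible by p^2 q.  Choosing t so
    # that e*r^(e-1)*t = w (mod p) makes s^e mod n equal a + w*pq exactly.
    w = -((a - z) // pq)                         # ceil((z - a) / pq)
    t = (w * pow((e * pow(r, e - 1, p)) % p, -1, p)) % p
    return r + t * pq


def verify(m: bytes, s: int, pub) -> bool:
    """Accept iff the top k-1 bits of s^e mod n equal H(m)."""
    n, e, k = pub
    if not 0 < s < n:
        return False
    return (pow(s, e, n) >> (2 * k)) == hash_value(m, k)


if __name__ == "__main__":
    pub, priv = keygen(128)
    sig = sign(b"ESIGN demo", pub, priv)
    print(verify(b"ESIGN demo", sig, pub), verify(b"ESIGN demo!", sig, pub))
```

The signer only ever inverts e·r^{e−1} modulo the prime p, so signing works for e = 4 even though gcd(e, φ(n)) ≠ 1 for n = p²q (φ(n) = p(p−1)(q−1) is even); the difficulty the Granboulan abstract describes is in simulating the random oracle for the security proof, not in running the scheme. The ratio of signing cost to verification cost is also visible here: one e-th power modulo n, one inverse modulo p, and no full-size exponent.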
Practical Experiences with ATM Encryption
Proceedings of the 2001 NDSS Symposium, February 2001
Cited by 1 (0 self)
Abstract
CellCase is a commercial high-speed encryptor for Asynchronous Transfer Mode (ATM) networks, available since 1997. It provides data confidentiality and entity authentication at the ATM layer, encrypting ATM cell payloads at rates from T1 (1.5 Mb/s) to OC-12c (622 Mb/s). Though deployed prior to the adoption of the ATM Forum Security Specification (1999), CellCase implements many of the mechanisms defined by that standard. In this paper, we describe how CellCase is deployed in actual networks, as well as customer experience with services such as counter-mode encryption, key exchange, and key update. Based on this experience, we also discuss possible changes to the ATM Forum specification.
New Subliminal Channel Embedded in the ESIGN
1999
Abstract
This paper proposes a new broadband subliminal channel embedded in the ESIGN. The bandwidth of the proposed subliminal channel is wider than that of the previous one, and it exceeds the upper bound that Simmons has conjectured. Namely, we disprove the conjectures due to Simmons. We also show that it is possible to construct the subliminal channel even if the transmitter and the subliminal receiver do not have any key in common.