Results 1 - 10 of 15
Non-Malleable Cryptography
SIAM Journal on Computing, 2000
Cited by 450 (22 self)
The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Multicast security: A taxonomy and some efficient constructions
1999
Cited by 197 (9 self)
Multicast communication is becoming the basis for a growing number of applications. It is therefore critical to provide sound security mechanisms for multicast communication. Yet, existing security protocols for multicast offer only partial solutions. We first present a taxonomy of multicast scenarios on the Internet and point out relevant security concerns. Next we address two major security problems of multicast communication: source authentication, and key revocation. Maintaining authenticity in multicast protocols is a much more complex problem than for unicast; in particular, known solutions are prohibitively inefficient in many cases. We present a solution that is reasonable for a range of scenarios. Our approach can be regarded as a ‘midpoint’ between traditional Message Authentication Codes and digital signatures. We also present an improved solution to the key revocation problem.
On cryptographic assumptions and challenges
in Proceedings of IACR CRYPTO, 2003
Cited by 51 (2 self)
We deal with computational assumptions needed in order to design secure cryptographic schemes. We suggest a classification of such assumptions based on the complexity of falsifying them (in case they happen not to be true) by creating a challenge (competition) to their validity. As an outcome of this classification we propose several open problems regarding cryptographic tasks that currently do not have a good challenge of that sort. The most outstanding one is the design of efficient block ciphers. 1 The Main Dilemma Alice and Bob are veteran cryptographers (see Diffie [15] for their history; apparently RSA [38] is their first cooperation). One day, while Bob is sitting in his office his colleague Alice enters and says: “I have designed a new signature scheme. It has an 120 bits long public key and the signatures are 160 bits long”. That’s fascinating, says Bob, but what computational assumption is it based on? Well, says Alice, it is based on a new trapdoor permutation fk and a new hash function h and the assumption that after given fk (but not the trapdoor information) and many pairs of the form (mi, f −1
Distributed Pseudo-Random Functions and KDCs
ADVANCES IN CRYPTOLOGY: EUROCRYPT '99, VOLUME 1592 OF LECTURE NOTES IN COMPUTER SCIENCE, 1999
Cited by 29 (0 self)
This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x). The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.
Pseudo-Random Functions and Factoring
Proc. 32nd ACM Symp. on Theory of Computing, 2000
Cited by 13 (2 self)
The computational hardness of factoring integers is the most established assumption on which cryptographic primitives are based. This work presents an efficient construction of pseudorandom functions whose security is based on the intractability of factoring. In particular, we are able to construct efficient length-preserving pseudorandom functions where each evaluation requires only a (small) constant number of modular multiplications per output bit. This is substantially more efficient than any previous construction of pseudorandom functions based on factoring, and matches (up to a constant factor) the efficiency of the best known factoring-based pseudorandom bit generators.
Towards Making Luby-Rackoff Ciphers Optimal and Practical
In Proc. Fast Software Encryption 99, Lecture Notes in Computer Science, 1999
Cited by 10 (3 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Shazam.
Concrete security characterizations of PRFs and PRPs: Reductions and applications
ADVANCES IN CRYPTOLOGY—ASIACRYPT 2000, LECTURE NOTES IN COMPUTER SCIENCE, 2000
Cited by 6 (0 self)
We investigate several alternate characterizations of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) in a concrete security setting. By analyzing the concrete complexity of the reductions between the standard notions and the alternate ones, we show that the latter, while equivalent under polynomial-time reductions, are weaker in the concrete security sense. With these alternate notions, we argue that it is possible to get better concrete security bounds for certain PRF/PRP-based schemes. As an example, we show how using an alternate characterization of a PRF could result in tighter security bounds for some types of message authentication codes. We also use this method to give a simple concrete security analysis of the counter mode of encryption. In addition, our results provide some insight into how injectivity impacts pseudorandomness.
Key Derivation and Randomness Extraction
In Crypto ’05, 2005
Cited by 6 (0 self)
Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to deriving other keys.
Towards making Luby-Rackoff ciphers optimal and practical
In Fast Software Encryption, 1999
Cited by 5 (1 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Shazam.
A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security
Cited by 3 (1 self)
Motivated by the quest for reducing assumptions in security proofs in cryptography, this paper is concerned with designing efficient symmetric encryption and authentication schemes based on any weak pseudorandom function (PRF) which can be much more efficiently implemented than PRFs. Damgård and Nielsen (CRYPTO ’02) have shown how to construct an efficient symmetric encryption scheme based on any weak PRF that is provably secure against chosen-plaintext attacks. The main ingredient is a range-extension construction for weak PRFs. By using well-known techniques, they also showed how their scheme can be made secure against the stronger chosen-ciphertext attacks. The results of our paper are threefold. First, we give a range-extension construction for weak PRFs that is optimal within a large and natural class of reductions (especially all known today). Second, we propose a strengthening of a weak PRF to a PRF. Third, these two results imply a (for long messages) much more efficient chosen-ciphertext secure encryption scheme than the one proposed by Damgård and Nielsen. The results also give answers to open questions posed by Naor and Reingold (CRYPTO ’98) and by Damgård and Nielsen.