Simultaneous hardcore bits and cryptography against memory attacks
In TCC, 2009
Cited by 75 (8 self)
This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret key, or more generally, can compute an arbitrary function of the secret key of bounded output length. This is done without increasing the size of the secret key, and without introducing any
A.: On notions of security for deterministic encryption, and efficient constructions without random oracles. Full version of this paper
2008
Cited by 45 (0 self)
Abstract. The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible” notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for many practical applications. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC ’08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting as well.
Order-Preserving Symmetric Encryption
Cited by 25 (0 self)
We initiate the cryptographic study of order-preserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al. (SIGMOD ’04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosen-plaintext attack (IND-CPA) is unachievable by a practical OPE scheme. Instead, we propose a security notion in the spirit of pseudorandom functions (PRFs) and related primitives asking that an OPE scheme look “as-random-as-possible” subject to the order-preserving constraint. We then design an efficient OPE scheme and prove its security under our notion based on pseudorandomness of an underlying block cipher. Our construction is based on a natural relation we uncover between a random order-preserving function and the hypergeometric probability distribution. In particular, it makes black-box use of an efficient sampling algorithm for the latter.
Hedged Public-Key Encryption: How to Protect against Bad Randomness
IACR EPRINT, 2012
Cited by 21 (11 self)
Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the lack of possible randomness. We provide public-key encryption schemes that achieve IND-CPA security when the randomness they use is of high quality, but, when the latter is not the case, rather than breaking completely, they achieve a weaker but still useful notion of security that we call IND-CDA. This hedged public-key encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RO-based ways to make in-practice IND-CPA schemes hedge secure with minimal software changes. We also provide non-RO model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs which we believe is of independent interest. (Preliminary version was presented at AsiaCrypt 2009)
Format-Preserving Encryption
Cited by 17 (6 self)
Abstract. Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format, for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
A unified approach to deterministic encryption: New constructions and a connection to computational entropy
TCC 2012, volume 7194 of LNCS, 2012
Cited by 12 (1 self)
We propose a general construction of deterministic encryption schemes that unifies prior work and gives novel schemes. Specifically, its instantiations provide:
• A construction from any trapdoor function that has sufficiently many hardcore bits.
• A construction that provides “bounded” multi-message security from lossy trapdoor functions.
The security proofs for these schemes are enabled by three tools that are of broader interest:
• A weaker and more precise sufficient condition for semantic security on a high-entropy message distribution. Namely, we show that to establish semantic security on a distribution M of messages, it suffices to establish indistinguishability for all conditional distributions M|E, where E is an event of probability at least 1/4. (Prior work required indistinguishability on all distributions of a given entropy.)
• A result about computational entropy of conditional distributions. Namely, we show that conditioning on an event E of probability p reduces the quality of computational entropy by a factor of p and its quantity by log_2(1/p).
• A generalization of the leftover hash lemma to correlated distributions.
We also extend our result about computational entropy to the average case, which is useful in reasoning about leakage-resilient cryptography: leaking λ bits of information reduces the quality of computational entropy by a factor of 2^λ and its quantity by λ.
Better security for deterministic public-key encryption: The auxiliary-input setting
CRYPTO 2011, volume 6841 of LNCS, 2011
Cited by 11 (1 self)
Deterministic public-key encryption, introduced by Bellare, Boldyreva, and O’Neill (CRYPTO ’07), provides an alternative to randomized public-key encryption in various scenarios where the latter exhibits inherent drawbacks. A deterministic encryption algorithm, however, cannot satisfy any meaningful notion of security when the plaintext is distributed over a small set. Bellare et al. addressed this difficulty by requiring semantic security to hold only when the plaintext has high min-entropy from the adversary’s point of view. In many applications, however, an adversary may obtain auxiliary information that is related to the plaintext. Specifically, when deterministic encryption is used as a building block of a larger system, it is rather likely that plaintexts do not have high min-entropy from the adversary’s point of view. In such cases, the framework of Bellare et al. might fall short of providing robust security guarantees. We formalize a framework for studying the security of deterministic public-key encryption schemes with respect to auxiliary inputs. Given the trivial requirement that the plaintext should not be efficiently recoverable from the auxiliary input, we focus on hard-to-invert auxiliary inputs.
Correlated-Input Secure Hash Functions
Cited by 11 (0 self)
Abstract. We undertake a general study of hash functions secure under correlated inputs, meaning that security should be maintained when the adversary sees hash values of many related high-entropy inputs. Such a property is satisfied by a random oracle, and its importance is illustrated by study of the “avalanche effect,” a well-known heuristic in cryptographic hash function design. One can interpret “security” in different ways: e.g., asking for one-wayness or that the hash values look uniformly and independently random; the latter case can be seen as a generalization of correlation-robustness introduced by Ishai et al. (CRYPTO 2003). We give specific applications of these notions to password-based login and efficient search on encrypted data. Our main construction achieves them (without random oracles) for inputs related by polynomials over the input space (namely Z_p), based on corresponding variants of the q-Diffie-Hellman Inversion assumption. Additionally, we show relations between correlated-input secure hash functions and cryptographic primitives secure under related-key attacks. Using our techniques, we are also able to obtain a host of new results for such related-key attack secure cryptographic primitives.
Careful with composition: Limitations of the indifferentiability framework
EUROCRYPT 2011, volume 6632 of LNCS, 2011
Cited by 11 (1 self)
We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function non-malleability, key-dependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiability-style composition theorem covering such multi-stage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosen-distribution attack security (which requires a multi-stage game) of some important public-key encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton.
Adaptive Trapdoor Functions and Chosen-Ciphertext Security
Cited by 6 (2 self)
We introduce the notion of adaptive trapdoor functions (ATDFs); roughly, ATDFs remain one-way even when the adversary is given access to an inversion oracle. Our main application is the black-box construction of chosen-ciphertext secure public-key encryption (CCA-secure PKE). Namely, we give a black-box construction of CCA-secure PKE from ATDFs, as well as a construction of ATDFs from correlation-secure TDFs introduced by Rosen and Segev (TCC ’09). Moreover, by an extension of a recent result of Vahlis (TCC ’10), we show that ATDFs are strictly weaker than the latter (in a black-box sense). Thus, adaptivity appears to be the weakest condition on a TDF currently known to yield the first implication. We also give a black-box construction of CCA-secure PKE from a natural generalization of ATDFs we call tag-based ATDFs that, when applied to our constructions of the latter from either correlation-secure TDFs, or lossy TDFs introduced by Peikert and Waters (STOC ’08), yield precisely the CCA-secure PKE schemes in these works. This helps to unify and clarify their schemes. Finally, we show how to realize tag-based ATDFs from an assumption on RSA inversion not known to yield correlation-secure TDFs.