Results 1  10
of
38
TagKEM/DEM: a New Framework for Hybrid Encryption and a New Analysis of KurosawaDesmedt KEM
 in Proc. Eurocrypt
, 2005
"... Abstract This paper presents a novel framework for the generic construction of hybrid encryptionschemes which produces more efficient schemes than the ones known before. A previous ..."
Abstract

Cited by 69 (8 self)
 Add to MetaCart
(Show Context)
Abstract This paper presents a novel framework for the generic construction of hybrid encryptionschemes which produces more efficient schemes than the ones known before. A previous
ChosenCiphertext Secure Proxy ReEncryption
 In Proc. of ACMCCS’007
, 2007
"... In a proxy reencryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have ma ..."
Abstract

Cited by 63 (1 self)
 Add to MetaCart
(Show Context)
In a proxy reencryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed reencryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear DiffieHellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a gamebased definition and simulationbased definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCAsecure PRE, discussed herein. 1
Unidirectional ChosenCiphertext Secure Proxy ReEncryption
 In PKC’08, LNCS
"... Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy reencryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recentl ..."
Abstract

Cited by 38 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy reencryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosenciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy reencryption schemes with chosenciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the CanettiHohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users ’ keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as noninteractive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the CanettiHohenberger scheme, they meet a relaxed flavor of chosenciphertext security introduced by Canetti, Krawczyk and Nielsen. 1
Publickey steganography with active attacks
 Second Theory of Cryptography Conference — TCC 2005, volume 3378 of Lecture Notes in Computer Science
, 2005
"... Abstract. A complexitytheoretic model for publickey steganography with active attacks is introduced. The notion of steganographic security against adaptive chosencovertext attacks (SSCCA) and a relaxation called steganographic security against publiclydetectable replayable adaptive chosencover ..."
Abstract

Cited by 37 (3 self)
 Add to MetaCart
(Show Context)
Abstract. A complexitytheoretic model for publickey steganography with active attacks is introduced. The notion of steganographic security against adaptive chosencovertext attacks (SSCCA) and a relaxation called steganographic security against publiclydetectable replayable adaptive chosencovertext attacks (SSPDRCCA) are formalized. These notions are closely related to CCAsecurity and PDRCCAsecurity for publickey cryptosystems. In particular, it is shown that any SS(PDR)CCA stegosystem is a (PDR)CCAsecure publickey cryptosystem and that an SSPDRCCA stegosystem for any covertext distribution with sufficiently large minentropy can be realized from any PDRCCAsecure publickey cryptosystem with pseudorandom ciphertexts. 1
Targeted malleability: Homomorphic encryption for restricted computations
, 2011
"... We put forward the notion of targeted malleability: given a homomorphic encryption scheme, in various scenarios we would like to restrict the homomorphic computations one can perform on encrypted data. We introduce a precise framework, generalizing the foundational notion of nonmalleability introdu ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
We put forward the notion of targeted malleability: given a homomorphic encryption scheme, in various scenarios we would like to restrict the homomorphic computations one can perform on encrypted data. We introduce a precise framework, generalizing the foundational notion of nonmalleability introduced by Dolev, Dwork, and Naor (SICOMP ’00), ensuring that the malleability of a scheme is targeted only at a specific set of “allowable ” functions. In this setting we are mainly interested in the efficiency of such schemes as a function of the number of repeated homomorphic operations. Whereas constructing a scheme whose ciphertext grows linearly with the number of such operations is straightforward, obtaining more realistic (or merely nontrivial) length guarantees is significantly more challenging. We present two constructions that transform any homomorphic encryption scheme into one that offers targeted malleability. Our constructions rely on standard cryptographic tools and on succinct noninteractive arguments, which are currently known to exist in the standard model based on variants of the knowledgeofexponent assumption. The two constructions offer somewhat different efficiency guarantees, each of which may be preferable depending on the underlying building blocks. Keywords: Homomorphic encryption, Nonmalleable encryption.
Joint State Theorems for PublicKey Encryption and Digitial Signature Functionalities with Local Computation
 In Proc. 21st IEEE Computer Security Foundations Symposium (CSF’08
, 2008
"... Abstract. Composition theorems in simulationbased approaches allow to build complex protocols from subprotocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionalit ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Composition theorems in simulationbased approaches allow to build complex protocols from subprotocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates to generalize composition theorems to socalled joint state theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: publickey encryption, replayable publickey encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations are shown to be unsuitable. Our work is based on a recently proposed, rigorous model for simulationbased security by Küsters, called the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti’s UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.
OAEP 3round: A generic and secure asymmetric encryption padding
 In Asiacrypt ’04, LNCS 3329
, 2004
"... ..."
(Show Context)
Proving the TLS handshake secure (as it is
 BFS + 13] Christina Brzuska, Marc Fischlin, Nigel
, 2013
"... The TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now wellunderstood in isolation, their composition remains problematic, and yet it is critical ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
(Show Context)
The TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now wellunderstood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS. We experimentally confirm that all mainstream implementations of TLS share key materials between different algorithms, some of them of dubious strength. We outline attacks in their handling of resumption and renegotiation, stressing the need to model multiple related instances of the handshake. We study the provable security of the TLS handshake, as it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. miTLS interoperates with mainstream browsers and servers for many protocol versions, configurations, and ciphersuites; and it provides applicationlevel, provable security for some. We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms (KEM), and key derivation algorithms used by the TLS handshake. By necessity, our
On the Security of Multiple Encryption or CCAsecurity+CCAsecurity=CCAsecurity?
 Proc. of PKC’04, LNCS 2947
, 2003
"... In a practical system, a message is often encrypted more than once by different encryptions, here called multiple encryption, to enhance its security. Additionally, new features may be achieved by multiple encrypting a message for a scheme, such as the keyinsulated cryptosystems [13] and anonymous ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
In a practical system, a message is often encrypted more than once by different encryptions, here called multiple encryption, to enhance its security. Additionally, new features may be achieved by multiple encrypting a message for a scheme, such as the keyinsulated cryptosystems [13] and anonymous channels [8]. Intuitively, a multiple encryption should remain "secure", whenever there is one component cipher unbreakable in it. In NESSIE's latest Portfolio of recommended cryptographic primitives (Feb. 2003), it is suggested to use multiple encryption with component ciphers based on different assumptions to acquire long term security. However, in this paper we show this needs careful discussion. Especially, this may not be true...