Results 1 - 10 of 98
Signature Schemes Based on the Strong RSA Assumption
ACM Transactions on Information and System Security, 1998
Cited by 163 (8 self)
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Sequences of Games: A Tool for Taming Complexity in Security Proofs
2004
Cited by 125 (0 self)
This paper is a brief tutorial on a technique for structuring security proofs as sequences of games.
The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT 2006, volume 4004 of LNCS, 2006
Cited by 115 (30 self)
We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage against triple encryption is small until it asks about 2^78 queries. Our proof uses code-based game-playing in an integral way, and is facilitated by a framework for such proofs that we provide.
CBC MACs for arbitrary-length messages: The three-key constructions
Advances in Cryptology – CRYPTO '00, Lecture Notes in Computer Science, 2000
Cited by 73 (17 self)
We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0, 1}^* using max{1, ⌈|M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M's length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary's inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work.
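The XCBC construction in the abstract above is complete enough to implement, so here is an added, runnable illustration written for this listing (it is not the paper's own code). XTEA (64-bit block, 128-bit key) stands in for the n-bit block cipher purely to keep the example self-contained, so n = 8 bytes and K2, K3 are 8-byte keys; in practice one would use AES with n = 16. The keys K1, K2, K3 and the sample messages are constructed demo values. The raw CBC MAC is included alongside XCBC so the classic extension forgery that raw CBC MAC admits for variable-length messages can be contrasted with the tweak-key fix.

```python
import hmac
import struct

BLOCK = 8  # n in bytes: XTEA's 64-bit block (the DES-sized case)

# Constructed demo keys, not real key material.
K1 = bytes(range(16))                     # block-cipher key
K2 = bytes.fromhex("0f1e2d3c4b5a6978")    # n-bit tweak for unpadded last block
K3 = bytes.fromhex("8796a5b4c3d2e1f0")    # n-bit tweak for padded last block


def xtea_encrypt_block(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Stand-in n-bit block cipher E_K: XTEA, 128-bit key, 64-bit block."""
    assert len(key) == 16 and len(block) == BLOCK
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    total, delta, mask = 0, 0x9E3779B9, 0xFFFFFFFF
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & mask
        total = (total + delta) & mask
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & mask
    return struct.pack(">2I", v0, v1)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac_raw(k1: bytes, msg: bytes) -> bytes:
    """Plain CBC MAC keyed with K1 over a whole number of n-bit blocks (no tweak keys)."""
    assert msg and len(msg) % BLOCK == 0
    y = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        y = xtea_encrypt_block(k1, xor(y, msg[i:i + BLOCK]))
    return y


def xcbc_mac(k1: bytes, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """XCBC as described in the abstract: K2 on an unpadded last block,
    10^i padding plus K3 otherwise; max{1, ceil(|M|/n)} cipher calls."""
    if msg and len(msg) % BLOCK == 0:
        padded, tweak = msg, k2
    else:
        pad_len = BLOCK - (len(msg) % BLOCK)          # 1..BLOCK bytes of 10^i padding
        padded, tweak = msg + b"\x80" + b"\x00" * (pad_len - 1), k3
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    blocks[-1] = xor(blocks[-1], tweak)
    return cbc_mac_raw(k1, b"".join(blocks))


def xcbc_verify(k1: bytes, k2: bytes, k3: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison; never compare MAC tags with ==."""
    return hmac.compare_digest(xcbc_mac(k1, k2, k3, msg), tag)


def cbc_mac_extension_forgery(k1: bytes, m: bytes) -> bool:
    """Why the tweak keys exist: for a one-block M with raw tag T = E(M), the forger
    (using the MAC only as an oracle, never K1) presents M || (M xor T) and the raw
    CBC MAC of that two-block message is again T.  Returns True if the forgery verifies."""
    t = cbc_mac_raw(k1, m)
    return cbc_mac_raw(k1, m + xor(m, t)) == t


def xcbc_resists_extension(k1: bytes, k2: bytes, k3: bytes, m: bytes) -> bool:
    """The same extension attempt against XCBC: the K2 whitening of the last block
    means the forged tag differs whenever K2 != 0.  Returns True if XCBC rejects it."""
    t = xcbc_mac(k1, k2, k3, m)
    return xcbc_mac(k1, k2, k3, m + xor(m, t)) != t


if __name__ == "__main__":
    for m in (b"", b"8-byte..", b"sixteen bytes!!!", b"a message of odd length"):
        print(f"|M|={len(m):2d}  XCBC tag = {xcbc_mac(K1, K2, K3, m).hex()}")
    print("raw CBC MAC extension forgery verifies:", cbc_mac_extension_forgery(K1, b"8-byte.."))
    print("XCBC rejects the same forgery:", xcbc_resists_extension(K1, K2, K3, b"8-byte.."))
```

Two details worth noting from the construction: a message that already ends in a valid 10^i pattern (say `hello\x80\x00\x00`) and the shorter `hello` that pads to the same bytes get different tags only because one last block is whitened with K2 and the other with K3, which is exactly what the two tweak keys buy; and the tag check must be constant-time, since XCBC tags, like any MAC, are compared against attacker-supplied values.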
Extending Oblivious Transfers Efficiently
2003
Cited by 64 (1 self)
We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers "for free," can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function.
Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
ACM Transactions on Sensor Networks, 2004
Cited by 58 (1 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 58 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Encryption-Scheme Security in the Presence of Key-Dependent Messages
In Selected Areas in Cryptography, volume 2595 of LNCS, 2002
Cited by 52 (3 self)
Encryption that is only semantically secure should not be used on messages that depend on the underlying secret key; all bets are off when, for example, one encrypts using a shared key K the value K. Here we introduce a new notion of security, KDM security, appropriate for key-dependent messages. The notion makes sense in both the public-key and shared-key settings. For the latter we show that KDM security is easily achievable within the random-oracle model. By developing and achieving stronger notions of encryption-scheme security it is hoped that protocols which are proven secure under "formal" models of security can, in time, be safely realized by generically instantiating their primitives.
Antigone: A Flexible Framework for Secure Group Communication
In Proceedings of the 8th USENIX Security Symposium, 1999
Cited by 52 (14 self)
Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.
Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC
2003
Cited by 47 (4 self)
We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K × {0, 1}^n → {0, 1}^n into a tweakable blockcipher...