Results 1  10
of
30
Design and Analysis of Practical PublicKey Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack
 SIAM Journal on Computing
, 2001
"... A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption sc ..."
Abstract

Cited by 222 (11 self)
 Add to MetaCart
(Show Context)
A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption schemes in the literature that are simultaneously practical and provably secure.
The gapproblems: a new class of problems for the security of cryptographic schemes
 Proceedings of PKC 2001, volume 1992 of LNCS
, 1992
"... Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical ins ..."
Abstract

Cited by 139 (12 self)
 Add to MetaCart
(Show Context)
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the DiffieHellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10year old open security problem: the Chaum’s undeniable signature.
Pairingbased Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005
"... Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the secur ..."
Abstract

Cited by 92 (3 self)
 Add to MetaCart
(Show Context)
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256bit AES keys. In this paper we examine the implications of heightened security needs for pairingbased cryptosystems. We first describe three different reasons why highsecurity users might have concerns about the longterm viability of these systems. However, in our view none of the risks inherent in pairingbased systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
REACT: Rapid Enhancedsecurity Asymmetric Cryptosystem Transform
 CTRSA 2001, volume 2020 of LNCS
, 2001
"... Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosenciphertext secure encryption scheme from any trapdoor oneway permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem ..."
Abstract

Cited by 82 (22 self)
 Add to MetaCart
(Show Context)
Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosenciphertext secure encryption scheme from any trapdoor oneway permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous: 1. it is more general since it applies to any partially trapdoor oneway function (a.k.a. weakly secure publickey encryption scheme) and therefore provides security relative to RSA but also to the DiffieHellman problem or the factorization; 2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates; 3. it provides a key distribution with session key encryption, whose overall scheme achieves chosenciphertext security even with weakly secure symmetric scheme. Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
Networked Cryptographic Devices Resilient to Capture
 Preliminary version in IEEE Security and Privacy
, 2003
"... We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques d ..."
Abstract

Cited by 55 (13 self)
 Add to MetaCart
(Show Context)
We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device, but rather exploit the networked nature of the device, in that the device’s private key operations are pe formed using a simple interaction with a remote sewer: This sewer; however; is untrustedits compromise does not reduce the securiv of the device’s private key unless the device is also capturedand need not have a prior relationship with the device. We further extend this approach with support for key disabling, by which the rightj‘ul owner of a stolen device can disable the device’s private key even if the attacker already knows the user’s password. 1.
Efficiency Improvements for Signature Schemes with Tight Security Reductions
, 2003
"... Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature leng ..."
Abstract

Cited by 39 (0 self)
 Add to MetaCart
Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature length of some recentlyproposed schemes: DiffieHellman signatures. Goh and Jarecki [18] recently analyzed a signature scheme which has a tight security reduction to the computational DiffieHellman problem. Unfortunately, their scheme is less efficient in both computation and bandwidth than previous schemes relying on the (related) discrete logarithm assumption. We present a modification of their scheme in which signing is 33% more efficient and signatures are 75% shorter; the security of this scheme is tightly related to the decisional DiffieHellman problem. PSS. The...
Another look at nonstandard discrete log and DiffieHellman problems
 J. Math. Cryptology
"... Abstract. We examine several versions of the onemorediscretelog and onemoreDiffieHellman problems. In attempting to evaluate their intractability, we find conflicting evidence of the relative hardness of the different problems. Much of this evidence comes from natural families of groups associ ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We examine several versions of the onemorediscretelog and onemoreDiffieHellman problems. In attempting to evaluate their intractability, we find conflicting evidence of the relative hardness of the different problems. Much of this evidence comes from natural families of groups associated with curves of genus 2, 3, 4, 5, and 6. This leads to questions about how to interpret reductionist security arguments that rely on these nonstandard problems. 1.
Efficient signature schemes with tight reductions to the DiffieHellman problems
 Journal of Cryptology
"... We propose and analyze two efficient signature schemes whose security is tightly related to the DiffieHellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational DiffieHellman problem; security of our second scheme — which is more efficient ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
(Show Context)
We propose and analyze two efficient signature schemes whose security is tightly related to the DiffieHellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational DiffieHellman problem; security of our second scheme — which is more efficient than the first — is based on the hardness of the decisional DiffieHellman problem, a stronger assumption. Given current state of the art, it is as difficult to solve the DiffieHellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can be also applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various numbertheoretic assumptions) with tight security reductions. 1
The Equivalence Between The Dhp And Dlp For Elliptic Curves Used In Practical Applications
, 2004
"... We reexamine the reduction of Maurer and Wolf of the Discrete Logarithm problem to the Di#eHellman problem. We give a precise estimate for the number of operations required in the reduction and use this to estimate the exact security of the elliptic curve variant of the Di#eHellman protocol for ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
We reexamine the reduction of Maurer and Wolf of the Discrete Logarithm problem to the Di#eHellman problem. We give a precise estimate for the number of operations required in the reduction and use this to estimate the exact security of the elliptic curve variant of the Di#eHellman protocol for various elliptic curves defined in standards. 1.
On the static DiffieHellman problem on elliptic curves over extension fields, available at http://eprint.iacr.org/2010/177
"... Abstract. We show that for any elliptic curve E(Fqn), if an adversary has access to a Static DiffieHellman Problem (Static DHP) oracle, then by making O(q1− 1 n+1) Static DHP oracle queries during an initial learning phase, for fixed n> 1 and q → ∞ the adversary can solve any further instance o ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We show that for any elliptic curve E(Fqn), if an adversary has access to a Static DiffieHellman Problem (Static DHP) oracle, then by making O(q1− 1 n+1) Static DHP oracle queries during an initial learning phase, for fixed n> 1 and q → ∞ the adversary can solve any further instance of the Static DHP in heuristic time Õ(q1− 1 n+1). Our proposal also solves the Delayed Target DHP as defined by Freeman, and naturally extends to provide algorithms for solving the Delayed Target DLP, the OneMore DHP and OneMore DLP, as studied by Koblitz and Menezes in the context of Jacobians of hyperelliptic curves of small genus. We also argue that for any group in which index calculus can be effectively applied, the above problems have a natural relationship, and will always be easier than the DLP. While practical only for very small n, our algorithm reduces the security provided by the elliptic curves defined over Fp2 and Fp4 proposed by Galbraith, Lin and Scott at EUROCRYPT 2009, should they be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the above problems. 1