Results 1  10
of
31
CodeBased GamePlaying Proofs and the Security of Triple Encryption
 Eurocrypt 2006, LNCS
"... (Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates t ..."
Abstract

Cited by 47 (10 self)
 Add to MetaCart
(Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates that for DES parameters (56bit keys and 64bit plaintexts) an adversary’s maximal advantage is small until it asks about 278 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for gameplaying proofs and discussing techniques used within such proofs. To further exercise the gameplaying framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
ChosenCiphertext Security of Multiple Encryption
 In TCC’05, LNCS 3378
, 2005
"... Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this sub ..."
Abstract

Cited by 47 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosenplaintext attacks, and has shown constructions secure in this sense based on the chosenplaintext security of the component schemes. Subsequent work has sometimes assumed that these solutions are also secure against chosenciphertext attacks when component schemes with stronger security properties are used. Unfortunately, this intuition is false for all existing multiple encryption schemes. Here, in addition to formalizing the problem of chosenciphertext security for multiple encryption, we give simple, efficient, and generic constructions of multiple encryption schemes secure against chosenciphertext attacks (based on any component schemes secure against such attacks) in the standard model. We also give a more efficient construction from any (hierarchical) identitybased encryption scheme secure against selectiveidentity chosen plaintext attacks. Finally, we discuss a wide range of applications for our proposed schemes. 1
The Strong Secret Key Rate of Discrete Random Triples
 COMMUNICATION AND CRYPTOGRAPHY
, 1994
"... Three parties, Alice, Bob and Eve, know the sequences of random variables X N = [X 1 ; X 2 ; : : : XN ], Y N = [Y 1 ; Y 2 ; : : : Y N ] and Z N = [Z 1 ; Z 2 ; : : : ZN ], respectively, where the triples (X i Y i Z i ), for 1 i N , are generated by a discrete memoryless source according ..."
Abstract

Cited by 46 (6 self)
 Add to MetaCart
Three parties, Alice, Bob and Eve, know the sequences of random variables X N = [X 1 ; X 2 ; : : : XN ], Y N = [Y 1 ; Y 2 ; : : : Y N ] and Z N = [Z 1 ; Z 2 ; : : : ZN ], respectively, where the triples (X i Y i Z i ), for 1 i N , are generated by a discrete memoryless source according to some probability distribution PXY Z . Motivated by Wyner's and Csisz'ar and Korner's pioneering definition of, and work on, the secrecy capacity of a broadcast channel, the secret key rate of PXY Z was defined by Maurer as the maximal rate M=N at which Alice and Bob can generate secret shared random key bits S 1 ; : : : ; SM by exchanging messages over an insecure public channel accessible to Eve, such that the rate at which Eve obtains information about the key is arbitrarily small, i.e., such that lim N!1 I(S 1 ; : : : ; SM ; Z N ; C t )=N = 0, where C t is the collection of messages exchanged between Alice and Bob over the public channel. However, this definition is n...
Security Amplification by Composition: The case of DoublyIterated, Ideal Ciphers
, 1998
"... We investigate, in the Shannon model, the security of constructions corresponding to double and (twokey) triple DES. That is, we consider Fk1 (Fk2(\Delta)) and Fk1(F \Gamma 1 k2 (Fk1 (\Delta))) with the component functions being ideal ciphers. This models the resistance of these constructions to & ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
We investigate, in the Shannon model, the security of constructions corresponding to double and (twokey) triple DES. That is, we consider Fk1 (Fk2(\Delta)) and Fk1(F \Gamma 1 k2 (Fk1 (\Delta))) with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet in the middle attacks. We obtain
NonTrivial BlackBox Combiners for CollisionResistant HashFunctions don’t Exist
 Advances in Cryptology — Eurocrypt 2007, Lecture Notes in Computer Science
"... Abstract. A (k, `)robust combiner for collisionresistant hashfunctions is a construction which from ` hashfunctions constructs a hashfunction which is collisionresistant if at least k of the components are collisionresistant. One trivially gets a (k, `)robust combiner by concatenating the ou ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
Abstract. A (k, `)robust combiner for collisionresistant hashfunctions is a construction which from ` hashfunctions constructs a hashfunction which is collisionresistant if at least k of the components are collisionresistant. One trivially gets a (k, `)robust combiner by concatenating the output of any ` − k + 1 of the components, unfortunately this is not very practical as the length of the output of the combiner is quite large. We show that this is unavoidable as no blackbox (k, `)robust combiner whose output is significantly shorter than what can be achieved by concatenation exists. This answers a question of Boneh and Boyen (Crypto’06). 1
Robuster Combiners for Oblivious Transfer
"... Abstract. A(k; n)robust combiner for a primitive F takes as input n candidate implementations of F and constructs an implementation of F, which is secure assuming that at least k of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong ass ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
Abstract. A(k; n)robust combiner for a primitive F takes as input n candidate implementations of F and constructs an implementation of F, which is secure assuming that at least k of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong assumptions underlying the candidate schemes. In a recent work Harnik et al. (Eurocrypt 2005) have proposed a (2; 3)robust combiner for oblivious transfer (OT), and have shown that (1; 2)robust OTcombiners of a certain type are impossible. In this paper we propose new, generalized notions of combiners for twoparty primitives, which capture the fact that in many twoparty protocols the security of one of the parties is unconditional, or is based on an assumption independent of the assumption underlying the security of the other party. This finegrained approach results in OTcombiners strictly stronger than the constructions known before. In particular, we propose an OTcombiner which guarantees secure OT even when only one candidate is secure for both parties, and every remaining candidate is flawed for one of the parties. Furthermore, we present an efficient uniform OTcombiner, i.e., a single combiner which is secure simultaneously for a wide range of candidates ’ failures. Finally, our definition allows for a very simple impossibility result, which shows that the proposed OTcombiners achieve optimal robustness.
Cascade Encryption Revisited
"... Abstract. The security of cascade blockcipher encryption is an important and wellstudied problem in theoretical cryptography with practical implications. It is wellknown that double encryption improves the security only marginally, leaving triple encryption as the shortest reasonable cascade. In a ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Abstract. The security of cascade blockcipher encryption is an important and wellstudied problem in theoretical cryptography with practical implications. It is wellknown that double encryption improves the security only marginally, leaving triple encryption as the shortest reasonable cascade. In a recent paper, Bellare and Rogaway showed that in the ideal cipher model, triple encryption is significantly more secure than single and double encryption, stating the security of longer cascades as an open question. In this paper, we propose a new lemma on the indistinguishability of systems extending Maurer’s theory of random systems. In addition to being of independent interest, it allows us to compactly rephrase Bellare and Rogaway’s proof strategy in this framework, thus making the argument more abstract and hence easy to follow. As a result, this allows us to address the security of longer cascades as well as some errors in their paper. Our result implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit. This partially answers the open question mentioned above.
The MainintheMiddle Defence
 2006 International Workshop on Security Protocols
"... Abstract. Eliminating middlemen from security protocols helps less than one would think. EMV electronic payments, for example, can be made fairer by adding an electronic attorney – a middleman which mediates access to a customer’s card. We compare middlemen in crypto protocols and APIs with those in ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
Abstract. Eliminating middlemen from security protocols helps less than one would think. EMV electronic payments, for example, can be made fairer by adding an electronic attorney – a middleman which mediates access to a customer’s card. We compare middlemen in crypto protocols and APIs with those in the real world, and show that a maninthemiddle defence is helpful in many circumstances. We suggest that the middleman has been unfairly demonised. 1
MinEntropy as a Resource
"... Secrecy is fundamental to computer security, but real systems often cannot avoid leaking some secret information. For this reason, it is useful to model secrecy quantitatively, thinking of it as a “resource ” that may be gradually “consumed ” by a system. In this paper, we explore this intuition thr ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
(Show Context)
Secrecy is fundamental to computer security, but real systems often cannot avoid leaking some secret information. For this reason, it is useful to model secrecy quantitatively, thinking of it as a “resource ” that may be gradually “consumed ” by a system. In this paper, we explore this intuition through several dynamic and static models of secrecy consumption, ultimately focusing on (average) vulnerability and minentropy leakage as especially useful models of secrecy consumption. We also consider several composition operators that allow smaller systems to be combined into a larger system, and explore the extent to which the secrecy consumption of a combined system is constrained by the secrecy consumption of its constituents.
Monkey: BlackBox Symmetric Ciphers Designed for MONopolizing KEYs
 Fast Software Encryption 1998, Springer LNCS 1372
"... Abstract. We consider the problem of designing a blackbox symmetric cipher that leaks information subliminally and exclusively to the designer. We show how to construct a cipher which we call ‘Monkey’ that leaks one key bit per output block to the designer of the system (in any mode). This key bit ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract. We consider the problem of designing a blackbox symmetric cipher that leaks information subliminally and exclusively to the designer. We show how to construct a cipher which we call ‘Monkey’ that leaks one key bit per output block to the designer of the system (in any mode). This key bit is leaked only if a particular plaintext bit is known to the designer (known bit/message attack which is typically available in plain ASCII). The attack is of kleptographic nature as it gives a unique advantage to the designer while using strong (e.g., externally supplied) keys. The basic new difficulty with the design of spoofable block ciphers is that it is a deterministic function (previous attacks exploited randomness in key generation or message encryption/signature), and the fact that we do not want easy (statistical) observability of the spoofing (e.g., the variability of ciphertexts should be noticeable when keys change etc.). We distinguish between three entities: the designer, the reverseengineer and the user. We show a design methodology that assures that: (1) if the device is not reverseengineered, the attack is secure (namely, the cipher is good) and undetectable, (2) if the device is reverseengineered, then the reverseengineer learns at most one plaintext bit from every ciphertext (but no past/future keys), and (3) the designer learns one plaintext bit and one key bit from each ciphertext block (say in ECB mode). The method is therefore highly robust against reverseengineering. Key words: design methodologies for symmetric ciphers, secret cryptographic algorithms, spoofing, kleptographic attacks, trust, software vs. tamperproof hardware designs, tamperproof reverse engineering, public scrutiny. 1