## ACE: The Advanced Cryptographic Engine (2000)

Venue: | Revised, August |

Citations: | 3 - 1 self |

### BibTeX

@TECHREPORT{Schweinberger00ace:the,

author = {Thomas Schweinberger and Victor Shoup},

title = {ACE: The Advanced Cryptographic Engine},

institution = {Revised, August},

year = {2000}

}

### OpenURL

### Abstract

This document describes the Advanced Cryptographic Engine (ACE). It specifies a public key encryption scheme as well as a digital signature scheme with enough detail to ensure interoperability between different implementations. These schemes are almost as efficient as commercially used schemes, yet unlike such schemes, can be proven secure under reasonable and well-defined intractability assumptions. A concrete security analysis of both schemes is presented.

### Citations

2714 | New directions in cryptography, in
- Diffie, Hellman
(Show Context)
Citation Context .... 2.5 The Computational and Decisional Diffie-Hellman assumption Let G be a group of large prime order q and let g ∈ G be a generator. The Computational Diffie-Hellman (CDH) assumption, introduced b=-=y [DH76]-=-, is the assumption that computing g xy from g x and g y is hard. It is a widely held belief that the security of certain key exchange protocols (such as STS [DvOW92]) is implied by the CDH assumption... |

2466 | S.: Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
(Show Context)
Citation Context ...Also note that in step 2.4 of Algorithm 4.4.1, the quantity c r d ar rem P can be computed faster than two exponentiations, also using standard algorithmic techniques. We refer the reader to §14.6 of=-= [MvOV97]-=- for these algorithmic details. Timing information Note that in step 2.2 in algorithm Algorithm 4.5.1, we set reject to 1, and delay returning from the function until later. We do this to prevent timi... |

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ... that contains a random function which can only be evaluated by making an explicit query. This “random oracle” model for security analysis was informally introduced by [FS87], and later formalized=-= by [BR93]. -=-It has been used to analyze numerous cryptographic systems (see, e.g., [BR94] and [PS96]). However, we must emphasize that making use of random oracles is not just another assumption—a cryptographic... |

1178 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ... hard to recover, and (2) the requirement that individual ciphertexts should be hard to decrypt. The first step towards a workable definition was the formulation of the notion of semantic security by =-=[GM84]-=-. This definition of security captures the notion that a ciphertext 3sleaks no information about the corresponding cleartext to a (computationally bounded) eavesdropper. We sketch this definition in m... |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...me, and not, say, an expected value. 2.3 Secure digital signatures The notion of security we want is that of security against existential forgery against adaptive chosen message attack, as defined in =-=[GMR88]-=-. This is the strongest, and most useful notion of security, allowing a signature scheme to be used in an arbitrary application without restrictions. Briefly, security in this sense means that it is i... |

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...ndom oracle, i.e., a “black box” that contains a random function which can only be evaluated by making an explicit query. This “random oracle” model for security analysis was informally introd=-=uced by [FS87]-=-, and later formalized by [BR93]. It has been used to analyze numerous cryptographic systems (see, e.g., [BR94] and [PS96]). However, we must emphasize that making use of random oracles is not just an... |

664 | Differential power analysis
- Kocher, Jaffe, et al.
- 1999
(Show Context)
Citation Context ...ntation prevents an adversary from 29spotentially taking advantage of some “crude” timing information, we make absolutely no claims about its security against timing attacks [Koc96] or power analy=-=sis [KJJ99]-=- in general. Early detection of a corrupted ciphertext Note that when encrypting the actual payload, we use a symmetric cipher with an authentication code. The cryptogram is broken up into 1024-byte b... |

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
(Show Context)
Citation Context ...emes, yet unlike such schemes, can be proven secure under reasonable and well-defined intractability assumptions. The schemes implemented are particular variants of the Cramer-Shoup encryption scheme =-=[CS98]-=- and the Cramer-Shoup signature scheme [CS99]. These variants have been finely tuned to strike a good balance between efficiency and security. The papers [CS98] and [CS99], as well as the related back... |

450 | Non-Malleable Cryptography - Dolev, Dwork, et al. - 2000 |

414 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996
(Show Context)
Citation Context ...thm. Although this implementation prevents an adversary from 29spotentially taking advantage of some “crude” timing information, we make absolutely no claims about its security against timing atta=-=cks [Koc96]-=- or power analysis [KJJ99] in general. Early detection of a corrupted ciphertext Note that when encrypting the actual payload, we use a symmetric cipher with an authentication code. The cryptogram is ... |

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1992 |

313 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ... appears not to be so well known, and is described in detail in the full-length version of [CS99]. 2.7 SHA-1 second preimage collision resistance The notion of a UOWHF was introduced by Naor and Yung =-=[NY89]-=-. A UOWHF is a keyed hash function with the following property: if an adversary chooses a message x, and then a key K is chosen at random and given to the adversary, it is hard for he adversary to fin... |

264 | Authentication and authenticated key exchanges
- DIFFIE, OORSCHOT, et al.
- 1992
(Show Context)
Citation Context ...man (CDH) assumption, introduced by [DH76], is the assumption that computing g xy from g x and g y is hard. It is a widely held belief that the security of certain key exchange protocols (such as STS =-=[DvOW92]) is-=- implied by the CDH assumption. This is simply false—under any reasonable definition of security—except in the random oracle model of security analysis. What is almost always needed, but often not... |

252 | Public-Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks - Naor, Yung - 1990 |

248 |
New directions in cryptography
- e, Hellman
- 1976
(Show Context)
Citation Context ...detail. 2.5 The Computational and Decisional Die-Hellman assumption Let G be a group of large prime order q and let g 2 G be a generator. The Computational Die-Hellman (CDH) assumption, introduced by =-=[DH76]-=-, is the assumption that computing g xy from g x and g y is hard. It is a widely held belief that the security of certain key exchange protocols (such as STS [DvOW92]) is implied by the CDH assumption... |

238 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ...cit query. This “random oracle” model for security analysis was informally introduced by [FS87], and later formalized by [BR93]. It has been used to analyze numerous cryptographic systems (see, e.=-=g., [BR94] a-=-nd [PS96]). However, we must emphasize that making use of random oracles is not just another assumption—a cryptographic hash function is not, and never can be, a random oracle. It is entirely possib... |

237 | Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1
- Bleichenbacher
- 1998
(Show Context)
Citation Context ...ken via a “shortcut”—that is, without solving the underlying “hard” problem. One of the more spectacular such examples is Bleichenbacher’s chosen ciphertext attack on RSA’s encryption sc=-=heme, PKCS #1 [Ble98]. E-=-ven though the underlying encryption scheme is based on the RSA problem (see §2.6), Bleichenbacher’s attack cleverly breaks the scheme without solving this problem. This attack rendered insecure th... |

209 | Security proofs for signature schemes
- Pointcheval, Stern
- 1996
(Show Context)
Citation Context ...This “random oracle” model for security analysis was informally introduced by [FS87], and later formalized by [BR93]. It has been used to analyze numerous cryptographic systems (see, e.g., [BR94] =-=and [PS96]).-=- However, we must emphasize that making use of random oracles is not just another assumption—a cryptographic hash function is not, and never can be, a random oracle. It is entirely possible that a c... |

196 | The decision Diffie-Hellman problem - Boneh - 1998 |

183 | How to recycle random bits
- Impagliazzo, Zuckerman
- 1989
(Show Context)
Citation Context ... the decryption oracle is presented with a ciphertext ψ with π = π ′ , it uses the same random key k ′ . By the Entropy Smoothing Theorem (a.k.a., the Leftover Hash Lemma; see Chapter 8 of [Lub=-=96] or [IZ89]), and the fact that ( �-=-� h ′ 1 , ˜ h ′ 2 ) is chosen at random from a set of size at least 2a , where a = 2 × 255 = 256 + 2 × 127, we have � � � � � Pr[S5] − Pr[S4] � ≤ 2 . (13) 2128 Game G6. In the n... |

163 | Collision-free accumulators and fail-stop signature schemes without trees
- Barić, Pfitzmann
- 1997
(Show Context)
Citation Context ...ption than the RSA assumption, but at the present time, the only known method for breaking either assumption is to solve the integer factorization problem. The strong RSA assumption was introduced in =-=[BP97]-=-, and has subsequently been used in the analysis of several cryptographic schemes (see, e.g., [FO99, GHR99]). Concrete security analysis We define AdvRSA(t) to be the maximum over all algorithms that ... |

150 | Signature schemes based on the strong RSA assumption
- Cramer, Shoup
- 1999
(Show Context)
Citation Context ...n be adapted to this somewhat richer attack scenario—we leave the details to the interested reader. 5 Signature Scheme In this section, we describe the signature scheme, which is a variant of that i=-=n [CS99]. 5.-=-1 Signature Key Pair The signature scheme defined in this document employs two key types, whose representation consists of the following tuples: ACE Signature public key: (N, h, x, e ′ , k ′ , s).... |

149 |
Pseudorandomness and Cryptographic Applications
- Luby
- 1996
(Show Context)
Citation Context ... Also, when the decryption oracle is presented with a ciphertext ψ with π = π ′ , it uses the same random key k ′ . By the Entropy Smoothing Theorem (a.k.a., the Leftover Hash Lemma; see Chapte=-=r 8 of [Lub96] or [IZ89]), and the fac-=-t that ( ˜ h ′ 1 , ˜ h ′ 2 ) is chosen at random from a set of size at least 2a , where a = 2 × 255 = 256 + 2 × 127, we have � � � � � Pr[S5] − Pr[S4] � ≤ 2 . (13) 2128 Game G6... |

149 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
(Show Context)
Citation Context ...), random g1, g2 ∈ G\{1}; x ∈ Zq are computationally indistinguishable under the DDH assumption. This random selfreducibility property was first observed by Stadler [Sta96] (and also independently=-= in [NR97]). 7-=-sConcrete security analysis In order to facilitate concrete security analysis, we define AdvDDH(t) to be the maximum over all statistical tests T that run in time at most t and output 0, 1 of � � ... |

136 | An efficient off-line electronic cash system based on the representation problem
- Brands
- 1993
(Show Context)
Citation Context ... only known method for breaking either assumption is to solve the Discrete Logarithm problem. The DDH assumption appears to have first surfaced in the cryptographic literature in a paper by S. Brands =-=[Bra93]-=-. See [Bon98, CS98, NR97, Sta96] for further applications of and discussions about the DDH assumption. The groups G that are used in ACE are prime-order subgroups of the multiplicative group of units ... |

132 | Statistical Zero Knowledge Protocols to Prove Modular - Fujisaki, Okamoto - 1997 |

121 | Secure hash-and-sign signatures without the random oracle - Gennaro, Halevi, et al. - 1999 |

119 | Publicly verifiable secret sharing
- Stadler
- 1996
(Show Context)
Citation Context ...y ∈ Zq, D : (g1, g2, g x 1 , g x 2 ), random g1, g2 ∈ G\{1}; x ∈ Zq are computationally indistinguishable under the DDH assumption. This random selfreducibility property was first observed by St=-=adler [Sta96]-=- (and also independently in [NR97]). 7sConcrete security analysis In order to facilitate concrete security analysis, we define AdvDDH(t) to be the maximum over all statistical tests T that run in time... |

118 |
LFSR based hashing and authentication
- Krawczyk
- 1994
(Show Context)
Citation Context ...tion of Lemma 4.10.1 yields � � � Pr[Y (3) ] − Pr[Y (2) � � ] � ≤ AdvSHA(O(t)) · ⌈l/64⌉. (19) Finally, using standard arguments for message authentication codes based on universal=-= hashing (see, e.g., [Kra94]), -=-one sees that Pr[Y (3) ] ≤ κ . (20) 2128 Inequality (14) now follows directly from in inequalities (16), (17), (18), (19), and (20). Game G7. In the final transformation, game G7, we simply modify ... |

104 | Public-key encryption in a multi-user setting: Security proofs and improvements
- Bellare, Boldyreva, et al.
- 2000
(Show Context)
Citation Context ... is well known that they are essentially equivalent to just about any reasonable generalization one might consider in a multi-user/multi-message environment. For a detailed account of this issue, see =-=[BBM00]-=-. view. 1 A user might encrypt a zero length message, but this is not interesting from a security point of 4sConcrete security analysis In this document, we want to carry out a concrete (or exact) exa... |

96 | Collision free hash functions and public key signature schemes - Damgard - 1988 |

89 | How to Protect DES Against Exhaustive Key Search
- Kilian, Rogaway
- 1996
(Show Context)
Citation Context ... oracle model, our signature scheme can be proved secure under the RSA assumption, instead of the strong RSA assumption. Actually, to be a bit more precise, we need to use the ideal cipher model (see =-=[KR96]-=-), which is a closely related, but slightly different model of analysis. This is discussed in [CS99]. 6 ASN.1 Key Syntax For applications that use ASN.1 descriptions, like for example X.509 or PKCS#8 ... |

75 | The Status of MD5 After a Recent Attack - Dobbertin - 1996 |

72 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions
- Simon
- 1998
(Show Context)
Citation Context ...building digital signature schemes, a UOWHF is sufficient. As evidence for claim (1), we point out the recent attacks on MD5 [dBB93, Dob96]. We also point out the complexity-theoretic result of Simon =-=[Sim98]-=- that shows that there exists an oracle relative to which UOWHFs exist but CRHFs do not. CRHFs can be constructed based on the hardness of specific number-theoretic problems, like the discrete logarit... |

67 | Using Hash function s as a hedge against chosen ciphertext attack
- Shoup
- 2000
(Show Context)
Citation Context ...acles As we have already mentioned in §2.4, in the random oracle model, one can replace the DDH assumption by the potentially weaker CDH assumption. The security analysis in this case can be found in=-= [Sho00b]-=-. We do not carry out a concrete security analysis in this case, but we note that the reduction in this case is not very efficient. But since the random oracle model is anyway a heuristic, we do not v... |

55 | Collisions for the Compression function of MD5 - Boer, Bosselaers - 1995 |

53 | Rogaway: “DHAES: an encryption scheme based on the Diffie-Hellman problem”, preprint
- Abdalla, Bellare, et al.
- 1999
(Show Context)
Citation Context ... nice way. As one can see, by our standards, this is not a reasonable intractability assumption—it is really just a proof of security against a restricted class of adversaries. As another example, i=-=n [ABR98]-=-, the authors make intractability assumptions that are interactive; indeed, these intractability assumptions amount to little more than a restatement of the definition of security in terms of the part... |

48 | Fast construction of irreducible polynomials over finite fields
- Shoup
- 1994
(Show Context)
Citation Context ...i=1 ei. Given w ∈ {0, . . . , N − 1}, we have to compute wE/ei rem N for 1 ≤ i ≤ κ. Naively, one could do this in time O(Teκ2 ). However, using a simple divide-and-conquer algorithm (see, e.=-=g., §6 of [Sho94]),-=- one can do this in time O(Teκ log κ). The theorem now follows from (24), (28), (30), and (31). 40s5.9 Further discussion and implementation notes Optimizations In Algorithm 5.4.1, the exponentiatio... |

48 |
Authentication and authenticated key exchanges
- e, Oorschot, et al.
- 1992
(Show Context)
Citation Context ...man (CDH) assumption, introduced by [DH76], is the assumption that computing g xy from g x and g y is hard. It is a widely held belief that the security of certain key exchange protocols (such as STS =-=[DvOW92-=-]) is implied by the CDH assumption. This is simply false|under any reasonable denition of security|except in the random oracle model of security analysis. What is almost always needed, but often not ... |

45 | A Composition Theorem for Universal One-Way Hash Functions
- Shoup
- 2000
(Show Context)
Citation Context ...r-Shoup signature scheme [CS99]. These variants have been finely tuned to strike a good balance between efficiency and security. The papers [CS98] and [CS99], as well as the related background papers =-=[Sho00a]-=-, [Sho00b], and also [Sho98] are available on line at the following URL: http://www.zurich.ibm.com/Technology/Security/extern/ace In this document, we specify these schemes with enough detail to ensur... |

38 | Abstract Cryptography
- Maurer, Renner
(Show Context)
Citation Context ...oblems, the solutions are generally quite impractical, and require a very special set of physical assumptions. Wr refer the reader to Maurer’s survey on this area of informationtheoretic cryptograph=-=y [Mau99]-=-. 1sThe next most ambitious goal for proving security would be to prove that a scheme can not be broken without the use of an inordinate amount of computing resources. Unfortunately, given the current... |

38 | The Decision Die-Hellman Problem - Boneh - 1998 |

36 |
Reingold.Number-theoretic construc-tions of efficient pseudo-random functions
- Naor, O
- 2004
(Show Context)
Citation Context ... random g 1 ; g 2 2 Gnf1g; x 2 Z q are computationally indistinguishable under the DDH assumption. This random selfreducibility property wassrst observed by Stadler [Sta96] (and also independently in =-=[NR97-=-]). 7 Concrete security analysis In order to facilitate concrete security analysis, we dene AdvDDH(t) to be the maximum over all statistical tests T that run in time at most t and output 0; 1 ofsPr[T ... |

33 | a candidate cipher for AES - Burwick, Coppersmith, et al. - 1998 |

33 |
Average case error estimates for the strong probable prime test
- Landrock, Pomerance
(Show Context)
Citation Context ... random numbers and apply an iterated Miller-Rabin test. To get a small error probability, one must iterate the Miller-Rabin test sufficiently many times. For this purpose, one can use the results in =-=[DLP93]. -=-Once q has been generated, we can iteratively choose P at random of the desired length, subject to P ≡ 1 (mod q), and apply an iterated Miller-Rabin test to P . Note that the results in [DLP93] are ... |

29 | Why Chosen Ciphertext Security Matters
- Shoup
- 1998
(Show Context)
Citation Context ...9]. These variants have been finely tuned to strike a good balance between efficiency and security. The papers [CS98] and [CS99], as well as the related background papers [Sho00a], [Sho00b], and also =-=[Sho98]-=- are available on line at the following URL: http://www.zurich.ibm.com/Technology/Security/extern/ace In this document, we specify these schemes with enough detail to ensure interoperability between d... |

29 |
Timing Attacks on Implementations of Di e-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996
(Show Context)
Citation Context ...thm. Although this implementation prevents an adversary from 29 potentially taking advantage of some \crude" timing information, we make absolutely no claims about its security against timing att=-=acks [Koc96]-=- or power analysis [KJJ99] in general. Early detection of a corrupted ciphertext Note that when encrypting the actual payload, we use a symmetric cipher with an authentication code. The cryptogram is ... |

23 | Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks
- Zheng, Seberry
- 1992
(Show Context)
Citation Context ...me discussing what we believe constitutes a “reasonable and natural” intractability assumption is that some researchers apparently have a much more liberal interpretation of the term. For example,=-= in [ZS92]-=-, the authors prove the security of an encryption scheme based on an assumption of the form: an arbitrary adversary can be replaced by an essentially equivalent adversary that behaves in a certain nic... |

22 | On RSA padding - Coron, Naccache, et al. |

22 |
An Ecient O-line Electronic Cash Systems Based on the Representation Problem," C.W.I
- Brands
- 1993
(Show Context)
Citation Context ...he only known method for breaking either assumption is to solve the Discrete Logarithm problem. The DDH assumption appears to havesrst surfaced in the cryptographic literature in a paper by S. Brands =-=[Bra93]-=-. See [Bon98, CS98, NR97, Sta96] for further applications of and discussions about the DDH assumption. The groups G that are used in ACE are prime-order subgroups of the multiplicative group of units ... |