## Practice-Oriented Provable-Security (1997)

Venue: First International Workshop on Information Security (ISW97)

Citations: 41 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare97practice-orientedprovable-security,
  author    = {Mihir Bellare},
  title     = {Practice-Oriented Provable-Security},
  booktitle = {First International Workshop on Information Security (ISW97)},
  year      = {1997},
  pages     = {221--231},
  publisher = {Springer-Verlag}
}
```

### Abstract

This article is intended to provide some background and tell you about the bigger picture. ... the plaintext M to create a ciphertext C, which is transmitted to the receiver. The latter applies ...

### Citations

- Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. Bellare, Rogaway, 1993. (1425 citations)
  Citation context: ...nt enough for practice. This is true for example in the case of public key encryption or signatures. In such cases, we turn to the random oracle paradigm. The random oracle paradigm was introduced in [9] as a bridge between theory and practice. The idea is a simple one: namely, provide all parties ---good and bad alike--- with access to a (public) function h; prove correct a protocol assuming h is tr...

- Probabilistic encryption. Goldwasser, Micali, 1984. (1241 citations)
  Citation context: ... in such a way that protocols can "inherit" this strength, not lose it! 2.2 Provable security: Reductions The idea of provable security was introduced in the pioneering work of Goldwasser and Micali [18]. They developed it in the particular context of asymmetric encryption, but it soon spread to be applied to other tasks. (Of these, the most basic were pseudorandomness [14, 28, 17] and digital signat...

- A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. Goldwasser, Micali, Rivest, 1988. (869 citations)
  Citation context: ...y developed it in the particular context of asymmetric encryption, but it soon spread to be applied to other tasks. (Of these, the most basic were pseudorandomness [14, 28, 17] and digital signatures [19]). What is provable security? The paradigm is as follows. Take some goal, like achieving privacy via encryption. The first step is to make a formal adversarial model and define what it means for an en...

- How to construct random functions. Goldreich, Goldwasser, et al., 1986. (665 citations)
  Citation context: ...k of Goldwasser and Micali [18]. They developed it in the particular context of asymmetric encryption, but it soon spread to be applied to other tasks. (Of these, the most basic were pseudorandomness [14, 28, 17] and digital signatures [19]). What is provable security? The paradigm is as follows. Take some goal, like achieving privacy via encryption. The first step is to make a formal adversarial model and de...

- How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. Blum, Micali, 1984. (623 citations)
  Citation context: ...k of Goldwasser and Micali [18]. They developed it in the particular context of asymmetric encryption, but it soon spread to be applied to other tasks. (Of these, the most basic were pseudorandomness [14, 28, 17] and digital signatures [19]). What is provable security? The paradigm is as follows. Take some goal, like achieving privacy via encryption. The first step is to make a formal adversarial model and de...

- Theory and applications of trapdoor functions. Yao, 1982. (529 citations)
  Citation context: ...k of Goldwasser and Micali [18]. They developed it in the particular context of asymmetric encryption, but it soon spread to be applied to other tasks. (Of these, the most basic were pseudorandomness [14, 28, 17] and digital signatures [19]). What is provable security? The paradigm is as follows. Take some goal, like achieving privacy via encryption. The first step is to make a formal adversarial model and de...

- Entity authentication and key distribution. Bellare, Rogaway, 1994. (496 citations)
  Citation context: ...n an academic complaint: it is an area in which an informal approach has often led to work which has subsequently been found to be wrong, and in some cases the flaws have taken years to discover. In [8] we address the two party setting of the problem. It achieves provable security by providing a model, definitions, protocols, and proofs of correctness for these protocols under standard assumptions. ...

- A Concrete Security Treatment of Symmetric Encryption. Bellare, Desai, et al., 1997. (375 citations)
  Citation context: ...://www-cse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR-9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. 1 The bulk of my talk was about the material in [5]. This article is intended to provide some background and tell you about the bigger picture. the plaintext M to create a ciphertext C, which is transmitted to the receiver. The latter applies D, which...

- The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. Bellare, Rogaway, 1996. (352 citations)
  Citation context: ...e underlying atomic primitive, and this means slower protocols. If the reduction is strong, shorter keys will suffice and the protocol is more efficient. Reduction quality plays a significant role in [7, 6, 10, 12, 4, 5] all of which achieve tight or close to tight reductions. We found that improving the concrete security was a rich and rewarding line of work, and thinking about it greatly increases understanding of ...

- How to construct pseudorandom permutations from pseudorandom functions. Luby, Rackoff, 1988. (303 citations)
  Citation context: ... our analyses of the CBC MAC [7] and analyses of various modes of operation of a block cipher [5]. In the second category are constructions like the XOR MAC [6] or the cascade [4]. 2 Luby and Rackoff [21] studied the Feistel structure behind DES, but what I am talking about is to look at protocols that use DES and ask about their security. 3 Typically the gap relative to what is desirable in practice ...

- Provably secure session key distribution: the three party case. Bellare, Rogaway, 1995. (219 citations)
  Citation context: ...s first addressed by Needham and Schroeder in 1978. Its most popular incarnation is the Kerberos system. However this system, and existing solutions, suffer from the same problems discussed above. In [11] we provide provably secure protocols for the three party session key distribution problem. All our protocols are efficient and practical, viable alternatives to current systems. Some have been implem...

- Optimal Asymmetric Encryption – How to Encrypt with RSA. Bellare, Rogaway, 1995. (216 citations)
  Citation context: ...e underlying atomic primitive, and this means slower protocols. If the reduction is strong, shorter keys will suffice and the protocol is more efficient. Reduction quality plays a significant role in [7, 6, 10, 12, 4, 5] all of which achieve tight or close to tight reductions. We found that improving the concrete security was a rich and rewarding line of work, and thinking about it greatly increases understanding of ...

- The security of cipher block chaining. Bellare, Kilian, et al., 1994. (157 citations)
  Citation context: ...dy this by appropriate paradigm shifts. 3 Practice-oriented provable security Practice-oriented provable security as I discuss it was introduced in a set of papers authored by myself and Phil Rogaway [8, 7, 6]. We preserve and focus on the two central ideas of the provable security approach: the introduction of notions, or definitions that enable us to think about protocols and atomic primitives in a syste...

- XOR MACs: new methods for message authentication using block ciphers. Bellare, Guérin, et al., 1995. (129 citations)

- RIPEMD-160, a strengthened version of RIPEMD. Fast Software Encryption. Dobbertin, Bosselaers, et al., 1996. (121 citations)
  Citation context: ...ocol assuming h is truly random, i.e. a random oracle; later, in practice, set h to some specific function derived in some way from a standard cryptographic hash function like SHA-1 [23] or RIPEMD-160 [15]. We used the random oracle paradigm most importantly to design OAEP [10] and PSS [12]. These are schemes for (public key) encryption and signature (respectively) based on RSA. They are as efficient a...

- Pseudorandom functions revisited: The cascade construction and its concrete security. Proc. 37th Annual Symposium on the Foundations of Computer Science. Bellare, Canetti, et al., 1997. (96 citations)
  Citation context: ...n the first category are our analyses of the CBC MAC [7] and analyses of various modes of operation of a block cipher [5]. In the second category are constructions like the XOR MAC [6] or the cascade [4]. 2 Luby and Rackoff [21] studied the Feistel structure behind DES, but what I am talking about is to look at protocols that use DES and ask about their security. 3 Typically the gap relative to what ...

- A new paradigm for collision-free hashing: Incrementality at reduced cost. Bellare, Micciancio, 1997. (85 citations)
  Citation context: ...9] as a "bridge between theory and practice." Since we introduced this model, it has been used in other places, for example in the design and analysis of signature schemes [24, 25] and hash functions [13]. 3.5 New notions: session key distribution "Entity authentication" is the process by which a party gains confidence in the identity of a communication partner. It is usually coupled with the distribu...

- Provably secure blind signature schemes. Pointcheval, Stern, 1996. (70 citations)
  Citation context: ... oracle model is viewed in [9] as a "bridge between theory and practice." Since we introduced this model, it has been used in other places, for example in the design and analysis of signature schemes [24, 25] and hash functions [13]. 3.5 New notions: session key distribution "Entity authentication" is the process by which a party gains confidence in the identity of a communication partner. It is usually c...

- American National Standard for Information Systems - Data Encryption Algorithm - Modes of Operation. ANSI X3.106, 1983. (48 citations)
  Citation context: ...on block ciphers: only number-theoretic atomic primitives were deemed adequate as a basis for protocol design. In particular some of the world's most used protocols, such as CBC MAC [1] or encryption [22, 2], seemed to be viewed as outside the domain of provable security. 2 The main generic disadvantage of the schemes delivered by the traditional provable security approach is that they are inefficient. 3...

- Session key distribution using smart cards. Shoup, Rubin, 1996. (43 citations)
  Citation context: ...All our protocols are efficient and practical, viable alternatives to current systems. Some have been implemented. Our models have been used to study related key distribution problems, for example in [27]. 4 Symmetric encryption The above has discussed provable security and its practice oriented variant in a general way. Here I would like to illustrate the ideas by looking in more depth at a central p...

- On the foundations of modern cryptography. Goldreich, 1997. (24 citations)
  Citation context: ...up with definitions for many central cryptographic primitives, and constructions based on "minimal assumptions." For a brief introduction to this body of work, refer to the recent survey by Goldreich [16]. In practice? The potential for the idea of provable security to impact practice is large. Yet its actual impact had been disappointingly small, in the sense that these ideas were reflected almost no...

- Security of proofs for signatures. Pointcheval, Stern, 1996. (22 citations)
  Citation context: ... oracle model is viewed in [9] as a "bridge between theory and practice." Since we introduced this model, it has been used in other places, for example in the design and analysis of signature schemes [24, 25] and hash functions [13]. 3.5 New notions: session key distribution "Entity authentication" is the process by which a party gains confidence in the identity of a communication partner. It is usually c...

- American National Standard for Financial Institution Message Authentication (Wholesale). ANSI X9.9, 1981. (17 citations)
  Citation context: ... of schemes based on block ciphers: only number-theoretic atomic primitives were deemed adequate as a basis for protocol design. In particular some of the world's most used protocols, such as CBC MAC [1] or encryption [22, 2], seemed to be viewed as outside the domain of provable security. 2 The main generic disadvantage of the schemes delivered by the traditional provable security approach is that t...

- MD-x MAC and building fast MACs from hash functions. Preneel, van Oorschot, 1995. (12 citations)
  Citation context: ...n the two meet, we have completely characterized the security of the protocol. For example, the security of the CBC MAC shown in [7] is the flip-side of attacks like those of Preneel and Van Oorschot [26]. (The latter say that the CBC MAC can be broken once $2^{l/2}$ messages have been MACed, where l is the block length of the underlying cipher. We say, roughly, that it can't be broken when fewer than thi...

- Information processing - Modes of operation for a 64-bit block cipher algorithm. International Organization for Standardization (ISO), 1987. (8 citations)