Results 1-10 of 18
Efficient Trace and Revoke Schemes
Financial Cryptography, FC 2000, 2000
Cited by 65 (1 self)
Abstract: Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys so as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties and is secure against coalitions of up to t users. The performance of this scheme is more efficient than that of previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self enforcement properties. More precisely, how to construct schemes such that (1) each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), in order to make users reluctant to disclose their keys; (2) an illegal decryption device discloses the identity of users that contributed keys to construct the device; and (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.
Authenticated-Encryption with Associated-Data
In Proc. 9th CCS, 2002
Cited by 60 (18 self)
Keywords: associated-data problem, authenticated-encryption, block-cipher usage, key separation, modes of operation, OCB.
On cryptography with auxiliary input
2009
Cited by 33 (4 self)
Abstract: We study the question of designing cryptographic schemes which are secure even if an arbitrary function f(sk) of the secret key is leaked, as long as the secret key sk is still (exponentially) hard to compute from this auxiliary input. This setting of auxiliary input is more general than the more traditional setting, which assumes that some information about the secret key sk may be leaked, but sk still has high min-entropy left. In particular, we deal with situations where f(sk) information-theoretically determines the entire secret key sk. As our main result, we construct CPA/CCA secure symmetric encryption schemes that remain secure with exponentially hard-to-invert auxiliary input. We give several applications of such schemes.
• We construct an average-case obfuscator for the class of point functions, which remains secure with exponentially hard-to-invert auxiliary input, and is reusable.
• We construct a reusable and robust extractor that remains secure with exponentially hard-to-invert auxiliary input.
Our results rely on a new cryptographic assumption, Learning Subspace-with-Noise (LSN), which is related to the well known Learning Parity-with-Noise (LPN) assumption.
Universal Padding Schemes for RSA
Proc. Crypto'02, LNCS, 2002
Cited by 23 (1 self)
Abstract: A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, which gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows one to safely use the same RSA key pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.
Keywords: Probabilistic Signature Scheme, Provable Security.
Cryptographic agility and its relation to circular encryption
2010
Cited by 23 (4 self)
Abstract: We initiate a provable-security treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unrelated but challenging questions. The first, new to this paper, is whether wPRFs (weak-PRFs) are agile. The second, already posed several times in the literature, is whether every secure (IND-R) encryption scheme is secure when encrypting cycles. We resolve the second question in the negative and thereby the first as well. We go on to provide a comprehensive treatment of agility, with definitions for various different primitives. We explain the practical motivations for agility. We provide foundational results that show to what extent it is achievable and practical constructions to achieve it to the best extent possible. On the theoretical side our work uncovers new notions and relations and settles stated open questions, and on the practical side it serves to
RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures
2012
Cited by 19 (4 self)
Abstract: We provide a framework enabling the construction of IBE schemes that are secure under related-key attacks (RKAs). Specific instantiations of the framework yield RKA-secure IBE schemes for sets of related key derivation functions that are non-linear, thus overcoming a current barrier in RKA security. In particular, we obtain IBE schemes that are RKA secure for sets consisting of all affine functions and all polynomial functions of bounded degree. Based on this we obtain the first constructions of RKA-secure schemes for the same sets for the following primitives: CCA-secure public-key encryption, CCA-secure symmetric encryption and signatures. All our results are in the standard model and hold under reasonable hardness assumptions.
Key Length
Contribution to "The Handbook of Information Security", 2004
Cited by 10 (0 self)
Abstract: The key length used for a cryptographic protocol determines the highest security it can offer. If the key is found or 'broken', the security is undermined. Thus, key lengths must be chosen in accordance with the desired security. In practice, key lengths are mostly determined by standards, legacy system compatibility issues, and vendors. From a theoretical point of view, selecting key lengths is more involved. Understanding the relation between security and key lengths and the impact of anticipated and unexpected cryptanalytic progress requires insight into the design of the cryptographic methods and the mathematics involved in the attempts at breaking them. In this chapter practical and theoretical aspects of key size selection are discussed.
Versatile padding schemes for joint signature and encryption
In Proceedings of the Eleventh ACM Conference on Computer and Communications Security (CCS 2004), 2004
Cited by 9 (0 self)
Abstract: We propose several highly-practical and optimized constructions for joint signature and encryption primitives often referred to as signcryption. All our signcryption schemes, built directly from trapdoor permutations such as RSA, share features such as simplicity, efficiency, generality, near-optimal exact security, flexible and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, "backward" use for plain signature/encryption, long message and associated data support, the strongest-known qualitative security and, finally, complete compatibility with the PKCS#1 infrastructure. Similar to the design of plain RSA-based signature and encryption schemes, such as RSA-FDH and RSA-OAEP, our signcryption schemes are constructed by designing appropriate padding schemes suitable for use with trapdoor permutations. We build a general and flexible framework for the design and analysis of secure Feistel-based padding schemes, as well as three composition paradigms for using such paddings to build optimized signcryption schemes. To unify many secure padding options offered as special cases of our framework, we construct a single versatile padding scheme PSEP which, by simply adjusting the parameters, can work optimally with any of the three composition paradigms for either signature, encryption, or signcryption. We illustrate the utility of our signcryption schemes by applying them to build a secure key-exchange protocol, with performance results showing 3x–5x speedup compared to standard protocols.
The Fairness of Perfect Concurrent Signatures
Cited by 6 (0 self)
Abstract: In Eurocrypt 2004, Chen, Kudla and Paterson introduced the concept of concurrent signatures, which allow two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called a keystone). Once the keystone is publicly known, both signatures are bound to their true signers concurrently. In ICICS 2004, Susilo, Mu and Zhang further proposed perfect concurrent signatures to strengthen the ambiguity of concurrent signatures. That is, even if both signers are known to have issued one of the two ambiguous signatures, any third party is still unable to deduce who signed which signature, different from Chen et al.'s scheme. In this paper, we point out that Susilo et al.'s two perfect concurrent signature schemes are actually not concurrent signatures. Specifically, we identify an attack that enables the initial signer to release a carefully prepared keystone that binds the matching signer's signature, but not the initial signer's. Therefore, their schemes are unfair for the matching signer. Moreover, we present an effective way to avoid this attack so that the improved schemes are truly perfect concurrent signatures.
On the Joint Security of Encryption and Signature in EMV
Cited by 3 (1 self)
Abstract: We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key pair is used for both signature and encryption. We give a theoretical attack for EMV's current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV's CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder's PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key pair setting, and shown to be secure.