Results 1 - 10 of 68
A Concrete Security Treatment of Symmetric Encryption
Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997
Cited by 423 (64 self)
Abstract
We study notions and schemes for symmetric (i.e. private-key) encryption in a concrete security framework. We give four different notions of security against chosen plaintext attack and analyze the concrete complexity of reductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning
Analysis of key-exchange protocols and their use for building secure channels
2001
Cited by 328 (21 self)
Abstract
We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Cited by 281 (25 self)
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption
2001
Cited by 204 (24 self)
Abstract
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0,1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards.
Author affiliations: Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA, and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand (rogaway@cs.ucdavis.edu, www.cs.ucdavis.edu/~rogaway); Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA (mihir@cs.ucsd.edu, www-cse.ucsd.edu/users/mihir); Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA (jrb@cs.unr.edu, www.cs.unr.edu/~jrb); Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA (tdk@acm.org).
The order of encryption and authentication for protecting communications (or: How Secure is SSL?)
2001
Cited by 154 (7 self)
Abstract
We study the question of how to generically compose symmetric encryption and authentication when building "secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that XORs the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
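A runnable illustration of the abstract's central claim, added here as an example and not code from the paper. The encryption is perfectly secret (a one-time pad over an encoded plaintext), the MAC is a secure HMAC, yet authenticate-then-encrypt leaks every plaintext bit to an active attacker who can only observe whether the receiver accepts or rejects, while encrypt-then-authenticate built from the same two components rejects every forgery. The encoding used (bit 0 becomes 00, bit 1 becomes 01 or 10 at random, 11 is a decoding error) is a reconstruction of the kind of malleable-but-perfectly-secret encryption the abstract alludes to; it, HMAC-SHA256 as the MAC, the bit-level one-time pad and the sample secret are assumptions of this example, not the paper's exact construction.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output, in bytes


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


# Assumed encoding (reconstruction, not the paper's text): 0 -> 00, 1 -> 01 or 10 chosen
# at random, 11 is invalid. Under a one-time pad this still has perfect secrecy.
def encode(bits):
    out = []
    for b in bits:
        out += [0, 0] if b == 0 else ([0, 1] if secrets.randbelow(2) else [1, 0])
    return out


def decode(pairs):
    bits = []
    for i in range(0, len(pairs), 2):
        pair = (pairs[i], pairs[i + 1])
        if pair == (0, 0):
            bits.append(0)
        elif pair in ((0, 1), (1, 0)):
            bits.append(1)
        else:
            raise ValueError("decoding error")  # the receiver rejects the record
    return bits


def xor_pad(bits, pad):
    return [b ^ p for b, p in zip(bits, pad)]


# Authenticate-then-encrypt: MAC the plaintext, encode (plaintext || tag), XOR with the pad.
def ate_encrypt(mac_key, pad, msg):
    return xor_pad(encode(bytes_to_bits(msg + mac(mac_key, msg))), pad)


def ate_decrypt(mac_key, pad, ct):
    payload = bits_to_bytes(decode(xor_pad(ct, pad)))
    msg, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, msg)):
        raise ValueError("bad tag")
    return msg


# Active attack on ATE: flip both ciphertext bits of pair i. If plaintext bit i is 1 the pair
# 01/10 turns into 10/01, still decodes to 1, the tag still verifies and the receiver accepts.
# If the bit is 0 the pair 00 turns into 11 and the receiver rejects. Accept/reject is the leak.
def ate_attack(ct, msg_len_bytes, oracle):
    recovered = []
    for i in range(msg_len_bytes * 8):
        forged = list(ct)
        forged[2 * i] ^= 1
        forged[2 * i + 1] ^= 1
        try:
            oracle(forged)
            recovered.append(1)
        except ValueError:
            recovered.append(0)
    return bits_to_bytes(recovered)


# Encrypt-then-authenticate with the same MAC and pad: MAC the ciphertext, verify first.
def eta_encrypt(mac_key, pad, msg):
    ct = xor_pad(bytes_to_bits(msg), pad)
    return ct + bytes_to_bits(mac(mac_key, bits_to_bytes(ct)))


def eta_decrypt(mac_key, pad, ct):
    body, tag = ct[:-8 * TAG_LEN], bits_to_bytes(ct[-8 * TAG_LEN:])
    if not hmac.compare_digest(tag, mac(mac_key, bits_to_bytes(body))):
        raise ValueError("bad tag")
    return bits_to_bytes(xor_pad(body, pad))


# The same single-bit tampering against ETA: every modified record is rejected before
# decryption, so the attacker learns nothing from the accept/reject channel.
def eta_attack_rejected_everywhere(ct, msg_len_bytes, oracle):
    for i in range(msg_len_bytes * 8):
        forged = list(ct)
        forged[i] ^= 1
        try:
            oracle(forged)
            return False
        except ValueError:
            pass
    return True


def demo(msg=b"pw:hunter2"):  # constructed sample secret
    mac_key = secrets.token_bytes(32)
    ate_pad = [secrets.randbelow(2) for _ in range(2 * 8 * (len(msg) + TAG_LEN))]
    stolen = ate_attack(ate_encrypt(mac_key, ate_pad, msg), len(msg),
                        lambda c: ate_decrypt(mac_key, ate_pad, c))
    eta_pad = [secrets.randbelow(2) for _ in range(8 * len(msg))]
    safe = eta_attack_rejected_everywhere(eta_encrypt(mac_key, eta_pad, msg), len(msg),
                                          lambda c: eta_decrypt(mac_key, eta_pad, c))
    return stolen, safe
```

`demo()` returns the recovered secret together with `True` for the encrypt-then-authenticate side. The point the abstract makes is visible in the code: the MAC in the ATE construction is sound and the pad gives perfect secrecy, but the decision to decrypt before verifying turns the receiver's error behaviour into a one-bit oracle on the plaintext; with CBC or a plain stream cipher (no such encoding) the abstract's positive result applies and this specific leak does not arise.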
Efficient and Non-Interactive Non-Malleable Commitment
2001
Cited by 69 (9 self)
Abstract
We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are non-interactive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, non-interactive commitment scheme (based on general assumptions) that is perfectly binding.
Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization
1999
Cited by 58 (8 self)
Keywords: asymmetric encryption, non-malleability, indistinguishability, equivalence between notions, semantic security.
Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation
In FSE '00, 2000
Cited by 45 (3 self)
Abstract
We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit block size), it has highly parallelizable encryption and decryption operations.
Provably-secure time-bound hierarchical key assignment schemes
In ACM Conference on Computer and Communications Security (CCS '06), 2006
Cited by 36 (4 self)
Abstract
A time-bound hierarchical key assignment scheme is a method to assign time-dependent encryption keys to a set of classes in a partially ordered hierarchy, in such a way that each class can compute the keys of all classes lower down in the hierarchy, according to temporal constraints. In this paper we design and analyze time-bound hierarchical key assignment schemes which are provably-secure and efficient. We consider both the unconditionally secure and the computationally secure settings and distinguish between two different goals: security with respect to key indistinguishability and against key recovery.
* We first present definitions of security with respect to both goals in the unconditionally secure setting and we show tight lower bounds on the size of the private information distributed to each class.
* Then, we consider the computational setting and we further distinguish security against static and adaptive adversarial behaviors. We explore the relations between all possible combinations of security goals and adversarial behaviors and, in particular, we prove that security against adaptive adversaries is (polynomially) equivalent to security against static adversaries.
* Afterwards, we prove that a recently proposed scheme is insecure against key recovery.
* Finally, we propose two different constructions for time-bound key assignment schemes. The first one is based on symmetric encryption schemes, whereas the second one makes
Security under key-dependent inputs
In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007
Cited by 31 (1 self)
Abstract
In this work we revisit the question of building cryptographic primitives that remain secure even when queried on inputs that depend on the secret key. This was investigated by Black, Rogaway, and Shrimpton in the context of randomized encryption schemes and in the random oracle model. We extend the investigation to deterministic symmetric schemes (such as PRFs and block ciphers) and to the standard model. We term this notion "security against key-dependent-input attack", or KDI-security for short. Our motivation for studying KDI security is the existence of significant real-world implementations of deterministic encryption (in the context of storage encryption) that actually rely on their building blocks to be KDI secure. We consider many natural constructions for PRFs, ciphers, tweakable ciphers and randomized encryption, and examine them with respect to their KDI security. We exhibit inherent limitations of this notion and show many natural constructions that fail to be KDI secure in the standard model, including some schemes that have been proven in the random oracle model. On the positive side, we demonstrate examples where some measure of KDI security can be provably achieved (in particular, we show such examples in the standard model).
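The gap between ordinary PRF security and KDI security in the abstract can be made concrete with the standard separating example, added here as an illustration and not taken from the paper (the paper's own constructions are not on this page). F' is HMAC-SHA256 with one input patched: on the key itself it returns all zeros. No adversary restricted to key-independent inputs will ever hit that input without guessing the key, so F' is as good a PRF as HMAC; a KDI adversary, who may ask for F'_k(g(k)) for a function g of its choice, picks g = identity and distinguishes F' from a random function with a single query. This is the storage-encryption situation the abstract mentions: a disk encryptor that encrypts a sector holding its own key is exactly such a g. The oracle classes, the trial count and the choice of HMAC-SHA256 are assumptions of this example.

```python
import hashlib
import hmac
import secrets

OUT_LEN = 32  # bytes of PRF output (SHA-256)


def prf(key, x):
    """A standard-model PRF (HMAC-SHA256), assumed secure on key-independent inputs."""
    return hmac.new(key, x, hashlib.sha256).digest()


def prf_contrived(key, x):
    """Hypothetical F'_k(x): identical to prf except that F'_k(k) = 0^256.
    Still a PRF against key-independent queries (reaching the patched input means
    guessing k), but trivially distinguishable once the adversary may query on k."""
    if x == key:
        return bytes(OUT_LEN)
    return prf(key, x)


class KdiOracle:
    """Real-world side of the KDI game: holds a secret key and answers F_k(g(k))
    for any adversary-chosen function g, without ever revealing k."""

    def __init__(self, f, key_len=32):
        self._key = secrets.token_bytes(key_len)
        self._f = f

    def query(self, g):
        return self._f(self._key, g(self._key))


class RandomFunctionOracle:
    """Ideal side of the KDI game: a lazily sampled random function, queried on g(k)."""

    def __init__(self, key_len=32):
        self._key = secrets.token_bytes(key_len)
        self._table = {}

    def query(self, g):
        x = g(self._key)
        if x not in self._table:
            self._table[x] = secrets.token_bytes(OUT_LEN)
        return self._table[x]


def kdi_distinguisher(oracle):
    """One key-dependent query with g = identity; output 1 if the answer is all zeros."""
    return oracle.query(lambda k: k) == bytes(OUT_LEN)


def kdi_advantage(f, trials=50):
    """Empirical Pr[D(real) = 1] - Pr[D(ideal) = 1] over independent key draws."""
    real = sum(kdi_distinguisher(KdiOracle(f)) for _ in range(trials))
    ideal = sum(kdi_distinguisher(RandomFunctionOracle()) for _ in range(trials))
    return (real - ideal) / trials


def agree_on_key_independent_inputs(key, inputs):
    """On any inputs that are not the key, F' and F are the same function."""
    return all(prf_contrived(key, x) == prf(key, x) for x in inputs if x != key)
```

`kdi_advantage(prf_contrived)` is 1.0 and `kdi_advantage(prf)` is 0.0 (the random-function side answers all zeros with probability 2^-256), while `agree_on_key_independent_inputs` shows the two PRFs are indistinguishable on every ordinary input. The example shows why a proof of standard PRF or cipher security says nothing about the key-dependent setting, which is the abstract's reason for treating KDI security as a separate notion.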