#### DMCA

## Honey Encryption: Security Beyond the Brute-Force Bound (2014)

Citations: | 4 - 0 self |

### Citations

10600 | Introduction to Algorithms
- Cormen, Leiserson, et al.
- 2001
(Show Context)
Citation Context ...coding that we call a distribution-transforming encoder (DTE). A DTE is designed 2 with an estimate of the message distribution pm in mind, making it conceptually similar to arithmetic/Huffman coding =-=[20]-=-. The message space for a DTE is exactly the support of pm (messages with non-zero probability). Encoding a message sampled from pm yields a “seed” value distributed (approximately) uniformly. It is o... |

1379 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...pm and pk are independent of the RO. Semantic security. In the case that keys are sufficiently unpredictable and adversaries are computationally bounded, our HE schemes will achieve semantic security =-=[25]-=-. Our schemes will therefore never provide worse confidentiality than conventional encryption, and in particular the MR advantage in this case equals the min-entropy of the message distribution pm plu... |

1221 |
Communication Theory of Secrecy Systems
- Shannon
- 1949
(Show Context)
Citation Context ...ovide a form of information-theoretic encryption, as their MR security does not rely on any computational hardness assumption. Information-theoretic encryption schemes, starting with the one-time pad =-=[40]-=-, have seen extensive study. Most closely related is entropic security [22, 39], where the idea is to exploit high-entropy messages to perform encryption that leaks no predicate on the plaintext even ... |

324 | Balanced allocations
- Azar, Broder, et al.
- 1999
(Show Context)
Citation Context ...enote a conventional symmetric encryption scheme, but note that the syntax and semantics match those of an HE scheme. Message and key distributions. We denote a distribution on set S by a map p : S → =-=[0, 1]-=- and require that∑ s∈S p(s) = 1. The min-entropy of a distribution is defined to be − logmaxs∈S p(s). Sampling according to such a distribution is written s←p S, and we assume all sampling is efficien... |

284 | Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm,” - Bellare, Namprempre - 1976 |

226 | Some problems of ‘partitio numerorum’ III, On the expression of a number as a sum of primes - Hardy, Littlewood - 1922 |

214 |
Honeypots: Tracking Hackers.
- Spitzner
- 2002
(Show Context)
Citation Context ...ted to HE is a rich literature on deception and decoys in computer security. Honeypots, fake computer systems intended to attract and study attacks, are a stock-in-trade of computer security research =-=[42]-=-. Researchers have proposed honeytokens [21, 43], which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include ... |

204 | OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption”, - Rogaway - 2001 |

167 | A computational introduction to number theory and algebra. Cambridge university press
- Shoup
- 2009
(Show Context)
Citation Context ...J-DTE be the scheme described above. Then AdvdteRSA-REJ-DTE,pm(A) ≤ (1− 2/(3ℓ))t−1 for any adversary A. Proof: Let π(x) be the number of primes less than or equal to x. Then Bertrand’s postulate (cf. =-=[41]-=-) states that π(2ℓ) − π(2ℓ−1) > 2ℓ−13ℓ for ℓ > 2. Thus the probability of each sample from {0, 1}ℓ−2 being a prime is at least 2/3ℓ. One can verify that the SAMP1RSA-REJ-DTE,pm and SAMP0RSA-REJ-DTE,pm... |

152 |
O’Neill A.: Deterministic and Efficiently Searchable Encryption. In:
- Bellare, Boldyreva
- 2007
(Show Context)
Citation Context ...rovides useful bounds (by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic =-=[2, 4, 12]-=- and hedged [3, 37] public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the... |

111 |
Probabilistic algorithms. In
- Rabin
- 1976
(Show Context)
Citation Context ...ration algorithm generates an RSA key of bit-length 2ℓ via rejection sampling of random values p, q ∈ [2ℓ−1, 2ℓ). The rejection criterion for either p or q is failure of a Miller-Rabin primality test =-=[32, 36]-=-; the resulting distribution of primes is (essentially) uniform over the range. The private exponent is computed as d = e−1 mod (p − 1)(q − 1) for some fixed e (typically 65537), yielding secret key (... |

95 | Adaptively secure multi-party computation
- Canetti, Feige, et al.
- 1996
(Show Context)
Citation Context ... which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). Under (non-interactive) non-committing encryption =-=[18,34]-=-, a ciphertext can be “opened” to an arbitrary message under a suitably selected key. (For example, a one-time pad is non-committing.) HE has a different requirement, namely that decrypting a fixed ci... |

93 | Separating random oracle proofs from complexity theoretic proofs: The noncommitting encryption case
- Nielsen
(Show Context)
Citation Context ... which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). Under (non-interactive) non-committing encryption =-=[18,34]-=-, a ciphertext can be “opened” to an arbitrary message under a suitably selected key. (For example, a one-time pad is non-committing.) HE has a different requirement, namely that decrypting a fixed ci... |

86 | The science of guessing: analyzing an anonymized corpus of 70 million passwords.
- Bonneau
- 2012
(Show Context)
Citation Context ...tribution with min-entropy µ. This brute-force bound is the best possible for in-use schemes. Unfortunately empirical studies show this level of security to frequently be insufficient. A recent study =-=[13]-=- reports µ < 7 for passwords observed in a real-world population of 69+ million users. (1.08% of users chose the same password.) For any slowdown c small enough to support timely decryption in normal ... |

71 | The security and performance of the Galois/Counter Mode (GCM) of operation. In: - McGrew, Viega - 2005 |

70 | Deniable encryption
- Canetti, Dwork, et al.
- 1997
(Show Context)
Citation Context ...ferent keys yields independent-looking samples of the message space. Note that unlike non-committing encryption [34], HE is achievable in the non-programmable random oracle model. Deniable encryption =-=[17]-=- also allows ciphertexts to be opened to chosen messages; HE schemes do not in general offer deniability. Canetti, Halevi, and Steiner [19] propose a protocol in which a password specifies a subset of... |

62 | On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles.
- Boldyreva, Fehr, et al.
- 2008
(Show Context)
Citation Context ...rovides useful bounds (by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic =-=[2, 4, 12]-=- and hedged [3, 37] public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the... |

55 |
Uri Feige, Oded Goldreich and Moni Naor. Adaptively Secure Multi-party Computation. In:
- Canetti
- 1996
(Show Context)
Citation Context ...es for which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). (Non-interactive) non-committing encryption =-=[14, 29]-=- are schemes for which a ciphertext can be “opened” to an arbitrary message by finding an appropriate key to do so. (For example, a one-time-pad is non-committing.) HE has no such requirement, rather ... |

45 | Ristenpart T.: Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles.
- Bellare, Fischlin, et al.
- 2008
(Show Context)
Citation Context ...rovides useful bounds (by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic =-=[2, 4, 12]-=- and hedged [3, 37] public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the... |

41 | Baiting Inside Attackers Using Decoy Documents.
- Bowen, Hershkop, et al.
- 2009
(Show Context)
Citation Context ...ve proposed honeytokens [21, 43], which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include false documents =-=[15]-=-, false network traffic [14], and many variants. The Kamouflage system [11] is particularly relevant. It conceals a true password vault encrypted under a true master password among N bogus vaults encr... |

35 | Format-preserving encryption.
- Bellare, Ristenpart
- 2009
(Show Context)
Citation Context ...ndomness. In natural applications of HE, the message space M must encompass messages of special format, rather than just bitstrings. In this sense, HE is related to format-preserving encryption (FPE) =-=[6]-=-, although HE is randomized and has no preservation requirement (our ciphertexts are unstructured bit strings). An implication of our approach, however, is that some FPE constructions (e.g., for credi... |

32 | Entropic security and the encryption of high entropy messages,” in
- Dodis
- 2005
(Show Context)
Citation Context ... not rely on any computational hardness assumption. Information-theoretic encryption schemes, starting with the one-time pad [40], have seen extensive study. Most closely related is entropic security =-=[22, 39]-=-, where the idea is to exploit high-entropy messages to perform encryption that leaks no predicate on the plaintext even against unbounded attackers (and hence beyond the brute-force bound). Their goa... |

29 | Hedged public-key encryption: How to protect against bad randomness
- Bellare, Brakerski, et al.
- 2009
(Show Context)
Citation Context ...(by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic [2, 4, 12] and hedged =-=[3, 37]-=- public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the case that keys are... |

28 | How to fool an unbounded adversary with a short key
- Russell, Wang
(Show Context)
Citation Context ... not rely on any computational hardness assumption. Information-theoretic encryption schemes, starting with the one-time pad [40], have seen extensive study. Most closely related is entropic security =-=[22, 39]-=-, where the idea is to exploit high-entropy messages to perform encryption that leaks no predicate on the plaintext even against unbounded attackers (and hence beyond the brute-force bound). Their goa... |

26 |
Cynthia Dwork, Moni Naor, and Rafail Ostrovsky. Deniable encryption.
- Canetti
- 1997
(Show Context)
Citation Context ...keys gives rise to independent-looking samples of the message space. Note that unlike non-committing encryption [29], HE is achievable in the non-programmable random oracle model. Deniable encryption =-=[15]-=- also allows opening a ciphertext to a chosen message; HE schemes do not in general provide deniability. Canetti, Halevi, and Steiner [13] propose a protocol in which a password specifies a subset of ... |

25 | Hardness amplification of weakly verifiable puzzles
- Canetti, Halevi, et al.
- 2005
(Show Context)
Citation Context ...he non-programmable random oracle model. Deniable encryption [17] also allows ciphertexts to be opened to chosen messages; HE schemes do not in general offer deniability. Canetti, Halevi, and Steiner =-=[19]-=- propose a protocol in which a password specifies a subset of CAPTCHAs that must be solved to decrypt a credential store. Their scheme creates ambiguity around where human effort can be most effective... |

20 | When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography,”
- Ristenpart, Yilek
- 2010
(Show Context)
Citation Context ...(by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic [2, 4, 12] and hedged =-=[3, 37]-=- public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the case that keys are... |

19 |
Strong Primes are Easy to Find.
- GORDON
- 1985
(Show Context)
Citation Context ...n smaller encodings. Some prime number generators do not produce uniform prime numbers. A classic algorithm picks a random integer in [2ℓ−1, 2ℓ) and increments it by two until a prime is found (c.f., =-=[16, 26]-=-). In this case, a DTE can be constructed that requires only 2(ℓ − 2)-bit seeds, and so is space-optimal. The OpenSSL library does something between the two approaches so-far described (c.f., [33]). I... |

19 | Software smart cards via cryptographic camouflage
- Hoover, Kausik
- 1999
(Show Context)
Citation Context ...simply by decrypting C using the key with the highest probability, which is at most 1/2µ. Previously proposed security tools have exploited exactly this intuition for special cases. Hoover and Kausik =-=[28]-=- consider the problem of encrypting a (uniformly-chosen) RSA or DSA secret exponent for authenticating a user to a remote system. Only the remote system holds the associated public key. To hedge again... |

18 | Honeywords: Making password-cracking detectable.
- Juels, Rivest
- 2013
(Show Context)
Citation Context ...to foil offline brute-force attacks, but mainly by means of hiding valid authentication credentials in an explicitly stored list of plausible-looking fake ones (often called “decoys” or “honeywords”) =-=[11, 29]-=-. Similarly, detection of system breaches using “honeytokens,” such as fake credit-card numbers, is a common industry practice [43]. Honey encryption (HE). Inspired by such decoy systems, we set out t... |

17 | On generation of probable primes by incremental search
- Brandt, Damgård
- 1992
(Show Context)
Citation Context ...n smaller encodings. Some prime number generators do not produce uniform prime numbers. A classic algorithm picks a random integer in [2ℓ−1, 2ℓ) and increments it by two until a prime is found (c.f., =-=[16, 26]-=-). In this case, a DTE can be constructed that requires only 2(ℓ − 2)-bit seeds, and so is space-optimal. The OpenSSL library does something between the two approaches so-far described (c.f., [33]). I... |

14 | D.: Kamouflage: Loss-resistant Password Management
- Bojinov, Bursztein, et al.
- 2010
(Show Context)
Citation Context ...to foil offline brute-force attacks, but mainly by means of hiding valid authentication credentials in an explicitly stored list of plausible-looking fake ones (often called “decoys” or “honeywords”) =-=[11, 29]-=-. Similarly, detection of system breaches using “honeytokens,” such as fake credit-card numbers, is a common industry practice [43]. Honey encryption (HE). Inspired by such decoy systems, we set out t... |

13 | Multi-instance Security and Its Application to Password-Based Cryptography.
- Bellare, Ristenpart, et al.
- 2012
(Show Context)
Citation Context ...a salting, which slows attacks against multiple users, and iterated application of one-way functions, which slows decryption and thus attacks by a constant factor c (e.g., c = 10,000). Recent results =-=[7]-=- prove that for conventional PBE schemes (e.g., [35]), work q suffices to crack a single ciphertext with probability q/c2µ for passwords selected from a distribution with min-entropy µ. This brute-for... |

12 |
On weighted balls-into-bins games.
- Berenbrink, Friedetzky, et al.
- 2008
(Show Context)
Citation Context ...however, are unlikely to coincide with this special case, and so we seek other bounds. Majorization. To analyze more general settings, we exploit a result due to Berenrink, Friedetzky, Hu, and Martin =-=[8]-=- that builds on a technique called “majorization” earlier used for the balls-and-bins setting by Azar, Broder, Karlin, and Upfal [1]. Distributions such as pk and pd can be viewed as vectors of approp... |

12 | Random oracles with(out) programmability.
- Fischlin, Lehmann, et al.
- 2010
(Show Context)
Citation Context ...theorem 3Convention is to have m balls and n bins, but we use a balls and b bins to avoid confusion since m connotes messages. 4Technically speaking we only require the non-programmable random oracle =-=[23, 34]-=-. 9 from [8, Cor. 3.5], slightly recast to use our terminology. We also extend our definition of load to include the i highest loaded bins: let Lipk,pd be the random variable which is the total weight... |

8 | S.J.: Automating the injection of believable decoys to detect snooping. In:
- Bowen, Kemerlis, et al.
- 2010
(Show Context)
Citation Context ... 43], which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include false documents [15], false network traffic =-=[14]-=-, and many variants. The Kamouflage system [11] is particularly relevant. It conceals a true password vault encrypted under a true master password among N bogus vaults encrypted under bogus master pas... |

7 |
collisionful hash functions
- Secure
- 1993
(Show Context)
Citation Context ...PE constructions (e.g., for credit-card encryption) can be shown to achieve HE-like security guarantees when message distributions are uniform. HE is also conceptually related to collisionful hashing =-=[10]-=-, the idea of creating password hashes for which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). Under (n... |

5 |
Honeytokens: The other honeypot,” Symantec Connect Security article,
- Spitzner
- 2010
(Show Context)
Citation Context ...usible-looking fake ones (often called “decoys” or “honeywords”) [11, 29]. Similarly, detection of system breaches using “honeytokens,” such as fake credit-card numbers, is a common industry practice =-=[43]-=-. Honey encryption (HE). Inspired by such decoy systems, we set out to build HE schemes that provide security beyond the brute-force barrier. These schemes yield candidate messages during brute-force ... |

2 |
Method and apparatus for cryptographically camouflaged cryptographic key
- Kausik
(Show Context)
Citation Context ...yields valid-looking exponents, and that an attacker can at best use each candidate exponent in a brute-force online attack against the remote system. Their work led to a commercially deployed system =-=[30]-=-. Other systems similarly seek to foil offline brute-force attacks, but mainly by means of hiding valid authentication credentials in an explicitly stored list of plausible-looking fake ones (often ca... |

2 |
Factoring RSA moduli
- Mironov
(Show Context)
Citation Context ...[16, 26]). In this case, a DTE can be constructed that requires only 2(ℓ − 2)-bit seeds, and so is space-optimal. The OpenSSL library does something between the two approaches so-far described (c.f., =-=[33]-=-). It first picks a random, odd integer p. If p or p−1 is divisible 1We could also output bottom, but we would then need to permit errors in decoding and HE decryption. 2Doing so would also require ou... |

1 |
PIN analysis. DataGenetics blog
- Berry
- 2012
(Show Context)
Citation Context ...fication Values (CVVs), and (user-selected) PINs. Encryption of PINs requires a DTE that handles a non-uniform distribution over messages, as empirical studies show a heavy user bias in PIN selection =-=[9]-=-. The resulting analysis consequently involves a balls-and-bins game with non-uniform bin capacities, a somewhat unusual setup in the literature. In each of the cases above we are able to prove close ... |

1 |
de Barros. Ids mailing list, “RES: Protocol anomaly detection
- Paes
- 2003
(Show Context)
Citation Context ...and decoys in computer security. Honeypots, fake computer systems intended to attract and study attacks, are a stock-in-trade of computer security research [42]. Researchers have proposed honeytokens =-=[21, 43]-=-, which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include false documents [15], false network traffic [14]... |

1 | Close to uniform prime number generation with fewer random bits. Cryptology ePrint Archive, Report 2011/481
- Fouque, Tibouchi
- 2011
(Show Context)
Citation Context ...seed values that map to particular messages (prime pairs), effectively inverting the PRG, which is infeasible. One could instead attempt to use more randomness-efficient rejection-sampling techniques =-=[24]-=- to obtain smaller encodings. Some prime number generators do not produce uniform prime numbers. A classic algorithm picks a random integer in [2ℓ−1, 2ℓ) and increments it by two until a prime is foun... |

1 |
Riemann’s hypothesis and tests for primality. Journal of computer and system sciences
- Miller
- 1976
(Show Context)
Citation Context ...ration algorithm generates an RSA key of bit-length 2ℓ via rejection sampling of random values p, q ∈ [2ℓ−1, 2ℓ). The rejection criterion for either p or q is failure of a Miller-Rabin primality test =-=[32, 36]-=-; the resulting distribution of primes is (essentially) uniform over the range. The private exponent is computed as d = e−1 mod (p − 1)(q − 1) for some fixed e (typically 65537), yielding secret key (... |