The use of cryptographic hash functions like MD5 or SHA for message authentication has become a standard approach in many Internet applications and protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new constructions of message authentication schemes based(More)
We argue that the random oracle model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol $P$ is produced by first devising and proving correct a protocol $P^R$ for the(More)
An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the(More)
We formalize a new cryptographic primitive, Message-Locked Encryption (MLE), where the key under which encryption and decryption are performed is itself derived from the message. MLE provides a way to achieve secure deduplication (space-efficient secure outsourced storage), a goal currently targeted by numerous cloud-storage providers. We provide(More)
We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of Boneh et al. (Advances in Cryptology—EUROCRYPT 2004, ed. by C. Cachin, J.(More)
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string $M \in \{0,1\}^*$ using $\lceil |M|/n \rceil + 2$ block-cipher invocations, where $n$ is the block length of the underlying block cipher. Additional overhead is small. OCB refines a(More)
We compare the relative strengths of popular notions of security for public-key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen-plaintext attack and two kinds of chosen-ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the(More)
The Cipher Block Chaining Message Authentication Code (CBC MAC) specifies that a message $x = x_1 \cdots x_m$ be authenticated among parties who share a secret key $a$ by tagging $x$ with a prefix of $f^{(m)}_a(x) \stackrel{\text{def}}{=} f_a(f_a(\cdots f_a(f_a(x_1) \oplus x_2) \oplus \cdots \oplus x_{m-1}) \oplus x_m)$, where $f$ is some underlying block cipher (e.g., the Data Encryption Standard) and $a$ is its key. This method is a(More)
This paper provides theoretical foundations for the group signature primitive. We introduce strong, formal definitions for the core requirements of anonymity and traceability. We then show that these imply the large set of sometimes ambiguous existing informal requirements in the literature, thereby unifying and simplifying the requirements for this(More)