We argue that the random oracle model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol <italic>P</italic> is produced by first devising and proving correct a protocol <italic>P<supscrpt>R</supscrpt></italic> for the …
Entity authentication and key distribution are central cryptographic problems in distributed computing, but up until now they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these problems in the complexity-theoretic framework of modern …
An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the …
We compare the relative strengths of popular notions of security for public-key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen-plaintext attack and two kinds of chosen-ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the …
We describe an RSA-based signing scheme which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not …
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string <i>M</i> ∈ {0,1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where <i>n</i> is the block length of the underlying block cipher. Additional overhead is small. OCB refines a …
Let F be some block cipher (e.g., DES) with block length l. The Cipher Block Chaining Message Authentication Code (CBC MAC) specifies that an m-block message x = x_1 ... x_m be authenticated among parties who share a secret key a for the block cipher by tagging x with a prefix of y_m, where y_0 = 0^l and y_i = F_a(m_i ⊕ y_{i-1}) for i = 1, 2, ..., m. This method is a …
We study session key distribution in the three-party setting of Needham and Schroeder. This is the trust model assumed by the popular Kerberos authentication system. Such protocols are basic building blocks for contemporary distributed systems, yet the underlying problem has up until now lacked a definition or provably good solution. One consequence is that …