Concealment and its applications to authenticated encryption
Yevgeniy Dodis,Jee Hea An +1 more
- pp 312-329
Reads0
Chats0
TLDR
In this article, a new cryptographic primitive called concealment is introduced, which is related, but quite different from the notion of commitment, to the concept of commitment and is used for authenticated encryption.Abstract:
We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = φ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "non-trivial" concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations.
We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use AE for encrypting long messages. Namely, to encrypt "long" m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈AE(b),h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12,13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for AE), gets back AE(b), and outputs 〈AE(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13,17] are all special examples of our general paradigm.read more
Citations
More filters
Book ChapterDOI
sp-AELM: Sponge Based Authenticated Encryption Scheme for Memory Constrained Devices
TL;DR: This paper proposes another way to handle a long ciphertext with a low buffer size by storing and releasing only one intermediate state, without releasing or storing any part of an unverified plaintext and without need of generating any intermediate tag.
References
More filters
Book
Handbook of Applied Cryptography
TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Book ChapterDOI
Keying Hash Functions for Message Authentication
TL;DR: Two new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths.
Book ChapterDOI
Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption)
TL;DR: Signcryption as discussed by the authors is a new cryptographic primitive which simultaneously fulfills both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by signature-then-encryption.
Proceedings ArticleDOI
Universal one-way hash functions and their cryptographic applications
Moni Naor,Moti Yung +1 more
TL;DR: A Universal One-Way Hash Function family is defined, a new primitive which enables the compression of elements in the function domain and it is proved constructively that universal one- way hash functions exist if any 1-1 one-way functions exist.
Book ChapterDOI
Optimal asymmetric encryption
Mihir Bellare,Phillip Rogaway +1 more
TL;DR: A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.