
Showing papers on "Plaintext-aware encryption published in 1998"


Book Chapter
Ronald Cramer, Victor Shoup
23 Aug 1998
TL;DR: In this paper, a new public key cryptosystem is proposed and analyzed, which is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions, and is at the same time quite practical.
Abstract: A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.

1,373 citations


Journal Article
Ronald Cramer, Victor Shoup
TL;DR: In this article, a new public key cryptosystem is proposed and analyzed, which is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions, and is at the same time quite practical.
Abstract: A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.

1,228 citations


Journal Article
TL;DR: In this article, the relative strengths of popular notions of security for public key encryption schemes are compared under chosen plaintext attack and two kinds of chosen ciphertext attack, and the goals of privacy and non-malleability are considered.
Abstract: We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.

1,057 citations


Book Chapter
31 May 1998
TL;DR: In this paper, the authors proposed a probabilistic public-key cryptosystem which is provably secure under the p-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions.
Abstract: This paper proposes a novel public-key cryptosystem, which is practical, provably secure and has some other interesting properties as follows: 1. Its trapdoor technique is essentially different from any other previous schemes including RSA-Rabin and Diffie-Hellman. 2. It is a probabilistic encryption scheme. 3. It can be proven to be as secure as the intractability of factoring n = p^2 q (in the sense of the security of the whole plaintext) against passive adversaries. 4. It is semantically secure under the p-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions. 5. Under the most practical environment, the encryption and decryption speeds of our scheme are comparable to (around twice slower than) those of elliptic curve cryptosystems. 6. It has a homomorphic property: E(m0, r0)E(m1, r1) mod n = E(m0 + m1, r2), where E(m, r) means a ciphertext of plaintext m as randomized by r and m0 + m1 < p. 7. Anyone can change a ciphertext, C = E(m, r), into another ciphertext, C′ = C·h^{r′} mod n, while preserving the plaintext of C (i.e., C′ = E(m, r″)), and the relationship between C and C′ can be concealed.

740 citations


Book Chapter
23 Aug 1998
TL;DR: In this article, the relative strengths of popular notions of security for public key encryption schemes are compared under chosen plaintext attack and two kinds of chosen ciphertext attack, and the goals of privacy and non-malleability are considered.
Abstract: We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.

564 citations


Book Chapter
05 Feb 1998
TL;DR: It is shown directly that the decision Diffie-Hellman assumption implies the security of the original ElGamal encryption scheme (with messages from a subgroup) without modification.
Abstract: The ElGamal encryption scheme has been proposed several years ago and is one of the few probabilistic encryption schemes. However, its security has never been concretely proven based on clearly understood and accepted primitives. Here we show directly that the decision Diffie-Hellman assumption implies the security of the original ElGamal encryption scheme (with messages from a subgroup) without modification. In addition, we show that the opposite direction holds, i.e., the semantic security of the ElGamal encryption is actually equivalent to the decision Diffie-Hellman problem. We also present an exact analysis of the efficiency of the reduction.

395 citations


Proceedings Article
01 Nov 1998
TL;DR: The probabilistic version of the scheme is a homomorphic encryption scheme whose expansion rate is much better than previously proposed such systems and has semantic security, relative to the hardness of computing higher residues for suitable moduli.
Abstract: This paper describes a new public-key cryptosystem based on the hardness of computing higher residues modulo a composite RSA integer. We introduce two versions of our scheme, one deterministic and the other probabilistic. The deterministic version is practically oriented: encryption amounts to a single exponentiation w.r.t. a modulus with at least 768 bits and a 160-bit exponent. Decryption can be suitably optimized so as to become less demanding than a couple RSA decryptions. Although slower than RSA, the new scheme is still reasonably competitive and has several specific applications. The probabilistic version exhibits an homomorphic encryption scheme whose expansion rate is much better than previously proposed such systems. Furthermore, it has semantic security, relative to the hardness of computing higher residues for suitable moduli.

381 citations


Journal Article
TL;DR: This work chooses an appropriate modulus p^k q which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method, and whose decryption is faster than the RSA cryptosystem using the Chinese remainder theorem.
Abstract: We propose a cryptosystem modulo p^k q based on the RSA cryptosystem. We choose an appropriate modulus p^k q which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method. We also apply the fast decryption algorithm modulo p^k proposed in [22]. The decryption process of the proposed cryptosystems is faster than the RSA cryptosystem using Chinese remainder theorem, known as the Quisquater-Couvreur method [17]. For example, if we choose the 768-bit modulus p^2 q for 256-bit primes p and q, then the decryption process of the proposed cryptosystem is about 3 times faster than that of RSA cryptosystem using Quisquater-Couvreur method.

173 citations


Book Chapter
23 Aug 1998
TL;DR: In this article, the authors proposed a cryptosystem modulo p^k q based on the RSA algorithm, which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method.
Abstract: We propose a cryptosystem modulo p^k q based on the RSA cryptosystem. We choose an appropriate modulus p^k q which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method. We also apply the fast decryption algorithm modulo p^k proposed in [22]. The decryption process of the proposed cryptosystems is faster than the RSA cryptosystem using Chinese remainder theorem, known as the Quisquater-Couvreur method [17]. For example, if we choose the 768-bit modulus p^2 q for 256-bit primes p and q, then the decryption process of the proposed cryptosystem is about 3 times faster than that of RSA cryptosystem using Quisquater-Couvreur method.

129 citations


01 Mar 1998
TL;DR: This document describes a method for encrypting data using the RSA public-key cryptosystem; it is informational and does not specify an Internet standard of any kind.
Abstract: This document describes a method for encrypting data using the RSA public-key cryptosystem. This memo provides information for the Internet community. It does not specify an Internet standard of any kind.

118 citations


Patent
13 Jul 1998
TL;DR: In this paper, a preset master key is used to obtain a set of round subkeys, and each of the plaintext data blocks is encrypted by using the master key and combining the encrypted blocks.
Abstract: In order to encrypt plaintext data while maintaining high security, the plaintext data is received and divided into a plurality of plaintext data blocks, each of which has the same bit length. A preset master key is used to obtain a set of round subkeys, and each of the plaintext data blocks is encrypted by using the preset master key and combining the encrypted blocks to thereby provide ciphertext data having a bit length which is identical to that of the plaintext data.

Book Chapter
14 Sep 1998
TL;DR: In this paper, an efficient verifiable encryption scheme for discrete logarithms is proposed and proved secure; previously, efficient verifiable encryption existed only for e-th roots.
Abstract: A verifiable encryption scheme (VES) is useful for many cryptographic protocols. A VES may be either for (encryption of) discrete logarithms or for (encryption of) e-th roots. So far, all the VESs for discrete logarithms are inefficient, but there exists an efficient VES for e-th roots. In this paper, we present an efficient VES for discrete logarithms and prove its security.

01 Jan 1998
TL;DR: Under the most practical environment in which public-key cryptosystems would be used, the encryption and decryption speeds of EPOC are comparable (several times slower) to those of elliptic curve cryptosystems.
Abstract: We describe a novel public-key cryptosystem, EPOC (Efficient Probabilistic Public-Key Encryption), which has two versions: EPOC-1 and EPOC-2. EPOC-1 is a public-key encryption system that uses a one-way trapdoor function and a random function (hash function). EPOC-2 is a public-key encryption system that uses a one-way trapdoor function, two random functions (hash functions) and a symmetric-key encryption (e.g., one-time padding and block-ciphers). EPOC has several outstanding properties as follows: 1. EPOC-1 is semantically secure or non-malleable against chosen ciphertext attacks (IND-CCA2 or NM-CCA2) in the random oracle model under the p-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions. 2. EPOC-2 with one-time padding is semantically secure or non-malleable against chosen ciphertext attacks (IND-CCA2 or NM-CCA2) in the random oracle model under the factoring assumption. 3. EPOC-2 with symmetric encryption is semantically secure or non-malleable against chosen ciphertext attacks (IND-CCA2 or NM-CCA2) in the random oracle model under the factoring assumption, if the underlying symmetric encryption is secure against passive attacks. 4. The trapdoor technique with EPOC is fundamentally different from any other previous scheme including RSA-Rabin and Diffie-Hellman-ElGamal. 5. Under the most practical environment in which public-key cryptosystems would be used, the encryption and decryption speeds of EPOC are comparable (several times slower) to those of elliptic curve cryptosystems. Compared with OAEP (RSA) with small e (e.g.,2 + 1), although the encryption speed of EPOC is slower than that of OAEP, the decryption speed is faster than that of OAEP. 
The encryption scheme described in this contribution is obtained by combining three results: one [25] on the trapdoor function technique is by Okamoto and Uchiyama, and the others [13, 14] on conversion techniques using random functions are by Fujisaki and Okamoto.

Patent
27 Jan 1998
TL;DR: In this paper, the authors proposed a method of evaluating a cryptosystem to determine whether the cryptosystem can withstand a fault analysis attack, which includes the steps of providing a cryptosystem having an encrypting process to encrypt a plaintext into a ciphertext, introducing a fault into the encrypting process to generate a ciphertext with faults, and comparing the ciphertext with the faulty ciphertext in an attempt to recover a key of the cryptosystem.
Abstract: A method of evaluating a cryptosystem to determine whether the cryptosystem can withstand a fault analysis attack, the method includes the steps of providing a cryptosystem having an encrypting process to encrypt a plaintext into a ciphertext, introducing a fault into the encrypting process to generate a ciphertext with faults, and comparing the ciphertext with the ciphertext with faults in an attempt to recover a key of the cryptosystem.

Journal Article
TL;DR: A data mixing method for encrypting a plaintext block using a block encryption algorithm (such as Elliptic Curve, RSA, etc.) having a block size smaller than that of the plaintext block is described.

Journal Article
TL;DR: A modified ElGamal cryptosystem which can broadcast communicate by encrypting every different plaintext (same plaintext is also acceptable) for plural users, and is also applicable to the systems which have hierarchical structures.
Abstract: We propose a modified ElGamal cryptosystem which can broadcast communicate by encrypting every different plaintext (same plaintext is also acceptable) for plural users, and is also applicable to the systems which have hierarchical structures. And, we show that the security of this cryptosystem is based on difficulties of solving discrete logarithm problems, it maintains equivalent security with the original ElGamal cryptosystem. The transmission efficiency of this cryptosystem is improved.

Journal Article
TL;DR: A method is presented for encoding a message in the lattice of the GGH public-key cryptosystem that is more efficient than the authors' original contribution and also has a stronger notion of plaintext awareness.
Abstract: A method is presented for encoding a message in the lattice of the GGH public-key cryptosystem. The approach is more efficient than the authors' original contribution and also has a stronger notion of plaintext awareness. With the encoding scheme, encryption of a given message has a computational requirement of only O(n), which is superior to the original scheme which requires O(n^2).

Journal Article
TL;DR: It is shown that the broadcasting cryptosystem proposed by Wu and Wu is an example of a modification of a trivial unconditionally secure one-time broadcast encryption system.
Abstract: It is shown that the broadcasting cryptosystem proposed by Wu and Wu is an example of a modification of a trivial unconditionally secure one-time broadcast encryption system. Simplifications and generalisations of this scheme are discussed.