Showing papers on "Plaintext-aware encryption published in 2004"
••
TL;DR: The two-dimensional chaotic cat map is generalized to 3D for designing a real-time secure symmetric encryption scheme that uses the 3D cat map to shuffle the positions of image pixels and uses another chaotic map to confuse the relationship between the cipher-image and the plain-image, thereby significantly increasing the resistance to statistical and differential attacks.
Abstract: Encryption of images is different from that of texts due to some intrinsic features of images such as bulk data capacity and high redundancy, which are generally difficult to handle by traditional methods. Due to the exceptionally desirable properties of mixing and sensitivity to initial conditions and parameters of chaotic maps, chaos-based encryption has suggested a new and efficient way to deal with the intractable problem of fast and highly secure image encryption. In this paper, the two-dimensional chaotic cat map is generalized to 3D for designing a real-time secure symmetric encryption scheme. This new scheme employs the 3D cat map to shuffle the positions (and, if desired, grey values as well) of image pixels and uses another chaotic map to confuse the relationship between the cipher-image and the plain-image, thereby significantly increasing the resistance to statistical and differential attacks. Thorough experimental tests are carried out with detailed analysis, demonstrating the high security and fast encryption speed of the new scheme.
1,904 citations
••
TL;DR: In this paper, a new public-key encryption scheme, along with several variants, is proposed and analyzed, and its variants are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions.
Abstract: A new public-key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first public-key encryption schemes in the literature that are simultaneously practical and provably secure.
936 citations
••
02 May 2004
TL;DR: This work proposes a simple and efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption (IBE) scheme, which avoids the non-interactive proofs of "well-formedness" that were shown to underlie most previous constructions.
Abstract: We propose a simple and efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption (IBE) scheme. Our construction requires the underlying IBE scheme to satisfy only a relatively “weak” notion of security which is known to be achievable without random oracles; thus, our results provide a new approach for constructing CCA-secure encryption schemes in the standard model. Our approach is quite different from existing ones; in particular, it avoids non-interactive proofs of “well-formedness” which were shown to underlie most previous constructions. Furthermore, applying our conversion to some recently-proposed IBE schemes results in CCA-secure schemes whose efficiency makes them quite practical.
889 citations
••
15 Aug 2004
TL;DR: It is shown that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed, and this result is further generalized to universal_2 projective hash families.
Abstract: In this paper, we show that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed. That is, we present a more efficient hybrid encryption scheme than Shoup [12] by using a KEM which is not necessarily IND-CCA secure. Nevertheless, our scheme is secure in the sense of IND-CCA under the DDH assumption in the standard model. This result is further generalized to universal_2 projective hash families.
396 citations
•
TL;DR: The game-playing technique is a powerful tool for analyzing cryptographic constructions, and games can be used to prove the security of three-key triple encryption, a long-standing open problem.
Abstract: The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage is small until it asks about 2^78 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security of the basic CBC MAC, and the chosen-plaintext-attack security of OAEP.
234 citations
•
TL;DR: This work investigates an alternative syntax for an encryption scheme, where the encryption process e is a deterministic function that surfaces an initialization vector (IV) that is guaranteed to be a nonce-something that takes on a new value with every message one encrypts.
Abstract: Symmetric encryption schemes are usually formalized so as to make the encryption operation a probabilistic or state-dependent function E of the message M and the key K: the user supplies M and K and the encryption process does the rest, flipping coins or modifying internal state in order to produce a ciphertext C. Here we investigate an alternative syntax for an encryption scheme, where the encryption process E is a deterministic function that surfaces an initialization vector (IV). The user supplies a message M, key K, and initialization vector N, getting back the (one and only) associated ciphertext C = E_K^N(M). We concentrate on the case where the IV is guaranteed to be a nonce, something that takes on a new value with every message one encrypts. We explore definitions, constructions, and properties for nonce-based encryption. Symmetric encryption with a surfaced IV more directly captures real-world constructions like CBC mode, and encryption schemes constructed to be secure under nonce-based security notions may be less prone to misuse.
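The nonce-surfaced syntax above, as an added example that is not part of the original paper: encryption is a deterministic function of (K, N, M), the caller is responsible for N, and the code shows both what a nonce-tracking wrapper must enforce and what an eavesdropper gets when the contract is broken. The keystream is a constructed toy (HMAC-SHA256 in counter mode standing in for a block cipher); the 32-byte key, 12-byte nonce and the messages are constructed sample inputs.

```python
import hmac
import hashlib

NONCE_LEN = 12  # assumption of this toy scheme: 12-byte nonce, 4-byte block counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream PRF(K, N || ctr). HMAC-SHA256 stands in for the
    block cipher a real scheme would use; it is here only so the example runs offline."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Deterministic, nonce-surfaced encryption: C = E_K^N(M). No coins, no state."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return bytes(m ^ k for m, k in zip(msg, keystream(key, nonce, len(msg))))


# An XOR stream cipher is its own inverse, so D_K^N(C) is the same function.
decrypt = encrypt


class NonceTrackingEncryptor:
    """The contract the surfaced-IV syntax makes explicit: every (K, N) pair is used
    once. Reuse under the same key is rejected instead of silently producing output."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()

    def encrypt(self, nonce: bytes, msg: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce reuse under the same key")
        self.used.add(nonce)
        return encrypt(self.key, nonce, msg)


def nonce_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """What a passive attacker recovers when two messages share (K, N): the keystream
    cancels, C1 xor C2 = M1 xor M2, so knowing M1 yields M2 (over the common prefix)."""
    c1 = encrypt(key, nonce, m1)
    c2 = encrypt(key, nonce, m2)
    xored = bytes(a ^ b for a, b in zip(c1, c2))
    return bytes(a ^ b for a, b in zip(xored, m1))


def is_deterministic(key: bytes, nonce: bytes, msg: bytes) -> bool:
    """Two calls with the same inputs give the same ciphertext: the defining property
    of the deterministic syntax, and the reason the nonce must never repeat."""
    return encrypt(key, nonce, msg) == encrypt(key, nonce, msg)
```

The wrapper's set-based nonce check is enough for a single process; a deployed scheme would use a counter or a persisted high-water mark so that the check survives restarts.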
195 citations
••
25 Oct 2004
TL;DR: In this paper, a scalable forward-secure hierarchical identity-based encryption (fs-HIBE) scheme is proposed, whose security is based on the bilinear Diffie-Hellman assumption in the random oracle model.
Abstract: A forward-secure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identity-based encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joining-time-oblivious; (3) users evolve secret keys autonomously.We present a scalable forward-secure HIBE (fs-HIBE) scheme satisfying the above properties. We also show how our fs-HIBE scheme can be used to construct a forward-secure public-key broadcast encryption scheme, which protects the secrecy of prior transmissions in the broadcast encryption setting. We further generalize fs-HIBE into a collusion-resistant multiple hierarchical ID-based encryption scheme, which can be used for secure communications with entities having multiple roles in role-based access control. The security of our schemes is based on the bilinear Diffie-Hellman assumption in the random oracle model.
156 citations
••
22 Aug 2004
TL;DR: A quantum encryption scheme is a one-time pad for quantum messages: if two parties share a classical random string, one of them can transmit a quantum state to the other so that an eavesdropper gets little or no information about the state being transmitted.
Abstract: A quantum encryption scheme (also called private quantum channel, or state randomization protocol) is a one-time pad for quantum messages. If two parties share a classical random string, one of them can transmit a quantum state to the other so that an eavesdropper gets little or no information about the state being transmitted. Perfect encryption schemes leak no information at all about the message. Approximate encryption schemes leak a non-zero (though small) amount of information but require a shorter shared random key. Approximate schemes with short keys have been shown to have a number of applications in quantum cryptography and information theory [8].
103 citations
••
TL;DR: This work proposes public-key encryption algorithms based on chaotic maps, which are generalizations of well-known and commercially used algorithms (Rivest-Shamir-Adleman, ElGamal, and Rabin), and shows that the generalized RSA algorithm is as secure as the RSA algorithm.
Abstract: We propose public-key encryption algorithms based on chaotic maps, which are generalizations of well-known and commercially used algorithms: Rivest–Shamir–Adleman (RSA), ElGamal, and Rabin. For the case of the generalized RSA algorithm we discuss in detail its software implementation and properties. We show that our algorithm is as secure as the RSA algorithm.
76 citations
••
23 Feb 2004
TL;DR: This work generalizes previous work and presents a more generic construction for intrusion-resilient public-key encryption from any forward-secure public- key encryption scheme satisfying a certain homomorphic property.
Abstract: In an intrusion-resilient cryptosystem [10], two entities (a user and a base) jointly evolve a secret decryption key; this provides very strong protection against an active attacker who can break into the user and base repeatedly and even simultaneously. Recently, a construction of an intrusion-resilient public-key encryption scheme based on specific algebraic assumptions has been shown [6]. We generalize this previous work and present a more generic construction for intrusion-resilient public-key encryption from any forward-secure public-key encryption scheme satisfying a certain homomorphic property.
64 citations
••
19 Feb 2004
TL;DR: A cryptosystem that is RCCA secure has full CCA2 security except for the little detail that it may be possible to modify a ciphertext into another ciphertext containing the same plaintext.
Abstract: Recently Canetti, Krawczyk and Nielsen defined the notion of replayable adaptive chosen ciphertext attack (RCCA) secure encryption. Essentially a cryptosystem that is RCCA secure has full CCA2 security except for the little detail that it may be possible to modify a ciphertext into another ciphertext containing the same plaintext.
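The "little detail" above, as an added example that is not part of the original paper: textbook ElGamal over a tiny constructed group shows a ciphertext being turned into a different ciphertext of the same plaintext (re-randomization), and the RCCA-style decryption oracle that answers "test" rather than revealing the plaintext when a query decrypts to a challenge message. The parameters P = 1019, Q = 509, G = 4 are constructed toy values, far too small for real use; plain ElGamal is also shown to be mauled into a different plaintext, which is the kind of malleability RCCA does not tolerate (ElGamal itself is not RCCA secure).

```python
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1, G a quadratic residue, so G
# generates the order-Q subgroup. Real deployments use 2048-bit or larger groups.
P = 1019
Q = 509
G = 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # (sk, pk = G^x)


def encode(m: int) -> int:
    """Map a message in 1..Q into the quadratic-residue subgroup (m or P - m)."""
    assert 1 <= m <= Q
    return m if pow(m, Q, P) == 1 else P - m  # Euler's criterion


def decode(y: int) -> int:
    return y if y <= Q else P - y


def encrypt(pk: int, m: int):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), encode(m) * pow(pk, r, P) % P


def decrypt(sk: int, c) -> int:
    c1, c2 = c
    shared = pow(c1, sk, P)
    return decode(c2 * pow(shared, P - 2, P) % P)


def rerandomize(pk: int, c):
    """Multiply by a fresh encryption of 1: a new ciphertext with the same plaintext.
    This is exactly the modification an RCCA-secure scheme is allowed to permit."""
    c1, c2 = c
    s = secrets.randbelow(Q - 1) + 1          # s != 0, so the new c1 always differs
    return c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P


def maul(c, factor: int):
    """Malleability RCCA does NOT tolerate: the plaintext becomes m * factor."""
    c1, c2 = c
    return c1, c2 * factor % P


def rcca_oracle(sk: int, challenge_msgs, c):
    """Decryption oracle of the RCCA game: when a query decrypts to one of the
    challenge messages the oracle answers 'test', so handing back a re-randomized
    copy of the challenge ciphertext gains the adversary nothing."""
    m = decrypt(sk, c)
    return "test" if m in challenge_msgs else m
```

Re-randomization is harmless for confidentiality but matters for protocols that use ciphertexts as identifiers (for instance, detecting replays by comparing ciphertexts), which is why the RCCA relaxation is stated explicitly rather than folded into CCA2.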
•
TL;DR: This paper presents a fully secure identity based encryption scheme whose proof of security does not rely on the random oracle heuristic, with security based on the Decision Bilinear Diffie-Hellman assumption, solving an open problem posed by Boneh and Franklin in 2001.
Abstract: We present a fully secure Identity Based Encryption scheme whose proof of security does not rely on the random oracle heuristic. Security is based on the Decision Bilinear Diffie-Hellman assumption. This solves an open problem posed by Boneh and Franklin in 2001.
••
01 Mar 2004
TL;DR: This paper defines an extended model of (standard) CCA called chosen ciphertext attack for multiple encryption (ME-CCA) emulating partial breaking of assumptions, gives constructions of multiple encryption satisfying ME-CCA-security, and proves that ME-wCCA-security can be acquired by combining IND-CCA-secure component ciphers together.
Abstract: In a practical system, a message is often encrypted more than once by different encryptions, here called multiple encryption, to enhance its security. Additionally, new features may be achieved by multiple encrypting a message, such as the key-insulated cryptosystems and anonymous channels. Intuitively, a multiple encryption should remain “secure”, whenever there is one component cipher unbreakable in it. In NESSIE’s latest Portfolio of recommended cryptographic primitives (Feb. 2003), it is suggested to use multiple encryption with component ciphers based on different assumptions to acquire long term security. However, in this paper we show this needs careful discussion, especially, this may not be true according to adaptive chosen ciphertext attack (CCA), even with all component ciphers CCA-secure. We define an extended model of (standard) CCA called chosen ciphertext attack for multiple encryption (ME-CCA) emulating partial breaking of assumptions, and give constructions of multiple encryption satisfying ME-CCA-security. We further relax CCA by introducing weak ME-CCA (ME-wCCA) and study the relations among these definitions, proving ME-wCCA-security can be acquired by combining IND-CCA-secure component ciphers together. We then apply these results to key-insulated cryptosystem.
•
TL;DR: In this article, the authors investigate the authenticated encryption paradigm and its security against blockwise adaptive adversaries, mounting chosen ciphertext attacks on on-the-fly cryptographic devices and propose a generic construction called Decrypt-Then-Mask, and prove its security in the blockwise adversarial model.
Abstract: In this paper, we investigate the authenticated encryption paradigm, and its security against blockwise adaptive adversaries, mounting chosen ciphertext attacks on on-the-fly cryptographic devices. We remark that most of the existing solutions are insecure in this context, since they provide a decryption oracle for any ciphertext. We then propose a generic construction called Decrypt-Then-Mask, and prove its security in the blockwise adversarial model. The advantage of this proposal is to apply minimal changes to the encryption protocol. In fact, in our solution, only the decryption protocol is modified, while the encryption part is left unchanged. Finally, we propose an instantiation of this scheme, using the encrypted CBC-MAC algorithm, a secure pseudorandom number generator and the Delayed variant of the CBC encryption scheme.
••
13 Jul 2004
TL;DR: It is shown that the MAC can be eliminated from DHIES if the underlying symmetric-key encryption scheme is secure in the sense of IND-CCA, and the ElGamal encryption part of DHIES without MAC is generalized to Half-Recovery (HR) schemes.
Abstract: In this paper, we show that the MAC can be eliminated from DHIES if the underlying symmetric-key encryption scheme is secure in the sense of IND-CCA. Further, the ElGamal encryption part of DHIES without MAC is generalized to Half-Recovery (HR) schemes. The Dependent-RSA encryption scheme [12] and the Blum-Goldwasser encryption scheme [6] can be used as an HR scheme, for example. Our construction also offers the first secure public-key encryption schemes with no redundancy in the standard model.
•
20 Jan 2004
TL;DR: In this paper, a method for preparing enciphered message transmission over a network architecture is described, which involves receiving plaintext data corresponding to the message, passing the plaintext data to a multi-tiered encryption engine, encrypting the plaintext data according to a first encryption scheme to generate first ciphertext data, and then encrypting the first ciphertext data under a second encryption scheme for transmission.
Abstract: A method for preparing enciphered message transmission over a network architecture entails receiving plain text data corresponding to the message, passing the plaintext data to a multi-tiered encryption engine, encrypting the plaintext data according to a first encryption scheme to generate first ciphertext message data, and encrypting the first ciphertext message data according to a second encryption scheme to generate second ciphertext message data intended for transmission. Also provided is a cryptographic system, multi-tiered encryption/decryption engine(s) and a computerized method for enciphered message transmission.
•
TL;DR: A variation of the standard definition of chosen-ciphertext security is introduced, which is called IND-CCA3, and it is proved that IND- CCA3 is equivalent to authenticated-encryption.
Abstract: In this note we introduce a variation of the standard definition of chosen-ciphertext security, which we call IND-CCA3, and prove that IND-CCA3 is equivalent to authenticated-encryption.
••
09 Aug 2004
TL;DR: This paper compares the two adversarial models for on-line encryption schemes and shows that for probabilistic schemes security is not preserved, in contrast to deterministic schemes, for which the two models are proved polynomially equivalent in the number of encrypted blocks.
Abstract: This paper formalizes the security adversarial games for on-line symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. On-line encryption schemes allow encrypting messages even if the whole message is not known at the beginning of the encryption. The newly introduced adversaries better capture the on-line properties than classical ones. Indeed, in the new model, the adversaries are allowed to send messages block-by-block to the encryption machine and receive the corresponding ciphertext blocks on-the-fly. This kind of attacker is called a blockwise adversary and is stronger than the standard one, which treats messages as atomic objects.
In this paper, we compare the two adversarial models for on-line encryption schemes. For probabilistic encryption schemes, we show that security is not preserved, in contrast to deterministic schemes. We prove in the appendix of the full version that in this last case, the two models are polynomially equivalent in the number of encrypted blocks. Moreover, in the blockwise model, a polynomial number of concurrent accesses to encryption oracles have to be taken into account. This leads to the strongest security notion in this setting. Furthermore, we show that this notion is valid by exhibiting a scheme secure under this security notion.
••
01 Mar 2004
TL;DR: A cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem, published at Eurocrypt 2003 by Augot and Finiasz, was described in this paper.
Abstract: We describe a cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem, published at Eurocrypt 2003 by Augot and Finiasz. Given the public-key and a ciphertext, we recover the corresponding plaintext in polynomial time. Our technique is a variant of the Berlekamp-Welch algorithm. We also describe a cryptanalysis of the reparation published by the authors on the IACR eprint archive, using a variant of the previous attack. Both attacks are practical as given the public-key and a ciphertext, one recovers the plaintext in a few minutes on a single PC.
•
01 Jan 2004
TL;DR: In this article, the authors demonstrate that this particular algorithm is vulnerable to a known-plaintext attack, and hence its use should be carefully considered, and discuss modifications that can make the algorithm resistant to their attack.
Abstract: One of the approaches to deliver real-time video encryption is to apply permutations to the bytes within a frame of a fully encoded MPEG stream as presented in [2]. We demonstrate that this particular algorithm is vulnerable to a known-plaintext attack, and hence its use should be carefully considered. We also discuss modifications that can make the algorithm resistant to our attack.
••
TL;DR: A block encryption algorithm is proposed in which each encryption key value is applied to each round block with a different value; it needs a short processing time for encryption and decryption, has high strength, and can be applied to electronic commerce and various data-protection applications.
•
04 Feb 2004
TL;DR: A method of designing an optimum encryption algorithm and an optimized encryption apparatus are described, in which a first plaintext of length 2n is encrypted under an encryption code of length 4n from a key scheduler into a first ciphertext, which is then encrypted with a second plaintext of length m into a second ciphertext that is stored in memory.
Abstract: A method of designing an optimum encryption algorithm and an optimized encryption apparatus are disclosed. In the encryption apparatus, a function block produces a first ciphertext of length 2n by encrypting a first plaintext of length 2n with an encryption code of length 4n generated from a key scheduler, and a second ciphertext of length m by encrypting the first ciphertext with a second plaintext of length m under the control of a controller. A memory stores the second ciphertext.
••
13 Jul 2004
TL;DR: A formalism for unconditionally secure single sender single receiver encryption under strong attacks is developed, and bounds on the keysize for systems secure under the various security notions are given.
Abstract: We develop a formalism for unconditionally secure single sender single receiver encryption under strong attacks. We consider coping with adversarial goals assuring secrecy and non–malleability, combined with adversarial power similar to those used in computationally secure systems: ciphertext only, chosen plaintext, and chosen ciphertext. We relate the various security notions described, and give bounds on the keysize for systems secure under the various security notions. In addition to defining systems with perfect secrecy, à la Shannon, we consider weaker ε-secure systems.
•
26 Feb 2004
TL;DR: In this paper, a pseudo random number generator is used to generate random numbers whose length is shorter than 2N with reference to the message length N. The random numbers are generated so as to perform an encryption processing and an authentication processing.
Abstract: The random numbers are generated so as to perform an encryption processing and an authentication processing, thereby accomplishing an in-advance computation and a parallel computation. Also, the encryption processing and the authentication processing are performed, using the generated random numbers whose length is shorter than 2N with reference to the message length N. Concretely, the random numbers are generated using a pseudo random-number generator, and the generated random numbers are divided on each block basis. Also, a plaintext is divided on each block basis as well. Next, the exclusive-OR logical sums of random-number blocks R_i (1 ≤ i ≤ N+1) and plaintext blocks P_i (1 ≤ i ≤ N) are figured out, thereby acquiring ciphertext blocks C_i (1 ≤ i ≤ N+2). Moreover, a hash function performs a key-accompanying input of the random-number blocks R_i (1 ≤ i ≤ N+1), thereby generating the message authentication code of the generated ciphertext.
•
TL;DR: This paper formally defines and analyzes the security notions of authenticated encryption in unconditional security setting, and shows that the strongest security notion is the combined notion of APS and IntC.
Abstract: In this paper, we formally define and analyze the security notions of authenticated encryption in the unconditional security setting. For confidentiality, we define the notions APS (almost perfect secrecy) and NM (non-malleability) from an information-theoretic viewpoint, in our model where multiple senders and receivers exist. For authenticity, we define the notions IntC (integrity of ciphertexts) and IntP (integrity of plaintexts) from the viewpoint of information theory. We then combine the above notions to define the security notions of unconditionally secure authenticated encryption, and analyze the relations among them. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, if a given encryption meets APS and a given signature is secure.
Key words: unconditional security, encryption, authenticated encryption, signcryption
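The composition results above, and the IND-CCA3 note earlier on this page that equates chosen-ciphertext security with authenticated encryption, as an added example that is not part of either paper: the two compositions are built from the same randomized stream encryption and a MAC (a MAC takes the place of the signature, and the primitives are computational rather than unconditional, so this is the generic-composition shape, not the papers' information-theoretic setting). Encrypt-and-MAC tags the plaintext, so two encryptions of the same message carry identical tags and an eavesdropper learns that the messages are equal; Encrypt-then-MAC tags the ciphertext and rejects any modified ciphertext before decrypting, which is the integrity-of-ciphertexts property. The HMAC-SHA256 counter-mode keystream and the keys and messages are constructed for the example.

```python
import hmac
import hashlib
import os

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream: HMAC-SHA256 in counter mode stands in for a cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, msg: bytes) -> bytes:
    """Randomized encryption: fresh nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))


def stream_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Encrypt-and-Sign shape: the tag is a function of the plaintext alone.
def eam_encrypt(ke: bytes, km: bytes, msg: bytes):
    return stream_encrypt(ke, msg), mac(km, msg)


def eam_leaks_equality(ke: bytes, km: bytes, msg: bytes) -> bool:
    """Two encryptions of one message: ciphertexts differ (fresh nonces) but the
    plaintext tags coincide, so equality of messages is visible on the wire."""
    (c1, t1), (c2, t2) = eam_encrypt(ke, km, msg), eam_encrypt(ke, km, msg)
    return c1 != c2 and t1 == t2


# Encrypt-then-Sign shape: the tag covers the ciphertext; verify before decrypting.
def etm_encrypt(ke: bytes, km: bytes, msg: bytes) -> bytes:
    ct = stream_encrypt(ke, msg)
    return ct + mac(km, ct)


def etm_decrypt(ke: bytes, km: bytes, blob: bytes):
    """Returns the plaintext, or None for any ciphertext the sender did not produce
    (integrity of ciphertexts). Constant-time compare avoids a timing side channel."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(km, ct)):
        return None
    return stream_decrypt(ke, ct)


def etm_rejects_bit_flip(ke: bytes, km: bytes, msg: bytes) -> bool:
    """Flipping one bit of the ciphertext body must make decryption fail closed."""
    blob = bytearray(etm_encrypt(ke, km, msg))
    blob[NONCE_LEN] ^= 0x01
    return etm_decrypt(ke, km, bytes(blob)) is None


def etm_hides_equality(ke: bytes, km: bytes, msg: bytes) -> bool:
    """Under Encrypt-then-MAC the tags of two encryptions of one message differ too,
    because they are computed over distinct randomized ciphertexts."""
    b1, b2 = etm_encrypt(ke, km, msg), etm_encrypt(ke, km, msg)
    return b1[-TAG_LEN:] != b2[-TAG_LEN:]
```

Separate keys for encryption and MAC are used deliberately; reusing one key across two primitives is a second, unrelated way such compositions fail.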
•
TL;DR: In this paper, the existing MPEG video encryption algorithms are classified into four types according to the relationship between the encryption process and the compression process, and each is evaluated from four aspects: security, compression ratio, computing complexity and operationality.
Abstract: Video encryption is a suitable method to protect video data. In this paper, the existing MPEG video encryption algorithms are classified into four types according to the relationship between the encryption process and the compression process. They are the complete encryption algorithm, partial encryption algorithm, DCT coefficient encryption algorithm and entropy encoding encryption algorithm. Each of them is evaluated from four aspects: security, compression ratio, computing complexity and operationality. Theoretical analyses and experimental results are presented to compare these algorithms, and their application fields are given, which are consistent with their properties. According to the development direction of video applications, encryption algorithms combined with the encoding process will be studied in depth in the future, such as the DCT coefficient encryption algorithm, the entropy encoding encryption algorithm, or novel algorithms combined with error correcting codes and so on.
••
TL;DR: These techniques—encryption, decryption and digital signature—are integrated in a new authenticated encryption scheme based on the elliptic curve cryptosystem, to achieve the confidentiality and authenticity of information.
•
TL;DR: It is concluded that Micciancio's cryptosystem can be securely used only in lattice dimensions ≥ 782, that it requires key sizes of 1 MByte and more, and that the key generation as well as the decryption take unacceptably long.
Abstract: We report experiments on the security of the GGH-like cryptosystem proposed by Micciancio. Based on these experiments, we conclude that the system can be securely used only in lattice dimensions ≥ 782. Further experiments on the efficiency of the system show that it requires key sizes of 1 MByte and more and that the key generation as well as the decryption take unacceptably long. Therefore, Micciancio's cryptosystem seems currently far from being practical.
••
23 May 2004
TL;DR: In this article, the authors propose a public-key encryption algorithm based on torus automorphisms, which is secure, practical, and can be used for both encryption and digital signature.
Abstract: We propose a public-key encryption algorithm based on torus automorphisms, which is secure, practical, and can be used for both encryption and digital signature. Software implementation and properties of the algorithm are discussed in detail. We show that our algorithm is as secure as the RSA algorithm. In this paper we have generalized the RSA algorithm by replacing powers with matrix powers, choosing the matrix to be one which defines a two-torus automorphism, an example of a strongly chaotic system.