Algorithm Substitution Attacks: State Reset Detection and Asymmetric Modifications
2021
IACR Transactions on Symmetric Cryptology
In this paper, we study algorithm substitution attacks (ASAs), where an algorithm in a cryptographic scheme is substituted for a subverted version. ...
Suppose that PKE is a δ-correct public-key encryption scheme. Let n be the total number of ciphertexts intercepted by the subverter. ...
A signature is subverted by making the randomness used in a signature dependent on the randomness used in the previous signature, in a way that can be reverse-engineered by the subverter. ...
doi:10.46586/tosc.v2021.i2.389-422
fatcat:3p5txsxlgrfr3a3cbsnc36vkym
Substitution Attacks against Message Authentication
2019
IACR Transactions on Symmetric Cryptology
While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols. ...
As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly ...
Note that the Vfy oracle in UDT and the Tag oracle in UDV are redundant. Effects of Subversion on Correctness and Unforgeability. ...
doi:10.13154/tosc.v2019.i3.152-168
dblp:journals/tosc/ArmourP19
fatcat:4dxyuijnz5fkdlyv3journqvka
Substitution Attacks against Message Authentication
2019
IACR Transactions on Symmetric Cryptology
While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols. ...
As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly ...
Note that the Vfy oracle in UDT and the Tag oracle in UDV are redundant. Effects of Subversion on Correctness and Unforgeability. ...
doi:10.46586/tosc.v2019.i3.152-168
fatcat:2rf3eunfebgivbl6png52jcz3y
Subverting Decryption in AEAD
2020
Zenodo
Previous work posited that a particular class of AEAD scheme (satisfying certain correctness and uniqueness properties) is resilient against subversion. ...
An ASA replaces an encryption scheme with a subverted version that aims to reveal information to an adversary engaged in mass surveillance, while remaining undetected by users. ...
The members of this class are deterministic and satisfy certain technical correctness and uniqueness properties.
See Appendix A for definitions of pseudo-random functions and permutations. ...
doi:10.5281/zenodo.3951943
fatcat:ecqgag7y2rhqpk42bk2u27tpem
A More Cautious Approach to Security Against Mass Surveillance
[chapter]
2015
Lecture Notes in Computer Science
The subverted encryption algorithm E may be randomized, stateful, or both. ...
For instance BPR use this to show that any randomized encryption scheme can be subverted in an undetectable manner. ...
The class of games that we consider here correspond to those that have black-box access to the encryption procedure with respect to a random unknown key. ...
doi:10.1007/978-3-662-48116-5_28
fatcat:dzxl6vs3rjalxbvxlsxnfjj3zu
Subversion-Resilient Signature Schemes
2015
Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15
Correctness of a signature scheme says that verifying honestly generated signatures always works (with overwhelming probability over the randomness of all involved algorithms). ...
For each chosen subversion in the class, the adversary can access an oracle that answers (polynomially many) signature queries using the subverted signature algorithm. ...
if both signatures match then with a high probability the target oracle is the real signing oracle. ...
doi:10.1145/2810103.2813635
dblp:conf/ccs/AtenieseMV15
fatcat:rzrzfdsncjairgvhf5shlkugqq
On the Security of Symmetric Encryption Against Mass Surveillance
2020
IEEE Access
Here, the oracle Enc invokes Ẽ described in Fig. 4 or E described in Definition 4, when the random bit b is 0 or 1. ...
A random bit b and subversion key K are first sampled. SD then has access to the encryption oracle Enc. Upon receiving (K, M), the oracle Enc produces (C, σ) either via E (b = 1) or via Ẽ (b = 0). ...
doi:10.1109/access.2020.3025848
fatcat:hquck6yddbc5rmllfolrjrk7p4
Security of Symmetric Encryption against Mass Surveillance
[chapter]
2014
Lecture Notes in Computer Science
The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not. ...
The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. ...
Correctness. ...
doi:10.1007/978-3-662-44371-2_1
fatcat:k7wqqsx3mffyvkooo7ttgoairy
Mass-surveillance without the State
2015
Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15
First, while prior attacks only broke a sub-class of randomized schemes having a property called coin injectivity, our attacks break all randomized schemes. ...
The April 2017 update of this paper corrects that error. ...
In both, (v_c, t_c) is picked at random. However, in I_2, if it turns out that c was already seen, then the game corrects, resetting (v_c, t_c) to its prior value. ...
doi:10.1145/2810103.2813681
dblp:conf/ccs/BellareJK15
fatcat:jjkpgu7zdngvzdana2st7cavti
Cliptography: Clipping the Power of Kleptographic Attacks
[chapter]
2016
Lecture Notes in Computer Science
Remarkably, crippling subliminal theft is possible even if the subverted cryptosystem produces output indistinguishable from a secure "reference implementation." ...
This notably contrasts with previous results of Dodis, Ganesh, Golovnev, Juels, and Ristenpart [Eurocrypt '15], which require an honestly generated random key. ...
Assume a hash function h_SPEC is modeled as a random oracle, and h is a (potentially subverted) implementation. ...
doi:10.1007/978-3-662-53890-6_2
fatcat:mu5echv27fgthjgwgzbpk4wmwi
Security of Linear Secret-Sharing Schemes Against Mass Surveillance
[chapter]
2015
Lecture Notes in Computer Science
The subverted scheme is correct. Since S is a valid vector of shares, reconstruction and privacy hold from construction. Theorem 3. Let Π = (Sh, Rec) be a LSSS with γ − l ≥ 2 (this assures t ≥ 2). ...
The advantage of B to detect an ASA is defined as: Remark 2. The inequality γ > l always holds from the correctness of reconstruction and the usage of randomness (d > 0). For the rest of the paper, ...
We construct Π* = (Sh*, Rec*) multi-input LSSS that cannot be subverted without violating detectability. Let PRG be a pseudo-random generator that maps a seed in F to an element in F^d. Proof. ...
doi:10.1007/978-3-319-26823-1_4
fatcat:dmj2a2t4w5dt7ekk2kevsldzx4
Hidden credential retrieval from a reusable password
2009
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security - ASIACCS '09
We also quantify the concrete security of our approach in terms of online and offline password guesses made by outsiders and insiders, in the random-oracle model. ...
Both constructions can be proven secure in the random-oracle model from suitable complexity assumptions. ...
Let then H : {0, 1}^n → G^× be a cryptographic hash function, which is to be viewed as a random oracle. ...
doi:10.1145/1533057.1533089
dblp:conf/ccs/Boyen09
fatcat:kuke57bvmfas5dllbizrjw2gqq
Sonic
2019
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS '19
in the quantum random oracle model [21] remains an open problem. ...
Schemes that use these techniques [2, 9, 23] are typically made non-interactive in the random oracle model, as opposed to the quantum random oracle model, and designing efficient zero-knowledge protocols ...
doi:10.1145/3319535.3339817
dblp:conf/ccs/MallerBKM19
fatcat:7lgvfqmkwjb4dbhlpua4qg5k5y
Message-Locked Encryption for Lock-Dependent Messages
[chapter]
2013
Lecture Notes in Computer Science
We design a fully randomized scheme that supports an equality-testing algorithm defined on the ciphertexts. ...
Definition 4.1 (Real-or-random encryption oracle). ...
The functions will be modeled in the proof of security as random oracles. RO is used to break circularity and FS denotes the random oracle required to implement Fiat-Shamir. ...
doi:10.1007/978-3-642-40041-4_21
fatcat:pfjow4homfeonjpk22nirffx5u
Fundamental problems in provable security and cryptography
2006
Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences
We also present a new approach to one of the more controversial aspects of provable security: the random oracle model. ...
This interpretation of the random oracle model is correct up to a point. ...
queries are correct. ...
doi:10.1098/rsta.2006.1895
pmid:17090456
fatcat:kbia7avak5dvpl5tgh7h66eosu