On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC

  • Authors:
  • Marc Joye, Jean-Jacques Quisquater, Moti Yung

  • Venue:
  • CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
  • Year:
  • 2001

Abstract

Nowadays, since modern cryptography deals with careful modeling and careful proofs, there may be two levels of cryptanalysis. The first is the traditional breaking or weakness demonstration in schemes which are not provably secure. The second level of cryptanalysis, geared towards provably secure schemes, has to do with refining models and showing that a model was either insufficient or somewhat unclear and vague when used in proving systems secure. The best techniques to perform this second type of investigation are still traditional cryptanalysis followed by corrections. In this work, we put forth the second type of cryptanalysis.

We demonstrate that in some of the recent works modeling chosen-ciphertext security (non-malleability), the notion of validity of a ciphertext was left vague. This led to systems which, under the model as defined and understood, were shown provably secure. Yet, under another (natural) behavior of the adversary, the "provably secure system" is totally broken, since a key recovery attack is made possible. We show that this behavior of an adversary is possible and, further, that there are settings (the context of escrowed public key cryptosystems) where it is even highly relevant.

We mount the attack against systems which are chosen-ciphertext secure and non-malleable (assuming the adversary probes with valid messages), yet are "universally" insecure against this attack: namely, the trapdoor key becomes known to the adversary (as in Rabin's system under chosen ciphertext attacks). Specifically, the attack works against EPOC, which has been considered for standardization by IEEE P1363 (the authors have already been informed of the attack and of our fix to it, and will consider this issue in future works). This re-emphasizes that when proving chosen-ciphertext security, allowing invalid ciphertext probes increases the adversary's power and should be considered as part of the model and in proofs.