Robust Key-Evolving Public Key Encryption Schemes

Tzeng, Wen-Guey; Tzeng, Zhi-Jia

doi:10.1007/3-540-36159-6_6

Cited by 11 publications

(12 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…. , i t at the outset of the protocol (which is the model of [36,30,2]). For example, it is easy to see that we no longer lose the factor t in the security of our reduction in Theorem 2.…”

Section: Theorem 1 ([18 29 24]) For Any N and T One Can Ef£cientlmentioning

confidence: 99%

“…However, [21] does not present any formal de£nitions, nor does it present schemes which are provably secure. Recently and concurrently with our work, other attempts at formalizing key-insulated public-key encryption have been made [36,30]. However, these works consider only a non-adaptive adversary who chooses which time periods to expose at the outset of the protocol, whereas we consider the more natural and realistic case of an adaptive adversary who may choose which time periods to expose at any point during protocol execution.…”

Section: Introductionmentioning

confidence: 99%

“…However, these works consider only a non-adaptive adversary who chooses which time periods to expose at the outset of the protocol, whereas we consider the more natural and realistic case of an adaptive adversary who may choose which time periods to expose at any point during protocol execution. Furthermore, the solution of [36] for achieving chosen-ciphertext security is proven secure in the random oracle model; our construction of Section 5 is proven secure against chosen-ciphertext attacks in the standard model ( [30] does not address chosen-ciphertext security at all). Finally, our de£nition of security is stronger than that considered in [36,30].…”

Section: Introductionmentioning

confidence: 99%

“…Furthermore, the solution of [36] for achieving chosen-ciphertext security is proven secure in the random oracle model; our construction of Section 5 is proven secure against chosen-ciphertext attacks in the standard model ( [30] does not address chosen-ciphertext security at all). Finally, our de£nition of security is stronger than that considered in [36,30]. Neither work considers the case of an untrusted, physicallysecure device.…”

Section: Introductionmentioning

confidence: 99%

“…It is important to note that, in running the experiment, we can answer all of A's key exposure requests correctly since all secret keys are known. Thus, in contrast to [36,30], we may handle an adaptive adversary who chooses when to make key exposure requests based on all information seen during the experiment.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Key-Insulated Public Key Cryptosystems

Dodis

Katz

et al. 2002

Lecture Notes in Computer Science

279

213

View full text Add to dashboard Cite

Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure -but computationally-limiteddevice which stores a "master key". All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N )-keyinsulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device.We focus primarily on key-insulated public-key encryption. We construct a (t, N )-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more ef£cient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.

show abstract

“…. , i t at the outset of the protocol (which is the model of [36,30,2]). For example, it is easy to see that we no longer lose the factor t in the security of our reduction in Theorem 2.…”

Section: Theorem 1 ([18 29 24]) For Any N and T One Can Ef£cientlmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

Key-Insulated Public Key Cryptosystems

Dodis

Katz

et al. 2002

Lecture Notes in Computer Science

279

213

View full text Add to dashboard Cite

show abstract

Strong Key-Insulated Signature Schemes

Dodis

Katz

et al. 2002

Lecture Notes in Computer Science

179

166

View full text Add to dashboard Cite

Abstract. Signature computation is frequently performed on insecure devices -e.g., mobile phones -operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t, N )-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N −t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N − 1, N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t, N )-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N − 1, N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

show abstract

Secure Key-Evolving Protocols for Discrete Logarithm Schemes

Shieh

2002

Topics in Cryptology — CT-RSA 2002

View full text Add to dashboard Cite

Robust Key-Evolving Public Key Encryption Schemes

Cited by 11 publications

References 13 publications

Key-Insulated Public Key Cryptosystems

Key-Insulated Public Key Cryptosystems

Strong Key-Insulated Signature Schemes

Secure Key-Evolving Protocols for Discrete Logarithm Schemes

Contact Info

Product

Resources

About