
  1. Chapter and Conference Paper

    When Messages Are Keys: Is HMAC a Dual-PRF?

    In Internet security protocols including TLS 1.3, KEMTLS, MLS and Noise, HMAC ...

    Matilda Backendal, Mihir Bellare, Felix Günther in Advances in Cryptology – CRYPTO 2023 (2023)
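    The "dual-PRF" question above is concrete in the TLS 1.3 key schedule: HKDF-Extract is HMAC with the salt in the key slot and the secret input keying material in the message slot, so in some Extract calls the only secret HMAC sees arrives through its message input. The following is an added example (not code from the paper) that implements RFC 5869 HKDF and the first two Extract steps of RFC 8446 Section 7.1 with SHA-256, and records for each call which HMAC input carried secret material. The function names and the `secret_slots` bookkeeping are this example's own.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(key=salt, message=IKM).

    The (possibly public) salt lands in HMAC's key slot and the secret IKM
    in its message slot, i.e. HMAC is used as a PRF keyed through the
    message input: the "dual" direction the paper asks about."""
    if len(salt) == 0:
        salt = b"\x00" * HASH_LEN  # RFC 5869: absent salt = HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand; here HMAC is keyed the ordinary way, via PRK."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, Section 7.1)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """TLS 1.3 Derive-Secret: the context is Transcript-Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def derived_without_psk() -> bytes:
    """Salt of the Handshake-Secret Extract when no PSK is in use. It is
    computed from all-zero inputs, so it is a public constant."""
    return derive_secret(hkdf_extract(b"", b"\x00" * HASH_LEN), b"derived", b"")


def tls13_secrets(psk, ecdhe):
    """Early and Handshake secrets of RFC 8446 Section 7.1 (pass None for an
    absent PSK or an absent (EC)DHE share). Also returns, per Extract call,
    which HMAC inputs carried secret material."""
    zeros = b"\x00" * HASH_LEN
    early = hkdf_extract(b"", psk if psk is not None else zeros)      # salt 0, IKM = PSK
    derived = derive_secret(early, b"derived", b"")
    handshake = hkdf_extract(derived, ecdhe if ecdhe is not None else zeros)  # salt = Derived, IKM = ECDHE

    slots = {"early": [], "handshake": []}
    if psk is not None:
        slots["early"].append("message")    # PSK is the IKM: secret only in the message slot
        slots["handshake"].append("key")    # Derived inherits the PSK's secrecy and is the salt
    if ecdhe is not None:
        slots["handshake"].append("message")  # the (EC)DHE secret is the IKM
    return {"early": early, "handshake": handshake, "secret_slots": slots}
```

    In a pure (EC)DHE handshake both Extract calls that produce secrets are keyed with public values (zero, then `derived_without_psk()`), so the security of the Early and Handshake secrets rests entirely on HMAC being a PRF when keyed through its message argument.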

  2. Chapter and Conference Paper

    Hardening Signature Schemes via Derive-then-Derandomize: Stronger Security Proofs for EdDSA

    We consider a transform, called Derive-then-Derandomize, that hardens a given signature scheme against randomness failure and implementation error. We prove that it works. We then give a general lemma showing ...

    Mihir Bellare, Hannah Davis, Zijing Di in Public-Key Cryptography – PKC 2023 (2023)
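    The randomness failure that Derive-then-Derandomize is meant to survive is easiest to see on Schnorr-style signatures: two signatures that reuse a nonce on different messages reveal the signing key. The following is an added example (not the paper's code, and not its formal transform) that builds a Schnorr signature over a constructed toy group, shows key recovery from a stuck RNG in the randomized scheme, and then applies an EdDSA-like shape of the transform: derive the secret scalar and a nonce key from one hashed seed, and derive each nonce as a hash of that key and the message. The group generator, the `derive`/`sign_derandomized` layout and all names are this example's assumptions.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits: int = 62):
    """Constructed toy parameters: safe prime p = 2q + 1 and g = 4 (a square,
    so of order q). Far too small for real use; it keeps the demo offline."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = toy_group()


def h_int(*parts: bytes) -> int:
    """Hash-to-integer mod Q with length prefixes (unambiguous encoding)."""
    h = hashlib.sha512()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def derive(seed: bytes):
    """Derive step (EdDSA-like shape, assumed here): one hash of the seed
    yields the secret scalar x and an independent nonce-derivation key."""
    digest = hashlib.sha512(seed).digest()
    return int.from_bytes(digest[:32], "big") % Q, digest[32:]


def pubkey(x: int) -> int:
    return pow(G, x, P)


def enc(n: int) -> bytes:
    return n.to_bytes(8, "big")  # P < 2**64, so 8 bytes suffice


def sign_with_nonce(x: int, r: int, msg: bytes):
    """Schnorr signature with explicit nonce r, key-prefixed challenge hash."""
    R = pow(G, r, P)
    e = h_int(enc(R), enc(pubkey(x)), msg)
    return R, (r + e * x) % Q


def sign_randomized(x: int, msg: bytes, rng=lambda: 1 + secrets.randbelow(Q - 1)):
    return sign_with_nonce(x, rng(), msg)


def sign_derandomized(seed: bytes, msg: bytes):
    """Derandomize step: nonce = H(prefix, msg), so it repeats only if msg does."""
    x, prefix = derive(seed)
    return sign_with_nonce(x, h_int(prefix, msg), msg)


def verify(pk: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = h_int(enc(R), enc(pk), msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P


def recover_key_from_nonce_reuse(pk, m1, sig1, m2, sig2):
    """Two signatures sharing R on different messages: x = (s1 - s2) / (e1 - e2) mod Q."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        return None
    e1, e2 = h_int(enc(R1), enc(pk), m1), h_int(enc(R2), enc(pk), m2)
    if (e1 - e2) % Q == 0:
        return None
    return (s1 - s2) * pow((e1 - e2) % Q, -1, Q) % Q


def demo(seed: bytes = b"constructed seed, not a real key"):
    x, _ = derive(seed)
    pk = pubkey(x)
    m1, m2 = b"pay Alice 1", b"pay Mallory 1000"
    stuck_rng = lambda: 0x12345678         # models an RNG that repeats its output
    s1, s2 = sign_randomized(x, m1, stuck_rng), sign_randomized(x, m2, stuck_rng)
    d1, d2 = sign_derandomized(seed, m1), sign_derandomized(seed, m2)
    return {
        "leaked_key_equals_x": recover_key_from_nonce_reuse(pk, m1, s1, m2, s2) == x,
        "derandomized_nonces_differ": d1[0] != d2[0],
        "derandomized_is_deterministic": d1 == sign_derandomized(seed, m1),
        "all_verify": all(verify(pk, m, s) for m, s in ((m1, s1), (m2, s2), (m1, d1), (m2, d2))),
    }
```

    All four signatures verify, but only the randomized pair leaks `x`: with the nonce bound to the message through the derived prefix, a broken RNG can no longer cause the reuse that the recovery function exploits.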

  3. Chapter and Conference Paper

    Flexible Password-Based Encryption: Securing Cloud Storage and Provably Resisting Partitioning-Oracle Attacks

    We introduce flexible password-based encryption (FPBE), an extension of traditional password-based encryption designed to meet the operational and security needs of contemporary applications like end-to-end se...

    Mihir Bellare, Laura Shea in Topics in Cryptology – CT-RSA 2023 (2023)

  4. Chapter and Conference Paper

    Efficient Schemes for Committing Authenticated Encryption

    This paper provides efficient authenticated-encryption (AE) schemes in which a ciphertext is a commitment to the key. These are extended, at minimal additional cost, to schemes where the ciphertext is a commit...

    Mihir Bellare, Viet Tung Hoang in Advances in Cryptology – EUROCRYPT 2022 (2022)

  5. Chapter and Conference Paper

    Better than Advertised Security for Non-interactive Threshold Signatures

    We give a unified syntax, and a hierarchy of definitions of security of increasing strength, for non-interactive threshold signature schemes. These are schemes having a single-round signing protocol, possibly ...

    Mihir Bellare, Elizabeth Crites, Chelsea Komlo in Advances in Cryptology – CRYPTO 2022 (2022)

  6. Chapter and Conference Paper

    Chain Reductions for Multi-signatures and the HBMS Scheme

    Existing proofs for existing Discrete Log (DL) based multi-signature schemes give only weak guarantees if the schemes are implemented, as they are in practice, in 256-bit groups. This is because the underlying...

    Mihir Bellare, Wei Dai in Advances in Cryptology – ASIACRYPT 2021 (2021)

  7. Chapter and Conference Paper

    The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures

    We introduce the Multi-Base Discrete Logarithm (MBDL) problem. We use this to give reductions, for Schnorr and Okamoto identification and signatures, that are non-rewinding and, by avoiding the notorious squ...

    Mihir Bellare, Wei Dai in Progress in Cryptology – INDOCRYPT 2020 (2020)

  8. Chapter and Conference Paper

    Incremental Cryptography Revisited: PRFs, Nonces and Modular Design

    This paper gives the first definitions and constructions for incremental pseudo-random functions (IPRFs). The syntax is nonce based. (Algorithms are deterministic but may take as input a non-repeating quantity...

    Vivek Arte, Mihir Bellare, Louiza Khati in Progress in Cryptology – INDOCRYPT 2020 (2020)

  9. Chapter and Conference Paper

    Dual-Mode NIZKs: Possibility and Impossibility Results for Property Transfer

    This paper formulates, and studies, the problem of property transference in dual-mode NIZKs. We say that a property P (such as soundness, ZK or WI) transfers, if, one of the modes having P allows us to prove t...

    Vivek Arte, Mihir Bellare in Progress in Cryptology – INDOCRYPT 2020 (2020)

  10. Chapter and Conference Paper

    Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability

    It is convenient and common for schemes in the random oracle model to assume access to multiple random oracles (ROs), leaving to implementations the task—we call it oracle cloning—of constructing them from a ...

    Mihir Bellare, Hannah Davis, Felix Günther in Advances in Cryptology – EUROCRYPT 2020 (2020)
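    Oracle cloning, as described above, is the implementation task of turning one hash function into several independent-looking random oracles. The following is an added example (not from the paper) showing the most common practitioner mistake and its fix: prefixing inputs with a raw, variable-length tag is not a valid cloning method because two different (tag, input) pairs can encode to the same byte string, whereas a fixed-width index, or more generally a prefix-free tag set, makes the encoding unique so that a collision between clones would be a collision of the underlying hash. The prefix-freeness check and all names are this example's own.

```python
import hashlib


def clone_by_ambiguous_prefix(tag: bytes, x: bytes) -> bytes:
    """H_tag(x) = H(tag || x) with a raw, variable-length tag. Unsafe: the
    concatenation does not uniquely determine (tag, x)."""
    return hashlib.sha256(tag + x).digest()


def clone_by_fixed_prefix(index: int, x: bytes) -> bytes:
    """H_i(x) = H(i || x) with a one-byte index. Every (i, x) has exactly one
    encoding, so distinct clones never see the same H input."""
    return hashlib.sha256(bytes([index]) + x).digest()


def is_prefix_free(tags) -> bool:
    """A set of variable-length tags is safe to prepend iff no tag is a
    prefix of another: then tag || x can be parsed back into (tag, x)."""
    tags = sorted(set(tags))
    return not any(tags[i + 1].startswith(tags[i]) for i in range(len(tags) - 1))


def make_oracles(tags):
    """Build one clone per tag on top of SHA-256, refusing tag sets that
    would allow cross-oracle collisions."""
    if not is_prefix_free(tags):
        raise ValueError("tag set is not prefix-free; clones would not be separated")
    return {t: (lambda x, t=t: hashlib.sha256(t + x).digest()) for t in tags}


def cross_clone_collision() -> bool:
    """H_"a"("bc") and H_"ab"("c") are the same SHA-256 call, so the two
    'oracles' agree on unrelated inputs."""
    return clone_by_ambiguous_prefix(b"a", b"bc") == clone_by_ambiguous_prefix(b"ab", b"c")


def fixed_prefix_separates() -> bool:
    """The same two inputs under fixed-width indices do not collide, and the
    clones disagree even on identical inputs."""
    return (clone_by_fixed_prefix(1, b"bc") != clone_by_fixed_prefix(2, b"c")
            and clone_by_fixed_prefix(1, b"x") != clone_by_fixed_prefix(2, b"x"))
```

    In a KEM that needs separate oracles for, say, key derivation and encryption randomness, `make_oracles((b"kdf", b"enc"))` gives two clones whose inputs can never coincide, while a tag set such as `(b"a", b"ab")` is rejected before it can silently merge the two domains.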

  11. Chapter and Conference Paper

    Security Under Message-Derived Keys: Signcryption in iMessage

    At the core of Apple’s iMessage is a signcryption scheme that involves symmetric encryption of a message under a key that is derived from the message itself. This motivates us to formalize a primitive we call ...

    Mihir Bellare, Igors Stepanovs in Advances in Cryptology – EUROCRYPT 2020 (2020)

  12. Chapter and Conference Paper

    Nonces Are Noticed: AEAD Revisited

    We draw attention to a gap between theory and usage of nonce-based symmetric encryption, under wh...

    Mihir Bellare, Ruth Ng, Björn Tackmann in Advances in Cryptology – CRYPTO 2019 (2019)

  13. Chapter and Conference Paper

    The Local Forking Lemma and Its Application to Deterministic Encryption

    We bypass impossibility results for the deterministic encryption of public-key-dependent messages, showing that, in this setting, the classical Encrypt-with-Hash scheme provides message-recovery security, acro...

    Mihir Bellare, Wei Dai, Lucy Li in Advances in Cryptology – ASIACRYPT 2019 (2019)

  14. Article

    Robust Encryption

    We provide a provable-security treatment of “robust” encryption. Robustness means it is hard to produce a ciphertext that is valid for two different users. Robustness makes explicit a property that has been im...

    Michel Abdalla, Mihir Bellare, Gregory Neven in Journal of Cryptology (2018)

  15. Chapter and Conference Paper

    Public-Key Encryption Resistant to Parameter Subversion and Its Realization from Efficiently-Embeddable Groups

    We initiate the study of public-key encryption (PKE) schemes and key-encapsulation mechanisms (KEMs) that retain security even when public parameters (primes, curves) they use may be untrusted and subverted. W...

    Benedikt Auerbach, Mihir Bellare, Eike Kiltz in Public-Key Cryptography – PKC 2018 (2018)

  16. Chapter and Conference Paper

    Forward-Security Under Continual Leakage

    Current signature and encryption schemes secure against continual leakage fail completely if the key in any time period is fully exposed. We suggest forward security as a second line of defense, so that in the...

    Mihir Bellare, Adam O’Neill, Igors Stepanovs in Cryptology and Network Security (2018)

  17. Chapter and Conference Paper

    The Fiat-Shamir Zoo: Relating the Security of Different Signature Variants

    The Fiat-Shamir paradigm encompasses many different ways of turning a given identification scheme into a signature scheme. Security proofs pertain sometimes to one variant, sometimes to another. We systematica...

    Matilda Backendal, Mihir Bellare, Jessica Sorrell, Jiahao Sun in Secure IT Systems (2018)

  18. Chapter and Conference Paper

    Deterring Certificate Subversion: Efficient Double-Authentication-Preventing Signatures

    We present highly efficient double authentication preventing signatures (DAPS). In a DAPS, signing two messages with the same first part and differing second parts reveals the signing key. In the context of PK...

    Mihir Bellare, Bertram Poettering, Douglas Stebila in Public-Key Cryptography – PKC 2017 (2017)

  19. Chapter and Conference Paper

    Ratcheted Encryption and Key Exchange: The Security of Messaging

    We aim to understand, formalize and provably achieve the goals underlying the core key-ratcheting technique of Borisov, Goldberg and Brewer, extensions of which are now used in secure messaging systems. We giv...

    Mihir Bellare, Asha Camper Singh, Joseph Jaeger in Advances in Cryptology – CRYPTO 2017 (2017)

  20. Chapter and Conference Paper

    The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3

    We initiate the study of multi-user (mu) security of authenticated encryption (AE) schemes as a way to rigorously formulate, and answer, questions about the “randomized nonce” mechanism proposed for the use of...

    Mihir Bellare, Björn Tackmann in Advances in Cryptology – CRYPTO 2016 (2016)
