Linguistic Replacement in the Movies

Bleichenbacher, Lukas

doi:10.2478/v10010-008-0008-9

Cited by 8 publications

(15 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…9 The first scheme is E k (m) = H(k) ⊕ m, where H() is a hash function with output that is the same length as m (and assumed to behave like a random oracle -see below) and where ⊕ is taken as a bit-wise exclusive OR operation. Note that this encryption scheme is inherently malleable.…”

Section: Preliminariesmentioning

confidence: 99%

“…Since the PAKE problem was introduced, it has been studied extensively, and many PAKE protocols have been proposed, e.g., [24,23,26,34,48,32]. Many of these protocols have been shown to be insecure [9,45]. More recent protocols, e.g., [3,10,1,37,51,19], have proofs of security, based on certain well-known cryptographic assumptions, in the random oracle and/or ideal cipher models.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

Gentry

MacKenzie

Ramzan

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper considers the problem of password-authenticated key exchange (PAKE) in a client-server setting, where the server authenticates using a stored password file, and it is desirable to maintain some degree of security even if the server is compromised. A PAKE scheme is said to be resilient to server compromise if an adversary who compromises the server must at least perform an offline dictionary attack to gain any advantage in impersonating a client. (Of course, offline dictionary attacks should be infeasible in the absence of server compromise.) One can see that this is the best security possible, since by definition the password file has enough information to allow one to play the role of the server, and thus to verify passwords in an offline dictionary attack. While some previous PAKE schemes have been proven resilient to server compromise, there was no known general technique to take an arbitrary PAKE scheme and make it provably resilient to server compromise. This paper presents a practical technique for doing so which requires essentially one extra round of communication and one signature computation/verification. We prove security in the universal composability framework by (1) defining a new functionality for PAKE with resilience to server compromise, (2) specifying a protocol combining this technique with a (basic) PAKE functionality, and (3) proving (in the random oracle model) that this protocol securely realizes the new functionality.

show abstract

Section: Preliminariesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

Gentry

MacKenzie

Ramzan

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Several crypt-analytical results regarding E 0 ( [1], [2], [3], [4], [5], [6], [7], [8]) have appeared over past years. We distinguish between two types of attacks:…”

Section: B Related Workmentioning

confidence: 99%

“…Bleichenbacher has shown in [1] that an attacker can guess the content of the registers of the three smaller LFSRs and of the E 0 combiner state registers with a probability of 2 −93 . Then the attacker can compute the the contents of the largest LFSR (of length 39 bit) by "reverse engineering" it from the outputs of the other LFSRs and the combiner states.…”

Section: ) Short Key Attacks: Dmentioning

confidence: 99%

“…Our attacks can be viewed as a generalization of Bleichenbacher's attack [1] and Fluhrer and Lucks attack [3]: guessing the initial states of some of the LFSRs, backtracking through the different possible states of the Combiner logic, solving sets of linear equations, and checking for consistency with the given output stream cipher. Our best attack can recover the initial state of the LFSRs after solving 2 85.38 boolean linear systems of equations, which is roughly equivalent to the results obtained by Fluhrer and Lucks.…”

Section: Contributionmentioning

confidence: 99%

See 1 more Smart Citation

Uniform Framework for Cryptanalysis of the Bluetooth E₀ Cipher

Levy

Wool

First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05)

View full text Add to dashboard Cite

Abstract-In this paper we analyze the E 0 cipher, which is the encryption system used in the Bluetooth specification. We suggest a uniform framework for cryptanalysis of the E 0 cipher. Our method requires 128 known bits of the keystream in order to recover the initial state of the LFSRs, which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of D. Bleichenbacher. In another setting, our framework is equivalent to an attack presented by Fluhrer and Lucks. Our best attack can recover the initial state of the LFSRs after solving 2 86 boolean linear systems of equations, which is roughly equivalent to the results obtained by Fluhrer and Lucks.

show abstract