On All - or - Nothing Transforms and Password - AuthenticatedKey

This thesis provides a formal analysis of two kinds of cryptographic objects that used to be treated with much less rigor: All-or-Nothing Transforms (AONTs) and Password-Authenticated Key Exchange protocols. For both, novel formal deenitions of security are given, and then practical and eecient constructions are proven secure. The constructions for password-authenticated key exchange are novel, and the AONT construction is an application of an existing scheme to a new area. AONTs have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and eeciency of encryption. We give several strong formal deenitions of security for AONTs. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisses these deenitions (in the random oracle model). This is the rst construction of an AONT that has been proven secure in the strong sense. We also show that no AONT can achieve substantially better security than OAEP. The second part of this thesis is about password-authenticated key exchange protocols. We present a new protocol called PAK which is the rst such Diie-Hellman-based protocol to provide a formal proof of security (in the random oracle model) against active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more eecient protocol called PPK that is provably secure in the implicit-authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a veriier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.