Results 1  10
of
80
Pors: proofs of retrievability for large files
 In CCS ’07: Proceedings of the 14th ACM conference on Computer and communications security
, 2007
"... Abstract. In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or backup service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient fo ..."
Abstract

Cited by 254 (8 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or backup service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety. A POR may be viewed as a kind of cryptographic proof of knowledge (POK), but one specially designed to handle a large file (or bitstring) F. We explore POR protocols here in which the communication costs, number of memory accesses for the prover, and storage requirements of the user (verifier) are small parameters essentially independent of the length of F. In addition to proposing new, practical POR constructions, we explore implementation considerations and optimizations that bear on previously explored, related schemes. In a POR, unlike a POK, neither the prover nor the verifier need actually have knowledge of F. PORs give rise to a new and unusual security definition whose formulation is another contribution of our work. We view PORs as an important tool for semitrusted online archives. Existing cryptographic techniques help users ensure the privacy and integrity of files they retrieve. It is also natural, however, for users to want to verify that archives do not delete or modify files prior to retrieval. The goal of a POR is to accomplish these checks without users having to download the files themselves. A POR can also provide qualityofservice guarantees, i.e., show that a file is retrievable within a certain time bound. Key words: storage systems, storage security, proofs of retrievability, proofs of knowledge 1
Least we remember: Cold boot attacks on encryption keys
 In USENIX Security Symposium
, 2008
"... For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit ..."
Abstract

Cited by 205 (3 self)
 Add to MetaCart
(Show Context)
For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit
CodeBased GamePlaying Proofs and the Security of Triple Encryption
 Eurocrypt 2006, LNCS
"... (Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates t ..."
Abstract

Cited by 47 (9 self)
 Add to MetaCart
(Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates that for DES parameters (56bit keys and 64bit plaintexts) an adversary’s maximal advantage is small until it asks about 278 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for gameplaying proofs and discussing techniques used within such proofs. To further exercise the gameplaying framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
The Software Performance of AuthenticatedEncryption Modes
, 2011
"... We study the software performance of authenticatedencryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 c ..."
Abstract

Cited by 35 (6 self)
 Add to MetaCart
(Show Context)
We study the software performance of authenticatedencryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counterbased nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of
HCTR: A variableinputlength enciphering mode
 In Information Security and Cryptology
, 2005
"... Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a lengthpreserving encryption mode. HCTR turns an nbit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zer ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a lengthpreserving encryption mode. HCTR turns an nbit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweakable pseudorandom permutation (sprp), when the underlying blockcipher is a strong pseudorandom permutation (sprp). HCTR is shown to be a very efficient mode of operation when some precomputations are taken into consideration. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption, and other lengthpreserving encryptions, especially for the message that is not multiple of n bits.
Pseudorandom Functions and Permutations Provably Secure Against RelatedKey Attacks
, 2010
"... This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversa ..."
Abstract

Cited by 32 (5 self)
 Add to MetaCart
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversaryspecified ways. Based on the NaorReingold PRF we obtain an RKAPRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversaryspecified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, nonstandard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKAPRFs including a DLINbased one derived from the LewkoWaters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKAsecurity; it is visibly important for abuseresistant cryptography; and it helps protect against faultinjection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofsofconcept
Security under keydependent inputs
 In proceedings of the 14th ACM conference on computer and communications security (CCS
, 2007
"... In this work we revisit the question of building cryptographic primitives that remain secure even when queried on inputs that depend on the secret key. This was investigated by Black, Rogaway, and Shrimpton in the context of randomized encryption schemes and in the random oracle model. We extend th ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
(Show Context)
In this work we revisit the question of building cryptographic primitives that remain secure even when queried on inputs that depend on the secret key. This was investigated by Black, Rogaway, and Shrimpton in the context of randomized encryption schemes and in the random oracle model. We extend the investigation to deterministic symmetric schemes (such as PRFs and block ciphers) and to the standard model. We term this notion “security against keydependentinput attack”, or KDIsecurity for short. Our motivation for studying KDI security is the existence of significant realworld implementations of deterministic encryption (in the context of storage encryption) that actually rely on their building blocks to be KDI secure. We consider many natural constructions for PRFs, ciphers, tweakable ciphers and randomized encryption, and examine them with respect to their KDI security. We exhibit inherent limitations of this notion and show many natural constructions that fail to be KDI secure in the standard model, including some schemes that have been proven in the random oracle model. On the positive side, we demonstrate examples where some measure of KDI security can be provably achieved (in particular, we show such examples in the standard model). 1
McOE: A Family of Almost Foolproof OnLine Authenticated Encryption Schemes
, 2012
"... OnLine Authenticated Encryption (OAE) combines privacy with data integrity and is online computable. Most block cipherbased schemes for Authenticated Encryption can be run online and are provably secure against noncerespecting adversaries. But they fail badly for more general adversaries. Thi ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
(Show Context)
OnLine Authenticated Encryption (OAE) combines privacy with data integrity and is online computable. Most block cipherbased schemes for Authenticated Encryption can be run online and are provably secure against noncerespecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. Their disadvantage is that encryption can be performed in an offline way, only. This paper introduces a nw family of OAE schemes –called McOE – dealing both with noncerespecting and with general adversaries. Furthermore, we present three family members, i.e., McOEX, McOED, and McOEG. All of these members are based on a ’simple ’ block cipher. In contrast to all other OAE schemes known so far, they provably guarantee reasonable security against general adversaries as well as standard security against noncerespecting adversaries.
A general construction of tweakable block ciphers and different modes of operations
 IEEE Transactions on Information Theory
"... Abstract—This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring and by the use of a masking sequence of functions. The ring can be instantiated ..."
Abstract

Cited by 17 (7 self)
 Add to MetaCart
(Show Context)
Abstract—This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring and by the use of a masking sequence of functions. The ring can be instantiated as either GF or as. Further, over GF, efficient instantiations of the masking sequence of functions can be done using either a binary linear feedback shift register (LFSR); a powering construction; a cellular automata map; or by using a wordoriented LFSR. Rogaway’s TBC construction was built from the powering construction over GF. Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operations including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient onepass AE modes of operation. Out of these, the mode of operation obtained by the use of wordoriented LFSR promises to provide a masking method which is more efficient than the one used in the well known AE protocol called OCB1. Index Terms—Authenticated encryption with associated data, message authentication code, modes of operations, tweakable block cipher (TBC). I.
Robust authenticatedencryption: AEZ and the problem that it solves
, 2014
"... Abstract. With a scheme for robust authenticatedencryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that’s λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and inve ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
Abstract. With a scheme for robust authenticatedencryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that’s λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a welloptimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCBAES or CTRAES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call accelerated provable security: the scheme is designed and proven secure in the provablesecurity tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive. Keywords:AEZ, arbitraryinput blockciphers, authenticated encryption, robust AE, misuse resistance,