Results 1-5 of 5
Extending Oblivious Transfers Efficiently
2003
Cited by 57 (1 self)
We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers "for free," can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function.
Limits on the Efficiency of One-Way Permutation-Based Hash Functions
 In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science
1999
Cited by 28 (0 self)
Naor and Yung ([NY89]) show that a one-bit compressing universal one-way hash function (UOWHF) can be constructed based on a one-way permutation. This construction can be iterated to build a UOWHF which compresses by $\varepsilon n$ bits, at the cost of $\varepsilon n$ invocations of the one-way permutation. We show that this construction is not far from optimal, in the following sense: there exists an oracle relative to which there exists a one-way permutation with inversion probability $2^{-p(n)}$ (for any $p(n) \in \omega(\log n)$), but any construction of an $\varepsilon n$-bit-compressing UOWHF requires $\Omega(\sqrt{n}/p(n))$ invocations of the one-way permutation, on average. (For example, there exists in this relativized world a one-way permutation with inversion probability $n^{-\omega(1)}$, but no UOWHF that invokes it fewer than $\Omega(\sqrt{n}/\log n)$ times.) Thus any proof that a more efficient UOWHF can be derived from a one-way permutation is necessarily non-relativizing; in particular, no provable construction...
Message Authentication Codes from Unpredictable Block Ciphers
2009
Cited by 8 (4 self)
We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the following properties, when instantiated with a block cipher f to yield a variable-length, keyed hash function H: (1) MAC Preservation. H is a secure message authentication code (MAC) with birthday security, as long as f is unpredictable. (2) PRF Preservation. H is a secure pseudorandom function (PRF) with birthday security, as long as f is pseudorandom. (3) Security against Side-Channels. As long as the block cipher f does not leak side-channel information about its internals to the attacker, properties (1) and (2) hold even if the remaining implementation of H is completely leaky. In particular, if the attacker can learn the transcript of all block cipher calls and other auxiliary information needed to implement our mode of operation. Our mode is the first to satisfy the MAC preservation property (1) with birthday security, solving the main open problem of Dodis et al. [8] from Eurocrypt 2008. Combined with the PRF preservation (2), our mode provides a hedge against the case when the block cipher f is more secure as a MAC than as a PRF: if it is false, as we hope, we get a secure variable-length PRF; however, even if true, we still “salvage” a secure MAC, which might be enough for a given application. We also remark that no prior mode of operation offered birthday security against side-channel attacks, even if the block cipher was assumed pseudorandom. Although very efficient, our mode is three times slower than many of the prior modes, such as CBC, which do not enjoy properties (1) and (3). Thus, our work motivates further research to understand the gap between unpredictability and pseudorandomness of the existing block ciphers, such as AES.
A new mode of operation for block ciphers and length-preserving MACs
 of Lecture Notes in Computer Science
2008
Cited by 5 (2 self)
Abstract. We propose a new mode of operation, enciphered CBC, for domain extension of length-preserving functions (like block ciphers), which is a variation on the popular CBC mode of operation. Our new mode is twice slower than CBC, but has many (property-preserving) properties not enjoyed by CBC and other known modes. Most notably, it yields the first constant-rate Variable Input Length (VIL) MAC from any length-preserving Fixed Input Length (FIL) MAC. This answers the question of Dodis and Puniya from Eurocrypt 2007. Further, our mode is a secure domain extender for PRFs (with basically the same security as encrypted CBC). This provides a hedge against the security of the block cipher: if the block cipher is pseudorandom, one gets a VIL-PRF, while if it is “only” unpredictable, one “at least” gets a VIL-MAC. Additionally, our mode yields a VIL random oracle (and, hence, a collision-resistant hash function) when instantiated with length-preserving random functions, or even random permutations (which can be queried from both sides). This means that one does not have to re-key the block cipher during the computation, which was critically used in most previous constructions (analyzed in the ideal cipher model).
On the Power of Nonuniformity in Proofs of Security
Nonuniform proofs of security are common in cryptography, but traditional black-box separations consider only uniform security reductions. In this paper, we initiate a formal study of the power and limits of nonuniform black-box proofs of security. We first show that a known protocol (based on the existence of one-way permutations) that uses a nonuniform proof of security, and it cannot be proven secure through a uniform security reduction. Therefore, nonuniform proofs of security are indeed provably more powerful than uniform ones. We complement this result by showing that many known black-box separations in the uniform regime actually do extend to the nonuniform regime. We prove our results by providing general techniques for extending certain types of black-box separations to handle nonuniformity.