Results 1  10
of
26
A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks
, 1995
"... We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a ..."
Abstract

Cited by 940 (43 self)
 Add to MetaCart
We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) can not later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosenmessage attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "clawfree" pair of permutations  a potentially weaker assumption than the intractibility of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
On the Construction of VariableInputLength Ciphers
 In Fast Software Encryption
, 1998
"... We invesitgate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths. In particular, lengths not necessarily a multiple of some block length. (By a "cipher" we mean a keyindexed family of lengthpreserving permutations, with a "good" c ..."
Abstract

Cited by 23 (7 self)
 Add to MetaCart
We invesitgate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths. In particular, lengths not necessarily a multiple of some block length. (By a "cipher" we mean a keyindexed family of lengthpreserving permutations, with a "good" cipher being one that resembles a family of random lengthpreserving permutations.) Oddly enough, this question seems not to have been investiaged. We show how to construct variableinput length ciphers starting from any block cipher (ie, a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provablesecurity sense of contemporary cryptography. Variableinputlength ciphers can be used to encrypt in the presence of the constraint that the ciphertex...
An Application of a Fast Data Encryption Standard Implementation
 Computing Systems
, 1988
"... ABSTRACT: The Data Encryption Standard is used as the basis for the UNIX password encryption scheme. Some of the security of that scheme depends on the speed of the implementation. This paper presents a mathematical formulation of a fast implementation of the DES in software, discusses how the mathe ..."
Abstract

Cited by 21 (5 self)
 Add to MetaCart
(Show Context)
ABSTRACT: The Data Encryption Standard is used as the basis for the UNIX password encryption scheme. Some of the security of that scheme depends on the speed of the implementation. This paper presents a mathematical formulation of a fast implementation of the DES in software, discusses how the mathematics can be translated into code, and then analyzes the UNIX password scheme to show how these results can be used to implement it. Experimental results are provided for several computers to show that the given method speeds up the computation of a password by roughly 20 times (depending on the specifrc computer).
Key Scheduling in DES Type Cryptosystems
 in Advances in Cryptology: Auscrypt '90 (Lecture Notes in Computer Science
, 1990
"... This paper reviews some possible design criteria for the key schedule in a DES style cryptosystem. The key schedule involves a Key Rotation component, and the permutation PC2. Together these provide for a diffusion of dependency ofciphertext bits on key bits. Some empirical rules which seem to accou ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
(Show Context)
This paper reviews some possible design criteria for the key schedule in a DES style cryptosystem. The key schedule involves a Key Rotation component, and the permutation PC2. Together these provide for a diffusion of dependency ofciphertext bits on key bits. Some empirical rules which seem to account for the derivation of the key schedule used in the DES are first presented. Anumber of trials were run with various key schedules, and some further design rules were derived. An alternative form of key schedule was then tested. This used either a null PC2, or one in which permutations only occurred within the inputs to a given Sbox, and a much larger rotation schedule than used in the DES. This was found to be as effective as the key schedule used in the current DES, and is proposed for use in new cryptosystems. 1.
A Proposed Design For An Extended DES
, 1999
"... The Data Encryption standard (DES) has achieved wide utilization, especially in the financial industry. Whilst DES is a standard, the design criteria used in its development have been classified by the US government. This paper reviews what is known about the design criteria for the Sboxes, Pboxes ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
The Data Encryption standard (DES) has achieved wide utilization, especially in the financial industry. Whilst DES is a standard, the design criteria used in its development have been classified by the US government. This paper reviews what is known about the design criteria for the Sboxes, Pboxes, and key scheduling in the current DES. It then indicates how this information could be used to design an extended scheme with a double length key. There are two main objectives indoing this. One is because of increasing doubts about the ability of DES to withstand an attack based on exhaustive keyspace searches, using specialized hardware. The other is to develop an encryption scheme for which the design rules used are known, and hence open to analysis and criticism. 1.
How to Enrich the Message Space of a Cipher
 Fast Software Encryption – FSE ’07, LNCS
, 2007
"... Abstract. Given (deterministic) ciphers E and E that can encipher messages of l and n bits, respectively, we construct a cipher E ∗ = XLS[E, E] that can encipher messages of l+ s bits for any s < n. Enciphering such a string will take one call to E and two calls to E. We prove that E ∗ is a str ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Given (deterministic) ciphers E and E that can encipher messages of l and n bits, respectively, we construct a cipher E ∗ = XLS[E, E] that can encipher messages of l+ s bits for any s < n. Enciphering such a string will take one call to E and two calls to E. We prove that E ∗ is a strong pseudorandom permutation as long as E and E are. Our construction works even in the tweakable and VIL (variableinputlength) settings. It makes use of a multipermutation (a pair of orthogonal Latin squares), a combinatorial object not previously used to get a provablesecurity result.
On the Design of Permutation P in DES Type Cryptosystems
 Advances in Cryptology: Proceedings of EUROCRYPT ’89
, 1990
"... This paper reviews some possible design criteria for the permutation P in a DES style cryptosystem. These permutations provide the diffusion component in a substitutionpermutation network. Some empirical rules which seem to account for the derivation of the permutation used in the DES are first pre ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
(Show Context)
This paper reviews some possible design criteria for the permutation P in a DES style cryptosystem. These permutations provide the diffusion component in a substitutionpermutation network. Some empirical rules which seem to account for the derivation of the permutation used in the DES are first presented. Then it is noted that these permutations may be regarded as latinsquares which link the outputs of Sboxes to their inputs at the next stage. A subset of these with an extremely regular structure, and which perform well in a dependency analysis are then presented and suggested for use in future schemes of both current and extended versions of the DES. 1.
Online Ciphers from Tweakable Blockciphers
"... Abstract. Online ciphers are deterministic lengthpreserving permutations EK: ({0, 1} n) + → ({0, 1} n) + where the ith block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Online ciphers are deterministic lengthpreserving permutations EK: ({0, 1} n) + → ({0, 1} n) + where the ith block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen, and Namprempre. We simplify and generalize their work, showing that online ciphers are rather trivially constructed from tweakable blockciphers, a notion of Liskov, Rivest, and Wagner. We go on to show how to define and achieve online ciphers for settings in which messages need not be a multiple of n bits. Key words: Online ciphers, modes of operation, provable security, symmetric encryption, tweakable blockciphers. 1
The Security of Ciphertext Stealing
"... Abstract. We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly c ..."
Abstract

Cited by 3 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosenplaintext attacks, indistinguishability from random bits (ind$security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwiseadaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas’s wellknown book (1982) is not secure.
New Integrated proof method on Iterated Hash Structure and New Structures
, 2006
"... A secure hash structure in Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on security proof of iterated hash structure. Based on the proof method, we can distinguish the security of MerkelDamagård structure, widepipe hash, doublepi ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
A secure hash structure in Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on security proof of iterated hash structure. Based on the proof method, we can distinguish the security of MerkelDamagård structure, widepipe hash, doublepipe hash and 3c hash and know the requirement of true design on compression function, and give a new recommend structure. At last, we give new hash structure, MAC structure, encryption model, which use same block cipher round function and key schedule algorithm, the security proofs on those structures are given.