Results 1 - 10 of 77
Number-theoretic constructions of efficient pseudorandom functions. In 38th Annual Symposium on Foundations of Computer Science, 1997
Sequences of Games: A Tool for Taming Complexity in Security Proofs, 2004
Cited by 114 (0 self)
This paper is a brief tutorial on a technique for structuring security proofs as sequences of games.
Towards sound approaches to counteract power-analysis attacks, 1999
Cited by 92 (0 self)
Abstract. Side channel cryptanalysis techniques, such as the analysis of instantaneous power consumption, have been extremely effective in attacking implementations on simple hardware platforms. There are several proposed solutions to resist these attacks, most of which are ad-hoc and can easily be rendered ineffective. A scientific approach is to create a model for the physical characteristics of the device, and then design implementations provably secure in that model, i.e., they resist generic attacks with an a priori bound on the number of experiments. We propose an abstract model which approximates power consumption in most devices and in particular small single-chip devices. Using this, we propose a generic technique to create provably resistant implementations for devices where the power model has reasonable properties, and a source of randomness exists. We prove a lower bound on the number of experiments required to mount statistical attacks on devices whose physical characteristics satisfy reasonable properties.
A tweakable enciphering mode. LNCS, 2003
Cited by 66 (5 self)
Abstract. We describe a blockcipher mode of operation, CMC, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of a tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, in-place, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other non-trivial operation beyond the blockcipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the non-malleability of these objects.
Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography
Cited by 62 (24 self)
We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation F_K based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (e.g. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (e.g. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.
Privacy Preserving Keyword Searches on Remote Encrypted Data, 2004
Cited by 61 (0 self)
We consider the following problem: a user wants to store his files in an encrypted form on a remote file server S.
On cryptographic assumptions and challenges. In Proceedings of IACR CRYPTO, 2003
Cited by 50 (2 self)
Abstract. We deal with computational assumptions needed in order to design secure cryptographic schemes. We suggest a classification of such assumptions based on the complexity of falsifying them (in case they happen not to be true) by creating a challenge (competition) to their validity. As an outcome of this classification we propose several open problems regarding cryptographic tasks that currently do not have a good challenge of that sort. The most outstanding one is the design of efficient block ciphers.

1 The Main Dilemma. Alice and Bob are veteran cryptographers (see Diffie [15] for their history; apparently RSA [38] is their first cooperation). One day, while Bob is sitting in his office his colleague Alice enters and says: "I have designed a new signature scheme. It has a 120-bit-long public key and the signatures are 160 bits long". That's fascinating, says Bob, but what computational assumption is it based on? Well, says Alice, it is based on a new trapdoor permutation f_k and a new hash function h and the assumption that after given f_k (but not the trapdoor information) and many pairs of the form (m_i, f^{-1}
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions, 1995
Cited by 42 (10 self)
A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions such as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudorandom functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudorandom functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
Hardness of learning halfspaces with noise. In Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science, 2006
Cited by 33 (3 self)
Learning an unknown halfspace (also called a perceptron) from labeled examples is one of the classic problems in machine learning. In the noise-free case, when a halfspace consistent with all the training examples exists, the problem can be solved in polynomial time using linear programming. However, under the promise that a halfspace consistent with a fraction (1 − ε) of the examples exists (for some small constant ε > 0), it was not known how to efficiently find a halfspace that is correct on even 51% of the examples. Nor was a hardness result that ruled out getting agreement on more than 99.9% of the examples known. In this work, we close this gap in our understanding, and prove that even a tiny amount of worst-case noise makes the problem of learning halfspaces intractable in a strong sense. Specifically, for arbitrary ε, δ > 0, we prove that given a set of example-label pairs from the hypercube a fraction (1 − ε) of which can be explained by a halfspace, it is NP-hard to find a halfspace that correctly labels a fraction (1/2 + δ) of the examples. The hardness result is tight since it is trivial to get agreement on 1/2 the examples. In learning theory parlance, we prove that weak proper agnostic learning of halfspaces is hard. This settles a question that was raised by Blum et al. in their work on learning halfspaces in the presence of random classification noise [10], and in some more recent works as well. Along the way, we also obtain a strong hardness result for another basic computational problem: solving a linear system over the rationals.
Ciphers with Arbitrary Finite Domains, 2002
Cited by 33 (7 self)
Abstract. We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k − 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.