Number-theoretic constructions of efficient pseudorandom functions
In 38th Annual Symposium on Foundations of Computer Science
, 1997
Sequences of Games: A Tool for Taming Complexity in Security Proofs
, 2004
Cited by 114 (0 self)
This paper is a brief tutorial on a technique for structuring security proofs as sequences of games.
Towards sound approaches to counteract power-analysis attacks
, 1999
Cited by 92 (0 self)
Abstract. Side channel cryptanalysis techniques, such as the analysis of instantaneous power consumption, have been extremely effective in attacking implementations on simple hardware platforms. There are several proposed solutions to resist these attacks, most of which are ad-hoc and can easily be rendered ineffective. A scientific approach is to create a model for the physical characteristics of the device, and then design implementations provably secure in that model, i.e., they resist generic attacks with an a priori bound on the number of experiments. We propose an abstract model which approximates power consumption in most devices and in particular small single-chip devices. Using this, we propose a generic technique to create provably resistant implementations for devices where the power model has reasonable properties, and a source of randomness exists. We prove a lower bound on the number of experiments required to mount statistical attacks on devices whose physical characteristics satisfy reasonable properties.
A tweakable enciphering mode
of LNCS
, 2003
Cited by 66 (5 self)
Abstract. We describe a blockcipher mode of operation, CMC, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of a tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, in-place, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other nontrivial operation beyond the blockcipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the non-malleability of these objects.
Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography
Cited by 62 (24 self)
We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation F_K based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (e.g. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (e.g. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.
Privacy Preserving Keyword Searches on Remote Encrypted Data
, 2004
Cited by 61 (0 self)
We consider the following problem: a user wants to store his files in an encrypted form on a remote file server S.
On cryptographic assumptions and challenges
In Proceedings of IACR CRYPTO
, 2003
Cited by 50 (2 self)
Abstract. We deal with computational assumptions needed in order to design secure cryptographic schemes. We suggest a classification of such assumptions based on the complexity of falsifying them (in case they happen not to be true) by creating a challenge (competition) to their validity. As an outcome of this classification we propose several open problems regarding cryptographic tasks that currently do not have a good challenge of that sort. The most outstanding one is the design of efficient block ciphers. 1 The Main Dilemma Alice and Bob are veteran cryptographers (see Diffie [15] for their history; apparently RSA [38] is their first cooperation). One day, while Bob is sitting in his office his colleague Alice enters and says: “I have designed a new signature scheme. It has a 120-bit-long public key and the signatures are 160 bits long”. That’s fascinating, says Bob, but what computational assumption is it based on? Well, says Alice, it is based on a new trapdoor permutation f_k and a new hash function h and the assumption that after given f_k (but not the trapdoor information) and many pairs of the form (m_i, f^{-1}
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions
, 1995
Cited by 41 (10 self)
A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions such as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudorandom functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudorandom functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
Ciphers with Arbitrary Finite Domains
, 2002
Cited by 33 (7 self)
Abstract. We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k − 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.
Constant-Round Oblivious Transfer in the Bounded Storage Model
, 2004
Cited by 31 (5 self)
We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.