Tolerant Combiners: Resilient Cryptographic Design
, 2002
Cited by 3 (0 self)
We investigate how to construct secure cryptographic schemes from few candidate schemes, some of which may be insecure. Namely, tolerant constructions tolerate the insecurity of some of the component schemes used in the construction. We define tolerant constructions, and investigate folklore, practical cascade and parallel constructions. We prove that cascades of encryption schemes provide tolerance for indistinguishability under chosen ciphertext attacks, including a weak adaptive variant. Similarly, certain parallel constructions ensure tolerance for unforgeability of Signature/MAC schemes, OWF, ERF, AONT and certain collision-resistant hash functions. We present (new) tolerant constructions for (several variants of) commitment schemes. Our constructions are simple, efficient and practical. To ensure practicality, we use concrete security analysis (in addition to the simpler asymptotic analysis).
Efficient and optimally secure keylength extension for block ciphers via randomized cascading
 Advances in Cryptology — EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science
, 2012
Cited by 2 (0 self)
Abstract. We consider the question of efficiently extending the key length of block ciphers. To date, the approach providing highest security is triple encryption (used e.g. in Triple-DES), which was proved to have roughly κ + min{n/2, κ/2} bits of security when instantiated with ideal block ciphers with key length κ and block length n, at the cost of three block-cipher calls per message block. This paper presents a new practical key-length extension scheme exhibiting κ + n/2 bits of security – hence improving upon the security of triple encryption – solely at the cost of two block-cipher calls and a key of length κ+n. We also provide matching generic attacks showing the optimality of the security level achieved by our approach with respect to a general class of two-query constructions.
Monkey: Black-Box Symmetric Ciphers Designed for MONopolizing KEYs
 Fast Software Encryption 1998, Springer LNCS 1372
Cited by 1 (0 self)
Abstract. We consider the problem of designing a black-box symmetric cipher that leaks information subliminally and exclusively to the designer. We show how to construct a cipher which we call ‘Monkey’ that leaks one key bit per output block to the designer of the system (in any mode). This key bit is leaked only if a particular plaintext bit is known to the designer (known bit/message attack which is typically available in plain ASCII). The attack is of kleptographic nature as it gives a unique advantage to the designer while using strong (e.g., externally supplied) keys. The basic new difficulty with the design of spoofable block ciphers is that it is a deterministic function (previous attacks exploited randomness in key generation or message encryption/signature), and the fact that we do not want easy (statistical) observability of the spoofing (e.g., the variability of ciphertexts should be noticeable when keys change etc.). We distinguish between three entities: the designer, the reverse-engineer and the user. We show a design methodology that assures that: (1) if the device is not reverse-engineered, the attack is secure (namely, the cipher is good) and undetectable, (2) if the device is reverse-engineered, then the reverse-engineer learns at most one plaintext bit from every ciphertext (but no past/future keys), and (3) the designer learns one plaintext bit and one key bit from each ciphertext block (say in ECB mode). The method is therefore highly robust against reverse-engineering. Key words: design methodologies for symmetric ciphers, secret cryptographic algorithms, spoofing, kleptographic attacks, trust, software vs. tamper-proof hardware designs, tamper-proof reverse engineering, public scrutiny.
Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers
Cited by 1 (0 self)
We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider F_{k1}(F_{k2}(·)) and F_{k1}(F^{-1}_{k2}(F_{k1}(·))) with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet-in-the-middle attacks. We obtain the first proof that composition actually increases the security in some meaningful sense. We compute a bound on the probability of breaking the double cipher as a function of the number of computations of the base cipher made, and the number of examples of the composed cipher seen, and show that the success probability is the square of that for a single key cipher. The same bound holds for the two-key triple cipher. The first bound is tight and shows that meet-in-the-middle is the best possible generic attack against the double cipher. Keywords: Ciphers, cascaded ciphers, Shannon model, information theory, DES, Double DES, meet i...
Integrity Checks Used for Security Can Also Be Used for Error Control.
Cited by 1 (1 self)
Communication systems check integrity to protect information against alteration introduced by natural means such as noise and by malicious security attacks. This paper proposes that some integrity checks used for security should also be used for error control, since there are similarities between the functions used for both purposes, and repeated checking can have a high cost. The paper extensively examines where integrity functions should be implemented in a network, and the dependencies between functions implemented in a node, since these limit the extent to which such amalgamation of function is possible. The arguments presented in this paper mean that end-system-to-end-system (e.g. Transport layer) error checks will need to be cryptographically strengthened if they are to remain justifiable in the future.
Error-tolerant combiners for oblivious primitives
Cited by 1 (0 self)
Abstract. A robust combiner is a construction that combines several implementations of a primitive based on different assumptions, and yields an implementation guaranteed to be secure if at least some assumptions (i.e. sufficiently many but not necessarily all) are valid. In this paper we generalize this concept by introducing error-tolerant combiners, which in addition to protection against insecure implementations provide tolerance to functionality failures: an error-tolerant combiner guarantees a secure and correct implementation of the output primitive even if some of the candidates are insecure or faulty. We present simple constructions of error-tolerant robust combiners for oblivious linear function evaluation. The proposed combiners are also interesting in the regular (not error-tolerant) case, as the construction is much more efficient than the combiners known for oblivious transfer.
Cryptology
Cited by 1 (0 self)
Cryptology has advanced tremendously since 1976; this chapter provides a brief overview of the current state-of-the-art in the field. Several major themes predominate in the development. One such theme is the careful elaboration of the definition of security for a cryptosystem. A second theme has been the search for provably secure cryptosystems, based on plausible assumptions about the difficulty of specific number-theoretic problems or on the existence of certain kinds of functions (such as one-way functions). A third theme is the invention of many novel and surprising cryptographic capabilities, such as public-key cryptography, digital signatures, secret-sharing, oblivious transfers, and zero-knowledge proofs. These themes have been developed and interwoven so that today theorems of breathtaking generality and power assert the existence of cryptographic techniques capable of solving almost any imaginable cryptographic problem.
Cryptanalysis-tolerant Commitment and Hashing
, 2002
Cryptographic solutions should be cryptanalysis-tolerant, i.e. avoid dependency on the assumed security of a single cryptographic function. We present the 2/3 composition, a cryptanalysis-tolerant design for commitment schemes and cryptographic hash functions. Previous cryptanalysis-tolerant solutions provided either confidentiality or binding properties; the 2/3 composition provides both properties. The 2/3 composition is simple and efficient, and appropriate for practical applications, either to compose existing functions or to design new functions. Keywords: cryptographic functions; hash functions; one-way functions; collision-resistance; commitment schemes
Plain versus Randomized Cascading-Based Key-Length Extension for Block Ciphers
Abstract. The security of cascading-based key-length extending constructions for block ciphers in the ideal-cipher model has so far received considerable attention. Triple encryption was investigated in [20,9], longer cascades were considered in [15] and a construction with comparable security as triple encryption requiring only 2 block-cipher calls, so-called 2XOR-cascade, was proposed and analyzed in [17]. In this paper we put these results into perspective by completing the picture of the investigated landscape in various ways. We give the following attacks and security lower bounds for constructions using a block cipher with key length κ and block length n:
– For the plain cascade of odd (resp. even) length ℓ we present a generic attack requiring roughly 2^{κ + (ℓ−1)/(ℓ+1) · n} (resp. 2^{κ + (ℓ−2)/ℓ · n}) queries. This is a generalization of both the meet-in-the-middle attack on double encryption and the best known attack on triple cascade given in [20].
– For the general case of XOR-cascade of odd (resp. even) length ℓ we prove security up to 2^{κ + (ℓ−1)/(ℓ+1) · n} (resp. 2^{κ + (ℓ−2)/ℓ · n}) queries and also an improved bound 2^{κ + (ℓ−1)/ℓ · n} for the special case ℓ ∈ {3, 4}. This is achieved by relating the problem to an independent line of work on the security of key-alternating ciphers in the random-permutation model.
– Finally, for a natural class of sequential constructions where block-cipher encryptions are interleaved with key-dependent permutations, we show a generic attack requiring roughly 2^{κ + (ℓ−1)/ℓ · n} queries. Since XOR-cascades are sequential, this proves tightness of our above result for XOR-cascades of length ℓ ∈ {3, 4} as well as their optimal security within the class of sequential constructions.
These results suggest that XOR-cascades achieve a better security/efficiency tradeoff than plain cascades and should be preferred.