Results 1 - 10 of 10
A. Oprea. Proofs of retrievability: Theory and implementation
2008
Cited by 32 (1 self)
A proof of retrievability (POR) is a compact proof by a file system (prover) to a client (verifier) that a target file F is intact, in the sense that the client can fully recover it. As PORs incur lower communication complexity than transmission of F itself, they are an attractive building block for high-assurance remote storage systems. In this paper, we propose a theoretical framework for the design of PORs. Our framework improves the previously proposed POR constructions of Juels-Kaliski and Shacham-Waters, and also sheds light on the conceptual limitations of previous theoretical models for PORs. It supports a fully Byzantine adversarial model, carrying only the restriction, fundamental to all PORs, that the adversary's error rate ε be bounded when the client seeks to extract F. Our techniques support efficient protocols across the full possible range of ε, up to ε non-negligibly close to 1. We propose a new variant on the Juels-Kaliski protocol and describe a prototype implementation. We demonstrate practical encoding even for files F whose size exceeds that of client main memory.
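The abstract above describes the POR idea (a proof much smaller than F, and an adversary whose error rate ε must stay bounded) without showing the message flow. The following is an added example written for this page, not the paper's framework or prototype: a simplified MAC-based spot-check in which the client tags each block with HMAC-SHA256, later challenges c random blocks, and checks the tags. The block size, key, file contents and corruption pattern are all constructed for the example.

```python
import hashlib
import hmac
import random

BLOCK_SIZE = 64  # bytes per file block; chosen for the example, not taken from the paper


def block_tag(key: bytes, index: int, block: bytes) -> bytes:
    # Binding the index into the tag stops the prover from answering a
    # challenge for block i with some other intact block j and j's tag.
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


def client_encode(key: bytes, data: bytes):
    """Client side, before upload: split F into blocks and tag each one.
    The client keeps only `key` and the block count; blocks and tags go to
    the storage provider (the prover)."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    tags = [block_tag(key, i, b) for i, b in enumerate(blocks)]
    return blocks, tags


def client_challenge(num_blocks: int, c: int, rng: random.Random) -> list:
    """Verifier -> prover: c distinct block indices chosen at random."""
    return sorted(rng.sample(range(num_blocks), c))


def prover_respond(stored_blocks, stored_tags, challenge):
    """Prover -> verifier: the challenged blocks and their tags. This is the
    whole proof; its size is c * (BLOCK_SIZE + 32) bytes regardless of |F|."""
    return [(i, stored_blocks[i], stored_tags[i]) for i in challenge]


def client_verify(key: bytes, challenge, response) -> bool:
    """Verifier: every challenged index must be answered with a block whose
    keyed tag still matches. The prover cannot forge tags without `key`."""
    if [i for i, _, _ in response] != challenge:
        return False
    return all(hmac.compare_digest(block_tag(key, i, b), t) for i, b, t in response)


def detection_lower_bound(eps: float, c: int) -> float:
    """If a fraction eps of the blocks is lost or corrupted, a challenge of c
    distinct blocks hits at least one bad block with probability at least
    1 - (1 - eps)^c; sampling without replacement can only raise it."""
    return 1.0 - (1.0 - eps) ** c


def run_por(file_size: int, eps: float, c: int, seed: int = 1) -> bool:
    """One audit round against a prover that silently zeroes the first eps
    fraction of the stored blocks. Returns True if the audit passes."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(32))          # constructed client key
    data = bytes(rng.getrandbits(8) for _ in range(file_size))  # constructed file F
    blocks, tags = client_encode(key, data)
    n = len(blocks)
    stored = list(blocks)
    for i in range(int(eps * n)):
        stored[i] = b"\x00" * len(stored[i])  # corruption on the prover side
    chal = client_challenge(n, c, rng)
    return client_verify(key, chal, prover_respond(stored, tags, chal))
```

The spot-check only bounds the undetected error rate: with ε = 0.25 and c = 10 a single audit misses the corruption with probability about 5.6%, and an adversary who corrupts a smaller fraction is caught less often still. That is why full PORs pair a check like this with erasure coding of F, so that any fraction the audit can fail to notice is still recoverable, and why schemes such as Shacham-Waters use aggregatable tags to shrink the response well below the c blocks returned here.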

Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
Advances in Cryptology - EUROCRYPT '98 Proceedings
1998
Cited by 22 (2 self)
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let $E: \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be the block cipher. Then we can construct the PRF $F$ from the PRP $E$ by setting $F(k, x) = E(E(k, x), x)$. We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.

Building PRFs from PRPs
Advances in Cryptology - CRYPTO '98, LNCS 1462
1998
Cited by 17 (0 self)
We evaluate constructions for building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We present two constructions: a slower construction which preserves the security of the PRP and a faster construction which has less security. One application of our construction is to build a wider block cipher given a block cipher as a building tool. We do not require any additional constructions (e.g. pseudorandom generators) to create the wider block cipher. The security of the resulting cipher will be as strong as the original block cipher. Keywords: pseudorandom permutations, pseudorandom functions, concrete security, block ciphers, cipher feedback mode.
1 Introduction and Background
In this paper we examine building pseudorandom functions from pseudorandom permutations. There are several well known constructions for building pseudorandom permutations from pseudorandom functions, notably [LR88]. However, the only results we are aware of for going in t...

On the Construction of Variable-Input-Length Ciphers
In Fast Software Encryption
1998
Cited by 15 (4 self)
We investigate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths, in particular lengths not necessarily a multiple of some block length. (By a "cipher" we mean a key-indexed family of length-preserving permutations, with a "good" cipher being one that resembles a family of random length-preserving permutations.) Oddly enough, this question seems not to have been investigated. We show how to construct variable-input-length ciphers starting from any block cipher (i.e., a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provable-security sense of contemporary cryptography. Variable-input-length ciphers can be used to encrypt in the presence of the constraint that the ciphertex...

Towards Making Luby-Rackoff Ciphers Optimal and Practical
In Proc. Fast Software Encryption '99, Lecture Notes in Computer Science
1999
Cited by 10 (3 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Shazam.

Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
Advances in Cryptology - EUROCRYPT '98 Proceedings
1998
Cited by 5 (2 self)
Phillip Rogaway
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let $E: \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be the block cipher. Then we can construct the PRF $F$ from the PRP $E$ by setting $F(k, x) = E(E(k, x), x)$. We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.

Towards making Luby-Rackoff ciphers optimal and practical
In Fast Software Encryption
1999
Cited by 5 (1 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Shazam.

Benes and Butterfly schemes revisited
In 8th International Conference on Information Security and Cryptology - ICISC 2005
2005
Cited by 1 (0 self)
In [1], W. Aiello and R. Venkatesan have shown how to construct pseudorandom functions of 2n bits → 2n bits from pseudorandom functions of n bits → n bits. They claimed that their construction, called "Benes", reaches the optimal bound (m << 2^n) of security against adversaries with unlimited computing power but limited to m queries in an adaptive chosen plaintext attack (CPA-2). However, a complete proof of this result is not given in [1], since one of the assertions of [1] is wrong. Due to this, the proof given in [1] is valid for most attacks, but not for all possible chosen plaintext attacks. In this paper we will in a way fix this problem, since for all ε > 0 we will prove CPA-2 security when m... .

Luby-Rackoff Ciphers over Finite Algebraic Structures, or Why XOR is not so Exclusive
2002
Luby and Rackoff [7] showed how to construct pseudorandom permutations from pseudorandom functions; their paper formalized the concept of a secure block cipher. The technique is based on composing several Feistel permutations. The traditional definition of a Feistel permutation involves applying a so-called round function to the right half of the input and taking the XOR with the left half of the input. We consider the question of what happens when operations other than the XOR are applied. In particular, this paper initiates a study of Luby-Rackoff ciphers when the operation in the underlying Feistel network is addition over an arbitrary finite algebraic structure. We obtain the following results:
- We construct a cipher which can be broken in a constant number of queries when XOR is used, but is completely secure against adaptive chosen plaintext and ciphertext attacks when addition in finite groups of characteristic greater than 2 is considered. This cipher has better time/spa...
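The Luby-Rackoff entries on this page share one piece of machinery, a Feistel network built from a keyed round function, so a single added example serves three of them: the "optimal and practical" paper's idea of using a secure MAC as the round function, the "Luby-Rackoff backwards" construction $F(k, x) = E(E(k, x), x)$ that turns the resulting PRP back into a PRF by data-dependent re-keying, and the "XOR is not so exclusive" question of running the Feistel step with group addition instead of XOR. This is illustration code written for this page, not code from any of the papers; the 64-bit block, four rounds and HMAC-SHA256 round function are choices made for the example, and nothing here is a claim about the concrete security of those parameters.

```python
import hashlib
import hmac

N_BITS = 32                  # half-block size n; blocks are 2n = 64 bits (example choice)
MASK = (1 << N_BITS) - 1


def round_function(key: bytes, r: int, x: int) -> int:
    """Round function f_r(x) realised as a MAC: HMAC-SHA256 keyed by `key`,
    domain-separated by the round index r, truncated to n bits. Using a MAC
    here mirrors the relaxed assumption in 'Towards making Luby-Rackoff
    ciphers optimal and practical'; the same key serves every round."""
    mac = hmac.new(key, bytes([r]) + x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


# Combining operation for the Feistel step, as (combine, uncombine) pairs.
# XOR is its own inverse; addition mod 2^n (a group of characteristic
# greater than 2, the 'XOR is not so exclusive' setting) needs subtraction.
XOR = (lambda a, b: a ^ b, lambda a, b: a ^ b)
ADD = (lambda a, b: (a + b) & MASK, lambda a, b: (a - b) & MASK)


def feistel_encrypt(key: bytes, block: int, rounds: int = 4, op=XOR) -> int:
    """Luby-Rackoff style Feistel permutation E(key, block) on a 2n-bit block:
    each round maps (L, R) -> (R, L op f_r(R))."""
    combine, _ = op
    left, right = block >> N_BITS, block & MASK
    for r in range(rounds):
        left, right = right, combine(left, round_function(key, r, right))
    return (left << N_BITS) | right


def feistel_decrypt(key: bytes, block: int, rounds: int = 4, op=XOR) -> int:
    """Inverse permutation: undo the rounds in reverse order. Given
    (L', R') = (R, L op f_r(R)) we recover R = L' and L = R' op^-1 f_r(L')."""
    _, uncombine = op
    left, right = block >> N_BITS, block & MASK
    for r in reversed(range(rounds)):
        left, right = uncombine(right, round_function(key, r, left)), left
    return (left << N_BITS) | right


def prf_rekeyed(key: bytes, x: int, rounds: int = 4, op=XOR) -> int:
    """'Luby-Rackoff backwards': data-dependent re-keying F(k, x) = E(E(k, x), x).
    The first encryption derives a per-input key, the second encrypts x under
    it. F is a function rather than a permutation: with only k and F(k, x) in
    hand there is no inner key to run E backwards with, since that key
    depends on the unknown x."""
    derived = feistel_encrypt(key, x, rounds, op).to_bytes(2 * N_BITS // 8, "big")
    return feistel_encrypt(derived, x, rounds, op)


def roundtrip_ok(key: bytes, block: int, op=XOR) -> bool:
    """Check that encrypt and decrypt are mutual inverses for this key, block and op."""
    return feistel_decrypt(key, feistel_encrypt(key, block, op=op), op=op) == block
```

The `op` pair is the only thing that changes between the XOR and the modular-addition cipher; everything else, including the MAC round function and the re-keying wrapper, is shared, which is the point of the "finite algebraic structures" paper's framing. Note that `prf_rekeyed` costs two block-cipher calls per output, the price the "backwards" construction pays for removing invertibility.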

Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys
The iterated Even-Mansour (EM) scheme is a generalization of the original 1-round construction proposed in 1991, and can use one key, two keys, or completely independent keys. In this paper, we methodically analyze the security of all the possible iterated Even-Mansour schemes with two n-bit keys and up to four rounds, and show that none of them provides more than n-bit security. In particular, we can apply one of our new attacks to 4 steps of the LED-128 block cipher, reducing the time complexity of the best known attack on this scheme from 2^96 to 2^64. As another example of the broad applicability of our techniques, we show how to reduce the time complexity of the attack on two-key triple-DES (which is an extremely well studied and widely deployed scheme) when fewer than 2^n known plaintext-ciphertext pairs are given. Our attacks are based on a novel cryptanalytic technique called multibridge which connects different parts of the cipher such that they can be analyzed independently, exploiting its self-similarity properties. Finally, the key suggestions of the different parts are efficiently joined using a meet-in-the-middle attack.