Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
- Advances in Cryptology - EUROCRYPT '98 Proceedings, 1998
Cited by 20 (2 self)
Abstract:
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let E: {0,1}^n × {0,1}^n → {0,1}^n be the block cipher. Then we can construct the PRF F from the PRP E by setting F(k, x) = E(E(k, x), x). We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.
Building PRFs from PRPs
- Advances in Cryptology—CRYPTO '98, LNCS 1462, 1998
Cited by 16 (0 self)
Abstract:
We evaluate constructions for building pseudo-random functions (PRFs) from pseudo-random permutations (PRPs). We present two constructions: a slower construction which preserves the security of the PRP and a faster construction which has less security. One application of our construction is to build a wider block cipher given a block cipher as a building tool. We do not require any additional constructions---e.g. pseudo-random generators---to create the wider block cipher. The security of the resulting cipher will be as strong as the original block cipher. Keywords. pseudo-random permutations, pseudo-random functions, concrete security, block ciphers, cipher feedback mode. 1 Introduction and Background In this paper we examine building pseudo-random functions from pseudo-random permutations. There are several well known constructions for building pseudo-random permutations from pseudo-random functions, notably [LR88]. However, the only results we are aware of for going in t...
On the Construction of Variable-Input-Length Ciphers
- In Fast Software Encryption, 1998
Cited by 13 (3 self)
Abstract:
We investigate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths. In particular, lengths not necessarily a multiple of some block length. (By a "cipher" we mean a key-indexed family of length-preserving permutations, with a "good" cipher being one that resembles a family of random length-preserving permutations.) Oddly enough, this question seems not to have been investigated. We show how to construct variable-input-length ciphers starting from any block cipher (i.e., a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provable-security sense of contemporary cryptography. Variable-input-length ciphers can be used to encrypt in the presence of the constraint that the ciphertex...
A. Oprea. Proofs of retrievability: Theory and implementation, 2008
Cited by 13 (1 self)
Abstract:
A proof of retrievability (POR) is a compact proof by a file system (prover) to a client (verifier) that a target file F is intact, in the sense that the client can fully recover it. As PORs incur lower communication complexity than transmission of F itself, they are an attractive building block for high-assurance remote storage systems. In this paper, we propose a theoretical framework for the design of PORs. Our framework improves the previously proposed POR constructions of Juels-Kaliski and Shacham-Waters, and also sheds light on the conceptual limitations of previous theoretical models for PORs. It supports a fully Byzantine adversarial model, carrying only the restriction—fundamental to all PORs—that the adversary's error rate ɛ be bounded when the client seeks to extract F. Our techniques support efficient protocols across the full possible range of ɛ, up to ɛ non-negligibly close to 1. We propose a new variant on the Juels-Kaliski protocol and describe a prototype implementation. We demonstrate practical encoding even for files F whose size exceeds that of client main memory.
Towards Making Luby-Rackoff Ciphers Optimal and Practical
- In Proc. Fast Software Encryption 99, Lecture Notes in Computer Science, 1999
Cited by 10 (3 self)
Abstract:
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
- Advances in Cryptology - EUROCRYPT '98 Proceedings, 1998
Cited by 5 (2 self)
Abstract:
Phillip Rogaway
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let E: {0,1}^n × {0,1}^n → {0,1}^n be the block cipher. Then we can construct the PRF F from the PRP E by setting F(k, x) = E(E(k, x), x). We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.
Towards making Luby-Rackoff ciphers optimal and practical
- In Fast Software Encryption, 1999
Cited by 5 (1 self)
Abstract:
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
Benes and Butterfly schemes revisited
- In 8th International Conference on Information Security and Cryptology - ICISC 2005, 2005
Cited by 1 (0 self)
Abstract:
In [1], W. Aiello and R. Venkatesan have shown how to construct pseudo-random functions of 2n bits → 2n bits from pseudo-random functions of n bits → n bits. They claimed that their construction, called "Benes", reaches the optimal bound (m << 2^n) of security against adversaries with unlimited computing power but limited by m queries in an adaptive chosen plaintext attack (CPA-2). However, a complete proof of this result is not given in [1] since one of the assertions of [1] is wrong. Due to this, the proof given in [1] is valid for most attacks, but not for all the possible chosen plaintext attacks. In this paper we will in a way fix this problem since for all ε > 0, we will prove CPA-2 security when m... .
Luby-Rackoff Ciphers over Finite Algebraic Structures or Why XOR is not so Exclusive, 2002
Abstract:
Luby and Rackoff [7] showed how to construct pseudo-random permutations from pseudo-random functions; their paper formalized the concept of a secure block cipher. The technique is based on composing several Feistel permutations. The traditional definition of a Feistel permutation involves applying a so-called round function to the right half of the input and taking the XOR with the left half of the input. We consider the question of what happens when operations other than the XOR are applied. In particular, this paper initiates a study of Luby-Rackoff ciphers when the operation in the underlying Feistel network is addition over an arbitrary finite algebraic structure. We obtain the following results: • We construct a cipher which can be broken in a constant number of queries when XOR is used, but is completely secure against adaptive chosen plaintext and ciphertext attacks when addition in finite groups of characteristic greater than 2 is considered. This cipher has better time/spa...