Results 1-10 of 67
Pseudorandom generators for space-bounded computation
Combinatorica, 1992
Cited by 187 (12 self)
Pseudorandom generators are constructed which convert O(S log R) truly random bits to R bits that appear random to any algorithm that runs in SPACE(S). In particular, any randomized polynomial time algorithm that runs in space S can be simulated using only O(S log n) random bits. An application of these generators is an explicit construction of universal traversal sequences (for arbitrary graphs) of length n^{O(log n)}. The generators constructed are technically stronger than just appearing random to space-bounded machines, and have several other applications. In particular, applications are given for "deterministic amplification" (i.e. reducing the probability of error of randomized algorithms), as well as generalizations of it.
How to Recycle Random Bits
1989
Cited by 183 (12 self)
We show that modified versions of the linear congruential generator and the shift register generator are provably good for amplifying the correctness of a probabilistic algorithm. More precisely, if r random bits are needed for a BPP algorithm to be correct with probability at least 2/3, then O(r + k^2) bits are needed to improve this probability to 1 - 2^{-k}. We also present a different pseudorandom generator that is optimal, up to a constant factor, in this regard: it uses only O(r + k) bits to improve the probability to 1 - 2^{-k}. This generator is based on random walks on expanders. Our results do not depend on any unproven assumptions. Next we show that our modified versions of the shift register and linear congruential generators can be used to sample from distributions using, in the limit, the information-theoretic lower bound on random bits.
Secure hash-and-sign signatures without the random oracle
1999
Cited by 121 (9 self)
We present a new signature scheme which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture. This scheme is not based on "signature trees", and instead it uses the so-called "hash-and-sign" paradigm. It is unique in that the assumptions made on the cryptographic hash function in use are well defined and reasonable (although non-standard). In particular, we do not model this function as a random oracle. We construct our proof of security in steps. First we describe and prove a construction which operates in the random oracle model. Then we show that the random oracle in this construction can be replaced by a hash function which satisfies some strong (but well defined!) computational assumptions. Finally, we demonstrate that these assumptions are reasonable, by proving that a function satisfying them exists under standard intractability assumptions.
UMAC: Fast and Secure Message Authentication
1999
Cited by 111 (14 self)
We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
Journal of Cryptology, 1997
Cited by 93 (8 self)
Luby and Rackoff [27] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following: (1) reduce the success probability of the adversary; (2) provide a construction of pseudorandom permutations with large input size using pseudorandom functions with small input size.
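The construction this abstract describes, as an added example written for this listing (it is not code from the paper): two Feistel rounds with independent PRF keys, sandwiched between an initial and a final pairwise independent permutation. The concrete choices are assumptions of the example: HMAC-SHA256 truncated to 32 bits stands in for the abstract pseudorandom function, and the pairwise independent permutations are the affine maps x -> a*x + b over GF(2^64) (a != 0) with the reduction polynomial x^64 + x^4 + x^3 + x + 1, on 64-bit blocks split into two 32-bit Feistel halves.

```python
import hashlib
import hmac
import os

# Example code added for this listing, not from the paper. Assumptions: PRF =
# HMAC-SHA256 truncated to 32 bits; pairwise independent permutation = affine map
# over GF(2^64) with reduction polynomial x^64 + x^4 + x^3 + x + 1.

WORD = 64                                        # block size: two 32-bit halves
HALF_MASK = (1 << 32) - 1
REDUCER = (1 << 4) | (1 << 3) | (1 << 1) | 1     # x^4 + x^3 + x + 1, low part of the polynomial


def gf_mul(a, b):
    """Carry-less multiplication in GF(2^64) modulo x^64 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(WORD):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> (WORD - 1)
        a = (a << 1) & ((1 << WORD) - 1)
        if carry:
            a ^= REDUCER
    return r


def gf_inv(a):
    """Inverse in GF(2^64) as a^(2^64 - 2); a must be non-zero."""
    result, exp = 1, (1 << WORD) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exp >>= 1
    return result


def prf(key, x):
    """32-bit PRF f_key(x) on a 32-bit input (HMAC-SHA256 modelled as a PRF)."""
    digest = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(key, block):
    """One Feistel permutation D_f: (L, R) -> (R, L xor f(R)) on a 64-bit block."""
    left, right = block >> 32, block & HALF_MASK
    return (right << 32) | (left ^ prf(key, right))


def feistel_inv(key, block):
    left, right = block >> 32, block & HALF_MASK
    return ((right ^ prf(key, left)) << 32) | left


class NaorReingoldPRP:
    """W = h2 o D_f2 o D_f1 o h1 with h1, h2 pairwise independent permutations."""

    def __init__(self, seed):
        # All secret material is derived from one seed with a labelled HMAC (a
        # hypothetical KDF chosen for the example).
        def sub(label, n):
            return hmac.new(seed, label, hashlib.sha256).digest()[:n]
        self.k1, self.k2 = sub(b"f1", 32), sub(b"f2", 32)
        self.a1 = int.from_bytes(sub(b"a1", 8), "big") or 1    # a must be non-zero
        self.b1 = int.from_bytes(sub(b"b1", 8), "big")
        self.a2 = int.from_bytes(sub(b"a2", 8), "big") or 1
        self.b2 = int.from_bytes(sub(b"b2", 8), "big")
        self.a1_inv, self.a2_inv = gf_inv(self.a1), gf_inv(self.a2)

    def encrypt(self, x):
        x = gf_mul(self.a1, x) ^ self.b1       # h1: initial pairwise independent permutation
        x = feistel(self.k1, x)                # first Feistel round
        x = feistel(self.k2, x)                # second Feistel round
        return gf_mul(self.a2, x) ^ self.b2    # h2: final pairwise independent permutation

    def decrypt(self, y):
        y = gf_mul(self.a2_inv, y ^ self.b2)
        y = feistel_inv(self.k2, y)
        y = feistel_inv(self.k1, y)
        return gf_mul(self.a1_inv, y ^ self.b1)


def roundtrip_ok(seed, inputs):
    """True if decrypt inverts encrypt and encrypt is injective on the given inputs."""
    prp = NaorReingoldPRP(seed)
    outputs = [prp.encrypt(x) for x in inputs]
    return all(prp.decrypt(y) == x for x, y in zip(inputs, outputs)) and len(set(outputs)) == len(inputs)


if __name__ == "__main__":
    print(roundtrip_ok(os.urandom(32), [0, 1, 2, (1 << 64) - 1]))
```

The affine layers are what let the proof get away with two rounds: without them an attacker can distinguish a two-round Feistel network by querying inputs that share a right half, which the random h1 breaks.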
Pseudorandom functions revisited: The cascade construction and its concrete security
Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996
Cited by 92 (20 self)
Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of one-way functions) has been established. In this work we investigate new ways of designing pseudorandom function families. The goal is to find constructions that are both efficient and secure, and thus eventually to bring the benefits of pseudorandom functions to practice.
Self-testing/correcting for polynomials and for approximate functions
In Proceedings of the 23rd Annual Symposium on Theory of Computing (STOC), 1991
Cited by 81 (15 self)
The study of self-testing/correcting programs was introduced in [8] in order to allow one to use program P to compute function f without trusting that P works correctly. A self-tester for f estimates the fraction of x for which P(x) = f(x); and a self-corrector for f takes a program that is correct on most inputs and turns it into a program that is correct on every input with high probability. Both access P only as a black box and in some precise way are not allowed to compute the function f. Self-correcting is usually easy when the function has the random self-reducibility property. One class of functions that has this property is the class of multivariate polynomials over finite fields [4] [12]. We extend this result in two directions. First, we show that polynomials are random self-reducible over more general domains: specifically, over the rationals and over non-commutative rings. Second, we show that one can get self-correctors even when the program satisfies weaker conditions, i.e. when the program has more errors, or when the program behaves in a more adversarial manner by changing the function it computes between successive calls. Self-testing is a much harder task. Previously it was known how to self-test for a few special examples of functions, such as the class of linear functions. We show that one can self-test the whole class of polynomial functions over Z_p for prime p.
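A self-corrector and a self-tester for univariate polynomials over Z_p, as an added example written for this listing (not code from the paper). The corrector uses exactly the random self-reducibility the abstract relies on: to get f(x) it queries P on the random line x + i*t, i = 1..d+1, and interpolates back to i = 0, so every query is a uniformly distributed point and P's errors cannot target it. The tester checks the (d+1)-st finite-difference identity on random lines; that specific test, the prime, the cubic and the "buggy program" P (which is wrong on a fixed random 1% of inputs) are all constructions of this example.

```python
import random
from math import comb

# Example code added for this listing, not from the paper. The prime, the cubic
# and the buggy program below are constructed for the demonstration.

PRIME = 1_000_003      # prime modulus (assumed prime; small enough to enumerate)
DEGREE = 3


def f(x):
    """The function P is supposed to compute: a fixed cubic over Z_p."""
    return (5 * x**3 + 2 * x**2 + 7 * x + 11) % PRIME


def make_buggy_program(error_fraction, seed):
    """Return P: agrees with f except on a fixed random error_fraction of Z_p."""
    rng = random.Random(seed)
    bad = set(rng.sample(range(PRIME), int(error_fraction * PRIME)))

    def program(x):
        x %= PRIME
        return (f(x) + 1) % PRIME if x in bad else f(x)
    return program


def interpolate_at_zero(points):
    """Lagrange interpolation over Z_p: value at 0 of the polynomial through (x_i, y_i)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        total = (total + yj * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def self_correct(program, x, degree=DEGREE, trials=21, rng=random):
    """Compute f(x) from a mostly-correct P using only random queries.

    Each trial queries P on x + i*t, i = 1..degree+1, for a random t. Each query is
    a uniformly distributed point, so it is wrong with probability at most P's error
    fraction; if all degree+1 answers are right, interpolating the restriction of f
    to the line back to i = 0 gives f(x). The majority over independent trials wins.
    """
    votes = {}
    for _ in range(trials):
        t = rng.randrange(1, PRIME)
        pts = [(i, program((x + i * t) % PRIME)) for i in range(1, degree + 2)]
        v = interpolate_at_zero(pts)
        votes[v] = votes.get(v, 0) + 1
    return max(votes, key=votes.get)


def self_test(program, degree=DEGREE, samples=2000, rng=random):
    """Estimate how often P violates the (degree+1)-st finite-difference identity.

    A degree-d polynomial satisfies sum_{i=0}^{d+1} (-1)^i C(d+1, i) f(x + i*t) = 0
    for all x, t (the test used in this example). Returns the observed failure rate,
    which is 0 for a correct program and grows with P's error fraction.
    """
    failures = 0
    for _ in range(samples):
        x, t = rng.randrange(PRIME), rng.randrange(1, PRIME)
        acc = sum((-1) ** i * comb(degree + 1, i) * program((x + i * t) % PRIME)
                  for i in range(degree + 2)) % PRIME
        failures += acc != 0
    return failures / samples


if __name__ == "__main__":
    buggy = make_buggy_program(0.01, seed=7)
    print("estimated failure rate:", self_test(buggy))
    print("corrected f(12345):", self_correct(buggy, 12345), "true:", f(12345))
```

With a 1% error rate and d = 3, each trial of the corrector fails with probability at most 4% (union bound over the four queries), so the 21-trial majority is wrong with probability well below 1e-9; note that the corrector never needs to know where P's errors are, only that they are rare.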
HAIL: A High-Availability and Integrity Layer for Cloud Storage
2009
Cited by 79 (1 self)
We introduce HAIL (High-Availability and Integrity Layer), a distributed cryptographic system that permits a set of servers to prove to a client that a stored file is intact and retrievable. HAIL strengthens, formally unifies, and streamlines distinct approaches from the cryptographic and distributed-systems communities. Proofs in HAIL are efficiently computable by servers and highly compact: typically tens or hundreds of bytes, irrespective of file size. HAIL cryptographically verifies and reactively reallocates file shares. It is robust against an active, mobile adversary, i.e., one that may progressively corrupt the full set of servers. We propose a strong, formal adversarial model for HAIL, and rigorous analysis and parameter choices. We show how HAIL improves on the security and efficiency of existing tools, like Proofs of Retrievability (PORs) deployed on individual servers. We also report on a prototype implementation.
REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform
CT-RSA 2001, volume 2020 of LNCS, 2001
Cited by 76 (21 self)
Seven years after the optimal asymmetric encryption padding (OAEP), which makes a chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overhead is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, the advantages of REACT beyond OAEP are numerous: 1. it is more general since it applies to any partially trapdoor one-way function (a.k.a. weakly secure public-key encryption scheme) and therefore provides security relative to RSA but also to the Diffie-Hellman problem or to factorization; 2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates; 3. it provides a key distribution with session key encryption, whose overall scheme achieves chosen-ciphertext security even with a weakly secure symmetric scheme. Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
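The "two more hashings" of the abstract, as an added example written for this listing (not code from the paper): the ciphertext is c1 = f(R) for a random seed R, c2 = the message under a symmetric key G(R), and c3 = H(R, m, c1, c2); the decryptor recovers R through the trapdoor, recomputes c3 and rejects on mismatch, which is where the chosen-ciphertext security comes from. Everything concrete here is an assumption of the example: f is textbook RSA over a toy modulus built from two Mersenne primes (trivially factorable, for illustration only), G and H are SHA-256 with domain-separation labels, and the symmetric scheme is a constructed SHA-256 counter keystream XOR, not a standard cipher.

```python
import hashlib
import hmac
import secrets

# Example code added for this listing, not from the paper. Toy parameters:
# the RSA modulus is a product of two Mersenne primes and is NOT secure.

P_TOY = (1 << 127) - 1
Q_TOY = (1 << 89) - 1
N = P_TOY * Q_TOY
E = 65537
D = pow(E, -1, (P_TOY - 1) * (Q_TOY - 1))    # 65537 is coprime to phi(N) here
NBYTES = (N.bit_length() + 7) // 8


def f(r):
    """The weakly secure trapdoor one-way function, public direction (textbook RSA)."""
    return pow(r, E, N)


def f_inv(c):
    """Trapdoor direction."""
    return pow(c, D, N)


def G(r):
    """Key-derivation hash: the symmetric key is derived from the random seed R."""
    return hashlib.sha256(b"REACT-G" + r.to_bytes(NBYTES, "big")).digest()


def H(r, m, c1, c2):
    """Integrity hash over R, the plaintext and both ciphertext components."""
    return hashlib.sha256(b"REACT-H" + r.to_bytes(NBYTES, "big") + m +
                          c1.to_bytes(NBYTES, "big") + c2).digest()


def keystream_xor(key, data):
    """Constructed stream cipher: XOR with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def react_encrypt(m):
    """REACT encryption: (f(R), E_{G(R)}(m), H(R, m, c1, c2))."""
    r = secrets.randbelow(N - 1) + 1          # random seed in the domain of f
    c1 = f(r)
    c2 = keystream_xor(G(r), m)
    return c1, c2, H(r, m, c1, c2)


def react_decrypt(ciphertext):
    """Recover R, decrypt, and reject unless the integrity hash checks out."""
    c1, c2, c3 = ciphertext
    r = f_inv(c1)
    m = keystream_xor(G(r), c2)
    if not hmac.compare_digest(H(r, m, c1, c2), c3):
        return None                           # reject: any tampering with c1, c2 or c3
    return m


if __name__ == "__main__":
    ct = react_encrypt(b"attack at dawn")
    print(react_decrypt(ct))
    c1, c2, c3 = ct
    print(react_decrypt((c1, bytes([c2[0] ^ 1]) + c2[1:], c3)))   # None
```

The check in react_decrypt is what turns a one-way (plaintext-checking secure) f into a chosen-ciphertext secure scheme: a decryption oracle answers "reject" on every ciphertext the adversary did not honestly produce, so it leaks nothing about R.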
SIGMA: the ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols
Full version: http://www.ee.technion.ac.il/~hugo/sigma.html
Cited by 73 (5 self)
We present the SIGMA family of key-exchange protocols and the “SIGn-and-MAc” approach to authenticated Diffie-Hellman underlying its design. The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios (such as optional identity protection and a reduced number of protocol rounds). As a consequence, the SIGMA protocols are very well suited for use in actual applications and for standardized key exchange. In particular, SIGMA serves as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol (versions 1 and 2). This paper describes the design rationale behind the SIGMA approach and protocols, and points out many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. We motivate the design of SIGMA by comparing it to other protocols, most notably the STS protocol and its variants. In particular, it is shown how SIGMA solves some of the security shortcomings found in previous protocols.
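The sign-and-MAC exchange in its basic form, as an added example written for this listing (not code from the paper or from IKE): each side signs both Diffie-Hellman values, and each side MACs its own identity under a key Km derived from g^xy. The run_sigma helper also plays the identity-misbinding attack that the abstract alludes to for STS-style protocols: Mallory, who holds a registered key, swaps Bob's identity and signature in message 2 for her own; the signature still verifies, but she cannot produce the MAC on her identity under Km, so the initiator rejects. All concrete parameters are assumptions of the example: a toy group (p = 2^127 - 1, g = 3, exponents reduced mod p - 1; not a standardized group), Schnorr signatures over that group as the digital signature, HMAC-SHA256 as the MAC and as the key-derivation function, and a static public-key directory keyed by identity.

```python
import hashlib
import hmac
import secrets

# Example code added for this listing, not from the paper. Toy group: p = 2^127 - 1
# (prime), generator 3, exponents mod p - 1. Illustration only, not for production.

P = (1 << 127) - 1
G = 3
Q = P - 1


def enc(n):
    """Fixed-width encoding of a group element or exponent (all are < 2^127)."""
    return n.to_bytes(16, "big")


def hash_to_exp(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def keygen():
    """Schnorr key pair over the toy group (stand-in for the paper's signature scheme)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def sign(sk, msg):
    k = 1 + secrets.randbelow(Q - 1)
    e = hash_to_exp(enc(pow(G, k, P)), msg)
    return e, (k - e * sk) % Q


def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, e, P) % P          # equals g^k for a valid signature
    return hash_to_exp(enc(r), msg) == e


def derive_keys(shared):
    """Km (for the identity MACs) and Ks (the session key), both from g^xy."""
    km = hmac.new(enc(shared), b"SIGMA mac key", hashlib.sha256).digest()
    ks = hmac.new(enc(shared), b"SIGMA session key", hashlib.sha256).digest()
    return km, ks


def mac(km, data):
    return hmac.new(km, data, hashlib.sha256).digest()


def initiator_start():
    """Message 1: A -> B: g^x."""
    x = 1 + secrets.randbelow(Q - 1)
    return {"x": x, "gx": pow(G, x, P)}, pow(G, x, P)


def responder_reply(ident_b, sk_b, gx):
    """Message 2: B -> A: B, g^y, SIG_B(g^x, g^y), MAC_Km(B)."""
    y = 1 + secrets.randbelow(Q - 1)
    gy = pow(G, y, P)
    km, ks = derive_keys(pow(gx, y, P))
    msg2 = (ident_b, gy, sign(sk_b, enc(gx) + enc(gy)), mac(km, ident_b))
    return {"gx": gx, "gy": gy, "km": km, "ks": ks}, msg2


def initiator_finish(state, ident_a, sk_a, directory, msg2):
    """Verify message 2, then send message 3: A -> B: A, SIG_A(g^y, g^x), MAC_Km(A)."""
    ident_b, gy, sig_b, mac_b = msg2
    km, ks = derive_keys(pow(gy, state["x"], P))
    if not verify(directory[ident_b], enc(state["gx"]) + enc(gy), sig_b):
        raise ValueError("responder signature invalid")
    if not hmac.compare_digest(mac(km, ident_b), mac_b):
        raise ValueError("responder identity not bound to this DH exchange")
    msg3 = (ident_a, sign(sk_a, enc(gy) + enc(state["gx"])), mac(km, ident_a))
    return ks, msg3


def responder_finish(state, directory, msg3):
    ident_a, sig_a, mac_a = msg3
    if not verify(directory[ident_a], enc(state["gy"]) + enc(state["gx"]), sig_a):
        raise ValueError("initiator signature invalid")
    if not hmac.compare_digest(mac(state["km"], ident_a), mac_a):
        raise ValueError("initiator identity not bound to this DH exchange")
    return state["ks"]


def run_sigma(misbind=False):
    """Full exchange between Alice and Bob; True if both accept with the same Ks.
    With misbind=True, Mallory rewrites message 2 with her identity and her own
    signature over the same (g^x, g^y), leaving the MAC she cannot compute."""
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    sk_m, pk_m = keygen()
    directory = {b"Alice": pk_a, b"Bob": pk_b, b"Mallory": pk_m}
    st_a, gx = initiator_start()
    st_b, msg2 = responder_reply(b"Bob", sk_b, gx)
    if misbind:
        _, gy, _, mac_b = msg2
        msg2 = (b"Mallory", gy, sign(sk_m, enc(gx) + enc(gy)), mac_b)
    try:
        ks_a, msg3 = initiator_finish(st_a, b"Alice", sk_a, directory, msg2)
        ks_b = responder_finish(st_b, directory, msg3)
    except ValueError:
        return False
    return ks_a == ks_b
```

Note what each primitive is doing: the signature over (g^x, g^y) proves the signer took part in this particular exchange, while the MAC under Km proves that the party who knows g^xy is the one claiming the identity; without that second binding a signature alone lets an attacker claim someone else's DH share as their own.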