Results 1 - 10 of 15
Indistinguishability of Random Systems
 In Advances in Cryptology — EUROCRYPT ’02, volume 2332 of LNCS
, 2002
Cited by 38 (10 self)
An $(\mathcal{X}, \mathcal{Y})$-random system takes inputs $X_1, X_2, \ldots \in \mathcal{X}$ and generates, for each new input $X_i$, an output $Y_i \in \mathcal{Y}$, depending probabilistically on $X_1, \ldots, X_i$ and $Y_1, \ldots, Y_{i-1}$. Many cryptographic systems like block ciphers, MAC-schemes, pseudorandom functions, etc., can be modeled as random systems, where in fact $Y_i$ often depends only on $X_i$, i.e., the system is stateless. The security proof of such a system (e.g.
On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit - A New Construction
 Fast Software Encryption ’02, Lecture Notes in Computer Science
, 2001
Cited by 27 (1 self)
In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC.
Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-Keying Techniques
 in Advances in Cryptology – Asiacrypt 2000 Proceedings
, 2000
Cited by 18 (2 self)
Rather than use a shared key directly to cryptographically process (e.g. encrypt or authenticate) data one can use it as a master key to derive subkeys, and use the subkeys for the actual cryptographic processing. This popular paradigm is called re-keying, and the expectation is that it is good for security. In this paper we provide concrete security analyses of various re-keying mechanisms and their usage. We show that re-keying does indeed "increase" security, effectively extending the lifetime of the master key and bringing significant, provable security gains in practical situations. We quantify the security provided by different re-keying processes as a function of the security of the primitives they use, thereby enabling a user to choose between different re-keying processes given the constraints of some application. 1 Introduction Re-keying (also called key-derivation) is a commonly employed paradigm in computer security systems, about whose security benefits users appe...
Uniform Hashing in Constant Time and Linear Space
, 2003
Cited by 12 (1 self)
Many algorithms and data structures employing hashing have been analyzed under the uniform hashing assumption, i.e., the assumption that hash functions behave like truly random functions. Starting with the discovery of universal hash functions, many researchers have studied to what extent this theoretical ideal can be realized by hash functions that do not take up too much space and can be evaluated quickly. In this paper we present an almost ideal solution to this problem: A hash function that, on any set of n inputs, behaves like a truly random function with high probability, can be evaluated in constant time on a RAM, and can be stored in O(n) words, which is optimal. For many hashing schemes this is the first hash function that makes their uniform hashing analysis come true, with high probability, without incurring overhead in time or space.
Simulating uniform hashing in constant time and optimal space
, 2003
Cited by 10 (3 self)
Many algorithms and data structures employing hashing have been analyzed under the uniform hashing assumption, i.e., the assumption that hash functions behave like truly random functions. Starting with the discovery of universal hash functions, many researchers have studied to what extent this theoretical ideal can be realized by hash functions that do not take up too much space and can be evaluated quickly. In this paper we present an almost ideal solution to this problem: A hash function h: U → V that, on any set of n inputs, behaves like a truly random function with high probability, can be evaluated in constant time on a RAM, and can be stored in (1 + ɛ)n lg V  + O(n + lg lg U) bits. Here ɛ can be chosen to be any positive constant, so this essentially matches the entropy lower bound. For many hashing schemes this is the first hash function that makes their uniform hashing analysis come true, with high probability, without incurring overhead in time or space.
Domain extension of public random functions: Beyond the birthday barrier
 In Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science
, 2007
Cited by 7 (1 self)
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function $\{0,1\}^* \to \{0,1\}^n$ from a component function $\{0,1\}^n \to \{0,1\}^n$ that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks. 1 Introduction 1.1 Secret vs. Public Random Functions Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
L-collision attacks against randomized MACs
 In CRYPTO
, 2000
Cited by 3 (0 self)
In order to avoid birthday attacks on message authentication schemes, it has been suggested that one add randomness to the scheme. One must be careful about how randomness is added, however. This paper shows that prefixing randomness to a message before running the message through an iterated MAC leads to an attack that takes only $O\left(2^{(l+r)/3} + \max\{2^{l/2}, 2^{r/2}\}\right)$ queries to break, where $l$ is the size of the MAC iteration output and $r$ is the size of the prefixed randomness.
A Flexible Payment Scheme and Its Permission-Role Assignment
Cited by 1 (0 self)
A flexible payment scheme and its permission-role assignments are proposed in this paper. The scheme uses electronic cash for payment transactions. In this protocol, from the viewpoint of banks, consumers can improve anonymity if they are worried about disclosure of their identities. A role called anonymity provider agent (AP) provides a high level of anonymity for consumers. The role AP certifies re-encrypted data after verifying the validity of the content from consumers, but with no private information of the consumers required. With this method, each consumer can get a required anonymity level, depending on the available time, computation and cost.
Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-Keying Techniques
, 2001
Untraceable Off-line Electronic Cash Flow in E-Commerce
Electronic cash has been playing an important role in electronic commerce. One of the desirable characteristics is its traceability, which can prevent money laundering and can find the destination of suspicious withdrawals. In this paper we develop a new scheme for untraceable electronic cash, in which the bank involvement in the payment transaction between a user and a receiver is eliminated. The user withdraws electronic “coins” from the bank and uses them to pay to a receiver. The receiver subsequently deposits the coins back to the bank. In the process the user remains anonymous, unless s/he spends a single coin more than once (double spend). The security of the system is based on DLA (Discrete Logarithm Assumption) and the cut-and-choose methodology. Keywords: Electronic-cash, Hash function, Random or