Results 1  10
of
118
Blackbox analysis of the blockcipherbased hashfunction constructions from pgv
 In Advances in Cryptology – CRYPTO ’02 (2002
, 2002
"... Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 sc ..."
Abstract

Cited by 114 (15 self)
 Add to MetaCart
(Show Context)
Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 schemes were shown to be subject to various attacks. Here we provide a formal and quantitative treatment of the 64 constructions considered by PGV. We prove that, in a blackbox model, the 12 schemes that PGV singled out as secure really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the MerkleDamg˚ard approach to analysis, we show that an additional 8 of the 64 schemes are just as collision resistant (up to a small constant) as the first group of schemes. Nonetheless, we are able to differentiate among the 20 collisionresistant schemes by bounding their security as oneway functions. We suggest that proving blackbox bounds, of the style given here, is a feasible and useful step for understanding the security of any blockcipherbased hashfunction construction. 1
MultiPropertyPreserving Hash Domain Extension and the EMD Transform
 Advances in Cryptology – ASIACRYPT 2006
, 2006
"... Abstract We point out that the seemingly strong pseudorandom oracle preserving (PROPr) propertyof hash function domainextension transforms defined and implemented by Coron et. al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash functionthat fails to be ..."
Abstract

Cited by 63 (7 self)
 Add to MetaCart
(Show Context)
Abstract We point out that the seemingly strong pseudorandom oracle preserving (PROPr) propertyof hash function domainextension transforms defined and implemented by Coron et. al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash functionthat fails to be even collisionresistant (CR) even though the compression function to which the transform is applied is CR. Not only is this true in general, but we show that all the transformspresented in [12] have this weakness. We suggest that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multiproperty preserving, namelythat one should have a single transform that is simultaneously at least collisionresistance preserving, pseudorandom function preserving and PROPr. We present an efficient new transformthat is proven to be multiproperty preserving in this sense.
Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles
, 2008
"... We strengthen the foundations of deterministic publickey encryption via definitional equivalences and standardmodel constructs based on general assumptions. Specifically we consider seven notions of privacy for deterministic encryption, including six forms of semantic security and an indistinguish ..."
Abstract

Cited by 36 (9 self)
 Add to MetaCart
We strengthen the foundations of deterministic publickey encryption via definitional equivalences and standardmodel constructs based on general assumptions. Specifically we consider seven notions of privacy for deterministic encryption, including six forms of semantic security and an indistinguishability notion, and show them all equivalent. We then present a deterministic scheme for the secure encryption of uniformly and independently distributed messages based solely on the existence of trapdoor oneway permutations. We show a generalization of the construction that allows secure deterministic encryption of independent highentropy messages. Finally we show relations between deterministic and standard (randomized) encryption.
From identification to signatures via the FiatShamir transform: Minimizing assumptions for security and forwardsecurity
 Proceedings of Eurocrypt 2002, volume 2332 of LNCS
, 2002
"... The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, ..."
Abstract

Cited by 34 (6 self)
 Add to MetaCart
(Show Context)
The FiatShamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forwardsecure signature schemes. In this paper, minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forwardsecure cases. Specifically, it is shown that the signature scheme is secure (resp. forwardsecure) against chosenmessage attacks in the random oracle model if and only if the underlying identification scheme is secure (resp. forwardsecure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the FiatShamir transform so that the commitment space assumption may be removed. Keywords: Signature schemes, identification schemes, FiatShamir transform, forward security,
Béguelin, S.: Computeraided security proofs for the working cryptographer
 In: Advances in Cryptology – CRYPTO 2011. Lecture Notes in Computer Science
, 2011
"... Abstract. We present EasyCrypt, an automated tool for elaborating security proofs of cryptographic systems from proof sketches—compact, formal representations of the essence of a proof as a sequence of games and hints. Proof sketches are checked automatically using offtheshelf SMT solvers and auto ..."
Abstract

Cited by 29 (15 self)
 Add to MetaCart
Abstract. We present EasyCrypt, an automated tool for elaborating security proofs of cryptographic systems from proof sketches—compact, formal representations of the essence of a proof as a sequence of games and hints. Proof sketches are checked automatically using offtheshelf SMT solvers and automated theorem provers, and then compiled into verifiable proofs in the CertiCrypt framework. The tool supports most common reasoning patterns and is significantly easier tousethanits predecessors. Weargue thatEasyCryptisaplausible candidate foradoption by working cryptographers and illustrate its application to security proofs of the CramerShoup and Hashed ElGamal cryptosystems. Keywords: Provable security, verifiable security, gamebased proofs, CramerShoup cryptosystem,
OrderPreserving Symmetric Encryption
"... We initiate the cryptographic study of orderpreserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al. (SIGMOD ’04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard securi ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
(Show Context)
We initiate the cryptographic study of orderpreserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al. (SIGMOD ’04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosenplaintext attack (INDCPA) is unachievable by a practical OPE scheme. Instead, we propose a security notion in the spirit of pseudorandom functions (PRFs) and related primitives asking that an OPE scheme look “asrandomaspossible ” subject to the orderpreserving constraint. We then design an efficient OPE scheme and prove its security under our notion based on pseudorandomness of an underlying blockcipher. Our construction is based on a natural relation we uncover between a random orderpreserving function and the hypergeometric probability distribution. In particular, it makes blackbox use of an efficient sampling algorithm for the latter. 1
FormatPreserving Encryption
"... Abstract. Formatpreserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid creditcard number into a valid creditcard number. The problem has been known for some time, but it has lacked a fully general and rigorous ..."
Abstract

Cited by 20 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Formatpreserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid creditcard number into a valid creditcard number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rankthenencipher ” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cyclewalking approach for enciphering on a nonsparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak. 1
Pseudorandom Functions and Permutations Provably Secure Against RelatedKey Attacks
, 2010
"... This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversa ..."
Abstract

Cited by 19 (4 self)
 Add to MetaCart
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversaryspecified ways. Based on the NaorReingold PRF we obtain an RKAPRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversaryspecified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, nonstandard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKAPRFs including a DLINbased one derived from the LewkoWaters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKAsecurity; it is visibly important for abuseresistant cryptography; and it helps protect against faultinjection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofsofconcept
Cryptographic agility and its relation to circular encryption
, 2010
"... We initiate a provablesecurity treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unr ..."
Abstract

Cited by 17 (3 self)
 Add to MetaCart
(Show Context)
We initiate a provablesecurity treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unrelated but challenging questions. The first, new to this paper, is whether wPRFs (weakPRFs) are agile. The second, already posed several times in the literature, is whether every secure (INDR) encryption scheme is secure when encrypting cycles. We resolve the second question in the negative and thereby the first as well. We go on to provide a comprehensive treatment of agility, with definitions for various different primitives. We explain the practical motivations for agility. We provide foundational results that show to what extent it is achievable and practical constructions to achieve it to the best extent possible. On the theoretical side our work uncovers new notions and relations and settles stated open questions, and on the practical side it serves to
Building a collisionresistant compression function from noncompressing primitives
 In ICALP 2008, Part II
, 2008
"... Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three ..."
Abstract

Cited by 17 (3 self)
 Add to MetaCart
Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three independent nton bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2 n/2 /n c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixedkey ideal cipher in DaviesMeyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collisionresistant compression function from noncompressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single noncompressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.