Bounds on the Efficiency of Encryption and Digital Signatures
2002
A central focus of modern cryptography is to investigate the weakest possible assumptions under which various cryptographic algorithms exist. Typically, a proof that a "weak" primitive (e.g., a one-way function) implies the existence of some "strong" algorithm (e.g., a private-key encryption scheme) proceeds by giving an explicit construction of the latter from the former. Beyond merely showing such a construction, an equally important research direction is to explore the efficiency of the construction. One might argue that this line of research has become even more important now that minimal assumptions are known for many (but not all) algorithms of interest.
Concealment and its applications to authenticated encryption
In EUROCRYPT 2003, 2003
Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "nontrivial" concealment. We show that nontrivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed
Second Preimage Attacks on Dithered Hash Functions
Abstract. We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the previously known attack, but allow enormously more control of the contents of the second preimage found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup's UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, including sequences which are much stronger than those in Rivest's proposals. Finally, we show that both the existing second preimage attacks [8,16] and our new attack can be applied even more efficiently to multiple target messages; in general, given a set of many target messages with a total of 2^R message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target message of 2^R message blocks.
Domain Extenders for UOWHF: A Generic Lower Bound on Key Expansion And Finite Binary Tree Algorithm
2003
We obtain a generic lower bound on the key expansion required for securely extending the domain of a UOWHF. Our lower bound holds over a large class of "natural" domain extending algorithms. A consequence of our result is the fact that the key length expansion in Shoup's algorithm is optimal for this class. Our second contribution is to obtain a finite binary tree algorithm to extend the domain of a UOWHF. The associated key length expansion is only a constant number of bits more than the minimum possible. Our finite binary tree algorithm is the first practical parallel algorithm to securely extend the domain of a UOWHF. Also the speedup obtained by our algorithm is approximately proportional to the number of processors.
Getting the Best Out of Existing Hash Functions or What if We Are Stuck with SHA?
Applied Cryptography and Network Security – ACNS '08, LNCS, 2008
Cascade chaining is a very efficient and popular mode of operation for building various kinds of cryptographic hash functions. In particular, it is the basis of the most heavily utilized SHA function family. Recently, many researchers pointed out various practical and theoretical deficiencies of this mode, which resulted in a renewed interest in building specialized modes of operations and new hash functions with better security. Unfortunately, it appears unlikely that a new hash function (say, based on a new mode of operation) would be widely adopted before being standardized, which is not expected to happen in the foreseeable future. Instead, it seems likely that practitioners would continue to use the cascade chaining, and the SHA family in particular, and try to work around the deficiencies mentioned above. In this paper we provide a thorough treatment of how to soundly design a secure hash function H′ from a given cascade-based hash function H for various cryptographic applications, such as collision-resistance, one-wayness, pseudorandomness, etc. We require each proposed construction of H′ to satisfy the following "axioms". 1. The construction should consist of one or two "black-box" calls to H. 2. In particular, one is not allowed to know/use anything about the internals of H, such as modifying the initialization vector or affecting the value of the chaining variable. 3. The construction should support variable-length inputs. 4. Compared to a single evaluation of H(M), the evaluation of H′(M) should make at most a fixed (small constant) number of extra calls to the underlying compression function of H. In other words, the efficiency of H′ is negligibly close to that of H. We discuss several popular modes of operation satisfying the above axioms. For each such mode and for each given desired security requirement, we discuss the weakest requirement on the compression function of H which would make this mode secure. We also give the implications of these results for using existing hash functions SHA-x, where x ∈ {1, 224, 256, 384, 512}.
Universal One-Way Hash Functions via Inaccessible Entropy
2010
This paper revisits the construction of Universal One-Way Hash Functions (UOWHFs) from any one-way function due to Rompel (STOC 1990). We give a simpler construction of UOWHFs, which also obtains better efficiency and security. The construction exploits a strong connection to the recently introduced notion of inaccessible entropy (Haitner et al. STOC 2009). With this perspective, we observe that a small tweak of any one-way function f is already a weak form of a UOWHF: Consider F(x, i) that outputs the i-bit long prefix of f(x). If F were a UOWHF then given a random x and i it would be hard to come up with x′ ≠ x such that F(x, i) = F(x′, i). While this may not be the case, we show (rather easily) that it is hard to sample x′ with almost full entropy among all the possible such values of x′. The rest of our construction simply amplifies and exploits this basic property. With this and other recent works, we have that the constructions of three fundamental cryptographic primitives (Pseudorandom Generators, Statistically Hiding Commitments and UOWHFs) out of one-way functions are to a large extent unified. In particular, all three constructions rely on and manipulate computational notions of entropy in similar ways. Pseudorandom Generators rely on the well-established notion of pseudoentropy, whereas Statistically Hiding Commitments and UOWHFs rely on the newer notion of inaccessible entropy.
A Three-Property-Secure Hash Function
Abstract. This paper proposes a new hash construction based on the widely used Merkle-Damgård (MD) iteration [Mer90,Dam90]. It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security. We show property preservation for the first two properties in the standard security model and the third Pre security property is proved in the random oracle model. Similar to earlier known hash constructions that achieve a form of Sec (eSec [RS04]) property preservation [BR97,Sho00], we make use of fixed key material in the iteration. But while these hashes employ keys of size at least logarithmic in the message length (in blocks), we only need a small constant key size. Another advantage of our construction is that the underlying compression function is instantiated as a keyless primitive. The Sec security of our hash scheme, however, relies heavily on the standard definitional assumption that the target messages are sufficiently random. An example of a practical application that requires Sec security and satisfies this definitional premise on the message inputs is the popular Cramer-Shoup encryption scheme [CS03]. Still, in practice we have other hashing applications where the target messages are not sampled from spaces with uniform distribution. And while our scheme is Sec preserving for uniform message distributions, we show that this is not always the case for other distributions.
Efficient Threshold and Proactive Cryptography Secure against the Adaptive Adversary (Extended Abstract)
1999
A threshold cryptosystem or signature scheme is a system with n participants where an honest majority can successfully decrypt a message or issue a signature, but where the security and functionality properties of the system are retained even as the adversary corrupts up to t players. The natural adversary one can imagine in this setting is the adaptive adversary, i.e. one that chooses which player to corrupt at which step based on all the information available to it at that step. Recently, Canetti et al. [CGJ99] showed how to implement threshold DSS and RSA secure against such an adversary. We extend their contribution in two main directions: (1) for the first time in threshold cryptography, we propose practical distributed cryptographic systems that are secure against the adaptive adversary in the concurrent setting; and (2) we propose simple and clean methods for achieving security against the adaptive adversary. Our new techniques allow us to implement the threshold version of the Cramer-Shoup cryptosystem such that it withstands active attacks from the adaptive adversary. This is the most secure known practical threshold cryptosystem, since the underlying Cramer-Shoup [CS98] cryptosystem is secure against adaptive chosen ciphertext attack. We note that our techniques apply to transforming virtually any discrete-logarithm-based cryptosystem into its threshold counterpart secure against the adaptive adversary.
New Parallel Domain Extenders for UOWHF
Lecture Notes in Computer Science
Abstract. We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is a complete binary tree based construction and has less key length expansion than Sarkar's construction, which is the previously best known complete binary tree based construction. But the only disadvantage is that here we need more key length expansion than that of Shoup's sequential algorithm. But it is not too large, as in all practical situations we need just two more masks than Shoup's. Our second algorithm is based on a non-complete l-ary tree and has the same optimal key length expansion as Shoup's, which has the most efficient key length expansion known so far. Using the recent result [9], we can also prove that the key length expansion of this algorithm and Shoup's sequential algorithm are the minimum possible for any algorithms in a large class of "natural" domain extending algorithms. But its parallelizability performance is less efficient than complete tree based constructions. However, if l is getting larger, then the parallelizability of the construction is also getting near to that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.
ACE: The Advanced Cryptographic Engine
Revised, August 2000
This document describes the Advanced Cryptographic Engine (ACE). It specifies a public key encryption scheme as well as a digital signature scheme with enough detail to ensure interoperability between different implementations. These schemes are almost as efficient as commercially used schemes, yet unlike such schemes, can be proven secure under reasonable and well-defined intractability assumptions. A concrete security analysis of both schemes is presented.