OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption (2001)

by Phillip Rogaway
Results 1 - 10 of 204

Authenticated encryption: Relations among notions and analysis of the generic composition paradigm

by Mihir Bellare, Chanathip Namprempre , 2000
Cited by 284 (23 self)

Citation Context

...ns of security that require protection against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC [32, 28, 29], OCB [44], XCBC [24], CCM [47], Helix [22], GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy-only sche...

Architectural Support for Copy and Tamper Resistant Software

by David Lie, Chandramohan Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell, Mark Horowitz , 2000
Cited by 279 (5 self)

Scalable and efficient provable data possession

by Roberto Di Pietro, Luigi V. Mancini, Gene Tsudik - Proceedings of SecureComm 2008
Cited by 158 (3 self)
Storage outsourcing is a rising trend which prompts a number of interesting security issues, many of which have been extensively investigated in the past. However, Provable Data Possession (PDP) is a topic that has only recently appeared in the research literature. The main issue is how to frequently, efficiently and securely verify that a storage server is faithfully storing its client’s (potentially very large) outsourced data. The storage server is assumed to be untrusted in terms of both security and reliability. (In other words, it might maliciously or accidentally erase hosted data; it might also relegate it to slow or off-line storage.) The problem is exacerbated by the client being a small computing device with limited resources. Prior work has addressed this problem using either public key cryptography or requiring the client to outsource its data in encrypted form. In this paper, we construct a highly efficient and provably secure PDP technique based entirely on symmetric key cryptography, while not requiring any bulk encryption. Also, in contrast with its predecessors, our PDP technique allows outsourcing of dynamic data, i.e., it efficiently supports operations, such as block modification, deletion and append.

Citation Context

...de (MAC) on the result. However, a less expensive alternative is to use a mode of operation for the cipher that provides authenticity in addition to privacy in a single pass, such as OCB, XCBC, IAPM, [17]. • AE⁻¹_key(·) – decryption operation for the scheme introduced above. • f_key(·) – pseudo-random function (PRF) indexed on some (usually secret) key. In practice, a “good” block cipher acts as a PR...

SANE: A Protection Architecture for Enterprise Networks

by Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman, Dan Boneh, Nick Mckeown, Scott Shenker - SECURITY '06 , 2006
Cited by 95 (19 self)
Connectivity in today’s enterprise networks is regulated by a combination of complex routing and bridging policies, along with various interdiction mechanisms such as ACLs, packet filters, and other middleboxes that attempt to retrofit access control onto an otherwise permissive network architecture. This leads to enterprise networks that are inflexible, fragile, and difficult to manage. To address these limitations, we offer SANE, a protection architecture for enterprise networks. SANE defines a single protection layer that governs all connectivity within the enterprise. All routing and access control decisions are made by a logically-centralized server that grants access to services by handing out capabilities (encrypted source routes) according to declarative access control policies (e.g., “Alice can access

Citation Context

...d update the DC’s network map. The only dynamic state maintained on each switch is a hash table of capability revocations, containing the Cap-IDs and their associated expiration times. We use OCB-AES [42] for capability construction and decryption with 128-bit keys. OCB provides both confidentiality and data integrity using a single pass over the data, while generating ciphertext that is exactly only ...

Formal Proofs for the Security of Signcryption

by Joonsang Baek, Ron Steinfeld, Yuliang Zheng - In PKC ’02 , 2002
Cited by 85 (3 self)
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.

Citation Context

...dentiality and authenticity was relatively more active in the symmetric setting. A series of research works appeared on using modes of block ciphers to give both message confidentiality and integrity [17, 25]. Also, security issues related to the composition of symmetric key encryption and message authentication code (MAC) were considered by Bellare and Namprempre [6]. They concluded that only “Encrypt-the...

Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC

by Phillip Rogaway , 2003
Cited by 80 (9 self)
We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K × {0, 1}^n → {0, 1}^n into a tweakable blockcipher...

Citation Context

...ed, our constructions, XE and XEX, add just a few machine instructions to the cost of computing E. We illustrate the use of these constructions by improving on the authenticated-encryption scheme OCB [15] and the message authentication code PMAC [4]. Tweakable blockciphers. Schroeppel [16] designed a blockcipher, Hasty Pudding, wherein the user supplies a non-secret spice and changing this spice produ...

MiniSec: a secure sensor network communication architecture

by Mark Luk, Ghita Mezzour, Adrian Perrig, Virgil Gligor - In Proc. of the 6th Int’l Conf. on Information Processing in Sensor Networks , 2007
Cited by 78 (1 self)
Secure sensor network communication protocols need to provide three basic properties: data secrecy, authentication, and replay protection. Secure sensor network link layer protocols such as Tiny-Sec [13] and ZigBee [28] enjoy significant attention in the community. However, TinySec achieves low energy consumption by reducing the level of security provided. In contrast, ZigBee enjoys high security, but suffers from high energy consumption. MiniSec is a secure network layer that obtains the best of both worlds: low energy consumption and high security. MiniSec has two operating modes, one tailored for single-source communication, and another tailored for multi-source broadcast communication. The latter does not require per-sender state for replay protection and thus scales to large networks. We present a publicly available implementation of MiniSec for the Telos platform, and experimental results demonstrate our low energy utilization.

The Security and Performance of the Galois/Counter Mode (GCM) of Operation

by David A. McGrew, John Viega - In INDOCRYPT, volume 3348 of LNCS , 2004
Cited by 71 (4 self)
The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.

Authenticated-encryption with associated-data

by Phillip Rogaway - In Proc. 9th CCS , 2002
Cited by 60 (18 self)
Keywords: Associated-data problem, authenticated-encryption, block-cipher usage, key separation, modes of operation, OCB.

Citation Context

... was the development of techniques that provide privacy+authenticity without using the generic composition paradigm. Beginning with Jutla [15] and continuing with Gligor et al. [9] and Rogaway et al. [22] there emerged new block-cipher modes that entwined privacy and authenticity in a single, compact mode. Such "integrated" authenticated-encryption (AE) schemes promised improved efficiency compared to...

Secure Hybrid Encryption from Weakened Key Encapsulation

by Dennis Hofheinz, Eike Kiltz , 2007
Cited by 57 (9 self)
We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated symmetric encryption. Constrained chosen-ciphertext security is a new security notion for KEMs that we propose. CCCA has less demanding security requirements than standard chosen-ciphertext (CCA) security (since it requires the adversary to have a certain plaintext-knowledge when making a decapsulation query) yet we can prove that CCCA is sufficient for secure hybrid encryption. Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security framework. It also has a very constructive appeal, which we demonstrate with a new encryption scheme whose security relies on a class of intractability assumptions that we show (in the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assumption. This appears to be the first practical public-key encryption scheme in the literature from an algebraic assumption strictly weaker than DDH.

Citation Context

...encryption is a quite general symmetric primitive and examples include "encrypt-then-mac" schemes (based on computationally secure primitives), and also more efficient single-pass schemes (see, e.g., [31]). This is reminiscent of the notion of "plaintext awareness" for public-key encryption [6] where it is infeasible for an adversary to come up with a valid ciphertext without being aware of the corr...


© 2007-2019 The Pennsylvania State University