Results 11-20 of 75
Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
Advances in Cryptology - EUROCRYPT '98 Proceedings, 1998
Cited by 24 (3 self)
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let E: {0,1}^n × {0,1}^n → {0,1}^n be the block cipher. Then we can construct the PRF F from the PRP E by setting F(k, x) = E(E(k, x), x). We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.
Stronger security bounds for Wegman-Carter-Shoup authenticators
In EUROCRYPT, 2005
Cited by 22 (3 self)
Shoup proved that various message-authentication codes of the form (n, m) ↦ h(m) + f(n) are secure against all attacks that see at most √(1/ɛ) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ɛ is a differential probability associated with h. Shoup's result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n, m) ↦ h(m) + AES_k(n) are secure up to √(1/ɛ) authenticated messages. Unfortunately, √(1/ɛ) is only about 2^50 for some state-of-the-art systems, so Shoup's result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to √#G authenticated messages. In a typical state-of-the-art system, √#G is 2^64. The heart of the paper is a very general "one-sided" security theorem: (n, m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f. Keywords: mode of operation, authentication, MAC, Wegman-Carter, provable security
HCTR: A variable-input-length enciphering mode
In Information Security and Cryptology, 2005
Cited by 20 (0 self)
This paper proposes a block-cipher mode of operation, HCTR, which is a length-preserving encryption mode. HCTR turns an n-bit block cipher into a tweakable block cipher that supports arbitrary variable input length of no less than n bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweakable pseudorandom permutation (SPRP) when the underlying block cipher is a strong pseudorandom permutation (SPRP). HCTR is shown to be a very efficient mode of operation when some precomputations are taken into consideration. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption and other length-preserving encryptions, especially for messages whose length is not a multiple of n bits.
How to Stretch Random Functions: The Security of Protected Counter Sums
Journal of Cryptology, 1999
Cited by 19 (7 self)
Let f be an unpredictable random function taking (b + c)-bit inputs to b-bit outputs. This paper presents an unpredictable random function f' taking variable-length inputs to b-bit outputs. This construction has several advantages over chaining, which was proven unpredictable by Bellare, Kilian, and Rogaway, and cascading, which was proven unpredictable by Bellare, Canetti, and Krawczyk. The highlight here is a very simple proof of security.
On-Line Ciphers and the Hash-CBC constructions
Advances in Cryptology - CRYPTO 2000. Lecture Notes in Computer Science, 2001
Cited by 16 (2 self)
We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the i-th block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.
Remote Data Checking for Network Coding-based Distributed Storage Systems
In the Proceedings of ACM CCSW 2010, 2010
Cited by 15 (1 self)
Remote Data Checking (RDC) is a technique by which clients can establish that data outsourced at untrusted servers remains intact over time. RDC is useful as a prevention tool, allowing clients to periodically check if data has been damaged, and as a repair tool whenever damage has been detected. Initially proposed in the context of a single server, RDC was later extended to verify data integrity in distributed storage systems that rely on replication and on erasure coding to store data redundantly at multiple servers. Recently, a technique was proposed to add redundancy based on network coding, which offers interesting trade-offs because of its remarkably low communication overhead to repair corrupt servers. Unlike previous work on RDC, which focused on minimizing the costs of the prevention phase, we take a holistic look and initiate the investigation of RDC schemes for distributed systems that rely on network coding to minimize the combined costs of both the prevention and repair phases. We propose RDC-NC, a novel secure and efficient RDC scheme for network coding-based distributed storage systems. RDC-NC mitigates new attacks that stem from the underlying principle of network coding. The scheme is able to preserve in an adversarial setting the minimal communication overhead of the repair component achieved by network coding in a benign setting. We implement our scheme and experimentally show that it is computationally inexpensive for both clients and servers.
Verifying distributed erasure-coded data
In Proceedings of the 26th ACM Symposium on Principles of Distributed Computing, 2007
Cited by 13 (1 self)
Erasure coding can reduce the space and bandwidth overheads of redundancy in fault-tolerant data storage and delivery systems. But it introduces the fundamental difficulty of ensuring that all erasure-coded fragments correspond to the same block of data. Without such assurance, a different block may be reconstructed from different subsets of fragments. This paper develops a technique for providing this assurance without the bandwidth and computational overheads associated with current approaches. The core idea is to distribute with each fragment what we call homomorphic fingerprints. These fingerprints preserve the structure of the erasure code and allow each fragment to be independently verified as corresponding to a specific block. We demonstrate homomorphic fingerprinting functions that are secure, efficient, and compact.
Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions
Cited by 12 (5 self)
We present several constructions of tweakable enciphering schemes which use a single encryption layer between two layers of universal hash function computation. The earliest known construction of this type is due to Naor and Reingold, where the encryption layer is the electronic codebook mode. A more recent work of this type is TET, due to Halevi at Crypto 2007. We present a new construction Ψ of an invertible block-wise almost universal hash function. Using this we construct a tweakable enciphering scheme HEH. For variable-length messages HEH has better efficiency than TET, while for fixed-length messages HEH provides better key agility. HEH can only handle messages whose lengths are multiples of the block length. To tackle this, we define variants of Ψ and present a construction HEH* which can handle partial blocks. We show that the basic universal hash function can be combined with the counter mode of operation and the output feedback (OFB) mode to obtain new tweakable enciphering schemes of the hash-Ctr-hash and the hash-OFB-hash type. The hash-Ctr-hash type construction improves upon previous work, while the hash-OFB-hash construction is the first proposal using the OFB mode. An important feature of our work is to show that a new class of polynomials defined by Bernstein can be used to construct the universal hash function. This results in an improvement of efficiency of the hashing layers by almost a factor of two. From a practical point of view, our constructions provide the currently best known algorithms for disk encryption protocols.
NEON crypto
Cited by 11 (4 self)
NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800 MHz Cortex A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.