Results 1 
8 of
8
This is the full Pseudorandom Functions and Permutations Provably Secure Against RelatedKey Attacks
, 2010
"... This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversa ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversaryspecified ways. Based on the NaorReingold PRF we obtain an RKAPRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversaryspecified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, nonstandard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKAPRFs including a DLINbased one derived from the LewkoWaters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKAsecurity; it is visibly important for abuseresistant cryptography; and it helps protect against faultinjection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofsofconcept
S.: HMAC is a randomness extractor and applications to TLS
, 2008
"... Abstract. In this paper, we study the security of a practical randomness extractor and its application in the tls standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
Abstract. In this paper, we study the security of a practical randomness extractor and its application in the tls standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More precisely, we wonder if the Hmac function, used in many standards, can be considered as a randomness extractor? We show that when the shared secret is put in the key space of the Hmac function, there are two cases to consider depending on whether the key is larger than the blocklength of the hash function or not. In both cases, we provide a formal proof that the output is pseudorandom, but under different assumptions. Nevertheless, all the assumptions are related to the fact that the compression function of the underlying hash function behaves like a pseudorandom function. This analysis allows us to prove the tls randomness extractor for DiffieHellman and RSA key exchange. Of independent interest, we study a computational analog to the leftover hash lemma for computational almost universal hash function families: any pseudorandom function family matches the latter definition. 1
Efficient pseudorandom generators based on the ddh assumption, ePrint 2006/321
 In PKC 2007, volume ???? of LNCS
, 2007
"... Abstract. A family of pseudorandom generators based on the decisional DiffieHellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
Abstract. A family of pseudorandom generators based on the decisional DiffieHellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insecure, the modified version is provably secure and very efficient in comparison with the other pseudorandom generators based on discrete log assumptions. Our generator can be based on any group of prime order provided that an additional requirement is met (i.e., there exists an efficiently computable function that in some sense enumerates the elements of the group). Two specific instances are presented. The techniques used to design the instances, for example, the new probabilistic randomness extractor are of independent interest for other applications. 1
Optimal randomness extraction from a DiffieHellman element
 EUROCRYPT 2009, volume 5479 of LNCS
, 2009
"... Abstract. In this paper, we study a quite simple deterministic randomness extractor from random DiffieHellman elements defined over a prime order multiplicative subgroup G of a finite field Zp (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Inform ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Abstract. In this paper, we study a quite simple deterministic randomness extractor from random DiffieHellman elements defined over a prime order multiplicative subgroup G of a finite field Zp (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in G ⊂ Z ∗ p or of the abscissa of a random point in E(Fp) are indistinguishable from a uniform bitstring. Such an operation is quite efficient, and is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can do for most Elliptic Curve parameters and for large subgroups of finite fields. To this aim, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with previous known results proposed at ICALP’06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al. One of the main application of this extractor is to mathematically prove an assumption proposed at Crypto ’07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by the NIST. The second most obvious application is to perform efficient key derivation given DiffieHellman elements. 1
HMAC is a Randomness Extractor and Applications to TLS ABSTRACT
"... In this paper, we study the security of a practical randomness extractor and its application in the tls standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More precisely ..."
Abstract
 Add to MetaCart
In this paper, we study the security of a practical randomness extractor and its application in the tls standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More precisely, we wonder if the Hmac function, used in many standards, can be considered as a randomness extractor? We show that when the shared secret is put in the key space of the Hmac function, there are two cases to consider depending on whether the key is larger than the blocklength of the hash function or not. In both cases, we provide a formal proof that the output is pseudorandom, but under different assumptions. Nevertheless, all the assumptions are related to the fact that the compression function of the underlying hash function behaves like a pseudorandom function. This analysis allows us to prove the tls randomness extractor for DiffieHellman and RSA key exchange. Of independent interest, we study a computational analog to the leftover hash lemma for computational almost universal hash function families: any pseudorandom function family matches the latter definition.
Strong Designated Verifier Signature in a Multiuser Setting
"... The security of strong designated verifier (SDV) signature schemes has thus far been analyzed only in a twouser setting. We observe that security in a twouser setting does not necessarily imply the same in a multiuser setting for SDV signatures. Moreover, we show that existing security notions do ..."
Abstract
 Add to MetaCart
The security of strong designated verifier (SDV) signature schemes has thus far been analyzed only in a twouser setting. We observe that security in a twouser setting does not necessarily imply the same in a multiuser setting for SDV signatures. Moreover, we show that existing security notions do not adequately model the security of SDV signatures even in a twouser setting. We then propose revised notions of security in a multiuser setting and show that no existing scheme satisfies these notions. A new SDV signature scheme is then presented and proven secure under the revised notions in the standard model. For the purpose of constructing the SDV signature scheme, we propose a onepass key establishment protocol in the standard model, which is of independent interest in itself.
Efficient Simultaneous Broadcast
"... We present an efficient simultaneous broadcast protocol νSimCast that allows n players to announce independently chosen values, even if up to t < n players are corrupt. Independence is guaranteed in the partially syn2 chronous communication model, where communication is structured into rounds, whi ..."
Abstract
 Add to MetaCart
We present an efficient simultaneous broadcast protocol νSimCast that allows n players to announce independently chosen values, even if up to t < n players are corrupt. Independence is guaranteed in the partially syn2 chronous communication model, where communication is structured into rounds, while each round is asynchronous. The νSimCast protocol is more efficient than previous constructions. For repeated executions, we reduce the communication and computation complexity by a factor O(n). Combined with a deterministic extractor, νSimCast provides a particularly efficient solution for distributed coinflipping. The protocol does not require any zeroknowledge proofs and is shown to be secure in the standard model under the Decisional Diffie Hellman assumption.
Randomness Extraction in finite fields Fp n
"... Abstract. Many technics for randomness extraction over finite fields was proposed by various authors such as Fouque et al. and Carneti et al.. At eurocrypt’09, these previous works was improved by Chevalier et al., over a finite field Fp, where p is a prime. But their papers don’t study the case whe ..."
Abstract
 Add to MetaCart
Abstract. Many technics for randomness extraction over finite fields was proposed by various authors such as Fouque et al. and Carneti et al.. At eurocrypt’09, these previous works was improved by Chevalier et al., over a finite field Fp, where p is a prime. But their papers don’t study the case where the field is not prime such as binary fields. In this paper, we present a deterministic extractor for a multiplicative subgroup of F ∗ pn, where p is a prime. In particular, we show that the kfirst F2coefficients of a random element in a subgroup of F ∗ 2n are indistinguishable from a random bitstring of the same length. Hence, under the Decisional DiffieHellman assumption over binary fields, one can deterministically derive a uniformly random bitstring from a DiffieHellman key exchange in the standard model. Over Fp, Chevalier et al. use the ”PolyaVinogradov inequality ” to bound incomplete character sums but over F ∗ pn we use ”Winterhof inequality ” to bound incomplete character sums. Our proposition is a good deterministic extractor even if the length of its output is less than those one can have with the leftover hash lemma and universal hash functions. Our extractor can be used in any cryptographic protocol or encryption schemes.