Results 1 - 10 of 27
Number-theoretic constructions of efficient pseudorandom functions
In 38th Annual Symposium on Foundations of Computer Science, 1997
PORs: Proofs of retrievability for large files
In CCS ’07: Proceedings of the 14th ACM conference on Computer and communications security, 2007
Cited by 111 (8 self)
Abstract. In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or backup service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety. A POR may be viewed as a kind of cryptographic proof of knowledge (POK), but one specially designed to handle a large file (or bitstring) F. We explore POR protocols here in which the communication costs, number of memory accesses for the prover, and storage requirements of the user (verifier) are small parameters essentially independent of the length of F. In addition to proposing new, practical POR constructions, we explore implementation considerations and optimizations that bear on previously explored, related schemes. In a POR, unlike a POK, neither the prover nor the verifier need actually have knowledge of F. PORs give rise to a new and unusual security definition whose formulation is another contribution of our work. We view PORs as an important tool for semi-trusted online archives. Existing cryptographic techniques help users ensure the privacy and integrity of files they retrieve. It is also natural, however, for users to want to verify that archives do not delete or modify files prior to retrieval. The goal of a POR is to accomplish these checks without users having to download the files themselves. A POR can also provide quality-of-service guarantees, i.e., show that a file is retrievable within a certain time bound. Key words: storage systems, storage security, proofs of retrievability, proofs of knowledge
On Memory-Bound Functions for Fighting Spam
In Crypto, 2002
Cited by 82 (2 self)
In 1992, Dwork and Naor proposed that email messages be accompanied by easy-to-check proofs of computational effort in order to discourage junk email, now known as spam. They proposed specific CPU-bound functions for this purpose. Burrows suggested that, since memory access speeds vary across machines much less than do CPU speeds, memory-bound functions may behave more equitably than CPU-bound functions; this approach was first explored by Abadi, Burrows, Manasse, and Wobber [8].
On cryptographic assumptions and challenges
In Proceedings of IACR CRYPTO, 2003
Cited by 54 (2 self)
Abstract. We deal with computational assumptions needed in order to design secure cryptographic schemes. We suggest a classification of such assumptions based on the complexity of falsifying them (in case they happen not to be true) by creating a challenge (competition) to their validity. As an outcome of this classification we propose several open problems regarding cryptographic tasks that currently do not have a good challenge of that sort. The most outstanding one is the design of an efficient block ciphers. 1 The Main Dilemma Alice and Bob are veteran cryptographers (see Diffie [15] for their history; apparently RSA [38] is their first cooperation). One day, while Bob is sitting in his office his colleague Alice enters and says: “I have designed a new signature scheme. It has an 120 bits long public key and the signatures are 160 bits long”. That’s fascinating, says Bob, but what computational assumption is it based on? Well, says Alice, it is based on a new trapdoor permutation fk and a new hash function h and the assumption that after given fk (but not the trapdoor information) and many pairs of the form (mi, f −1
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions
1995
Cited by 42 (10 self)
A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudorandom functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudorandom functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
A formal treatment of onion routing
In Advances in Cryptology—CRYPTO 2005, Lecture Notes in Computer Science 3621, 2005
Cited by 38 (0 self)
Abstract. Anonymous channels are necessary for a multitude of privacy-protecting protocols. Onion routing is probably the best known way to achieve anonymity in practice. However, the cryptographic aspects of onion routing have not been sufficiently explored: no satisfactory definitions of security have been given, and existing constructions have only had ad-hoc security analysis for the most part. We provide a formal definition of onion-routing in the universally composable framework, and also discover a simpler definition (similar to CCA2 security for encryption) that implies security in the UC framework. We then exhibit an efficient and easy to implement construction of an onion routing scheme satisfying this definition.
Cryptographic Hash Functions: A Survey
1995
Cited by 37 (7 self)
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principles and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
Derandomized constructions of k-wise (almost) independent permutations
In Proceedings of the 9th Workshop on Randomization and Computation (RANDOM), 2005
Cited by 19 (3 self)
Abstract. Constructions of k-wise almost independent permutations have been receiving a growing amount of attention in recent years. However, unlike the case of k-wise independent functions, the size of previously constructed families of such permutations is far from optimal. This paper gives a new method for reducing the size of families given by previous constructions. Our method relies on pseudorandom generators for space-bounded computations. In fact, all we need is a generator, that produces "pseudorandom walks" on undirected graphs with a consistent labelling. One such generator is implied by Reingold's logspace algorithm for undirected connectivity [35, 36]. We obtain families of k-wise almost independent permutations, with an optimal description length, up to a constant factor. More precisely, if the distance from uniform for any k tuple should be at most δ, then the size of the description of a permutation in the family is O(kn + log(1/δ)). 1 Introduction In explicit constructions of pseudorandom objects, we are interested in simulating a large random object using a succinct one and would like to capture some essential properties of the former. A natural way to phrase such a requirement is via limited access. Suppose the object that we are interested in simulating is a random function f: {0, 1}^n → {0, 1}^n and we want to come up with a small family of functions G that simulates it. The k-wise independence requirement in this case is that a function g chosen at random from G be completely indistinguishable from a function f chosen at random from the set of all functions, for any process that receives the value of either
From unpredictability to indistinguishability: A simple construction of pseudorandom functions from MACs
Advances in Cryptology - CRYPTO '98, LNCS, 1998
Cited by 18 (7 self)
Abstract. This paper studies the relationship between unpredictable functions (which formalize the concept of a MAC) and pseudorandom functions. We show an efficient transformation of the former to the latter using a unique application of the Goldreich-Levin hardcore bit (taking the inner-product with a random vector r): While in most applications of the GL-bit the random vector r may be public, in our setting this is not the case. The transformation is only secure when r is secret and treated as part of the key. In addition, we consider weaker notions of unpredictability and their relationship to the corresponding notions of pseudorandomness. Using these weaker notions we formulate the exact requirements of standard protocols for private-key encryption, authentication and identification. In particular, this implies a simple construction of a private-key encryption scheme from the standard challenge-response identification scheme.
Provable security of KASUMI and 3GPP encryption mode f8
Proceedings of ASIACRYPT 2001, LNCS 2248, 2001
Cited by 14 (0 self)
Abstract. Within the security architecture of the 3GPP system there is a standardised encryption mode f8 based on the block cipher KASUMI. In this work we examine the pseudorandomness of the block cipher KASUMI and the provable security of f8. First we show that the three round KASUMI is not a pseudorandom permutation ensemble but the four round KASUMI is a pseudorandom permutation ensemble under the adaptive distinguisher model by investigating the properties of the round functions in a clear way. Second we provide the upper bound on the security of f8 mode under the reasonable assumption from the first result by means of the left-or-right security notion.