Results 1  10
of
18
Encodethenencipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography
"... We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resu ..."
Abstract

Cited by 64 (24 self)
 Add to MetaCart
We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (eg. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (eg. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encodethenencipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.
Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation
 In FSE ’00
, 1978
"... Abstract. We find certain neglected issues in the study of privatekey encryption schemes. For one, privatekey encryption is generally held to the same standard of security as publickey encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the imp ..."
Abstract

Cited by 38 (2 self)
 Add to MetaCart
Abstract. We find certain neglected issues in the study of privatekey encryption schemes. For one, privatekey encryption is generally held to the same standard of security as publickey encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for privatekey encryption called encryption unforgeability which captures an adversary’s inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33 % more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128bit blocksize), it has highly parallelizable encryption and decryption operations.
Ciphers with Arbitrary Finite Domains
, 2002
"... Abstract. We explore the problem of enciphering members of a finite set M where k = M  is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N =2 n, for some n). We look at a few solutions to t ..."
Abstract

Cited by 37 (7 self)
 Add to MetaCart
Abstract. We explore the problem of enciphering members of a finite set M where k = M  is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N =2 n, for some n). We look at a few solutions to this problem, focusing on the case when M =[0,k − 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higherlevel protocols.
The Security of AllorNothing Encryption: Protecting against Exhaustive Key Search
 In Advances in Cryptology – CRYPTO ’00 (2000
, 2000
"... Abstract. We investigate the allornothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an allornothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the addit ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
Abstract. We investigate the allornothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an allornothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive keysearch attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this keysearch resistance property. We suggest a new characterization of AONTs and establish that the resulting allornothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the allornothing encryption paradigm. We describe a simple blockcipherbased AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above keysearch resistance property. 1
Mercy: A fast large block cipher for disk sector encryption
 Proc. Fast Software Encryption 2000, LNCS 1978
, 2000
"... Abstract. We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway’s 1999 proposal, proposing a new quantitative ..."
Abstract

Cited by 21 (0 self)
 Add to MetaCart
Abstract. We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway’s 1999 proposal, proposing a new quantitative measure of avalanche. To address these needs, we present Mercy, a new block cipher accepting large (4096bit) blocks, which uses a keydependent state machine to build a bijective F function for a Feistel cipher. Mercy achieves 9 cycles/byte on a Pentium compatible processor.
AESCBC + Elephant diffuser: A disk encryption algorithm for Windows Vista
 TECHNICAL REPORT
, 2006
"... The Bitlocker Drive Encryption feature of Windows Vista poses an interesting set of security and performance requirements on the encryption algorithm used for the disk data. We discuss why no existing cipher satisfies the requirements of this application and document our solution which consists of u ..."
Abstract

Cited by 19 (0 self)
 Add to MetaCart
The Bitlocker Drive Encryption feature of Windows Vista poses an interesting set of security and performance requirements on the encryption algorithm used for the disk data. We discuss why no existing cipher satisfies the requirements of this application and document our solution which consists of using AES in CBC mode with a dedicated diffuser to improve the security against manipulation attacks.
New methods in hard disk encryption
, 2005
"... This work investigates the state of the art in hard disk cryptography. As the choice of the cipher mode is essential for the security of hard disk data, we discuss the recent cipher mode developments at two standardisation bodies, NIST and IEEE. It is a necessity to consider new developments, as the ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
This work investigates the state of the art in hard disk cryptography. As the choice of the cipher mode is essential for the security of hard disk data, we discuss the recent cipher mode developments at two standardisation bodies, NIST and IEEE. It is a necessity to consider new developments, as the most common cipher mode – namely CBC – has many security problems. This work devotes a chapter to the analysis of CBC weaknesses. Next to others, the main contributions of this work are (1) efficient algorithms for series of multiplications in a finite field (Galois Field), (2) analysis of the security of passwordbased cryptography with respect to low entropy attacks and (3) a design template for secure key management, namely TKS1. For the latter, it is assumed that key management has to be done on regular user hardware in the absence of any special security hardware like key tokens. We solve the problems arising from magnetic storage by introducing a method called antiforensic information splitter. This work is complemented by the presentation of a system implementing a variant
Concrete security characterizations of PRFs and PRPs: Reductions and applications
 ADVANCES IN CRYPTOLOGY—ASIACRYPT 2000, LECTURE NOTES IN COMPUTER SCIENCE
, 2000
"... We investigate several alternate characterizations of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) in a concrete security setting. By analyzing the concrete complexity of the reductions between the standard notions and the alternate ones, we show that the latter, while equivale ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
We investigate several alternate characterizations of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) in a concrete security setting. By analyzing the concrete complexity of the reductions between the standard notions and the alternate ones, we show that the latter, while equivalent under polynomialtime reductions, are weaker in the concrete security sense. With these alternate notions, we argue that it is possible to get better concrete security bounds for certain PRF/PRPbased schemes. As an example, we show how using an alternate characterization of a PRF could result in tighter security bounds for some types of message authentication codes. We also use this method to give a simple concrete security analysis of the counter mode of encryption. In addition, our results provide some insight into how injectivity impacts pseudorandomness.
Blockwise Adversarial Model for Online Ciphers and Symmetric Encryption Schemes
 In Selected Areas in Cryptography ’04, LNCS
, 2004
"... Abstract. This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow to encrypt messages even if the whole message is not known at the beginning of the encrypt ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Abstract. This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow to encrypt messages even if the whole message is not known at the beginning of the encryption. The new introduced adversaries better capture the online properties than classical ones. Indeed, in the new model, the adversaries are allowed to send messages blockbyblock to the encryption machine and receive the corresponding ciphertext blocks onthefly. This kind of attacker is called blockwise adversary and is stronger than standard one which treats messages as atomic objects. In this paper, we compare the two adversarial models for online encryption schemes. For probabilistic encryption schemes, we show that security is not preserved contrary to for deterministic schemes. We prove in appendix of the full version that in this last case, the two models are polynomially equivalent in the number of encrypted blocks. Moreover in the blockwise model, a polynomial number of concurrent accesses to encryption oracles have to be taken into account. This leads to the strongest security notion in this setting. Furthermore, we show that this notion is valid by exhibiting a scheme secure under this security notion. 1
On Message Integrity in Symmetric Encryption
, 2000
"... Distinct notions of message integrity (authenticity) for blockoriented symmetric encryption are defined by integrity goals to be achieved in the face of different types of attacks. These notions are partially ordered by a "dominance" relation. When chosenplaintext attacks are considered, ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Distinct notions of message integrity (authenticity) for blockoriented symmetric encryption are defined by integrity goals to be achieved in the face of different types of attacks. These notions are partially ordered by a "dominance" relation. When chosenplaintext attacks are considered, most integrity goals form a lattice. The lattice is extended when knownplaintext and ciphertextonly attacks are also included. The practical use of the dominance relation and lattice in defining the relative strength of different integrity notions is illustrated with common modes of encryption, such as the "infinite garble extension" modes, and simple, noncryptographic, manipulation detection code functions, such as bitwise exclusiveor and constant functions.