## Ciphers with Arbitrary Finite Domains (2002)


Citations: 35 (7 self)

### BibTeX

@INPROCEEDINGS{Black02cipherswith,
    author = {John Black and Phillip Rogaway},
    title = {Ciphers with Arbitrary Finite Domains},
    booktitle = {},
    year = {2002},
    pages = {114--130},
    publisher = {Springer}
}

### Abstract

We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k − 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.

### Citations

835 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...r right away what is the security goal that we are after. Let's do this by way of an example. Suppose once again that you want to encipher numbers between one and a million: M = [1, 10^6]. Following [6, 2], we imagine two games. In the first game one chooses a random key K from K and hands to an adversary an oracle E_K(). In the second game one chooses a random permutation on [1, 10^6] and hands the ...

633 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context .... They use what is essentially our "Method 2," internally iterating the cipher until a proper domain point is reached. Our notion of a pseudorandom function is due to Goldreich, Goldwasser and Micali [5]. Pseudorandom permutations are defined and constructed by Luby and Rackoff [8]. We use the adaptation of these notions to deal with finite objects, which first appears in Bellare, Kilian and Rogaway [2]. 2...

353 | Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks
- Bellovin, Merritt
- 1992
Citation Context ...ed in the manner we have described, the adversary could, once again, usually determine the correct key. As a more realistic example related to that above, consider the Bellovin-Merritt "EKE" protocol [4]. This entity-authentication protocol is designed to defeat password-guessing attacks. The protocol involves encrypting, under a possibly weak password K, a string g^x mod p, where p is a large prime ...

286 | How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988
Citation Context ... a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a "standard" block cipher by following works like [8, 10, 3].) A final method which we look at chooses an a, b where ab k and performs a Feistel construction on the message m, but uses a left-hand side in Z_a and a right-hand side in Z_b. Our analysis of th...

196 | The Security of the Cipher Block Chaining Message Authentication Code
- Bellare, Kilian, et al.
Citation Context ...r right away what is the security goal that we are after. Let's do this by way of an example. Suppose once again that you want to encipher numbers between one and a million: M = [1, 10^6]. Following [6, 2], we imagine two games. In the first game one chooses a random key K from K and hands to an adversary an oracle E_K(). In the second game one chooses a random permutation on [1, 10^6] and hands the ...

148 | Pseudorandomness and Cryptographic Applications
- Luby
- 1996
Citation Context ...d(2 n ; 2 n ) : D Fe[3;a;b]() = 1] Pr[ RsRand(k; k) : D () = 1] (q + ab k) 2 2 n+1 (d2 n =ae + d2 n =be) : The proof is a fairly straightforward adaptation of Luby's analysis from Lecture 13 of [7], which is in turn based on [8]. It can be found in Appendix A. Finally, we must adjust this bound to account for the fact that we have compared Fe[3; a; b] K () with a random function instead of a r...

93 | On the construction of pseudo-random permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1997
Citation Context ... a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a "standard" block cipher by following works like [8, 10, 3].) A final method which we look at chooses an a, b where ab k and performs a Feistel construction on the message m, but uses a left-hand side in Z_a and a right-hand side in Z_b. Our analysis of th...

66 | Two practical and provably secure block ciphers
- Anderson, Biham
- 1996
Citation Context ... cipher, Bellare and Rogaway [3] construct and analyze a length-preserving cipher with domain f0; 1g n . This is something more than making a block cipher on arbitrary N n bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses an unbalanced Feistel network. It is unclear how to make any of the constru...

25 | Standards for Efficient Cryptography — SEC 1: Recommended Elliptic Curve Domain Parameters. Available at http://www.secg.org/secg_docs.htm
- research
- 2000
Citation Context ...points from an elliptic curve group (EC group). There are well-known “compact” representations of the points in EC groups, and these representations form our starting point. For example, one finds in [5] simple algorithms to compress the representation of a point in an EC group. Consider the EC group G over the field Fq where q is either a power of two or a prime. Then any point (x, y) ∈ G may be rep...

23 | Faster Luby-Rackoff ciphers
- Lucks
- 1996
Citation Context ...extends a block cipher on n bits to a block cipher on 2ni bits, for any i ≥ 1. A variation on their construction due to Patel, Ramzan and Sundaram [12] yields a cipher on ni bits for any i ≥ 1. Lucks [10] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r b...

16 | On the construction of variable-input-length ciphers
- Bellare, Rogaway
- 1999
Citation Context ... a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a "standard" block cipher by following works like [8, 10, 3].) A final method which we look at chooses an a, b where ab k and performs a Feistel construction on the message m, but uses a left-hand side in Z_a and a right-hand side in Z_b. Our analysis of th...

11 | The design of Lucifer: a cryptographic device for data communications
- Smith
- 1971
Citation Context ...irst, one could construct the block cipher from scratch. But it is probably better to start with a well-studied primitive like SHA-1 or AES. These could then be used within a balanced Feistel network [13], which creates a block cipher for any (even) block length 2n, starting with something that behaves as a pseudorandom function (PRF) from n bits to n bits. Luby and Rackoff [8] give quantitative bounds...

11 | Off-line generation of limited-use credit card numbers
- Rubin, Wright
- 2002
Citation Context ...h finite objects, which first appears in Bellare, Kilian and Rogaway [2]. An application in the credit-card setting, very close to the example we gave above, was recently proposed by Rubin and Wright [13]. 2 Preliminaries Notation. If A and B are sets then Rand(A, B) is the set of all functions from A to B. If A or B is a positive number, n, then the corresponding set is [0, n − 1]. We write Perm(A) to d...

10 | The hasty pudding cipher
- Schroeppel
Citation Context ...ngs. Probably several of the constructions can be modified, and in multiple ways, to deal with a message space M = [0, k − 1], or with other message spaces. The Hasty Pudding Cipher of Schroeppel and Orman [12] is a block cipher which works on any domain [0, k − 1]. They use what is essentially our "Method 2," internally iterating the cipher until a proper domain point is reached. Our notion of a pseudorandom...

10 | G. Sundaram, Towards making Luby-Rackoff ciphers optimal and practical
- Patel
- 1999
Citation Context ...Reingold [11] provide a different construction which extends a block cipher on n bits to a block cipher on 2ni bits, for any i ≥ 1. A variation on their construction due to Patel, Ramzan and Sundaram [12] yields a cipher on ni bits for any i ≥ 1. Lucks [10] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block ciphe...

8 | Faster Luby-Rackoff ciphers
- Lucks
- 1996
Citation Context ...extends a block cipher on n bits to a block cipher on 2ni bits, for any i ≥ 1. A variation on their construction due to Patel, Ramzan and Sundaram [11] yields a cipher on ni bits for any i ≥ 1. Lucks [9] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r bi...

5 | Towards making Luby-Rackoff ciphers optimal and practical
- Patel, Ramzan, et al.
- 1999
Citation Context ... Reingold [10] provide a different construction which extends a block cipher on n bits to a block cipher on 2ni bits, for any i ≥ 1. A variation on their construction due to Patel, Ramzan and Sundaram [11] yields a cipher on ni bits for any i ≥ 1. Lucks [9] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher ...

3 | Research. Standards for Efficient Cryptography 2
- Certicom
- 2010

2 | Research. Standards for efficient cryptography. Version 1.0, 2000. Available at http://www.secg.org
- Certicom
- 2000

1 | The design of Lucifer: A cryptographic device for data communications
- edurcshpc
- 1998