scispace - formally typeset
Open AccessJournal Article

A provable-security treatment of the key-wrap problem

Phillip Rogaway, +1 more
- 01 Jan 2006 - 
- pp 373-390
Reads0
Chats0
TLDR
It is suggested that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), and it is shown that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
Abstract
We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

read more

Content maybe subject to copyright    Report

Citations
More filters
Book ChapterDOI

Order-Preserving Symmetric Encryption

Alexandra Boldyreva, +3 more
TL;DR: The notion of order-preserving symmetric encryption (OPE) was introduced by Agrawal et al. as mentioned in this paper, who showed that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosen-plaintext attack (IND-CPA) is unachievable by a practical OPE scheme.
Posted Content

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm.

Mihir Bellare, +1 more
- 01 Jan 2000 - 
TL;DR: This work considers two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relates them to the standard notions of privacy IND-CCA and NM-CPA by presenting implications and separations between all notions considered.
Proceedings Article

DupLESS: server-aided encryption for deduplicated storage

Mihir Bellare, +2 more
TL;DR: In this article, the authors propose an architecture that provides secure deduplicated storage resisting brute-force attacks, and realize it in a system called DupLESS, where clients encrypt under message-based keys obtained from a key-server via an oblivious PRF protocol.
Book ChapterDOI

Duplexing the sponge: single-pass authenticated encryption and other applications

Guido Bertoni, +3 more
TL;DR: In this paper, the authors proposed a duplex construction, which is closely related to the sponge construction, that accepts message blocks to be hashed and provides digests on the input blocks received so far.
Book ChapterDOI

The software performance of authenticated-encryption modes

Ted Krovetz, +1 more
TL;DR: OCB is found to be substantially faster than either GCM or GCM across a variety of platforms, and there is room for algorithmic improvements to OCB, showing how to trim one blockcipher call and reduce latency.
References
More filters
Journal ArticleDOI

How to construct random functions

Oded Goldreich, +2 more
- 10 Aug 1986 - 
TL;DR: In this paper, a constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented, which is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to computable functions.
Book ChapterDOI

How to construct random functions

Oded Goldreich, +2 more
TL;DR: A constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented that has applications in cryptography, random constructions, and complexity theory.
Proceedings ArticleDOI

A concrete security treatment of symmetric encryption

Mihir Bellare, +3 more
TL;DR: This work studies notions and schemes for symmetric (ie. private key) encryption in a concrete security framework and gives four different notions of security against chosen plaintext attack, providing both upper and lower bounds, and obtaining tight relations.
Journal ArticleDOI

How to construct pseudorandom permutations from pseudorandom functions

Michael Luby, +1 more
- 01 Apr 1988 - 
TL;DR: Any pseudorandom bit generator can be used to construct a block private key cryptos system which is secure against chosen plaintext attack, which is one of the strongest known attacks against a cryptosystem.
Journal Article

Relations among notions of security for public-key encryption schemes

Mihir Bellare, +4 more
- 01 Jan 1998 - 
TL;DR: In this article, the relative strengths of popular notions of security for public key encryption schemes are compared under chosen plaintext attack and two kinds of chosen ciphertext attack, and the goals of privacy and non-malleability are considered.
Related Papers (5)

Formalizing human ignorance : Collision-resistant hashing without the keys

Phillip Rogaway
- 01 Jan 2006 - 

Functional Encryption: New Perspectives and Lower Bounds

Shweta Agrawal, +3 more

Reconciling Non-malleability with Homomorphic Encryption

Manoj Prabhakaran, +1 more
- 01 Jul 2017 - 

Order-Preserving Encryption Secure Beyond One-Wayness.

Tal Malkin, +2 more
- 01 Jan 2013 - 

On the Power of Public-key Functional Encryption with Function Privacy.

Vincenzo Iovino, +2 more
- 01 Jan 2015 -