18 citations found.
M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, Ed. L. Knudsen, 1999.


This paper is cited in the following contexts:
Tweakable Enciphering Modes for Sector-Level Encryption - Halevi, Rogaway (2002)

....permutation by $D_K$. We emphasize that since enciphering is length-preserving it cannot be randomized and a ciphertext cannot include any sort of authentication tag. It follows that the enciphering cannot meet the usual notion of semantic security [3, 14] nor any strong notion of authenticity [6, 7, 17]. Indeed the best one can hope for is that which is achievable by a deterministic, length-preserving, tweak depending transformation. We use the terms enciphering and deciphering, rather than encrypting and decrypting, to emphasize that the transformations are length preserving. Our ....

....work by Schroeppel describes an innovative block cipher that was already designed to incorporate a tweak [26]. The first attempt to directly construct an nm-bit block cipher from an n-bit one is due to Zheng, Matsumoto and Imai [30] who give a Feistel type construction. Bellare and Rogaway [7] give an enciphering mode that works on messages of varying lengths but is not a strong PRP. Another enciphering scheme that is potentially a strong PRP appears in unpublished work of Bleichenbacher and Desai [10]. One ad hoc suggestion we have seen [16] is forward then backwards PCBC mode [21] ....

M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers. In Fast Software Encryption---6th International Workshop---FSE '99, volume 1635 of Lecture Notes in Computer Science, pages 231--244. Springer-Verlag, 1999. www.cs.ucdavis.edu/~rogaway.


Concrete Security Characterizations of PRFs and PRPs.. - Anand Desai And   (1 citation)

....Then there are other schemes, besides those for message authentication and symmetric encryption, to which our techniques could be applied. For example, it may be possible to improve the security bounds of variable length input pseudorandom functions (VI PRFs) [2] and variable input-length ciphers [6]. Using similar techniques as above, we can also get tighter bounds for PRP-based protocols. In a sense, this is more interesting, given that PRP families provide a more natural model for block ciphers [5]. Viewing a block cipher as a PRP family rather than a PRF family itself can lead to tighter ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the Sixth Workshop on Fast Software Encryption, L. Knudsen ed., 1999.


Concrete Security Characterizations of PRFs and PRPs.. - Desai, Miner   (1 citation)

....there are other protocols, besides those for message authentication and symmetric encryption, to which our techniques could be applied. For example, it may be possible to improve the security bounds of variable length input pseudorandom functions (VI PRFs) [2] and variable input length ciphers [6]. Using similar techniques as above, we can also get tighter bounds for PRP-based protocols. In a sense, this is more interesting given that PRP families provide a more natural model for block ciphers [5]. Viewing a block cipher as a PRP family rather than a PRF family itself can also give tighter ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the Sixth Workshop on Fast Software Encryption, Ed. L. Knudsen, 1999.


On Message Integrity in Symmetric Encryption - Gligor, Donescu (2000)   (3 citations)

....6) but not PI CPA and KPF CPA secure (Lemma 7). Hence, NM CPA $\not\Rightarrow$ PI CPA and NM CPA $\not\Rightarrow$ KPF CPA. When implemented with the CBC mode and used to encrypt messages consisting of an integer number of l-bit blocks (possibly after padding), the Variable Input Length (VIL) cipher of Bellare and Rogaway [5, 6] can be shown to generate at least a random block in the plaintext outcome of any forgery produced in a CPA [11]. Hence, the composition of this scheme with the MDC function nzg(x) defined for the BIGE nzg scheme (viz. Section 5), namely VIL CBC nzg, is a PU CPA secure scheme. However, this scheme ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, L. Knudsen (Ed), Springer-Verlag, 1999.


On Message Integrity in Symmetric Encryption - Gligor, Donescu (2000)   (3 citations)

....6) but not PI CPA and KPF CPA secure (Lemma 7). Hence, NM CPA $\not\Rightarrow$ PI CPA and NM CPA $\not\Rightarrow$ KPF CPA. When implemented with the CBC mode and used to encrypt messages consisting of an integer number of l-bit blocks (possibly after padding), the Variable Input Length (VIL) cipher of Bellare and Rogaway [4, 5] can be shown to generate at least a random block in the plaintext outcome of any forgery produced in a CPA [10]. Hence, the composition of this scheme with the MDC function nzg(x) defined for the BIGE nzg scheme (viz. Section 5), namely VIL CBC nzg, is a PU CPA secure scheme. However, this scheme ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, L. Knudsen (Ed), Springer-Verlag, 1999.


Fast Encryption and Authentication: XCBC Encryption and XECB.. - Gligor, Donescu (2000)   (49 citations)

....characteristics of most of these modes do not satisfy all our goals, however. For example, when implemented with the CBC mode and used to encrypt messages consisting of an integer number of l-bit blocks (possibly after padding), the Variable Input Length (VIL) cipher of Bellare and Rogaway [5, 6] can be shown to be EF CPA secure when using simple non cryptographic MDC functions g, 2 such as those for the bitwise exclusive or, CRCs, addition modulo $2^l - 1$, the selection of a single constant filled block or just block $x_1$ of every message, whose output is appended to the end of ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, L. Knudsen (Ed), Springer-Verlag, 1999.


Mercy: A Fast Large Block Cipher for Disk Sector Encryption - Crowley (2000)   (10 citations)

....to exhaustively search the keyspace. In other words, the theoretical best solution under these constraints is a strong randomised large block cipher. Several proposals exist for building large block ciphers from standard cryptographic components such as hash functions and stream ciphers [1, 11, 2]; however, these are not randomised ciphers, and as Section 2 shows, they have certificational weaknesses. More seriously, no proposal comes close to offering the performance needed: bit rates equal to or better than disk transfer rates. Since small improvements in disk access efficiency can mean big ....

....of avalanche. This attack can easily be converted to use the memory-efficient parallel collision finding techniques of [20] so memory usage does not present a serious obstacle to the practicality of the attack if 2 wp adaptive chosen plaintexts can be encrypted. This attack may be applied to [2] by choosing the first two blocks of the plaintext as the changing bits, and all of the output except the second two blocks as the target bits. If the blocksize of the underlying cipher is 64 bits, then $2^{33}$ chosen plaintexts should be sufficient to induce a collision in , resulting in a ....

[Article contains additional citation context not shown here]

Mihir Bellare and Phillip Rogaway. On the construction of variable-input-length ciphers. In Lars R. Knudsen, editor, Fast Software Encryption: 6th International Workshop, volume 1636 of Lecture Notes in Computer Science, pages 231-244, Rome, Italy, March 1999. Springer-Verlag.


Ciphers with Arbitrary Finite Domains - May (2000)

....f0; 1g n . So, for example, one can use this method to encipher a string in ZN , where N is a 1024 bit number, using a block cipher with block length of 1024 bits. A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [8, 10, 3]. A final method which we look at chooses an a; b where ab k and performs a Feistel construction on the message m, but uses a left hand side in Z a and a right hand side in Z b . Our analysis of this is an adaptation of Luby and Rackoff's [8]. This method can be quite efficient, though the proven ....

....to consider a three round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r bits to bits and another from bits to r bits, where r = N . Starting from an n bit block cipher, Bellare and Rogaway [3] construct and analyze a 2 length preserving cipher with domain f0; 1g n . This is something more than making a block cipher on arbitrary N n bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again ....

Bellare, M., and Rogaway, P. On the construction of variable-input-length ciphers. In Fast Software Encryption (1999), vol. 1636 of Lecture Notes in Computer Science, Springer-Verlag.


Concrete Security Characterizations of PRFs and PRPs.. - Desai, Miner (2000)   (1 citation)

....there are other protocols, besides those for message authentication and symmetric encryption, to which our techniques could be applied. For example, it may be possible to improve the security bounds of variable length input pseudorandom functions (VI PRFs) [2] and variable input length ciphers [6]. Using similar techniques as above, we can also get tighter bounds for PRP based protocols. In a sense, this is more interesting given that PRP families provide a more natural model for block ciphers [5]. Viewing a block cipher as a PRP family rather than a PRF family itself can also give tighter ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, Ed. L. Knudsen, 1999.


Encode-then-encipher encryption: How to exploit nonces or.. - Bellare, Rogaway (2000)   (12 citations)  Self-citation (Bellare Rogaway)

No context found.

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers." Fast Software Encryption '99, Lecture Notes in Computer Science Vol. 1636, L. Knudsen ed., Springer-Verlag, 1999.


A Tweakable Enciphering Mode - Halevi (2003)   (9 citations)  Self-citation (Rogaway)

No context found.

M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers. In Fast Software Encryption---6th International Workshop---FSE '99, volume 1635 of Lecture Notes in Computer Science, pages 231--244. Springer-Verlag, 1999. www.cs.ucdavis.edu/~rogaway.


A Tweakable Enciphering Mode - Halevi, Rogaway (2003)   (9 citations)  Self-citation (Rogaway)

No context found.

M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers. In Fast Software Encryption---6th International Workshop---FSE '99, volume 1635 of Lecture Notes in Computer Science, pages 231-244. Springer-Verlag, 1999. www.cs.ucdavis.edu/~rogaway.


The EMD Mode of Operation (Tweaked, Wide-Blocksize, Strong PRP) - Rogaway (2002)   Self-citation (Rogaway)

....construction for a long blocksize strong PRP appears in unpublished work of [5]. No proof of correctness was offered and the scheme uses about 3m block cipher calls the same as [15] with an xor universal hash function built from CBC. Yet another long block size block cipher is constructed by [3], but it does not yield a strong PRP. The notion of a tweaked block cipher is due to Liskov, Rivest and Wagner [10]. Earlier work by Schroeppel describes an innovative block cipher that was already designed to incorporate a tweak [19]. Pseudorandom permutations (PRPs) were first defined and ....

....a strong PRP. 5 Extensions In this section we sketch some forthcoming extensions. Variable input lengths. A tweaked, variable input length (VIL) cipher is a map E : K T M M where M f0; 1g may have strings of various lengths and E K ( is a permutation and jM j = jE K (M)j for all M 2 M [3]. It is straightforward to adapt the notion of a strong, tweaked PRP to give a notion of security for VIL ciphers. Interestingly, EMD, with no changes at all, is already secure as a VIL cipher. The domain of messages M = f0; 1g is all strings having two or more blocks. Dealing with message ....

M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers. In Fast Software Encryption---6th International Workshop---FSE '99, volume 1635 of Lecture Notes in Computer Science, pages 231-244. Springer-Verlag, 1999. www.cs.ucdavis.edu/~rogaway.


Ciphers with Arbitrary Finite Domains - Black, Rogaway (2000)   (7 citations)  Self-citation (Rogaway)

....f0; 1g n . So, for example, one can use this method to encipher a string in ZN , where N is a 1024 bit number, using a block cipher with block length of 1024 bits. A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [3, 9, 11]. This construction has been suggested before [13] our main contribution here is the analysis of the construction. A final method which we look at chooses an a; b where ab k and performs a Feistel construction on the message m, but uses a left hand side in Z a and a right-hand side in Z b . Our ....

....to consider a three round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r bits to bits and another from bits to r bits, where r = N . Starting from an n bit block cipher, Bellare and Rogaway [3] construct and analyze a length preserving cipher with domain f0; 1g n . This is something more than making a block cipher on arbitrary N n bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses ....

Bellare, M., and Rogaway, P. On the construction of variable-input-length ciphers. In Fast Software Encryption (1999), vol. 1636 of Lecture Notes in Computer Science, Springer-Verlag. See www.cs.ucdavis.edu/~rogaway.


Ciphers with Arbitrary Finite Domains - Black, Rogaway (2001)   (7 citations)  Self-citation (Rogaway)

....f0; 1g n . So, for example, one can use this method to encipher a string in ZN , where N is a 1024 bit number, using a block cipher with block length of 1024 bits. A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [8, 10, 3]. 1 A final method which we look at chooses an a; b where ab k and performs a Feistel construction on the message m, but uses a left hand side in Z a and a right hand side in Z b . Our analysis of this is an adaptation of Luby and Rackoff's [8]. This method can be quite efficient, though the ....

....to consider a three round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r bits to bits and another from bits to r bits, where r = N . Starting from an n bit block cipher, Bellare and Rogaway [3] construct and analyze a length preserving cipher with domain f0; 1g n . This is something more than making a block cipher on arbitrary N n bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses ....

Bellare, M., and Rogaway, P. On the construction of variable-input-length ciphers. In Fast Software Encryption (1999), vol. 1636 of Lecture Notes in Computer Science, Springer-Verlag.


Encode-then-encipher encryption: How to exploit nonces or.. - Bellare, Rogaway   (12 citations)  Self-citation (Bellare Rogaway)

....lengths may vary from one enciphering to the next. The cipher should look like a random length preserving permutation : M M . This may sound just like a block cipher, but it is actually quite different, because the domain includes strings of different lengths. One construction is given in [5], and others are possible, building on work like [11] and [12]. A notion of authenticity for encryption schemes. We note a final contribution of this paper, which is the notion of authenticity defined in Section 2. The usual way that message authenticity has been defined (e.g. [2]) assumes that each ....

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers." Fast Software Encryption '99, Lecture Notes in Computer Science Vol. 1636, L. Knudsen ed., Springer-Verlag, 1999.


Concrete Security Characterizations of PRFs and PRPs.. - Desai, Miner (2000)   (1 citation)

No context found.

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, Ed. L. Knudsen, 1999.


On Message Integrity in Symmetric Encryption - Gligor, Donescu, Katz (2002)   (3 citations)

No context found.

M. Bellare and P. Rogaway, "On the construction of variable-input-length ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, L. Knudsen (Ed), Springer-Verlag, 1999.


CiteSeer.IST - Copyright Penn State and NEC