M. Bellare, R. Canetti and H. Krawczyk, "Pseudorandom functions revisited: The cascade construction and its concrete security." Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....is a hash function. For a given Y it is computationally hard to find a x such that h(x) Y, where x might be a vector. Hash functions have been used in computer science for a long time. They are a major building blocks for several cryptographic protocols, includ ing pseudo random generators [Bellare et al. 1996], digital signatures, and message authentication [Waleffe and Quisquater, 1990] Usually, there are two components in a signature scheme, one is the Signer role played by consumers, service provider, or service; the other is the Verifier role played by service consumers or service providers. As a ....

Bellare M., Canetti R., and Krawczyk H. (1996). Pseudorandom functions re- visited: The cascade construction and its concrete security. Extended abstract. In 37th Annual Symposium on the Foundations of Computer Science, IEEE.

....of VIL functions, therefore these constructions are very useful in practice. Important extensions from FIL to VIL include Cipher Block Chaining (CBC) BKR94,BDJR97] extending pseudo random permutations (ciphers) and MAC functions, and the Merkle Damgrd cascade, extending pseudo random functions [BCK96F] and often used to extend collision resistant hash functions [Da89,Me89,BR97] Most other constructions of advanced cryptographic mechanisms from one way functions, e.g. HILL99,NY89] are too wasteful in resources and security to be of practical use. In this paper we focus on an alternative, ....

M. Bellare, R. Canetti, and H. Krawczyk, Pseudorandom functions revisited: The cascade construction and its concrete security. Proceedings 37th Annual Symposium on the Foundations of Computer Science, IEEE, 1996.

....f 0 from variable length inputs to 256 bit outputs. I show that if f is an unpredictable random function then f 0 is also unpredictable. See section 4. This construction compares favorably with chaining, which was proven unpredictable in [7] and cascading, which was proven unpredictable in [3]. All the ideas in the protected counter sum construction are already present in [5] and [3] My main contribution is the exact security analysis, speci cally Theorem 3.1. Implementation. I wrote a portable C library for protected counter sums, using surf k as the underlying random function. The ....

....random function then f 0 is also unpredictable. See section 4. This construction compares favorably with chaining, which was proven unpredictable in [7] and cascading, which was proven unpredictable in [3] All the ideas in the protected counter sum construction are already present in [5] and [3]. My main contribution is the exact security analysis, speci cally Theorem 3.1. Implementation. I wrote a portable C library for protected counter sums, using surf k as the underlying random function. The library, compiled with gcc 2.6 on a Pentium, occupies 716 bytes. It uses approximately 600 ....

[Article contains additional citation context not shown here]

Mihir Bellare, Ran Canetti, Hugo Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security, draft available as [2], newer draft available as http:// www-cse.ucsd.edu/~mihir/papers/cascade.ps.gz.

....in (Z=p) 2 takes one addition modulo p for each bit of input. Conjectural constructions and current practice. If p is a uniform random 512 bit string then m 7 MD5(p; m) appears to have very low collision probability, 18 DANIEL J. BERNSTEIN as pointed out by Bellare et al. in [15] and in [13]. In fact, nobody has been able to exhibit any collisions in MD5. This was the primary goal of MD5. On the other hand, Dobbertin in [34] found matching IV collisions in the compression function of MD5. Authenticators based on MD5 are popular because they are very fast. The implementations of ....

Mihir Bellare, Ran Canetti, Hugo Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security, draft available from http://www-cse.ucsd.edu/ ~mihir/papers/cascade.html; previous version in [12].

.... way, Bellare, Kilian and Rogaway began the practice of explicitly specifying the resources determining security and paying particular attention to the quality of security reductions [5] This approach forms the basis of concrete security analysis and has been used in many subsequent works [4, 2, 3]. One bene t of this approach is that it enables the comparison (and classi cation as weaker or stronger) of polynomially equivalent notions in cryptography. Paying attention to the concrete complexity of reductions between notions is important in practice, as inecient reductions translate to a ....

....other message authentication schemes. Then there are other schemes, besides those for message authentication and symmetric encryption, to which our techniques could be applied. For example, it may be possible to improve the security bounds of variable length input pseudorandom functions (VI PRFs) [2] and variable inputlength ciphers [6] Using similar techniques as above, we can also get tighter bounds for PRPbased protocols. In a sense, this is more interesting, given that PRP families provide a more natural model for block ciphers [5] Viewing a block cipher as a PRP family rather than a ....

M. Bellare, R. Canetti and H. Krawczyk, \Pseudorandom functions revisited: The cascade construction and its concrete security," Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

.... way, Bellare, Kilian and Rogaway began the practice of explicitly specifying the resources determining security and paying particular attention to the quality of security reductions [5] This approach forms the basis of concrete security analysis and has been used in many subsequent works [4, 2, 3]. One bene t of this approach is that it enables the comparison (and classi cation as weaker or stronger) of polynomially equivalent notions in cryptography. Paying attention to the concrete complexity of reductions between notions is important in practice, as inecient reductions translate to a ....

....it may be possible for other MACs. Then there are other protocols, besides those for message authentication and symmetric encryption, to which our techniques could be applied. For example, it may be possible to improve the security bounds of variable length input pseudorandom functions (VI PRFs) [2] and variable input length ciphers [6] Using similar techniques as above, we can also get tighter bounds for PRPbased protocols. In a sense, this is more interesting given that PRP families provide a more natural model for block ciphers [5] Viewing a block cipher as a PRP family rather than a ....

M. Bellare, R. Canetti and H. Krawczyk, \Pseudorandom functions revisited: The cascade construction and its concrete security," Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

....function [Menzenes97] Modern iterated hash functions [Menzenes97] have, in practice, been shown to have considerable resistance to attacks and supply many of the properties that I require. Bellare et al. have used iterated hash functions as the basis for pseudo random function families [Bellare96b]. Unlike many applications of pseudo random functions, NASD does not evaluate F on a previous output of F in order to generate a sequence of random numbers. Instead, NASD uses a given seed exactly once to generate a single random value and does not evaluate F on results of previous results of ....

Bellare, M., Canetti, R., and Krawczyk, H.,"Pseudorandom functions revisited: The cascade construction and its concrete security," Extended abstract in Proceedings of the 37th Annual Symposium on the Foundations of Computer Science, IEEE, 1996.

....(see [5] 21] and the references therein) It thus seems that a theoretical framework incorporating the notion of rounds would be desirable. This paper proposes such a framework. Although our model is a simple extension of the classical models of security for symmetric primitives ( 14] 12] [2]) it allows one to obtain a number of interesting results not captured by the traditional models. In particular, we analyze the security of the original Luby Racko construction, some of its variants, and UHF MACs within our framework. 1.3 Our Contributions 1.3.1 A New Model The de nition of a ....

....the relevant de nitions and prior constructions. Our presentation is in the concrete (or exact ) security model as opposed to the asymptotic model (though our results can be made to hold for either) Our treatment follows that of Bellare, Kilian, and Rogaway [3] and Bellare, Canetti, Krawczyk [2]. 2.1 De nitions 2.1.1 Notation For a bit string x, we let jxj denote its length. If x has even length, then x L and x R denote the left and right halves of the bits respectively; we sometimes write x = x L ; x R ) If x and y are two bit strings of the same length, x y denotes their ....

Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Pseudorandom functions revisited: The cascade construction and its concrete security. In 37th Annual Symposium on Foundations of Computer Science, pages 514-523. IEEE, 1996.

....message is randomized before RSA (or the other schemes) is applied (cf. 15] Thus, the randomization paradigm (see Section 5) seems pivotal here too. 16 6. 2 Constructions Message authentication schemes can be constructed using pseudorandom functions (see [64] or the better constructions in [10, 9, 3]) However, as noted in [4] an extensive usage of pseudorandom functions seem an overkill for achieving message authentication, and more efficient schemes may be obtained based on other cryptographic primitives. We mention two approaches: 1. Fingerprinting the message using a scheme which is ....

M. Bellare, R. Canetti and H. Krawczyk. Pseudorandom functions Revisited: The Cascade Construction and its Concrete Security. In 37th IEEE Symposium on Foundations of Computer Science, pages 514--523, 1996.

.... and Rogaway started the practice of explicitly specifying the resources determining the security and paying particular attention to the quality of the security reductions [5] This approach forms the basis of what is called concrete security analysis and has been used in many subsequent works [4, 2, 3]. One of the bene ts of this approach is to enable the comparison and 3 pseudorandom function indistinguishable uniform function indistinguishable point function pseudorandom permutation indistinguishable uniform permutation indistinguishable point permutation 2 2 q 2 q 2 1 Figure 1: Relating ....

....it may be possible for other MACs. Then there are other protocols, besides those for message authentication and symmetric encryption, to which our techniques could be applied. For example, it may be possible to improve the security bounds of variable length input pseudorandom functions (VI PRFs) [2] and variable input length ciphers [6] Using similar techniques as above, we can also get tighter bounds for PRP based protocols. In a sense, this is more interesting given that PRP families provide a more natural model for block ciphers [5] Viewing a block cipher as a PRP family rather than a ....

M. Bellare, R. Canetti and H. Krawczyk, \Pseudorandom functions revisited: The cascade construction and its concrete security," Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

....is randomized before RSA (or the other schemes) is applied (cf. 15] Thus, the randomization paradigm (see Section 5) seems pivotal here too. 6. 2 Constructions Message authentication schemes can be constructed using pseudorandom functions (see [92] or the more efficient constructions in [10, 9, 3]) However, as noted in [4] an extensive usage of pseudorandom functions seem an overkill for achieving message authentication, and more efficient schemes may be obtained based on other cryptographic primitives. We mention two approaches, each consisting of a two stage process: 1. Fingerprinting ....

M. Bellare, R. Canetti and H. Krawczyk. Pseudorandom functions Revisited: The Cascade Construction and its Concrete Security. In 37th IEEE Symposium on Foundations of Computer Science, pages 514--523, 1996.

No context found.

M. Bellare, R. Canetti and H. Krawczyk. Pseudorandom functions revisited: The cascade construction and its concrete security. http://www-cse.ucsd.edu/users/mihir. (Preliminary version in Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.)

....past. This is in sharp contrast with encryption, where information encrypted today may suffer from exposure in the future if, and when, the encryption algorithm is broken. The strongest attack known against HMAC is based on the frequency of collisions for the hash function H ( birthday attack ) [PV,BCK2], and is totally impractical for minimally reasonable hash functions. As an example, if we consider a hash function like MD5 where the output length equals L=16 bytes (128 bits) the attacker needs to acquire the correct message authentication tags computed (with the same secret key K ) on about ....

M. Bellare, R. Canetti, and H. Krawczyk, "Pseudorandom Functions Revisited: The Cascade Construction", Proceedings of FOCS'96.

....these functions (often nicknamed cryptographic hash functions ) are used in a variety of settings where far stronger properties than collision resistance are required. Some of these properties are better understood and can be rigorously formulated (e.g. the use as pseudorandom functions [BCK1], or as message authentication functions [BCK2] Often, however, these extra properties are not precisely specified; even worse, it is often unclear whether the attributed properties can at all be formalized in a meaningful way. We very roughly sketch two salient such properties. One is total ....

....fi = 160 for SHA seems appropriate. Verification (and the Completeness property) are straightforward. Correctness follows directly from the collision resistance of h. The Secrecy requirement imposes the following requirement on h. Following the concrete (i.e. non asymptotic) security approach of [BKR, BGR, BCK1] we say that: Definition 9 A hash function h is ( ffi) secure with respect to the H(x; r) r; h(r; x) construction and some distribution Delta on f0; 1g if for any adversary A and distinguisher D, each running in time , we have jProb(D(x; A(r; h(r; x) 1) Gamma Prob(D(x; A(r; h(r; y) ....

M. Bellare, R. Canetti and H. Krawczyk, "Pseudorandom functions revisited: The cascade construction and its concrete security", 37th FOCS, 1996.

No context found.

M. Bellare, R. Canetti and H. Krawczyk, "Pseudorandom functions revisited: The cascade construction and its concrete security." Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

No context found.

M. Bellare, R. Canetti, and H. Krawczyk, Pseudorandom Functions Re-visited: The Cascade Construction and Its Concrete Security, In Proc. 37th FOCS, pages 514-523. IEEE, 1996.

No context found.

M. Bellare, R. Canetti and H. Krawczyk, \Pseudorandom functions revisited: The cascade construction and its concrete security," Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

No context found.

M . Bellare, R. Canetti, H. Krawczyk, " Pseudorandom Functions Revisited: The Cascade Construction and its Concrete Security", Proc. IEEE FOCS 1996.

No context found.

M. Bellare, R. Canetti and H. Krawczyk, Pseudorandom functions revisited: the cascade construction, Proc. 37th IEEE Symp. on Foundations of Computer Science, 1996, pp. 514-523.

No context found.

M. Bellare, R. Canetti and H. Krawczyk. Pseudorandom Functions Revisited: The Cascade Construction and Its Concrete Security. In Proc. of the 37th Annual IEEE Symposium on Foundations of Computer Science, pages 514--523, 1996.

No context found.

M. Bellare, R. Canetti, H. Krawczyk, \Pseudorandom Functions Revisited: The Cascade Construction and its Concrete Security," Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

No context found.

Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom Functions Re-Visited: The Cascade Construction and its Concrete Security. In: Proceedings of Foundations of Computer Science, IEEE. (1996)

No context found.

M. Bellare, R. Canetti, and H. Krawczyk. Pseudorandom Functions Re-Visited: The Cascade Construction and its Concrete Security. In Proceedings of Foundations of Computer Science, IEEE, 1996.

No context found.

Mihir Bellare, Ran Canetti, Hugo Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security, in [1], 514-523.

No context found.

Mihir Bellare, Ran Canetti, Hugo Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security, in [5] (1996), 514-523.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC