| O. Goldreich, S. Goldwasser and S. Micali, "On the cryptographic applications of random functions," Advances in Cryptology -- Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, R. Blakely ed., Springer-Verlag, 1984. |
....it says that the CBC MAC transform is PRF preserving. Namely, the CBC MAC of a pseudorandom function (or permutation) F is itself a pseudorandom function. The security of the CBC MAC as a MAC follows because it is a well known observation that any PRF is a secure message authentication code [10, 11]; see Section 2.4 for details. STATEMENT. To illustrate the main result, let F be the given block cipher with block length l. The concrete security statement of one version of our theorem is the following: for any integers q, t, m 1, prf Advcsc i, q, t) where q = mq and t = t O(mql) ....
....queries made by the adversary plus the length of the message in the forgery output by the adversary. This quantity becomes an additional input to the insecurity function. Pseudorandom functions make good message authentication codes. As we remarked in the introduction the reduction is standard [10, 11]. We determine the exact security of this reduction. The following shows that the reduction is almost tight: security hardly degrades at all. This relation means that to prove the security of the CBC MAC as a MAC it is enough to show that the CBC transform preserves pseudorandomness. Proposition ....
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, R. Blakely ed., Springer-Verlag, 1984.
....notion is in general stronger than the standard notion of unforgeability [3] we note that any pseudorandom function is a strongly unforgeable MAC, and most practical MACs seem to be strongly unforgeable. Pseudorandom functions. We formalize pseudorandom functions and their security following [14, 3]. Suppose F is a family of functions from some message space M to {0,1}, and let Rand denote the family of all functions from M to {0,1}. We define Adv_F(D) as the advantage of a distinguisher D in distinguishing a random instance of F from a random instance of Rand. ....
O. Goldreich, S. Goldwasser, and S. Micali. On the cryptographic applications of random functions. In R. Blakely, editor, CRYPTO '84, volume 196 of LNCS, pages 276-288. Springer-Verlag, 1985.
....notion is in general stronger than the standard notion of unforgeability [3] we note that any pseudorandom function is a strongly unforgeable MAC, and most practical MACs seem to be strongly unforgeable. Pseudorandom functions. We formalize pseudorandom functions and their security following [14, 3]. Suppose F is a family of functions from some message space M to {0,1}, and let Rand . We define Adv (D) as the advantage of a distinguisher D in distinguishing a random instance of F from a random instance of Rand. Collision resistance of encoding schemes. The security of a ....
O. Goldreich, S. Goldwasser, and S. Micali. On the cryptographic applications of random functions. In G. R. Blakley and D. C. Chaum, editors, Advances in Cryptology - CRYPTO '84, volume 196 of Lecture Notes in Computer Science, pages 276-288. Springer-Verlag, Berlin Germany, 1985.
....P must be independent from the hash function h. The authors of [2] then state that it is their thesis that this method, when properly carried out, leads to secure and efficient protocols. The idea of using a random oracle and then substituting it with an appropriate primitive appears first in [6, 7]. However, in their model the oracle is not available to the adversary, because the computation of the function replacing the oracle would require knowing the seed and thus the function would not seem random at all. Fiat and Shamir [5] were the first to use a public random oracle, i.e. the ....
Oded Goldreich, Shafi Goldwasser, and Silvio Micali, On the cryptographic applications of random functions, CRYPTO 85 Proceedings, LNCS 196, Springer, 1985.
....the DDH Assumption (which was recently used in quite a few interesting applications) to be one of the contributions of this paper. Properties of Our Pseudo Random Functions Pseudo random functions were introduced by Goldreich, Goldwasser and Micali [34] and have innumerable applications (e.g. [3, 9, 22, 32, 39, 35, 48, 57]) A distribution of functions is pseudo random if: 1) It is easy to sample functions according to the distribution and to compute their value. 2) It is hard to tell apart a function sampled according to this distribution from a uniformly distributed function given access to the function as a ....
....in many applications. Probably, the most notable applications of pseudo random functions are in private key cryptography. They provide parties who share a common key straightforward protocols for sending secret messages to each other, for identifying themselves and for authenticating messages [15, 35, 47]. As shown by Luby and Rackoff [48] it is possible to efficiently construct pseudo random permutations (which, in particular, can be used as block ciphers) from pseudo random functions (also see [57] for an optimal construction). However, pseudo random functions have many other applications ....
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO '84, LNCS, vol. 196, Springer, 1985, pp. 276-288.
....what we will show is actually stronger: if F is a pseudorandom function family then F^(m), the family of functions f^(m) for f ∈ F, is itself shown to be a pseudorandom function family. That a PRF automatically makes a secure message authentication code is a well known observation due to [7, 8]; see Section 6 for details. Exact security We wish to obtain results which are meaningful for practice. In particular, we aim to say something about the correct and incorrect use of DES. Since DES is a finite function there are no asymptotics present. We are thus led to avoid asymptotics and ....
....after making this extension. 6 From PRFs to MACs Since justifying the CBC MAC is a primary aim of this paper, to complete this project we need one more step to show that pseudorandom functions make good message authentication codes. As we remarked in the introduction the reduction is standard [7, 8]. But we need to see what is the exact security. The following shows that the reduction is almost tight: security hardly degrades at all. Let G be a finite function family whose keys name functions in R k l . Let MAC G be defined by MAC G g (y) g(y) for all g ∈ G and all y ∈ {0,1}^k. ....
[Article contains additional citation context not shown here]
O. Goldreich, S. Goldwasser and S. Micali, "On the cryptographic applications of random functions," Advances in Cryptology -- Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, R. Blakely ed., Springer-Verlag, 1984.
....what we will show is actually stronger: if F is a pseudorandom function family then F^(m), the family of functions f^(m) for f ∈ F, is itself shown to be a pseudorandom function family. That a PRF automatically makes a secure message authentication code is a well known observation due to [9, 10]; see Section 6 for details. Exact security We wish to obtain results which are meaningful for practice. In particular, in our setting we need to say something about the correct or incorrect use of DES, where there are no asymptotics present. This demands not only that we avoid asymptotics and ....
....6 From PRFs to MACs Recall that justifying the CBC MAC was the primary motivation of this paper. To formally complete this project we need one more step to show that pseudorandom functions make good message authentication codes. As we remarked in the introduction the reduction is standard [9, 10]. But we need to see what is the exact security. The following shows that the reduction is almost tight: security hardly degrades at all. Let G be a finite function family whose keys name functions in R k l . Let MAC G be defined by MAC G g (y) g(y) for all g ∈ G and all y ∈ {0,1}^k. ....
[Article contains additional citation context not shown here]
O. Goldreich, S. Goldwasser and S. Micali, "On the cryptographic applications of random functions," Advances in Cryptology -- Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, Springer-Verlag, B. Blakley, ed., 1985.
....provide inputs of his choice and gets to see the value of the function on these inputs) Pseudo random functions are the key component of private key cryptography. They allow parties who share a common key to send secret messages to each other, to identify themselves and to authenticate messages [16, 27, 40]. In addition, they have many other applications, essentially in any setting that calls for a random function that is provided as a black box [9, 12, 19, 23, 24, 41, 51] Goldreich, Goldwasser and Micali provided a construction of such functions. For roughly a decade, this was the only known ....
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO '84, Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1985, pp. 276-288.
....by an object like a hash function. We stress that the proof is in the random oracle model and the last step is heuristic in nature. It is a thesis of this paper that significant assurance benefits nonetheless remain. The idea of such a paradigm builds on work of Goldreich, Goldwasser and Micali [20, 21] and Fiat Shamir [14] It is guided by many previous unjustified uses of hash functions. Finally, it incorporates viewpoints which, shared and verbally articulated by many members of our community, should be regarded as folklore. In this light, we view our contribution as follows. First, we ....
....3 Definitions and proofs of these results are omitted for lack of space. 1. 3 Background and Related Work The basic idea of proving correct a protocol in a model where the parties have a random oracle and then instantiating that oracle with an appropriate cryptographic primitive originates in [20, 21]. The cryptographic primitive suggested and constructed for this purpose by [20] is the pseudo random 2 Personal communication, via S. Micali and S. Rudich. 3 In this application it does not suffice to replace the pseudorandom generator used in [1] by a random generator. function (PRF) For ....
O. Goldreich, S. Goldwasser and S. Micali, "On the cryptographic applications of random functions," Advances in Cryptology -- CRYPTO 85 Proceedings, Lecture Notes in Computer Science Vol. 196, Springer-Verlag (1985). B Blakley, ed.
....a function sampled according to this distribution from a uniformly distributed function given an adaptive access to the function as a black box. Pseudo random functions have numerous applications in practically any scenario where a large amount of randomness need to be shared or fixed (see e.g. [4, 6, 8, 9, 10, 11, 14, 17, 18, 20]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption). A pseudo random function f_s can be used as a MAC (message authentication code) by letting the authentication tag of a message m be f_s(m) where the key, s, of f ....
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO '84, LNCS, vol. 196, Springer, 1985, pp. 276-288.
....4.2 Efficient pseudo random functions Naor and Reingold [24] describe a beautiful application of ddh. They show how to construct a collection of efficient pseudo random functions. Such functions can be used as the basis of many cryptographic schemes including symmetric encryption, authentication [14] and digital signatures [1]. Prior to these results, existing constructions [15, 23] based on number theoretic primitives were by far less efficient. Pseudo random functions were first introduced by Goldreich, Goldwasser and Micali [15]. At a high level, a set F_n of functions A_n → B_n is called ....
O. Goldreich, S. Goldwasser, S. Micali, "On the cryptographic applications of random functions ", Crypto' 84, pp. 276--288.
.... computable functions that are indistinguishable from random functions under all (efficient) black box attacks (see Section 2 for a formal definition). Pseudo random functions play a major role in private key cryptography and have many additional applications (for some of these applications, see [10, 17, 25]). Luby and Rackoff [26] provided a construction of strong pseudo random permutations (LR Construction) which was motivated by the structure of DES. The basic building block is the so called Feistel permutation 1 based on a pseudo random function defined by the key. Their construction ....
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO '84, Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1985, pp. 276-288.
.... computable functions that are indistinguishable from random functions under all (efficient) black box attacks (see Section 2 for a formal definition). Pseudo random functions play a major role in private key cryptography and have many additional applications (for some of these applications, see [11, 18, 26]). Luby and Rackoff [27] provided a construction of strong pseudo random permutations (LR Construction) which was motivated by the structure of DES. The basic building block is the so called Feistel permutation 1 based on a pseudo random function defined by the key. Their construction ....
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO '84, Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1985, pp. 276-288.
....against a priori chosen ciphertext attacks also known as lunch break attack. Rackoff and Simon [24] defined the stronger type of attack, a posteriori chosen ciphertext attacks and Dolev, Dwork and Naor [9] constructed cryptosystems resistant to such attacks. Other constructions were given in [14, 6, 21, 22, 19]. Other works have explored the relationship This specific formulation was first suggested by Goldreich [10] and is equivalent to the one presented in [15]. Consider, for instance, the attack Bleichenbacher suggested on PKCS #1 [3]. Also stronger requirements (from the implementation ....
O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. In Crypto84, Springer-Verlag Lecture Notes in Computer Science (Vol. 263), pages 276--288, 1985.
....communication protocol. This left open the question of whether a standard (uni directional) encryption scheme may be secure under chosen ciphertext attacks, a question that turned out to be very difficult in the case of public key schemes (but solved quite easily in the private key case [11, 12]). Subsequent research focused on constructing public key schemes that are secure under (two non equivalent types of) chosen ciphertext attacks (e.g. [3, 18, 7, 4, 19, 20, 17]). These works have all related to the technical definition of security (i.e. the indistinguishability of encryptions) ....
O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. In Crypto84, Springer-Verlag Lecture Notes in Computer Science (Vol. 263), pages 276--288, 1985.
....in {f_s : s ∈ {0,1}^n}. We stress that in the latter case the distinguisher is not given the description of the function f_s (i.e. the seed s) but rather may obtain the value of f_s on any n bit string of its choice. 5 Pseudorandom functions are a very useful cryptographic tool (cf. [64, 60] and Section 5). One may first design a cryptographic scheme assuming that the legitimate users have black box access to a random function, and next implement the random function using a pseudorandom function. From pseudorandom generators to pseudorandom functions [63] Let G be a pseudorandom ....
....However, it may be secure if the message is randomized before RSA (or the other schemes) is applied (cf. [15]). Thus, the randomization paradigm (see Section 5) seems pivotal here too. 6.2 Constructions Message authentication schemes can be constructed using pseudorandom functions (see [64] or the better constructions in [10, 9, 3]). However, as noted in [4] an extensive usage of pseudorandom functions seem an overkill for achieving message authentication, and more efficient schemes may be obtained based on other cryptographic primitives. We mention two approaches: 1. ....
O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. In Crypto84, Springer-Verlag Lecture Notes in Computer Science (Vol. 263), pages 276--288, 1985.
....in {f_s : s ∈ {0,1}^n}. We stress that in the latter case the distinguisher is not given the description of the function f_s (i.e. the seed s) but rather may obtain the value of f_s on any n bit string of its choice. 5 Pseudorandom functions are a very useful cryptographic tool (cf. [92, 86] and Section 5). One may first design a cryptographic scheme assuming that the legitimate users have black box access to a random function, and next implement the random function using a pseudorandom function. From pseudorandom generators to pseudorandom functions [91] Let G be a pseudorandom ....
....However, it may be secure if the message is randomized before RSA (or the other schemes) is applied (cf. [15]). Thus, the randomization paradigm (see Section 5) seems pivotal here too. 6.2 Constructions Message authentication schemes can be constructed using pseudorandom functions (see [92] or the more efficient constructions in [10, 9, 3]). However, as noted in [4] an extensive usage of pseudorandom functions seem an overkill for achieving message authentication, and more efficient schemes may be obtained based on other cryptographic primitives. We mention two approaches, each ....
O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. In Crypto84, Springer-Verlag Lecture Notes in Computer Science (Vol. 263), pages 276--288, 1985.
No context found.
O. Goldreich, S. Goldwasser and S. Micali, "On the cryptographic applications of random functions," Advances in Cryptology -- Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, R. Blakely ed., Springer-Verlag, 1984.
No context found.
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - Crypto 84 Proceedings, Lecture Notes in Computer Science Vol. 196, R. Blakely ed., Springer-Verlag, 1984.
No context found.
O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, 1985, pp. 276-288.
No context found.
O. Goldreich, S. Goldwasser, and S. Micali. On the cryptographic applications of random functions. In Advances in Cryptology --- Crypto '84, volume 196 of Lecture Notes in Computer Science, pages 276--288. Springer, 1985.
No context found.
O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. Adv. in Cryptology --- Crypto '84, LNCS vol. 263, Springer-Verlag, pp. 276--288, 1985.
No context found.
O. Goldreich, S. Goldwasser, and S. Micali. On the cryptographic applications of random functions. Advances in Cryptology --- Crypto '84, Lecture Notes in Computer Science, vol. 196, G.R. Blakley and D. Chaum, eds., Springer-Verlag (1984), pp. 276--288.
No context found.
O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. Adv. in Cryptology --- Crypto '84, LNCS vol. 263, Springer-Verlag, pp. 276--288, 1985.
No context found.
O. Goldreich and S. Goldwasser and S. Micali, "On the Cryptographic Applications of Random Functions", Advances in Cryptology --CRYPTO84, pp.276--288, Proceedings, Lecture Notes in Computer Science No. 196, Springer, 1985.