Phillip Rogaway - Academia.edu (original) (raw)
Uploads
Papers by Phillip Rogaway
Lecture Notes in Computer Science, 1999
Whereas a block cipher enciphers messages of some one particular length (the blocklength), a vari... more Whereas a block cipher enciphers messages of some one particular length (the blocklength), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. This paper introduces the problem of constructing such objects, and provides a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.
Lecture Notes in Computer Science, 2000
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separat... more Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. There is an uncomfortable and interesting gap between these two approaches to cryptography. This paper starts to bridge the gap, by providing a computational justification for a formal treatment of encryption.
Advances in Cryptology — CRYPTO’ 93, 1994
We provide the first formal treatment of entity authentication and authenticated key distribution... more We provide the first formal treatment of entity authentication and authenticated key distribution appropriate to the distributed emironment. Addressed in detail are the problems of mutual authentication and authenticated key exchange for the symmetric, two-party setting. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming only the existence of a pseudorandom function.
Lecture Notes in Computer Science, 1991
We consider the communication complexity of secure multiparty computations by networks of process... more We consider the communication complexity of secure multiparty computations by networks of processors each with unlimited computing power. Say that an n-party protocol for a function of m bits is efficient if it uses a constant number of rounds of communication and a total number of message bits that is polynomial in max(m, n). We show that any function has an efficient protocol that achieves (rclog n)/m resilience. Ours is the first secure multiparty protocol in which the communication complexity is independent of the computational complexity of the function being computed. We also consider the communication complexity of zero-knowledge proofs of properties of committed bits. We show that every function / of m bits has an efficient notarized envelope scheme; that is, there is a protocol in which a computationally unlimited prover commits a sequence of bits x to a computationally unlimited verifier and then proves in perfect zero-knowledge (without decommitting x) that f(x) = 1, using a constant number of rounds and poly(m) message bits. Ours is the first notarized envelope scheme in which the communication complexity is independent of the computational complexity of /. Finally, we establish a new upper bound on the number of oracles needed in instance-hiding schemes for arbitrary functions. These schemes allow a computationally limited querier to capitalize on the superior power of one or more computationally unlimited oracles in order to obtain f(x) without revealing its private input x to any one of the oracles. We show that every function of m bits has an (m/logm)-oracle instance-hiding scheme. The central technique used in all of these results is locally random reducibility, which was used for the first time in [7] and is formally defined for the first time here. In addition to the applications that we present, locally random reducibility has been applied to interactive proof systems, program checking, and program testing.
Theory and Application of Cryptographic Techniques, 1995
Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 2012
Journal of Computer and System Sciences, 2000
IEEE Security & Privacy, 2016
Abstract: this paper [JJV], NIST did a lot of further,independent, design. They ended up with a k... more Abstract: this paper [JJV], NIST did a lot of further,independent, design. They ended up with a kind of object that isn't even a conventional MAC,and isn't supported by any published scientific work. We don't think this is a right way to go. Werecommend abandoning RMAC and choosing a more mature construction
Abstract: We propose a block-cipher mode of operation, called EAX, for authenticated-encryption w... more Abstract: We propose a block-cipher mode of operation, called EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N, M, H $ ...
ABSTRACT accounting. OCB uses djM j=ne + 2 block-cipher calls for a nonempty message M . (The emp... more ABSTRACT accounting. OCB uses djM j=ne + 2 block-cipher calls for a nonempty message M . (The empty string takes three block-cipher invocations, the same as a one-block message). We compare with CBC encryption and CBC encryption plus a CBC MAC:
Lecture Notes in Computer Science, 1999
Whereas a block cipher enciphers messages of some one particular length (the blocklength), a vari... more Whereas a block cipher enciphers messages of some one particular length (the blocklength), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. This paper introduces the problem of constructing such objects, and provides a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.
Lecture Notes in Computer Science, 2000
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separat... more Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. There is an uncomfortable and interesting gap between these two approaches to cryptography. This paper starts to bridge the gap, by providing a computational justification for a formal treatment of encryption.
Advances in Cryptology — CRYPTO’ 93, 1994
We provide the first formal treatment of entity authentication and authenticated key distribution... more We provide the first formal treatment of entity authentication and authenticated key distribution appropriate to the distributed emironment. Addressed in detail are the problems of mutual authentication and authenticated key exchange for the symmetric, two-party setting. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming only the existence of a pseudorandom function.
Lecture Notes in Computer Science, 1991
We consider the communication complexity of secure multiparty computations by networks of process... more We consider the communication complexity of secure multiparty computations by networks of processors each with unlimited computing power. Say that an n-party protocol for a function of m bits is efficient if it uses a constant number of rounds of communication and a total number of message bits that is polynomial in max(m, n). We show that any function has an efficient protocol that achieves (rclog n)/m resilience. Ours is the first secure multiparty protocol in which the communication complexity is independent of the computational complexity of the function being computed. We also consider the communication complexity of zero-knowledge proofs of properties of committed bits. We show that every function / of m bits has an efficient notarized envelope scheme; that is, there is a protocol in which a computationally unlimited prover commits a sequence of bits x to a computationally unlimited verifier and then proves in perfect zero-knowledge (without decommitting x) that f(x) = 1, using a constant number of rounds and poly(m) message bits. Ours is the first notarized envelope scheme in which the communication complexity is independent of the computational complexity of /. Finally, we establish a new upper bound on the number of oracles needed in instance-hiding schemes for arbitrary functions. These schemes allow a computationally limited querier to capitalize on the superior power of one or more computationally unlimited oracles in order to obtain f(x) without revealing its private input x to any one of the oracles. We show that every function of m bits has an (m/logm)-oracle instance-hiding scheme. The central technique used in all of these results is locally random reducibility, which was used for the first time in [7] and is formally defined for the first time here. In addition to the applications that we present, locally random reducibility has been applied to interactive proof systems, program checking, and program testing.
Theory and Application of Cryptographic Techniques, 1995
Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 2012
Journal of Computer and System Sciences, 2000
IEEE Security & Privacy, 2016
Abstract: this paper [JJV], NIST did a lot of further,independent, design. They ended up with a k... more Abstract: this paper [JJV], NIST did a lot of further,independent, design. They ended up with a kind of object that isn't even a conventional MAC,and isn't supported by any published scientific work. We don't think this is a right way to go. Werecommend abandoning RMAC and choosing a more mature construction
Abstract: We propose a block-cipher mode of operation, called EAX, for authenticated-encryption w... more Abstract: We propose a block-cipher mode of operation, called EAX, for authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N, M, H $ ...
ABSTRACT accounting. OCB uses djM j=ne + 2 block-cipher calls for a nonempty message M . (The emp... more ABSTRACT accounting. OCB uses djM j=ne + 2 block-cipher calls for a nonempty message M . (The empty string takes three block-cipher invocations, the same as a one-block message). We compare with CBC encryption and CBC encryption plus a CBC MAC: