The Melbourne Shuffle: Improving Oblivious Storage in the Cloud
We present a simple, efficient, and secure data-oblivious randomized shuffle algorithm. This is the first secure data-oblivious shuffle that is not based on sorting. Our method can be used to improve previous oblivious storage solutions for network-based outsourcing of data.
A new hardware-assisted PIR with O(n) shuffle cost
Ministry of Education, Singapore under its Academic Research Funding Tier
Keep That Card in Mind: Card Guessing with Limited Memory
A card guessing game is played between two players, Guesser and Dealer. At the beginning of the game, the Dealer holds a deck of cards (labeled ). For turns, the Dealer draws a card from the deck, the Guesser guesses which card was drawn, and then the card is discarded from the deck. The Guesser receives a point for each correctly guessed card. With perfect memory, a Guesser can keep track of all cards that were played so far and pick at random a card that has not appeared so far, yielding in expectation correct guesses. With no memory, the best a Guesser can do will result in a single guess in expectation. We consider the case of a memory-bounded Guesser that has memory bits. We show that the performance of such a memory-bounded Guesser depends much on the behavior of the Dealer. In more detail, we show that there is a gap between the static case, where the Dealer draws cards from a properly shuffled deck or a prearranged one, and the adaptive case, where the Dealer draws cards thoughtfully, in an adversarial manner. Specifically:
1. We show a Guesser with memory bits that scores a near-optimal result against any static Dealer.
2. We show that no Guesser with bits of memory can score better than correct guesses, thus, no Guesser can score better than , i.e., the above Guesser is optimal.
3. We show an efficient adaptive Dealer against which no Guesser with memory bits can make more than correct guesses in expectation.
These results are (almost) tight, and we prove them using compression arguments that harness the guessing strategy for encoding.
Comment: 51 pages, 12 figures
Pseudorandom Functions: Three Decades Later
In 1984, Goldreich, Goldwasser and Micali formalized the concept of pseudorandom functions and proposed a construction based on any length-doubling pseudorandom generator. Since then, pseudorandom functions have turned out to be an extremely influential abstraction, with applications ranging from message authentication to barriers in proving computational complexity lower bounds.
In this tutorial we survey various incarnations of pseudorandom functions, giving self-contained proofs of key results from the literature. Our main focus is on feasibility results and constructions, as well as on limitations of (and induced by) pseudorandom functions. Along the way we point out some open questions that we believe to be within reach of current techniques.
Randomized stopping times and provably secure pseudorandom permutation generators
Conventionally, the key-scheduling algorithm (KSA) of a cryptographic scheme runs for a predefined number of steps. We suggest a different approach: using randomized stopping rules to generate permutations that are indistinguishable from uniform ones. We explain that if the stopping time of such a shuffle is a Strong Stationary Time and bits of the secret key are not reused, then these algorithms are immune to timing attacks.
We also revisit the well-known paper of Mironov [Mironov2002], which analyses a card shuffle that models the KSA of RC4. Mironov states that the expected time until reaching the uniform distribution is while we prove that steps are enough (by finding a new strong stationary time for the shuffle).
Nevertheless, both cases require bits of randomness, while one can replace the shuffle used in RC4 (and in Spritz) with a better shuffle which is optimal and needs only bits.
FastPRP: Fast Pseudo-Random Permutations for Small Domains
We propose a novel small-domain pseudo-random permutation, also referred to as a small-domain cipher or small-domain (deterministic) encryption. We prove that our construction achieves strong security, i.e., is indistinguishable from a random permutation even when an adversary has observed all possible input-output pairs. More importantly, our construction is 1,000 to 8,000 times faster in most realistic scenarios, in comparison with the best known construction (also achieving strong security). Our implementation leverages the extended instruction sets of modern processors, and we also introduce a smart caching strategy to freely tune the tradeoff between time and space.
Stadium: A Distributed Metadata-Private Messaging System
Private communication over the Internet remains a challenging problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs of users are communicating. Scalable anonymity systems, such as Tor, are susceptible to traffic analysis attacks that leak metadata. In contrast, the largest-scale systems with metadata privacy require passing all messages through a small number of providers, requiring a high operational cost for each provider and limiting their deployability in practice.
This paper presents Stadium, a point-to-point messaging system that provides metadata and data privacy while scaling its work efficiently across hundreds of low-cost providers operated by different organizations. Much like Vuvuzela, the current largest-scale metadata-private system, Stadium achieves its provable guarantees through differential privacy and the addition of noisy cover traffic. The key challenge in Stadium is limiting the information revealed from the many observable traffic links of a highly distributed system, without requiring an overwhelming amount of noise. To solve this challenge, Stadium introduces techniques for distributed noise generation and differentially private routing as well as a verifiable parallel mixnet design where the servers collaboratively check that others follow the protocol. We show that Stadium can scale to support 4X more users than Vuvuzela using servers that cost an order of magnitude less to operate than Vuvuzela nodes.
On generalized Feistel networks
We prove beyond-birthday-bound security for the well-known types of generalized Feistel networks, including: (1) unbalanced Feistel networks, where the -bit to -bit round functions may have ; (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where -bit to -bit round functions are used to encipher -bit strings for some ; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework we show that, in any of these settings, for any , with enough rounds, the subject scheme can tolerate CCA attacks of up to adversarial queries, where is the size of the round functions' domain (the size of the larger domain for alternating Feistel). This is asymptotically optimal. Prior analyses for generalized Feistel networks established security to only adversarial queries.