Ciphers with Arbitrary Finite Domains


John Black (1) and Phillip Rogaway (2)

(1) Dept. of Computer Science, University of Nevada, Reno NV 89557, USA, WWW home page:
(2) Dept. of Computer Science, University of California at Davis, Davis, CA 95616, USA, WWW home page:

Abstract. We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k − 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.

Keywords: Ciphers, Modes of Operation, Provable security, Symmetric Encryption.

1 Introduction

A Motivating Example. Consider the following problem: a company wishes to generate distinct and unpredictable ten-digit credit-card numbers. One way to accomplish this involves keeping a history of all previously-issued numbers. But the company wishes to avoid storing a large amount of sensitive information. Another approach is to use some block cipher E under a randomly-selected key K and then issue credit-card numbers E_K(0), E_K(1), .... But the domains of contemporary block ciphers are inconvenient for this problem: this company needs distinct ten-digit numbers, but block ciphers have a domain [0, 2^n − 1] for some n such as 64 or 128. Is there an elegant solution to this problem?

Enciphering with Arbitrary Domains. More generally now, we have good tools (block ciphers) to encipher points when the message space M is strings of some particular length, M = {0,1}^n. But what if you want to encipher a number between one and a million? Or a point in Z_N or Z_N^*, where N is a 1024-bit number? Or a point from some elliptic-curve group? This paper looks at the question of how to construct ciphers whose domain is not {0,1}^n.
That is, we are interested in how to make a cipher which has some desired but weird domain: F : K × M → M, where K is the key space and M is the finite message space that we have in mind. A tool from which we may start our construction is a block cipher: a map E : K × {0,1}^n → {0,1}^n, where K is the key space and n is the block length. A solution to this problem immediately solves the credit-card problem: for a cipher F : K × M → M whose domain M is the set of ten-digit numbers, the company chooses a random K ∈ K and issues the (distinct) credit-card numbers F_K(0), F_K(1), F_K(2), ..., and has only to remember the last value used.

Measuring Success. We would like to make clear right away what is the security goal that we are after. Let's do this by way of an example. Suppose that you want to encipher numbers between one and a million: M = [1, 10^6]. Following [2, 7], we imagine two games. In the first game one chooses a random key K from K and hands to an adversary an oracle E_K(·). In the second game one chooses a random permutation π on [1, 10^6] and hands the adversary an oracle for π(·). The adversary should be unable to distinguish these two types of oracles without spending a huge amount of time. Note that the domain is so small that the adversary might well ask for the value of the oracle f(·) ∈ {E_K(·), π(·)} at every point in the domain. This shouldn't help the adversary win. So, for example, if the adversary asks the value of E_K(·) at all points except 1 and 2 (a total of 10^6 − 2 points), then the adversary will know what are the two missing numbers, c_1 and c_2, but the adversary won't be able to ascertain if E_K(1) = c_1 and E_K(2) = c_2, or if E_K(1) = c_2 and E_K(2) = c_1, instead.

Our Contributions. Though the problem of enciphering on an arbitrary domain has been considered before [13], here we draw attention to this problem and give the first rigorous treatment, providing a few solutions together with their analyses. Our solutions focus on the case in which the message space is M = [0, k − 1], though we sketch extensions to some other message spaces, like Z_{pq}^* and common elliptic-curve groups. Our first method assumes that we have a block cipher E that acts on N = 2^n points, where N ≥ k. To encipher M = [0, k − 1] one just enciphers these points with block cipher E and uses the ordering of E_K(0), E_K(1), up to E_K(k − 1) to name the desired permutation on [0, k − 1]. This method is computationally reasonable only for small k, such as k < 2^30.
A second method, similar to known techniques used in other settings, enciphers a message m ∈ M by repeatedly applying the block cipher, starting at m, until one gets back to a point in M. (Assume once again that N ≥ k.) This method is good if M is dense in the domain of the block cipher, {0,1}^n. So, for example, one can use this method to encipher a string in Z_N^*, where N is a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [3, 9, 11].) This construction has been suggested before [13]; our main contribution here is the analysis of the construction.

A final method which we look at chooses an a, b where ab ≥ k and performs a Feistel construction on the message m, but uses a left-hand side in Z_a and a right-hand side in Z_b. Our analysis of this is an adaptation of Luby and Rackoff's [9]. This method can be quite efficient, though the proven bounds are weak when the message space is small (e.g., k < 2^128). With each of our ciphers we provide a deciphering algorithm, though this may not be required in all domains (e.g., in our credit-card example above).
Note that the three methods above solve our problem for small and large domains, but there is a gap which remains: intermediate-sized values where our first method requires too much space and time, our second method requires too many block-cipher invocations, and our third method may work but the bound is too weak. This gap occurs roughly from k = 2^30 up to about k = 2^60, depending on your point of view. Our credit-card example falls into this gap. This problem remains open.

Why Ciphers on Non-Standard Sets? Popular books on cryptography speak of enciphering the points in the message space M, whatever that message space may be, but few seem to have thought much about how to actually do this when the message space is something other than a set of bit strings, often of one particular length. This omission is no doubt due to the fact that it is usually fine to embed the desired message space into a larger one, using some padding method, and then apply a standard construction to encipher in the larger space. For example, suppose you want to encipher a random number m between one and a million. Your tool is a 128-bit block cipher E. You could encode m as a 128-bit string M by writing m using 20 bits, prepending 108 zero-bits, and computing C = E_K(M). Ignoring the fact that the ciphertext C wastes 108 bits, this method is usually fine. But not always.

One problem with the method above is that it allows one to tell if a candidate key K might have been used to produce C. To illustrate the issue, suppose that the key space is small, say |K| = 2^30. Suppose the adversary sees a point C = E_K(M). Then the adversary has everything she needs to decrypt ciphertext C = E_K(M): she just tries all keys K ∈ K until she finds one for which E_K^{-1}(C) begins with 108 zeros. This is almost certainly the right key. The objection that we shouldn't have used a small key space is not a productive one if the point of our efforts was to make do with a small key space. If we had used a cipher with message space M = [1, 10^6] we would not have had this problem.
Every ciphertext C, under every possible key K, would correspond to a valid message M. The ciphertext would reveal nothing about which key had been used. Of course there are several other solutions to the problem we have described, but many of them have difficulties of their own. Suppose, for example, that one pads with random bits instead of zero bits. This is better, but still not perfect: in particular, an adversary can tell that a candidate key K could not have been used to encipher M if decrypting C under K yields a final 20 bits whose decimal value exceeds 1,000,000. If one had 1,000 ciphertexts of random plaintexts enciphered in the manner we have described, the adversary could, once again, usually determine the correct key.

As a more realistic example related to that above, consider the Bellovin-Merritt EKE protocol [4]. This entity-authentication protocol is designed to defeat password-guessing attacks. The protocol involves encrypting, under a possibly weak password K, a string g^x mod p, where p is a large prime number and g is a generator of Z_p^*. In this context it is crucial that from the resulting ciphertext C one can not ascertain if a candidate password K could possibly have produced the ciphertext C. This can be easily and efficiently done by enciphering with message space M = Z_p^*. Ordinary encryption methods won't work.

Another problem with ciphertext-expansion occurs when we are constrained by an existing record format: suppose we wish to encrypt a set of fields in a database, but the cost of changing the record size is prohibitive. Using a cipher whose domain is the set of values for the existing fields allows some measure of added security without requiring a complete restructuring of the database. And if the data have additional restrictions beyond size (e.g., the fields must contain printable characters), we can further restrict the domain as needed.

In addition to these (modest) applications, the question is interesting from a theoretical standpoint: how can we construct new ciphers from existing ones? In particular, can we construct ciphers with arbitrary domains without resorting to creating new ciphers from scratch? It certainly feels like there should be a good way to construct a block cipher on 32 bits given a block cipher on 64 bits, but, even for this case, no one knows how to do this in a practical manner with good security bounds.

Related Work. We assume that one has in hand a good block cipher for any desired block length. Since standard block ciphers come only in convenient block lengths, such as n = 128, here are some ways that one might create a block cipher for some non-standard block length. First, one could construct the block cipher from scratch. But it is probably better to start with a well-studied primitive like SHA-1 or AES. These could then be used within a balanced Feistel network [14], which creates a block cipher for any (even) block length 2n, starting with something that behaves as a pseudorandom function (PRF) from n bits to n bits. Luby and Rackoff [9] give quantitative bounds on the efficacy of this construction (when using three and four rounds), and their work has spawned much related analysis, too.
Naor and Reingold [11] provide a different construction which extends a block cipher on n bits to a block cipher on 2n bits, for any ≥ 1. A variation on their construction due to Patel, Ramzan and Sundaram [12] yields a cipher on n bits for any ≥ 1. Lucks [10] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r bits to l bits and another from l bits to r bits, where l + r = N. Starting from an n-bit block cipher, Bellare and Rogaway [3] construct and analyze a length-preserving cipher with domain {0,1}^{≥n}. This is something more than making a block cipher on arbitrary N ≥ n bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses an unbalanced Feistel network. It is unclear how to make any of the constructions above apply to message spaces which are not sets of strings. Probably several of the constructions can be modified, and in multiple ways, to deal with a message space M = [0, k − 1], or with other message spaces.
The Hasty Pudding Cipher of Schroeppel and Orman [13] is a block cipher which works on any domain [0, k − 1]. They use what is essentially Method 2, internally iterating the cipher until a proper domain point is reached. Schroeppel believes that the idea underlying this method dates back to the rotor machines used in the early 1900's. Our notion of a pseudorandom function is due to Goldreich, Goldwasser and Micali [6]. Pseudorandom permutations are defined and constructed by Luby and Rackoff [9]. We use the adaptation of these notions to deal with finite objects, which first appears in Bellare, Kilian and Rogaway [2].

2 Preliminaries

Notation. If A and B are sets then Rand(A, B) is the set of all functions from A to B. If A or B is a positive number, n, then the corresponding set is [0, n − 1]. We write Perm(A) to denote the set of all permutations on the set A, and if n is a positive number then the set is assumed to be [0, n − 1]. By x ←R A we denote the experiment of choosing a random element from A. A function family is a multiset F = {f : A → B}, where A, B ⊆ {0,1}^*. Each element f ∈ F has a name K, where K ∈ Key. So, equivalently, a function family F is a function F : Key × A → B. We call A the domain of F and B the range of F. The first argument to F will be written as a subscript. A cipher is a function family F : Key × A → A where F_K(·) is always a permutation; a block cipher is a function family F : Key × {0,1}^n → {0,1}^n where F_K(·) is always a permutation. An ideal block cipher is a block cipher in which each permutation on {0,1}^n is realized by exactly one K ∈ Key. An adversary is an algorithm with an oracle. The oracle computes some function. We write A^{f(·)} to indicate an adversary A with oracle f(·). Adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. Let F : Key × A → B be a function family and let A be an adversary.
In this paper, we measure security as the maximum advantage obtainable by some adversary; we use the following statistical measures:

$$\mathrm{Adv}^{\mathrm{prf}}_F(A) \stackrel{\mathrm{def}}{=} \Pr[f \stackrel{R}{\leftarrow} F : A^{f(\cdot)} = 1] - \Pr[R \stackrel{R}{\leftarrow} \mathrm{Rand}(A, B) : A^{R(\cdot)} = 1],$$

and when A = B,

$$\mathrm{Adv}^{\mathrm{prp}}_F(A) \stackrel{\mathrm{def}}{=} \Pr[f \stackrel{R}{\leftarrow} F : A^{f(\cdot)} = 1] - \Pr[\pi \stackrel{R}{\leftarrow} \mathrm{Perm}(A) : A^{\pi(\cdot)} = 1].$$

Useful Facts. It is often convenient to replace random permutations with random functions, or vice versa. The following proposition lets us easily do this. For a proof see Proposition 2.5 in [2].

Lemma 1. [PRF/PRP Switching] Fix n ≥ 1. Let A be an adversary that asks at most p queries. Then

$$\left|\Pr[\pi \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{\pi(\cdot)} = 1] - \Pr[\rho \stackrel{R}{\leftarrow} \mathrm{Rand}(n, n) : A^{\rho(\cdot)} = 1]\right| \le \frac{p^2}{2^{n+1}}.$$
Algorithm Init Px_K
  for j ← 0 to k − 1 do I_j ← E_K(j)
  for j ← 0 to k − 1 do J_j ← Ord(I_j, {I_j}_{j ∈ [0, k−1]})
  for j ← 0 to k − 1 do L_{J_j} ← j

Algorithm Px_K(m)
  return J_m

Algorithm Px^{-1}_K(m)
  return L_m

Fig. 1. Algorithms for the Prefix Cipher. First the initialization algorithm Init Px_K is run. Then encipher with Px_K(m) and decipher with Px^{-1}_K(m).

3 Method 1: Prefix Cipher

Fix some integer k and let M be the set [0, k − 1]. Our goal is to build a cipher with domain M. Our first approach is a simple, practical method for small values of k. We name this cipher Px. Our cipher will use some existing block cipher E with keyspace K and whose domain is a superset of M. The key space for Px will also be K. To compute Px_K(m) for some m ∈ M and K ∈ K we first compute the tuple I = (E_K(0), E_K(1), ..., E_K(k − 1)). Since each element of I is a distinct string, we may replace each element in I with its ordinal position (starting from zero) to produce tuple J. And now to encipher any m ∈ M we compute Px_K(m) as simply the mth component of J (again counting from zero). The enciphering and deciphering algorithms are given in Figure 1.

Example. Suppose we wish to encipher M = {0, 1, 2, 3, 4}. We choose some random key K for some block cipher E. Let's assume E is an 8-bit ideal block cipher; therefore E_K is a uniformly chosen random permutation on [0, 255]. Next we encipher each element of M. Let's say E_K(0) = 166, E_K(1) = 6, E_K(2) = 130, E_K(3) = 201, and E_K(4) = 78. So our tuple I is (166, 6, 130, 201, 78) and J is (3, 0, 2, 4, 1). We are now ready to encipher any m ∈ M: we return the mth element from J, counting from zero. For example we encipher 0 as 3, and 1 as 0, etc.

Analysis. Under the assumption that our underlying block cipher E is ideal, I is equally likely to be any of the permutations on M. The proof of this fact is trivial and is omitted. The method remains good when E is secure in the sense of a PRP. The argument is standard and is omitted.

Practical Considerations. Enciphering and deciphering are constant-time operations. The cost here is O(k) time and space used in the initialization step.
This clearly means that this method is practical only for small values of k. A further practical consideration is that, although this initialization is a one-time cost, it results in a table of sensitive data which must be stored somewhere.
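The Prefix Cipher of Figure 1, run on the paper's own worked example, as an added Python example (this is not code from the paper). The block cipher E_K is replaced by the five outputs the text assigns to E_K(0), ..., E_K(4); that stand-in, and the name paper_example, are assumptions of the example.

```python
"""Prefix cipher Px (Figure 1): Init builds the tables J and L, then Px_K(m) = J_m."""
from typing import Callable, Dict, List


class PrefixCipher:
    """Px_K over M = [0, k-1], built from a block-cipher oracle E_K whose domain contains M."""

    def __init__(self, e_k: Callable[[int], int], k: int) -> None:
        # Init Px_K: I_j = E_K(j) for every point of M, which is the O(k) time/space cost.
        i_tuple: List[int] = [e_k(j) for j in range(k)]
        if len(set(i_tuple)) != k:
            raise ValueError("E_K must be injective on [0, k-1]")
        # J_j = Ord(I_j, {I_j}): the rank of I_j among all k values, counting from zero.
        rank: Dict[int, int] = {v: pos for pos, v in enumerate(sorted(i_tuple))}
        self.j_table: List[int] = [rank[v] for v in i_tuple]
        # L is the inverse table, L[J_j] = j, so deciphering is a single lookup too.
        self.l_table: List[int] = [0] * k
        for j, jj in enumerate(self.j_table):
            self.l_table[jj] = j
        self.k = k

    def encipher(self, m: int) -> int:
        """Px_K(m): constant-time lookup; the sensitive part is the table itself."""
        return self.j_table[m]

    def decipher(self, c: int) -> int:
        """Px_K^{-1}(c): the inverse lookup."""
        return self.l_table[c]


# Constructed stand-in for the 8-bit ideal cipher of the paper's example: only the
# five values E_K(0)=166, E_K(1)=6, E_K(2)=130, E_K(3)=201, E_K(4)=78 are needed.
PAPER_EXAMPLE_E_K: Dict[int, int] = {0: 166, 1: 6, 2: 130, 3: 201, 4: 78}


def paper_example() -> PrefixCipher:
    """The cipher on M = {0,1,2,3,4} from the text; J should come out as (3, 0, 2, 4, 1)."""
    return PrefixCipher(PAPER_EXAMPLE_E_K.__getitem__, k=5)


def is_permutation(cipher: PrefixCipher) -> bool:
    """Check that encipher is a bijection on M and that decipher inverts it at every point."""
    image = [cipher.encipher(m) for m in range(cipher.k)]
    inverts = all(cipher.decipher(c) == m for m, c in enumerate(image))
    return sorted(image) == list(range(cipher.k)) and inverts


if __name__ == "__main__":
    px = paper_example()
    print("J =", px.j_table, "L =", px.l_table, "bijection:", is_permutation(px))
```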
Algorithm Cy_K(m)
  c ← E_K(m)
  if c ∈ M return c else return Cy_K(c)

Algorithm Cy^{-1}_K(m)
  c ← E^{-1}_K(m)
  if c ∈ M return c else return Cy^{-1}_K(c)

Fig. 2. Algorithms for the Cycle-Walking Cipher. We encipher with Cy_K(·) and decipher with Cy^{-1}_K(·).

4 Method 2: Cycle-Walking Cipher

This next method uses a block cipher whose domain is larger than M, and then handles those cases where a point is out of range. Again we fix an integer k, let M be the set [0, k − 1], and devise a method to encipher M. Let N be the smallest power of 2 larger than or equal to k, let n be lg N, and let E_K(·) be an n-bit block cipher. We construct the cipher Cy_K on the set M by computing c = E_K(m) and iterating if c ∉ M. The enciphering and deciphering algorithms are shown in Figure 2.

Example. Let M = [0, 10^6]. Then N = 2^20 and so n = 20. We use some known method to build a 20-bit block cipher E_K(·) on the set T = [0, 2^20 − 1]. Now suppose we wish to encipher the point m = 314159; we compute c_1 = E_K(314159), which yields some number in T. Since c_1 ∉ M, we iterate by computing c_2 = E_K(c_1), which is, say, 1729. Since c_2 ∈ M, we output 1729 as Cy_K(314159). Decipherment is simply the reverse of this procedure.

Analysis. Let's view the permutation E_K(·) as a family of cycles: any point m ∈ M lies on some cycle, and repeated applications of E_K(·) can be viewed as a particle walking along the cycle, starting at m. In fact, we can now think of our construction as follows: to encipher any point m ∈ M, walk along the cycle containing m until you encounter some point c ∈ M. Then c = Cy_K(m). Of course this method assumes that one can efficiently test for membership in M. This is trivial for our case when M = [0, k − 1], but might not be for other sets. Now we may easily see that Cy_K(·) is well-defined: given any point m ∈ M, if we apply E_K(·) enough times, we will arrive at a point in M. This is because walking on m's cycle must eventually arrive back at some point in M, even if that point is m itself. We can also see that Cy_K(·) is invertible, since inverting Cy_K(m) is equivalent to walking backwards on m's cycle until finding some element in M.
Therefore, we know Cy_K(·) is a permutation on M. However the question arises, how much security do we lose in deriving this permutation? The fortunate answer is, nothing.

Theorem 1. [Security of Cycle-Walking Cipher] Fix k ≥ 1 and let M = [0, k − 1]. Let E_K(·) be an ideal block cipher on the set T where M ⊆ T. Choose a key K uniformly at random and then construct Cy_K(·) using E_K(·). Then Cy_K(·) is a uniform random permutation on M.
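The Cycle-Walking Cipher of Figure 2 together with a brute-force check of Theorem 1, as an added Python example (not the paper's code). An ideal block cipher on a tiny set T = [0, t − 1] is modelled by enumerating every permutation of T as one "key", which is an assumption of the example; the check then counts how many keys induce each permutation π on M and compares against the t!/k! the theorem predicts.

```python
"""Cycle-walking Cy_K over M = [0, k-1] with E_K given as a permutation table of T."""
from collections import Counter
from itertools import permutations
from math import factorial
from typing import Sequence, Tuple


def cycle_walk(perm: Sequence[int], k: int, m: int) -> int:
    """Cy_K(m): apply E_K (the table `perm`) until the image lands back in M = [0, k-1].
    Every step stays on m's cycle, so the walk needs at most one cycle length."""
    if not 0 <= m < k:
        raise ValueError("m must lie in M")
    c, steps = perm[m], 1
    while c >= k:
        c, steps = perm[c], steps + 1
        if steps > len(perm):  # impossible for a true permutation; guards a bad table
            raise ValueError("perm is not a permutation of T")
    return c


def cycle_walk_inverse(perm: Sequence[int], k: int, c: int) -> int:
    """Cy_K^{-1}(c): walk backwards along the cycle using E_K^{-1}."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    m = inv[c]
    while m >= k:
        m = inv[m]
    return m


def induced_permutation(perm: Sequence[int], k: int) -> Tuple[int, ...]:
    """The permutation on M that Cy_K realizes: (Cy_K(0), ..., Cy_K(k-1))."""
    return tuple(cycle_walk(perm, k, m) for m in range(k))


def key_counts(t: int, k: int) -> Counter:
    """For every permutation of T = [0, t-1] (one key of an ideal cipher on T), record which
    permutation of M it induces. Theorem 1 says each of the k! candidates gets t!/k! keys."""
    counts: Counter = Counter()
    for perm in permutations(range(t)):
        counts[induced_permutation(perm, k)] += 1
    return counts


def theorem1_holds(t: int, k: int) -> bool:
    """True iff every permutation of M is induced by exactly t!/k! of the t! keys."""
    counts = key_counts(t, k)
    expected = factorial(t) // factorial(k)
    return len(counts) == factorial(k) and all(c == expected for c in counts.values())


if __name__ == "__main__":
    # Constructed 5-point permutation: 0 -> 3 -> 1 -> 0 is one cycle, 2 -> 4 -> 2 another.
    E = [3, 0, 4, 1, 2]
    print("Cy on M=[0,2]:", induced_permutation(E, 3))
    print("Theorem 1 for t=5, k=3:", theorem1_holds(5, 3))
```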
Proof. Fix some permutation π on the set M. We will show that an equal number of keys K will give rise to π; this will imply the theorem. We proceed by induction, showing that the number of permutations on {0, ..., k − 1, x} which give rise under our construction to π is constant. Since M ⊆ T we can repeatedly add all elements x ∈ T − M while maintaining that the number of permutations which give rise to π is constant. Decompose π into r cycles of lengths l_1, l_2, ..., l_r. We count the number of ways to insert the new element x. There are l_i ways to insert x into the ith orbit corresponding to the ith cycle, and one way to insert x into a new orbit of its own (i.e., the permutation which fixes x). Therefore there are

$$\sum_{i=1}^{r} l_i + 1 = k + 1$$

ways to add element x to π yielding a permutation which will give rise to π by repeated iterations. This holds no matter what π we choose. Let |T| = t. Then by induction we see that there are exactly t!/k! keys K under which our construction reduces E_K(·) to π.

Similar to the Prefix Cipher, our construction has retained all of the security of the underlying block cipher. Theorem 1 is an information-theoretic result. Passing to the corresponding complexity-theoretic result is standard. Because no security is lost in the information-theoretic setting, and because we apply E an expected two times (or fewer), an adversary's maximal advantage to distinguish E_K(·) from a random permutation of Z_{2^n} in expected time 2t approximately upper bounds an adversary's maximal advantage to distinguish Cy_K(·) from a random permutation on M in time t.

5 Method 3: Generalized-Feistel Cipher

Our final method works as follows: we decompose all the numbers in M into pairs of similarly sized numbers and then apply the well-known Feistel construction [14] to produce a cipher. Again we fix an integer k, let M be the set [0, k − 1], and devise a method to encipher M. We call our cipher Fe[r, a, b], where r is the number of rounds we use in our Feistel network and a and b are positive numbers such that ab ≥ k. We use a and b to decompose any m ∈ M into two numbers for use as the inputs into the network.
Within the network we use r random functions F_1, ..., F_r whose ranges contain M. The algorithms to encipher and decipher are given in Figure 3. Notice that if using the Feistel construction results in a number not in M, we iterate just as we did for the Cycle-Walking Cipher.

Example. In order to specify some particular Fe[r, a, b]_K(·) we must specify the numbers a and b, the number of Feistel rounds r, and the choice of underlying functions F_1, ..., F_r we will use. As a concrete example, let's take k = 2^35, r = 3, and a = and b = (methods for finding a and b will be discussed later). Note that ab ≥ k as required. Since ab is larger than k, our Feistel construction will be on the set M' = [0, ab − 1], meaning there are ab − k values which are in M' − M for which we will have to iterate (just as we did for the Cycle-Walking Cipher). Let's use DES with independent keys as our underlying PRFs. DES is a 64-bit cipher which uses a 56-bit key; we will regard the 64-bit strings on which DES operates as integers in the range [0, 2^64 − 1] in the natural way. We need three PRFs, so our key K = K_1 K_2 K_3 will be 3 × 56 = 168 bits. Now to compute Fe[3, a, b](m) we compute L = m mod a and R = ⌊m/a⌋ (here a = 185360), and then perform three rounds of Feistel using DES_{K_1}(·), DES_{K_2}(·), and DES_{K_3}(·) as our underlying PRFs. The first round results in L ← ⌊m/a⌋ and R ← (m mod a + DES_{K_1}(⌊m/a⌋)) mod a, and so on.

Algorithm Fe[r, a, b]_K(m)
  c ← fe[r, a, b]_K(m)
  if c ∈ M return c else return Fe[r, a, b]_K(c)

Algorithm fe[r, a, b]_K(m)
  L ← m mod a; R ← ⌊m/a⌋
  for j ← 1 to r do
    if (j is odd) then tmp ← (L + F_j(R)) mod a
    else tmp ← (L + F_j(R)) mod b
    L ← R; R ← tmp
  if (r is odd) then return aL + R else return aR + L

Algorithm Fe[r, a, b]^{-1}_K(m)
  c ← fe[r, a, b]^{-1}_K(m)
  if c ∈ M return c else return Fe[r, a, b]^{-1}_K(c)

Algorithm fe[r, a, b]^{-1}_K(m)
  if (r is odd) then R ← m mod a; L ← ⌊m/a⌋
  else L ← m mod a; R ← ⌊m/a⌋
  for j ← r to 1 do
    if (j is odd) then tmp ← (R − F_j(L)) mod a
    else tmp ← (R − F_j(L)) mod b
    R ← L; L ← tmp
  return aR + L

Fig. 3. Algorithms for the Generalized-Feistel Cipher. We encipher with Fe[r, a, b]_K(·) and decipher with Fe[r, a, b]^{-1}_K(·). Here a and b are the numbers used to bijectively map all m ∈ M into L and R, and r is the number of rounds of Feistel we will apply. The key K is implicitly used to select the r functions F_1, ..., F_r.

Analysis. First we note that Fe[r, a, b](·) is a permutation: it is well-known that the Feistel construction produces a permutation, and we showed previously that
iterating any permutation is a permutation. We now analyze how good this Generalized-Feistel Cipher is for the three-round case. Assuming the underlying functions F_1, F_2, and F_3 used in our construction are truly random functions, we will compare how close Fe[3, a, b](·) is to a truly random permutation. Passing to the complexity-theoretic setting is then standard, and therefore omitted.

Theorem 2. [Security of Generalized-Feistel Cipher] Fix k ≥ 1 and let M = [0, k − 1]. Fix two numbers a, b > 0 such that ab ≥ k. Let Δ = ab − k. Fix an n such that 2^n > a and 2^n > b. Let D be an adversary which asks q queries of her oracle. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Fe}}(D) = \Pr[F_1, F_2, F_3 \stackrel{R}{\leftarrow} \mathrm{Rand}(2^n, 2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] - \Pr[\rho \stackrel{R}{\leftarrow} \mathrm{Rand}(k, k) : D^{\rho(\cdot)} = 1] \le \frac{(q+\Delta)^2}{2^{n+1}}\left(\left\lceil \frac{2^n}{a} \right\rceil + \left\lceil \frac{2^n}{b} \right\rceil\right).$$

The proof is an adaptation of Luby's analysis from Lecture 13 of [8], which is in turn based on [9]. It can be found in Appendix A. Finally, we must adjust this bound to account for the fact that we have compared Fe[3, a, b]_K(·) with a random function instead of a random permutation. We can invoke Lemma 1, which gives us a final bound quantifying the quality of our construction:

$$\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{Fe}}(D) = \Pr[F_1, F_2, F_3 \stackrel{R}{\leftarrow} \mathrm{Rand}(2^n, 2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] - \Pr[\pi \stackrel{R}{\leftarrow} \mathrm{Perm}(k) : D^{\pi(\cdot)} = 1] \le \frac{(q+\Delta)^2 + q^2}{2^{n+1}}\left(\left\lceil \frac{2^n}{a} \right\rceil + \left\lceil \frac{2^n}{b} \right\rceil\right).$$

6 Discussion

Prefix Cipher. Our first method, the Prefix Cipher, is useful only for suitably small k. Since enciphering one point requires enciphering all k points in [0, k − 1], many applications would find this prohibitively expensive for all but fairly small values of k.

Cycle-Walking Cipher. Our second method, the Cycle-Walking Cipher, can be quite practical. If k is just smaller than some power of 2, the number of points we have to walk through during any given encipherment is correspondingly small. In the worst case, however, k is one larger than a power of 2, and (with extremely bad luck) might require k calls to the underlying block cipher to encipher just one point. But if the underlying block cipher is good we require, in the worst case, an expected two calls to it in order to encipher and decipher any point.
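The Generalized-Feistel Cipher Fe[r, a, b] of Figure 3 with its cycle-walking wrapper, as an added Python example (not the paper's code). Where the paper's example uses DES under three independent keys as the round functions F_1, ..., F_r, this example models each F_j as HMAC-SHA256 under key K_j read as an integer; that PRF stand-in, the helper names, and the sample keys are assumptions of the example, while the round structure follows Figure 3 exactly and choose_ab implements the a = b = ⌈√k⌉ rule of Section 6.

```python
"""Fe[r, a, b]: Feistel on (L in Z_a, R in Z_b), iterated until the output lands in M = [0, k-1]."""
import hashlib
import hmac
import math
from typing import Callable, List, Tuple


def make_round_functions(keys: List[bytes]) -> List[Callable[[int], int]]:
    """F_j(x) = HMAC-SHA256(K_j, x) as a 256-bit integer (stand-in for the paper's DES_{K_j})."""
    def make(key: bytes) -> Callable[[int], int]:
        return lambda x: int.from_bytes(
            hmac.new(key, x.to_bytes(16, "big"), hashlib.sha256).digest(), "big")
    return [make(k) for k in keys]


def choose_ab(k: int) -> Tuple[int, int]:
    """The simple rule from the Discussion: a = b = ceil(sqrt(k)), so Delta = ab - k <= 2*sqrt(k) + 1."""
    a = math.isqrt(k - 1) + 1
    return a, a


class GeneralizedFeistel:
    def __init__(self, k: int, a: int, b: int, round_fns: List[Callable[[int], int]]) -> None:
        if a * b < k:
            raise ValueError("need ab >= k")
        self.k, self.a, self.b, self.f = k, a, b, round_fns
        self.r = len(round_fns)

    def fe(self, m: int) -> int:
        """fe[r,a,b]_K(m): one pass of the network, a permutation of M' = [0, ab-1]."""
        a, b = self.a, self.b
        L, R = m % a, m // a                        # L in Z_a, R in Z_b
        for j in range(1, self.r + 1):
            mod = a if j % 2 == 1 else b            # odd rounds yield a Z_a value, even rounds Z_b
            tmp = (L + self.f[j - 1](R)) % mod
            L, R = R, tmp
        return a * L + R if self.r % 2 == 1 else a * R + L

    def fe_inv(self, c: int) -> int:
        """fe[r,a,b]_K^{-1}(c): undo the rounds in reverse order."""
        a, b = self.a, self.b
        if self.r % 2 == 1:
            R, L = c % a, c // a
        else:
            L, R = c % a, c // a
        for j in range(self.r, 0, -1):
            mod = a if j % 2 == 1 else b
            tmp = (R - self.f[j - 1](L)) % mod
            R, L = L, tmp
        return a * R + L

    def encipher(self, m: int) -> Tuple[int, int]:
        """Fe[r,a,b]_K(m): iterate fe while the result is in M' - M. Returns (c, passes used)."""
        c, passes = self.fe(m), 1
        while c >= self.k:
            c, passes = self.fe(c), passes + 1
        return c, passes

    def decipher(self, c: int) -> int:
        m = self.fe_inv(c)
        while m >= self.k:
            m = self.fe_inv(m)
        return m


def check_bijection(k: int, a: int, b: int, keys: List[bytes]) -> Tuple[bool, int]:
    """Encipher all of M, confirm the image is a permutation of M and decipher inverts it.
    Returns (is_bijection, the largest number of fe passes any point needed)."""
    cipher = GeneralizedFeistel(k, a, b, make_round_functions(keys))
    image, worst = [], 0
    for m in range(k):
        c, passes = cipher.encipher(m)
        worst = max(worst, passes)
        if cipher.decipher(c) != m:
            return False, worst
        image.append(c)
    return sorted(image) == list(range(k)), worst


if __name__ == "__main__":
    # Constructed sample keys; k = 1000 with a = b = 32 gives Delta = 24 points to walk past.
    a, b = choose_ab(1000)
    print("a, b =", a, b, "bijection, worst passes:", check_bijection(1000, a, b, [b"k1", b"k2", b"k3"]))
```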
Generalized-Feistel Cipher. To get the best bound we should select a and b such that these numbers are somewhat close together and such that Δ = ab − k is small. One obvious technique is to try numbers near √k; for example, taking a = b = ⌈√k⌉ means that ab − k will never be more than 2√k + 1. But often one can do better. Another way to improve the bound is to ensure n is suitably large. The tail effects spoken of in the proof are diminished as n grows (because as 2^n gets larger, ⌈2^n/a⌉/2^n gets closer to 1/a).

The One-Off Construction. Another method, not mentioned above, works well for domains which are one element larger than a domain we can accommodate efficiently. Say we have a cipher E with domain [0, k − 1] and we wish to construct a cipher E' with domain [0, k]. We choose a key K' = {K, r} for E' by choosing a key K for E and a random number r ∈ [0, k]. We then compute E'_{K'}(X) as follows:

$$E'_{K'}(X) = \begin{cases} r & \text{if } X = k \\ k & \text{if } X = E^{-1}_K(r) \\ E_K(X) & \text{otherwise} \end{cases}$$

The security of this construction is tightly related to the security of E and the method for selecting r. The analysis is omitted. Of course we can use this method to repeatedly extend the domain of any cipher to the size of choice, but for most settings it is impractical to do this more than a few times. A typical method for generating r would be to take r = E_{K''}(0) mod (k + 1), where K'' is a new randomly-selected key. The tail effect here is not too bad, but will cause a rapid deterioration of the security bound when used too often. Also, the scheme begins to become quite inefficient when we extend the domain in this way too many times.

Other Domains. Though we have spoken in terms of the domain [0, k − 1], the same methods work for other domains, too. For example, to encipher in Z_N^*, where N = pq is a 1024-bit product of two primes, one can use either cycle-walking or the generalized-Feistel construction, iterating in the highly unlikely event that a point is in Z_N but not in Z_N^*. We may also use our methods to encipher points from an elliptic curve group (EC group).
There are well-known compact representations of the points in EC groups, and these representations form our starting point. For example, one finds in [5] simple algorithms to compress the representation of a point in an EC group. Consider the EC group G over the field F_q, where q is either a power of two or a prime. Then any point (x, y) ∈ G may be represented as a member of F_q together with a single bit. Let's consider first the case where q = 2^m with m > 0. The Hasse theorem (see [5], page 8) guarantees at least d(r) = r + 1 − 2√r points in G. Since it is possible to represent any point in G with m + 1 bits and it is also possible to efficiently test for membership in G, we could use the cycle-walking construction over a cipher on 2^{m+1} points, i.e., an (m + 1)-bit cipher. The expected number of invocations of this cipher to encipher a point in G is then 2^{m+1}/d(2^m) ≈ 2.
If q is instead a prime p, we can represent any point in G as a number x ∈ [0, p − 1] and a single bit y. We may again use any of our methods to encipher these 2p points. Here the Hasse theorem ([5], page 7) guarantees at least d(p) points in G, and once again an efficient test for membership in G exists. Therefore we may use the cycle-walking construction over some ⌈lg 2p⌉-bit cipher. However, if 2p is not close to a power of 2, we may wish to instead use the generalized-Feistel construction.

Open Problems. As mentioned already, we have not provided any construction which works well (and provably so) for intermediate-sized values of k. For example, suppose you are given an ideal block cipher Π on 128-bit strings, and you want to approximate a random permutation π on, say, 40-bit strings. Probably enough rounds of Feistel work, but remember that our security goal is that even if an adversary inquires about all 2^40 points, still she should be unable to distinguish π from a random permutation on 40 bits. Known bounds are not nearly so strong. Of course the prefix method works, but spending 2^40 time and space to encipher the first point is not practical.

Acknowledgments

Special thanks to Richard Schroeppel who made many useful comments on an earlier draft. Thanks also to Mihir Bellare, David McGrew, and Silvio Micali for their helpful comments. This paper was written while Rogaway was on leave of absence from UC Davis, visiting the Department of Computer Science, Faculty of Science, Chiang Mai University. This work was supported under NSF CAREER award CCR, and by a generous gift from Cisco Systems.

References

1. Anderson, R., and Biham, E. Two practical and provably secure block ciphers: BEAR and LION. In Fast Software Encryption (1996), Lecture Notes in Computer Science, Springer-Verlag.
2. Bellare, M., Kilian, J., and Rogaway, P. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61, 3 (2000). Earlier version in CRYPTO '94. See rogaway.
3. Bellare, M., and Rogaway, P. On the construction of variable-input-length ciphers. In Fast Software Encryption (1999), Lecture Notes in Computer Science, Springer-Verlag. See rogaway.
4. Bellovin, S., and Merritt, M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In 1992 IEEE Computer Society Symposium on Research in Security and Privacy (1992), IEEE Computer Society Press.
5. Certicom Research. Standards for efficient cryptography, SEC 1: Elliptic curve cryptography, version 1, Sept. Available online at
6. Goldreich, O., Goldwasser, S., and Micali, S. How to construct random functions. Journal of the ACM 33, 4 (1986).
More informationAssessing health efficiency across countries with a twostep and bootstrap analysis *
Assessng health effcency across countres wth a twostep and bootstrap analyss * Antóno Afonso # $ and Mguel St. Aubyn # February 2007 Abstract We estmate a semparametrc model of health producton process
More informationWho are you with and Where are you going?
Who are you wth and Where are you gong? Kota Yamaguch Alexander C. Berg Lus E. Ortz Tamara L. Berg Stony Brook Unversty Stony Brook Unversty, NY 11794, USA {kyamagu, aberg, leortz, tlberg}@cs.stonybrook.edu
More informationWhch one should I mtate? Karl H. Schlag Projektberech B Dscusson Paper No. B365 March, 996 I wsh to thank Avner Shaked for helpful comments. Fnancal support from the Deutsche Forschungsgemenschaft, Sonderforschungsberech
More informationDISCUSSION PAPER. Should Urban Transit Subsidies Be Reduced? Ian W.H. Parry and Kenneth A. Small
DISCUSSION PAPER JULY 2007 RFF DP 0738 Should Urban Transt Subsdes Be Reduced? Ian W.H. Parry and Kenneth A. Small 1616 P St. NW Washngton, DC 20036 2023285000 www.rff.org Should Urban Transt Subsdes
More informationMULTIPLE VALUED FUNCTIONS AND INTEGRAL CURRENTS
ULTIPLE VALUED FUNCTIONS AND INTEGRAL CURRENTS CAILLO DE LELLIS AND EANUELE SPADARO Abstract. We prove several results on Almgren s multple valued functons and ther lnks to ntegral currents. In partcular,
More informationWhat to Maximize if You Must
What to Maxmze f You Must Avad Hefetz Chrs Shannon Yoss Spegel Ths verson: July 2004 Abstract The assumpton that decson makers choose actons to maxmze ther preferences s a central tenet n economcs. Ths
More informationIncome per natural: Measuring development as if people mattered more than places
Income per natural: Measurng development as f people mattered more than places Mchael A. Clemens Center for Global Development Lant Prtchett Kennedy School of Government Harvard Unversty, and Center for
More informationDISCUSSION PAPER. Is There a Rationale for OutputBased Rebating of Environmental Levies? Alain L. Bernard, Carolyn Fischer, and Alan Fox
DISCUSSION PAPER October 00; revsed October 006 RFF DP 03 REV Is There a Ratonale for OutputBased Rebatng of Envronmental Leves? Alan L. Bernard, Carolyn Fscher, and Alan Fox 66 P St. NW Washngton, DC
More informationTurbulence Models and Their Application to Complex Flows R. H. Nichols University of Alabama at Birmingham
Turbulence Models and Ther Applcaton to Complex Flows R. H. Nchols Unversty of Alabama at Brmngham Revson 4.01 CONTENTS Page 1.0 Introducton 1.1 An Introducton to Turbulent Flow 11 1. Transton to Turbulent
More informationAlpha if Deleted and Loss in Criterion Validity 1. Appeared in British Journal of Mathematical and Statistical Psychology, 2008, 61, 275285
Alpha f Deleted and Loss n Crteron Valdty Appeared n Brtsh Journal of Mathematcal and Statstcal Psychology, 2008, 6, 275285 Alpha f Item Deleted: A Note on Crteron Valdty Loss n Scale Revson f Maxmsng
More informationcan basic entrepreneurship transform the economic lives of the poor?
can basc entrepreneurshp transform the economc lves of the poor? Orana Bandera, Robn Burgess, Narayan Das, Selm Gulesc, Imran Rasul, Munsh Sulaman Aprl 2013 Abstract The world s poorest people lack captal
More informationShould marginal abatement costs differ across sectors? The effect of lowcarbon capital accumulation
Should margnal abatement costs dffer across sectors? The effect of lowcarbon captal accumulaton Adren VogtSchlb 1,, Guy Meuner 2, Stéphane Hallegatte 3 1 CIRED, NogentsurMarne, France. 2 INRA UR133
More informationEnsembling Neural Networks: Many Could Be Better Than All
Artfcal Intellgence, 22, vol.37, no.2, pp.239263. @Elsever Ensemblng eural etworks: Many Could Be Better Than All ZhHua Zhou*, Janxn Wu, We Tang atonal Laboratory for ovel Software Technology, anng
More informationWHICH SECTORS MAKE THE POOR COUNTRIES SO UNPRODUCTIVE?
MŰHELYTANULMÁNYOK DISCUSSION PAPERS MT DP. 2005/19 WHICH SECTORS MAKE THE POOR COUNTRIES SO UNPRODUCTIVE? BERTHOLD HERRENDORF ÁKOS VALENTINYI Magyar Tudományos Akadéma Közgazdaságtudomány Intézet Budapest
More informationAsRigidAsPossible Image Registration for Handdrawn Cartoon Animations
AsRgdAsPossble Image Regstraton for Handdrawn Cartoon Anmatons Danel Sýkora Trnty College Dubln John Dnglana Trnty College Dubln Steven Collns Trnty College Dubln source target our approach [Papenberg
More information