2021
JOFC
We describe OCB3, the final version of OCB, a blockcipher mode for authenticated encryption (AE). We prove the construction secure, up to the birthday bound, assuming its underlying blockcipher is secure as a strong-PRP. We study the scheme’s software performance, comparing its speed, on multiple platforms, to a variety of other AE schemes. We reflect on the history and development of the mode.
2019
ASIACRYPT
The customary formulation of authenticated encryption (AE) requires the decrypting party to supply the correct nonce with each ciphertext it decrypts. To enable this, the nonce is often sent in the clear alongside the ciphertext. But doing this can forfeit anonymity and degrade usability. Anonymity can also be lost by transmitting associated data (AD) or a session-ID (used to identify the operative key). To address these issues, we introduce anonymous AE, wherein ciphertexts must conceal their origin even when they are understood to encompass everything needed to decrypt (apart from the receiver’s secret state). We formalize a type of anonymous AE we call anAE, anonymous nonce-based AE, which generalizes and strengthens conventional nonce-based AE, nAE. We provide an efficient construction for anAE, NonceWrap, from an nAE scheme and a blockcipher. We prove NonceWrap secure. While anAE does not address privacy loss through traffic-flow analysis, it does ensure that ciphertexts, now more expansively construed, do not by themselves compromise privacy.
2018
JOFC
2018
CRYPTO
Often the simplest way of specifying game-based cryptographic definitions is apparently barred because the adversary would have some trivial win. Disallowing or invalidating these wins can lead to complex or unconvincing definitions. We suggest a generic way around this difficulty. We call it indistinguishability up to correctness, or IND$\vert$C. Given games $\text{G}$ and $\text{H}$ and a correctness condition $\text{C}$ we define an advantage measure $\mathbf{Adv}_{\text{G},\text{H},\text{C}}^{\text{indc}}$ wherein $\text{G}$/$\text{H}$ distinguishing attacks are effaced to the extent that they are inevitable due to $\text{C}$. We formalize this in the language of oracle silencing, an alternative to exclusion-style and penalty-style definitions. We apply our ideas to a domain where game-based definitions have been cumbersome: stateful authenticated-encryption (sAE). We rework existing sAE notions and encompass new ones, like replay-free AE permitting a specified degree of out-of-order message delivery.
2016
CRYPTO
2015
EUROCRYPT
2015
CRYPTO
2015
ASIACRYPT
2014
CRYPTO
2014
EUROCRYPT
2014
EUROCRYPT
2012
CRYPTO
2012
ASIACRYPT
2012
FSE
2011
FSE
2011
CRYPTO
2010
JOFC
2010
CRYPTO
2009
CRYPTO
2009
EUROCRYPT
2008
EUROCRYPT
2008
CRYPTO
2007
FSE
2007
JOFC
2006
EUROCRYPT
2006
EUROCRYPT
2005
CRYPTO
2005
JOFC
2004
ASIACRYPT
2004
FSE
2004
FSE
2004
FSE
2003
CRYPTO
2002
CRYPTO
2002
EUROCRYPT
2002
JOFC
2001
JOFC
2000
ASIACRYPT
2000
CRYPTO
2000
EUROCRYPT
1999
CRYPTO
1999
FSE
1999
JOFC
1998
CRYPTO
1998
EUROCRYPT
1998
JOFC
1997
CRYPTO
1997
JOFC
1996
CRYPTO
1996
EUROCRYPT
1995
CRYPTO
1995
CRYPTO
1994
CRYPTO
1994
EUROCRYPT
1993
CRYPTO
1993
FSE
1991
CRYPTO
1990
CRYPTO
1988
CRYPTO

#### Program Committees

TCC 2015
Eurocrypt 2013
Crypto 2011 (Program chair)
Eurocrypt 2010
Asiacrypt 2009
Asiacrypt 2008
Asiacrypt 2006
FSE 2006
Eurocrypt 2004
PKC 2002
Asiacrypt 2000
Crypto 2000
Crypto 1999
Crypto 1998