### Citations

217 | Non-interactive verifiable computing: outsourcing computation to untrusted workers
- Gennaro, Gentry, et al.
- 2010
Citation Context ...ent instantiations of our primitive with good security bounds. Our proofs use the game-based approach, which is easy to verify. In [6] we show that the proofs of two well-known and influential papers [10, 11] are buggy, because the applications need stronger security guarantee than GCs routinely deliver. These bugs are critical and subtle, collapsing the whole proofs. They also affect several other papers...

109 | Improved garbled circuit: Free XOR gates and applications
- Kolesnikov, Schneider
Citation Context ...MPC, but there remained no definition of what GCs were supposed to deliver. Consequently, each time developers implemented an instantiation of GCs, they had to prove security for a particular setting [17, 19], and thus deprived other applications of faster GCs. Moreover, the security bounds were asymptotic, providing no guidance for choosing among practical protocols. On the other hand, since GCs are comp...

102 | Secure two-party computation is practical
- Pinkas, Schneider, et al.
Citation Context ...MPC, but there remained no definition of what GCs were supposed to deliver. Consequently, each time developers implemented an instantiation of GCs, they had to prove security for a particular setting [17, 19], and thus deprived other applications of faster GCs. Moreover, the security bounds were asymptotic, providing no guidance for choosing among practical protocols. On the other hand, since GCs are comp...

53 | One-time programs
- Goldwasser, Kalai, et al.
Citation Context ...ent instantiations of our primitive with good security bounds. Our proofs use the game-based approach, which is easy to verify. In [6] we show that the proofs of two well-known and influential papers [10, 11] are buggy, because the applications need stronger security guarantee than GCs routinely deliver. These bugs are critical and subtle, collapsing the whole proofs. They also affect several other papers...

50 | Foundations of garbled circuits
- Bellare, Hoang, et al.
- 2012
Citation Context ... one has to use it as a springboard to get new schemes, tighten security analyses, and rev up performance. But the springboard has to come first. Recognition. The material in my doctoral dissertation [5, 6, 7], in which I established a foundation for a 30-year-old central technique in secure distributed computing, has been used in cryptography classes at MIT, Stanford University, UC Berkeley, Aarhus Univer...

44 | From secrecy to soundness: Efficient verification via secure computation
- Applebaum, Ishai, et al.
- 2010
Citation Context ...are buggy, because the applications need stronger security guarantee than GCs routinely deliver. These bugs are critical and subtle, collapsing the whole proofs. They also affect several other papers [1, 16]. Having a clean abstraction of GCs is the cornerstone for realizing the bugs. We then identify the new security notions needed for GCs to handle the two applications above, and then give construction...

35 | Format-preserving encryption
- Bellare, Ristenpart
- 2009
Citation Context ...cilitate easy deployment in legacy applications. The need was realized and ad hoc solutions conceived as early as 1981, but it took 28 years for the problem to receive a proper definitional treatment [8]. Since then, the problem has received much attention from industry and standards organizations. One possible solution, suggested by [8], is to use generalized Feistel networks, but existing analyses ...

33 | Efficient garbling from a fixed-key blockcipher
- Bellare, Hoang, et al.
Citation Context ... one has to use it as a springboard to get new schemes, tighten security analyses, and rev up performance. But the springboard has to come first. Recognition. The material in my doctoral dissertation [5, 6, 7], in which I established a foundation for a 30-year-old central technique in secure distributed computing, has been used in cryptography classes at MIT, Stanford University, UC Berkeley, Aarhus Univer...

28 | Adaptively secure garbling with applications to one-time programs and secure outsourcing
- Bellare, Hoang, et al.
- 2012
Citation Context ... one has to use it as a springboard to get new schemes, tighten security analyses, and rev up performance. But the springboard has to come first. Recognition. The material in my doctoral dissertation [5, 6, 7], in which I established a foundation for a 30-year-old central technique in secure distributed computing, has been used in cryptography classes at MIT, Stanford University, UC Berkeley, Aarhus Univer...

26 | The ffx mode of operation for format-preserving encryption draft 1.1
- Bellare, Rogaway, et al.
- 2010
Citation Context ...Our work thus gives ways to find simple, fast, unpatented schemes. 2 3/5 security guarantees. The work provides theoretical support for many existing block-cipher designs. Bellare, Rogaway, and Spies [9] supported our analyses and proposed a standard for format-preserving encryption to NIST. This standard is in draft form within NIST and ANSI X9, and has an industrial implementation by Voltage Securi...

15 | Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs
- Järvinen, Kolesnikov, et al.
Citation Context ...are buggy, because the applications need stronger security guarantee than GCs routinely deliver. These bugs are critical and subtle, collapsing the whole proofs. They also affect several other papers [1, 16]. Having a clean abstraction of GCs is the cornerstone for realizing the bugs. We then identify the new security notions needed for GCs to handle the two applications above, and then give construction...

13 | Robust authenticated-encryption AEZ and the problem that it solves
- Hoang, Krovetz, et al.
- 2015
Citation Context ...d papers at CRYPTO, a tier-1 conference in my field. In 2015, I received the Best Paper Honorable Mention at EUROCRYPT, the other tier-1 cryptography venue, for my authenticated-encryption scheme AEZ [13], and the Best Student Paper Award at ACM CCS, a tier-1 security venue, for my work on computer-aided designs of authenticated-encryption schemes [12]. Research details. I have published 13 papers, 10 ...

13 | On generalized Feistel networks
- Hoang, Rogaway
- 2010
Citation Context ...SI X9, and has an industrial implementation by Voltage Security Inc. The solutions based on generalized Feistel networks give reasonably good security bounds, but there is no reason to stop there. In [14] we design a new solution, based on a card shuffling method that we call Swap-or-Not. This has about the same running time as the Thorp shuffling, but provides a much better bound. More importantly, S...

10 | An enciphering scheme based on a card shuffle
- Hoang, Morris, et al.
- 2012
Citation Context ...ific generalized Feistel network (known as Thorp shuffling), but their proof works for the binary domain only. The credit-card problem, however, demands a scheme that works for the decimal domain. In [15] we extend the coupling method in [18] to provide a unified framework to obtain strong security bounds for all generalized Feistel networks and arbitrary domains. This implies several alternative solu...

8 | Instantiating random oracles via UCEs
- Bellare, Hoang, et al.
- 2013
Citation Context ...sity, UC Berkeley, Aarhus University, University of Maryland College Park, Rutgers State University, and Oregon State University. In 2013, my work on security modeling of cryptographic hash functions [3] was invited to Journal of Cryptology as one of the top-ranked papers at CRYPTO, a tier-1 conference in my field. In 2015, I received the Best Paper Honorable Mention at EUROCRYPT, the other tier-1 cr...

8 | How to encipher messages on a small domain: deterministic encryption and the Thorp shuffle
- Morris, Rogaway, et al.
- 2009
Citation Context ...ds organizations. One possible solution, suggested by [8], is to use generalized Feistel networks, but existing analyses are weak, stopping at inadequate security bounds. Morris, Rogaway, and Stegers [18] use the coupling technique in Markov chain analysis to derive a good security bound for a specific generalized Feistel network (known as Thorp shuffling), but their proof works for the binary domain ...

4 | Resisting randomness subversion: Fast deterministic and hedged public-key encryption in the standard model
- Bellare, Hoang
- 2015
Citation Context ...oftware and standards, how to build software robust enough to give us meaningful security if a part of the system is compromised, as well as revising security of important software. Our first project [2] studies how to encrypt data properly in the presence of a bad randomness (e.g., if one uses the subverted standard Dual EC in NIST SP 800-90A, or if one happens to use Debian’s buggy random number ge...

2 | Cryptography from compression functions: The UCE bridge to the ROM
- Bellare, Hoang, et al.
- 2014
Citation Context ...) hash functions, offering provable security for a dozen practical ROM-based protocols, such as secure deduplication3, deterministic encryption4, or producing cryptographically strong randomness.5 In [4] we show how to build provable and practical UCE-secure hash. All current cryptographic hash designs are one-size-fits-all, aiming for a strong hash that is suitable for all applications. As a result,...

2 | Blindbox: Deep packet inspection over encrypted traffic. Cryptology ePrint Archive, Report 2015/264
- Sherry, Lan, et al.
- 2015

1 | Automated analysis and synthesis of authenticated encryption schemes
- Hoang, Malozemoff, et al.
Citation Context ... venue, for my authenticated-encryption scheme AEZ [13], and the Best Student Paper Award at ACM CCS, a tier-1 security venue, for my work on computer-aided designs of authenticated-encryption schemes [12]. Research details. I have published 13 papers, 10 of which are at top cryptography and security venues (EUROCRYPT, CRYPTO, ACM CCS, and IEEE Security & Privacy). Here I’ll describe some selected rese...