The Indistinguishability of the XOR of k permutations

Size: px
Start display at page:

Download "The Indistinguishability of the XOR of k permutations"

Transcription

1 The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,..., f k over {0, 1} n, it is natural to define a pseudorandom function by XORing the permutations: f 1... f k. In [9] Stefan Lucks studied the security of this PRF. In this paper we improve the security bounds of [9] by using different proof techniques. Keywords: Pseudorandom functions, pseudorandom permutations, security beyond the birthday bound, Luby-Rackoff backwards. 1 Introduction Much research dealt with constructing cryptographic operations from other ones: Levin [6] got pseudorandom bit generators from one-way functions, then Goldreich, Goldwasser and Micali [4] constructed pseudorandom functions PRFs) from pseudorandom bit generators. In [1], Aiello and Venkatesan studied how to construct PRFs from smaller PRFs. Luby and Rackoff [7] dealt with the problem of getting pseudorandom permutations PRPs) from PRFs; further work about their construction can be found in [8, 11]. Our article focuses on the reverse problem of converting PRPs into PRFs named Luby-Rackoff backwards which was first considered in [3]. This problem is obvious if we are interested in an asymptotical polynomial versus non polynomial security model since a PRP is then a PRF), but not if we are interested in achieving more optimal and concrete security bounds. More precisely, the loss of security when regarding a PRP as a PRF comes from the birthday attack which can distinguish a random permutation from a random function of n bits to n bits in n operations and n queries. Therefore different ways to build PRF from PRP with a security above n and by performing very few computations have been suggested see [, 3, 5, 9]). One of the simplest way is to XOR k independent pseudorandom permutations with k. In [9] Theorem p.474) Stefan Lucks proved, with a simple proof, that the XOR of k independant PRPs gives a PRF with security at least in O k k+1 n ). In [] and [1] difficult analyses of k = are given, with proofs that the security is good when the number of queries is lower than O ) n n or O n ). For k 3 there is a significant gap between the /3 proven security of [9] and the best attacks of [13]. In this paper we reduce this gap by improving the proven security for the XOR of k permutations, k 3. Constructions with k 3 instead of k =

2 are interesting for various reasons. First, our proofs are much simpler than the proofs of [] and [1]. Second, in many cryptographic applications the size n of the blocks cannot be chosen by the designer of the algorithm since it is imposed by the application. Then it is interesting to have another parameter to decrease the proven advantage of any adversary to a value as small as wanted with a simple construction. Our proof technique is based on the coefficient H technique of Patarin cf [14]). However we only use the first steps and not all the refinements) in order to keep very simple proofs with still better security results than previously known; we could achieve tighter bounds by using the full technique, but it would require more computations such as [15]). Related problems. In [10] the security of the XOR of two public permutations are studied i.e. indifferentiability instead of indistinguishability). Organisation of the paper. Section presents the notations and basic definitions that are used in this paper. In section 3 and 4, two security bounds are shown with different techniques respectively the H σ coefficient technique and the H coefficient technique). Then both these results are compared to the one from [9] in the last section. Preliminaries We denote I n the set of n bits strings and Jn q the subset of In q of values x i ) 1 i q satisfying x i x j, i j. We denote F n the set of functions from I n to I n and B n the set of permutations of I n. The notation x R E stands for x is chosen randomly with a uniform distribution in E. An adversary A trying to distinguish between f 1... f k, where f i R B n for each i {1,..., k}, from a random function F R F n is considered to have access to an oracle Q. This oracle either simulates F or f 1... f k. A chooses inputs x {0, 1} n ; then Q responds Qx) {0, 1} n. After at most q queries, A outputs AQ) {0, 1}. AQ) is then seen as a random variable over {0, 1}. This is an adaptative chosen plaintext attack cpa). To measure the pseudorandomness of the XOR of k permutations one must evaluate the advantage A, of an adversary A which is defined as A, = P r[af 1... f k ) = 1] P r[af ) = 1]. We write for the maximal advantage any adversary can get when trying to distinguish the XOR of k random permutations from a random function. 3 Security Bound from the H σ technique 3.1 Linking the advantage to a combinatorial problem Let k. We use theorem 3 from [14] :

3 Theorem 1. Let α, β R + and q N \ {0}. Let E be a subset of I q n such that E 1 β) nq. Suppose that, for each sequence a i ) 1 i q, b i ) 1 i q J q n, with b i ) 1 i q E: Ha, b) 1 α) B n k nq, with Ha, b) the number of f 1,..., f k ) B k n such that : i, 1 i q, f 1... f k )a i ) = b i. Then: α + β. For every b J q n, let h q b) be the number of sequences x 1, x,..., x k 1 J q n such that x 1... x k 1 b J q n then Lemma 1 For all a, b J q n: B n k Ha, b) = h q b) n n q + 1) ) k. Proof. The number Ha, b) can be seen as the sum, over the sequences x 1, x,..., x k 1 Jn q such that x 1... x k 1 b Jn, q of the number of f 1,..., f k B n satisfying the equations f j a i ) = x j i for all j k 1, i q and f ka i ) = x 1 i... x k 1 i b i, i q. Then, for each choices of x 1,..., x k 1, each f j is a uniformly B random permutation fixed on q points so Ha, b) = h q b) n which also shows that Ha, b) does not depend of a. n n q+1)) k, We now see h q as a random variable over b R I q n. The security of the XOR of k permutations is closely related to the variance and the expectancy of this random variable: Lemma The advantage satisfies: ) 1/3 V [h q ] E [h q ]. 1) Proof. For all a, we define Ha) the random variable over b equal to Ha, b). The Bienayme-Chebyshev s inequality yields: Taking ɛ = αe [Ha)]: ɛ > 0, Pr [ Ha) E [Ha)] ɛ] 1 V [Ha)] ɛ. α > 0, Pr [ Ha) E [Ha)] αe [Ha)]] 1 3 V [Ha)] α E [Ha)].

4 Then α > 0, Pr [Ha) 1 α)e [Ha)]] 1 V [Ha)] α E [Ha)]. Thus, defining E = {b i ) 1 i q Ha, b) 1 α)e [Ha)]}, theorem 1 yields : Then, with α = α > 0, α + V [Ha)] α E [Ha)]. V[Ha)] E[Ha)] ) 1/3: V [Ha)] E [Ha)] ) 1/3 = ) 1/3 V [h q ] E [h q ]. Lemma 3 The mean of h q satisfies: E [h q ] = [ n n 1)... n q + 1) ] k nq. Proof. This result generalizes a theorem found in [1]. We define δ x, with x = x 1,..., x k 1 ) Jn) q k 1, a random variable over b such that δ x = 1 if x 1,..., x k 1, b x 1 x k 1 Jn q and δ x = 0 otherwise. It s clear that h q = δ x, then x Jn) q k 1 E [h q ] = E [δ x ] x Jn) q k 1 = [ the bi x 1 i... x k 1 i are pairwise distinct ] x J q n) k 1 Pr = n n 1)... n q + 1) nq x Jn) q k 1 = Jn q k 1 n n 1)... n q + 1) [ nq n n 1)... n q + 1) ] k = nq. We now focus on the variance of h q. 3. Study of V [h q ] We denote λ q the number of sequences g 1,..., g k J q n such that g 1 g k = 0. These conditions will be referred to as the λ q conditions. This is k sequences 4

5 of q pairwise distinct elements and q equations so, we could expect λ q to be close to U q := n n 1) n q + 1)) k nq. We see in the next lemma that the problem of knowing how close λ q is from U q is at the core of the computation of the advantage. Lemma 4 The advantage satisfies: ) 1/3 λq 1. U q Proof. We know that h q = x δ x with the sum being over x J q n) k 1, so the linearity of the expected value operator yields: ) V [h q ] = E δ x E [h q ] x ) ) = E δ x δ x E [h q ] + E [h q ] x x [ ) )] [ ] = E δ x δ x E δ x E [h q ] + E [h q ] x x = E δ x δ x E [h q ], x,x x the sum being over x, x J q n) k 1. Then: E δ x δ x = 1 nq δ x b)δ x b). x,x b,x,x We know that δ x b)δ x b), with x, x J q n) k 1, equals 1 if and only if b x 1 x k 1 J q n and b x 1 x k 1 J q n. If we change variables like this: g i := x i and g i+k 1 := x i for all 1 i k 1 and g k 1 := b x 1 x k 1, g k := b x 1 x k 1, we see that b,x,x δ xb)δ x b) is equal to λ q. Then: V [h q ] = λ q nq E [h q] = λ q U q nq since E [h q ] = U q nq. 5

6 Moreover, using lemma : V [h q ] E [h q ] λq U q U q ) 1/3 ) 1/3 ) 1/3 λq 1. U q The strategy we follow is to evaluate recursively, more and more accurately, the coefficients λ α for 1 α q. 3.3 First evaluation of λ α By definition, λ α+1 is the number of tuples g 1,..., g k J α+1 n such that : 1. the λ α conditions hold,. for all 1 j k, g j α+1 {gj i, 1 i α}, 3. g 1 α+1 g k α+1 = 0. E α+1 ) Hence there are kα equations that should not be verified. For 1 i kα, we denote β i the i-th such equation. Let B i be the set of tuples g 1,..., g k ) which satisfy the λ α conditions, the equation E α+1 ) and the equation β i, for 1 i kα. Then: kα λ α+1 = k 1)n λ α B i. Using the inclusion-exclusion principle: kα λ α+1 = k 1)n λ α + 1) l l=1 i=1 i 1<...<i l B i1... B il. When more than k + 1 equations β i are considered, at least two of them use the same variable, for example g 1 α+1 = g 1 1 and g 1 α+1 = g 1, which is impossible according to the λ α conditions. Thus: λ α+1 = k 1)n λ α + k l=1 1) l Now, we study every kind of intersection. 1 equation : i 1<...<i l B i1... B il. ) 6

7 The β i equation fixes the value of one new variable, whereas the others are free, so: B i = k )n λ α and there exists kα such sets. l equations l k 1) : Such an intersection is non-empty if every equation β i uses a different new variable. In this case, l new variables are fixed and the others remain free. Thus, B i1... B il = k 1 l)n λ α ) k and there are α l k such non-empty intersections. k equations : Like before, such a set is non-empty if every equation β i uses a different new variable. In this case, the set B i1... B ik is composed of tuples such that gα+1 1 = gi 1 1,..., gα+1 k = gi k k and the equation E α+1 ) implies that: g 1 i 1 g k i k = 0. We denote X this equation and λ αx) the size of B i1... B ik. There are 3 possible cases: If the k indexes in X are equal then X is always true. There are α possibilities and λ αx) = λ α. If k 1 indexes are equal and the last is different, then λ αx) = 0 since X is in contradiction with λ α. There are kαα 1) possibilities. We denote S the set of equations X that are not of the previous types. We denote λ α = max S λ αx). Hence, thanks to ), one has: λ α+1 = k 1)n λ α kαλ α + = kn kα n + k 1 l= k 1 l= k l k l ) 1) l α l k 1 l)n λ α + X ) 1) l α l k l)n ) n α) k α k + n α ) λ α n + α k α kαα 1) ) λ α We denote ɛ α = n λ α λ α n λ α+1 λ α 1, so: λ αx) λ α n + αλ α + λ αx) X S n α) k α k + n α + n λ α λ α α k α kαα 1)) n α) k + n α α kαα 1) + ɛ α α k α kαα 1)) n α) k kα + α n + k 1) + ɛ α α k kα + αk 1)) 7

8 3.4 Relation between the advantage and ɛ α Lemma 5 For every m 1, the advantage satisfies: m 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) 1/3 + αk 1)) n α) k 1). Proof. We know that n U α+1 = n α) k, U α and the result of the previous section yields: λ α+1 U α+1 λ α U α λ α U α n α) k kα + α n + k 1) + ɛ α α k kα ) + αk 1)) n α) k 1 + kα + α n + k 1) + ɛ α α k kα + αk 1)) n α) k Since U 1 = λ 1 = k 1)n : λ m U m m 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) + αk 1)) n α) k And Lemma 4 ends the proof. ) 3.5 First approximation of ɛ α Before evaluating ɛ α, we need a technical lemma: Lemma 6 For every α {,..., m}, one has: 1 kα n λ α k 1)n λ α ) Proof. We consider g 1,..., g k Jn α satisfying the conditions λ α 1. To satisfy the conditions λ α, there are n α 1)) possibilities for each gα, 1..., gα k and there are α 1) non-equalities left: gα k 1 g k 1 i and gα k gi k for all i α 1. Since g k α equations on g k 1 α choices for g k 1 α = gα 1 gα k 1, one sees these α 1) non-equalities as. So, there are between n α 1) and n α 1) possible and 1 choice for gα k. Then: λ α 1 n α 1)) k n α 1)) λ α λ α 1 n α 1)) k 1 which is equivalent to: 1 α 1 n ) k 1 ) α 1) n λ α 1 α 1 ) k 1 k 1)n λ α 1 n. Since the left term is bigger than 1 kα and the right term is inferior to 1, it n ends the proof. 8

9 Lemma 7 Every value λ αx) with X S satisfies : n λ αx) kα 1 + ) λ α 1 kα. n n Proof. We now express λ α in terms of λ α 1. Without loss of generality, we suppose that X involves gα, 1 otherwise we can just reorder the variables. Let i be any index such that gα i is not involved in X this is possible since X S). Let g 1,..., g k Jn α such that the λ α 1 conditions are satisfied. We now count λ αx). There are at most n α 1) possible choices for each gα, j j 1, i. After we made these choices, there are two variables left: gα 1 and gα. i Since gα i is not involved in X, there is only, at most, one possible choice for gα 1 and there is, at most, one possible choice for gα i using the equation gα 1 gα k = 0. Then: λ αx) n α 1)) k λ α 1. Applying lemma 6, one finds that: ) λ αx) n α 1)) k 1 λ α 1 kα k 1)n n Since n α 1 n 1 kα and = 1 +, this ends the proof. 1 kα n 1 kα n )n Remark: These two technical lemmas formalize the intuition that, when one equation is added to the system, one degree of freedom is lost and this divides the number of possible solutions by around n. Finally kα ɛ α ) 1 kα. n n First notice that if q n k, kα + α n ) 0. Then, from lemma 5, q 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) 1/3 + αk 1)) n α) k 1). If q n k, all the terms of the product are greater than 1 and q 1 α=1 q 1 α=1 ) 1 + kα + α n + k 1) n α) k + kα αk kα + αk 1)) ) 1 1 kα n n n α) k ) ) 1/3 α n 1 + n α) k + kα ) k kα n n n α) k q 1 n + n q) k + kq k+1 1 kq n n q) k Thus we have proven that : n ) q 1 1/3. ) 1/3 9

10 Theorem Upper bound of the advantage using H σ ). The maximal advantage an adversary can get using q queries, with q n k verifies: Notice that q 1 n + n q) k + kq k+1 1 kq n n q) k n ) q 1 ) 1/3 q kqk+ k 1)n 1 q + ) k k+1)n 1 6kq. n ) n Since k 3 and q n, the first term is negligible in front of 1. Moreover, when q k+ k+1)n, 1. Hence we have proven that the XOR of k permutations is safe as long as q k+1 k+ n with this first technique. 1/3. 4 Security bound from the standard H technique We now use the standard H technique, i.e. proofs from the general result the corollary 8) below. In this section, E[h q ] is noted h q to lighten the notations. Corollary 8 Let α > 0. If, for every sequence b = b i ) 1 i q I q n h q b) 1 α) h q, then α. Proof. This result comes immediately from theorem 1 with β = 0 and lemmas 1 and First approximation Let us study hα h α. One has: h α+1 = h α n α) k n. We now evaluate h α+1 from h α. From the definition of h α see section 3.1), we see that h α+1 is the number of sequence P j i ) 1 i m,1 j k such that: the h α conditions hold ; P 1 α+1... P k α+1 = b α+1, this equation will be called X ; P j α+1 P j i for every 1 i α, 1 j k. 10

11 Let β i, 1 kα be the kα ) equations which should be false. Let, for 1 i kα, B i be the set of the P j i for which the h α conditions and the 1 i α+1,1 j k equation β i hold. From the inclusion-exclusion principle, we get: h α+1 = k 1)n h α kα i=1 B i = k 1)n h α + 1) l 1 l kα i 1<...<i l B i1... B il. When k + 1 sets are intersected, at least two equations will use the same P j α+1 variable, which is in contradiction with h α. Thus, h α+1 = k 1)n h α + 1) l B i1... B il. 4) i 1<...<i l 1 l k We study the number of possible messages in function of the number of sets in the intersection. l equations, 1 l k 1: If we want B i1... B il 0, every new β i equation should bring a new variable P j α+1. In this case, X and β i fix l + 1 variables, the remaining ones are free, so B i1... B il = k l 1)n h α and ) k B i1... B il = α l k l 1)n h l α i 1<...<i l k equations: As well as above, in order to have B i1... B ik 0, there must be an equation in every new variable: P j α+1 = P j i j, 1 j k. So the condition P 1 α+1... P k α+1 = b α+1 becomes: P 1 i 1... P k i k = b α+1. Let h αb 1,..., b α+1 )i 1,..., i k ) or h αi 1,..., i k ) the number of P j i ) 1 i α,1 j k such that: I kα n the conditions h α hold, P 1 i 1... P k i k = b α+1. Let Y i 1,..., i k ) be this equality. Thus i 1<...<i k B i1... B ik = From 4), we have: 1 i 1,...,i k α h α+1 = n α) k 1) k α k n h α + 1) k h αi 1,..., i k ). 1 i 1,...,i k α h αi 1,..., i k ). 5) 11

12 Remark: if k is even, one has: n α) k α k ) h α+1 h α n. So h α+1 h α α k ) 1 h α+1 h α n α) k. As h 1 = h 1 = k 1)n, q k ) q h q h q 1 n q) k ) h q 1 qk+1 n q) k Then, using corollary 8, qk+1 n q) k. The upper bound we get in this case is in the same order of magnitude as the one from [9]. If we study more closely h α, we will get a better inequality. 4. Second approximation In this section, we suppose that k 3. Let M = {i, 1 i α, b i = b α+1 }. If i M, we have h αi,..., i) = h α and if i M, h αi,..., i) = 0. Furthermore, in order to be compatible with h α, if i M, for each 1 j α, i j, h αj, i,..., i) = h αi, j,..., i) =... = h αi,..., i, j) = 0. Let I be the set of the tuples that do not satisfy these requirements. Then I = α k α k M α 1). By applying 5), one gets: h α+1 = n α) k 1) k α k + 1) k n M n h α + 1) k We now need a technical lemma: Lemma 9 If i = i 1,..., i k ) I, 1 i 1,...,i k ) I 3α n α)1 α ) n h αi 1,..., i k ) 1 h n α 1 3α. n h αi 1,..., i k ). Proof. Without loss of generality, we can suppose that i 1 = α and i = α 1 because we can reorder the queries). Let us evaluate h α and h α from h α. To get h α from h α, we have k new variables P j α 1 and P j α, 1 j k, such that: 6) 1

13 P 1 α... P k α = b α, P 1 α 1... P k α 1 = b α 1, j, 1 j k, i, 1 i α, P j α 1 P j i, j, 1 j k, i, 1 i α 1, P j α P j i. We decide that the first equation will fix P 1 α 1 and the next one P 1 α. For j 3, we have respectively n α ) and n α 1) possibilities for P j α 1 and P j α. When these messages have been chosen, only P α 1 and P α remain, and they must satisfy: P α 1 P i, 1 i α, P α 1 P 1 i b α 1 P 3 α 1... P k α 1, 1 i α, P α P i, 1 i α 1, P α P 1 i b α P 3 α... P k α, 1 i α 1. There are for P α 1 between n α ) and n α ) choices and for P α 1 between n α 1) and n α 1). Thus n α )) k n α 1)) k n α )) n α 1)) hα h α,7) h α h α n α )) k 1 n α 1)) k 1. 8) In order to go from h α to h α, we also have k new variables P j α 1 and P j α, 1 j k, such that: P 1 α 1... P k α 1 = b α 1, P 1 α = b α+1 P α 1 P 3 i 3... P k i k, P 1 α... P k α = b α, j, 1 j k, i, 1 i α, P j α 1 P j i, j, 1 j k, i, 1 i α 1, P j α P j i. We have, for j 4, respectively n α ) and n α 1) possibilities for P j α 1 and P j α. From these 3 equalities, we can fix the following variables: 1. P 1 α 1 = b α 1 P α 1... P k α 1,. P 1 α = b α+1 P α 1 P 3 i 3... P k i k, 3. P α = b α+1 b α ) P α 1 P 3 i 3 P 3 α)... P k i k P k α). Then the condition i, 1 i α, P 1 α 1 P 1 i becomes: i, 1 i α, P α 1 P 1 i b α 1 P 3 α 1... P k α 1, i, 1 i α 1, P 1 α P 1 i becomes: i, 1 i α 1, P α 1 b α+1 P 1 i P 3 i 3... P k i k, i, 1 i α, P α P 1 i becomes: 13

14 i, 1 i α, P α 1 b α+1 b α ) P i P 3 i 3 P 3 α)... P k i k P k α) For P α P α 1, there are two cases. If i 3 =... = i k = α, since i 1,..., i k ) I, we have b α+1 b α and this non-equality is automatically verified. Else, this means that there is an index 3 j k such that i j α, e.g. j = 3. Then P α P α 1 becomes : P 3 α b α+1 b α ) P 3 i 3... P k i k P k α). Thus, after the other messages have been chosen, there are between n α and n α 1) possibilities for P 3 α, n α ) possibilities for P 3 α 1 and finally between n 4α 7) and n α ) possibilities for P α 1. Then n α )) k n α 1)) k 3 n α) n 4α 7)) h α h α 9) n α )) k 1 n α 1)) k h α h α. 10) From 7,9 we can deduce the following inequalities that allow us to get the result we want: n h α h α n n 4α+7) n α) n α )) n α 1)), n h α h α n n α ) n α )) n α 1)). Remark: if we suppose α < n 1, we get One has: h α+1 h α+1 = h α h α 0 < 1 1α n n h αi 1,..., i k ) h α 1 + 3α n 3α. 11) 1 + 1)k+1 α k n α) k + 1)k n M n h α h α n α) k + 1)k n α) k 1) = h α h α 1 A α ) 13) where A α := 1)k α k n α) k n M 1)k n α) k 1)k n h α h α n α) k. Lemma 10 If q < n 1, A α k.n α n α) k + 1 α k+1 n 3α) n α) k. 14

15 Proof. We have to study A α according to the parity of k. k even: A α α k n α) k n M n α) k αk α k M α 1))1 1α n α) k n ) n 1α M α + k M α 1))1 ) α k+1 n + n α) k n α) k + 1 n n α) k k.α n α) k + 1 α k+1 n n α) k k odd: α k A α n α) k + n M n α) k + αk α k M α 1))1 + 3α n α) k So, in both cases, n 3α M α + k M α 1))1 + n α) k n α n α) k + 3α k+1 n α) k n 3α) A α n 3α ) n α) k + n 3α ) 3α k+1 n α) k n 3α) k.n α n α) k + 1 α k+1 n 3α) n α) k, From this lemma and 1, Since h 1 = h 1, we get: h α+1 h α 1 k.n α h α+1 h α n α) k 1 α k+1 ) n 3α) n α) k. h q 1 kn q h q n q) k 1 q k+1 ) q n 3q) n q) k 1 kq. n n q) k 1 q k+ n 3q) n q) k. 15

16 Thus, with corollary 8, we have proven that, when q < n 1 : kq. n n q) k + 1 q k+ n 3q) n q) k 14) Hence we get the following result: kq qk+ k 1)n 1 k q + 1 ) k+1)n 1 k + 3) q n ). 15) n Theorem 3 upper bound for the advantage with the standard H technique). Let k 3 and q < n 1. The advantage to distinguish, with q queries, the XOR of k bijections from a fonction f R F n satisfies: kq qk+ k 1)n 1 k q + 1 ) k+1)n 1 k + 3) q n ). n Since k 3, the first term is negligible when q n. This theorem shows that the XOR of k bijections is indistinguishable when q k+1 k+ n. This upper bound on q is worse than the previous one, but if q k+ k+4 n i.e. for small values of q) this new upper bound on the advantage is actually better. 5 Conclusion This table regroups our results and the previous one from S. Lucks in [9], with order of magnitudes for these bounds beyond the birthday bound : technique upper bound for f 1... f k S. Lucks kn 1) i k H H σ kq k 1)n 1 k q q k 1)n 1 q 0 i<q + 1 k+ q n ) k+1)n 1 k+3) q n ) + k+ kq n ) k k+1)n 1 6kq n ) order of magnitude ) q O k+1 kn 1) ) q O k+ ) k+1)n 1/3 ) ) 1/3 O k qk+ k+1)n Table 1. Comparison of the bounds on the advantage from 3 techniques The upper bound we got with the coefficients H technique is smaller than the one from [9] by a factor q. The one we proved with the coefficients H n σ technique allows us to have 1 when q k+1 k+ n instead of q k k+1 n for [9]. For example with k = 3 we have proven that 1 when q 7 8 n instead of q 3 4 n. However, when q is fixed and k increases, the upper bound from the H technique becomes better than the one from H σ. This graph shows the evolution of the order of magnitude of 16

17 these three upper bounds in function of the logarithm of q, with k = 5 and n = 40: Table. Upper bound plotted versus the logarithm of q Here is a more accurate view of the region where the curves from H and H σ intersect: Table 3. Upper bound plotted versus the logarithm of q : comparison between H and H σ This illustrates that, depending on the value of q, our best bound can be the one from section 3 or the one from section 4. Moreover, the curve from [9] does not appear in this second graph because its values were much higher than ours around whereas the bounds from this article are around in 17

18 this graph). This shows why the two techniques studied in this paper are both useful. References [1] W. Aiello and R. Venkatesan. Foiling Birthday Attacks in Length Doubling Transformations. In Advances in cryptology - EUROCRYPT 96, pages Springer-Verlag, [] M. Bellare and R. Impagliazzo. A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, with Applications to PRP to PRF Conversion. eprint Archive 1999/04: Listing for 1999, [3] M. Bellare, T. Krovetz, and P. Rogaway. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible. In K. Nyberg, editor, Advances in cryptology - EUROCRYPT 1998, pages Springer-Verlag, [4] O. Goldreich, S. Goldwasser, and S. Micali. How to Construct Random Functions. Journal of the ACM, 334):79 807, [5] C. Hall, D. Wagner, J. Kelsey, and B. Schneier. Building PRFs from PRPs. In H. Krawcyk, editor, Advances in cryptology - CRYPTO 1998, pages Springer-Verlag, [6] L. Levin. One Way Functions and Pseudorandom Generators. Combinatorica, 74): , [7] M. Luby and C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput., 17): , [8] S. Lucks. Faster Luby-Rackoff Ciphers. In Fast Software Encryption 1996, pages Springer-Verlag, [9] S. Lucks. The Sum of PRPs Is a Secure PRF. In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 000, pages Springer-Verlag, 000. [10] A. Mandal, V. Nachef, and J. Patarin. Indifferentiability beyond the Birthday Bound for the Xor of Two Public Random Permutations. In Progress in Cryptology - INDOCRYPT 010, pages 69 81, 010. [11] M. Naor and O. Reingold. On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited. Journal of Cryptology, 11):9 66, [1] J. Patarin. A Proof of Security in O n ) for the Xor of Two Random Permutation. In R. Safavi-Naini, editor, ICITS 008, pages Springer-Verlag, 008. [13] J. Patarin. Generic Attacks for the Xor of k Random Permutations. Available on eprint, 008. [14] J. Patarin. The "coefficients H" Technique. In Selected Areas in Cryptography 008, pages Springer-Verlag, 008. [15] J. Patarin. Security in O n ) for the Xor of Two Random Permutations - Proof with the standard H technique -. Available on eprint,

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

The Sum of PRPs is a Secure PRF

The Sum of PRPs is a Secure PRF The Sum of PRPs is a Secure PRF Stefan Lucks Theoretische Informatik, Universität Mannheim 68131 Mannheim, Germany lucks@th.informatik.uni-mannheim.de Abstract. Given d independent pseudorandom permutations

More information

Chapter 2 Balanced Feistel Ciphers, First Properties

Chapter 2 Balanced Feistel Ciphers, First Properties Chapter 2 Balanced Feistel Ciphers, First Properties Abstract Feistel ciphers are named after Horst Feistel who studied these schemes in the 1960s. In this chapter, we will only present classical Feistel

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

The Pseudorandomness of Elastic Block Ciphers

The Pseudorandomness of Elastic Block Ciphers The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005

More information

A Domain Extender for the Ideal Cipher

A Domain Extender for the Ideal Cipher A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange

More information

From Non-Adaptive to Adaptive Pseudorandom Functions

From Non-Adaptive to Adaptive Pseudorandom Functions From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to

More information

On the Round Security of Symmetric-Key Cryptographic Primitives

On the Round Security of Symmetric-Key Cryptographic Primitives On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,

More information

Distinguishing a truncated random permutation from a random function

Distinguishing a truncated random permutation from a random function Distinguishing a truncated random permutation from a random function Shoni Gilboa Shay Gueron July 9 05 Abstract An oracle chooses a function f from the set of n bits strings to itself which is either

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes

More information

The Relation Between CENC and NEMO

The Relation Between CENC and NEMO The Relation Between CNC and NMO Bart Mennink Digital Security Group, Radboud University, Nijmegen, The Netherlands b.mennink@cs.ru.nl Abstract. Counter mode encryption uses a blockcipher to generate a

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

A Generic Method to Design Modes of Operation Beyond the Birthday Bound

A Generic Method to Design Modes of Operation Beyond the Birthday Bound A Generic Method to Design Modes of Operation Beyond the Birthday Bound David Lefranc 1, Philippe Painchault 1,Valérie Rouat 2, and Emmanuel Mayer 2 1 Cryptology Laboratory Thales 160 Boulevard de Valmy

More information

The Random Oracle Model and the Ideal Cipher Model are Equivalent

The Random Oracle Model and the Ideal Cipher Model are Equivalent The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN

More information

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random

More information

arxiv: v1 [cs.cr] 16 Dec 2014

arxiv: v1 [cs.cr] 16 Dec 2014 How many ueries are needed to distinguish a truncated random permutation from a random function? Shoni Gilboa 1, Shay Gueron,3 and Ben Morris 4 arxiv:141.504v1 [cs.cr] 16 Dec 014 1 The Open University

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

The Random Oracle Model and the Ideal Cipher Model are Equivalent

The Random Oracle Model and the Ideal Cipher Model are Equivalent The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

Security Analysis of Key-Alternating Feistel Ciphers

Security Analysis of Key-Alternating Feistel Ciphers Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin Abstract. We study the security of key-alternating Feistel ciphers, a class of key-alternating ciphers with a Feistel

More information

Provable Security in Symmetric Key Cryptography

Provable Security in Symmetric Key Cryptography Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X

More information

A Note on Quantum-Secure PRPs

A Note on Quantum-Secure PRPs A Note on Quantum-Secure PRPs Mark Zhandry Princeton University mzhandry@princeton.edu Abstract We show how to construct pseudorandom permutations (PRPs) that remain secure even if the adversary can query

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Cascade Encryption Revisited

Cascade Encryption Revisited Cascade Encryption Revisited Peter Gaži 1,2 and Ueli Maurer 1 1 ETH Zürich, Switzerland Department of Computer Science {gazipete,maurer}@inf.ethz.ch 2 Comenius University, Bratislava, Slovakia Department

More information

EME : extending EME to handle arbitrary-length messages with associated data

EME : extending EME to handle arbitrary-length messages with associated data EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher

More information

Block Ciphers/Pseudorandom Permutations

Block Ciphers/Pseudorandom Permutations Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable

More information

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version. From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between

More information

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

The Random Oracle Model and the Ideal Cipher Model Are Equivalent The Random Oracle Model and the Ideal Cipher Model Are Equivalent Jean-Sébastien Coron 1,JacquesPatarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.

More information

Black-Box Composition Does Not Imply Adaptive Security

Black-Box Composition Does Not Imply Adaptive Security Black-Box Composition Does Not Imply Adaptive Security Steven Myers Department of Computer Science University of Toronto Canada Abstract. In trying to provide formal evidence that composition has security

More information

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Foundation of Cryptography, Lecture 4 Pseudorandom Functions Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,

More information

Improved security analysis of OMAC

Improved security analysis of OMAC Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Eliminating Random Permutation Oracles in the Even-Mansour Cipher

Eliminating Random Permutation Oracles in the Even-Mansour Cipher Eliminating Random Permutation Oracles in the Even-Mansour Cipher Craig Gentry and Zulfikar Ramzan DoCoMo Communications Laboratories USA, Inc. {cgentry, ramzan}@docomolabs-usa.com Abstract. Even and Mansour

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Characterization of EME with Linear Mixing

Characterization of EME with Linear Mixing Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi

More information

Short Exponent Diffie-Hellman Problems

Short Exponent Diffie-Hellman Problems Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and

More information

Computer Science Dept.

Computer Science Dept. A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1 Oded Goldreich Computer Science Dept. Technion, Haifa, Israel ABSTRACT We show that following two conditions are equivalent: 1) The existence of pseudorandom

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

Semantic Security of RSA. Semantic Security

Semantic Security of RSA. Semantic Security Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against

More information

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Extended Abstract Moni Naor and Omer Reingold Dept. of Applied Mathematics and Computer Science

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Building PRFs from PRPs

Building PRFs from PRPs Building PRFs from PRPs Chris Hall 1, David Wagner 2, John Kelsey 1, and Bruce Schneier 1 1 Counterpane Systems {hall,kelsey,schneier}@counterpane.com 2 U.C. Berkeley daw@cs.berkeley.edu Abstract. We evaluate

More information

Efficient Amplification of the Security of Weak Pseudo-Random Function Generators

Efficient Amplification of the Security of Weak Pseudo-Random Function Generators J. Cryptology (2002) OF1 OF24 DOI: 10.1007/s00145-002-0007-1 2002 International Association for Cryptologic Research Efficient Amplification of the Security of Weak Pseudo-Random Function Generators Steven

More information

III. Pseudorandom functions & encryption

III. Pseudorandom functions & encryption III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Black-Box Composition Does Not Imply Adaptive Security

Black-Box Composition Does Not Imply Adaptive Security Black-Box Composition Does Not Imply Adaptive Security Steven Myers Department of Computer Science University of Toronto Canada Abstract In trying to provide formal evidence that composition has security

More information

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia

More information

How many rounds can Random Selection handle?

How many rounds can Random Selection handle? How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.

More information

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions Scott Ames 1, Rosario Gennaro 2, and Muthuramakrishnan Venkitasubramaniam

More information

State Recovery Attacks on Pseudorandom Generators

State Recovery Attacks on Pseudorandom Generators Appears in WEWoRC 2005 - Western European Workshop on Research in Cryptology, Lecture Notes in Informatics (LNI) P-74 (2005) 53-63. Gesellschaft für Informatik. State Recovery Attacks on Pseudorandom Generators

More information

Revisiting Variable Output Length XOR Pseudorandom Function

Revisiting Variable Output Length XOR Pseudorandom Function Revisiting Variable Output Length XOR Pseudorandom Function Srimanta Bhattacharya, Mridul andi Indian Statistical Institute, Kolkata, India. Abstract. Let σ be some positive integer and C {i, j : 1 i

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

KFC - The Krazy Feistel Cipher

KFC - The Krazy Feistel Cipher KFC - The Krazy Feistel Cipher Thomas Baignères and Matthieu Finiasz EPFL CH-1015 Lausanne Switzerland http://lasecwww.epfl.ch Abstract. We introduce KFC, a block cipher based on a three round Feistel

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from

More information

A Note on Negligible Functions

A Note on Negligible Functions Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March

More information

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer

More information

On Generalized Feistel Networks

On Generalized Feistel Networks On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known

More information

On Pseudo Randomness from Block Ciphers

On Pseudo Randomness from Block Ciphers SCIS96 The 1996 Symposium on Cryptography and Information Security Komuro, Japan, January 29-31, 1996 The Institute of Electronics, Information and Communication Engineers SCIS96-11C On Pseudo Randomness

More information

Pseudorandom Generators

Pseudorandom Generators 8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 andomness is one of the fundamental computational resources and appears everywhere. In computer science,

More information

A New Paradigm of Hybrid Encryption Scheme

A New Paradigm of Hybrid Encryption Scheme A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida

More information

Domain Extension of Public Random Functions: Beyond the Birthday Barrier

Domain Extension of Public Random Functions: Beyond the Birthday Barrier Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract

More information

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Cryptanalysis of Tweaked Versions of SMASH and Reparation Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr

More information

COS598D Lecture 3 Pseudorandom generators from one-way functions

COS598D Lecture 3 Pseudorandom generators from one-way functions COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway

More information

Building Secure Block Ciphers on Generic Attacks Assumptions

Building Secure Block Ciphers on Generic Attacks Assumptions Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin 1 and Yannick Seurin 1,2 1 University of Versailles, France 2 Orange Labs, Issy-les-Moulineaux, France jacques.patarin@prism.uvsq.fr,

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Secret-key Cryptography from Ideal Primitives: A Systematic Overview

Secret-key Cryptography from Ideal Primitives: A Systematic Overview Secret-key Cryptography from Ideal Primitives: A Systematic Overview Peter Gaži Institute of Science and Technology, Austria petergazi@istacat Stefano Tessaro University of California, Santa Barbara tessaro@csucsbedu

More information

Indistinguishability and Pseudo-Randomness

Indistinguishability and Pseudo-Randomness Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be

More information

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an CBC MAC for Real-Time Data Sources Erez Petrank Charles Racko y Abstract The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice.

More information

Building Secure Block Ciphers on Generic Attacks Assumptions

Building Secure Block Ciphers on Generic Attacks Assumptions Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives

More information

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 3: Interactive Proofs and Zero-Knowledge CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic

More information

Symmetric Encryption

Symmetric Encryption 1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently

More information

On Pseudorandomness w.r.t Deterministic Observers

On Pseudorandomness w.r.t Deterministic Observers On Pseudorandomness w.r.t Deterministic Observers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Avi Wigderson The Hebrew University,

More information

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,

More information

On Generalized Feistel Networks

On Generalized Feistel Networks On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known

More information

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography 1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to

More information

Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading

Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading Peter Gaži 1,2 and Stefano Tessaro 3,4 1 Department of Computer Science, Comenius University, Bratislava,

More information

Security of Permutation-based Compression Function lp231

Security of Permutation-based Compression Function lp231 Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications

More information

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs Mridul Nandi National Institute of Standards and Technology mridulnandi@gmailcom Abstract This paper provides a unified framework

More information

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Yodai Watanabe 1, Junji Shikata 2, and Hideki Imai 3 1 RIKEN Brain Science Institute 2-1 Hirosawa, Wako-shi,

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

Pseudorandom functions and permutations

Pseudorandom functions and permutations Introduction Pseudorandom functions and permutations 15-859I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Yale University Department of Computer Science

Yale University Department of Computer Science Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR-1466 October 24, 2012

More information

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information

More information

Reset Indifferentiability and its Consequences

Reset Indifferentiability and its Consequences Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and

More information

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Bootstrapping Obfuscators via Fast Pseudorandom Functions Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator

More information

Feistel Networks made Public, and Applications

Feistel Networks made Public, and Applications Feistel Networks made Public, and Applications Yevgeniy Dodis Prashant Puniya February 11, 2007 Abstract Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient

More information

A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications

A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 03, Lecture Notes in Computer Science Vol.??, E. Biham ed., Springer-Verlag, 2003. This is the full version. A Theoretical

More information

On the Relation Between the Ideal Cipher and the Random Oracle Models

On the Relation Between the Ideal Cipher and the Random Oracle Models On the Relation Between the Ideal Cipher and the Random Oracle Models Yevgeniy Dodis and Prashant Puniya Courant Institute of Mathematical Sciences, New York University {dodis, puniya}@cs.nyu.edu Abstract.

More information

Adaptive Security of Compositions

Adaptive Security of Compositions emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper

More information

Online Ciphers and the Hash-CBC Construction

Online Ciphers and the Hash-CBC Construction Online Ciphers and the Hash-CBC Construction Mihir Bellare 1, Alexandra Boldyreva 1, Lars Knudsen 2, and Chanathip Namprempre 1 1 Department of Computer Science & Engineering University of California,

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

A short proof of the unpredictability of cipher block chaining

A short proof of the unpredictability of cipher block chaining A short proof of the unpredictability of cipher block chaining Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago Chicago, IL

More information

Improving Upon the TET Mode of Operation

Improving Upon the TET Mode of Operation Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold

More information