The Indistinguishability of the XOR of k permutations
|
|
- Magnus Manning
- 5 years ago
- Views:
Transcription
1 The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,..., f k over {0, 1} n, it is natural to define a pseudorandom function by XORing the permutations: f 1... f k. In [9] Stefan Lucks studied the security of this PRF. In this paper we improve the security bounds of [9] by using different proof techniques. Keywords: Pseudorandom functions, pseudorandom permutations, security beyond the birthday bound, Luby-Rackoff backwards. 1 Introduction Much research dealt with constructing cryptographic operations from other ones: Levin [6] got pseudorandom bit generators from one-way functions, then Goldreich, Goldwasser and Micali [4] constructed pseudorandom functions PRFs) from pseudorandom bit generators. In [1], Aiello and Venkatesan studied how to construct PRFs from smaller PRFs. Luby and Rackoff [7] dealt with the problem of getting pseudorandom permutations PRPs) from PRFs; further work about their construction can be found in [8, 11]. Our article focuses on the reverse problem of converting PRPs into PRFs named Luby-Rackoff backwards which was first considered in [3]. This problem is obvious if we are interested in an asymptotical polynomial versus non polynomial security model since a PRP is then a PRF), but not if we are interested in achieving more optimal and concrete security bounds. More precisely, the loss of security when regarding a PRP as a PRF comes from the birthday attack which can distinguish a random permutation from a random function of n bits to n bits in n operations and n queries. Therefore different ways to build PRF from PRP with a security above n and by performing very few computations have been suggested see [, 3, 5, 9]). One of the simplest way is to XOR k independent pseudorandom permutations with k. In [9] Theorem p.474) Stefan Lucks proved, with a simple proof, that the XOR of k independant PRPs gives a PRF with security at least in O k k+1 n ). In [] and [1] difficult analyses of k = are given, with proofs that the security is good when the number of queries is lower than O ) n n or O n ). For k 3 there is a significant gap between the /3 proven security of [9] and the best attacks of [13]. In this paper we reduce this gap by improving the proven security for the XOR of k permutations, k 3. Constructions with k 3 instead of k =
2 are interesting for various reasons. First, our proofs are much simpler than the proofs of [] and [1]. Second, in many cryptographic applications the size n of the blocks cannot be chosen by the designer of the algorithm since it is imposed by the application. Then it is interesting to have another parameter to decrease the proven advantage of any adversary to a value as small as wanted with a simple construction. Our proof technique is based on the coefficient H technique of Patarin cf [14]). However we only use the first steps and not all the refinements) in order to keep very simple proofs with still better security results than previously known; we could achieve tighter bounds by using the full technique, but it would require more computations such as [15]). Related problems. In [10] the security of the XOR of two public permutations are studied i.e. indifferentiability instead of indistinguishability). Organisation of the paper. Section presents the notations and basic definitions that are used in this paper. In section 3 and 4, two security bounds are shown with different techniques respectively the H σ coefficient technique and the H coefficient technique). Then both these results are compared to the one from [9] in the last section. Preliminaries We denote I n the set of n bits strings and Jn q the subset of In q of values x i ) 1 i q satisfying x i x j, i j. We denote F n the set of functions from I n to I n and B n the set of permutations of I n. The notation x R E stands for x is chosen randomly with a uniform distribution in E. An adversary A trying to distinguish between f 1... f k, where f i R B n for each i {1,..., k}, from a random function F R F n is considered to have access to an oracle Q. This oracle either simulates F or f 1... f k. A chooses inputs x {0, 1} n ; then Q responds Qx) {0, 1} n. After at most q queries, A outputs AQ) {0, 1}. AQ) is then seen as a random variable over {0, 1}. This is an adaptative chosen plaintext attack cpa). To measure the pseudorandomness of the XOR of k permutations one must evaluate the advantage A, of an adversary A which is defined as A, = P r[af 1... f k ) = 1] P r[af ) = 1]. We write for the maximal advantage any adversary can get when trying to distinguish the XOR of k random permutations from a random function. 3 Security Bound from the H σ technique 3.1 Linking the advantage to a combinatorial problem Let k. We use theorem 3 from [14] :
3 Theorem 1. Let α, β R + and q N \ {0}. Let E be a subset of I q n such that E 1 β) nq. Suppose that, for each sequence a i ) 1 i q, b i ) 1 i q J q n, with b i ) 1 i q E: Ha, b) 1 α) B n k nq, with Ha, b) the number of f 1,..., f k ) B k n such that : i, 1 i q, f 1... f k )a i ) = b i. Then: α + β. For every b J q n, let h q b) be the number of sequences x 1, x,..., x k 1 J q n such that x 1... x k 1 b J q n then Lemma 1 For all a, b J q n: B n k Ha, b) = h q b) n n q + 1) ) k. Proof. The number Ha, b) can be seen as the sum, over the sequences x 1, x,..., x k 1 Jn q such that x 1... x k 1 b Jn, q of the number of f 1,..., f k B n satisfying the equations f j a i ) = x j i for all j k 1, i q and f ka i ) = x 1 i... x k 1 i b i, i q. Then, for each choices of x 1,..., x k 1, each f j is a uniformly B random permutation fixed on q points so Ha, b) = h q b) n which also shows that Ha, b) does not depend of a. n n q+1)) k, We now see h q as a random variable over b R I q n. The security of the XOR of k permutations is closely related to the variance and the expectancy of this random variable: Lemma The advantage satisfies: ) 1/3 V [h q ] E [h q ]. 1) Proof. For all a, we define Ha) the random variable over b equal to Ha, b). The Bienayme-Chebyshev s inequality yields: Taking ɛ = αe [Ha)]: ɛ > 0, Pr [ Ha) E [Ha)] ɛ] 1 V [Ha)] ɛ. α > 0, Pr [ Ha) E [Ha)] αe [Ha)]] 1 3 V [Ha)] α E [Ha)].
4 Then α > 0, Pr [Ha) 1 α)e [Ha)]] 1 V [Ha)] α E [Ha)]. Thus, defining E = {b i ) 1 i q Ha, b) 1 α)e [Ha)]}, theorem 1 yields : Then, with α = α > 0, α + V [Ha)] α E [Ha)]. V[Ha)] E[Ha)] ) 1/3: V [Ha)] E [Ha)] ) 1/3 = ) 1/3 V [h q ] E [h q ]. Lemma 3 The mean of h q satisfies: E [h q ] = [ n n 1)... n q + 1) ] k nq. Proof. This result generalizes a theorem found in [1]. We define δ x, with x = x 1,..., x k 1 ) Jn) q k 1, a random variable over b such that δ x = 1 if x 1,..., x k 1, b x 1 x k 1 Jn q and δ x = 0 otherwise. It s clear that h q = δ x, then x Jn) q k 1 E [h q ] = E [δ x ] x Jn) q k 1 = [ the bi x 1 i... x k 1 i are pairwise distinct ] x J q n) k 1 Pr = n n 1)... n q + 1) nq x Jn) q k 1 = Jn q k 1 n n 1)... n q + 1) [ nq n n 1)... n q + 1) ] k = nq. We now focus on the variance of h q. 3. Study of V [h q ] We denote λ q the number of sequences g 1,..., g k J q n such that g 1 g k = 0. These conditions will be referred to as the λ q conditions. This is k sequences 4
5 of q pairwise distinct elements and q equations so, we could expect λ q to be close to U q := n n 1) n q + 1)) k nq. We see in the next lemma that the problem of knowing how close λ q is from U q is at the core of the computation of the advantage. Lemma 4 The advantage satisfies: ) 1/3 λq 1. U q Proof. We know that h q = x δ x with the sum being over x J q n) k 1, so the linearity of the expected value operator yields: ) V [h q ] = E δ x E [h q ] x ) ) = E δ x δ x E [h q ] + E [h q ] x x [ ) )] [ ] = E δ x δ x E δ x E [h q ] + E [h q ] x x = E δ x δ x E [h q ], x,x x the sum being over x, x J q n) k 1. Then: E δ x δ x = 1 nq δ x b)δ x b). x,x b,x,x We know that δ x b)δ x b), with x, x J q n) k 1, equals 1 if and only if b x 1 x k 1 J q n and b x 1 x k 1 J q n. If we change variables like this: g i := x i and g i+k 1 := x i for all 1 i k 1 and g k 1 := b x 1 x k 1, g k := b x 1 x k 1, we see that b,x,x δ xb)δ x b) is equal to λ q. Then: V [h q ] = λ q nq E [h q] = λ q U q nq since E [h q ] = U q nq. 5
6 Moreover, using lemma : V [h q ] E [h q ] λq U q U q ) 1/3 ) 1/3 ) 1/3 λq 1. U q The strategy we follow is to evaluate recursively, more and more accurately, the coefficients λ α for 1 α q. 3.3 First evaluation of λ α By definition, λ α+1 is the number of tuples g 1,..., g k J α+1 n such that : 1. the λ α conditions hold,. for all 1 j k, g j α+1 {gj i, 1 i α}, 3. g 1 α+1 g k α+1 = 0. E α+1 ) Hence there are kα equations that should not be verified. For 1 i kα, we denote β i the i-th such equation. Let B i be the set of tuples g 1,..., g k ) which satisfy the λ α conditions, the equation E α+1 ) and the equation β i, for 1 i kα. Then: kα λ α+1 = k 1)n λ α B i. Using the inclusion-exclusion principle: kα λ α+1 = k 1)n λ α + 1) l l=1 i=1 i 1<...<i l B i1... B il. When more than k + 1 equations β i are considered, at least two of them use the same variable, for example g 1 α+1 = g 1 1 and g 1 α+1 = g 1, which is impossible according to the λ α conditions. Thus: λ α+1 = k 1)n λ α + k l=1 1) l Now, we study every kind of intersection. 1 equation : i 1<...<i l B i1... B il. ) 6
7 The β i equation fixes the value of one new variable, whereas the others are free, so: B i = k )n λ α and there exists kα such sets. l equations l k 1) : Such an intersection is non-empty if every equation β i uses a different new variable. In this case, l new variables are fixed and the others remain free. Thus, B i1... B il = k 1 l)n λ α ) k and there are α l k such non-empty intersections. k equations : Like before, such a set is non-empty if every equation β i uses a different new variable. In this case, the set B i1... B ik is composed of tuples such that gα+1 1 = gi 1 1,..., gα+1 k = gi k k and the equation E α+1 ) implies that: g 1 i 1 g k i k = 0. We denote X this equation and λ αx) the size of B i1... B ik. There are 3 possible cases: If the k indexes in X are equal then X is always true. There are α possibilities and λ αx) = λ α. If k 1 indexes are equal and the last is different, then λ αx) = 0 since X is in contradiction with λ α. There are kαα 1) possibilities. We denote S the set of equations X that are not of the previous types. We denote λ α = max S λ αx). Hence, thanks to ), one has: λ α+1 = k 1)n λ α kαλ α + = kn kα n + k 1 l= k 1 l= k l k l ) 1) l α l k 1 l)n λ α + X ) 1) l α l k l)n ) n α) k α k + n α ) λ α n + α k α kαα 1) ) λ α We denote ɛ α = n λ α λ α n λ α+1 λ α 1, so: λ αx) λ α n + αλ α + λ αx) X S n α) k α k + n α + n λ α λ α α k α kαα 1)) n α) k + n α α kαα 1) + ɛ α α k α kαα 1)) n α) k kα + α n + k 1) + ɛ α α k kα + αk 1)) 7
8 3.4 Relation between the advantage and ɛ α Lemma 5 For every m 1, the advantage satisfies: m 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) 1/3 + αk 1)) n α) k 1). Proof. We know that n U α+1 = n α) k, U α and the result of the previous section yields: λ α+1 U α+1 λ α U α λ α U α n α) k kα + α n + k 1) + ɛ α α k kα ) + αk 1)) n α) k 1 + kα + α n + k 1) + ɛ α α k kα + αk 1)) n α) k Since U 1 = λ 1 = k 1)n : λ m U m m 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) + αk 1)) n α) k And Lemma 4 ends the proof. ) 3.5 First approximation of ɛ α Before evaluating ɛ α, we need a technical lemma: Lemma 6 For every α {,..., m}, one has: 1 kα n λ α k 1)n λ α ) Proof. We consider g 1,..., g k Jn α satisfying the conditions λ α 1. To satisfy the conditions λ α, there are n α 1)) possibilities for each gα, 1..., gα k and there are α 1) non-equalities left: gα k 1 g k 1 i and gα k gi k for all i α 1. Since g k α equations on g k 1 α choices for g k 1 α = gα 1 gα k 1, one sees these α 1) non-equalities as. So, there are between n α 1) and n α 1) possible and 1 choice for gα k. Then: λ α 1 n α 1)) k n α 1)) λ α λ α 1 n α 1)) k 1 which is equivalent to: 1 α 1 n ) k 1 ) α 1) n λ α 1 α 1 ) k 1 k 1)n λ α 1 n. Since the left term is bigger than 1 kα and the right term is inferior to 1, it n ends the proof. 8
9 Lemma 7 Every value λ αx) with X S satisfies : n λ αx) kα 1 + ) λ α 1 kα. n n Proof. We now express λ α in terms of λ α 1. Without loss of generality, we suppose that X involves gα, 1 otherwise we can just reorder the variables. Let i be any index such that gα i is not involved in X this is possible since X S). Let g 1,..., g k Jn α such that the λ α 1 conditions are satisfied. We now count λ αx). There are at most n α 1) possible choices for each gα, j j 1, i. After we made these choices, there are two variables left: gα 1 and gα. i Since gα i is not involved in X, there is only, at most, one possible choice for gα 1 and there is, at most, one possible choice for gα i using the equation gα 1 gα k = 0. Then: λ αx) n α 1)) k λ α 1. Applying lemma 6, one finds that: ) λ αx) n α 1)) k 1 λ α 1 kα k 1)n n Since n α 1 n 1 kα and = 1 +, this ends the proof. 1 kα n 1 kα n )n Remark: These two technical lemmas formalize the intuition that, when one equation is added to the system, one degree of freedom is lost and this divides the number of possible solutions by around n. Finally kα ɛ α ) 1 kα. n n First notice that if q n k, kα + α n ) 0. Then, from lemma 5, q 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) 1/3 + αk 1)) n α) k 1). If q n k, all the terms of the product are greater than 1 and q 1 α=1 q 1 α=1 ) 1 + kα + α n + k 1) n α) k + kα αk kα + αk 1)) ) 1 1 kα n n n α) k ) ) 1/3 α n 1 + n α) k + kα ) k kα n n n α) k q 1 n + n q) k + kq k+1 1 kq n n q) k Thus we have proven that : n ) q 1 1/3. ) 1/3 9
10 Theorem Upper bound of the advantage using H σ ). The maximal advantage an adversary can get using q queries, with q n k verifies: Notice that q 1 n + n q) k + kq k+1 1 kq n n q) k n ) q 1 ) 1/3 q kqk+ k 1)n 1 q + ) k k+1)n 1 6kq. n ) n Since k 3 and q n, the first term is negligible in front of 1. Moreover, when q k+ k+1)n, 1. Hence we have proven that the XOR of k permutations is safe as long as q k+1 k+ n with this first technique. 1/3. 4 Security bound from the standard H technique We now use the standard H technique, i.e. proofs from the general result the corollary 8) below. In this section, E[h q ] is noted h q to lighten the notations. Corollary 8 Let α > 0. If, for every sequence b = b i ) 1 i q I q n h q b) 1 α) h q, then α. Proof. This result comes immediately from theorem 1 with β = 0 and lemmas 1 and First approximation Let us study hα h α. One has: h α+1 = h α n α) k n. We now evaluate h α+1 from h α. From the definition of h α see section 3.1), we see that h α+1 is the number of sequence P j i ) 1 i m,1 j k such that: the h α conditions hold ; P 1 α+1... P k α+1 = b α+1, this equation will be called X ; P j α+1 P j i for every 1 i α, 1 j k. 10
11 Let β i, 1 kα be the kα ) equations which should be false. Let, for 1 i kα, B i be the set of the P j i for which the h α conditions and the 1 i α+1,1 j k equation β i hold. From the inclusion-exclusion principle, we get: h α+1 = k 1)n h α kα i=1 B i = k 1)n h α + 1) l 1 l kα i 1<...<i l B i1... B il. When k + 1 sets are intersected, at least two equations will use the same P j α+1 variable, which is in contradiction with h α. Thus, h α+1 = k 1)n h α + 1) l B i1... B il. 4) i 1<...<i l 1 l k We study the number of possible messages in function of the number of sets in the intersection. l equations, 1 l k 1: If we want B i1... B il 0, every new β i equation should bring a new variable P j α+1. In this case, X and β i fix l + 1 variables, the remaining ones are free, so B i1... B il = k l 1)n h α and ) k B i1... B il = α l k l 1)n h l α i 1<...<i l k equations: As well as above, in order to have B i1... B ik 0, there must be an equation in every new variable: P j α+1 = P j i j, 1 j k. So the condition P 1 α+1... P k α+1 = b α+1 becomes: P 1 i 1... P k i k = b α+1. Let h αb 1,..., b α+1 )i 1,..., i k ) or h αi 1,..., i k ) the number of P j i ) 1 i α,1 j k such that: I kα n the conditions h α hold, P 1 i 1... P k i k = b α+1. Let Y i 1,..., i k ) be this equality. Thus i 1<...<i k B i1... B ik = From 4), we have: 1 i 1,...,i k α h α+1 = n α) k 1) k α k n h α + 1) k h αi 1,..., i k ). 1 i 1,...,i k α h αi 1,..., i k ). 5) 11
12 Remark: if k is even, one has: n α) k α k ) h α+1 h α n. So h α+1 h α α k ) 1 h α+1 h α n α) k. As h 1 = h 1 = k 1)n, q k ) q h q h q 1 n q) k ) h q 1 qk+1 n q) k Then, using corollary 8, qk+1 n q) k. The upper bound we get in this case is in the same order of magnitude as the one from [9]. If we study more closely h α, we will get a better inequality. 4. Second approximation In this section, we suppose that k 3. Let M = {i, 1 i α, b i = b α+1 }. If i M, we have h αi,..., i) = h α and if i M, h αi,..., i) = 0. Furthermore, in order to be compatible with h α, if i M, for each 1 j α, i j, h αj, i,..., i) = h αi, j,..., i) =... = h αi,..., i, j) = 0. Let I be the set of the tuples that do not satisfy these requirements. Then I = α k α k M α 1). By applying 5), one gets: h α+1 = n α) k 1) k α k + 1) k n M n h α + 1) k We now need a technical lemma: Lemma 9 If i = i 1,..., i k ) I, 1 i 1,...,i k ) I 3α n α)1 α ) n h αi 1,..., i k ) 1 h n α 1 3α. n h αi 1,..., i k ). Proof. Without loss of generality, we can suppose that i 1 = α and i = α 1 because we can reorder the queries). Let us evaluate h α and h α from h α. To get h α from h α, we have k new variables P j α 1 and P j α, 1 j k, such that: 6) 1
13 P 1 α... P k α = b α, P 1 α 1... P k α 1 = b α 1, j, 1 j k, i, 1 i α, P j α 1 P j i, j, 1 j k, i, 1 i α 1, P j α P j i. We decide that the first equation will fix P 1 α 1 and the next one P 1 α. For j 3, we have respectively n α ) and n α 1) possibilities for P j α 1 and P j α. When these messages have been chosen, only P α 1 and P α remain, and they must satisfy: P α 1 P i, 1 i α, P α 1 P 1 i b α 1 P 3 α 1... P k α 1, 1 i α, P α P i, 1 i α 1, P α P 1 i b α P 3 α... P k α, 1 i α 1. There are for P α 1 between n α ) and n α ) choices and for P α 1 between n α 1) and n α 1). Thus n α )) k n α 1)) k n α )) n α 1)) hα h α,7) h α h α n α )) k 1 n α 1)) k 1. 8) In order to go from h α to h α, we also have k new variables P j α 1 and P j α, 1 j k, such that: P 1 α 1... P k α 1 = b α 1, P 1 α = b α+1 P α 1 P 3 i 3... P k i k, P 1 α... P k α = b α, j, 1 j k, i, 1 i α, P j α 1 P j i, j, 1 j k, i, 1 i α 1, P j α P j i. We have, for j 4, respectively n α ) and n α 1) possibilities for P j α 1 and P j α. From these 3 equalities, we can fix the following variables: 1. P 1 α 1 = b α 1 P α 1... P k α 1,. P 1 α = b α+1 P α 1 P 3 i 3... P k i k, 3. P α = b α+1 b α ) P α 1 P 3 i 3 P 3 α)... P k i k P k α). Then the condition i, 1 i α, P 1 α 1 P 1 i becomes: i, 1 i α, P α 1 P 1 i b α 1 P 3 α 1... P k α 1, i, 1 i α 1, P 1 α P 1 i becomes: i, 1 i α 1, P α 1 b α+1 P 1 i P 3 i 3... P k i k, i, 1 i α, P α P 1 i becomes: 13
14 i, 1 i α, P α 1 b α+1 b α ) P i P 3 i 3 P 3 α)... P k i k P k α) For P α P α 1, there are two cases. If i 3 =... = i k = α, since i 1,..., i k ) I, we have b α+1 b α and this non-equality is automatically verified. Else, this means that there is an index 3 j k such that i j α, e.g. j = 3. Then P α P α 1 becomes : P 3 α b α+1 b α ) P 3 i 3... P k i k P k α). Thus, after the other messages have been chosen, there are between n α and n α 1) possibilities for P 3 α, n α ) possibilities for P 3 α 1 and finally between n 4α 7) and n α ) possibilities for P α 1. Then n α )) k n α 1)) k 3 n α) n 4α 7)) h α h α 9) n α )) k 1 n α 1)) k h α h α. 10) From 7,9 we can deduce the following inequalities that allow us to get the result we want: n h α h α n n 4α+7) n α) n α )) n α 1)), n h α h α n n α ) n α )) n α 1)). Remark: if we suppose α < n 1, we get One has: h α+1 h α+1 = h α h α 0 < 1 1α n n h αi 1,..., i k ) h α 1 + 3α n 3α. 11) 1 + 1)k+1 α k n α) k + 1)k n M n h α h α n α) k + 1)k n α) k 1) = h α h α 1 A α ) 13) where A α := 1)k α k n α) k n M 1)k n α) k 1)k n h α h α n α) k. Lemma 10 If q < n 1, A α k.n α n α) k + 1 α k+1 n 3α) n α) k. 14
15 Proof. We have to study A α according to the parity of k. k even: A α α k n α) k n M n α) k αk α k M α 1))1 1α n α) k n ) n 1α M α + k M α 1))1 ) α k+1 n + n α) k n α) k + 1 n n α) k k.α n α) k + 1 α k+1 n n α) k k odd: α k A α n α) k + n M n α) k + αk α k M α 1))1 + 3α n α) k So, in both cases, n 3α M α + k M α 1))1 + n α) k n α n α) k + 3α k+1 n α) k n 3α) A α n 3α ) n α) k + n 3α ) 3α k+1 n α) k n 3α) k.n α n α) k + 1 α k+1 n 3α) n α) k, From this lemma and 1, Since h 1 = h 1, we get: h α+1 h α 1 k.n α h α+1 h α n α) k 1 α k+1 ) n 3α) n α) k. h q 1 kn q h q n q) k 1 q k+1 ) q n 3q) n q) k 1 kq. n n q) k 1 q k+ n 3q) n q) k. 15
16 Thus, with corollary 8, we have proven that, when q < n 1 : kq. n n q) k + 1 q k+ n 3q) n q) k 14) Hence we get the following result: kq qk+ k 1)n 1 k q + 1 ) k+1)n 1 k + 3) q n ). 15) n Theorem 3 upper bound for the advantage with the standard H technique). Let k 3 and q < n 1. The advantage to distinguish, with q queries, the XOR of k bijections from a fonction f R F n satisfies: kq qk+ k 1)n 1 k q + 1 ) k+1)n 1 k + 3) q n ). n Since k 3, the first term is negligible when q n. This theorem shows that the XOR of k bijections is indistinguishable when q k+1 k+ n. This upper bound on q is worse than the previous one, but if q k+ k+4 n i.e. for small values of q) this new upper bound on the advantage is actually better. 5 Conclusion This table regroups our results and the previous one from S. Lucks in [9], with order of magnitudes for these bounds beyond the birthday bound : technique upper bound for f 1... f k S. Lucks kn 1) i k H H σ kq k 1)n 1 k q q k 1)n 1 q 0 i<q + 1 k+ q n ) k+1)n 1 k+3) q n ) + k+ kq n ) k k+1)n 1 6kq n ) order of magnitude ) q O k+1 kn 1) ) q O k+ ) k+1)n 1/3 ) ) 1/3 O k qk+ k+1)n Table 1. Comparison of the bounds on the advantage from 3 techniques The upper bound we got with the coefficients H technique is smaller than the one from [9] by a factor q. The one we proved with the coefficients H n σ technique allows us to have 1 when q k+1 k+ n instead of q k k+1 n for [9]. For example with k = 3 we have proven that 1 when q 7 8 n instead of q 3 4 n. However, when q is fixed and k increases, the upper bound from the H technique becomes better than the one from H σ. This graph shows the evolution of the order of magnitude of 16
17 these three upper bounds in function of the logarithm of q, with k = 5 and n = 40: Table. Upper bound plotted versus the logarithm of q Here is a more accurate view of the region where the curves from H and H σ intersect: Table 3. Upper bound plotted versus the logarithm of q : comparison between H and H σ This illustrates that, depending on the value of q, our best bound can be the one from section 3 or the one from section 4. Moreover, the curve from [9] does not appear in this second graph because its values were much higher than ours around whereas the bounds from this article are around in 17
18 this graph). This shows why the two techniques studied in this paper are both useful. References [1] W. Aiello and R. Venkatesan. Foiling Birthday Attacks in Length Doubling Transformations. In Advances in cryptology - EUROCRYPT 96, pages Springer-Verlag, [] M. Bellare and R. Impagliazzo. A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, with Applications to PRP to PRF Conversion. eprint Archive 1999/04: Listing for 1999, [3] M. Bellare, T. Krovetz, and P. Rogaway. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible. In K. Nyberg, editor, Advances in cryptology - EUROCRYPT 1998, pages Springer-Verlag, [4] O. Goldreich, S. Goldwasser, and S. Micali. How to Construct Random Functions. Journal of the ACM, 334):79 807, [5] C. Hall, D. Wagner, J. Kelsey, and B. Schneier. Building PRFs from PRPs. In H. Krawcyk, editor, Advances in cryptology - CRYPTO 1998, pages Springer-Verlag, [6] L. Levin. One Way Functions and Pseudorandom Generators. Combinatorica, 74): , [7] M. Luby and C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput., 17): , [8] S. Lucks. Faster Luby-Rackoff Ciphers. In Fast Software Encryption 1996, pages Springer-Verlag, [9] S. Lucks. The Sum of PRPs Is a Secure PRF. In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 000, pages Springer-Verlag, 000. [10] A. Mandal, V. Nachef, and J. Patarin. Indifferentiability beyond the Birthday Bound for the Xor of Two Public Random Permutations. In Progress in Cryptology - INDOCRYPT 010, pages 69 81, 010. [11] M. Naor and O. Reingold. On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited. Journal of Cryptology, 11):9 66, [1] J. Patarin. A Proof of Security in O n ) for the Xor of Two Random Permutation. In R. Safavi-Naini, editor, ICITS 008, pages Springer-Verlag, 008. [13] J. Patarin. Generic Attacks for the Xor of k Random Permutations. Available on eprint, 008. [14] J. Patarin. The "coefficients H" Technique. In Selected Areas in Cryptography 008, pages Springer-Verlag, 008. [15] J. Patarin. Security in O n ) for the Xor of Two Random Permutations - Proof with the standard H technique -. Available on eprint,
Benes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationThe Sum of PRPs is a Secure PRF
The Sum of PRPs is a Secure PRF Stefan Lucks Theoretische Informatik, Universität Mannheim 68131 Mannheim, Germany lucks@th.informatik.uni-mannheim.de Abstract. Given d independent pseudorandom permutations
More informationChapter 2 Balanced Feistel Ciphers, First Properties
Chapter 2 Balanced Feistel Ciphers, First Properties Abstract Feistel ciphers are named after Horst Feistel who studied these schemes in the 1960s. In this chapter, we will only present classical Feistel
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationThe Pseudorandomness of Elastic Block Ciphers
The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationDistinguishing a truncated random permutation from a random function
Distinguishing a truncated random permutation from a random function Shoni Gilboa Shay Gueron July 9 05 Abstract An oracle chooses a function f from the set of n bits strings to itself which is either
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationThe Relation Between CENC and NEMO
The Relation Between CNC and NMO Bart Mennink Digital Security Group, Radboud University, Nijmegen, The Netherlands b.mennink@cs.ru.nl Abstract. Counter mode encryption uses a blockcipher to generate a
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationA Generic Method to Design Modes of Operation Beyond the Birthday Bound
A Generic Method to Design Modes of Operation Beyond the Birthday Bound David Lefranc 1, Philippe Painchault 1,Valérie Rouat 2, and Emmanuel Mayer 2 1 Cryptology Laboratory Thales 160 Boulevard de Valmy
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More informationarxiv: v1 [cs.cr] 16 Dec 2014
How many ueries are needed to distinguish a truncated random permutation from a random function? Shoni Gilboa 1, Shay Gueron,3 and Ben Morris 4 arxiv:141.504v1 [cs.cr] 16 Dec 014 1 The Open University
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationSecurity Analysis of Key-Alternating Feistel Ciphers
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin Abstract. We study the security of key-alternating Feistel ciphers, a class of key-alternating ciphers with a Feistel
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationA Note on Quantum-Secure PRPs
A Note on Quantum-Secure PRPs Mark Zhandry Princeton University mzhandry@princeton.edu Abstract We show how to construct pseudorandom permutations (PRPs) that remain secure even if the adversary can query
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationCascade Encryption Revisited
Cascade Encryption Revisited Peter Gaži 1,2 and Ueli Maurer 1 1 ETH Zürich, Switzerland Department of Computer Science {gazipete,maurer}@inf.ethz.ch 2 Comenius University, Bratislava, Slovakia Department
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationThe Random Oracle Model and the Ideal Cipher Model Are Equivalent
The Random Oracle Model and the Ideal Cipher Model Are Equivalent Jean-Sébastien Coron 1,JacquesPatarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationBlack-Box Composition Does Not Imply Adaptive Security
Black-Box Composition Does Not Imply Adaptive Security Steven Myers Department of Computer Science University of Toronto Canada Abstract. In trying to provide formal evidence that composition has security
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationImproved security analysis of OMAC
Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationEliminating Random Permutation Oracles in the Even-Mansour Cipher
Eliminating Random Permutation Oracles in the Even-Mansour Cipher Craig Gentry and Zulfikar Ramzan DoCoMo Communications Laboratories USA, Inc. {cgentry, ramzan}@docomolabs-usa.com Abstract. Even and Mansour
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationComputer Science Dept.
A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1 Oded Goldreich Computer Science Dept. Technion, Haifa, Israel ABSTRACT We show that following two conditions are equivalent: 1) The existence of pseudorandom
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationFrom Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Extended Abstract Moni Naor and Omer Reingold Dept. of Applied Mathematics and Computer Science
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationBuilding PRFs from PRPs
Building PRFs from PRPs Chris Hall 1, David Wagner 2, John Kelsey 1, and Bruce Schneier 1 1 Counterpane Systems {hall,kelsey,schneier}@counterpane.com 2 U.C. Berkeley daw@cs.berkeley.edu Abstract. We evaluate
More informationEfficient Amplification of the Security of Weak Pseudo-Random Function Generators
J. Cryptology (2002) OF1 OF24 DOI: 10.1007/s00145-002-0007-1 2002 International Association for Cryptologic Research Efficient Amplification of the Security of Weak Pseudo-Random Function Generators Steven
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationBlack-Box Composition Does Not Imply Adaptive Security
Black-Box Composition Does Not Imply Adaptive Security Steven Myers Department of Computer Science University of Toronto Canada Abstract In trying to provide formal evidence that composition has security
More informationConstructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs
Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationThe Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions
The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions Scott Ames 1, Rosario Gennaro 2, and Muthuramakrishnan Venkitasubramaniam
More informationState Recovery Attacks on Pseudorandom Generators
Appears in WEWoRC 2005 - Western European Workshop on Research in Cryptology, Lecture Notes in Informatics (LNI) P-74 (2005) 53-63. Gesellschaft für Informatik. State Recovery Attacks on Pseudorandom Generators
More informationRevisiting Variable Output Length XOR Pseudorandom Function
Revisiting Variable Output Length XOR Pseudorandom Function Srimanta Bhattacharya, Mridul andi Indian Statistical Institute, Kolkata, India. Abstract. Let σ be some positive integer and C {i, j : 1 i
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationKFC - The Krazy Feistel Cipher
KFC - The Krazy Feistel Cipher Thomas Baignères and Matthieu Finiasz EPFL CH-1015 Lausanne Switzerland http://lasecwww.epfl.ch Abstract. We introduce KFC, a block cipher based on a three round Feistel
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationOn Generalized Feistel Networks
On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known
More informationOn Pseudo Randomness from Block Ciphers
SCIS96 The 1996 Symposium on Cryptography and Information Security Komuro, Japan, January 29-31, 1996 The Institute of Electronics, Information and Communication Engineers SCIS96-11C On Pseudo Randomness
More informationPseudorandom Generators
8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 andomness is one of the fundamental computational resources and appears everywhere. In computer science,
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationDomain Extension of Public Random Functions: Beyond the Birthday Barrier
Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin 1 and Yannick Seurin 1,2 1 University of Versailles, France 2 Orange Labs, Issy-les-Moulineaux, France jacques.patarin@prism.uvsq.fr,
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationSecret-key Cryptography from Ideal Primitives: A Systematic Overview
Secret-key Cryptography from Ideal Primitives: A Systematic Overview Peter Gaži Institute of Science and Technology, Austria petergazi@istacat Stefano Tessaro University of California, Santa Barbara tessaro@csucsbedu
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationCBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an
CBC MAC for Real-Time Data Sources Erez Petrank Charles Racko y Abstract The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice.
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationOn Pseudorandomness w.r.t Deterministic Observers
On Pseudorandomness w.r.t Deterministic Observers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Avi Wigderson The Hebrew University,
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationOn Generalized Feistel Networks
On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationEfficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading
Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading Peter Gaži 1,2 and Stefano Tessaro 3,4 1 Department of Computer Science, Comenius University, Bratislava,
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationA Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs
A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs Mridul Nandi National Institute of Standards and Technology mridulnandi@gmailcom Abstract This paper provides a unified framework
More informationEquivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks
Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Yodai Watanabe 1, Junji Shikata 2, and Hideki Imai 3 1 RIKEN Brain Science Institute 2-1 Hirosawa, Wako-shi,
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationPseudorandom functions and permutations
Introduction Pseudorandom functions and permutations 15-859I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR-1466 October 24, 2012
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationReset Indifferentiability and its Consequences
Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationFeistel Networks made Public, and Applications
Feistel Networks made Public, and Applications Yevgeniy Dodis Prashant Puniya February 11, 2007 Abstract Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient
More informationA Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 03, Lecture Notes in Computer Science Vol.??, E. Biham ed., Springer-Verlag, 2003. This is the full version. A Theoretical
More informationOn the Relation Between the Ideal Cipher and the Random Oracle Models
On the Relation Between the Ideal Cipher and the Random Oracle Models Yevgeniy Dodis and Prashant Puniya Courant Institute of Mathematical Sciences, New York University {dodis, puniya}@cs.nyu.edu Abstract.
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationOnline Ciphers and the Hash-CBC Construction
Online Ciphers and the Hash-CBC Construction Mihir Bellare 1, Alexandra Boldyreva 1, Lars Knudsen 2, and Chanathip Namprempre 1 1 Department of Computer Science & Engineering University of California,
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationA short proof of the unpredictability of cipher block chaining
A short proof of the unpredictability of cipher block chaining Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago Chicago, IL
More informationImproving Upon the TET Mode of Operation
Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold
More information