Analysis of property-preservation capabilities of the ROX and ESh hash domain extenders
Size: px
Start display at page:

Download "Analysis of property-preservation capabilities of the ROX and ESh hash domain extenders"

Transcription

1 University of Wollongong Researc Online Faculty of Informatics - Papers (Arcive) Faculty of Engineering and Information Sciences 2009 Analysis of property-preservation capabilities of te ROX and ES as domain extenders Reza Reyanitabar University of Wollongong, rezar@uow.edu.au Willy Susilo University of Wollongong, wsusilo@uow.edu.au Yi Mu University of Wollongong, ymu@uow.edu.au Publication Details Reyanitabar, M., Susilo, W. & Mu, Y. (2009). Analysis of property-preservation capabilities of te ROX and ES as domain extenders. C. Boyd & J. Gonzà lez Nieto In Information Security and Privacy, 14t Australasian Conference, ACISP 2009, July 2009, Brisbane, Australia. Lecture Notes in Computer Science, Researc Online is te open access institutional repository for te University of Wollongong. For furter information contact te UOW Library: researc-pubs@uow.edu.au

2 Analysis of property-preservation capabilities of te ROX and ES as domain extenders Abstract Two of te most recent and powerful multi-property preserving (MPP) as domain extension transforms are te Ramdom-Oracle-XOR (ROX) transform and te Enveloped Soup (ES) transform. Te former was proposed by Andreeva et al. at ASIACRYPT 2007 and te latter was proposed by Bellare and Ristenpart at ICALP In te existing literature, ten notions of security for as functions ave been considered in analysis of MPP capabilities of domain extension transforms, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. Andreeva et al. sowed tat ROX is able to preserve seven properties; namely collision resistance (CR), tree flavors of second preimage resistance (Sec, asec, esec) and tree variants of preimage resistance (Pre, apre, epre). Bellare and Ristenpart sowed tat ES is capable of preserving five important security notions; namely CR, message autentication code (MAC), pseudorandom function (PRF), pseudorandom oracle (PRO), and target collision resistance (TCR). Noneteless, tere is no furter study on tese two MPP as domain extension transforms wit regard to te oter properties. Te aim of tis paper is to fill tis gap. Firstly, we sow tat ROX does not preserve two oter widely-used and important security notions, namely MAC and PRO. We also sow a positive result about ROX, namely tat it also preserves PRF. Secondly, we sow tat ES does not preserve oter four properties, namely Sec, asec, Pre, and apre. On te positive side we sow tat ES can preserve epre property. Our results in tis paper provide a full picture of te MPP capabilities of bot ROX and ES transforms by completing te property-preservation analysis of tese transforms in regard to all ten security notions of interest, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. eywords era2015 Disciplines Pysical Sciences and Matematics Publication Details Reyanitabar, M., Susilo, W. & Mu, Y. (2009). Analysis of property-preservation capabilities of te ROX and ES as domain extenders. C. Boyd & J. Gonzà lez Nieto In Information Security and Privacy, 14t Australasian Conference, ACISP 2009, July 2009, Brisbane, Australia. Lecture Notes in Computer Science, Tis journal article is available at Researc Online: ttp://ro.uow.edu.au/infopapers/1836

3 Analysis of Property-Preservation Capabilities of te ROX and ES Has Domain Extenders Moammad Reza Reyanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Researc, Scool of Computer Science and Software Engineering University of Wollongong, Australia {mrr790, wsusilo, Abstract. Two of te most recent and powerful multi-property-preserving (MPP) as domain extension transforms are te Ramdom-Oracle-XOR (ROX) transform and te Enveloped Soup (ES) transform. Te former was proposed by Andreeva et al. at ASIACRYPT 2007 and te latter was proposed by Bellare and Ristenpart at ICALP In te existing literature, ten notions of security for as functions ave been considered in analysis of MPP capabilities of domain extension transforms, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. Andreeva et al. sowed tat ROX is able to preserve seven properties; namely collision resistance (CR), tree flavors of second preimage resistance (Sec, asec, esec) and tree variants of preimage resistance (Pre, apre, epre). Bellare and Ristenpart sowed tat ES is capable of preserving five important security notions; namely CR, message autentication code (MAC), pseudorandom function (PRF), pseudorandom oracle (PRO), and target collision resistance (TCR). Noneteless, tere is no furter study on tese two MPP as domain extension transforms wit regard to te oter properties. Te aim of tis paper is to fill tis gap. Firstly, we sow tat ROX does not preserve two oter widely-used and important security notions, namely MAC and PRO. We also sow a positive result about ROX, namely tat it also preserves PRF. Secondly, we sow tat ES does not preserve oter four properties, namely Sec, asec, Pre, and apre. On te positive side we sow tat ES can preserve epre property. Our results in tis paper provide a full picture of te MPP capabilities of bot ROX and ES transforms by completing te property-preservation analysis of tese transforms in regard to all ten security notions of interest, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. ey words: Has Functions, Domain Extension, MPP, ROX, ES 1 Introduction A cryptograpic as function is a function tat can map variable lengt strings to fixed lengt strings. Has functions ave been used in a vast variety of applications, e.g. digital signature, MAC, PRF, and must provide different security properties depending on te security requirements of te applications. Te most well-known property for a as function is collision resistance (CR). Neverteless, as functions are often asked to provide many oter security properties ranging from merely being a one-way function (i.e. preimage resistance property) to acting as a truly random function (i.e. a random oracle). In a formal study of cryptograpic as functions two different but related settings can be considered. Te first setting is te traditional unkeyed as function setting were a as function refers to a single function H : M {0, 1} n (e.g. SHA-1) tat maps variable lengt messages to a fixed lengt output as value. In te second setting, a as function is considered as a family of functions H : M {0, 1} n,also called a dedicated-key as function [3], indexed by a key space. Te exact role of te as function key is application-dependent; it can be a public parameter, e.g. wen te as function is used in a digital signature, or a secret key like in MAC and PRF applications. In tis paper, we consider as functions and teir security notions in te dedicated-key as function setting. Almost all cryptograpic as functions are designed based on te following two-step approac: first a compression function is designed wic is only capable of asing fixed-input-lengt (FIL) messages and ten a domain extension transform is applied to get a full-fledged as function wic can as variableinput-lengt (VIL) or arbitrary-input-lengt (AIL) messages, depending on te transform. Assume tat we

4 2 M. R. Reyanitabar, W. Susilo and Y. Mu ave a (dedicated-key) compression function : {0, 1} k {0, 1} n+b {0, 1} n tat can only as messages of fixed lengt (n+b) bits. A domain extension transform can use tis compression function (as a black-box) to construct a (dedicated-key) as function H : M {0, 1} n, were te message space M can be eiter {0, 1} (in wic case H is an AIL as function) or {0, 1} <2λ, for some uge positive integer λ, e.g. λ = 64 (in wic case H is a VIL as function). For instance, te strengtened-md domain extension transform [12, 8, 3] yields to a VIL as function wile te Prefix-free domain extension transform [7, 3] yields to an AIL as function. In practice te difference between being VIL or AIL as function will not be of a concern as for typical value of λ = 64 almost all messages will ave lengt less tan 2 64 bits, i.e. will belong to {0, 1} <264. From security viewpoint, te crux sougt from a domain extension transform is its property preserving capability; tat is, if te underlying compression function possesses some security property P, ten te obtained full-fledged as function H sould also provably possess te property P. Te most well-known domain extension transform is te strengtened Merkle-Damgård (MD) construction wic was sown by Merkle [12] and Damgård [8] to be a CR preserving transform. Bellare and Rogaway in [6] sowed tat strengtened MD, despite preserving CR property, is unable to preserve UOWHF property (put fort by Naor and Yung [15]) wic is a weaker tan CR property. Tey renamed UOWHF as target collision resistance (TCR) and provided four domain extension transforms for preserving te TCR property. Soup in [17] provided a transform (improving XLH transform of Bellare-Rogaway in [6]), wic is sown to be UOWHF and CR preserving. Mironov [14] sowed tat Soup s transform is optimal from key expansion viewpoint among masking based serial transforms for TCR preservation. Coron et al. [7] introduced te notion of random oracle preservation and provided prefix-free MD transform wic is capable of preserving (pseudo-)random oracle, wic means tat if te compression function is modeled as a random oracle ten te AIL as function obtained by applying prefix-free MD transform will also be indifferentiable from a random oracle [7, 11]. A new line of researc recently as been initiated by Bellare and Ristenpart in [4], and followed in several oter works, e.g. [3, 1], wit te aim of designing multi-property-preserving (MPP) domain extension transforms. An MPP transform is capable of preserving multiple security properties simultaneously wileextendingtedomainofacompressionfunction. Two of te most recent and powerful MPP transforms are te Enveloped Soup (ES) transform designed by Bellare and Ristenpart in [3] and te Random-Oracle XOR (ROX) transform by Andreeva et al. in [1]. Bot ES and ROX are variants of Soup (S) transform proposed in [17]. ES is a standard model transform and was sown to be te best-performing, in terms of property preserving capability, among te nine transforms studies in [3]. It is sown in [3] tat ESH preserves five security notions; namely CR, TCR, MAC, PRF, and PRO. ROX was sown to be te only transform among te twelve transforms investigated in [1] wic is able to preserve seven security notions; namely CR, Sec, asec, esec, Pre, apre, and epre as put fort by Rogaway and Srimpton in [16]. But unlike to oter transforms, ROX..., quite controversially, uses a random oracle in te iteration. [1], altoug Andreeva et al. in [1] provide arguments justifying te merits of suc a limited application of auxiliary FIL random oracles in teir construction from practical viewpoint. Our Contribution. We complete property-preservation analysis of te ROX and ES transforms by providing new negative and positive results in regard to teir MPP capabilities. Our results complete te property preservation analysis of ROX and ES in regard to all ten security notions of interest, namely CR, Sec,aSec,eSec(TCR),Pre,aPre,ePre,MAC,PRF,PRO.ForteROXtransform,wesowtatitdoes not preserve MAC and PRO. Tis settles te open question of [1] about MAC and PRO preservation capability of te ROX, in a negative way. On te positive side we notice tat te ROX is also a PRF preserving transform. Regarding te ES transform, we sow tat ES does not preserve Sec, asec, Pre, and apre properties. As a positive result about ES we sow tat it also preserves epre property.

5 Analysis of Property-Preservation Capabilities of te ROX and ES 3 Te overview of te results are sown in Table 1. A Yes means tat te property is provably preserved by te transform. A No means tat te property is not preserved and tis is sown eiter by sowing a counterexample compression function or by some attacks benefiting from te structural weakness of te transform in regard to te specific security property. Unreferenced entries are te results sown in tis paper. We leave te question of a ten-property-preserving transform witout any random oracle as an interesting open question. ES ROX CR (Coll) Yes [3] Yes [1] Sec No Yes [1] asec No Yes [1] esec (TCR or UOWHF) Yes [3] Yes [1] Pre No Yes [1] apre No Yes [1] epre Yes Yes [1] MAC Yes [3] No PRF Yes [3] Yes PRO Yes [3] No Table 1. Overview of te MPP capabilities of te ES and ROX as domain extension transforms in regard to ten security notions. Unreferenced entries are te results sown in tis paper. 2 Preliminaries 2.1 Notations If A is a probabilistic algoritm wit access to some oracle f(.) tenbyy $ A f(.) (x 1,,x n )itismeant tat y is te output random variable wic is defined by running A, given inputs x 1,,x n and aving oracle access to f(.). To sow tat an algoritm A is run witout any input, we use te notation y $ A(). By time complexity of an algoritm we mean te running time, relative to some fixed model of computation plus te size of te description of te algoritm using some fixed encoding metod. If X is a finite set, by x $ X it is meant tat x is cosen from X uniformly at random. By X Y it is meant tat te value Y is simply assigned to te variable X. Letx y denote te string obtained from concatenating string y to string x. Let1 m and 0 m, respectively, denote a string of m consecutive 1 and 0 bits, and 1 m 0 n denote te concatenation of 0 n to 1 m.by(x, y) we mean an injective encoding of two strings x and y, from wic one can efficiently recover x and y. For a binary string M, let M denote its lengt in bits and M b M /b denote its lengt in b-bit blocks. Let M[i] denote te i-t bit of M, andm i...j denote te bits from i-t to j-t positions, i.e. M i...j = M[i] M[j]. If S isafinitesetwedenotesizeofs by S. For a positive integer m, let m λ denote its representation as a binary string of lengt exactly λ bits. Te set of all binary strings of lengt n bits (for some positive integer n) is denoted as {0, 1} n, te set of all binary strings wose lengts are variable but upper-bounded by N is denoted by {0, 1} N and te set of all binary strings of arbitrary lengt is denoted by {0, 1}. Te set of all functions f : Dom Rng (from a domain Dom to a range Rng) is denoted by Func(Dom, Rng). 2.2 Definition of Security Notions In tis section, we recall definition of ten security notions for as functions; namely, te seven notions (Coll, Sec, asec, esec, Pre, apre and epre) formalized in [16] as well as PRF, MAC, PRO. All definitions are for a

6 4 M. R. Reyanitabar, W. Susilo and Y. Mu dedicated-key as function H : M C,wereC = {0, 1} n for some positive integer n, tekeyspace is some nonempty set and te message space M {0, 1} suc tat {0, 1} m Mfor at least a positive integer m. For any M Mand,weusetenotationsH (M) andh(, M) intercangeably. Te advantage measures for an adversary A attacking H are defined in Fig. 1 for te ten security notions. [ ] Adv Coll H (A) = Pr ;(M,M $ ) $ A() : M M H (M) =H (M ) [ ] Adv Sec[δ] ; $ M {0, $ 1} δ ; H (A) = Pr M $ A(, M) : M M H (M) =H (M ) (, State) $ A(); H (A) = Pr M {0, $ 1} δ ; M $ A(M,State) : M M H (M) =H (M ) (M,State) $ A(); Adv esec H (A) = Pr ; $ M $ A(, State) : M M H (M) =H (M ) [ ] Adv Pre[δ] ; $ M {0, $ 1} δ ; Y H H (A) = Pr (M); M $ A(, Y ) : H (M )=Y (, State) $ A(); H (A) = Pr M {0, $ 1} δ ; Y H (M); M $ A(Y,State) : H (M )=Y [ ] ep re AdvH (A) = Pr (Y,State) $ A(); ; $ M $ A(, State) : H (M )=Y [ ] Adv MAC H (A) = Pr ;(M,tag) $ $ A H(.) () : H (M) =tag M not queried [ ] [ Adv PRF H (A) = Pr : $ A H(.) () 1 Pr ρ $ Func(M, C) :A ρ(.) () 1] [ ] [ Adv PRO H (A) = Pr : $ A H (.), (.) () 1 Pr : $ A F(.), SF (,.) () 1] Adv asec[δ] ap re[δ] Adv Fig. 1. Definitions of ten security notions for a as function family H [16, 3]. We say tat H is (t, l, ɛ)-xxx, for xxx {Coll, Sec[δ], asec[δ], esec, Pre[δ], apre[δ], epre}, if te advantage of any adversary A wit time complexity at most t and using messages of lengt at most l, islesstanɛ, in attacking H in xxx sense. Note tat four of te notions (namely, Sec[δ], asec[δ], Pre[δ] and apre[δ]) are parameterized by δ were {0, 1} δ M.IfH is a compression function (i.e. an FIL as function), ten parameter δ and te resource parameter l for te adversary will be te same as te fixed input lengt of te compression function and ence omitted from te notations. It is sown in [16] tat te strengt of provisional implications between different notions depends on te relative size of δ and te as size n. For more related details we refer to [16]. For xxx {MAC,PRF}, wesaytath is (t, q, l, ɛ)-xxx if te advantage of any adversary A aving time complexity at most t and making at most q queries wit maximum query lengt of l bits is at most ɛ. PRO Notion. Te definition of pseudorandom oracle preservation for a as function was first considered by Coron et al. in [7] using te indifferentiability framework of Maurer et al. in [11], and furter studied in te following works, e.g. in [4, 3]. Te definition for te dedicated-key setting tat we consider in tis paper, as sown in Fig. 1, is due to Bellare and Ristenpart [3]. PRO is defined formally as follows. Adversary A is given oracles access to eiter te VIL as function H (.) and FIL random oracle (.), or a VIL random oracle F(.) and a simulator S F (,.). A must differentiate between tese two worlds and te simulator s goal is to mimic te FIL random oracle (.) in a way tat convinces adversary A tat H (.) isf(.) (i.e. te two worlds become indifferentiable from A s

7 Analysis of Property-Preservation Capabilities of te ROX and ES 5 view). Te PRO advantage of an adversary A against H is defined as te difference between te probability tat A outputs a one wen given oracle access to H (.) and (.) and te probability tat it outputs a one wen given oracle access to F(.) and te simulator S F (,.). We say tat H is (t A,t S,q 1,q 2,l,ɛ) PRO, if for any adversary A aving time complexity at most t and making at most q 1 queries from its first (left) oracle and q 2 queries from its second (rigt) oracle wit maximal query lengt of l bits, tere exits a simulator S wit time complexity t S suc tat makes Adv PRO H (A) <ɛ. Te Special Case of ROX Construction. In te case of a as function obtained using ROX construction, te VIL as function H utilizes two FIL random oracles RO 1 and RO 2 in its construction as well as a compression function. In tis case te definitions sould be straigtforwardly adapted to consider te existence of tese two auxiliary FIL random oracles, namely adversary A will be also given oracle access to RO 1 and RO 2 and te number of queries from tese oracles sould also be considered as additional resource parameters for te adversary A. One also must use te generalized PRO notion based on te indifferentiability framework of [11] to involve tese additional random oracles. We provide te required generalized definition in section 3.1 of tis paper, following [11, 4]. Briefly saying, te simulator will ave to simulate tree random oracles for te adversary, namely te compression function itself (wic for PRO notion is modeled as an FIL random oracle), as well as te two auxiliary random oracles used by te ROX in addition to. More details are given in section 3.1 of tis paper. 2.3 Has Domain Extension Assume tat we ave a compression function : {0, 1} k {0, 1} n+b {0, 1} n tat can only as messages of fixed lengt (n+b) bits. A domain extension transform can use tis compression function (as a black-box) to construct a as function H : M {0, 1} n, were te message space M can be eiter {0, 1} or {0, 1} <2λ, for some positive integer λ (e.g. λ = 64). Te key space is determined by te construction of a domain extender. Clearly log 2 ( ) k, ash involves at least one invocation of. A domain extension transform comprises two functions: an injective padding function and an iteration function. First, te padding function Pad : M D I is applied to an input message M Mto convert it to te padded message Pad(M) inadomaind I. Ten, te iteration function f : D I {0, 1} n uses te compression function as many times as required, and outputs te final as value. Te full-fledged as function H is obtained by combining te two functions. In te case of ROX transform bot te padding algoritm (rox-pad) and te iteration algoritm need small-input random oracles as well. Te padding functions used in te S, ES and ROX domain extension transforms are Strengtening, Strengtened Cain Sift and rox-pad defined as follows, were 2 λ is te maximum message lengt in bits (typically λ = 64) : Strengtening: pad s : {0, 1} <2λ L 1 {0, 1}Lb, were pad s (M) =M 10 p M λ and p is te minimumnumberof0 srequiredtomaketelengtofpad s (M) a multiple of block lengt. Strengtened Cain Sift: padcs s : {0, 1} <2λ L 1 {0, 1}Lb+b n, were padcs s (M) =M 10 r M λ 0 p, and parameters p and r aredefinedintwowaysdependingonteblocklengtb. Ifb n+λ ten p = 0, oterwise p = b n. Tenr is te minimum number of 0 s required to make te padded message a member of {0, 1} Lb+b n, for some positive integer L. rox-pad: rox-pad RO 2 : {0, 1} <2λ L 1 {0, 1}L.b,wereRO 2 : {0, 1} k {0, 1} λ {0, 1} log b {0, 1} 2n is an auxiliary FIL random oracle, and rox-pad RO 2 (M) =M RO 2 (M 1...k, M λ, 1 ) RO 2 (M 1...k, M λ, 2 ), were te last block of padded message must contain at least 2n bits generated by RO 2 wic implies adding a new final block just for padding if necessary.

8 6 M. R. Reyanitabar, W. Susilo and Y. Mu Te iteration functions for S, ES and ROX transforms are sown in Fig. 2, were IV,IV 1,andIV 2 are some known initial values and IV 1 IV 2. RO 1 : {0, 1} k {0, 1} k {0, 1} log λ {0, 1} n is a random oracle used by te ROX iteration function to generate required key masks. f S : {0, 1} Lb {0, 1} n,were = {0, 1} k+tn t = log 2 (L),ν(i) =max {x :2 x i} M 1 M 2 M 3 M L Algoritm f S ( 0 1 t 1,M): C 0 = IV for i =1toL do C i = ((C i 1 ν(i) ) M i ) return C L f ES : {0, 1} (L 1)b+b n {0, 1} n,were = {0, 1} k+tn t = log 2 (L 1) +1,ν(i) =max {x :2 x i} Algoritm f ES ( 0 1 t 1,M): C 0 = IV 1 ; μ = t 1 for i =1toL 1do C i = ((C i 1 ν(i) ) M i ) C L = ((IV 2 0 ) (C L 1 μ ) M L ) return C L : {0, 1} Lb {0, 1} n,were = {0, 1} k t = log 2 (L),ν(i) =max {x :2 x i} f RO1(.) ROX IV M 1 M 2 IV M 1 M 2 2 M L 1 ν(l 1) M 3 μ IV 2 v(l) M L 0 M L b n C L C L Algoritm f RO1(.) ROX (, M): for i =0tot 1do i = RO 1 (, M 1...k, i ) C L = f S ( 0 1 t 1,M) return C L IV v(l) C L Fig. 2. Iteration functions of Soup (S), Enveloped Soup (ES), and ROX transforms Te variable-input-lengt (VIL) as function H : {0, 1} <2λ {0, 1} n,forh {S,ES,ROX}, obtained by applying S, ES, or ROX domain extension transforms on a fixed-input-lengt (FIL) as function : {0, 1} k {0, 1} n+b {0, 1} n is defined, respectively, as follows: S(,M)=f S (, pad s (M)), were = 0 t 1 {0, 1} k+tn ES(,M)=f ES (, padcs s (M)), were = 0 t 1 {0, 1} k+tn ROX RO 1,RO 2 (, M) =f RO 1(.) ROX (, rox-padro 2(.) (M)), were {0, 1} k 3 Property Preservation Analysis of te Transforms In tis section we analyze property preserving capability of te ROX and ES transforms in terms of te ten security notions defined in section 2.2, namely CR (Coll), Sec, asec, esec(tcr), Pre, apre, epre, MAC, PRF, PRO. ROX was already sown in [1] to be able to preserve seven properties, namely: CR (Coll), Sec, asec, esec, Pre, apre, and epre. We complete a property-preservation analysis of ROX in regard to te oter tree important security notions (i.e. MAC, PRF, PRO) and gater bot negative and positive results. On te negative side we sow tat ROX cannot preserve MAC and PRO notions. As a positive result we note tat ROX can also preserve PRF. Next we investigate ES transform. ES was already sown in [3] to be

9 Analysis of Property-Preservation Capabilities of te ROX and ES 7 abletopreservefiveproperties,namely:cr(coll),mac,prf,pro,andtcr(esec).wecompletete property preservation analysis of ES wit respect to te remaining five properties among te ten notions by sowing, as negative results, tat ES does not preserve four properties, namely Sec, asec, Pre, apre, and as a positive result we sow tat it can also preserve epre. 3.1 Analysis of te ROX Transform In tis section we provide two negative results about PRO and MAC preservation and one positive result about PRF preserving capability of te ROX domain extension transform. Among tese results, te negative result sowing tat ROX does not preserve PRO seems more interesting regarding te fact tat ROX, unlike all oter as domain extension transforms, uses random oracles in its construction. Indifferentiability Analysis of te ROX Construction. Our aim is to sow tat ROX transform does not preserve PRO, i.e., te VIL as function obtained using ROX transform is differentiable from a true VIL random oracle. We first provide te required generalization of PRO notion for te case of ROX construction based on te indifferentiability framework of [11]. Ten we provide our negative result in Teorem 1. For te purpose of PRO analysis (in te dedicated key as setting [3]), te compression function : {0, 1} k {0, 1} n+b {0, 1} n is modeled as a family of FIL random oracles, i.e. : {0, 1} n+b {0, 1} n is assumed to be an FIL random oracle for any value of te key were (.) =(,.). We note tat te ROX transform itself utilizes two additional FIL random oracles, namely RO 1 and RO 2 in generation of te key masks used in te iteration function and padding, respectively. Hence te VIL as function ROX,RO 1,RO 2 : {0, 1} k {0, 1} <2λ {0, 1} n will ave access to tree FIL random oracles, namely (.),RO 1 (.) andro 2 (.). According to te general indifferentiability framework of [11] wic is used to define PRO in [7, 4, 3], adversary A will be given access to four oracles; namely, a VIL oracle O 1 : {0, 1} <2λ {0, 1} n, and tree FIL oracles as O 2 : {0, 1} n+b {0, 1} n, O 3 : {0, 1} k {0, 1} k {0, 1} log λ {0, 1} n and O 4 : {0, 1} k {0, 1} λ {0, 1} log b {0, 1} 2n, and must differentiate between te following two worlds: World 1: A random key {0, $ 1} k is selected. Te oracles are set as O 1 (.) =ROX,RO 1,RO 2 (,.), O 2 (.) = (.), O 3 (.) =RO 1 (.), O 4 (.) =RO 2 (.). A is given as input and as access to te four oracles. World 2: A random key {0, $ 1} k is selected. O 1 (.) =F(.) weref : {0, 1} <2λ {0, 1} n is a true VIL random oracle. A simulator S F () =(S1 F(), SF 2 (), SF 3 ()),avingaccesstoteoraclef(.) and receiving as input, simulates te role of te tree FIL random oracles for te adversary. Tat is, in tis world wen adversary queries te first oracle (i.e. te VIL oracle) O 1 te response comes from te true VIL random oracle F(.), but wen adversary queries any of te tree FIL oracles O 2 (.), O 3 (.) and O 4 (.), te queries are forwarded to te te simulator S. Simulator will respond to tese queries trying to mimic te oracles (.),RO 1 (.) andro 2 (.), respectively, by its sub-algoritms S 1, S 2 and S 3 in a way tat convinces A tat O 1 (.) isrox,ro 1,RO 2 (,.) altougitisnowactuallyf(.). Let H (.) =H(,.) =ROX,RO 1,RO 2 (,.). Te PRO advantage of te adversary in differentiating H from F is defined as follows: Adv PRO H (A) = [ Pr A O 1, O 2, O 3, O 4 () 1 World 1 ] Pr [ A O 1, O 2, O 3, O 4 () 1 World 2 ] [ ] [ = Pr A H (.), (.), RO 1 (.), RO 2 (.) () 1 Pr A F(.), SF 1 (), SF 2 (), SF 3 () () 1] We say tat an adversary A is a (t A,t S,q 1,q 2,q 3,q 4,l,ɛ)-differentiating adversary against H if its PRO advantage is at least ɛ against any simulator S aving time complexity at most t S, were te time complexity

10 8 M. R. Reyanitabar, W. Susilo and Y. Mu of te adversary is at most t A, te number of queries from i-t oracle is at most q i (for 1 i 4) and te lengt of eac query is at most l bits. Now we are ready to state our negative result wic sows te inability of ROX to preserve PRO. Teorem 1 (Negative Result: PRO). ROX domain extension transform does not preserve pseudorandom oracle. Proof. We sow a (c, t S, 2, 1, 1, 2, 3b 2n, 1 2 n )-differentiating adversary against H,i.e.A as overwelming PRO advantage of 1 2 n in differentiating te VIL as function ROX,RO 1,RO 2 : {0, 1} <2λ {0, 1} n from a true VIL random oracle F : {0, 1} <2λ {0, 1} n, wit respect to any simulator S wit arbitrary time complexity t S. A astimecomplexityt A = c, werec is a small constant, and it asks only: two queries from te first oracle O 1, one query from te second oracle O 2, one query from te tird oracle O 3 and two queries from te fourt oracle O 4. Te maximum query lengt is 3b 2n bits. Adversary A acts as follows: 1. M {0, $ 1} 2b 2n and Y O 1 (M); 2. IP O 4 (M 1...k, 2b 2n λ, 1 ); 3. M $ {0, 1} b 2n and Z O 1 (M IP M ); 4. 0 O 3 (, M 1...k, 0 ); 5. OP O 4 (M 1...k, 3b 2n λ, 1 ); 6. Z ( O 2 (Y 0 ) M OP ) ; 7. If Z = Z ten return 1 (i.e. guess tat it is World 1) else return 0 (i.e. guess tat it is World 2 ) From te construction of te ROX as function and te description of te World 1, it can be seen tat Pr [ A H (.), (.), RO 1 (.), RO 2 (.) () 1 ] [ ] = 1. We claim tat Pr A F(.), SF 1 (), SF 2 (), SF 3 () () 1 = 2 min{n,2b 2n k}. Tis can be seen by noting tat in World 2, te only queries tat te simulator S F () = (S1 F(), SF 2 (), SF 3 ()) can see and must respond to are te queries from O 2, O 3,andO 4 oracles. It is wort reminding tat, te simulator cannot see query-response sequence between te adversary A and te first oracle O 1 due to te definition of indifferentiability [7, 4, 3], as tese queries are answered directly by te true VIL random oracle F in World 2. Hence referring to te description of te adversary A, itcan be seen tat te simulator S just is given te first k bits of te first message M, i.e. M 1...k, and as no information about te remaining 2b 2n k bits of te message M. Hence to make A output a one (i.e. to fool A), simulator S must eiter guess tese 2b 2n k unknown bits of M (wit success probability of 2 (2b 2n k) ) or guess te correct value of Z (wit success probability of 2 n ) in order to be able to provide a correct value Z at step 6 of A s differentiating attack. (Note tat te success probability of S in guessing te correct value of tese unknown bits is independent of te time complexity of S, i.e. t S,asS as no information about tese bits.) So, we ave Adv PRO H (A) =1 2 min{n,2b 2n k}. It remains to verify tat 2b 2n k n. According to te construction of rox pad RO 2 it must be te case tat b 2n and referring to [1], typical values for k and n are suggested as k =80bitsandn = 160 bits for an 80-bit security level, i.e. we ave k n/2. Hence min {n, 2b 2n k} = n and Adv PRO H (A) =1 2 n as claimed. MAC Preservation Analysis of te ROX. We sow tat te ROX transform does not preserve MAC (unforgeability). Tis is done by providing as a counterexample, a compression function wic is a secure MAC but for wic te VIL as function obtained by using ROX transform will be insecure in MAC sense. Assume tat tere is a compression function g : {0, 1} k {0, 1} n+b {0, 1} n 1 wic is (t, q, ɛ) MAC. Consider te following construction from [3] for a compression function : {0, 1} k {0, 1} n+b {0, 1} n, were s = log 2 (n) : { g (C M) C[i] if M = i (C M) = s 0 b s for i {1,,n 1} g (C M) C[n] oterwise

11 Analysis of Property-Preservation Capabilities of te ROX and ES 9 Itissownin[3]tatifg is (t, q, ɛ) MAC ten will be (t cq,q,ɛ) MAC, were c is a small constant. Note tat leaks te i-t bit of its caining variable input C to te output if its input block M equals to i s 0 b s,fori {1,,n 1}, and oterwise leaks te n-t (i.e. te last) bit of C. We use tis counterexample to prove te following negative result. Teorem 2 (Negative Result: MAC). ROX domain extension transform does not preserve MAC. Proof. Consider te above counterexample function as an FIL MAC. We sow tat te VIL function H(,.) =ROX,RO 1,RO 2 (,.) obtained by applying te ROX transform on tis FIL MAC will not be asecuremac.tisisdonebydescribinganadversarya wic can break H(,.) in MAC sense, wit success probability 1 4 and wose computational resources are only: one query from te random oracle RO 2 (.), 2(n 1) queries from te function H (.) wit maximum lengt of eac query 4b 2n bits, and a constant time complexity proportional to n. Te idea beind te construction of te adversary A is te same lengt reduction attacks used in [3] to sow tat S transform is not MAC preserving. We adapt te attack for te case of ROX transform by considering te special padding function rox-pad RO 2 used by te ROX. Te algoritm for te adversary A is sown in Fig. 3. It as oracle access to H (.) andro 2 (.). Note tat in definition of te MAC security notion, te key is considered secret from te adversary and ence A cannot compute H (.) directly. It selects an all zero string of lengt 2b 2n bits as M =0 2b 2n, for wic it tries to return a valid tag T under H (.). To tis aim, A first queries RO 2 as IP RO 2 (M 1...k, 2b 2n λ, 1 ) to get te 2n-bit response IP (IP stands for internal padding ). It ten queries oracle H (.) onn 1 messages, eac of lengt 4b 2n bits, constructed as QH i = M IP i s 0 b s 0 b 2n, and it receives te response Y i = H (QH i ), for i {1,,n 1}.Lety i denote te last bit of Y i, i.e. y i = Y i [n]. According to te ROX construction and te structure of te counterexample compression function, te value of te bit y i will be computed as y i = H (M)[i] 0 [i] 2 [n] wit overwelming probability of at least 1 2 min{2n,b s}.tiscanbe seen from (te Top-Rigt diagram in) Fig. 3 noting tat te final block contains 2n bits of random padding string (denoted by OP) as its last bits and ence tis final block input to te compression function is not equal to i s 0 b s wit probability at least 1 2 min{2n,b s},fori {1,,n 1}, and terefore will leak te last bit (i.e. n-t bit) of its caining variable input to te output Y i. Terefore wit probability at least 1 2 min{2n,b s},tevariabley i (for 1 i n 1) contains te i-t bit of te tag T for te message M (i.e. T [i] =H (M)[i]) masked wit te unknown key bits 0 [i] and 2 [n]. For any typical value of b and n (say b = 512,n = 160) we ave 1 2 min{2n,b s} 1 and so we assume tat tis probability is approximately one, to prevent unnecessary complexity in te analysis. Now A triestopeeloffteunknownkeybits 0 [i], for 1 i n 1. It queries H (.) onn 1 messages, eac of lengt 2b 2n bits, constructed as qh i = i s 0 b s 0 b 2n and receives te response Z i = H (qh i ), for i {1,,n 1}. Letz i denote te last bit of te Z i, i.e. z i = Z i [n]. According to te description of H (.) and te structure of te counterexample function, te value of bit z i will be computed as z i = H (qh i )[i] =IV [i] 0 [i] 1 [n] wit overwelming probability of at least 1 2 2n. Tis can be seen from (te Bottom-Rigt diagram in) Fig. 3 noting tat te final block contains 2n bits of random padding string (denoted by OP i ) as its last bits and ence tis final block input to te compression function is not equal to i s 0 b s wit probability at least 1 2 2n, for any i {1,,n 1}, and ence will leak te last bit (i.e. n-t bit) of its caining variable input to te output Z i. For any typical value of n (say n = 160 as in SHA-1) we ave 1 2 2n 1 and so we assume tat tis (overwelming) probability is approximately one. Now for eac i {1,,n 1} adversary builds a variable t i = y i z i IV [i] wose value will be t i = H (M)[i] 1 [n] 2 [n] (wit overwelming probability of at least (1 2 2n ) 2 1 for typical values of n, sayn = 160). Note tat te value of te remaining unknown masking bit 1 [n] 2 [n] is independent of te index i, i.e. it is te same for all t i and terefore adversary can guess tis unknown value wit probability 1/2. Tat is, for a random guess α {0, $ 1} wit probability 1/2 tevaluet i α will be

12 10 M. R. Reyanitabar, W. Susilo and Y. Mu equal to H (M)[i] =T [i] (i.e. te correct tag value), for all i {1,,n 1}. Itjustremainstocompute te last bit of te tag T,i.e.T [n], but A just guesses tis one bit and wit probability 1/2 tis guess will be correct. Hence te adversary A computes a correct MAC tag T for te message M under H (.) wit probability 1/4 (or more precisely wit probability 1 4 (1 (n 1)2 2n+1 ), wic for any typical value of as size n, sayn = 160, will be 1/4). Note tat te message M never is queried from H (.) in te attack and so tis is a valid forgery attack. Referring to te algoritm for A it is seen tat A is quite efficient as its computational resources are: one query from te random oracle RO 2 (.), 2(n 1) queries from te function H (.) wit maximum lengt of eac query 4b 2n bits, and a constant time complexity proportional to n wic can be easily determined from te description of A. Algoritm A H (.),RO 2(.) : M 0 2b 2n IP RO 2 (M 1...k, 2b 2n λ, 1 ) for i =1ton 1do Y i H (M IP i s 0 b s 0 b 2n ) y i Y i [n] for i =1ton 1do Z i H ( i s 0 b s 0 b 2n ) z i Z i [n] α {0, $ 1} for i =1ton 1do t i y i z i IV [i] T [i] t i α $ T [n] {0, 1} T T [1] T[n] return (M,T) IV 0 b 0 b 2n IP 0 <i> s 0 b s 1 0 <i> s 0 b s 0 b 2n OP 2 M =0 2b 2n y i = Y i [n] =H (M)[i] 0 [i] 2 [n] OP = RO 2 (0 k, 4b 2n, 1 ) IV 0 0 b 2n OP i 1 Z i z i = Z i [n] =IV [i] 0 [i] 1 [n] OP i = RO 2( i s 0 k s, 2b 2n, 1 ) Y i Fig. 3. (Left) Description of te algoritm for an adversary A against te VIL function H (.) =ROX RO 1,RO 2 (,.) based on te (counterexample) FIL MAC function. (Rigt) Te structure of te queries from H (.) and computation of te responses according to te ROX construction. Teorem 3 (Positive Result: PRF). ROX domain extension transform preserves PRF. Proof. Tis result is just a straigtforward corollary of a teorem in [3] (Teorem 5, page 407) sowing tat in te dedicated-key as function setting (were te compression function is a keyed as function) Merkle-Damgård transform and all of its variants including Soup are PRF preserving transforms. As sown in[3,5]eveniftekeymasks( 0, 1, ) in Soup construction are made public and only te key () for te compression function is kept secret ten Soup transform will still be PRF preserving. Clearly a special case will be putting te value of all key masks to zero in wic case Soup iteration will be te same as Merkle-Damgård iteration wic is a PRF preserving transform in te dedicated-key as setting [5]. We note tat te iteration function of te ROX transform is exactly te same as Soup were te key masks are generated using a random oracle (Refer to Fig. 2).

13 Analysis of Property-Preservation Capabilities of te ROX and ES Analysis of te ES Transform Te following teorems sow our results about te ES. We sow bot negative results and a positive result about property preservation capability of ES. Teorem 4 (Negative Results: Sec, asec, Pre, and apre). ES domain extension transform does not preserve any of te Sec, asec, Pre, and apre security properties. Proof. Te proof is done by sowing, as a counterexample, a compression function wic is secure in xxx sense for xxx {Sec,aSec,Pre,aPre} but for wic te full-fledged as function obtained using ES domain extension transform is completely insecure in xxx sense for xxx {Sec[δ], asec[δ], Pre[δ], apre[δ]} and for any value of te parameter δ<2 λ (remember tat 2 λ is te maximum input message lengt in bits). Referring to te description of te strengtened cain sift padding function (padcs s )usedines transform, we consider te following two cases depending on te sizes of te parameters b, n and λ (note tat for ES, b n and typical value of λ = 64): Case 1: if b n + λ ten padcs s (M) =M 10 r M λ Case 2: if b<n+ λ ten padcs s (M) =M 10 r M λ 0 b n Assume tat tere is a compression function g : {0, 1} k {0, 1} n+b {0, 1} n 1 wic is (t, ɛ)-xxx, were xxx is any of te four properties in {Sec,aSec,Pre,aPre}. For Case 1 and Case 2, respectively, consider te following two compression functions 1 : {0, 1} k {0, 1} n+b {0, 1} n and 2 : {0, 1} k {0, 1} n+b {0, 1} n : 1 (, M) ={ 0 n if M n+b λ+1...n+b = δ λ g(, M) 1 oterwise { 0 n if M 2 (, M) = 2n+1...n+b =0 b n g(, M) 1 oterwise Construction of te counterexamples 1 and 2 are inspired from te CE 3 counterexample in [1] were we make some modifications in te conditions defining tese two functions as it is necessary to consider te effect of padcs s padding in ES transform. To complete te proof of te teorem we prove and combine te following two lemmas. Te first lemma sows tat te compression functions 1 and 2 inerit security properties xxx {Sec,aSec,Pre,aPre} from te compression function g and te second lemma sows tat ES transform cannot preserve tese four properties wile extending te domain of 1 or 2 compression functions. Note tat only one of tese compression functions are used depending on wic of te two conditions specified in Case 1 and Case 2 above are te case. Lemma 1. If g is (t, ɛ)-xxx ten 1 is (t, ɛ +2 λ )-xxx and 2 is (t, ɛ +2 (b n) )-xxx, for any of te notions xxx {Sec, asec, Pre, apre}. Proof. Te proof is provided in Appendix 1. Lemma 2. For any xxx {Sec[δ], asec[δ], Pre[δ], apre[δ]}, and for any value of δ<2 λ, tere is a simple adversary wic can break te domain extended as function ES(,M)=f ES (, padcs s (M)) using 1 or 2 as te compression function. Proof. Considering te description of te padcs s and counterexample compression functions 1 and 2, we ave ES(,M) = 0 for any M {0, 1} δ. Hence, in Pre[δ] and apre[δ] attacks adversary A just needs to output any arbitrary M {0, 1} δ and wins wit probability one. Similarly, in Sec[δ] and asec[δ] attacks A only needs to output any M {0, 1} δ wic is different from te callenge message M {0, 1} δ and wins wit probability one. Tat is, te VIL as function ES : {0, 1} <2λ {0, 1} n, defined as ES(,M)=f ES (, padcs s (M)) using 1 or 2 is completely insecure in xxx sense for xxx {Sec[δ], asec[δ], Pre[δ], apre[δ]} and for any value of te parameter δ, wereδ<2 λ.

14 12 M. R. Reyanitabar, W. Susilo and Y. Mu Teorem 5 (Positive Result: epre). If te compression function : {0, 1} k {0, 1} n+b {0, 1} n is (t, ɛ) epre ten te full-fledged as function ES : {0, 1} <2λ {0, 1} n defined as ES(,M)=f ES (, padcs s (M)) will be (t,ɛ) epre, were t = t c, for a small constant c. Proof. Assume tat tere is an adversary A against epre property of te as function ES wit time complexity t and advantage ɛ. We construct an adversary B wic can break te compression function in epre sense wit te same advantage (i.e. ɛ = ɛ ) and wose time complexity is tat of A plus a small constant time (i.e. t = t + c). Adversary B runs A and on receiving te value of Y from A outputs te same value Y as its own target as value in te first pase of epre game. B receives (te random key $ for ), generates 0 t 1 {0, 1} t.n,weret = log 2 (2 λ /b) + 1 and sends te key 0 t 1 to adversary A as te key for te full-fledged as function ES. Note tat because B by tis pase just knows te Y and does not know te lengt of te input message to te as function ES, it generates a key string of maximum required lengt for te XOR masks, i.e. t.n bits, for t = log 2 (2 λ /b) +1were 2 λ /b is te maximum possible input lengt in blocks and n is te as size. Now on receiving te message M from A (wic is to be a preimage for Y under ES, i.e. Y = ES( 0 t 1,M ) ), adversary B simplyoutputstevalue(iv 2 0 ) (C L 1 μ ) M L as a preimage for Y (refer to Fig. 2) wic is te input to te final application of te compression function in te construction of ES as function. Clearly B wins wenever A wins. Te time complexity of B is tat of A plus te time required to generate t random n-bit keys, were t = O(λ) (typically λ = 64), and te time to compute te as function ES on a message of lengt M. 4 Can We Preserve All Properties? In te previous section we sowed tat te ROX transform, wic is a random oracle variant of Soup, does not preserve MAC and PRO notions and also we sowed tat te Enveloped Soup (ES) transform does not preserve Sec, asec, Pre, apre notions. An immediate question arises from tis analysis is tat weter we can preserve all te ten properties simultaneously by a new domain extension transform. 4.1 Using FIL Random Oracles If we are allowed to use some FIL Random Oracles in our construction in te same way tat ROX does (i.e. uses FIL random oracles just for padding and generation of masking keys), ten our analysis in te previous section ints us towards a candidate for suc a ten-property-preserving transform by just mixing components from bot ES and ROX. We notice tat, as sown in Fig. 2, ROX utilizes Soup s iteration as its underlying iteration function and uses FIL random oracles for generation of masking keys and padding function. Hence te natural candidate for a ten property preserving transforms seems to be a random oracle variant of ES wit some necessary adaptation in a similar way tat ROX is obtained from S. We call suc a transform as Random-Oracle Enveloped Soup (RO-ES). Te construction of RO-ES can be seen as a mixture of ES and ROX elements and like te ROX construction, RO-ES also needs two small-input FIL random oracles. Te FIL random oracles in RO-ESH are used only, logaritmic number of times in message lengt, for message padding and generation of masking keys from a single key, but te compression function itself is not modeled as a random oracle. Te padding function of te RO-ES domain extension transforms is defined as follows, were 2 λ is te maximum message lengt in bits (typically λ = 64) : RO-ES-pad : {0, 1} <2λ L 1 {0, 1}L.b+b n RO-ES-pad RO 2 (M) =M 10 r RO 2 (M 1...k, M λ )

15 Analysis of Property-Preservation Capabilities of te ROX and ES 13,werer is te minimum number of 0 s required to make te padded message a member of {0, 1} L.b+b n, for some positive integer L, andro 2 : {0, 1} k {0, 1} λ {0, 1} b n is an FIL random oracle. Te iteration function for RO-ES transform is sown in Fig. 4, were IV 1 and IV 2 are known initial values and IV 1 IV 2. RO 1 : {0, 1} k {0, 1} k {0, 1} log λ {0, 1} n is a random oracle used by te RO-ES iteration function to generate required key masks. f RO1(.) RO ES : {0, 1}(L 1).b+b n {0, 1} n,were = {0, 1} k t = log 2 (L 1) +1,ν(i) =max {x :2 x i} M 1 M 2 M L 1 M L Algoritm f RO1(.) RO ES (, M): for i =0tot 1do i = RO 1 (, M 1...k, i ) C L = f ES ( 0 1 t 1,M) return C L IV ν(l 1) μ IV 2 0 b n C L Fig. 4. Iteration function of te RO-ES transform. Te structure of te iteration is te same as ES and only te key masks are generated using an FIL random oracle RO 1. f ES is te iteration function of ES as sown by te diagram on te left and described in Fig. 2. Te VIL as function H : {0, 1} k {0, 1} <2λ {0, 1} n, obtained by applying te RO-ES domain extension transform on an FIL as function : {0, 1} k {0, 1} n+b {0, 1} n is defined as follows: H(, M) =RO-ES RO 1,RO 2 (, M) =f RO 1 RO ES (, RO-ES-padRO 2 (M)) Te proof of te following Teorem is obtained by a straigtforward (but lengty) adaptation of te previous results proved in [1] and [3], for te security of ROX and ES transforms, respectively. Teorem 6. If te compression function : {0, 1} k {0, 1} n+b {0, 1} n as security property P {CR, Sec, asec, T CR, P re, ap re, ep re, MAC, P RF, P RO}, ten te as function H obtained by RO-ES transform will also possess property P, wit te following concrete-security reductions and relations between te resources: 1. if is (t, ɛ)-cr ten H will be (t,l,ɛ )-CR, were ɛ = ɛ + q2 RO 2 2 b n and t = t 2τ(l)T 2. if is (t, ɛ)-tcr ten H will be (t,l,ɛ )-TCR, were ɛ = τ(l)ɛ + q RO 1 2 k + q2 RO 2 2 b n and t = t 2τ(l)T 3. if is (t, ɛ)-asec ten H will be (t,l,ɛ )-asec[m], were ɛ = τ(l)ɛ + q RO 1 2 k + q2 RO 2 2 b n and t = t 2τ(l)T 4. if is (t, ɛ)-sec ten H will be (t,l,ɛ )-Sec[m], were ɛ = τ(l)ɛ + q2 RO 2 2 b n and t = t 2τ(l)T 5. if is (t, ɛ)-apre ten H will be (t,l,ɛ )-apre[m], were ɛ = ɛ + q RO 1 2 k and t = t 2τ(l)T 6. if is (t, ɛ)-pre ten H will be (t,l,ɛ )-Pre[m], were ɛ = ɛ and t = t τ(l)t 7. if is (t, ɛ)-epre ten H will be (t,l,ɛ )-epre, were ɛ = ɛ and t = t τ(l)t 8. if is (t, q, ɛ)-mac ten H will be (t,q,l,ɛ )-MAC, were ɛ =(q 2 /2+3q/2+1)ɛ, t = t c(q +1)τ(l) and q =(q τ(l)+1)/τ(l)

16 14 M. R. Reyanitabar, W. Susilo and Y. Mu 9. if is (t, q, ɛ)-prf ten H will be (t,q,l,ɛ )-PRF, were ɛ = ɛ + q 2 τ(l) 2 /2 n, t = t cqτ(l) and q = q/τ(l) 10. if = RF n+b, n be a random oracle for any arbitrary, tenh will be (t A,t S,q 1,q 2,q 3,q 4,l,ɛ)-PRO, were running time of adversary t A is arbitrary, time complexity for simulator t S = O(q 2 2 ), q i is te number of queries by adversary from i-t oracle (for 1 i 4) and ɛ = τ(l)2 q1 2 + τ(l)q 1q 2 + q2 2 2 n + τ(l)q 1 + q 2 + q3 2 2 n In above relations: τ(l) = (l +1)/b +1 = L is te number of blocks after applying RO-ES-pad function on an l-bit message M, T is te time to compute compression function, q RO1 and q RO2 are, respectively, te number of queries from RO 1 (.) and RO 2 oracles. 4.2 Witout Any Random Oracle As it was sown in analysis of ES, as a standard model transform, te four properties, namely; Pre, apre, Sec, and asec are not preserved by ES. It appears to be a crux to preserve tese four properties (simultaneously) in te standard model. Sec. Andreeva and Preneel in SAC 2008 [2] proposed a keyed transform to extend te domain of a keyless compression function. Te proposed transform yields to a dedicated-key VIL as function wic is CR and Sec secure (were CR and Sec notions are defined for a dedicated-key as function) based on te assumptions tat underlying keyless compression function is, respectively, CR or Sec (ere CR and Sec are defined for a keyless compression function). Te setting is called keyless compression function - keyed iteration in [2]. We note tat te nature of Sec notion for te keyless compression function and tat of keyed as function is different. Unfortunately te proposed sceme cannot be sown to be Pre secure in standard model and only a random oracle argument is provided in [2] for its security in Pre sense. Pre. To te best of our knowledge, te only transform in te standard model tat is pointed out in [1] to be Pre preserving (in te dedicated-key as setting) is te XOR Tree sceme, but it does not preserve apre and asec as sown in [1]. asec and apre. Tere is currently no transform in te literature tat can preserve asec and apre in te standard model. Suc an asec and apre preserving transform in dedicated-key as setting will also yield to a construction in keyless as setting capable of preserving te Second Preimage Resistance and Preimage Resistance (a.k.a One-wayness) of te underlying keyless compression function. Remark. It is wort reminding tat we call a as domain extension transform (eiter in dedicated-key or keyless settings) capable of preserving a security property P (defined eiter for a dedicated-key or keyless as function) if te constructed VIL as function provably possesses te property P assuming tat te underlying compression function satisfies te same property P. Tis is different from a scenario were one proves tat te VIL as function as property P if its underlying compression function satisfies a different property P, e.g. [18], or a collection of different assumptions, e.g. [10, 9].

Similar documents

Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders

Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders Analysis of Property-Preservation Capabilities of te ROX and ES Has Domain Extenders Moammad Reza Reyanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Researc, Scool of Computer

More information

Enhanced Target Collision Resistant Hash Functions Revisited

Enhanced Target Collision Resistant Hash Functions Revisited Enanced Target Collision Resistant Has Functions Revisited Moammad Reza Reyanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Researc, Scool of Computer Science and Software

More information

Provable Security of Cryptographic Hash Functions

Provable Security of Cryptographic Hash Functions Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties

More information

An introduction to Hash functions

An introduction to Hash functions An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

University Mathematics 2

University Mathematics 2 University Matematics 2 1 Differentiability In tis section, we discuss te differentiability of functions. Definition 1.1 Differentiable function). Let f) be a function. We say tat f is differentiable at

More information

Security Properties of Domain Extenders for Cryptographic Hash Functions

Security Properties of Domain Extenders for Cryptographic Hash Functions Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length

More information

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information

More information

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,

More information

1 The concept of limits (p.217 p.229, p.242 p.249, p.255 p.256) 1.1 Limits Consider the function determined by the formula 3. x since at this point

1 The concept of limits (p.217 p.229, p.242 p.249, p.255 p.256) 1.1 Limits Consider the function determined by the formula 3. x since at this point MA00 Capter 6 Calculus and Basic Linear Algebra I Limits, Continuity and Differentiability Te concept of its (p.7 p.9, p.4 p.49, p.55 p.56). Limits Consider te function determined by te formula f Note

More information

Near-Optimal conversion of Hardness into Pseudo-Randomness

Near-Optimal conversion of Hardness into Pseudo-Randomness Near-Optimal conversion of Hardness into Pseudo-Randomness Russell Impagliazzo Computer Science and Engineering UC, San Diego 9500 Gilman Drive La Jolla, CA 92093-0114 russell@cs.ucsd.edu Ronen Saltiel

More information

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mohammad Reza Reyhanitabar and Willy Susilo Centre for Computer and Information Security Research School of Computer

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

Construction of universal one-way hash functions: Tree hashing revisited

Construction of universal one-way hash functions: Tree hashing revisited Discrete Applied Mathematics 155 (2007) 2174 2180 www.elsevier.com/locate/dam Note Construction of universal one-way hash functions: Tree hashing revisited Palash Sarkar Applied Statistics Unit, Indian

More information

Introduction to Derivatives

Introduction to Derivatives Introduction to Derivatives 5-Minute Review: Instantaneous Rates and Tangent Slope Recall te analogy tat we developed earlier First we saw tat te secant slope of te line troug te two points (a, f (a))

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

MVT and Rolle s Theorem

MVT and Rolle s Theorem AP Calculus CHAPTER 4 WORKSHEET APPLICATIONS OF DIFFERENTIATION MVT and Rolle s Teorem Name Seat # Date UNLESS INDICATED, DO NOT USE YOUR CALCULATOR FOR ANY OF THESE QUESTIONS In problems 1 and, state

More information

HMAC is a Randomness Extractor and Applications to TLS

HMAC is a Randomness Extractor and Applications to TLS MAC is a Randomness Extractor and Applications to TLS Pierre-Alain Fouue ENS CNRS INRIA Paris, France fouue@diensfr David Pointceval CNRS ENS INRIA Paris, France pointceval@diensfr Sébastien Zimmer ENS

More information

The derivative function

The derivative function Roberto s Notes on Differential Calculus Capter : Definition of derivative Section Te derivative function Wat you need to know already: f is at a point on its grap and ow to compute it. Wat te derivative

More information

HMAC is a Randomness Extractor and Applications to TLS

HMAC is a Randomness Extractor and Applications to TLS HMAC is a Randomness Extractor and Applications to TLS Pierre-Alain Fouque, David Pointceval, Sébastien Zimmer To cite tis version: Pierre-Alain Fouque, David Pointceval, Sébastien Zimmer. HMAC is a Randomness

More information

The Verlet Algorithm for Molecular Dynamics Simulations

The Verlet Algorithm for Molecular Dynamics Simulations Cemistry 380.37 Fall 2015 Dr. Jean M. Standard November 9, 2015 Te Verlet Algoritm for Molecular Dynamics Simulations Equations of motion For a many-body system consisting of N particles, Newton's classical

More information

Provable Chosen-Target-Forced-Midx Preimage Resistance

Provable Chosen-Target-Forced-Midx Preimage Resistance Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /

More information

Differentiation in higher dimensions

Differentiation in higher dimensions Capter 2 Differentiation in iger dimensions 2.1 Te Total Derivative Recall tat if f : R R is a 1-variable function, and a R, we say tat f is differentiable at x = a if and only if te ratio f(a+) f(a) tends

More information

Key words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance.

Key words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance. Cryptographic ash-function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance Phillip Rogaway 1 and Thomas Shrimpton 2 1 Dept.

More information

Lecture 21. Numerical differentiation. f ( x+h) f ( x) h h

Lecture 21. Numerical differentiation. f ( x+h) f ( x) h h Lecture Numerical differentiation Introduction We can analytically calculate te derivative of any elementary function, so tere migt seem to be no motivation for calculating derivatives numerically. However

More information

LIMITS AND DERIVATIVES CONDITIONS FOR THE EXISTENCE OF A LIMIT

LIMITS AND DERIVATIVES CONDITIONS FOR THE EXISTENCE OF A LIMIT LIMITS AND DERIVATIVES Te limit of a function is defined as te value of y tat te curve approaces, as x approaces a particular value. Te limit of f (x) as x approaces a is written as f (x) approaces, as

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

WYSE Academic Challenge 2004 Sectional Mathematics Solution Set

WYSE Academic Challenge 2004 Sectional Mathematics Solution Set WYSE Academic Callenge 00 Sectional Matematics Solution Set. Answer: B. Since te equation can be written in te form x + y, we ave a major 5 semi-axis of lengt 5 and minor semi-axis of lengt. Tis means

More information

lecture 26: Richardson extrapolation

lecture 26: Richardson extrapolation 43 lecture 26: Ricardson extrapolation 35 Ricardson extrapolation, Romberg integration Trougout numerical analysis, one encounters procedures tat apply some simple approximation (eg, linear interpolation)

More information

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x)

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x) Calculus. Gradients and te Derivative Q f(x+) δy P T δx R f(x) 0 x x+ Let P (x, f(x)) and Q(x+, f(x+)) denote two points on te curve of te function y = f(x) and let R denote te point of intersection of

More information

Consider a function f we ll specify which assumptions we need to make about it in a minute. Let us reformulate the integral. 1 f(x) dx.

Consider a function f we ll specify which assumptions we need to make about it in a minute. Let us reformulate the integral. 1 f(x) dx. Capter 2 Integrals as sums and derivatives as differences We now switc to te simplest metods for integrating or differentiating a function from its function samples. A careful study of Taylor expansions

More information

Chapter 5 FINITE DIFFERENCE METHOD (FDM)

Chapter 5 FINITE DIFFERENCE METHOD (FDM) MEE7 Computer Modeling Tecniques in Engineering Capter 5 FINITE DIFFERENCE METHOD (FDM) 5. Introduction to FDM Te finite difference tecniques are based upon approximations wic permit replacing differential

More information

Derivatives of Exponentials

Derivatives of Exponentials mat 0 more on derivatives: day 0 Derivatives of Eponentials Recall tat DEFINITION... An eponential function as te form f () =a, were te base is a real number a > 0. Te domain of an eponential function

More information

Higher Order Universal One-Way Hash Functions

Higher Order Universal One-Way Hash Functions Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr

More information

Combining functions: algebraic methods

Combining functions: algebraic methods Combining functions: algebraic metods Functions can be added, subtracted, multiplied, divided, and raised to a power, just like numbers or algebra expressions. If f(x) = x 2 and g(x) = x + 2, clearly f(x)

More information

Design Paradigms for Building Multi-Property Hash Functions

Design Paradigms for Building Multi-Property Hash Functions Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security

More information

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1 MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified

More information

On the Security of Hash Functions Employing Blockcipher Post-processing

On the Security of Hash Functions Employing Blockcipher Post-processing On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,

More information

Volume 29, Issue 3. Existence of competitive equilibrium in economies with multi-member households

Volume 29, Issue 3. Existence of competitive equilibrium in economies with multi-member households Volume 29, Issue 3 Existence of competitive equilibrium in economies wit multi-member ouseolds Noriisa Sato Graduate Scool of Economics, Waseda University Abstract Tis paper focuses on te existence of

More information

Efficient algorithms for for clone items detection

Efficient algorithms for for clone items detection Efficient algoritms for for clone items detection Raoul Medina, Caroline Noyer, and Olivier Raynaud Raoul Medina, Caroline Noyer and Olivier Raynaud LIMOS - Université Blaise Pascal, Campus universitaire

More information

Multi-property-preserving Hash Domain Extension and the EMD Transform

Multi-property-preserving Hash Domain Extension and the EMD Transform Multi-property-preserving Hash Domain Extension and the EMD Transform Mihir Bellare and Thomas Ristenpart Dept. of Computer Science & Engineering 0404, University of California San Diego 9500 Gilman Drive,

More information

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute

More information

Symmetry Labeling of Molecular Energies

Symmetry Labeling of Molecular Energies Capter 7. Symmetry Labeling of Molecular Energies Notes: Most of te material presented in tis capter is taken from Bunker and Jensen 1998, Cap. 6, and Bunker and Jensen 2005, Cap. 7. 7.1 Hamiltonian Symmetry

More information

Function Composition and Chain Rules

Function Composition and Chain Rules Function Composition and s James K. Peterson Department of Biological Sciences and Department of Matematical Sciences Clemson University Marc 8, 2017 Outline 1 Function Composition and Continuity 2 Function

More information

Differential Calculus (The basics) Prepared by Mr. C. Hull

Differential Calculus (The basics) Prepared by Mr. C. Hull Differential Calculus Te basics) A : Limits In tis work on limits, we will deal only wit functions i.e. tose relationsips in wic an input variable ) defines a unique output variable y). Wen we work wit

More information

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)

More information

4. The slope of the line 2x 7y = 8 is (a) 2/7 (b) 7/2 (c) 2 (d) 2/7 (e) None of these.

4. The slope of the line 2x 7y = 8 is (a) 2/7 (b) 7/2 (c) 2 (d) 2/7 (e) None of these. Mat 11. Test Form N Fall 016 Name. Instructions. Te first eleven problems are wort points eac. Te last six problems are wort 5 points eac. For te last six problems, you must use relevant metods of algebra

More information

Sin, Cos and All That

Sin, Cos and All That Sin, Cos and All Tat James K. Peterson Department of Biological Sciences and Department of Matematical Sciences Clemson University Marc 9, 2017 Outline Sin, Cos and all tat! A New Power Rule Derivatives

More information

Math 161 (33) - Final exam

Math 161 (33) - Final exam Name: Id #: Mat 161 (33) - Final exam Fall Quarter 2015 Wednesday December 9, 2015-10:30am to 12:30am Instructions: Prob. Points Score possible 1 25 2 25 3 25 4 25 TOTAL 75 (BEST 3) Read eac problem carefully.

More information

Lecture 15. Interpolation II. 2 Piecewise polynomial interpolation Hermite splines

Lecture 15. Interpolation II. 2 Piecewise polynomial interpolation Hermite splines Lecture 5 Interpolation II Introduction In te previous lecture we focused primarily on polynomial interpolation of a set of n points. A difficulty we observed is tat wen n is large, our polynomial as to

More information

5 January Key words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance.

5 January Key words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance. Appears in Fast Software Encryption(FSE 2004), Lecture Notes in Computer Science, Vol.????, Springer-Verlag. This is the full version. Cryptographic ash-function Basics: Definitions, Implications, and

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

Subdifferentials of convex functions

Subdifferentials of convex functions Subdifferentials of convex functions Jordan Bell jordan.bell@gmail.com Department of Matematics, University of Toronto April 21, 2014 Wenever we speak about a vector space in tis note we mean a vector

More information

Click here to see an animation of the derivative

Click here to see an animation of the derivative Differentiation Massoud Malek Derivative Te concept of derivative is at te core of Calculus; It is a very powerful tool for understanding te beavior of matematical functions. It allows us to optimize functions,

More information

2.8 The Derivative as a Function

2.8 The Derivative as a Function .8 Te Derivative as a Function Typically, we can find te derivative of a function f at many points of its domain: Definition. Suppose tat f is a function wic is differentiable at every point of an open

More information

232 Calculus and Structures

232 Calculus and Structures 3 Calculus and Structures CHAPTER 17 JUSTIFICATION OF THE AREA AND SLOPE METHODS FOR EVALUATING BEAMS Calculus and Structures 33 Copyrigt Capter 17 JUSTIFICATION OF THE AREA AND SLOPE METHODS 17.1 THE

More information

SFU UBC UNBC Uvic Calculus Challenge Examination June 5, 2008, 12:00 15:00

SFU UBC UNBC Uvic Calculus Challenge Examination June 5, 2008, 12:00 15:00 SFU UBC UNBC Uvic Calculus Callenge Eamination June 5, 008, :00 5:00 Host: SIMON FRASER UNIVERSITY First Name: Last Name: Scool: Student signature INSTRUCTIONS Sow all your work Full marks are given only

More information

Pre-Calculus Review Preemptive Strike

Pre-Calculus Review Preemptive Strike Pre-Calculus Review Preemptive Strike Attaced are some notes and one assignment wit tree parts. Tese are due on te day tat we start te pre-calculus review. I strongly suggest reading troug te notes torougly

More information

Modeling Random Oracles under Unpredictable Queries

Modeling Random Oracles under Unpredictable Queries Modeling Random Oracles under Unpredictable Queries Pooya Farsim 1 and Arno Mittelbac 2 1 ENS, CNRS & INRIA, PSL Researc University, Paris, France 2 Darmstadt University of Tecnology, Germany pooya.farsim@gmail.com

More information

SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY

SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY (Section 3.2: Derivative Functions and Differentiability) 3.2.1 SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY LEARNING OBJECTIVES Know, understand, and apply te Limit Definition of te Derivative

More information

(a) At what number x = a does f have a removable discontinuity? What value f(a) should be assigned to f at x = a in order to make f continuous at a?

(a) At what number x = a does f have a removable discontinuity? What value f(a) should be assigned to f at x = a in order to make f continuous at a? Solutions to Test 1 Fall 016 1pt 1. Te grap of a function f(x) is sown at rigt below. Part I. State te value of eac limit. If a limit is infinite, state weter it is or. If a limit does not exist (but is

More information

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's

More information

Numerical Differentiation

Numerical Differentiation Numerical Differentiation Finite Difference Formulas for te first derivative (Using Taylor Expansion tecnique) (section 8.3.) Suppose tat f() = g() is a function of te variable, and tat as 0 te function

More information

Hardness Preserving Constructions of Pseudorandom Functions

Hardness Preserving Constructions of Pseudorandom Functions Hardness Preserving Constructions of Pseudorandom Functions Abisek Jain 1, Krzysztof Pietrzak 2, and Aris Tentes 3 1 UCLA. E-mail: abisek@cs.ucla.edu 2 IST Austria. E-mail: pietrzak@ist.ac.at 3 New York

More information

5.1 We will begin this section with the definition of a rational expression. We

5.1 We will begin this section with the definition of a rational expression. We Basic Properties and Reducing to Lowest Terms 5.1 We will begin tis section wit te definition of a rational epression. We will ten state te two basic properties associated wit rational epressions and go

More information

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication

More information

Reflection Symmetries of q-bernoulli Polynomials

Reflection Symmetries of q-bernoulli Polynomials Journal of Nonlinear Matematical Pysics Volume 1, Supplement 1 005, 41 4 Birtday Issue Reflection Symmetries of q-bernoulli Polynomials Boris A KUPERSHMIDT Te University of Tennessee Space Institute Tullaoma,

More information

The Zeckendorf representation and the Golden Sequence

The Zeckendorf representation and the Golden Sequence University of Wollongong Researc Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 1991 Te Zeckendorf representation and te Golden

More information

REVIEW LAB ANSWER KEY

REVIEW LAB ANSWER KEY REVIEW LAB ANSWER KEY. Witout using SN, find te derivative of eac of te following (you do not need to simplify your answers): a. f x 3x 3 5x x 6 f x 3 3x 5 x 0 b. g x 4 x x x notice te trick ere! x x g

More information

3.1 Extreme Values of a Function

3.1 Extreme Values of a Function .1 Etreme Values of a Function Section.1 Notes Page 1 One application of te derivative is finding minimum and maimum values off a grap. In precalculus we were only able to do tis wit quadratics by find

More information

Improved indifferentiability security analysis of chopmd Hash Function

Improved indifferentiability security analysis of chopmd Hash Function Improved indifferentiability security analysis of chopmd Hash Function Donghoon Chang 1 and Mridul Nandi 2 1 Center for Information Security Technologies (CIST) Korea University, Seoul, Korea dhchang@cist.korea.ac.kr

More information

5 Ordinary Differential Equations: Finite Difference Methods for Boundary Problems

5 Ordinary Differential Equations: Finite Difference Methods for Boundary Problems 5 Ordinary Differential Equations: Finite Difference Metods for Boundary Problems Read sections 10.1, 10.2, 10.4 Review questions 10.1 10.4, 10.8 10.9, 10.13 5.1 Introduction In te previous capters we

More information

Effect of the Dependent Paths in Linear Hull

Effect of the Dependent Paths in Linear Hull 1 Effect of te Dependent Pats in Linear Hull Zenli Dai, Meiqin Wang, Yue Sun Scool of Matematics, Sandong University, Jinan, 250100, Cina Key Laboratory of Cryptologic Tecnology and Information Security,

More information

How to Find the Derivative of a Function: Calculus 1

How to Find the Derivative of a Function: Calculus 1 Introduction How to Find te Derivative of a Function: Calculus 1 Calculus is not an easy matematics course Te fact tat you ave enrolled in suc a difficult subject indicates tat you are interested in te

More information

Integral Calculus, dealing with areas and volumes, and approximate areas under and between curves.

Integral Calculus, dealing with areas and volumes, and approximate areas under and between curves. Calculus can be divided into two ke areas: Differential Calculus dealing wit its, rates of cange, tangents and normals to curves, curve sketcing, and applications to maima and minima problems Integral

More information

HOMEWORK HELP 2 FOR MATH 151

HOMEWORK HELP 2 FOR MATH 151 HOMEWORK HELP 2 FOR MATH 151 Here we go; te second round of omework elp. If tere are oters you would like to see, let me know! 2.4, 43 and 44 At wat points are te functions f(x) and g(x) = xf(x)continuous,

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL IFFERENTIATION FIRST ERIVATIVES Te simplest difference formulas are based on using a straigt line to interpolate te given data; tey use two data pints to estimate te derivative. We assume tat

More information

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

Brazilian Journal of Physics, vol. 29, no. 1, March, Ensemble and their Parameter Dierentiation. A. K. Rajagopal. Naval Research Laboratory,

Brazilian Journal of Physics, vol. 29, no. 1, March, Ensemble and their Parameter Dierentiation. A. K. Rajagopal. Naval Research Laboratory, Brazilian Journal of Pysics, vol. 29, no. 1, Marc, 1999 61 Fractional Powers of Operators of sallis Ensemble and teir Parameter Dierentiation A. K. Rajagopal Naval Researc Laboratory, Wasington D. C. 2375-532,

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Breaking H 2 -MAC Using Birthday Paradox

Breaking H 2 -MAC Using Birthday Paradox Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of

More information

Continuity and Differentiability Worksheet

Continuity and Differentiability Worksheet Continuity and Differentiability Workseet (Be sure tat you can also do te grapical eercises from te tet- Tese were not included below! Typical problems are like problems -3, p. 6; -3, p. 7; 33-34, p. 7;

More information

Recall from our discussion of continuity in lecture a function is continuous at a point x = a if and only if

Recall from our discussion of continuity in lecture a function is continuous at a point x = a if and only if Computational Aspects of its. Keeping te simple simple. Recall by elementary functions we mean :Polynomials (including linear and quadratic equations) Eponentials Logaritms Trig Functions Rational Functions

More information

Chapter 2 Limits and Continuity

Chapter 2 Limits and Continuity 4 Section. Capter Limits and Continuity Section. Rates of Cange and Limits (pp. 6) Quick Review.. f () ( ) () 4 0. f () 4( ) 4. f () sin sin 0 4. f (). 4 4 4 6. c c c 7. 8. c d d c d d c d c 9. 8 ( )(

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Avoiding collisions Cryptographic hash functions. Table of contents

Avoiding collisions Cryptographic hash functions. Table of contents Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks

More information

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34 Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:

More information

Math 1241 Calculus Test 1

Math 1241 Calculus Test 1 February 4, 2004 Name Te first nine problems count 6 points eac and te final seven count as marked. Tere are 120 points available on tis test. Multiple coice section. Circle te correct coice(s). You do

More information

New Proofs for NMAC and HMAC: Security without Collision-Resistance

New Proofs for NMAC and HMAC: Security without Collision-Resistance A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for

More information

Preface. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Preface. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed. Preface Here are my online notes for my course tat I teac ere at Lamar University. Despite te fact tat tese are my class notes, tey sould be accessible to anyone wanting to learn or needing a refreser

More information

Teaching Differentiation: A Rare Case for the Problem of the Slope of the Tangent Line

Teaching Differentiation: A Rare Case for the Problem of the Slope of the Tangent Line Teacing Differentiation: A Rare Case for te Problem of te Slope of te Tangent Line arxiv:1805.00343v1 [mat.ho] 29 Apr 2018 Roman Kvasov Department of Matematics University of Puerto Rico at Aguadilla Aguadilla,

More information

Continuity and Differentiability of the Trigonometric Functions

Continuity and Differentiability of the Trigonometric Functions [Te basis for te following work will be te definition of te trigonometric functions as ratios of te sides of a triangle inscribed in a circle; in particular, te sine of an angle will be defined to be te

More information

Dedicated to the 70th birthday of Professor Lin Qun

Dedicated to the 70th birthday of Professor Lin Qun Journal of Computational Matematics, Vol.4, No.3, 6, 4 44. ACCELERATION METHODS OF NONLINEAR ITERATION FOR NONLINEAR PARABOLIC EQUATIONS Guang-wei Yuan Xu-deng Hang Laboratory of Computational Pysics,

More information

2011 Fermat Contest (Grade 11)

2011 Fermat Contest (Grade 11) Te CENTRE for EDUCATION in MATHEMATICS and COMPUTING 011 Fermat Contest (Grade 11) Tursday, February 4, 011 Solutions 010 Centre for Education in Matematics and Computing 011 Fermat Contest Solutions Page

More information

Foundations of Cryptography

Foundations of Cryptography - 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such

More information

Average Rate of Change

Average Rate of Change Te Derivative Tis can be tougt of as an attempt to draw a parallel (pysically and metaporically) between a line and a curve, applying te concept of slope to someting tat isn't actually straigt. Te slope

More information

Characterization of reducible hexagons and fast decomposition of elementary benzenoid graphs

Characterization of reducible hexagons and fast decomposition of elementary benzenoid graphs Discrete Applied Matematics 156 (2008) 1711 1724 www.elsevier.com/locate/dam Caracterization of reducible exagons and fast decomposition of elementary benzenoid graps Andrej Taranenko, Aleksander Vesel

More information

Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security Non-Malleable Non-Interactive Zero Knowledge and Adaptive Cosen-Cipertext Security AMIT SAHAI Abstract We introduce te notion of non-malleable noninteractive zero-knowledge (NIZK) proof systems. We sow

More information

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006 Mat 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006 f(x+) f(x) 10 1. For f(x) = x 2 + 2x 5, find ))))))))) and simplify completely. NOTE: **f(x+) is NOT f(x)+! f(x+) f(x) (x+) 2 + 2(x+) 5 ( x 2

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback