The Collision Security of Tandem-DM in the Ideal Cipher Model
|
|
- Lucas Malone
- 5 years ago
- Views:
Transcription
1 The Collision ecurity of Tandem-DM in the Ideal Cipher Model Jooyoung Lee 1 Martijn tam 2 John teinberger 3 1 Faculty of Mathematics and tatistics, ejong University, eoul, Korea 2 Department of Computer cience, University of Bristol, Bristol, United Kingdom 3 Institute of Theoretical Computer cience, Tsinghua University, Beijing, China ugust 18, 2011
2 Tandem-DM E M E 3n-bit to 2n-bit compression function making two calls to a blockcipher using 2n-bit keys Proposed by Lai and Massey in Eurocrypt 1992 The first security proof given in FE 2009, its extension given in Provec 2010
3 Tandem-DM E M E Contribution hows the prior proofs are flawed Presents a novel proof for the collision resistance of Tandem-DM in the ideal cipher model Mostly historical interest, rather than practical interest
4 Ideal Cipher Model & Query History E dversary E -1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
5 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
6 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 Y 1 $ n {0,1} \R K 1 R 1 R 1 K 1 K 1 {Y } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
7 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 Y 1 $ n {0,1} \R K 1 R 1 R 1 K 1 K 1 {Y } Y 1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
8 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 (X 1,K 1,Y 1 ) Y 1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
9 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
10 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) X 2 $ n {0,1} \D K 2 D 2 D 2 K 2 K 2 {X } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
11 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) X 2 $ n {0,1} \D K 2 X 2 D 2 D 2 K 2 K 2 {X } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
12 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) X 2 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
13 Ideal Cipher Model & Query History E K 3,X 3 dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
14 Ideal Cipher Model & Query History E K 3,X 3 dversary E -1 Y 3 $ n {0,1} \R (X 1,K 1,Y 1 ) K 3 (X 2,K 2,Y 2 ) R 3 R 3 K 3 K 3 {Y } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
15 Ideal Cipher Model & Query History E K 3,X 3 dversary E -1 Y 3 $ n {0,1} \R (X 1,K 1,Y 1 ) K 3 (X 2,K 2,Y 2 ) R 3 R 3 K 3 K 3 {Y } Y 3 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
16 Ideal Cipher Model & Query History E K 3,X 3 Y 3 dversary (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) E -1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
17 Ideal Cipher Model & Query History E dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) (X q,k q,y q ) n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
18 Ideal Cipher Model & Query History E dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) (X q,k q,y q ) Query History Q n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
19 Ideal Cipher Model & Query History E dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) (X q,k q,y q ) Query History Q n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function
20 Evaluation of Tandem-DM (, B L, R), (B, L R, ) Q determine TDM E : {0, 1} 3n {0, 1} 2n B L R B TL R BL B
21 Collisions in Tandem-DM The goal of a collision-finding adversary To find (, B L, R), (B, L R, ), (, B L, R ), (B, L R, ) such that B L B L, R = R, B = B Predicate Coll(Q) is true if and only if such queries exist in Q TL R TR R BL B B L R BR B
22 Collisions in Tandem-DM The goal of a collision-finding adversary To find (, B L, R), (B, L R, ), (, B L, R ), (B, L R, ) such that B L B L, R = R, B = B We want to upper bound Pr[Coll(Q)] = dv Coll TDM E () TL R TR R BL B B L R BR B
23 Collisions in Tandem-DM The goal of a collision-finding adversary To find (, B L, R), (B, L R, ), (, B L, R ), (B, L R, ) such that B L B L, R = R, B = B We want Pr[Coll(Q)] to be small TL R TR R BL B B L R BR B
24 Case nalysis Coll(Q) Coll 1 (Q) Coll 2 (Q) Coll 3 (Q), where Coll 1 (Q) Q has a collision with TL, BL, TR, BR distinct Coll 2 (Q) Q has a collision with TL = BL or TR = BR Coll 3 (Q) Q has a collision with TL = BR or BL = TR Ex) Coll 2 (Q) occurs if (,, ), (B, B B, B) s.t. B exist TL 0 n B TR 0 n BL 0 n B B B BR B 0 n
25 Case nalysis Coll(Q) Coll 1 (Q) Coll 2 (Q) Coll 3 (Q), where Coll 1 (Q) Q has a collision with TL, BL, TR, BR distinct Coll 2 (Q) Q has a collision with TL = BL or TR = BR Coll 3 (Q) Q has a collision with TL = BR or BL = TR We are going to focus on upper bounding Pr[Coll 1 (Q)] Ex) Coll 2 (Q) occurs if (,, ), (B, B B, B) s.t. B exist TL 0 n B TR 0 n BL 0 n B B B BR B 0 n
26 Upper bounding Pr[Coll 1 (Q)] General Framework 1 Upper bound the probability of Coll i 1(Q) that the i-th query completes a collision 2 Union bound by summing the upper bounds over all possible queries i = 1,..., q (If the upper bounds are independent of each query, then we can just multiply q) TL R TR R BL B B L R BR B
27 Upper bounding Pr[Coll 1 (Q)] General Framework 1 Upper bound the probability of Coll i 1(Q) that the i-th query completes a collision 2 Union bound by summing the upper bounds over all possible queries i = 1,..., q (If the upper bounds are independent of each query, then we can just multiply q) How can we upper bound Pr[Coll i 1(Q)]? TL R TR R BL B B L R BR B
28 Upper bounding Pr[Coll i 1(Q)] By symmetry, we can assume the last query is either TL or BL. The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 TL R TR R BL B B L R BR B
29 Upper bounding Pr[Coll i 1(Q)] By symmetry, we can assume the last query is either TL or BL. Union bound The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 Pr[Coll i 1(Q)] Pr[Case1] + Pr[Case2] + Pr[Case3] + Pr[Case4] TL R TR R BL B B L R BR B
30 Upper bounding Pr[Coll i 1(Q)] By symmetry, we can assume the last query is either TL or BL. Union bound The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 Pr[Coll i 1(Q)] Pr[Case1] + Pr[Case2] + Pr[Case3] + Pr[Case4] TL R TR R BL B B L R BR B
31 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")?
32 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")? B
33 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")? B L R B B
34 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")? R B L R B B
35 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event") R R R R B L R B B
36 Case 2: The Last Query is TL and Forward ubcase 2a: BL-query is Backward 1 t the point when TL is queried,, B, L are fixed 2 The number of backward queries whose answer is B is at most α except with small probability 3 ince each of such backward queries uniquely determines R, Pr[ubcase2a] α 2 n q (except with the bad event") B L?
37 Case 2: The Last Query is TL and Forward ubcase 2a: BL-query is Backward 1 t the point when TL is queried,, B, L are fixed 2 The number of backward queries whose answer is B is at most α except with small probability 3 ince each of such backward queries uniquely determines R, Pr[ubcase2a] α 2 n q (except with the bad event")
38 Case 2: The Last Query is TL and Forward ubcase 2a: BL-query is Backward 1 t the point when TL is queried,, B, L are fixed 2 The number of backward queries whose answer is B is at most α except with small probability 3 ince each of such backward queries uniquely determines R, Pr[ubcase2a] α 2 n q (except with the bad event")
39 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B? B L?
40 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B?
41 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B? It is hard to probabilistically restrict this number!
42 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B? We want to eliminate this case
43 Main Idea: Modified dversary runs as a subroutine and records its query history Q If makes a forward query E L R (B), then makes a query E L R (B), and an additional query E 1 B L (R) If makes a backward query E 1 B L (R), then makes a query E 1 B L (R), and an additional query E L R(B)
44 Main Idea: Modified dversary runs as a subroutine and records its query history Q If makes a forward query E L R (B), then makes a query E L R (B), and an additional query E 1 B L (R) If makes a backward query E 1 B L (R), then makes a query E 1 B L (R), and an additional query E L R(B)
45 Main Idea: Modified dversary runs as a subroutine and records its query history Q If makes a forward query E L R (B), then makes a query E L R (B), and an additional query E 1 B L (R) If makes a backward query E 1 B L (R), then makes a query E 1 B L (R), and an additional query E L R(B)
46 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( )
47 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( )
48 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( ) If obtains the BL position of a certain evaluation by a forward query, then will immediately make an additional backward query and place it at the TL position
49 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( ) If the TL position of a certain evaluation is obtained by a forward query after the BL position is determined, then the BL query should have been obtained by a backward query
50 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( ) It means that does not create ubcase 2b
51 Main Result Theorem For N = 2 n, q < N/2 and 1 α 2q, ( dv coll TDM (q) 2N 2eq α(n 2q) symptotically, using α = n/ log n ) α + 4qα N 2q + lim n dvcoll TDM (N/n) = 0 Numerically, for n = 128, using α = 16 dv coll TDM ( ) < 1 2 4q N 2q
52 Thank You
Provable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationThe Collision Security of Tandem-DM in the Ideal Cipher Model
The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee 1, Martijn Stam 2,, and John Steinberger 3, 1 Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea jlee05@sejong.ac.kr
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationThe preimage security of double-block-length compression functions
The preimage security of double-block-length compression functions Frederik Armknecht 1, Ewan Fleischmann 2, Matthias Krause 1, Jooyoung Lee 3, Martijn Stam 4, and John Steinberger 5 1 Arbeitsgruppe Theoretische
More informationThe preimage security of double-block-length compression functions
The preimage security of double-block-length compression functions Frederik Armknecht 1, Ewan Fleischmann 2, Matthias Krause 1, Jooyoung Lee 3, Martijn Stam 4, and John Steinberger 5 1 Arbeitsgruppe Theoretische
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationSecurity of Cyclic Double Block Length Hash Functions including Abreast-DM
Security of Cyclic Double Block Length Hash Functions including Abreast-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks {ewan.fleischmann,michael.gorski,stefan.lucks}@uni-weimar.de Bauhaus-University
More informationOptimal Collision Security in Double Block Length Hashing with Single Length Key
Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.
More informationAdaptive Preimage Resistance and Permutation-based Hash Functions
daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390
More informationMJH: A Faster Alternative to MDC-2
MJH: A Faster Alternative to MDC-2 Jooyoung Lee 1 and Martijn Stam 2 1 Sejong University, Seoul, Korea, jlee05@sejongackr 2 University of Bristol, Bristol, United Kingdom, martijnstam@bristolacuk Abstract
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationOn the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model
On the ollision and Preimage Security o in the Ideal ipher Model art Mennink Dept. Electrical Engineering, EST/OSI and IT Katholieke Universiteit Leuven, elgium bart.mennink@esat.kuleuven.be bstract. We
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationConstructing Cryptographic Hash Functions from Fixed-Key Blockciphers
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers Phillip Rogaway 1 and John Steinberger 2 1 Department of Computer Science, University of California, Davis, USA 2 Department of Mathematics,
More informationPreimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing
Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing Matthias Krause 1, Frederik Armknecht 1, and Ewan Fleischmann 2 1 Arbeitsgruppe Theoretische Informatik und Datensicherheit,
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #2
CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationnon-trivial black-box combiners for collision-resistant hash-functions don t exist
non-trivial black-box combiners for collision-resistant hash-functions don t exist Krzysztof Pietrzak (CWI Amsterdam) Eurocrypt May 21 2007 black-box combiners [H05,HKNRR05,PM06,BB06] C is a secure combiner
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationThe HMAC brawl. Daniel J. Bernstein University of Illinois at Chicago
The HMAC brawl Daniel J. Bernstein University of Illinois at Chicago 2012.02.19 Koblitz Menezes Another look at HMAC : : : : Third, we describe a fundamental flaw in Bellare s 2006 security proof for HMAC,
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationFaster Evaluation of S-Boxes via Common Shares
Faster Evaluation of S-Boxes via Common Shares J-S. Coron, A. Greuet, E. Prouff, R. Zeitoun F.Rondepierre CHES 2016 CHES 2016 1 S-Box Evaluation AES By definition: S AES (x) = A x 254 + b F 2 8[x] CHES
More informationLecture 15: Message Authentication
CSE 599b: Cryptography (Winter 2006) Lecture 15: Message Authentication 22 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Message Authentication Recall that the goal of message authentication
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationCascade Encryption Revisited
Cascade Encryption Revisited Peter Gaži 1,2 and Ueli Maurer 1 1 ETH Zürich, Switzerland Department of Computer Science {gazipete,maurer}@inf.ethz.ch 2 Comenius University, Bratislava, Slovakia Department
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationAnalysis of Message Injection in Stream Cipher-based Hash Functions
Analysis o Message Injection in Stream Cipher-based Hash Functions Yuto Nakano 1, Carlos Cid 2, Kazuhide Fukushima 1, and Shinsaku Kiyomoto 1 1 KDDI R&D Laboratories Inc. 2 Royal Holloway, University o
More informationConstructing Cryptographic Hash Functions from Fixed-Key Blockciphers
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers Phillip Rogaway 1 and John Steinberger 2 1 Department of Computer Science, University of California, Davis, USA 2 Department of Mathematics,
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationNew Observation on Camellia
New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University
More informationPost-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms
Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms Made by: Ehsan Ebrahimi Theory of Cryptography Conference, Beijing, China Oct. 31 - Nov. 3, 2016 Joint work with Dominique Unruh Motivation:
More informationIndifferentiability of Double Length Compression Functions
Indifferentiability of Double Length Compression Functions Bart Mennink Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iminds, Belgium bart.mennink@esat.kuleuven.be Abstract. Double block length
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCode-Based Game-Playing Proofs and the Security of Triple Encryption
The proceedings version of this papers, entitled The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, appears in Advances in Cryptology Eurocrypt 2006, LNCS vol. 4004,
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More informationImproved Collision and Preimage Resistance Bounds on PGV Schemes
Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationIndifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 Yevgeniy Dodis 1, Leonid Reyzin 2, Ronald L. Rivest 3, and Emily Shen 3 1 New
More informationHumanistic, and Particularly Classical, Studies as a Preparation for the Law
University of Michigan Law School University of Michigan Law School Scholarship Repository Articles Faculty Scholarship 1907 Humanistic, and Particularly Classical, Studies as a Preparation for the Law
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationStam s Collision Resistance Conjecture
Stam s Collision Resistance Conjecture John Steinberger Institute of Theoretical Computer Science, Tsinghua University, Beijing jpsteinb@gmail.com Abstract. At CRYPTO 2008 Stam [7] made the following conjecture:
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationJohn P. Steinberger. Curriculum Vitae. Masters: University of Waterloo, 2003, Combinatorics and Optimization.
John P. Steinberger Curriculum Vitae Basic Information Current Position: (2010 ) Assistant Professor, IIIS, Tsinghua University. Previous Position: (2009 2010) Postdoctoral Research Fellow, IIIS, Tsinghua
More informationOn the Influence of Message Length in PMAC s Security Bounds
1 On the Influence of Message Length in PMAC s Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016
More informationOn the Counter Collision Probability of GCM*
On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf
More informationHash Functions. Adam O Neill Based on
Hash Functions Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption) Where we are
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationMTH 3311 Test #2 Solutions
Pat Rossi MTH 3311 Test #2 Solutions S 2018 Name Directions: Do two of the three exercises. 1. A paratrooper and parachute weigh 160 lb. At the instant the parachute opens, she is traveling vertically
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationOn Generalized Feistel Networks
On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known
More informationBlockcipher-based MACs: Beyond the Birthday Bound without Message Length
Blockcipher-based MACs: Beyond the Birthday Bound without Message Length Yusuke Naito Mitsubishi Electric Corporation, Kanagawa, Japan Naito.Yusuke@ce.MitsubishiElectric.co.jp Abstract. We present blockcipher-based
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationEfficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading
Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading Peter Gaži 1,2 and Stefano Tessaro 3,4 1 Department of Computer Science, Comenius University, Bratislava,
More informationSecurity Analysis of Constructions Combining FIL Random Oracles
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Telecom R&D, 38-40 rue du Général Leclerc, F-92794 Issy-les-Moulineaux, France Université de Versailles,
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationProblem Set 4 Momentum and Continuous Mass Flow Solutions
MASSACHUSETTS INSTITUTE OF TECHNOLOGY Department of Physics Physics 8.01 Fall 2012 Problem Set 4 Momentum and Continuous Mass Flow Solutions Problem 1: a) Explain why the total force on a system of particles
More informationHow to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2007 How to Find the Sufficient Collision Conditions for Haval-128 Pass
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More informationH NT Z N RT L 0 4 n f lt r h v d lt n r n, h p l," "Fl d nd fl d " ( n l d n l tr l t nt r t t n t nt t nt n fr n nl, th t l n r tr t nt. r d n f d rd n t th nd r nt r d t n th t th n r lth h v b n f
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationRebound Distinguishers: Results on the Full Whirlpool Compression Function
Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationFull Indifferentiable Security of the Xor of Two or More Random Permutations Using the χ 2 Method
Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the χ 2 Method Srimanta Bhattacharya, Mridul andi Indian Statistical Institute, Kolkata, India. Abstract. The construction
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More information