Results 1–10 of 16
On the Security of Randomized CBCMAC Beyond the Birthday Paradox Limit  A New Construction
Fast Software Encryption ’02, Lecture Notes in Computer Science, 2001
Cited by 27 (1 self)
In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC.
Security under key-dependent inputs
In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007
Cited by 26 (1 self)
In this work we revisit the question of building cryptographic primitives that remain secure even when queried on inputs that depend on the secret key. This was investigated by Black, Rogaway, and Shrimpton in the context of randomized encryption schemes and in the random oracle model. We extend the investigation to deterministic symmetric schemes (such as PRFs and block ciphers) and to the standard model. We term this notion “security against key-dependent-input attack”, or KDI-security for short. Our motivation for studying KDI security is the existence of significant real-world implementations of deterministic encryption (in the context of storage encryption) that actually rely on their building blocks to be KDI secure. We consider many natural constructions for PRFs, ciphers, tweakable ciphers and randomized encryption, and examine them with respect to their KDI security. We exhibit inherent limitations of this notion and show many natural constructions that fail to be KDI secure in the standard model, including some schemes that have been proven in the random oracle model. On the positive side, we demonstrate examples where some measure of KDI security can be provably achieved (in particular, we show such examples in the standard model).
Building PRFs from PRPs
Advances in Cryptology—CRYPTO ’98, LNCS 1462, 1998
Cited by 17 (0 self)
We evaluate constructions for building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We present two constructions: a slower construction which preserves the security of the PRP and a faster construction which has less security. One application of our construction is to build a wider block cipher given a block cipher as a building tool. We do not require any additional constructions, e.g. pseudorandom generators, to create the wider block cipher. The security of the resulting cipher will be as strong as the original block cipher. Keywords: pseudorandom permutations, pseudorandom functions, concrete security, block ciphers, cipher feedback mode. Introduction and Background: In this paper we examine building pseudorandom functions from pseudorandom permutations. There are several well known constructions for building pseudorandom permutations from pseudorandom functions, notably [LR88]. However, the only results we are aware of for going in t...
A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, With Applications to PRP→PRF Conversion
1999
Cited by 15 (0 self)
We present a general probabilistic lemma that can be applied to upper bound the advantage of an adversary in distinguishing between two families of functions. Our lemma reduces the task of upper bounding the advantage to that of upper bounding the ratio of two probabilities associated to the adversary, when this ratio is viewed as a random variable. It enables us to obtain significantly tighter analyses than more conventional methods. In this paper we apply the technique to the problem of PRP to PRF conversion. We present a simple, new construction of a PRF from a PRP that makes only two invocations of the PRP and has insecurity linear in the number of queries made by the adversary. We also improve the analysis of the truncation construction. Keywords: Pseudorandom functions, pseudorandom permutations, provable security, birthday attacks.
A Practice-Oriented Treatment of Pseudorandom Number Generators
Advances in Cryptology–EUROCRYPT ’02 Proceedings, 2002
Cited by 14 (1 self)
We study Pseudorandom Number Generators (PRNGs) as used in practice. We first give a general security framework for PRNGs, incorporating the attacks that users are typically concerned about. We then analyze the most popular ones, including the ANSI X9.17 PRNG and the FIPS 186 PRNG. Our results also suggest ways in which these PRNGs can be made more efficient and more secure.
The Sum of PRPs is a Secure PRF
2000
Cited by 9 (0 self)
Given d independent pseudorandom permutations (PRPs) π_1, …, π_d over {0,1}^n, it appears natural to define a pseudorandom function (PRF) by adding (or XORing) the permutation results: sum(x) = π_1(x) ⊕ … ⊕ π_d(x). This paper investigates the security of this sum construction and also considers a variant that only uses one single PRP over {0,1}^n. Keywords: Pseudorandom Functions, Concrete Security, Block Ciphers.
The Game-Playing Technique
2004
Cited by 4 (0 self)
In the game-playing technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pseudocode, a chain of games. The approach was first used by Kilian and Rogaway (1996) and has been used repeatedly since, but it has never received a systematic treatment. In this paper we provide one. We develop the foundations...
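The XOR-of-PRPs construction in “The Sum of PRPs is a Secure PRF”, the PRP-to-PRF conversions discussed in “Building PRFs from PRPs” and “A Tool for Obtaining Tighter Security Analyses …”, and the identical-until-bad games of “The Game-Playing Technique” can all be exercised with one small simulation. The Python below is an added example written for this listing; it is not code from any of the papers. It replaces the block cipher with lazily sampled random permutations over a 16-bit domain (an assumption chosen so that the birthday region near q ≈ 2^{n/2} = 256 is reachable in milliseconds). It shows that the collision test distinguishes a single PRP from a random function with advantage approaching 1 once q passes the birthday bound, that it has no such advantage against the XOR of two independent PRPs (whose outputs collide at the random-function rate), and that the PRF and PRP games, run on the same coins, agree on every answer until the flag bad is set, which is why the distinguishing advantage is at most Pr[bad] ≤ q(q−1)/2^{n+1}.

```python
"""Added example for this listing (not code from any of the papers above).

Simulates the PRP/PRF switching game and the XOR-of-PRPs construction with
lazily sampled random permutations standing in for the block cipher.
Assumption: a 16-bit block, so the birthday region (q near 2^(n/2) = 256) is
cheap to reach; a real instantiation would use a 128-bit block cipher in
place of RandomOracle(mode="prp").
"""
import random


class RandomOracle:
    """Lazily sampled random function (mode="prf") or permutation (mode="prp").

    Both games draw a fresh image uniformly.  If it repeats an earlier image
    the flag `bad` is set: the PRF game keeps the repeated value, the PRP game
    resamples until the image is unused.  The games are identical until `bad`
    is set, so any adversary's advantage in telling them apart is at most
    Pr[bad] (the fundamental lemma of game playing).
    """

    def __init__(self, n_bits, mode, rng):
        assert mode in ("prf", "prp")
        self.n, self.mode, self.rng = n_bits, mode, rng
        self.table = {}      # x -> image, filled on demand
        self.images = set()  # images handed out so far
        self.bad = False

    def query(self, x):
        if x in self.table:
            return self.table[x]
        y = self.rng.getrandbits(self.n)
        if y in self.images:
            self.bad = True
            if self.mode == "prp":
                while y in self.images:  # a permutation never repeats an image
                    y = self.rng.getrandbits(self.n)
        self.table[x] = y
        self.images.add(y)
        return y


class SumOfPRPs:
    """PRF candidate F(x) = pi_1(x) XOR ... XOR pi_d(x) from d independent PRPs."""

    def __init__(self, n_bits, d, rng):
        self.prps = [RandomOracle(n_bits, "prp", rng) for _ in range(d)]

    def query(self, x):
        y = 0
        for prp in self.prps:
            y ^= prp.query(x)
        return y


def collision_distinguisher(oracle, q):
    """Query x = 0..q-1; output True ("random function") iff two answers collide.

    Never fires against a single PRP; fires against a random function with
    probability about 1 - exp(-q^2 / 2^(n+1)), the birthday bound.
    """
    seen = set()
    for x in range(q):
        y = oracle.query(x)
        if y in seen:
            return True
        seen.add(y)
    return False


def switching_bound(q, n_bits):
    """Union bound on Pr[bad] after q distinct queries: q(q-1) / 2^(n+1)."""
    return q * (q - 1) / 2 ** (n_bits + 1)


def identical_until_bad(n_bits, q, seed):
    """Run the PRF and PRP games on the same coins.

    Returns (query index at which `bad` was first set, or None; whether every
    answer before that query agreed).  The second value is always True: the
    two games only diverge once `bad` is set.
    """
    prf = RandomOracle(n_bits, "prf", random.Random(seed))
    prp = RandomOracle(n_bits, "prp", random.Random(seed))
    for x in range(q):
        a, b = prf.query(x), prp.query(x)
        if prf.bad or prp.bad:
            return x, True
        if a != b:
            return None, False
    return None, True


def collision_rate(make_oracle, q, trials):
    """Fraction of seeded trials in which the collision distinguisher says 'PRF'."""
    hits = sum(collision_distinguisher(make_oracle(random.Random(seed)), q)
               for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    N, Q, T = 16, 512, 50  # q = 2 * 2^(n/2): well past the birthday bound
    print("random function :", collision_rate(lambda r: RandomOracle(N, "prf", r), Q, T))
    print("single PRP      :", collision_rate(lambda r: RandomOracle(N, "prp", r), Q, T))
    print("XOR of two PRPs :", collision_rate(lambda r: SumOfPRPs(N, 2, r), Q, T))
    print("switching bound at q=128, n=16:", switching_bound(128, N))
    print("PRF/PRP games agree until bad  :", identical_until_bad(N, Q, seed=1))
```

The single-PRP rate is exactly 0 because a permutation cannot collide, while the random-function and XOR-of-two-PRPs rates both sit near 1 − e^{−2} ≈ 0.86 at q = 512, which is the whole point of the sum construction: an adversary who looks for output collisions learns nothing from it. Changing N to 32 and Q to a few hundred keeps every rate near 0 and makes switching_bound(Q, 32) small, illustrating why a larger block (or the beyond-birthday constructions in the other abstracts) pushes the usable query budget out.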
Cryptanalysis of Tweaked Versions of SMASH and Reparation
Cited by 4 (0 self)
In this paper, we study the security of permutation-based hash functions, i.e. block-cipher-based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n·2^{n/3}). This time complexity can be reduced to O(2^{2√n}) for the first tweak version, which means an attack against SMASH-256 in c·2^{32} for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2^{n/4}) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2^{3n/8}) queries. Finally, we also prove that our construction is preimage resistant in Ω(2^{n/2}) queries, which is the best security level that can be reached for 2-permutation based hash functions, as proved in [12].
New Blockcipher Modes of Operation with Beyond The Birthday . . .
2006
Cited by 4 (0 self)
In this paper, we define and analyze a new blockcipher mode of operation for encryption, CENC, which stands for Cipher-based ENCryption. CENC has the following advantages: (1) beyond the birthday bound security, (2) security proofs with the standard PRP assumption, (3) highly efficient, (4) single blockcipher key, (5) fully parallelizable, (6) allows precomputation of keystream, and (7) allows random access. CENC is based on the new construction of "from PRPs to PRF conversion," which is of independent interest. Based on CENC and a universal hash-based MAC (Wegman-Carter MAC), we also define a new authenticated-encryption with associated-data scheme, CHM, which stands for CENC with Hash-based MAC. The security of CHM is also beyond the birthday bound.
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
2005
Cited by 2 (0 self)
A new cryptographic pseudorandom number generator Cilia is presented. It hashes real random data using an iterative hash function to update its secret state, and it generates pseudorandom numbers using a block cipher. Cilia is a simple algorithm that uses an improved variant of double encryption with additional security to generate pseudorandom numbers, and its performance is similar to double encryption.