We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) can not later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations - a potentially weaker assumption than the intractibility of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.

We invesitgate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths. In particular, lengths not necessarily a multiple of some block length. (By a "cipher" we mean a key-indexed family of length-preserving permutations, with a "good" cipher being one that resembles a family of random length-preserving permutations.) Oddly enough, this question seems not to have been investiaged. We show how to construct variableinput -length ciphers starting from any block cipher (ie, a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provable-security sense of contemporary cryptography. Variable-input-length ciphers can be used to encrypt in the presence of the constraint that the ciphertex...

This paper reviews some possible design criteria for the key schedule in a DES style cryptosystem. The key schedule involves a Key Rotation component, and the permutation PC2. Together these provide for a diffusion of dependency ofciphertext bits on key bits. Some empirical rules which seem to account for the derivation of the key schedule used in the DES are first presented. Anumber of trials were run with various key schedules, and some further design rules were derived. An alternative form of key schedule was then tested. This used either a null PC2, or one in which permutations only occurred within the inputs to a given Sbox, and a much larger rotation schedule than used in the DES. This was found to be as effective as the key schedule used in the current DES, and is proposed for use in new cryptosystems. 1.

This paper reviews some possible design criteria for the permutation P in a DES style cryptosystem. These permutations provide the diffusion component in a substitution-permutation network. Some empirical rules which seem to account for the derivation of the permutation used in the DES are first presented. Then it is noted that these permutations may be regarded as latin-squares which link the outputs of Sboxes to their inputs at the next stage. A subset of these with an extremely regular structure, and which perform well in a dependency analysis are then presented and suggested for use in future schemes of both current and extended versions of the DES. 1.

With the recent development of a number of new ciphers, especially block ciphers, there is a need for a set of tools to help analyse them, in order to obtain some comparative measure of their relative security, and to assist in identifying any shortcomings in their design. This project uses a number of tests to provide a better determination of a cipher's capabilities than previous attempts, and incorporates them into a framework to aid extension of the testbed, through both the addition of new ciphers, and new tests. The testbed will be used for a comparative analysis of some of the new families of block ciphers, including LOKI, FEAL, Khufu, Khafre, and KSX against the older generation which includes Lucifer and DES. Some preliminary results from this analysis on DES, FEAL, and LOKI are presented here. 1 Introduction With the increasing need for new ciphers for use in new communications systems, a number of new ciphers, particularly block ciphers, have been developed. There is a need...

A secure hash structure in Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on security proof of iterated hash structure. Based on the proof method, we can distinguish the security of Merkel-Damagård structure, wide-pipe hash, double-pipe hash and 3c hash and know the requirement of true design on compression function, and give a new recommend structure. At last, we give new hash structure, MAC structure, encryption model, which use same block cipher round function and key schedule algorithm, the security proofs on those structures are given.

this article which does not hide patterns (such as repetitions) in the plaintext. Usage of this mode should be strongly discouraged. In the past the ECB mode was sometimes 1 recommended for the encryption of keys; however, authenticated encryption would be much better for this application (or the AES key wrapping algorithm proposed by NIST)

Abstract. Online ciphers are deterministic length-preserving permutations EK: ({0, 1} n) + → ({0, 1} n) + where the i-th block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen, and Namprempre. We simplify and generalize their work, showing that online ciphers are rather trivially constructed from tweakable blockciphers, a notion of Liskov, Rivest, and Wagner. We go on to show how to define and achieve online ciphers for settings in which messages need not be a multiple of n bits. Key words: Online ciphers, modes of operation, provable security, symmetric encryption, tweakable blockciphers. 1

Abstract. In this paper we present an efficient and secure generic method which can encrypt messages of size at least n. This generic encryption algorithm needs a secure encryption algorithm for messages of multiple of n. The first generic construction, XLS, has been proposed by Ristenpart and Rogaway in FSE-07. It needs two extra invocations of an independently chosen strong pseudorandom permutation or SPRP defined over {0, 1} n for encryption of an incomplete message block. Whereas our construction needs only one invocation of a weak pseudorandom function and two multiplications over a finite field (equivalently, two invocations of an universal hash function). We prove here that the proposed method preserves (tweakable) SPRP. This new construction is meaningful for two reasons. Firstly, it is based on weak pseudorandom function which is a weaker security notion than SPRP. Thus we are able to achieve stronger security from a weaker one. Secondly, in practice, finite field multiplication is more efficient than an invocation of SPRP. Hence our method can be more efficient than XLS. 1

Abstract. We study the weakness of key schedules from an observation: many existing attacks use the fact that the key schedules poorly distribute key bits in the diffusion path of round function. This reminds us of the importance of the diffusion’s relation between key schedule and round function. We present new cryptanalysis results by exploring such diffusion relation and propose a new criterion for necessary key schedule diffusion. We discuss potential attacks and summarize the causes for key schedules without satisfying this criterion. One major cause is that overlapping between the diffusion of key schedule and round function leads to information leakage of key bits. Finally, a measure to estimate our criterion for recursive key schedules is presented. Today designing key schedule still lacks practical and necessary principles. For a practical key schedule with limited diffusion, our work adds more insight to its requirements and helps to maximize the security level. 1