On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
Journal of Cryptology, 1997
Cited by 93 (8 self)
Abstract: Luby and Rackoff [27] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following: (1) reduce the success probability of the adversary; (2) provide a construction of pseudorandom permutations with large input size using pseudorandom functions with small input size.
Pseudorandom functions revisited: The cascade construction and its concrete security
Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996
Cited by 92 (20 self)
Abstract: Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private-key cryptography. Their existence based on general assumptions (namely, the existence of one-way functions) has been established. In this work we investigate new ways of designing pseudorandom function families. The goal is to find constructions that are both efficient and secure, and thus eventually to bring the benefits of pseudorandom functions to practice.
Security of random Feistel schemes with 5 or more rounds
In CRYPTO, 2004
A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, With Applications to PRP→PRF Conversion
1999
Cited by 15 (0 self)
Abstract: We present a general probabilistic lemma that can be applied to upper bound the advantage of an adversary in distinguishing between two families of functions. Our lemma reduces the task of upper bounding the advantage to that of upper bounding the ratio of two probabilities associated with the adversary, when this ratio is viewed as a random variable. It enables us to obtain significantly tighter analyses than more conventional methods. In this paper we apply the technique to the problem of PRP to PRF conversion. We present a simple, new construction of a PRF from a PRP that makes only two invocations of the PRP and has insecurity linear in the number of queries made by the adversary. We also improve the analysis of the truncation construction. Keywords: Pseudorandom functions, pseudorandom permutations, provable security, birthday attacks.
Building a collision-resistant compression function from non-compressing primitives
In ICALP 2008, Part II, 2008
Cited by 15 (3 self)
Abstract: We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^{n/2}/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt ’05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function, and we show how our compression function can be used to double the output length of ideal hashes.
Towards Making Luby-Rackoff Ciphers Optimal and Practical
In Proc. Fast Software Encryption 99, Lecture Notes in Computer Science, 1999
Cited by 10 (3 self)
Abstract: We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Shazam.
The Security of Many-Round Luby-Rackoff Pseudo-Random Permutations
2003
Cited by 10 (0 self)
Abstract: Luby and Rackoff showed how to construct a (super-)pseudorandom permutation on {0, 1} from some number r of pseudorandom functions on {0, 1}. Their construction, motivated by DES, consists of a cascade of r Feistel permutations. A Feistel permutation for a pseudorandom function f is defined as (L, R) → (R, L ⊕ f(R)), where L and R are the left and right parts of the input and ⊕ denotes bitwise XOR or, in this paper, any other group operation. The only nontrivial step of the security proof consists of proving that the cascade of r Feistel permutations with independent uniform random functions on {0, 1}, denoted 2n, is indistinguishable from a uniform random permutation on {0, 1} by any computationally unbounded adaptive distinguisher making at most O(2 combined chosen plaintext/ciphertext queries for any c < , where is a security parameter.
The Sum of PRPs is a Secure PRF
2000
Cited by 9 (0 self)
Abstract: Given d independent pseudorandom permutations (PRPs) π_1, …, π_d over {0, 1}, it appears natural to define a pseudorandom function (PRF) by adding (or XORing) the permutation results: sum(x) = π_1(x) ⊕ ··· ⊕ π_d(x). This paper investigates the security of sum and also considers a variant that only uses one single PRP over {0, 1}. Keywords: Pseudorandom Functions, Concrete Security, Block Ciphers.
Domain extension of public random functions: Beyond the birthday barrier
In Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science, 2007
Cited by 7 (1 self)
Abstract: Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0, 1}* → {0, 1}^n from a component function {0, 1}^n → {0, 1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks. 1 Introduction. 1.1 Secret vs. Public Random Functions. Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
Generalized Birthday Attacks on Unbalanced Feistel Networks
In proceedings of Crypto ’98, LNCS, 1998
Cited by 3 (0 self)
Abstract: Unbalanced Feistel networks F_k, which are used to construct invertible pseudorandom permutations from kn bits to kn bits using d pseudorandom functions from n bits to (k − 1)n bits, k ≥ 2, are studied. We show a new generalized birthday attack on F_k with d ≤ 3k − 3. With 2^{(k−1)n} chosen plaintexts an adversary can distinguish F_k (with d = 3k − 3) from a random permutation with high probability. If d < 3k − 3 then fewer plaintexts are required. We also show that for any F_k (with d = 2k), any adversary with m chosen-plaintext oracle queries has probability O(m^k / 2^{(k−1)n}) of distinguishing F_k from a random permutation.