A Simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators
Advances in Cryptology - EUROCRYPT '92 Proceedings, 1992
A paper by Luby and Rackoff on the construction of pseudorandom permutations from pseudorandom functions, based on a design principle of the DES, has recently initiated a burst of research activities on applications and generalizations of these results. This paper presents a strongly simplified treatment of these results and generalizes them by pointing out the relation to locally random functions, thereby providing new insight into the relation between probability-theoretic and complexity-theoretic results in cryptography. The first asymptotically-optimal construction of a locally random function is presented, and new design strategies for block ciphers based on these results are proposed.
On the pseudorandomness of top-level schemes of block ciphers
Advances in Cryptology - Asiacrypt '00, volume 1976 of LNCS, 2000
Abstract. Block ciphers are usually based on one top-level scheme into which we plug "round functions". To analyze security, it is important to study the intrinsic security provided by the top-level scheme from the viewpoint of randomness: given a block cipher in which we replaced the lower-level schemes by idealized oracles, we measure the security (in terms of the best advantage for a distinguisher) depending on the number of rounds and the number of chosen plaintexts. We then extrapolate a sufficient number of secure rounds given the regular bounds provided by decorrelation theory. This approach allows the comparison of several generalizations of the Feistel schemes and others. In particular, we compare the randomness provided by the schemes used by the AES candidates. In addition, we provide a general paradigm for analyzing the security provided by the interaction between the different levels of the block cipher structure.
New results on the pseudorandomness of some block-cipher constructions
in Proceedings of Fast Software Encryption (FSE 2001), Lecture Notes in Computer Science, Volume 2355, Pages, 2002
Abstract. In this paper, we describe new results on the security, in the Luby-Rackoff paradigm, of two modified Feistel constructions, namely the L-scheme, a construction used at various levels of the MISTY block cipher which allows one to derive a 2n-bit permutation from several n-bit permutations, and a slightly different construction named the R-scheme. We obtain pseudorandomness and super-pseudorandomness proofs for L-schemes and R-schemes with a sufficient number of rounds, which extend the pseudorandomness and non-super-pseudorandomness results on the 4-round L-scheme previously established by Sugita [Su96] and Sakurai et al. [Sa97]. In particular, we show that, unlike the 3-round L-scheme, the 3-round R-scheme is pseudorandom, and that both the 5-round L-scheme and the 5-round R-scheme are super-pseudorandom (whereas the 4-round versions of both schemes are not super-pseudorandom). The security bounds obtained here are close to those established by Luby and Rackoff for the three-round version of the original Feistel scheme.
Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
2000
Decorrelation theory has recently been proposed in order to address the security of block ciphers and other cryptographic primitives over a finite domain. We show here how to extend it to infinite domains, which can be used in the Message Authentication Code (MAC) case. In 1994, Bellare, Kilian and Rogaway proved that CBC-MAC is secure when the input length is fixed. This was extended by Petrank and Rackoff in 1997 to variable lengths. In this paper, we prove a result similar to Petrank and Rackoff's by using decorrelation theory. This leads to a slightly improved result and a more compact proof. This result is meant to be a general proving technique for security, which can be compared to the approach announced by Maurer at CRYPTO '99. Decorrelation theory has recently been introduced. (See references [17] to [22].) Its first aim was to address provable security in the area of block ciphers in order to prove their security against differential [7] and linear cryptanalysis...
Report on the AES Candidates
1999
This document reports the activities of the AES working group organized at the Ecole Normale Superieure. Several candidates are evaluated. In particular, we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria between the candidates and make case-by-case comments. We finally recommend the selection of Mars, RC6, Serpent, ... and DFC. As the report was being finalized, we also added some new preliminary cryptanalysis of RC6 and Crypton in the Appendix, which is not considered in the main body of the report.
Security of the MISTY Structure in the Luby-Rackoff Model: Improved Results
Abstract. In this paper we consider the security of the MISTY structure in the Luby-Rackoff model when the inner functions are replaced by involutions without fixed points. In this context we show that the success probability in distinguishing a 4-round L-scheme from a random function is O(m^2/2^n) (where m is the number of queries and 2n is the block size) when the adversary is allowed to make adaptively chosen encryption queries. We give a similar bound in the case of the 3-round R-scheme. Finally, we show that the advantage in distinguishing a 5-round scheme from a random permutation, when the adversary is allowed to make adaptively chosen encryption as well as decryption queries, is also O(m^2/2^n). This is, to our knowledge, the first time involutions are considered in the context of the Luby-Rackoff model. 1 Introduction. Proving the security of block ciphers has been a long-standing problem, and it is not solved yet. In their seminal paper [4], M. Luby and C. Rackoff
TWEAKABLE BLOCKCIPHERS SECURE AGAINST GENERIC EXPONENTIAL ATTACKS
2007
Security of Feistel Schemes with New and Various Tools
Abstract: We combine the H-coefficients technique and the coupling technique to improve security bounds of balanced Feistel schemes. For q queries and round functions from n bits to n bits, we find that the CCA security of Feistel schemes with 4 + 2r rounds is upper-bounded by
On Provable Security for Digital Signature Algorithms
1996
In this paper we consider provable security for ElGamal-like digital signature schemes. We point out that the right security criterion on the underlying hash function is pseudorandomness. We extend Pointcheval-Stern's results about the use of the random oracle model to prove the security of two variants of the US Digital Signature Algorithm against adaptive attacks which issue an existential forgery. We prove that a very practical use of the random oracle model is possible with tamper-resistant modules. 1 The security of cryptographic hash functions. Cryptographic hash functions are commonly used for providing message authentication. So far, several security criteria have been considered. The most popular criteria are collision freedom and one-wayness. Roughly, collision freedom is the property that no practical algorithm can issue a pair (x, x') such that x ≠ x' and F(x) = F(x') (see Damgard [12, 13] and Merkle [25]). One-wayness is the property that no practical algorith...
Equivalence between MAC and PRF for Blockcipher-based Constructions
Abstract. In FSE 2010, Nandi proved a sufficient condition for pseudorandom function (PRF) security of affine domain extensions (ADE), a wide class of blockcipher-based domain extensions. This sufficient condition is satisfied by all known blockcipher-based ADE constructions; however, it is not a characterization of PRF. In this paper we completely characterize the ADE and show that message authentication code (MAC) security and weak collision resistance (WCR) are indeed equivalent to PRF security. Note that a PRF is trivially a MAC and WCR; however, the converse need not be true in general. So our result suggests that, to construct a pseudorandom ADE, it is sufficient to ensure resistance against weak-collision attacks or forging attacks. Unlike the FSE 2010 paper, here we consider the forced collisions of inputs of the underlying blockciphers by incorporating the final outputs of a domain extension queried by an adaptive adversary. This is the main reason why we are able to obtain a characterization of PRF. Our approach is more general and hence might have other theoretical interest.