Results 1-10 of 13
Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
Advances in Cryptology, EUROCRYPT '98 Proceedings, 1998
Cited by 27 (3 self)
Abstract
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent rekeying. As an illustrative special case, let E: {0,1}^n × {0,1}^n → {0,1}^n be the block cipher. Then we can construct the PRF F from the PRP E by setting F(k, x) = E(E(k, x), x). We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent rekeying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.
On the Construction of Variable-Input-Length Ciphers
In Fast Software Encryption, 1998
Cited by 23 (7 self)
Abstract
We investigate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths, in particular lengths not necessarily a multiple of some block length. (By a "cipher" we mean a key-indexed family of length-preserving permutations, with a "good" cipher being one that resembles a family of random length-preserving permutations.) Oddly enough, this question seems not to have been investigated. We show how to construct variable-input-length ciphers starting from any block cipher (i.e., a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provable-security sense of contemporary cryptography. Variable-input-length ciphers can be used to encrypt in the presence of the constraint that the ciphertex...
Building PRFs from PRPs
Advances in Cryptology—CRYPTO ’98, LNCS 1462, 1998
Cited by 21 (0 self)
Abstract
We evaluate constructions for building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We present two constructions: a slower construction which preserves the security of the PRP and a faster construction which has less security. One application of our construction is to build a wider block cipher given a block cipher as a building tool. We do not require any additional constructions, e.g. pseudorandom generators, to create the wider block cipher. The security of the resulting cipher will be as strong as the original block cipher.
Keywords: pseudorandom permutations, pseudorandom functions, concrete security, block ciphers, cipher feedback mode.
1 Introduction and Background. In this paper we examine building pseudorandom functions from pseudorandom permutations. There are several well-known constructions for building pseudorandom permutations from pseudorandom functions, notably [LR88]. However, the only results we are aware of for going in t...
The Sum of PRPs is a Secure PRF
2000
Cited by 12 (0 self)
Abstract
Given d independent pseudorandom permutations (PRPs) π1, ..., πd over {0, 1}, it appears natural to define a pseudorandom function (PRF) by adding (or XORing) the permutation results: sum: π1(x) ⊕ ... ⊕ πd(x). This paper investigates the security of sum and also considers a variant that only uses one single PRP over {0, 1}.
Keywords: Pseudorandom Functions, Concrete Security, Block Ciphers.
Report on the AES Candidates
1999
Cited by 4 (1 self)
Abstract
This document reports the activities of the AES working group organized at the École Normale Supérieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria between the candidates, and make case-by-case comments. We finally recommend the selection of Mars, RC6, Serpent, ... and DFC. As the report was being finalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the Appendix which is not considered in the main body of the report.
Towards Understanding the Known-Key Security of Block Ciphers
Cited by 2 (0 self)
Abstract
Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions, and we also propose new generic known-key attacks on generalized Feistel ciphers. We introduce the notion of known-key indifferentiability to capture the security of such block ciphers under a known key. To show its meaningfulness, we prove that the known-key attacks on block ciphers with ideal primitives to date violate security under known-key indifferentiability. On the other hand, to demonstrate its constructiveness, we prove the balanced Feistel cipher with random functions and the multiple Even-Mansour cipher with random permutations known-key indifferentiable for a sufficient number of rounds. We note that known-key indifferentiability is more quickly and tightly attained by multiple Even-Mansour, which puts it forward as a construction provably secure against known-key attacks.
Security of the Misty Structure Beyond the Birthday Bound
Cited by 1 (0 self)
Abstract
In this paper, we first prove beyond-birthday-bound security for the Misty structure. Specifically, we show that an r-round Misty structure is secure against CCA attacks up to O(2^(rn/(r+7))) query complexity, where n is the size of each round permutation. So for any ε > 0, a sufficient number of rounds would guarantee the security of the Misty structure up to 2^(n(1−ε)) query complexity.
Security of the MISTY Structure in the Luby-Rackoff Model: Improved Results
Cited by 1 (0 self)
Abstract
In this paper we consider the security of the Misty structure in the Luby-Rackoff model, if the inner functions are replaced by involutions without fixed point. In this context we show that the success probability in distinguishing a 4-round L-scheme from a random function is O(m^2/2^n) (where m is the number of queries and 2n the block size) when the adversary is allowed to make adaptively chosen encryption queries. We give a similar bound in the case of the 3-round R-scheme. Finally, we show that the advantage in distinguishing a 5-round scheme from a random permutation when the adversary is allowed to make adaptively chosen encryption as well as decryption queries is also O(m^2/2^n). This is to our knowledge the first time involutions are considered in the context of the Luby-Rackoff model.
1 Introduction. Proving the security of block ciphers has been a long-standing problem, and it is not solved yet. In their seminal paper [4], M. Luby and C. Rackoff
Best Effort and Practice Activation Codes
1101
Abstract
Activation Codes are used in many different digital services and are known by many different names, including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used, there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA2) on a general 3-round Feistel network of size 2^(2n). This attack recovers the complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity.
Generic Attacks on Feistel Schemes: Extended Version
Abstract
Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A:
1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^n) computations with O(2^n) non-adaptive chosen plaintexts.
2. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(3n/2)) computations with O(2^(3n/2)) random plaintext/ciphertext pairs.
Since these complexities are smaller than the number 2^(2n) of possible inputs, they show that some generic attacks always exist on Feistel schemes with 5 rounds. Therefore we recommend using Feistel schemes with at least 6 rounds in the design of pseudorandom permutations. We will also show in this paper that it is possible to distinguish most 6-round Feistel permutation generators from a truly random permutation generator by using a few (i.e. O(1)) permutations of the generator and a total number of O(2^(2n)) queries and a total of O(2^(2n)) computations. This result is not really useful for attacking a single 6-round Feistel permutation, but it shows that when we have to generate several pseudorandom permutations on a small number of bits, we recommend using more than 6 rounds. We also show that it is possible to extend these results to any number of rounds, however with an even larger complexity.