Results 1  10
of
15
Blackbox analysis of the blockcipherbased hashfunction constructions from pgv
 In Advances in Cryptology – CRYPTO ’02 (2002
, 2002
"... Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 sc ..."
Abstract

Cited by 105 (15 self)
 Add to MetaCart
Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 schemes were shown to be subject to various attacks. Here we provide a formal and quantitative treatment of the 64 constructions considered by PGV. We prove that, in a blackbox model, the 12 schemes that PGV singled out as secure really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the MerkleDamg˚ard approach to analysis, we show that an additional 8 of the 64 schemes are just as collision resistant (up to a small constant) as the first group of schemes. Nonetheless, we are able to differentiate among the 20 collisionresistant schemes by bounding their security as oneway functions. We suggest that proving blackbox bounds, of the style given here, is a feasible and useful step for understanding the security of any blockcipherbased hashfunction construction. 1
Distinguisher and RelatedKey Attack on the Full AES256
 Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science
, 2009
"... Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that th ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2 q−1 q+1 128) time. Using similar approach and with the same complexity we can also construct qpseudo collisions for AES256 in DaviesMeyer hashing mode, a scheme which is provably secure in the idealcipher model. We have also computed partial qmulticollisions in time q · 2 37 on a PC to verify our results. These results show that AES256 can not model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14round AES256: a relatedkey distinguisher which works for one out of every 2 35 keys with 2 120 data and time complexity and negligible memory. This distinguisher is translated into a keyrecovery attack with total complexity of 2 131 time and 2 65 memory. Keywords: AES, relatedkey attack, chosen key distinguisher, DaviesMeyer, ideal cipher.
Pseudorandom Functions and Permutations Provably Secure Against RelatedKey Attacks
, 2010
"... This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversa ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of relatedkey attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversaryspecified ways. Based on the NaorReingold PRF we obtain an RKAPRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversaryspecified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, nonstandard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKAPRFs including a DLINbased one derived from the LewkoWaters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKAsecurity; it is visibly important for abuseresistant cryptography; and it helps protect against faultinjection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofsofconcept
A CollisionResistant Rate1 DoubleBlockLength Hash Function
"... (on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 un ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 units of time to find a collision. The construction employs “combinatorial ” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006). 1
On the relation between the ideal cipher and the random oracle models
 In: TCC 2006. LNCS
, 2006
"... Abstract. The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. [8] proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, we investigate if it is possible to instantiate an ideal block cipher in the random oracle model, which is a considerably more challenging question. We conjecture that the LubyRackoff construction [19] with a sufficient number of rounds should suffice to show this implication. This does not follow from the famous LubyRackoff result [19] showing that 4 rounds are enough to turn a pseudorandom function into a pseudorandom permutation, since the results of the intermediate rounds are known to everybody. As a partial step toward resolving this conjecture, we show that random oracles imply ideal ciphers in the honestbutcurious model, where all the participants are assumed to follow the protocol, but keep all their intermediate results. Namely, we show that the LubyRackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honestbutcurious cryptosystem, and result in a similar honestbutcurious cryptosystem in the random oracle model. We also show that securely instantiating the ideal cipher using the Luby Rackoff construction with upto a logarithmic number of rounds is equivalent in the honestbutcurious and malicious models. 1
On CipherDependent RelatedKey Attacks in the IdealCipher Model
"... Abstract. Bellare and Kohno introduced a formal framework for the study of relatedkey attacks against blockciphers. They established sufficient conditions (outputunpredictability and collisionresistance) on the set of relatedkeyderiving (RKD) functions under which an ideal cipher is secure again ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract. Bellare and Kohno introduced a formal framework for the study of relatedkey attacks against blockciphers. They established sufficient conditions (outputunpredictability and collisionresistance) on the set of relatedkeyderiving (RKD) functions under which an ideal cipher is secure against relatedkey attacks, and suggested this could be used to derive security goals for real blockciphers. However, to do so requires the reinterpretation of results proven in the idealcipher model for the standard model (in which a blockcipher is modelled as, say, a pseudorandom permutation family). As we show here, this is a fraught activity. In particular, building on a recent idea of Bernstein, we first demonstrate a relatedkey attack that applies generically to a large class of blockciphers. The attack exploits the existence of a short description of the blockcipher, and so does not apply in the idealcipher model. However, the specific RKD functions used in the attack are provably outputunpredictable and collisionresistant. In this sense, the attack can be seen as a separation between the idealcipher model and the standard model. Second, we investigate how the relatedkey attack model of Bellare and Kohno can be extended to include sets of RKD functions that themselves access the ideal cipher. Precisely such relatedkey functions underlie the generic attack, so our extended modelling allows us to capture a larger universe of relatedkey attacks in the idealcipher model. We establish a new set of conditions on relatedkey functions that is sufficient to prove a theorem analogous to the main result of Bellare and Kohno, but for our extended model. We then exhibit nontrivial classes
Blockcipher Based Hashing Revisited
 Fast Software Encryption – FSE ’09
, 2009
"... Abstract. We revisit the rate1 blockcipher based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre and postprocessing is considered. This lead ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. We revisit the rate1 blockcipher based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre and postprocessing is considered. This leads to a clearer understanding of the current classification of rate1 blockcipher based schemes as introduced by Preneel et al. and refined by Black et al. In addition, we also gain insight in chopped, overloaded and supercharged compression functions. In the latter category we propose two compression functions based on a single call to a blockcipher whose collision resistance exceeds the birthday bound on the cipher’s blocklength. 1
Survey on Security Requirements and Models for Group Key Exchange
 HorstGörtz Institute, Network and Data Security Group
, 2006
"... In this report we provide an analytical survey on security issues that are relevant for group key exchange (GKE) protocols. We start with the description of the security requirements that have been informally described in the literature and widely used to analyze security of earlier GKE protocols. M ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
In this report we provide an analytical survey on security issues that are relevant for group key exchange (GKE) protocols. We start with the description of the security requirements that have been informally described in the literature and widely used to analyze security of earlier GKE protocols. Most of these definitions were originally stated for twoparty protocols and then adapted to a group setting. These informal definitions are foundational for the later appeared formal security models for GKE protocols whose
Feistel networks made public, and applications
 Advances in Cryptology – EUROCRYPT ’07. LNCS
, 2007
"... Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method of designing “cryptographically strong ” permutations from corresponding “cryptographically strong ” functions. Up to now, all usages of the Feistel Network, including the celeb ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method of designing “cryptographically strong ” permutations from corresponding “cryptographically strong ” functions. Up to now, all usages of the Feistel Network, including the celebrated LubyRackoff’s result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed. On a positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a superlogarithmic number of Feistel rounds is necessary and sufficient to guarantee security. This partially explains why practical block ciphers use
How to Construct an Ideal Cipher from a Small Set of Public Permutations
, 2013
"... Abstract. We show how to construct an ideal cipher with nbit blocks and nbit keys (i.e. a set of 2 n public nbit permutations) from a small constant number of nbit random public permutations. The construction that we consider is the singlekey iterated EvenMansour cipher, which encrypts a plain ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. We show how to construct an ideal cipher with nbit blocks and nbit keys (i.e. a set of 2 n public nbit permutations) from a small constant number of nbit random public permutations. The construction that we consider is the singlekey iterated EvenMansour cipher, which encrypts a plaintext x ∈ {0, 1} n under a key k ∈ {0, 1} n by alternatively xoring the key k and applying independent random public nbit permutations P1,..., Pr (this construction is also named a keyalternating cipher). We analyze this construction in the plain indifferentiability framework of Maurer, Renner, and Holenstein (TCC 2004), and show that twelve rounds are sufficient to achieve indifferentiability from an ideal cipher. We also show that four rounds are