Format-Preserving Encryption
Cited by 15 (6 self)
Abstract. Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the "rank-then-encipher" approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.

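An added illustration of the rank-then-encipher and cycle-walking approaches named in this abstract (example code written for this listing, not code from the paper): a Luhn-valid 16-digit card number is mapped to its rank, the integer formed by its 15 free digits (the check digit is determined by them), that rank is enciphered by a toy 50-bit balanced Feistel network whose round function is HMAC-SHA256, and the result is cycle-walked until it falls back below 10^15 so it can be unranked to another valid card number. The round count, the HMAC-based round function, the key and the sample card number are assumptions made for the example; the Feistel network here is not one of the two unbalanced flavors the paper analyzes and carries no security proof.

```python
"""Added example: rank-then-encipher plus cycle walking for Luhn-valid 16-digit card numbers.

Illustrative code written for this listing; it is not the paper's construction.
"""
import hashlib
import hmac

DIGITS = 16
BODY_DIGITS = DIGITS - 1            # the 16th digit is the Luhn check digit, so 15 digits are free
DOMAIN_SIZE = 10 ** BODY_DIGITS     # number of Luhn-valid 16-digit strings: 10^15
RANK_BITS = 50                      # 2^50 is the smallest power of two not below 10^15
HALF_BITS = RANK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 10                         # assumed round count for the toy Feistel network


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # rightmost body digit sits next to the check digit, so it is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    return (len(number) == DIGITS and number.isdigit()
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def rank(number: str) -> int:
    """Bijection from valid card numbers onto [0, 10^15): drop the determined check digit."""
    if not luhn_valid(number):
        raise ValueError("not a Luhn-valid %d-digit number" % DIGITS)
    return int(number[:-1])


def unrank(r: int) -> str:
    body = str(r).zfill(BODY_DIGITS)
    return body + str(luhn_check_digit(body))


def _round_function(key: bytes, i: int, half: int) -> int:
    """Keyed round function: HMAC-SHA256 over the round index and one 25-bit half, truncated."""
    msg = bytes([i]) + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HALF_MASK


def feistel_enc(key: bytes, x: int) -> int:
    """Balanced Feistel permutation on [0, 2^50)."""
    l, r = x >> HALF_BITS, x & HALF_MASK
    for i in range(ROUNDS):
        l, r = r, l ^ _round_function(key, i, r)
    return (l << HALF_BITS) | r


def feistel_dec(key: bytes, y: int) -> int:
    l, r = y >> HALF_BITS, y & HALF_MASK
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round_function(key, i, l), l
    return (l << HALF_BITS) | r


def cycle_walk(step, x: int, max_steps: int = 64) -> int:
    """Apply the permutation `step` until the value lands back inside [0, DOMAIN_SIZE).

    Because `step` permutes [0, 2^50) and x already lies in the subset, the walk must reach
    a subset point (at worst x itself), so it terminates; the bound only guards against a
    broken `step`. The number of steps is data dependent, which is the timing leak the
    abstract argues is harmless.
    """
    y = step(x)
    for _ in range(max_steps):
        if y < DOMAIN_SIZE:
            return y
        y = step(y)
    raise RuntimeError("cycle walk did not return to the domain")


def fpe_encrypt(key: bytes, number: str) -> str:
    return unrank(cycle_walk(lambda v: feistel_enc(key, v), rank(number)))


def fpe_decrypt(key: bytes, number: str) -> str:
    # walking the inverse permutation retraces the same out-of-domain points in reverse
    return unrank(cycle_walk(lambda v: feistel_dec(key, v), rank(number)))


if __name__ == "__main__":
    KEY = b"constructed example key, not a real one"
    PT = "4111111111111111"         # constructed sample: a Luhn-valid test number
    CT = fpe_encrypt(KEY, PT)
    print(PT, "->", CT, "valid:", luhn_valid(CT), "roundtrip:", fpe_decrypt(KEY, CT) == PT)
```

Since 2^50 / 10^15 is about 1.13, the walk leaves the domain on roughly one encipherment in nine and almost never needs more than one or two extra steps; the point of the construction is that the ciphertext is always a valid card number, not merely a 50-bit integer.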
Proving the security of AES substitution-permutation network
Selected Areas in Cryptography, SAC 05, volume 3897 of LNCS, 2006
Cited by 2 (2 self)
Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that the fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.

On Tweaking Luby-Rackoff Blockciphers
In Advances in Cryptology – ASIACRYPT, 2007
Cited by 2 (0 self)
Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [13], are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal, and for what levels of security? How large of a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.

Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
ASIACRYPT'07, 2007
Cited by 2 (0 self)
Unbalanced Feistel schemes with expanding functions are used to construct pseudorandom permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F^d_k, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plaintext Attacks (CPA1) against these schemes. With these attacks we will often be able to improve the result of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudorandom permutations, generic attacks on encryption schemes, block ciphers.

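An added example, written for this listing rather than taken from the paper: a generic unbalanced Feistel scheme with expanding functions in the sense described above, with k words of n bits, where each round feeds one n-bit word through a function to (k − 1)n bits, XORs that output into the other k − 1 words and moves the used word to the end. The random functions are simulated with HMAC-SHA256. The paper's own attacks and their complexity formulas are not reproduced; instead the block carries a simple two-message non-adaptive chosen-plaintext distinguisher that follows directly from the round structure: when two plaintexts differ only in their last word, the difference is carried through the rounds untouched until it reaches the first word, so for d ≤ k rounds one predictable output word still XORs to exactly the input difference, which a random permutation matches with probability about 2^-n. The key, the word sizes and the plaintexts are assumptions.

```python
"""Added example: expanding unbalanced Feistel scheme F^d_k and a two-message CPA1 distinguisher.

Illustrative code written for this listing; the HMAC-based round functions stand in for the
random functions of the abstract, and the distinguisher is a structural observation about the
scheme, not the attacks of the paper.
"""
import hashlib
import hmac
from typing import List


class ExpandingFeistel:
    """k words of n bits; round i maps (X1..Xk) to (X2^f1(X1), ..., Xk^f_{k-1}(X1), X1)."""

    def __init__(self, key: bytes, k: int, n: int, rounds: int):
        if k < 2 or n > 32 or (k - 1) * n > 256 or rounds > 255:
            raise ValueError("example supports k>=2, n<=32, (k-1)*n<=256, rounds<=255")
        self.key, self.k, self.n, self.rounds = key, k, n, rounds
        self.mask = (1 << n) - 1

    def _f(self, i: int, x: int) -> List[int]:
        """Round function i: n bits in, k-1 words of n bits out (one SHA-256 digest suffices)."""
        digest = hmac.new(self.key, bytes([i]) + x.to_bytes(4, "big"), hashlib.sha256).digest()
        v = int.from_bytes(digest, "big")
        return [(v >> (self.n * j)) & self.mask for j in range(self.k - 1)]

    def encrypt(self, words: List[int]) -> List[int]:
        x = list(words)
        for i in range(self.rounds):
            f = self._f(i, x[0])
            x = [x[j + 1] ^ f[j] for j in range(self.k - 1)] + [x[0]]
        return x

    def decrypt(self, words: List[int]) -> List[int]:
        y = list(words)
        for i in reversed(range(self.rounds)):
            x1 = y[-1]                         # the word moved to the end is the round's input word
            f = self._f(i, x1)
            y = [x1] + [y[j] ^ f[j] for j in range(self.k - 1)]
        return y


def predicted_position(k: int, d: int) -> int:
    """0-based output word that still holds the input difference after d <= k rounds.

    The difference starts in the last word and shifts one place left per round while the first
    words of the two messages agree; in round k it is the first word and is copied to the end.
    """
    return (k - 1 - d) % k


def two_message_cpa1(cipher: ExpandingFeistel, delta: int = 0x5A) -> bool:
    """Non-adaptive CPA with two plaintexts that differ only in their last word.

    Returns True when the predicted output word XORs to delta. For d <= k rounds this holds
    with certainty (and for d < k every other word is unchanged); for d > k the position is
    no longer structural and the check succeeds only by chance, about 2^-n.
    """
    k, d = cipher.k, cipher.rounds
    p1 = [(0x1234 + j) & cipher.mask for j in range(k)]   # constructed plaintext
    p2 = p1[:-1] + [p1[-1] ^ delta]
    c1, c2 = cipher.encrypt(p1), cipher.encrypt(p2)
    diff = [a ^ b for a, b in zip(c1, c2)]
    pos = predicted_position(k, d)
    if d < k and any(diff[j] for j in range(k) if j != pos):
        return False
    return diff[pos] == delta


if __name__ == "__main__":
    key = b"constructed example key"
    for d in range(1, 7):
        c = ExpandingFeistel(key, k=4, n=16, rounds=d)
        print("k=4 rounds=%d distinguisher succeeds: %s" % (d, two_message_cpa1(c)))
```

With k = 4 the distinguisher succeeds for every round count up to 4 and, barring a 1-in-65536 coincidence, fails from 5 rounds on; it is the reason k rounds are a lower bound for any such scheme, while the paper's KPA and CPA1 push the attackable round counts beyond that with more messages.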
New Integrated Proof Method on Iterated Hash Structure and New Structures
2006
Cited by 2 (1 self)
A hash structure that is secure in the Random Oracle Model may not be a secure model in a true design. In this paper, we give an integrated proof method for the security proofs of iterated hash structures. Based on this proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3C hash, determine the requirements a true design places on the compression function, and give a new recommended structure. Finally, we give a new hash structure, MAC structure and encryption model that use the same block cipher round function and key schedule algorithm; security proofs for those structures are given.

Security Analysis of the GFN-LFSR Structure and Four-Cell Block Cipher
Cited by 2 (0 self)
Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include the Feistel structure, SP structure, MISTY structure, LM structure and Generalized Feistel structure. In [29], Choy et al. proposed a new structure called GFN-LFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GFN-LFSR. In this paper, we first study properties of the n-cell GFN-LFSR structure, and prove that for an n-cell GFN-LFSR there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with the differential cryptanalysis technique. The data complexity of our attack is 2^111.5 and the time complexity is less than 2^123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.

FHASH: Securing Hash Functions Using Feistel Chaining
Cryptology ePrint Archive
Cited by 1 (0 self)
Abstract. The Feistel structure is well known as a good structure for building block ciphers, due to its property of invertibility. It can be made non-invertible by fixing the left half of the input to 0 and discarding the left half of the output bits. It then becomes suitable as a hash function construction. This paper uses the structure to build a hash function called FHash, which is immune to recent attack styles. Generally the security of such structures is discussed using Random Oracle Models. In this paper, a more precise evaluation method, based upon conditional probability, is given.

Tweakable Blockciphers Secure Against Generic Exponential Attacks
2007
Cited by 1 (0 self)
Domain Extension for MACs Beyond the Birthday Barrier
Eurocrypt 2011. Full version of this paper available at http://people.csail.mit.edu/dodis/ps/optimalmac.pdf
Cited by 1 (0 self)
Given an n-bit to n-bit MAC (e.g., a fixed-key blockcipher) with MAC security ε against q queries, we design a variable-length MAC achieving MAC security O(εq·poly(n)) against queries of total length qn. In particular, our construction is the first to break the "birthday barrier" for MAC domain extension from non-compressing primitives, since our security bound is meaningful even for q = 2^n/poly(n) (assuming ε is the best possible O(1/2^n)). In contrast, the previous best construction for MAC domain extension for n-bit to n-bit primitives, due to Dodis and Steinberger [13], achieved MAC security of O(εq^2 (log q)^2), which means that q cannot cross the "birthday bound" of 2^{n/2}.

Generic attacks on Alternating Unbalanced Feistel Schemes
Abstract. Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in [12], [4], [15], [16]. In this paper we study schemes where we use alternately contracting random functions and expanding random functions. We name these schemes "Alternating Unbalanced Feistel Schemes". They allow constructing pseudorandom permutations from kn bits to kn bits where k ≥ 3. At each round, we use either a random function from n bits to (k−1)n bits or a random function from (k−1)n bits to n bits. We describe the best generic attacks we have found. We present "known plaintext attacks" (KPA) and "non-adaptive chosen plaintext attacks" (CPA1). Let d be the number of rounds. We show that if d ≤ k, there are CPA1 with 2 messages and KPA with m, the number of messages, about 2^{(d−1)n/4}. For d ≥ k + 1 we have to distinguish k even and k odd. For k even, we have m = 2 in CPA1 and m ≃ 2^{kn/4} in KPA. When k is odd, we show that there exist CPA1 for d ≤ 2k − 1 and KPA for d ≤ 2k + 3 with less than 2^{kn} messages and computations. Beyond these values, we give KPA against generators of permutations.