How to Build a Hash Function from any Collision-Resistant Function
2007
Abstract

Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective “mixing” stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a blockcipher-based construction that
A Synopsis of Format-Preserving Encryption
Unpublished manuscript, 2010
Abstract

Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of the same format—for example, encrypting a social-security number into a social-security number. In this survey we describe FPE and review known techniques for achieving it. These include FFX, a recent proposal made to NIST.
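The abstract above only states what FPE does. The following Python is an added illustration written for this listing; it is not code from the survey, from the FFX proposal, or from NIST. It builds a small Feistel cipher over decimal strings in the same family as FFX/FF1 (an unbalanced Feistel that alternates between a u-digit and a v-digit half, with a keyed PRF as the round function), so that a nine-digit string encrypts to a nine-digit string and decrypts back. Everything specific is my own choice and should be read as an assumption, not as FFX or FF1: the round count `ROUNDS = 10`, HMAC-SHA256 as the round function, the byte layout of the PRF input, the function names `fpe_encrypt`, `fpe_decrypt`, `encrypt_ssn`, `decrypt_ssn`, and the constructed demo key, tweak and sample SSN.

```python
import hashlib
import hmac

# Parameters of this toy construction (my choices, not FFX/FF1 constants).
ROUNDS = 10   # even, so the two halves return to their original positions
RADIX = 10    # decimal digit strings


def _prf(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round number, half),
    read as a 256-bit integer. Reducing it mod 10^m below leaves a bias of
    roughly 10^m / 2^256, negligible for the digit lengths handled here."""
    msg = tweak + round_no.to_bytes(1, "big") + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check_digits(s: str) -> None:
    # isdigit() alone accepts Unicode digits such as superscripts; insist on ASCII.
    if len(s) < 2 or not s.isascii() or not s.isdigit():
        raise ValueError("input must be an ASCII decimal string of at least two digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt an n-digit string into an n-digit string.

    Unbalanced Feistel: the half being updated has u digits on even rounds and
    v digits on odd rounds, so the result always fits back into the same slot.
    """
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                      # length of the half being updated
        c = (int(a) + _prf(key, tweak, i, b)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)                         # swap halves; keep leading zeros
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting the PRF."""
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def encrypt_ssn(key: bytes, tweak: bytes, ssn: str) -> str:
    """'AAA-GG-SSSS' in, 'AAA-GG-SSSS' out: strip the dashes, encrypt the nine
    digits, and restore the formatting. Note this toy maps onto every nine-digit
    string, including area numbers that are never issued; a real deployment
    would restrict the domain or cycle-walk to stay inside the valid set."""
    raw = ssn.replace("-", "")
    if len(raw) != 9:
        raise ValueError("expected NNN-NN-NNNN")
    ct = fpe_encrypt(key, tweak, raw)      # raises ValueError on non-digits
    return f"{ct[:3]}-{ct[3:5]}-{ct[5:]}"


def decrypt_ssn(key: bytes, tweak: bytes, ssn: str) -> str:
    raw = ssn.replace("-", "")
    if len(raw) != 9:
        raise ValueError("expected NNN-NN-NNNN")
    pt = fpe_decrypt(key, tweak, raw)
    return f"{pt[:3]}-{pt[3:5]}-{pt[5:]}"


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
    tweak = b"hr.employees.ssn"                               # constructed: binds ciphertexts to a column
    ssn = "123-45-6789"                                       # constructed sample, not a real SSN
    enc = encrypt_ssn(key, tweak, ssn)
    print(ssn, "->", enc, "->", decrypt_ssn(key, tweak, enc))
```

Two practitioner notes. First, the tweak is what stops an attacker from swapping ciphertexts between columns or records that happen to share a key; tie it to the column or record identity, as the constructed `hr.employees.ssn` tweak does. Second, no construction rescues a tiny domain: a two-digit field has only 100 possible ciphertexts, so an attacker with a few known plaintext/ciphertext pairs learns a meaningful fraction of the codebook regardless of how strong the round function is. Where a standardized mode such as NIST FF1 is available, use that rather than an ad hoc Feistel like this one.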
A Generic Method to Extend Message Space of a Strong Pseudorandom Permutation
Abstract

In this paper we present an efficient and secure generic method which can encrypt messages of size at least n. This generic encryption algorithm needs a secure encryption algorithm for messages whose length is a multiple of n. The first generic construction, XLS, was proposed by Ristenpart and Rogaway at FSE 2007. It needs two extra invocations of an independently chosen strong pseudorandom permutation (SPRP) defined over {0, 1}^n for encryption of an incomplete message block, whereas our construction needs only one invocation of a weak pseudorandom function and two multiplications over a finite field (equivalently, two invocations of a universal hash function). We prove here that the proposed method preserves (tweakable) SPRP security. This new construction is meaningful for two reasons. Firstly, it is based on a weak pseudorandom function, which is a weaker security notion than SPRP; thus we are able to achieve stronger security from a weaker one. Secondly, in practice, finite field multiplication is more efficient than an invocation of an SPRP. Hence our method can be more efficient than XLS.
XLS is not a Strong Pseudorandom Permutation
Abstract

In FSE 2007, Ristenpart and Rogaway described a generic method, XLS, to construct a length-preserving strong pseudorandom permutation (SPRP) over bit-strings of size at least n. It requires a length-preserving permutation E over all bit-strings whose size is a multiple of n and a blockcipher E with block size n. The SPRP security of XLS was proved from the SPRP assumptions on both E and E. In this paper we disprove the claim by demonstrating an SPRP distinguisher for XLS which makes only three queries and has distinguishing advantage about 1/2. XLS uses a multi-permutation linear function, called mix2. In this paper we also show that if we replace mix2 by any invertible linear function, the construction XLS still remains insecure. Thus the mode has an inherent weakness.
Constructing VariableLength PRPs and SPRPs from
Abstract
We create variable-length pseudorandom permutations (PRPs) and strong PRPs (SPRPs) accepting any input length chosen from the range of b to 2b bits from fixed-length, b-bit PRPs. We utilize the elastic network that underlies the recently introduced concrete design of elastic block ciphers, exploiting it as a network of PRPs. We prove that three- and four-round elastic networks are variable-length PRPs and five-round elastic networks are variable-length SPRPs, accepting any input length that is fixed in the range of b to 2b bits, when the round functions are independently chosen fixed-length PRPs on b bits. We also prove that these are the minimum number of rounds required. Key words: (strong) pseudorandom permutations, block ciphers, variable-length PRPs
On orthogonal generalized equitable rectangles
2008
Abstract
In this note, we give a complete solution of the existence of orthogonal generalized equitable rectangles, which was raised as an open problem in [4]. Key words: orthogonal latin squares, orthogonal equitable rectangles
Length-doubling Ciphers and Tweakable Ciphers
Abstract
We motivate and describe a mode of operation HEM (resp., THEM) that turns an n-bit blockcipher into a variable-input-length cipher (resp., tweakable cipher) that acts on strings of [n..2n − 1] bits. Both HEM and THEM are simple and intuitive and use only two blockcipher calls, while prior work takes at least three. We prove them secure in the sense of strong PRP and tweakable strong PRP, assuming the underlying blockcipher is a strong PRP.
Deoxys v1
2014
Abstract
In this note, we propose Deoxys, a new authenticated encryption design based on a tweakable block cipher Deoxys-BC using the well-studied AES round function as a building block. We suggest several sets of parameters that can use different key and tweak sizes, and claim security levels for all the parameters in later sections. Our design uses a particular instantiation of a more general
Revisiting Security Claims of XLS and COPA
Abstract
Ristenpart and Rogaway proposed XLS in 2007, a generic method to encrypt messages with incomplete last blocks. Later, in 2013, Andreeva et al. proposed an authenticated encryption scheme, COPA, which uses XLS when processing incomplete message blocks. Following the design of COPA, several other CAESAR candidates used a similar approach. Surprisingly, in 2014 Nandi showed a three-query distinguisher against XLS which violates the security claim of XLS and puts a question mark on all schemes using XLS. However, due to the interleaved nature of the encryption and decryption queries of the distinguisher, it was not clear whether the security claims of COPA remain true or not. This paper revisits XLS and COPA in the directions of both cryptanalysis and provable security. The contributions of the paper can be summarized in the following two parts: 1. Cryptanalysis: We describe two attacks, (i) a new distinguisher against XLS and, extending this attack, (ii) a forging algorithm with query complexity about 2^{n/3} against COPA, where n is the block size of the underlying blockcipher. 2. Security Proof: Due to the above attacks, the main claims of XLS (already known before) and COPA are wrong. So we revise the security analysis of both and show that (i) both XLS and COPA are pseudorandom functions (PRFs) up to 2^{n/2} queries and (ii) COPA is integrity-secure up to 2^{n/3} queries (matching the query complexity of our forging algorithm).