Results 1-10 of 29
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, 2000
Cited by 242 (25 self)
Code-Based Game-Playing Proofs and the Security of Triple Encryption, Eurocrypt 2006, LNCS
Cited by 40 (10 self)
Abstract: (Draft 3.0) The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maximal advantage is small until it asks about 2^78 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security ...
Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks, 2010
Cited by 19 (4 self)
Abstract: This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of related-key attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, non-standard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. Over the last 15 years cryptanalysts and block-cipher designers have routinely and consistently targeted RKA-security; it is visibly important for abuse-resistant cryptography; and it helps protect against fault-injection side-channel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept ...
Improved security analyses for CBC MACs, in Advances in Cryptology, Crypto 2005, LNCS 3621, 2005
Cited by 17 (5 self)
Abstract: We present an improved bound on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits. The result assumes that no message queried is a prefix of any other, as is the case when all messages to be MACed have the same length. We go on to give an improved analysis of the encrypted CBC MAC, where there is no restriction on queried messages. Letting ...
Analysis of RMAC, Fast Software Encryption 2003, LNCS, 2002
Cited by 10 (3 self)
Abstract: In this paper the newly proposed RMAC system is analysed. The scheme allows a (traditional MAC) attacker some control over one of two keys of the underlying block cipher and makes it possible to mount several related-key attacks on RMAC. First, an efficient attack on RMAC when used with triple-DES is presented, which relies also on other findings in the proposed draft standard. Second, a generic attack on RMAC is presented which can be used to find one of the two keys in the system faster than by an exhaustive search. Third, related-key attacks on RMAC in a multi-user setting are presented. In addition to beating the claimed security bounds in NIST’s RMAC proposal, this work suggests that, as a general principle, one may wish to avoid designing modes of operation that use related keys.
The Game-Playing Technique, 2004
Cited by 5 (0 self)
Abstract: In the game-playing technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pseudocode, a chain of games. The approach was first used by Kilian and Rogaway (1996) and has been used repeatedly since, but it has never received a systematic treatment. In this paper we provide one. We develop the foundations ...
Feistel networks made public, and applications, Advances in Cryptology – EUROCRYPT ’07, LNCS, 2007
Cited by 3 (0 self)
Abstract: The Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method of designing “cryptographically strong” permutations from corresponding “cryptographically strong” functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic, number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed. On the positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a super-logarithmic number of Feistel rounds is necessary and sufficient to guarantee security. This partially explains why practical block ciphers use ...
Virtually pipelined network memory, in MICRO 39: Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, 2006
Distinguishing and Forgery Attacks on Alred and Its AES-based Instance Alpha-MAC
Cited by 2 (2 self)
Abstract: In this paper, we present new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES, which was proposed by Daemen and Rijmen in 2005. For the Alred construction, we describe a general distinguishing attack which leads to a forgery attack directly. The complexity is 2^64.5 chosen messages and 2^64.5 queries with success probability 0.63. We also use a two-round collision differential path for Alpha-MAC to construct a new distinguisher with about 2^65.5 queries. Most importantly, the new distinguisher can be used to recover the internal state, which is an equivalent secret subkey, and leads to a second preimage attack. Moreover, the distinguisher on the Alred construction is also applicable to the MACs based on the CBC and CFB encryption modes.
TMAC: Two-Key CBC MAC, 2002
Cited by 2 (0 self)
Abstract: In this paper, we propose TMAC, Two-Key CBC Message Authentication Code. TMAC is a refinement of XCBC (which is a variant of CBC MAC) shown by Black and Rogaway. We use only a (k + n)-bit key for TMAC while XCBC uses a (k + 2n)-bit key, where k is the key length of the underlying block cipher and n is its block length. The cost for reducing the size of secret keys is almost negligible: only one shift and one conditional XOR. Similarly to XCBC, our algorithm correctly and efficiently handles messages of arbitrary bit length.