Results 1 - 5 of 5
Chosen Ciphertext Security with Optimal Ciphertext Overhead
 In Advances in Cryptology – Asiacrypt’08, volume 5350 of LNCS. Pages
, 2008
Cited by 8 (2 self)
Abstract. Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2^t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.
On the Security of Generalized Feistel Scheme with SP Round Function
, 2005
Cited by 3 (0 self)
This paper studies the security against differential/linear cryptanalysis and the pseudorandomness of a class of generalized Feistel scheme with SP round function called GFSP. We consider the minimum number of active s-boxes in four, eight and sixteen consecutive rounds of GFSP, which provide the upper bound of the maximum differential/linear probabilities of 16-round GFSP scheme, in order to evaluate the strength against differential/linear cryptanalysis. Furthermore, we point out seven rounds GFSP is not pseudorandom for non-adaptive adversary, and prove that eight rounds GFSP is pseudorandom for any adversaries.
Non-cryptographic Primitive for Pseudorandom Permutation
 Fast Software Encryption, 9th International Workshop, FSE 2002
Cited by 2 (0 self)
Abstract. Four round Feistel permutation (like DES) is super-pseudorandom if each round function is random or a secret universal hash function. A similar result is known for five round MISTY type permutation. It seems that each round function must be at least either random or secret in both cases. In this paper, however, we show that the second round permutation g in five round MISTY type permutation need not be cryptographic at all, i.e., no randomness nor secrecy is required. g has only to satisfy that g(x) ⊕ x ≠ g(x′) ⊕ x′ for any x ≠ x′. This is the first example such that a non-cryptographic primitive is substituted to construct the minimum round super-pseudorandom permutation. Further we show efficient constructions of super-pseudorandom permutations by using above mentioned g.
Security of the MISTY Structure in the Luby-Rackoff Model: Improved Results
Cited by 1 (0 self)
Abstract. In this paper we consider the security of the Misty structure in the Luby-Rackoff model, if the inner functions are replaced by involutions without fixed point. In this context we show that the success probability in distinguishing a 4-round L-scheme from a random function is O(m^2/2^n) (where m is the number of queries and 2n the block size) when the adversary is allowed to make adaptively chosen encryption queries. We give a similar bound in the case of the 3-round R-scheme. Finally, we show that the advantage in distinguishing a 5-round scheme from a random permutation when the adversary is allowed to adaptively chosen encryption as well as decryption queries is also O(m^2/2^n). This is to our knowledge the first time involutions are considered in the context of the Luby-Rackoff model. 1 Introduction. Proving the security of block ciphers has been a longstanding problem, and it is not solved yet. In their seminal paper [4], M. Luby and C. Rackoff