## TWEAKABLE BLOCKCIPHERS SECURE AGAINST GENERIC EXPONENTIAL ATTACKS (2007)

Citations: 1 (0 self)

### BibTeX

@MISC{Crump07tweakableblockciphers,
    author = {Elizabeth A. Crump},
    title = {TWEAKABLE BLOCKCIPHERS SECURE AGAINST GENERIC EXPONENTIAL ATTACKS},
    year = {2007}
}

### Abstract

To my best friend and my parents.

### Citations

284 | How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988
Citation Context ...howed that a three-round Feistel construction is CPA secure and a four-round Feistel construction is CCA secure against polynomial adversaries [14]. [Figure 1.1: A 4-round Feistel blockcipher.] A four-round Feistel cipher is illustrated in Figure 1.1. Lucks described an optimization for the CPA secure three-round Feistel construction by replacing the first round with a universal hash funct... |

162 | Description of a New Variable-Length-Key, 64-Bit Block Cipher (Blowfish)
- Schneier
- 1994
Citation Context ... constructions when the round functions are unpredictable rather than pseudorandom [8]. Many common blockciphers are constructed in a Feistel model and include: DES [18], RC6 [25], Mars [4], Blowfish [27], and Lucifer [29]. 1.2.3 Exponential Adversaries Thus far, the security of tweakable blockciphers has only been proven against polynomial adversaries. An adversary A is defined to be polynomial if A... |

137 | Cryptography and computer privacy
- Feistel
- 1973
Citation Context ... using modes of operations for encrypting messages that are not evenly divisible into blocks without expanding the ciphertext. Since their introduction almost thirty-five years ago, Feistel ciphers [9], also known as Feistel networks, have become the most actively studied class of blockciphers. The formula for the Feistel blockcipher on input $M = (L_0, R_0)$ is: $L_{i+1} = R_i$, $R_{i+1} = f_{i+1}(R_i) \oplus L_i$... |

103 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
- Black, Rogaway, et al.
- 2002
Citation Context ...ions to allow for longer tweaks. When proving the security of specific constructions against generic attacks it is a standard assumption to treat pseudorandom permutations or functions as random ones [2], [3]. Specifically when proving the security against general attacks, the inner primitives are treated as a blackbox and the constructions are proven secure assuming that the inner primitives are sec... |

102 | Tweakable block ciphers
- Liskov, Rivest, et al.
- 2002
Citation Context ...from a family of random permutations indexed by the tweak. Tweakable blockciphers were first formalized by Liskov, Rivest and Wagner, who constructed tweakable blockciphers directly from blockciphers [13]. Crump, Goldenberg, Hohenberger, Liskov, and Seyalioglu showed that tweakable blockciphers can be constructed directly from pseudorandom functions using a Feistel model [7]. Tweakable blockciphers ha... |

66 | A Tweakable Enciphering Mode
- Halevi, Rogaway
Citation Context ...-xoruniversal hash function. All subsequent constructions of tweakable blockciphers have been created in this model, where a tweakable blockcipher is created using a regular blockcipher as a primitive [10], [10], [26], [5]. Tweakable blockciphers are important primitives which have many practical applications. Liskov, Rivest and Wagner show that tweakable blockciphers can be used to implement secure sy... |

42 | A Parallelizable Enciphering Mode
- Halevi, Rogaway
Citation Context ... symmetric encryption [13]. Halevi and Rogaway show that tweakable blockciphers have immediate applications to disk encryption, where the tweak is set to the memory address of an encrypted block [10], [11]. Thus two encrypted blocks storing the same data look completely different, even though the decryption of the blocks remains straightforward. Additionally, Rogaway developed XEX mode which creates a ... |

40 | Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC
- Rogaway
- 2004
Citation Context ...l hash function. All subsequent constructions of tweakable blockciphers have been created in this model, where a tweakable blockcipher is created using a regular blockcipher as a primitive [10], [10], [26], [5]. Tweakable blockciphers are important primitives which have many practical applications. Liskov, Rivest and Wagner show that tweakable blockciphers can be used to implement secure symmetric encr... |

26 | On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions
- Black, Cochran, et al.
Citation Context ...P1619 [30]. Tweakable blockciphers have also been studied in a variety of other contexts including the security against key related attacks [1], the security of tweakable modes [12], [16], efficiency [3], and other general constructions [5]. 1.2.2 Feistel Blockciphers 3 Ciphertext stealing is a method for using modes of operations for encrypting messages that are not evenly divisible into blocks with... |

24 | Faster Luby-Rackoff Ciphers
- Lucks
- 1996
Citation Context ...four-round Feistel cipher is illustrated in Figure 1.1. Lucks described an optimization for the CPA secure three-round Feistel construction by replacing the first round with a universal hash function [15]. Shortly thereafter, Naor and Reingold provided optimizations for the strongly secure four-round cipher, replacing both the first and last rounds with a more general type of funct... |

21 | A fast large block cipher for disk sector encryption
- Mercy
- 2000
Citation Context ...} n . The first blockcipher to allow for an auxiliary input, called the spice, was the Hasty Pudding Cipher created by Rich Schroeppel [28]. Another cipher, the Mercy Cipher created by Paul Crowley [6] also allows for an additional input, called the randomiser, which creates variability within the cipher. Tweakable blockciphers were thereafter formalized by Liskov, Rivest, and Wagner [13] who presen... |

20 | Security of Random Feistel Schemes with 5 or More Rounds
- Patarin
- 2004
Citation Context ...y of tweakable blockciphers against a computationally unbounded adversary allowed $q \ll 2^k$ queries, where $k$ is half the input size. Our results match the best level of security proven for blockciphers [22]. We also explicitly address the problem of incorporating tweaks of arbitrary length into a tweakable blockcipher. This is an important problem because certain applications require different, specific... |

14 | a Cryptographic Algorithm
- Sorkin
- 1987
Citation Context ...n the round functions are unpredictable rather than pseudorandom [8]. Many common blockciphers are constructed in a Feistel model and include: DES [18], RC6 [25], Mars [4], Blowfish [27], and Lucifer [29]. 1.2.3 Exponential Adversaries Thus far, the security of tweakable blockciphers has only been proven against polynomial adversaries. An adversary A is defined to be polynomial if A runs in polynomia... |

12 | Etude des Générateurs de Permutations Basés sur le Schéma du D.E.S., Phd Thèsis de Doctorat de l’Université de Paris 6
- Patarin
- 1991
Citation Context ...ssage) is $2k$, then $A'$ is allowed $q \ll 2^k$ oracle queries. 1.2.4 Exponential Security of Feistel Ciphers The exponential security of Feistel blockciphers has been formally studied by Jacques Patarin [19], [20], [21], [22], [23]. Much of this thesis is based on Patarin’s work where he proved that against exponential adversaries [21]: • a four-round Feistel construction is secure against known plaintex... |

11 | A general construction of tweakable block ciphers and different modes of operations
- Chakraborty, Sarkar
Citation Context ... function. All subsequent constructions of tweakable blockciphers have been created in this model, where a tweakable blockcipher is created using a regular blockcipher as a primitive [10], [10], [26], [5]. Tweakable blockciphers are important primitives which have many practical applications. Liskov, Rivest and Wagner show that tweakable blockciphers can be used to implement secure symmetric encryptio... |

11 | How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function
- Patarin
- 1993
Citation Context ... is $2k$, then $A'$ is allowed $q \ll 2^k$ oracle queries. 1.2.4 Exponential Security of Feistel Ciphers The exponential security of Feistel blockciphers has been formally studied by Jacques Patarin [19], [20], [21], [22], [23]. Much of this thesis is based on Patarin’s work where he proved that against exponential adversaries [21]: • a four-round Feistel construction is secure against known plaintext atta... |

8 | a candidate cipher for AES
- MARS
- 1998
Citation Context ...nding of these constructions when the round functions are unpredictable rather than pseudorandom [8]. Many common blockciphers are constructed in a Feistel model and include: DES [18], RC6 [25], Mars [4], Blowfish [27], and Lucifer [29]. 1.2.3 Exponential Adversaries Thus far, the security of tweakable blockciphers has only been proven against polynomial adversaries. An adversary A is defined to be ... |

7 | Luby-Rackoff: 7 rounds are enough for $2^{n(1-\varepsilon)}$ security
- Patarin
- 2003
Citation Context ... , then $A'$ is allowed $q \ll 2^k$ oracle queries. 1.2.4 Exponential Security of Feistel Ciphers The exponential security of Feistel blockciphers has been formally studied by Jacques Patarin [19], [20], [21], [22], [23]. Much of this thesis is based on Patarin’s work where he proved that against exponential adversaries [21]: • a four-round Feistel construction is secure against known plaintext attacks, •... |

5 | Cryptanalysis of the EMD mode of operation
- Joux
Citation Context ...sk encryption standard P1619 [30]. Tweakable blockciphers have also been studied in a variety of other contexts including the security against key related attacks [1], the security of tweakable modes [12], [16], efficiency [3], and other general constructions [5]. 1.2.2 Feistel Blockciphers 3 Ciphertext stealing is a method for using modes of operations for encrypting messages that are not evenly divi... |

4 | Improved Security Analysis of XEX and LRW Modes
- Minematsu
- 2006
Citation Context ...ryption standard P1619 [30]. Tweakable blockciphers have also been studied in a variety of other contexts including the security against key related attacks [1], the security of tweakable modes [12], [16], efficiency [3], and other general constructions [5]. 1.2.2 Feistel Blockciphers 3 Ciphertext stealing is a method for using modes of operations for encrypting messages that are not evenly divisible ... |

3 | On linear systems of equations with distinct variables and small block size. This paper is available from the author or from e-print. A Summary of the known results on random Feistel schemes KPA denotes known plaintext attacks. CPA-1 denotes non-adaptive - Patarin |

2 | A Study of Luby-Rackoff Ciphers
- Ramzan
- 2001
Citation Context ... and Reingold provided optimizations for the strongly secure four-round cipher, replacing both the first and last rounds with a more general type of function [17]. In 2001, Ramzan [24] formally studied many variations on the Feistel construction. Most recently, Dodis and Puniya presented results about Feistel networks, including a combinatorial understanding of these constructions ... |

2 | The Hasty Pudding Cipher. Available at http://www.cs.arizona.edu/~rcs/hpc
- Schroeppel
- 1999
Citation Context ...ockcipher’s signature is: $\widetilde{E} : \{0,1\}^k \times \{0,1\}^t \times \{0,1\}^n \to \{0,1\}^n$. The first blockcipher to allow for an auxiliary input, called the spice, was the Hasty Pudding Cipher created by Rich Schroeppel [28]. Another cipher, the Mercy Cipher created by Paul Crowley [6] also allows for an additional input, called the randomiser, which creates variability within the cipher. Tweakable blockciphers were the... |

1 | On Tweaking Feistel Ciphers
- Crump, Goldberg, et al.
Citation Context ...irectly from blockciphers [13]. Crump, Goldenberg, Hohenberger, Liskov, and Seyalioglu showed that tweakable blockciphers can be constructed directly from pseudorandom functions using a Feistel model [7]. Tweakable blockciphers have only been shown to be secure against polynomial-time adversaries, whereas the security of regular blockciphers has been proven against adversaries capable of launching ge... |

1 | Architecture for Encrypted Shared Storage Media
- Standard
Citation Context ...er [26]. In fact, XTS-AES (AES in XEX mode with ciphertext stealing 3 ) is currently being considered by SISWG (Security in Storage Working Group) for the proposed IEEE disk encryption standard P1619 [30]. Tweakable blockciphers have also been studied in a variety of other contexts including the security against key related attacks [1], the security of tweakable modes [12], [16], efficiency [3], and o... |

1 | Improving the SHA1 attack from $2^{69}$ to $2^{63}$ Operations. Rump Session Crypto 2005, 2005. Elizabeth Ann Crump Elizabeth Ann Crump was born on August 16th, 1983 in Waynesboro, Virginia to her parents James Edward Crump Jr. and Kathleen O’Connor Crump. She g
- Wang, Yao, et al.
- 2007
Citation Context ...r than brute force time, even though the best known attack still requires many operations (a brute force attack requires $2^{80}$ hash operations while the best known attack requires $2^{63}$ hash operations [31]). Blockciphers, by design, only allow us to encrypt messages of size $n$. The most natural way to encrypt larger messages is to break a message $M$ into $m$ blocks of size $n$; thus $M = (M_1, M_2, \ldots, M_m)$ and |M... |