## Towards making Luby-Rackoff ciphers optimal and practical (1999)


Venue: IN FAST SOFTWARE ENCRYPTION

Citations: 11 - 3 self

### BibTeX

```
@INPROCEEDINGS{Patel99towardsmaking,
    author = {Sarvar Patel and Ganapathy S. Sundaram and et al.},
    title = {Towards making Luby-Rackoff ciphers optimal and practical},
    booktitle = {IN FAST SOFTWARE ENCRYPTION},
    year = {1999},
    pages = {171--185},
    publisher = {Springer-Verlag}
}
```

### Abstract

We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.

### Citations

668 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986

Citation Context ...e against adaptive chosen plaintext and ciphertext attacks. These permutations are closely related to the concept of pseudorandom functions which was defined by Goldreich, Goldwasser and Micali (GGM) [5]. These are functions which are "indistinguishable" from random functions in polynomial time. The GGM construction relied on the notion of pseudorandom bit generators, i.e., bit generators whose outpu...

511 | Keying Hash Functions for Message Authentication
- Bellare, Canetti, et al.
- 1996

Citation Context ...a message and corresponding MAC that the verification algorithm will accept as valid. The formal security requirement for a Message Authentication Code was defined by Bellare, Canetti and Krawczyk [3]. In particular, we say that an adversary forges a MAC if, when given oracle access to (S_x, V_x), where x is kept secret, the adversary can come up with a valid pair (M, s) such that V_x(M, s) = 1...

366 | HMAC: Keyed-hashing for message authentication
- Krawczyk, Bellare, et al.
- 1997

Citation Context ... underlying primitive is a secure MAC. Here security is with respect to some form of invertibility. From a practical standpoint the use of SHA-1 is justified. For example, the internet RFC HMAC-SHA-1 [4] assumes that forging a tag using SHA-1 as the underlying MAC is hard. In addition to SHA-1 we use the Square Hash function (SQH) which we have introduced earlier. This cipher is driven by a key sched...

303 | How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988

Citation Context ...n The design of block ciphers whose security provably relies on a hard underlying primitive has been a popular area of contemporary cryptographic research. The path breaking paper of Luby and Rackoff [7] described the construction of pseudorandom permutation generators from pseudorandom function generators, which enabled the formalism of the notion of a block cipher. This theoretical breakthrough has...

101 | On the construction of pseudo-random permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1999

Citation Context ...ons are computationally intensive to create and hence any reduction in the number of different functions used directly leads to a more efficient construction. Following these works, Naor and Reingold [10], established a very efficient generalization, where they formalized Lucks' treatment by using strongly universal hash functions. In [10], they achieve an improvement in the computational complexity b...

71 | Two Practical and Provably Secure Block Ciphers
- Anderson, Biham
- 1996

Citation Context ...e SHA-1 as the underlying primitive instead of a family of pseudorandom functions. Replacing pseudorandom functions by cryptographic functions (with desired properties) is not new. Biham and Anderson [2], propose the use of SHA-1 in conjunction with stream ciphers to design block ciphers. Also, Lucks used MD5 with an unbalanced Feistel network and Gutmann's construction uses SHA-1 but different from ...

33 | A simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators
- Maurer
- 1992

Citation Context ...y and Rackoff consists of four Feistel permutations, each of which requires the evaluation of a pseudorandom function. The proofs of security that were provided were subsequently simplified by Maurer [9] where he provided a rather generalized treatment based on information theoretic (as opposed to complexity theoretic) ideas. In what follows we review some of the more popular results in this field. W...

29 | Foiling birthday attacks in length-doubling transformations - Benes: A non-reversible alternative to Feistel
- Aiello, Venkatesan
- 1996

Citation Context ...n how to enhance the security of Luby-Rackoff ciphers. Patarin [12] has shown that a Luby-Rackoff permutation can be distinguished from a random permutation using O(2^{n/2}) queries. In a related work, [1] showed how to obtain pseudorandom functions on 2n bits from pseudorandom functions on n bits using Benes networks. More recently, Patarin [13] has shown that six rounds of the Luby-Rackoff constructi...

25 | Square hash: Fast message authentication via optimized universal hash functions
- Etzel, Patel, et al.
- 1999

Citation Context ...ughly half the number of basic word multiplications than actually multiplying two n-bit numbers. Thus square hash requires fewer operations and instructions to implement. More details can be found in [14]. 4 Proving Security Under MAC Assumption We give an alternate proof of security of our construction. This proof utilizes a weaker, but perhaps more practical, assumption, and makes a weaker claim on ...

23 | Faster Luby-Rackoff ciphers
- Lucks
- 1996

Citation Context ...t. Specifically, as noted in the introduction, most of the focus has been in "reducing" the number of invocations of a random function and the amount of key material used. Following the work of Lucks [8], Naor-Reingold have produced extremely efficient constructions with the help of hash functions and just two calls to a random function. In the present work, we have described a further generalization...

22 | From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs
- Naor, Reingold
- 1998

Citation Context ... plaintext/ciphertext pair after mounting an adaptive chosen plaintext/ciphertext attack. Some earlier work on the relationship between unpredictability (MACs) and indistinguishability was studied in [11]. We now define the relevant notions and then prove our claim. The goal of message authentication codes is for one party to efficiently transmit a message to another party in a way that enables the re...

12 | How to construct pseudorandom permutations from single pseudorandom functions
- Pieprzyk
- 1990

Citation Context ... lot of research has concentrated on obtaining variants of Luby-Rackoff constructions where the number of different pseudorandom functions used in the four rounds is minimized. For example, see [12], [16]. This minimization is motivated by the fact that pseudorandom functions are computationally intensive to create and hence any reduction in the number of different functions used directly leads to a m...

11 | New results on pseudorandom permutation generators based
- Patarin

Citation Context ...his, a lot of research has concentrated on obtaining variants of Luby-Rackoff constructions where the number of different pseudorandom functions used in the four rounds is minimized. For example, see [12], [16]. This minimization is motivated by the fact that pseudorandom functions are computationally intensive to create and hence any reduction in the number of different functions used directly leads ...

11 | Improved security bounds for pseudorandom permutations, 4th ACM Conference on Computer and Communications Security, 142-150
- Patarin
- 1997

Citation Context ...m permutation using O(2^{n/2}) queries. In a related work, [1] showed how to obtain pseudorandom functions on 2n bits from pseudorandom functions on n bits using Benes networks. More recently, Patarin [13] has shown that six rounds of the Luby-Rackoff construction (instead of four) results in a pseudorandom permutation which cannot be distinguished from a random permutation with advantage better than O...

8 | Faster Luby-Rackoff ciphers - Lucks - 1996

4 | A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators - Maurer - 1992

2 | documentation to SFS release 1.20 - Gutmann - 1995

1 | On constructing pseudorandom generators based on cryptographic hash functions
- Patel, Ramzan, et al.

Citation Context ...a universal class. For example, the linear congruential hash function in any finite field is a very good candidate. The proof of security of this key scheduling generator will be presented elsewhere, [15]. 6 A Discussion on Optimality Since the invention of Luby-Rackoff ciphers, considerable progress has been made with respect to making the construction more efficient. Specifically, as noted in the in...

1 | Efficient pseudorandom generators from cryptographic hash functions, preprint
- Patel, Ramzan, et al.

Citation Context ...niversal class. For example, the linear congruential hash function in any finite field is a very good candidate. The proof of security of this key scheduling generator will be presented elsewhere, [15]. 6 A Discussion on Optimality Since the invention of Luby-Rackoff ciphers, considerable progress has been made with respect to making the construction more efficient. Specifically, as noted in the in...

1 | Towards Making Luby-Rackoff Ciphers Optimal and Practical - Aiello, Venkatesan - 1996