## Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible (1998)

Venue: Advances in Cryptology -- EUROCRYPT '98 Proceedings

Citations: 22 (2 self)

### BibTeX

@INPROCEEDINGS{Bellare98luby-rackoffbackwards,
  author    = {Mihir Bellare and Ted Krovetz and Phillip Rogaway},
  title     = {Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible},
  booktitle = {Advances in Cryptology -- EUROCRYPT '98 Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {1403},
  pages     = {266--280},
  year      = {1998},
  publisher = {Springer-Verlag}
}

### Abstract

We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and that a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation (PRP), we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let E: {0,1}^n × {0,1}^n → {0,1}^n be the block cipher. Then we can construct the PRF F from the PRP E by setting F(k, x) = E(E(k, x), x): the first encryption E(k, x) derives a key that depends on the input, and that key is used to encrypt x a second time. We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.
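The following Python is an added example, not code from Bellare, Krovetz and Rogaway. It implements the special case F(k, x) = E(E(k, x), x) and runs the birthday-collision test that separates a permutation from a random function. The block cipher E is assumed to be a toy 16-bit, 4-round Feistel network whose round functions are derived from SHA-256, and the query budget is chosen so that collisions show up after a few thousand queries; any real block cipher with n-bit blocks and n-bit keys could be substituted for E.

```python
"""Data-dependent re-keying F(k, x) = E(E(k, x), x) and the birthday distinguisher.

Added example; not code from the paper.  E is a toy 16-bit Feistel cipher with
SHA-256-derived round functions (an assumption made so that the example runs
offline on a domain small enough for collisions to appear quickly).
"""
import hashlib
import math
import secrets

N_BITS = 16                      # toy block length and key length n
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
ROUNDS = 4


def _round_fn(key: int, rnd: int, half: int) -> int:
    """Keyed round function {0,1}^(n/2) -> {0,1}^(n/2), derived from SHA-256."""
    data = key.to_bytes(N_BITS // 8, "big") + bytes([rnd]) + half.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big") & HALF_MASK


def E(key: int, x: int) -> int:
    """Toy PRP E: {0,1}^n x {0,1}^n -> {0,1}^n.  A Feistel network is a
    permutation of the block for every key, whatever the round function is."""
    l, r = x >> HALF, x & HALF_MASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _round_fn(key, rnd, r)
    return (l << HALF) | r


def D(key: int, y: int) -> int:
    """Inverse of E; it exists precisely because E is a permutation."""
    l, r = y >> HALF, y & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _round_fn(key, rnd, l), l
    return (l << HALF) | r


def F(key: int, x: int) -> int:
    """Data-dependent re-keying: the first E call derives the per-input key
    E(k, x); the second encrypts x under it.  F has no inverse in general, so
    distinct inputs may collide, as they do for a random function."""
    return E(E(key, x), x)


def is_permutation(key: int) -> bool:
    """Exhaustively check that E(key, .) is a bijection on {0,1}^n."""
    return len({E(key, x) for x in range(1 << N_BITS)}) == 1 << N_BITS


def count_collisions(fn, key: int, q: int) -> int:
    """Query fn on the q distinct inputs 0..q-1 and count outputs seen before.
    A permutation never collides; a random n-bit function collides about
    q(q-1)/2^(n+1) times."""
    seen = set()
    collisions = 0
    for x in range(q):
        y = fn(key, x)
        if y in seen:
            collisions += 1
        seen.add(y)
    return collisions


def birthday_collision_prob(n_bits: int, q: int) -> float:
    """Lower bound 1 - exp(-q(q-1)/2^(n+1)) on the probability that q outputs of
    a random n-bit function contain a collision.  It is also the advantage of
    the collision test against an ideal PRP: non-negligible as q approaches
    2^(n/2) and tending to 1 as q grows past it."""
    return 1.0 - math.exp(-q * (q - 1) / 2 ** (n_bits + 1))


def looks_like_prp(fn, key: int, q: int) -> bool:
    """The birthday distinguisher: no collision in q queries -> guess PRP."""
    return count_collisions(fn, key, q) == 0


if __name__ == "__main__":
    k = secrets.randbelow(1 << N_BITS)
    q = 1 << (N_BITS // 2 + 3)   # 2048 queries: 8x past the 2^(n/2) birthday bound
    print("E is a permutation:", is_permutation(k))
    print("collisions in", q, "queries: E =", count_collisions(E, k, q), " F =", count_collisions(F, k, q))
    print("random-function collision probability at q =", q, ":", round(birthday_collision_prob(N_BITS, q), 4))
    print("distinguisher calls E a PRP:", looks_like_prp(E, k, q), "; calls F a PRP:", looks_like_prp(F, k, q))
```

On this toy domain 2^(n/2) is only 256, so 2048 queries are far past the birthday bound: E never collides and is immediately recognised as a permutation, while F collides roughly q(q-1)/2^(n+1), about 32 times, as a random function would. With a real 64-bit cipher the same test needs on the order of 2^32 queries, which is the q ≫ 2^(n/2) regime the paper is concerned with; F costs two block-cipher calls per evaluation and keeps the original key and block lengths.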

### Citations

1174 | Probabilistic encryption - Goldwasser, Micali - 1984
Citation Context: ...resources. A good encryption scheme is much more than one that prevents key recovery from a ciphertext: it should have the property that even partial information about the plaintext is not revealed [9, 4]. The attacks are well known. See [4] for an analysis of their effectiveness relative to formal notions of security for many other common modes of operation, too. Thus direct use of a 64-bit block s...

791 | Communication Theory of Secrecy Systems - Shannon - 1949
Citation Context: ...ity framework the difference is crucial; indeed, if concrete security is ignored, the problem we are considering does not exist. The ideal block cipher model we use for some of our results is that of [19], used also in [7, 10]. There are many natural ways to try to do the PRP-to-PRF conversion. One of the first to come to mind is to define F_k(x) = x ⊕ E_k(x). This construction is of value in some ...

621 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986
Citation Context: ...2.4 History and related work. Our construction is related to the cascade construction of [3]. The notion of a PRF was first defined in the polynomial-time framework by Goldreich, Goldwasser and Micali [8]. A concrete security treatment of PRFs, together with the idea that concretely defined PRFs/PRPs can be used to model block ciphers, originates with [6]. Luby and Rackoff use the term PRP to refer to...

352 | A concrete security treatment of symmetric encryption: Analysis of DES modes of operation - Bellare, Desai, et al. - 1997
Citation Context: same passage as the Goldwasser-Micali entry above (cited together as [9, 4]).

329 | New hash functions and their use in authentication and set equality - Wegman, Carter - 1981
Citation Context: ...lose to 2^n. Our construction is also more efficient, and it yields a map of the same key size and block length as the original one. In constructing a Wegman-Carter message authentication code (MAC) [21] one needs to symmetrically encrypt the universal hash of each message M. If a PRP is in hand for doing the encryption, one could define MAC_{k1,k2}(M) = (ctr, E_{k2}(ctr) ⊕ h_{k1}(M)), but the securi...

281 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988
Citation Context: ...ransform PRPs into PRFs. That is, starting with a good PRP E (realized by a block cipher), convert it into a good PRF F. This is effectively the reverse of the problem considered by Luby and Rackoff [12], who wanted to turn PRFs into PRPs. A crucial issue is to make transformations that are as "security preserving" as possible. We want Sec^prf_F(q, t) to remain low even for q ≫ 2^{n/2}. Ideally, Sec...

144 | The Security of Cipher Block Chaining - Bellare, Kilian, et al. - 1994
Citation Context: ...bout 1/e if q = 2^{n/2}. The adversary's advantage then goes quickly to 1 with q ≫ 2^{n/2}. 2.3 Luby-Rackoff backwards. The above is part of an emerging view or understanding, emanating from works like [4, 5, 6, 20], that when it comes to designing higher-level primitives (like encryption schemes or MACs) a PRF is a better tool than a PRP, from two points of view: it permits easier and more effective analysis of...

123 | The first experimental cryptanalysis of the Data Encryption Standard - Matsui - 1994
Citation Context: ...omprises) its cryptanalytic strength. Of course we won't know for sure what this function is, but we can work with what we know from cryptanalytic results. For example, if the linear cryptanalysis of [13] is the best attack on DES, we might assume Sec^prp_DES(q, t) stays small (close to 0) until q, t reach around 2^43. From now on, "block cipher" and "PRP" are synonymous, from the security point o...

122 | XOR MACs: New methods for message authentication using finite pseudorandom functions - Bellare, Guerin, et al. - 1995
Citation Context: same passage as the Bellare-Kilian entry above (cited together as [4, 5, 6, 20]).

93 | On the construction of pseudorandom permutations: Luby-Rackoff revisited - Naor, Reingold - 1999
Citation Context: ...o-PRF conversion starting from E. As we explained, Luby and Rackoff consider the complementary problem of turning a PRF into a block cipher [12]. Luby and Rackoff spawned much further work, including [14, 15, 16, 17, 22], and our work shares their emphasis on concrete bounds, efficiency, and tight reductions. 3 The Fn Construction. We have described in Section 2.4 some simple suggestions that don't work and some relat...

92 | Pseudorandom Functions Revisited: The Cascade Construction and Its Concrete Security - Bellare, Canetti, et al. - 1996
Citation Context: ...ion we give has merit which goes beyond the birthday attacks which we have been using to motivate this problem. 2.4 History and related work. Our construction is related to the cascade construction of [3]. The notion of a PRF was first defined in the polynomial-time framework by Goldreich, Goldwasser and Micali [8]. A concrete security treatment of PRFs, together with the idea that concretely defined ...

89 | How to Protect DES Against Exhaustive Key Search - Kilian, Rogaway - 1996
Citation Context: same passage as the Shannon entry above (cited together as [7, 10]).

67 | On Fast and Provably Secure Message Authentication Based on Universal Hashing - Shoup - 1996
Citation Context: same passage as the Bellare-Kilian entry above (cited together as [4, 5, 6, 20]).

50 | A Construction of a Cipher from a Single Pseudorandom Permutation - Even, Mansour - 1997
Citation Context: same passage as the Shannon entry above (cited together as [7, 10]).

31 | A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators - Maurer - 1992
Citation Context: same passage as the Naor-Reingold entry above (cited together as [14, 15, 16, 17, 22]).

22 | personal communication - Kahn - 1966
Citation Context: ...There are many natural alternatives to the Fn^d transformation. For example, truncate E_k(x), defining F_k(x) to be some appropriate-length prefix of E_k(x). This scheme was partially analyzed by [2]. Another natural method is F_{k1 k2}(x) = E_{k1}(x) ⊕ E_{k2}(x). This has not been analyzed. Aiello and Venkatesan [1] give a general construction for turning a PRF E: {0,1} × {0,1}^n → {0,1}^n ...

14 | How to construct pseudorandom permutations from single pseudorandom functions - Pieprzyk - 1990

12 | Improved security bounds for pseudorandom permutations - Patarin - 1997
Citation Context: same passage as the Naor-Reingold entry above (cited together as [14, 15, 16, 17, 22]).

12 | About Feistel schemes with six (or more) rounds (FSE) - Patarin - 1998

9 | Impossibility and optimality results on constructing pseudorandom permutations - Zheng, Matsumoto, et al. - 1989

3 | Foiling birthday attacks in output-doubling transformations - Aiello, Venkatesan - 1996
Citation Context: ...e some appropriate-length prefix of E_k(x). This scheme was partially analyzed by [2]. Another natural method is F_{k1 k2}(x) = E_{k1}(x) ⊕ E_{k2}(x). This has not been analyzed. Aiello and Venkatesan [1] give a general construction for turning a PRF E: {0,1} × {0,1}^n → {0,1}^n into a PRF F: {0,1}^6 × {0,1}^{2n} → {0,1}^{2n}. But this is a different problem. Although they too want to c...

1 | Pseudorandomness and Cryptographic Applications - Luby - 1996
Citation Context: ...han 2^{n/2} blocks? One answer is to use a slightly different type of primitive in an appropriate mode of operation: specifically, a "pseudorandom function" (PRF) in CTR (counter) mode, as discussed in [4, 11] and explained further below. This way to encrypt is easy and has no extra overhead if a PRF of cost comparable to the block cipher is available. The above is only one example of an issue that arises ...