## How to Stretch Random Functions: The Security of Protected Counter Sums (1999)

Venue: Journal of Cryptology

Citations: 19 - 7 self

### BibTeX

@ARTICLE{Bernstein99howto,
  author = {Daniel J. Bernstein},
  title = {How to Stretch Random Functions: The Security of Protected Counter Sums},
  journal = {Journal of Cryptology},
  year = {1999},
  volume = {12},
  pages = {185--192}
}

### Abstract

Let f be an unpredictable random function taking (b + c)-bit inputs to b-bit outputs. This paper presents an unpredictable random function f′ taking variable-length inputs to b-bit outputs. This construction has several advantages over chaining, which was proven unpredictable by Bellare, Kilian, and Rogaway, and cascading, which was proven unpredictable by Bellare, Canetti, and Krawczyk. The highlight here is a very simple proof of security.

### Citations

2762 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1996 |

Citation context: ...ility, taking constant factors and practical issues into account. "Unpredictable" has several aliases in the literature: "cryptographically strong" (see [26] or [15]), "cryptographically secure" (see [20]), and "pseudorandom" (see, e.g., [19]). "Fixed-input/variable-input pseudorandom function" is used in [3] where I would say "unpredictable random function on blocks/messages" respectively. I find it di...

731 | The Art of Computer Programming, Volume 2, Seminumerical Algorithms - Knuth - 1973 |

718 | Universal classes of hash functions - Carter, Wegman - 1979 |

Citation context: ... answer only one question. One-time security is not sufficient for most practical applications. The following random function on a finite field is unpredictable with an n-time oracle; see [17, page 486] and [11]. Select independent uniform random elements $k_0, k_1, \ldots, k_{n-1}$ in the field, and consider the function $x \mapsto k_0 + k_1 x + \cdots + k_{n-1} x^{n-1}$. Notes. In [29], while introducing the Turing test, Turi...

668 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

Citation context: ...redictable. Unfortunately the details of Turing's example were never published. A specific asymptotic form of Turing's notion of unpredictability was introduced by Goldreich, Goldwasser, and Micali in [15], and studied further by Luby and Rackoff in [19]. The theorems stated in [15] and [19], being purely asymptotic, are irrelevant to applied cryptography, though the constructions underlying the theorem...

303 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988 |

Citation context: ...s example were never published. A specific asymptotic form of Turing's notion of unpredictability was introduced by Goldreich, Goldwasser, and Micali in [15], and studied further by Luby and Rackoff in [19]. The theorems stated in [15] and [19], being purely asymptotic, are irrelevant to applied cryptography, though the constructions underlying the theorems are useful. ...

215 | The security of the cipher block chaining message authentication code - Bellare, Kilian, et al. - 2000 |

Citation context: ...-bit outputs. I show that if f is an unpredictable random function then f′ is also unpredictable. See section 4. This construction compares favorably with chaining, which was proven unpredictable in [7], and cascading, which was proven unpredictable in [3]. All the ideas in the protected counter sum construction are already present in [5] and [3]. My main contribution is the exact security analysis,...

159 | The security of cipher block chaining - Bellare, Kilian, et al. - 1994 |

129 | XOR MACs: New methods for message authentication using finite pseudorandom functions - Bellare, Guerin, et al. - 1995 |

96 | Pseudorandom Functions Revisited: The Cascade Construction and - Bellare, Canetti, et al. - 1996 |

86 | On the Generation of Cryptographically Strong Pseudorandom Sequences - Shamir - 1983 |

Citation context: ...continue Turing's concrete study of unpredictability, taking constant factors and practical issues into account. "Unpredictable" has several aliases in the literature: "cryptographically strong" (see [26] or [15]), "cryptographically secure" (see [20]), and "pseudorandom" (see, e.g., [19]). "Fixed-input/variable-input pseudorandom function" is used in [3] where I would say "unpredictable random functi...

76 | On fast and provably secure message authentication based on universal hashing - Shoup - 1996 |

57 | Bucket hashing and its application to fast message authentication - Rogaway - 1995 |

52 | Real Analysis (3rd Edition) - Royden - 1988 |

Citation context: ...c probability theory Probability theory considers a set Pr of possible universes. Pr is a probability space, i.e., a measure space of total measure 1. For an introduction to measure theory see, e.g., [25]. An event is a measurable subset of Pr. The measure of an event E is called the probability of E, written Pr[E]. For example, flip a fair coin. Let E be the event that the coin comes up heads, i.e., th...

47 | Computing machinery and intelligence, Mind 59 - Turing - 1950 |

Citation context: ...an n-time oracle; see [17, page 486] and [11]. Select independent uniform random elements $k_0, k_1, \ldots, k_{n-1}$ in the field, and consider the function $x \mapsto k_0 + k_1 x + \cdots + k_{n-1} x^{n-1}$. Notes. In [29], while introducing the Turing test, Turing discussed the claim that an observer of mechanical behavior could always figure out the underlying rules of behavior. He pointed out that a particular easily ...

11 | Inferring Sequences Produced by a Linear Congruential Generator Missing Low-Order Bits - Boyar - 1989 |

Citation context: ...espectively. I find it distasteful to use "pseudorandom" to mean "passes all statistical tests"; for fifty years the standard meaning of "pseudorandom" has been "passes some statistical tests." See [16], [10], [22], [20], or [21, page 950]. 3. Proving information-theoretic unpredictability Let S and T be finite sets. Let $q_1, q_2, \ldots, q_m$ be distinct elements of S. A random function f from S to T is w...

11 | The Riemann hypothesis and pseudorandom features of the Möbius sequence - Good, Churchhouse - 1968 |

Citation context: ...ges" respectively. I find it distasteful to use "pseudorandom" to mean "passes all statistical tests"; for fifty years the standard meaning of "pseudorandom" has been "passes some statistical tests." See [16], [10], [22], [20], or [21, page 950]. 3. Proving information-theoretic unpredictability Let S and T be finite sets. Let $q_1, q_2, \ldots, q_m$ be distinct elements of S. A random function f from S to ...

6 | The serial test for congruential pseudorandom numbers generated by inversions - Niederreiter - 1989 |

Citation context: ...ively. I find it distasteful to use "pseudorandom" to mean "passes all statistical tests"; for fifty years the standard meaning of "pseudorandom" has been "passes some statistical tests." See [16], [10], [22], [20], or [21, page 950]. 3. Proving information-theoretic unpredictability Let S and T be finite sets. Let $q_1, q_2, \ldots, q_m$ be distinct elements of S. A random function f from S to T is within ...

3 | annual symposium on foundations of computer science - 37th - 1996 |

1 | SURF: Simple Unpredictable Random Function, draft available from http://pobox.com/~djb/papers/surf.dvi - Bernstein |

Citation context: ...ascading, which was proven unpredictable by Bellare, Canetti, and Krawczyk. The highlight here is a very simple proof of security. 1. Introduction When k is kept secret, the function surf_k defined in [9], taking 384-bit inputs to 256-bit outputs, appears to be unpredictable. There is a $1000 reward for anyone who can predict surf_k. Starting from surf_k one can construct efficient secret-key solutions ...

1 | Oded Kariv (editors), Automata, languages and programming - Even - 1981 |

1 | Mish (editor), Webster's ninth new collegiate dictionary - Frederick - 1987 |