## On the Round Security of Symmetric-Key Cryptographic Primitives (2000)

Venue: In Advances in Cryptology — CRYPTO ’00, volume 1880 of LNCS

Citations: 10 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ramzan00onthe,
  author    = {Zulfikar Ramzan and Leonid Reyzin},
  title     = {On the Round Security of Symmetric-Key Cryptographic Primitives},
  booktitle = {In Advances in Cryptology — CRYPTO ’00, volume 1880 of LNCS},
  year      = {2000},
  pages     = {376--393},
  publisher = {Springer-Verlag}
}
```

### Abstract

We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of four-round Luby-Rackoff ciphers in our model, and show that the ciphers remain secure even if the adversary is given black-box access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions.

1 Introduction

1.1 Block Ciphers

A block cipher is a family of permutations on a message space indexed by a secret key. Each permutation in the family deterministically maps plaintext blocks of some fixed length to ciphertext blocks of the same length; both the permutation and its inverse are efficiently computable given the key. Motivated originally by the study of security of the block ciphe...

### Citations

1425 | Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993

Citation context: ...le Model Our work has interesting implications for Luby-Rackoff ciphers and UHF MACs in the random oracle model. One can easily define security of block ciphers and MACs in this model given the work of [4]: one simply allows all parties (including the adversary) access to the same oracle, and the adversary has to succeed for a random choice of the oracle. Our results imply that the Luby-Rackoff cipher r...

710 | Universal classes of hash functions
- Carter, Wegman
- 1979

Citation context: ...m l : A f;f 1 = 1]s: For any integers q; t 0, we define an insecurity function Adv sprp F (q; t) similarly to Definition 1. 2.1.4 Hash Functions Our definitions of hash functions follow those given in [8], [18], [22], [13], [20]. Definition 3 Let H be a keyed function family with domain I k , range I l , and key length s. Let 1 ; 2 ; 3 ; 4 2 l . H is an 1 -uniform family of hash functions i...

665 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986

Citation context: ...ons of the permutation is unable to distinguish it from a truly random permutation on the same message space. This definition is an extension of the definition of a pseudorandom function generator from [12], where the adversary has oracle access only to the forward direction of the function. 1 1.2 The Natural Round Structure of Symmetric-Key Primitives In addition to defining security of block ciphers, L...

503 | Keying Hash Functions for Message Authentication
- Bellare, Canetti, et al.
- 1996

Citation context: ...[22], [9] can be viewed as consisting of two rounds. Moreover, cryptographic hash functions (e.g., MD-5 [19]), and the various message authentication schemes that are built on top of them (e.g., HMAC [1]), have an induced round structure as well. Consequently, it should come as little surprise that cryptanalysts have often considered looking at individual rounds in order to better understand the secu...

405 | The MD5 Message Digest Algorithm
- Rivest
- 1992

366 | Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993

Citation context: ...order to better understand the security properties of a given design; for example, a large number of papers have been written analyzing reduced-round variants of block ciphers and hash functions (see [5], [21], and the references therein). It thus seems that a theoretical framework incorporating the notion of rounds would be desirable. This paper proposes such a framework. Although our model is a sim...

354 | New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981

Citation context: ...xt. In addition to block ciphers, constructions of other cryptographic primitives often also proceed in rounds. For example, universal-hash-function-based message authentication codes (UHF MACs) [6], [22], [9] can be viewed as consisting of two rounds. Moreover, cryptographic hash functions (e.g., MD-5 [19]), and the various message authentication schemes that are built on top of them (e.g., HMAC [1])...

257 | The Random Oracle Methodology, Revisited
- Canetti, Goldreich, et al.
- 1998

Citation context: ...antiated securely in the real world (that is, with polynomial-time computable functions in place of random oracles) is uncertain, particularly in light of the results of Canetti, Goldreich and Halevi [7]. However, our results open up an interesting direction: is it possible to replace pseudorandom functions with unkeyed functions in any of the constructions we discuss? 2 Prior Definitions and Construc...

157 | The security of cipher block chaining
- Bellare, Kilian, et al.
- 1994

Citation context: ...al Luby-Rackoff construction, some of its variants, and UHF MACs within our framework. 1.3 Our Contributions 1.3.1 A New Model The definition of a secure block cipher from [14], or of a secure MAC from [3], allows the adversary only black-box access to the primitive. We develop the notion of round security, which considers what happens when the adversary has additional access to some of the internal round...

144 | Cryptography and Computer Privacy
- Feistel
- 1973

Citation context: ...ning security of block ciphers, Luby and Rackoff also provided a construction of a secure block cipher based on a pseudorandom function generator. Their block cipher consists of four rounds of Feistel [11] permutations, each of which consists of an application of a pseudorandom ... [footnote: Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA 02139. E-mail: {zulfikar, reyzin}@theo...]

135 | LFSR-based hashing and authentication
- Krawczyk
- 1994

Citation context: ...]s: For any integers q; t 0, we define an insecurity function Adv sprp F (q; t) similarly to Definition 1. 2.1.4 Hash Functions Our definitions of hash functions follow those given in [8], [18], [22], [13], [20]. Definition 3 Let H be a keyed function family with domain I k , range I l , and key length s. Let 1 ; 2 ; 3 ; 4 2 l . H is an 1 -uniform family of hash functions if for all x 2 I k ...

120 | UMAC: Fast and Secure Message Authentication
- Black, Halevi, et al.

Citation context: ...he next. In addition to block ciphers, constructions of other cryptographic primitives often also proceed in rounds. For example, universal-hash-function-based message authentication codes (UHF MACs) [6], [22], [9] can be viewed as consisting of two rounds. Moreover, cryptographic hash functions (e.g., MD-5 [19]), and the various message authentication schemes that are built on top of them (e.g., HMA...

101 | On the construction of pseudorandom permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1999

Citation context: ...the random oracle model if one replaces the functions $f_1$ and $f_2$ with random oracles. That is, in the random oracle model, keying material will only be necessary for $h_1$ and $h_2$, which, as shown in [15] and [18], can be just (variants of) universal hash functions. 3 Similarly, the UHF MAC remains secure if the pseudorandom function, used in the second round, is replaced with a random oracle. Thus, a...

96 | Pseudorandom functions revisited: The cascade construction and its concrete security (Proc. 37th Annual Symposium on the Foundations of Computer Science)
- Bellare, Canetti, et al.
- 1997

Citation context: ...ating the notion of rounds would be desirable. This paper proposes such a framework. Although our model is a simple extension of the classical models of security for symmetric primitives ([14], [12], [2]), it allows one to obtain a number of interesting results not captured by the traditional models. In particular, we analyze the security of the original Luby-Rackoff construction, some of its variants...

56 | Bucket hashing and its application to fast message authentication
- Rogaway
- 1995

Citation context: ...r any integers q; t 0, we define an insecurity function Adv sprp F (q; t) similarly to Definition 1. 2.1.4 Hash Functions Our definitions of hash functions follow those given in [8], [18], [22], [13], [20]. Definition 3 Let H be a keyed function family with domain I k , range I l , and key length s. Let 1 ; 2 ; 3 ; 4 2 l . H is an 1 -uniform family of hash functions if for all x 2 I k ; z 2 ...

54 | A construction of a cipher from a single pseudorandom permutation
- Even, Mansour
- 1997

Citation context: ...racle. Thus, again, in the random oracle model, keying material is needed only for the hash function. Block ciphers have been analyzed in the random-oracle model before. For example, Even and Mansour [10] construct a cipher using a public random permutation oracle P (essentially, the construction is $y = P(k_1 \oplus x) \oplus k_2$, where $k_1$ and $k_2$ constitute the key, x is the plaintext, and y is the resultin...

27 | How to construct pseudorandom permutations and pseudorandom functions
- Luby, Rackoff
- 1988

Citation context: ... computable given the key. Motivated originally by the study of security of the block cipher DES [16], Luby and Rackoff provided a formal model for the security of block ciphers in their seminal paper [14]. They consider a block cipher to be secure (“super pseudorandom,” or secure under both “chosen plaintext” and “chosen ciphertext” attacks) if, without knowing the key, a polynomial-time adversary wit...

25 | Square hash: Fast message authentication via optimized universal hash functions
- Etzel, Patel, et al.
- 1999

Citation context: ... addition to block ciphers, constructions of other cryptographic primitives often also proceed in rounds. For example, universal-hash-function-based message authentication codes (UHF MACs) [6], [22], [9] can be viewed as consisting of two rounds. Moreover, cryptographic hash functions (e.g., MD-5 [19]), and the various message authentication schemes that are built on top of them (e.g., HMAC [1]), hav...

11 | Towards making Luby-Rackoff ciphers optimal and practical
- Patel, Ramzan, et al.
- 1999

Citation context: ...he last round, whose output is the output of the block cipher. Much of the theoretical research that followed the work of [14] focused on efficiency improvements to this construction (e.g., see [15], [18] and references therein). All of these variations can also be naturally broken up into rounds. This theme of an inherent round structure in block ciphers is also seen extensively in practice. For exam...

1 | A self-study course in block cipher cryptanalysis. Available from: http://www.counterpane.com/self-study.html
- Schneier
- 1998

Citation context: ... to better understand the security properties of a given design; for example, a large number of papers have been written analyzing reduced-round variants of block ciphers and hash functions (see [5], [21], and the references therein). It thus seems that a theoretical framework incorporating the notion of rounds would be desirable. This paper proposes such a framework. Although our model is a simple ex...