How to Build Pseudorandom Functions From Public Random Permutations
Pseudorandom functions are traditionally built upon block ciphers, but with the trend of permutation-based cryptography, it is a natural question to investigate the design of pseudorandom functions from random permutations. We present a generic study of how to build beyond-birthday-bound secure pseudorandom functions from public random permutations. We first show that a pseudorandom function based on a single permutation call cannot be secure beyond the birthday bound, where n is the state size of the function. We next consider the Sum of Even-Mansour (SoEM) construction, which instantiates the sum of permutations with the Even-Mansour construction. We prove that SoEM achieves tight -bit security if it is constructed from two independent permutations and two randomly drawn keys. We also demonstrate a birthday bound attack if either the permutations or the keys are identical. Finally, we present the Sum of Key Alternating Ciphers (SoKAC) construction, a translation of Encrypted Davies-Meyer Dual to a public permutation based setting, and show that SoKAC achieves tight -bit security even when a single key is used.
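The birthday bound attack on the identical-permutation variant is easy to see in code. The following is an added example, not code from the paper: it uses a toy state size of n = 16 bits, a seeded shuffle as the "public random permutation" (anyone, attacker included, can evaluate it), and the single-key Even-Mansour form EM_{P,K}(x) = P(x xor K) xor K, so that SoEM is the XOR of two such instances. With P1 = P2 the function satisfies F(x xor K1 xor K2) = F(x), so a collision among a constant multiple of 2^(n/2) queries reveals K1 xor K2; with two independent permutations the same attack finds nothing. The key values and the query budget (2048, i.e. 8 times 2^(n/2)) are constructed for the demo.

```python
import random

N_BITS = 16                 # toy state size n; a real instance would use e.g. 128
SIZE = 1 << N_BITS
MASK = SIZE - 1


def public_permutation(seed: int) -> list:
    """Stand-in for a public random permutation on n bits: a seeded shuffle that
    anyone, attacker included, can evaluate. Only the keys are secret."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table


def even_mansour(P: list, key: int, x: int) -> int:
    """Single-key Even-Mansour: EM_{P,K}(x) = P(x xor K) xor K."""
    return P[x ^ key] ^ key


def soem(P1: list, P2: list, k1: int, k2: int):
    """Sum of Even-Mansour: F(x) = EM_{P1,K1}(x) xor EM_{P2,K2}(x).
    Passing the same table for P1 and P2 gives the single-permutation variant."""
    return lambda x: even_mansour(P1, k1, x) ^ even_mansour(P2, k2, x)


def birthday_attack(F, rng: random.Random, queries: int = 2048, checks: int = 8):
    """Collision attack on the single-permutation variant.

    With P1 == P2 the function is symmetric: F(x xor k1 xor k2) == F(x) for all x,
    so among a few times 2^(n/2) random queries a colliding pair whose XOR equals
    k1 xor k2 appears with overwhelming probability. Random collisions occur too,
    so every candidate difference is confirmed on fresh inputs. Returns the
    recovered k1 xor k2, or None if no difference survives (as happens for SoEM
    with independent permutations, or for a random function)."""
    seen = {}                                   # output -> list of inputs seen
    for x in rng.sample(range(SIZE), queries):  # distinct inputs, so x != x0 below
        y = F(x)
        for x0 in seen.get(y, []):
            delta = x ^ x0
            fresh = rng.sample(range(SIZE), checks)
            if all(F(z) == F(z ^ delta) for z in fresh):
                return delta
        seen.setdefault(y, []).append(x)
    return None


def demo() -> dict:
    """Identical permutations: the key difference leaks at the birthday bound.
    Independent permutations: the same attack finds no structural difference."""
    P1, P2 = public_permutation(1), public_permutation(2)
    k1, k2 = 0x1234, 0xBEEF                     # constructed secret keys
    return {
        "k1_xor_k2": k1 ^ k2,
        "identical_perms": birthday_attack(soem(P1, P1, k1, k2), random.Random(7)),
        "independent_perms": birthday_attack(soem(P1, P2, k1, k2), random.Random(7)),
    }


if __name__ == "__main__":
    print(demo())
```

The eight fresh-input checks are what separate the structural collision from the ordinary ones: a random difference passes them with probability 2^(-8n), while K1 xor K2 passes always. Note that recovering K1 xor K2 is already a distinguisher, since a random function has no such difference at all.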
Permutation graphs, fast forward permutations, and sampling the cycle structure of a permutation
A permutation P on {1,..,N} is a fast forward permutation if for each m the
computational complexity of evaluating P^m(x) is small independently of m and
x. Naor and Reingold constructed fast forward pseudorandom cycluses and
involutions. By studying the evolution of permutation graphs, we prove that the
number of queries needed to distinguish a random cyclus from a random
permutation on {1,..,N} is Theta(N) if one does not use queries of the form
P^m(x), but is only Theta(1) if one is allowed to make such queries.
We construct fast forward permutations which are indistinguishable from
random permutations even when queries of the form P^m(x) are allowed. This is
done by introducing an efficient method to sample the cycle structure of a
random permutation, which in turn solves an open problem of Naor and Reingold.
Comment: Corrected a small error
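One concrete constant-query distinguisher of the kind the abstract refers to, as an added example that is not the paper's own construction: query P^N(x) for a few random x. A cyclus consists of one cycle of length N, so P^N(x) = x always; for a random permutation, P^N(x) = x only if the cycle through x has length dividing N, which for prime N means x is a fixed point or the whole permutation happens to be a cyclus. The toy oracle below computes P^m(x) by walking the cycle once, which is not fast forward in the paper's sense; the point being shown is the number of oracle queries, not their cost. N = 99991 (prime) and the seeds are constructed for the demo.

```python
import random


def random_permutation(n: int, rng: random.Random) -> list:
    p = list(range(n))
    rng.shuffle(p)
    return p


def random_cyclus(n: int, rng: random.Random) -> list:
    """A uniformly random single-cycle permutation: visit the points in a random
    order and map each one to the next, the last wrapping around to the first."""
    order = list(range(n))
    rng.shuffle(order)
    p = [0] * n
    for i in range(n):
        p[order[i]] = order[(i + 1) % n]
    return p


def fast_forward(p: list, x: int, m: int) -> int:
    """The oracle P^m(x). This toy walks the cycle through x once (cost: cycle
    length, independent of m); the paper's constructions make the evaluation
    cheap outright. Only the number of such queries matters below."""
    cycle = [x]
    y = p[x]
    while y != x:
        cycle.append(y)
        y = p[y]
    return cycle[m % len(cycle)]


def looks_like_cyclus(p: list, rng: random.Random, trials: int = 3) -> bool:
    """Constant-query distinguisher: P^N(x) == x iff the cycle through x has
    length dividing N. For a cyclus every cycle has length N. For a random
    permutation with N prime this holds only if x is a fixed point or the
    permutation is itself a cyclus, both of probability about 1/N."""
    n = len(p)
    return all(fast_forward(p, x, n) == x for x in rng.sample(range(n), trials))


def demo(n: int = 99991) -> dict:
    rng = random.Random(2024)       # constructed seed
    return {
        "cyclus": looks_like_cyclus(random_cyclus(n, rng), rng),
        "random_perm": looks_like_cyclus(random_permutation(n, rng), rng),
    }


if __name__ == "__main__":
    print(demo())
```

Three queries of the form P^N(x) settle the question; without them, an adversary restricted to evaluating P one step at a time has to trace cycles, which is where the Theta(N) lower bound comes from.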
Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
We present new connections between quantum information and the field of
classical cryptography. In particular, we provide examples where Simon's
algorithm can be used to show insecurity of commonly used cryptographic
symmetric-key primitives. Specifically, these examples consist of a quantum
distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC
which forges a tag for a chosen-prefix message querying only other messages (of
the same length). We assume that an adversary has quantum-oracle access to the
respective classical primitives. Similar results have been achieved recently in
independent work by Kaplan et al. Our findings shed new light on the
post-quantum security of cryptographic schemes and underline that classical
security proofs of cryptographic constructions need to be revisited in light of
quantum attackers.
Comment: 14 pages, 2 figures. v3: final polished version, more formal
definitions added
Bloom Filters in Adversarial Environments
Many efficient data structures use randomness, allowing them to improve upon
deterministic ones. Usually, their efficiency and correctness are analyzed
using probabilistic tools under the assumption that the inputs and queries are
independent of the internal randomness of the data structure. In this work, we
consider data structures in a more robust model, which we call the adversarial
model. Roughly speaking, this model allows an adversary to choose inputs and
queries adaptively according to previous responses. Specifically, we consider a
data structure known as "Bloom filter" and prove a tight connection between
Bloom filters in this model and cryptography.
A Bloom filter represents a set of elements approximately, by using fewer
bits than a precise representation. The price for succinctness is allowing some
errors: for any element in the set it should always answer `Yes', and for any
element not in the set it should answer `Yes' only with small probability.
In the adversarial model, we consider both efficient adversaries (that run in
polynomial time) and computationally unbounded adversaries that are only
bounded in the number of queries they can make. For computationally bounded
adversaries, we show that non-trivial (memory-wise) Bloom filters exist if and
only if one-way functions exist. For unbounded adversaries we show that there
exists a Bloom filter for sets of size and error , that is
secure against queries and uses only
bits of memory. In comparison, is the best
possible under a non-adaptive adversary.
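The gap between the classical analysis and the adversarial model can be seen with a small filter. The following is an added example, not the paper's construction: a Bloom filter whose k hash functions are HMAC-SHA256 under a key, and an adversary who chose the inserted elements (as the model allows) and so can rebuild the filter locally under a guessed key and search offline for non-members the replica accepts. When the hash seed is public, the classical independence assumption is simply false: every offline candidate is a guaranteed false positive of the real filter, found with zero queries to it. When the key is a secret PRF key, the offline search is worth no more than guessing and only the nominal error rate remains, leaving the adversary with adaptive online queries, which is exactly what the paper's bounds are about. The member set, the probe strings, the seed and the key are constructed for the demo; the parameters (1024 bits, 32 members, 3 hashes) give a false-positive rate of roughly 7 x 10^-4.

```python
import hashlib
import hmac

M_BITS = 1024            # filter size in bits
K_HASHES = 3             # hash functions per element
# Constructed member set. In the adversarial model the adversary picks the inputs,
# so it knows exactly what was inserted.
MEMBERS = [b"user-%03d" % i for i in range(32)]


class BloomFilter:
    """Bloom filter whose k hash functions are HMAC-SHA256 under `key`. The key
    is the filter's internal randomness: a public seed in the classical setting,
    a secret PRF key in the adversarial one."""

    def __init__(self, key: bytes, m_bits: int = M_BITS, k: int = K_HASHES):
        self.key, self.m, self.k = key, m_bits, k
        self.bits = bytearray(m_bits)      # one byte per bit, for clarity

    def _positions(self, item: bytes):
        for i in range(self.k):
            digest = hmac.new(self.key, bytes([i]) + item, hashlib.sha256).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos] = 1

    def contains(self, item: bytes) -> bool:
        return all(self.bits[pos] for pos in self._positions(item))


def adversary_candidates(key_guess: bytes, members, count: int, budget: int = 500_000):
    """Offline adversary: rebuild the filter under `key_guess`, then search for
    non-members the replica accepts. If the guess is the real seed, every
    candidate is a false positive of the real filter, found without querying it."""
    replica = BloomFilter(key_guess)
    for x in members:
        replica.add(x)
    member_set, found = set(members), []
    for j in range(budget):
        probe = b"probe-%d" % j                 # constructed non-member probes
        if probe not in member_set and replica.contains(probe):
            found.append(probe)
            if len(found) == count:
                break
    return found


def attack(real_key: bytes, key_guess: bytes, count: int = 50) -> tuple:
    """Returns (candidates the real filter confirms as false positives, candidates tried)."""
    real = BloomFilter(real_key)
    for x in MEMBERS:
        real.add(x)
    candidates = adversary_candidates(key_guess, MEMBERS, count)
    return sum(real.contains(c) for c in candidates), len(candidates)


PUBLIC_SEED = b"bloom-seed-v1"                          # constructed: readable from the source
SECRET_KEY = b"\x7f\x02\x9a\x11\xc4\x5e\x30\xd8"        # constructed: use a real random key in practice


def demo() -> dict:
    public_hits, n_public = attack(PUBLIC_SEED, PUBLIC_SEED)   # adversary knows the seed
    keyed_hits, n_keyed = attack(SECRET_KEY, b"wrong-guess")   # adversary has to guess
    return {"public": (public_hits, n_public), "keyed": (keyed_hits, n_keyed)}


if __name__ == "__main__":
    print(demo())
```

With the public seed all 50 offline candidates are confirmed false positives; with the secret key the adversary's 50 candidates fool the real filter only at about the nominal rate. The keyed filter is not thereby secure against adaptive online queries: each `Yes`/`No` answer leaks information about the key's behaviour, and the abstract's unbounded-adversary result says memory has to grow with the number of queries tolerated.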
Guaranteeing the diversity of number generators
A major problem in using iterative number generators of the form
x_i=f(x_{i-1}) is that they can enter unexpectedly short cycles. This is hard
to analyze when the generator is designed, hard to detect in real time when the
generator is used, and can have devastating cryptanalytic implications. In this
paper we define a measure of security, called sequence diversity, which
generalizes the notion of cycle-length for non-iterative generators. We then
introduce the class of counter assisted generators, and show how to turn any
iterative generator (even a bad one designed or seeded by an adversary) into a
counter assisted generator with a provably high diversity, without reducing the
quality of generators which are already cryptographically strong.
Comment: Small update
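The failure mode and the repair are easy to see on a toy. The following is an added example, not code from the paper: the abstract does not state how the counter is combined with the state, so this example assumes x_i = f(x_{i-1}) XOR i with the result fed back as the next state, and it measures diversity simply as the number of distinct values produced, in the spirit of the abstract's sequence diversity. Two adversarially designed iteration functions are used: one that pulls every state into the 2-cycle 0 -> 1 -> 0 and one that is constant. The state size (16 bits), seeds and step count are constructed for the demo.

```python
N_BITS = 16
MASK = (1 << N_BITS) - 1


def trap_f(x: int) -> int:
    """Adversarially designed iteration function: every state is pulled into
    the 2-cycle 0 -> 1 -> 0, so plain iteration is dead after two steps."""
    return x ^ 1 if x < 2 else 0


def constant_f(x: int) -> int:
    """The degenerate case: a single fixed point, period 1."""
    return 0xABCD


def iterate(f, seed: int, steps: int) -> list:
    """Plain iterative generator x_i = f(x_{i-1})."""
    x, out = seed, []
    for _ in range(steps):
        x = f(x) & MASK
        out.append(x)
    return out


def counter_assisted(f, seed: int, steps: int) -> list:
    """Counter-assisted generator, here x_i = f(x_{i-1}) XOR i with the counter
    folded into the fed-back state (assumed combining operation). Even if f maps
    everything to one value c, the outputs c XOR i are distinct for 2^n steps,
    so a short cycle of f no longer forces a short cycle of the sequence."""
    x, out = seed, []
    for i in range(1, steps + 1):
        x = (f(x) ^ i) & MASK
        out.append(x)
    return out


def diversity(seq: list) -> int:
    """Number of distinct values produced (the quantity measured here)."""
    return len(set(seq))


def demo(steps: int = 4096) -> dict:
    return {
        "trap_plain": diversity(iterate(trap_f, 12345, steps)),
        "trap_counter": diversity(counter_assisted(trap_f, 12345, steps)),
        "const_plain": diversity(iterate(constant_f, 12345, steps)),
        "const_counter": diversity(counter_assisted(constant_f, 12345, steps)),
    }


if __name__ == "__main__":
    print(demo())
```

Plain iteration of the trap function yields two distinct values and of the constant function one, however many steps are taken; the counter-assisted versions yield a fresh value every step for as long as the counter does not wrap, which is the behaviour the abstract's guarantee is about, independent of how bad or how adversarially seeded f is.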