1,333 research outputs found
Distinguishing a truncated random permutation from a random function
An oracle chooses a function f from the set of n bits strings to itself, which is either a randomly chosen permutation or a randomly chosen function. When queried by an n-bit string w, the oracle computes f(w), truncates the m last bits, and returns only the first n-m bits of f(w). How many queries does a querying adversary need to submit in order to distinguish the truncated permutation from a random function?
In 1998, Hall et al. showed an algorithm for determining (with high probability) whether or not f is a permutation, using O ( 2^((m+n)/2) ) queries. They also showed that if m n/7, their method gives a weaker bound.
In this manuscript, we show how a modification of the method used by Hall et al. can solve the porblem completely. It extends the result to essentially every m, showing that
Omega ( 2^((m+n)/2) ) queries are needed to get a non-negligible distinguishing advantage.
We recently became aware that a better bound for the distinguishing advantage, for every m<n, follows from a result of Stam published, in a different context, already in 1978
Best Effort and Practice Activation Codes
Activation Codes are used in many different digital services and known by
many different names including voucher, e-coupon and discount code. In this
paper we focus on a specific class of ACs that are short, human-readable,
fixed-length and represent value. Even though this class of codes is
extensively used there are no general guidelines for the design of Activation
Code schemes. We discuss different methods that are used in practice and
propose BEPAC, a new Activation Code scheme that provides both authenticity and
confidentiality. The small message space of activation codes introduces some
problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on
a general 3-round Feis- tel network of size 2^(2n) . This attack recovers the
complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this
reason, BEPAC is designed in such a way that authenticity and confidentiality
are in- dependent properties, i.e. loss of confidentiality does not imply loss
of authenticity.Comment: 15 pages, 3 figures, TrustBus 201
LNCS
This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NISTās new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ā¤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ā¤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output
When private set intersection meets big data : an efficient and scalable protocol
Large scale data processing brings new challenges to the design of privacy-preserving protocols: how to meet the increasing requirements of speed and throughput of modern applications, and how to scale up smoothly when data being protected is big. Efficiency and scalability become critical criteria for privacy preserving protocols in the age of Big Data. In this paper, we present a new Private Set Intersection (PSI) protocol that is extremely efficient and highly scalable compared with existing protocols. The protocol is based on a novel approach that we call oblivious Bloom intersection. It has linear complexity and relies mostly on efficient symmetric key operations. It has high scalability due to the fact that most operations can be parallelized easily. The protocol has two versions: a basic protocol and an enhanced protocol, the security of the two variants is analyzed and proved in the semi-honest model and the malicious model respectively. A prototype of the basic protocol has been built. We report the result of performance evaluation and compare it against the two previously fastest PSI protocols. Our protocol is orders of magnitude faster than these two protocols. To compute the intersection of two million-element sets, our protocol needs only 41 seconds (80-bit security) and 339 seconds (256-bit security) on moderate hardware in parallel mode
Estimating the Cost of Superposition Attacks on Lightweight Cryptography on Fault-Tolerant Quantum Systems
Wir werden verschiedene Angriffe in Quantensuperposition auf sogenannte Lightweight-Kryptographie Primitive unter Verwendung von Simonās-Algorithmus vorstellen. Drei unserer Angriffe richten sich gegen den Finalisten des NIST Lightweight Cryptography Standardization Process, Elephant. Die anderen Primitive sind LightMAC und ESTATE. Wir werden auch zeigen, dass das KĆ¼rzen der Ausgabe von periodischer 2-zu-1-Funktionen Simonās Algorithmus nicht einschrƤnkt. Dieses Ergebnis kann genutzt werden, um bestehende Angriffe zu beschleunigen.
Die Ressourcenkosten aller vorgestellten Angriffe werden dann unter BerĆ¼cksichtigung eines fehlertoleranten, auf surface-code basierenden Quantencomputers geschƤtzt. Wir werden die Unterschiede zwischen einem Angreifer, der in der Lage ist, das Elephant-Primitiv in Superposition anzufragen, und einem, der nur klassische Anfragen stellen kann, demonstrieren. Selbst wenn beide Zugang zum selben lokalen Quantencomputer haben, wird derjenige, der Zugang zu Superpositionen hat, den geheimen SchlĆ¼ssel in etwa logischen Qubit-Zyklen und 21.2 Sekunden wiederherstellen, wƤhrend der andere etwa logische Qubit-Zyklen und 209.9 Jahre benƶtigt
Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes
We present here a new family of trapdoor one-way Preimage Sampleable
Functions (PSF) based on codes, the Wave-PSF family. The trapdoor function is
one-way under two computational assumptions: the hardness of generic decoding
for high weights and the indistinguishability of generalized -codes.
Our proof follows the GPV strategy [GPV08]. By including rejection sampling, we
ensure the proper distribution for the trapdoor inverse output. The domain
sampling property of our family is ensured by using and proving a variant of
the left-over hash lemma. We instantiate the new Wave-PSF family with ternary
generalized -codes to design a "hash-and-sign" signature scheme which
achieves existential unforgeability under adaptive chosen message attacks
(EUF-CMA) in the random oracle model. For 128 bits of classical security,
signature sizes are in the order of 15 thousand bits, the public key size in
the order of 4 megabytes, and the rejection rate is limited to one rejection
every 10 to 12 signatures.Comment: arXiv admin note: text overlap with arXiv:1706.0806
- ā¦