20 research outputs found

    Improved Security for OCB3

    OCB3 is the current version of the OCB authenticated encryption mode, which has been selected for the third round of CAESAR. So far the integrity analysis has been limited to an adversary making a single forging attempt. A simple extension of the best known bound establishes integrity security as long as the total number of query blocks (including encryptions and forging attempts) does not exceed the birthday bound. In this paper we show an improved bound for the integrity of OCB3 in terms of the number of blocks in the forging attempts. In particular we show that when the number of encryption query blocks is not more than the birthday bound (an assumption without which the privacy guarantee of OCB3 disappears), even an adversary making forging attempts with a number of blocks of the order of $2^n / L_{\max}$ ($n$ being the block size and $L_{\max}$ the length, in blocks, of the longest query) still fails to break the integrity of OCB3.

    An Inverse-free Single-Keyed Tweakable Enciphering Scheme

    In CRYPTO 2003, Halevi and Rogaway proposed CMC, a tweakable enciphering scheme (TES) based on a blockcipher. It requires two blockcipher keys and it is not inverse-free (i.e., the decryption algorithm uses the inverse (decryption) of the underlying blockcipher). We present here a new inverse-free, single-keyed TES. Our construction is a tweakable strong pseudorandom permutation (tsprp), i.e., it is secure against chosen-plaintext-ciphertext adversaries, assuming only that the underlying blockcipher is a pseudorandom permutation (prp), i.e., secure against chosen-plaintext adversaries. In comparison, the sprp assumption on the blockcipher is required for the sprp security of CMC. Our scheme can be viewed as a mixture of type-1 and type-3 Feistel ciphers, and so we call it FMix, or mixed-type Feistel cipher.

    OleF: an Inverse-Free Online Cipher. An Online SPRP with an Optimal Inverse-Free Construction

    Online ciphers, in spite of being insecure against an sprp adversary, can be desirable in some settings because of their ease of implementation and speed. Here we propose a single-keyed inverse-free construction that achieves online sprp security with an optimal number of blockcipher calls. We also include a partial-block construction that requires no extra key.

    Revisiting Turning Online Cipher Off

</gr_replreplace>
<gr_replace lines="26" cat="clarify" orig="In \u27Turning">
    In 'Turning Online Ciphers Off', a class of constructions was defined based on layers of secure online ciphers interleaved with simple mixing layers (such as reversing and block-shifting). Here we show that an SPRP construction proposed in the cited work is insecure. However, the same construction is secure under the assumption that the underlying constructions are online-but-last ciphers. We also include a simpler proof of beyond-birthday security for the other constructions proposed in the same work.
    In \u27Turning Online Ciphers Off\u27, a class of constructions was defined based on layers of secure online ciphers interleaved with simple mixing layers (like reversing and block-shifting). Here we show that an SPRP construction proposed in the work cited is insecure. Howevewr, the same construction is secure under the assumption that the underlying construction is online-but-last ciphers. We include a simpler proof for beyond-birthday security of other constructions proposed in the same work

    A Sponge-Based PRF with Good Multi-user Security

    Both multi-user PRFs and sponge-based constructions have generated a lot of research interest lately. Dedicated analyses for multi-user security have improved the bounds a long way from the early generic bounds obtained through hybrid arguments, yet the bounds generally don't allow the number of users to exceed the birthday bound in the key size. Similarly, known sponge constructions suffer from being only birthday-bound secure in terms of their capacity. We present in this paper $\textsf{Muffler}$, a multi-user PRF built from a random permutation using a full-state sponge with feed-forward, which uses a combination of the user keys and unique user IDs to solve both of the problems mentioned, improving the security bounds for both multi-user constructions and sponge constructions. For $D$ construction query blocks and $T$ permutation queries, with key size $\kappa = n/2$ and tag size $\tau = n/2$ (where $n$ is the state size, i.e., the size of the underlying permutation), both $D$ and $T$ must reach the birthday bound in $n$ in order to distinguish $\textsf{Muffler}$ from a random function.

    Offset-Based BBB-Secure Tweakable Block-ciphers with Updatable Caches

    A nonce-respecting tweakable blockcipher is the building-block for the OCB authenticated encryption mode. An XEX-based TBC is used to process each block in OCB. However, XEX can provide at most birthday bound privacy security, whereas in Asiacrypt 2017, beyond-birthday-bound (BBB) forging security of OCB3 was shown by Bhaumik and Nandi. In this paper we study how at a small cost we can construct a nonce-respecting BBB-secure tweakable blockcipher. We propose the OTBC-3 construction, which maintains a cache that can be easily updated when used in an OCB-like mode. We show how this can be used in a BBB-secure variant of OCB with some additional keys and a few extra blockcipher calls but roughly the same amortised rate

    Eutetrarhynchid trypanorhynchs (Cestoda) from elasmobranchs off Argentina, including the description of Dollfusiella taminii sp. n. and Parachristianella damiani sp. n., and amended description of Dollfusiella vooremi (São Clemente et Gomes, 1989)

    During a parasitological survey of teleosts and elasmobranchs in the Argentine Sea, 3 species of eutetrarhynchids were collected from the batoids Myliobatis goodei Garman and Psammobatis bergi Marini, and the shark Mustelus schmitti Springer. The specimens collected from Mu. schmitti were identified as Dollfusiella vooremi (São Clemente et Gomes, 1989), whereas the specimens from My. goodei and Ps. bergi resulted in new species of Dollfusiella Campbell et Beveridge, 1994 and Parachristianella Dollfus, 1946, respectively. Dollfusiella taminii sp. n. from Ps. bergi is characterised by a distinct basal armature with basal swelling and a heteroacanthous homeomorphous metabasal armature with 7–9 falcate hooks per principal row. Parachristianella damiani sp. n. from My. goodei lacks a distinct basal armature, having 2–3 initial rows of uncinate hooks, a heteroacanthous heteromorphous metabasal armature with the first principal row of small hooks, followed by rows with 10–14 large hooks. This is the first record of Parachristianella in the southwestern Atlantic. The amended description of D. vooremi includes the detailed description of the tentacular armature, including SEM micrographs of all tentacular surfaces. This species is characterised by a basal armature consisting of rows of uncinate and falcate hooks, a basal swelling and a metabasal armature with billhooks on the antibothrial surface and uncinate hooks on the bothrial surface. The scolex peduncle of D. vooremi is covered with enlarged spinitriches. This species is restricted to carcharhiniform sharks, since the report of D. vooremi in Sympterygia bonapartii Müller et Henle off Bahía Blanca (Argentina) is dubious.
    Menoret, Adriana. Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Ciudad Universitaria. Instituto de Biodiversidad y Biología Experimental y Aplicada. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Instituto de Biodiversidad y Biología Experimental y Aplicada; Argentina
    Ivanov, Veronica Adriana. Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Ciudad Universitaria. Instituto de Biodiversidad y Biología Experimental y Aplicada. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Instituto de Biodiversidad y Biología Experimental y Aplicada; Argentina

    On Quantum Secure Compressing Pseudorandom Functions

    In this paper we characterize all $2n$-bit-to-$n$-bit Pseudorandom Functions (PRFs) constructed with the minimum number of calls to $n$-bit-to-$n$-bit PRFs and an arbitrary number of linear functions. First, we show that all two-round constructions are either classically insecure or vulnerable to quantum period-finding attacks. Second, we categorize three-round constructions depending on their vulnerability to these types of attacks. This allows us to identify classes of constructions that could be proven secure. We then proceed to show the security of the following three candidates against any quantum distinguisher that asks at most $2^{n/4}$ (possibly superposition) queries:
    $$\begin{array}{rcl} \mathsf{TNT}(x_1,x_2) &:=& f_3(x_2 \oplus f_2(x_2 \oplus f_1(x_1)))\\ \mathsf{LRQ}(x_1,x_2) &:=& f_2(x_2) \oplus f_3(x_2 \oplus f_1(x_1))\\ \mathsf{LRWQ}(x_1,x_2) &:=& f_3( f_1(x_1) \oplus f_2(x_2)). \end{array}$$
    Note that the first construction is a classically secure tweakable block cipher due to Bao et al., and the third construction is shown to be a quantum-secure tweakable block cipher by Hosoyamada and Iwata with similar query limits. Of note is our proof framework, an adaptation of Chung et al.'s rigorous formulation of Zhandry's compressed oracle technique to the indistinguishability setting, which could be of independent interest. This framework gives very compact and mostly classical-looking proofs compared to Hosoyamada and Iwata's interpretation of Zhandry's compressed oracle.
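    The three candidates above, wired up in code as an added example (this is not the paper's code). Each $f_i$ is an $n$-bit-to-$n$-bit PRF instantiated here with an independently keyed HMAC-SHA-256 truncated to $n$ bits; the keys and the choice $n = 128$ are assumptions for the demonstration. The wrapper counts PRF invocations so the "minimum number of calls" property (three per evaluation) is visible rather than asserted.

```python
"""TNT, LRQ and LRWQ: 2n-to-n compressing PRFs from three n-to-n PRFs.

Added example, not the paper's code. f1, f2, f3 are HMAC-SHA-256 truncated
to n bits under independent (demo) keys; n = 128 bits is an assumption.
"""
import hashlib
import hmac

N_BYTES = 16  # n = 128 bits (assumption for the demo)


class CountingPRF:
    """n-bit-to-n-bit PRF f_K(x) = trunc_n(HMAC-SHA256(K, x)) that counts its calls."""

    def __init__(self, key: bytes):
        self.key = key
        self.calls = 0

    def __call__(self, x: bytes) -> bytes:
        assert len(x) == N_BYTES, "inputs must be exactly n bits"
        self.calls += 1
        return hmac.new(self.key, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


# The three constructions exactly as written in the abstract.
def tnt(f1, f2, f3, x1: bytes, x2: bytes) -> bytes:
    return f3(xor(x2, f2(xor(x2, f1(x1)))))


def lrq(f1, f2, f3, x1: bytes, x2: bytes) -> bytes:
    return xor(f2(x2), f3(xor(x2, f1(x1))))


def lrwq(f1, f2, f3, x1: bytes, x2: bytes) -> bytes:
    return f3(xor(f1(x1), f2(x2)))


def evaluate(construction, x1: bytes, x2: bytes):
    """Evaluate one construction on (x1, x2) with fixed demo keys.

    Returns (n-bit output, total number of underlying PRF calls made).
    """
    prfs = [CountingPRF(b"demo-key-%d" % i) for i in (1, 2, 3)]  # assumed keys
    out = construction(*prfs, x1, x2)
    return out, sum(p.calls for p in prfs)


if __name__ == "__main__":
    x1 = bytes(range(16))       # constructed sample input halves
    x2 = bytes(range(16, 32))
    for c in (tnt, lrq, lrwq):
        out, calls = evaluate(c, x1, x2)
        print(f"{c.__name__.upper():5s} -> {out.hex()}  ({calls} PRF calls)")
```

    Each construction consumes $2n$ bits and emits $n$ bits with exactly three PRF calls; swapping the HMAC instance for any other $n$-bit PRF family leaves the wiring unchanged.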

    Revisiting the Indifferentiability of the Sum of Permutations

    The sum of two n-bit pseudorandom permutations is known to behave like a pseudorandom function with n bits of security. A recent line of research has investigated the security of the sum of two public n-bit permutations and its degree of indifferentiability. Mandal et al. (INDOCRYPT 2010) proved 2n/3-bit security; Mennink and Preneel (ACNS 2015) pointed out a non-trivial flaw in their analysis and re-proved (2n/3 - log_2(n))-bit security. Bhattacharya and Nandi (EUROCRYPT 2018) eventually improved the result to n-bit security. Recently, Gunsing (CRYPTO 2022) observed that a proof technique used in this line of research only holds for sequential indifferentiability. We revisit the line of research in detail, and observe that the strongest bound of n-bit security has two other serious issues in its reasoning: the first is actually the same non-trivial flaw that was present in the work of Mandal et al., while the second discards biases in the randomness influenced by the distinguisher. More concretely, we introduce two attacks that show the limited potential of the different approaches. We (i) show that the latter argument, which discards biases, only holds up to 2^{3n/4} queries, and (ii) perform a differentiability attack against their simulator in 2^{5n/6} queries. On the upside, we revive the result of Mennink and Preneel and show (2n/3 - log_2(n))-bit regular indifferentiability security of the sum of public permutations.
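    The opening sentence above, the sum of two permutations behaving like a PRF, can be seen directly in a small experiment. This is an added example and not code from the paper: the "permutations" are a toy 16-bit balanced Feistel network whose round function is SHA-256 keyed by a demo key (an assumption; a real block cipher would be used in practice). A single permutation never collides on distinct inputs, which is exactly the tell-tale a birthday-bound distinguisher exploits; XORing two independently keyed permutations restores the collision behaviour a random function would show.

```python
"""Sum of two permutations vs. a single permutation: a birthday-bound experiment.

Added example, not the paper's code. The permutation is a toy 16-bit Feistel
network with a SHA-256 round function (an assumption, chosen so the whole
domain can be enumerated offline); the keys are constructed demo values.
"""
import hashlib

N_BITS = 16                      # toy block size n (assumption)
HALF = N_BITS // 2
MASK_HALF = (1 << HALF) - 1
ROUNDS = 8


def round_function(key: bytes, rnd: int, x: int) -> int:
    """Round function: SHA-256 of (key, round index, x), truncated to HALF bits."""
    digest = hashlib.sha256(key + bytes([rnd]) + x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & MASK_HALF


def feistel_permutation(key: bytes, x: int) -> int:
    """Balanced Feistel network on N_BITS bits; a bijection by construction."""
    left, right = x >> HALF, x & MASK_HALF
    for rnd in range(ROUNDS):
        left, right = right, left ^ round_function(key, rnd, right)
    return (left << HALF) | right


def sum_of_permutations(key1: bytes, key2: bytes, x: int) -> int:
    """The construction P1(x) XOR P2(x) with two independent keys."""
    return feistel_permutation(key1, x) ^ feistel_permutation(key2, x)


def count_output_collisions(f, q: int) -> int:
    """Number of pairs of distinct inputs in [0, q) on which f collides."""
    seen = {}
    collisions = 0
    for x in range(q):
        y = f(x)
        collisions += seen.get(y, 0)   # each earlier input with this output is a pair
        seen[y] = seen.get(y, 0) + 1
    return collisions


def birthday_experiment(q: int = 1 << 12):
    """Query q distinct inputs; return (collisions for P1, collisions for P1^P2,
    expected collisions for a truly random N_BITS-bit function)."""
    k1, k2 = b"demo-key-one", b"demo-key-two"   # constructed demo keys
    single = count_output_collisions(lambda x: feistel_permutation(k1, x), q)
    summed = count_output_collisions(lambda x: sum_of_permutations(k1, k2, x), q)
    expected_random = q * (q - 1) / 2 / (1 << N_BITS)
    return single, summed, expected_random


if __name__ == "__main__":
    single, summed, expected = birthday_experiment()
    print(f"single permutation: {single} collisions (always 0)")
    print(f"sum of permutations: {summed} collisions")
    print(f"random function would give about {expected:.0f}")
```

    With $q = 2^{12}$ queries on a 16-bit output, a random function yields roughly $q^2/2^{n+1} \approx 128$ colliding pairs; the lone permutation yields none, so an adversary counting collisions separates it from random at the birthday bound, while the sum does not give that signal away.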