Parallelizable MACs Based on the Sum of PRPs with Security Beyond the Birthday Bound

Moch, Alexander; List, Eik

doi:10.1007/978-3-030-21568-2_7

Cited by 5 publications

(2 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Instead, these security proofs require (by application of the H-Coefficient technique [38]) a good lower bound on the number of distinct solutions to a system of bivariate affine equations with a general ξ max and therein comes the role of the result "Theorem P i ⊕ P j for any ξ max ". It has also been used in proving the beyond-birthday-bound security of many nonce-based MACs including [5,15,16,18,31]. Mennink [30] showed the optimal security bound of EWCDM using this result as the primary underlying tool, and Iwata et al [22] also used it to show the optimal security bound of CENC.…”

Section: Applications Of Theorem P I ⊕ P J For Any ξ Maxmentioning

confidence: 99%

“…Recently, a similar problem in the tweakable setting has been examined in [25], with an application to the security of the CLRW2 construction 4 . Mirror Theory has also been considered for nonce-based MACs that rely on an underlying blockcipher or tweakable blockciphers, such as in [15,16,18,26,31]. In that case, constraints also include inequalities of the form P i ⊕ P j = λ i,j , which also have to be taken into account.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Proof of Mirror Theory for a Wide Range of $$\xi _{\max }$$

Cogliati

Dutta²,

Nandi

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In CRYPTO'03, Patarin conjectured a lower bound on the number of distinct solutions (P1, . . . , Pq) ∈ ({0, 1} n ) q satisfying a system of equations of the form Xi ⊕ Xj = λi,j such that P1, P2, . . ., Pq are pairwise distinct. This result is known as "Pi ⊕ Pj Theorem for any ξmax" or alternatively as Mirror Theory for general ξmax, which was later proved by Patarin in ICISC'05. Mirror theory for general ξmax stands as a powerful tool to provide a high-security guarantee for many blockcipher-(or even ideal permutation-) based designs. Unfortunately, the proof of the result contains gaps that are non-trivial to fix. In this work, we present the first complete proof of the Pi ⊕ Pj theorem for a wide range of ξmax, typically up to order O(2 n/4 / √ n). Furthermore, our proof approach is made simpler by using a new type of equation, dubbed link-deletion equation, that roughly corresponds to half of the so-called orange equations from earlier works. As an illustration of our result, we also revisit the security proofs of two optimally secure blockcipher-based pseudorandom functions, and n-bit security proof for six round Feistel cipher, and provide updated security bounds.

show abstract

Section: Applications Of Theorem P I ⊕ P J For Any ξ Maxmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Proof of Mirror Theory for a Wide Range of $$\xi _{\max }$$

Cogliati

Dutta²,

Nandi

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Tight Security Bounds for Generic Stream Cipher Constructions

Hamann

Krause

Moch

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The design of modern stream ciphers is strongly influenced by the fact that Time-Memory-Data tradeoff attacks (TMD-TO attacks) reduce their effective key length to SL/2, where SL denotes the inner state length. The classical solution, employed, e.g., by eSTREAM portfolio members Trivium [CP05] and Grain v1 [HJM06], is to design the cipher in accordance with the Large-State-Small-Key construction, which implies that SL is at least twice as large as the session key length KL. In the last years, a new line of research looking for alternative stream cipher constructions guaranteeing a higher TMD-TO resistance with smaller inner state lengths has emerged. So far, this has led to three generic constructions: the Lizard construction [HK18], having a provable TMD-TO resistance of 2 • SL/3; the Continuous-Key-Use construction, underlying the stream cipher proposals Sprout [AM15], Plantlet [MAM17], and Fruit [AH18]; and the Continuous-IV-Use construction, very recently proposed in [HKM17a]. Meanwhile, it could be shown that the Continuous-Key-Use construction is vulnerable against certain nontrivial distinguishing attacks [HKMZ17].In this paper, we present a formal framework for proving security lower bounds on the resistance of generic stream cipher constructions against TMD-TO attacks and analyze two of the constructions mentioned above. First, we derive a tight security lower bound of approximately min{KL, SL/2} on the resistance of the Large-State-Small-Key construction. This shows that the feature KL ≤ SL/2 does not open the door for new nontrivial TMD-TO attacks against Trivium and Grain v1 which are more dangerous than the known ones. Second, we prove a maximal security bound on the TMD-TO resistance of the Continuous-IV-Use construction, which shows that designing concrete instantiations of ultra-lightweight Continuous-IV-Use stream ciphers is a hopeful direction of future research.

show abstract

BBB Secure Nonce Based MAC Using Public Permutations

Dutta

Nandi

2020

Progress in Cryptology - AFRICACRYPT 2020

View full text Add to dashboard Cite

Parallelizable MACs Based on the Sum of PRPs with Security Beyond the Birthday Bound

Cited by 5 publications

References 30 publications

Proof of Mirror Theory for a Wide Range of $$\xi _{\max }$$

Proof of Mirror Theory for a Wide Range of $$\xi _{\max }$$

Tight Security Bounds for Generic Stream Cipher Constructions

BBB Secure Nonce Based MAC Using Public Permutations

Contact Info

Product

Resources

About