Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks

Bellare, Mihir; Cash, David M.

doi:10.1007/978-3-642-14623-7_36

Cited by 92 publications

(163 citation statements)

References 55 publications

(93 reference statements)

Supporting

Mentioning

157

Contrasting

Order By: Relevance

“…We now define a sufficient set of restrictions on oracle RKD sets that allow us to prove a ROM analogue of the result by Bellare and Cash [3]. Intuitively the restrictions are strong enough to rule out attacks that follow the above pattern.…”

Section: The Random-oracle Transformmentioning

confidence: 99%

“…We call this the "Hash-then-PRP" transform. Bellare and Cash [3,Theorem 6.1] prove the soundness of this approach in the standard model for a restricted class of RKD functions, when the hash function is replaced by an RKA-secure pseudorandom generator. At first sight it appears that the ideal hash function (i.e., the random oracle) should be a valid instantiation of this construction.…”

Section: The Random-oracle Transformmentioning

confidence: 99%

“…The underlying PRG can be instantiated in the standard model via an RKA-secure PRF (e.g., that used in the Luby-Rackoff construction) as suggested in [3] or, stepping outside the standard model, using random oracles.…”

Section: The Feistel Constructionmentioning

confidence: 99%

“…3 We are able to prove the RKA security of the three-stage (CPA) and four-stage (CCA) Luby-Rackoff constructions, whilst reducing the amount of key material and potentially improving the efficiency of the resulting implementations.…”

Section: Introductionmentioning

confidence: 99%

“…It is well known that the F ρ [1,2,3] construction is CCA insecure. For example, the attacker can proceed as follows: 1) Choose arbitrary L, R, L , query RKFn(L, R) to obtain C 1 and query RKFn(L , R) to obtain C 2 ; 2) Query…”

Section: Cca Security: the 4-round Constructionsmentioning

confidence: 99%

See 4 more Smart Citations

The Related-Key Analysis of Feistel Constructions

Barbosa

Farshim

2015

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. It is well known that the classical three-and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally we formalize Luck's transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.

show abstract

Section: The Random-oracle Transformmentioning

confidence: 99%

Section: The Random-oracle Transformmentioning

confidence: 99%

Section: The Feistel Constructionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Cca Security: the 4-round Constructionsmentioning

confidence: 99%

See 3 more Smart Citations

The Related-Key Analysis of Feistel Constructions

Barbosa

Farshim

2015

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

Achieving CCA security from DCCA security more efficiently by using the KEM+DEM hybrid paradigm

Yuan

Dong

2015

Security Comm Networks

View full text Add to dashboard Cite

Detectable Chosen Ciphertext (DCCA) security is a useful notion to achieve CCA security for public-key encryptions (PKE). An "inner-outer" structure can transform a DCCA-secure PKE into a CCA-secure one. In the structure, the "inner" layer encrypts both the message and the two embedded randomness, so a key encapsulated mechanism (KEM) + data encapsulation mechanism (DEM) hybrid paradigm helps to gain time efficiency. Nevertheless, the long "inner" ciphertext still makes the "outer" encryption less efficient. We show that the structure can be applied solely on the KEM part, and even the embedded randomness can be encrypted outside the structure by introducing a CCA-secure DEM. These reduce the length of the "inner" ciphertext, thus avoiding some redundant re-encryptions in the "outer" layer and offload as much of the work as possible from KEMs to faster DEMs. Combined with a recent improvement made on the "outer" layer, we can gain better time and space efficiency. Additionally, we prove that when a DCCA-secure KEM satisfies the so-called "translatability", a proper related-key secure DEM helps to achieve CCA security directly by applying the hybrid paradigm without any use of the less efficient "inner-outer" structure. Achieving CCA security from DCCA security more efficiently Note that we add more dangerous ciphertexts here to show the sufficiency. Security Comm. Networks 2015; 8:3323-3334Achieving CCA security from DCCA security more efficiently KEM dcca . We denote the scheme as KEM cca =

show abstract