On Tweaking Luby-Rackoff Blockciphers
[chapter]
Advances in Cryptology – ASIACRYPT 2007
How large of a tweak can be securely added? In this work, we explore these questions for Luby-Rackoff blockciphers. ...
We show that tweakable blockciphers can be created directly from Luby-Rackoff ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known ...
In this work, we perform a systematic study of issues relating to directly tweaking Luby-Rackoff blockciphers. ...
doi:10.1007/978-3-540-76900-2_21
dblp:conf/asiacrypt/GoldenbergHLSS07
fatcat:a4wogg534bettcrcx6pgfs4pei
An Enciphering Scheme Based on a Card Shuffle
[article]
2014
arXiv
pre-print
We then prove that swap-or-not has excellent quantitative security bounds, giving a Luby-Rackoff type result that ensures security (assuming an ideal round function) to a number of adversarial queries ...
The analysis of swap-or-not is based on the theory of mixing times of Markov chains. ...
For comparison, the leftmost two graphs are for balanced Feistel, both the classical 4-round result of Luby and Rackoff [19, 27] (LR-4) and then a six-round result of Patarin (LR-6) [29, Th. 7]. ...
arXiv:1208.1176v2
fatcat:qpnjjikkljfb3m6heq6ae3ycn4
Length-Doubling Ciphers and Tweakable Ciphers
[chapter]
2012
Lecture Notes in Computer Science
., THEM) that turns an n-bit blockcipher into a variable-input-length cipher (resp., tweakable cipher) that acts on strings of [n..2n − 1] bits. ...
Both HEM and THEM are simple and intuitive and use only two blockcipher calls, while prior work at least takes three. ...
Goldenberg et al. addressed the question on how to directly incorporate a tweak on Luby-Rackoff blockciphers [7]. Discussion. ...
doi:10.1007/978-3-642-31284-7_7
fatcat:26yuridgynh5rchyaprysfcyu4
How to Build Fully Secure Tweakable Blockciphers from Classical Blockciphers
[chapter]
2016
Lecture Notes in Computer Science
Each of these tweakable blockciphers uses two invocations of a blockcipher, one of which uses a tweak-dependent key generated by XORing the tweak to the key (or to a secret subkey derived from the key) ...
We point out the provable security of these tweakable blockciphers is obtained in the ideal blockcipher model due to the usage of the tweak-dependent key. ...
The second approach is to introduce the additional parameter tweak to generic constructions of blockcipher, including tweaking Luby-Rackoff cipher or Feistel cipher [20], tweaking Generalized Feistel ...
doi:10.1007/978-3-662-53887-6_17
fatcat:lked4vdluncpzlvhf4z6zblarm
Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security
[chapter]
2017
Lecture Notes in Computer Science
Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key ...
Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2^{σn/(σ+1)} is the best one can get without tweak-rekeying, optimal 2^n provable security ...
This issue is in fact not new: already in 1998, Bellare et al. encountered it in their seminal paper on Luby-Rackoff backwards [8], and reverted to an analysis in the ideal cipher model. ...
doi:10.1007/978-3-319-63715-0_24
fatcat:syjt6k5fcnfypiakty6ovcpvga
HCTR: A Variable-Input-Length Enciphering Mode
[chapter]
2005
Lecture Notes in Computer Science
HCTR turns an n-bit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zero. ...
This paper proposes a blockcipher mode of operation, HCTR, which is a length-preserving encryption mode. ...
Related Work. Constructions of large-block-size blockciphers from small-block-size blockciphers can date back to the pioneering work of Luby and Rackoff [12]. ...
doi:10.1007/11599548_15
fatcat:ikcy2wnctncg5n7tmxccommla4
Tweakable Blockciphers with Beyond Birthday-Bound Security
[chapter]
2012
Lecture Notes in Computer Science
The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. ...
Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and ...
[17] show how to build a TBC by directly tweaking the Luby-Rackoff construction. ...
doi:10.1007/978-3-642-32009-5_2
fatcat:mewtjwrgibbt7fqnzyyb6c37mi
OleF: an Inverse-Free Online Cipher. An Online SPRP with an Optimal Inverse-Free Construction
2017
IACR Transactions on Symmetric Cryptology
Here we propose a single-keyed inverse-free construction that achieves online sprp security with an optimal number of blockcipher calls. ...
For blockcipher based construction requiring the inverse, we count the number of calls after replacing the blockcipher (over a diblock) by a four-round Luby-Rackoff construction. ...
Luby and Rackoff gave a security proof of Feistel ciphers [LR88], and later the design was generalised to obtain inverse-free enciphering of longer messages [Nyb96]. ...
doi:10.13154/tosc.v2016.i2.30-51
dblp:journals/tosc/BhaumikN16
fatcat:vx55aqrgdnc7pi3zz4zh7bp2nu
OleF: an Inverse-Free Online Cipher. An Online SPRP with an Optimal Inverse-Free Construction
2017
IACR Transactions on Symmetric Cryptology
Here we propose a single-keyed inverse-free construction that achieves online sprp security with an optimal number of blockcipher calls. ...
For blockcipher based construction requiring the inverse, we count the number of calls after replacing the blockcipher (over a diblock) by a four-round Luby-Rackoff construction. ...
Luby and Rackoff gave a security proof of Feistel ciphers [LR88], and later the design was generalised to obtain inverse-free enciphering of longer messages [Nyb96]. ...
doi:10.46586/tosc.v2016.i2.30-51
fatcat:ipdd2zf47rczlotsowsjfinxyq
A Domain Extender for the Ideal Cipher
[chapter]
2010
Lecture Notes in Computer Science
Our construction is based on a 3-round Feistel, and is more efficient than first building an n-bit random oracle from an n-bit ideal cipher (as in [9]) and then a 2n-bit ideal cipher from an n-bit random ...
Our construction is similar to that of Luby-Rackoff [23]. ...
The well known Luby-Rackoff result that 4 rounds are enough to obtain a strong pseudo-random permutation from pseudorandom functions [23], is proven under the classical indistinguishability notion. ...
doi:10.1007/978-3-642-11799-2_17
fatcat:fv6pfytwcbhhliv4gl7zq2oh2a
Parallelizable Rate-1 Authenticated Encryption from Pseudorandom Functions
[chapter]
2014
Lecture Notes in Computer Science
When it is realized with a blockcipher, it requires one blockcipher call to process one input block (i.e. rate-1), and uses the encryption function of the blockcipher for both encryption and decryption ...
Moreover, the scheme enables one-pass, parallel operation under two-block partition. ...
The author also would like to thank Tetsu Iwata for fruitful discussions, and Sumio Morioka and Tomoyasu Suzaki for useful comments on implementation aspects. ...
doi:10.1007/978-3-642-55220-5_16
fatcat:vyv577v3ong4hokfyqzvrdsyzu
An Inverse-Free Single-Keyed Tweakable Enciphering Scheme
[chapter]
2015
Lecture Notes in Computer Science
Luby and Rackoff gave a security proof of Feistel ciphers [12], and later the design was generalised to obtain inverse-free enciphering of longer messages [17]. ...
In CRYPTO 2003, Halevi and Rogaway proposed CMC, a tweakable enciphering scheme (TES) based on a blockcipher. ...
) on the underlying blockcipher; - Tweak is processed using an independent key, and the proposed single-key variant uses an extra call to the blockcipher. ...
doi:10.1007/978-3-662-48800-3_7
fatcat:iytgcvq5mjg5vbalhbypzw5qxu
Understanding the Related-Key Security of Feistel Ciphers from a Provable Perspective
[article]
2019
arXiv
pre-print
We investigate conditions on the key-schedules that are sufficient for security against XOR-induced related-key attacks up to 2^{n/2} adversarial queries. ...
This allows us to derive concrete implications on these two (more common) models, and helps understanding their differences---and further understanding the related-key security of Feistel ciphers. ...
In all, in the RKA setting, Luby-Rackoff results appear less convincing. ...
arXiv:1810.07428v3
fatcat:ti2baqqagnak7n2xvijjohyaoy
Improved Security Bounds for Generalized Feistel Networks
2020
IACR Transactions on Symmetric Cryptology
For a tweakable blockcipher-based generalized Feistel network proposed by Coron et al. ...
(TCC 2010), we present a coupling analysis and for the first time show that with enough rounds, it achieves 2n-bit security, and this provides highly secure, double-length tweakable blockciphers. ...
A popular approach to analyzing the security of Feistel networks, pioneered by Luby and Rackoff [LR88], is to model the round function F_i as a secret random function. ...
doi:10.13154/tosc.v2020.i1.425-457
dblp:journals/tosc/ShenGW20
fatcat:ajxegtvq6bd3paoelo4sulw5yi
Salvaging Weak Security Bounds for Blockcipher-Based Constructions
[chapter]
2016
Lecture Notes in Computer Science
Unlike the ICM, results in the ICM-KOA are less brittle to current and future cryptanalytic results on the blockcipher used to instantiate the ideal cipher. ...
This is done, for example, in the NIST CTR-DRBG and in the hardware RNG that ships on Intel chips. ...
The classic "Luby-Rackoff Backwards" paper by Bellare, Krovetz and Rogaway [4] addresses the construction of beyond birthday-bound secure PRFs from PRPs, but they are unable to do so in the standard ...
doi:10.1007/978-3-662-53887-6_16
fatcat:6hzbulnrfjaflmjj32spfgxozu