How to construct pseudorandom permutations from pseudorandom functions
SIAM Journal on Computing - Special issue on cryptography
A hard-core predicate for all one-way functions
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Universal one-way hash functions and their cryptographic applications
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
CT-RSA '02 Proceedings of the Cryptographer's Track at the RSA Conference on Topics in Cryptology
Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
On the Round Security of Symmetric-Key Cryptographic Primitives
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
Unique Signatures and Verifiable Random Functions from the DH-DDH Separation
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Bit Commitment Using Pseudo-Randomness
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract)
CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Efficient Construction of (Distributed) Verifiable Random Functions
PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
FOCS '99 Proceedings of the 40th Annual Symposium on Foundations of Computer Science
On the Implementation of Huge Random Objects
FOCS '03 Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
The exact security of digital signatures: how to sign with RSA and Rabin
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
The security of many-round Luby-Rackoff pseudo-random permutations
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Single-key AIL-MACs from any FIL-MAC
ICALP'05 Proceedings of the 32nd international conference on Automata, Languages and Programming
A verifiable random function with short proofs and keys
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Luby-Rackoff ciphers from weak round functions?
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
On the relation between the ideal cipher and the random oracle models
TCC'06 Proceedings of the Third conference on Theory of Cryptography
The Random Oracle Model and the Ideal Cipher Model Are Equivalent
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Weak Verifiable Random Functions
TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
A Double-Piped Mode of Operation for MACs, PRFs and PROs: Security beyond the Birthday Barrier
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Information Security and Cryptology
Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Domain extension for MACs beyond the birthday barrier
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
On the public indifferentiability and correlation intractability of the 6-round feistel construction
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
The Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method for designing "cryptographically strong" permutations from corresponding "cryptographically strong" functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff result, critically rely on (a) the (pseudo)randomness of the round functions, and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic, number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed.

On the positive side, we develop a new combinatorial understanding of Feistel networks which makes them applicable to situations where the round functions are merely unpredictable rather than (pseudo)random and/or where the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a super-logarithmic number of Feistel rounds is necessary and sufficient to guarantee security. Of independent interest, our technique yields a novel domain extension method for message authentication codes and other related primitives, settling a question studied by An and Bellare in CRYPTO 1999.
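The Feistel transform the abstract builds on, as an added worked example that is not code from the paper: each round maps (L, R) to (R, L xor F_i(R)), so the result is a permutation for any round functions F_i, even ones that are not injective themselves. The round function (HMAC-SHA256 truncated to a tiny half-block), the key and the half-block width are constructed for the demo; the encrypt function also returns the intermediate round values, i.e. the values the abstract considers visible to the adversary in the "public" setting.

```python
import hashlib
import hmac

HALF_BITS = 6                      # tiny halves so the whole domain can be enumerated
MASK = (1 << HALF_BITS) - 1
KEY = b"constructed-demo-key"      # constructed sample key, not from the paper

def round_function(key: bytes, i: int, x: int) -> int:
    """Round function F_i: a keyed function on one half-block. HMAC-SHA256
    truncated to HALF_BITS is an assumption of this demo; any function works,
    and nothing requires F_i to be a permutation of the half-block."""
    msg = bytes([i, x])            # domain-separate rounds by index i
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & MASK

def feistel_encrypt(key: bytes, rounds: int, left: int, right: int):
    """Apply (L, R) -> (R, L xor F_i(R)) for i = 0 .. rounds-1.
    Returns the final pair and the list of intermediate round values."""
    trace = [(left, right)]
    for i in range(rounds):
        left, right = right, left ^ round_function(key, i, right)
        trace.append((left, right))
    return (left, right), trace

def feistel_decrypt(key: bytes, rounds: int, left: int, right: int):
    """Undo the rounds in reverse: (L', R') -> (R' xor F_i(L'), L').
    The inverse only ever evaluates F_i forward, which is why F_i need not
    be invertible for the whole network to be a permutation."""
    for i in reversed(range(rounds)):
        left, right = right ^ round_function(key, i, left), left
    return left, right

def is_permutation(key: bytes, rounds: int) -> bool:
    """Check bijectivity by enumerating the full (2^HALF_BITS)^2 domain."""
    outputs = {feistel_encrypt(key, rounds, l, r)[0]
               for l in range(1 << HALF_BITS) for r in range(1 << HALF_BITS)}
    return len(outputs) == (1 << HALF_BITS) ** 2

def round_function_is_injective(key: bytes, i: int) -> bool:
    """Whether F_i alone is a permutation of the half-block (it will not be:
    a random function on 64 points collides with overwhelming probability)."""
    images = {round_function(key, i, x) for x in range(1 << HALF_BITS)}
    return len(images) == (1 << HALF_BITS)

if __name__ == "__main__":
    (l, r), trace = feistel_encrypt(KEY, 4, 5, 9)
    print("output", (l, r), "intermediate round values", trace)
    print("inverts:", feistel_decrypt(KEY, 4, l, r) == (5, 9))
    print("whole network is a permutation:", is_permutation(KEY, 4))
    print("round function alone is injective:", round_function_is_injective(KEY, 0))
```

Switching `rounds` lets you see that invertibility holds for one round just as for many; the abstract's point is that the number of rounds matters for security, not for being a permutation.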