How to construct pseudorandom permutations from pseudorandom functions
SIAM Journal on Computing - Special issue on cryptography
Elements of information theory
Differential cryptanalysis of the data encryption standard
Provable Security for Block Ciphers by Decorrelation
STACS '98 Proceedings of the 15th Annual Symposium on Theoretical Aspects of Computer Science
A Unified Markov Approach to Differential and Linear Cryptanalysis
ASIACRYPT '94 Proceedings of the 4th International Conference on the Theory and Applications of Cryptology: Advances in Cryptology
Ciphers and their products: group theory in private key cryptography
Markov ciphers and differential cryptanalysis
EUROCRYPT'91 Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques
The one-round functions of the DES generate the alternating group
EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques
A Polynomial-Time Universal Security Amplifier in the Class of Block Ciphers
SAC '00 Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography
On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks
INDOCRYPT '00 Proceedings of the First International Conference on Progress in Cryptology
Feeling is believing: a secure template exchange protocol
ICB'07 Proceedings of the 2007 international conference on Advances in Biometrics
Absolute lower limits to the cost of cryptanalytic attacks are quantified, via a theory of guesswork. Conditional guesswork naturally expresses limits to known and chosen plaintext attacks. New inequalities are derived between various forms of guesswork and variation distance. The machinery thus offers a new technique for establishing the security of a cipher: When the work-factor of the optimal known or chosen plaintext attack against a cipher is bounded below by a prohibitively large number, then no practical attack against the cipher can succeed. As an example, we apply the technique to iterated cryptosystems, as the Markov property which results from an independent subkey assumption makes them particularly amenable to analysis.
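The abstract works with guesswork as a measure of attack cost, and with conditional guesswork as the cost once an attacker has observed something (a known plaintext/ciphertext pair, say). The following is an added worked example, not code from the paper or its authors: it implements guesswork in Massey's sense (expected number of trials when candidates are tried in decreasing order of probability), Shannon entropy, Massey's lower bound G(X) >= 2^(H(X)-2) + 1 for H(X) >= 2 bits, and conditional guesswork as the expectation over observations. The key distribution and the "observation" (parity of the key, standing in for what a known-plaintext attacker learns) are constructed for illustration and are not from the paper.

```python
from math import log2

def guesswork(probs):
    """Massey's guesswork G(X): expected number of guesses to hit the
    true value when candidates are tried from most to least probable."""
    ordered = sorted(probs, reverse=True)
    return sum((i + 1) * p for i, p in enumerate(ordered))

def entropy_bits(probs):
    """Shannon entropy H(X) in bits."""
    return -sum(p * log2(p) for p in probs if p > 0)

def massey_bound_holds(probs):
    """Check G(X) >= 2^(H(X)-2) + 1, valid when H(X) >= 2 bits.
    Returns None when the bound's precondition is not met."""
    h = entropy_bits(probs)
    if h < 2:
        return None
    return guesswork(probs) >= 2 ** (h - 2) + 1

def conditional_guesswork(joint):
    """G(X|Y) = sum_y P(y) * G(X | Y=y).
    joint maps (x, y) -> P(x, y); zero-probability pairs may be omitted."""
    rows = {}
    for (x, y), p in joint.items():
        rows.setdefault(y, {})[x] = p
    total = 0.0
    for y, row in rows.items():
        p_y = sum(row.values())
        total += p_y * guesswork([p / p_y for p in row.values()])
    return total

# Constructed example: 3-bit keys 0..7 with a skewed prior (sums to 1).
SKEWED_PRIOR = [0.5, 0.2, 0.1, 0.05, 0.05, 0.05, 0.03, 0.02]
UNIFORM_PRIOR = [1 / 8] * 8

def parity_leak_joint(prior):
    """Constructed observation model: the attacker learns the key's low bit.
    P(x, y) = P(x) if y == x & 1, else 0."""
    return {(x, x & 1): p for x, p in enumerate(prior)}

def example_summary():
    """Guesswork before and after the observation, for both priors."""
    return {
        "uniform": (guesswork(UNIFORM_PRIOR),
                    conditional_guesswork(parity_leak_joint(UNIFORM_PRIOR))),
        "skewed": (guesswork(SKEWED_PRIOR),
                   conditional_guesswork(parity_leak_joint(SKEWED_PRIOR))),
    }

if __name__ == "__main__":
    for name, (g, g_cond) in example_summary().items():
        print(f"{name}: G(X) = {g:.3f}, G(X|Y) = {g_cond:.3f}")
```

For the uniform prior the unconditioned guesswork is (8 + 1)/2 = 4.5 trials and halving the candidate set with one observed bit brings it to 2.5; for the skewed prior it falls from 2.32 to 1.5. The lower-bound direction in the abstract is the useful one: if the conditional guesswork after the best available observations is still astronomically large, no ordering of trials by the attacker does better on average.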