Tải bản đầy đủ - 0 (trang)
1 Upper Bound of Pr[DG1 1] - Pr[DG2 1]

1 Upper Bound of Pr[DG1 1] - Pr[DG2 1]

Tải bản đầy đủ - 0trang

Sandwich Construction for Keyed Sponges



253



−1



in

out

Let τ in := i=1

τiin , and τ out := i=1

τiout . This proof permits D to obtain

these sets and the secret key K after D’s interaction but before it outputs a

result. Thus D’s transcript is summarized as τ = (τL , τP , τ in , τ out , τK , K).



Coefficient H Technique

We upper bound Pr[DG1 ⇒ 1] − Pr[DG2 ⇒ 1] by using the coefficient H technique [11,21]. In this technique, firstly, we need to partition valid transcripts

into good transcripts Tgood and bad transcripts Tbad . Then we can upper bound

the difference by the following lemma, and the proof is given in e.g., [11].

Lemma 1 (Coefficient H Technique). Let 0 ≤ ε ≤ 1 be such that for all τ ∈

1 =τ ]

G1

⇒ 1] − Pr[DG2 ⇒ 1] ≤ ε + Pr[T2 ∈ Tbad ].

Tgood , Pr[T

Pr[T2 =τ ] ≥ 1 − ε. Then, Pr[D

Hereafter, we first define good and bad transcripts. We then upper bound ε and

Pr[T2 ∈ Tbad ]. Finally, we obtain the upper bound of Pr[DG1 ⇒ 1]−Pr[DG2 ⇒ 1]

by putting these upper bounds to the lemma.

Good and Bad Transcripts

In order to define good and bad transcripts, we need to recall the modification

from Game 1 and Game 2, where the underlying primitive definition b-bit outputs

Wi , Ti and Hi is modified. In Game 1, outputs Wi , Ti and Hi in L1 are defined

by using P. On the other hand, in Game 2, outputs Wi , Ti and Hi in L2 are

defined by using P, Fi and Gi , respectively. Namely, in Game 2, (1) Ti and Hi

are independently defined, and (2) Ti and Hi are defined independently of offline

queries (Xi , Yi ) and Wi -values. In addition, (3) Ti and Tj with i = j are also

independently defined, and the same is true for Hi and Hj with i = j. Therefore,

if Game 1 and Game 2 are indistinguishable, then these independences for (1), (2)

and (3) should also hold in Game 1. Thus we consider conditions hitsx,ty , hithx,hy ,

hitsh,th , hitss,tt and hithh , which define good and bad transcripts. hitsh,th comes

from the independence for (1), hitsx,ty and hithx,hy come from the independence

for (2), hitss,tt and hithh come from the independence for (3). In addition, by

the PRP-PRF switch from Game 1 to Game 2, we need to consider a condition

with respect to output collisions of random functions, denoted by coll. These

definitions are given in the following.

hitsx,ty ⇔ ∃(S, T ) ∈ τ in , (X, Y ) ∈ τP ∪ τK s.t. S = X ∨ T = Y

hithx,hy ⇔ ∃(H, H ) ∈ τ out , (X, Y ) ∈ τP ∪ τK s.t. H = X ∨ H = Y

hitsh,th ⇔ ∃(S, T ) ∈ τ in , (H, H ) ∈ τ out s.t. S = H ∨ T = H

hitss,tt ⇔ ∃i, j ∈ {1, . . . , in − 1} with i = j s.t. ∃(Si , Ti ) ∈ τiin , (Sj , Tj ) ∈ τjin

s.t. Si = Sj ∨ Ti = Tj

– hithh ⇔ ∃i, j ∈ {1, . . . , out } with i = j s.t. ∃(Hi−1 , Hi ) ∈ τiout , (Hj−1 , Hj ) ∈

τjout s.t. Hi−1 = Hj−1 ∨ Hi = Hj

– coll ⇔ ∃(S, T ), (S , T ) ∈ τ in ∪ τ out s.t. S = S ∧ T = T .











We define Tbad by the set of transcripts which satisfy one of the above conditions,

and Tbad by the set of transcript which do not satisfy any of the above conditions.



254



Y. Naito



Upper Bound of Pr[T2 ∈ Tbad ]

First we note that Pr[T2 ∈ Tbad ] = Pr[hitsx,ty ∨hithx,hy ∨hitsh,th ∨hitss,tt ∨hithh ∨coll],

where these conditions are considered within Game 2. In this evaluation, we use

the randomness of internal values Si , Ti and Hi , where S1 = Wκpf ⊕ (M1 0c )

where Wκpf is defined by P, and other values are defined by random functions.

In order for Wκpf to become a (almost) b-bit random value, we use the condition:

hitux,wy ⇔ ∃(Uκpf , Wκpf ) ∈ τP , meaning D obtains the pair (Uκpf , Wκpf ) by some

offline query. Under the condition ¬hitux,wy , D does not know Wκpf , and thereby

it can be seen as a (almost) b-bit random value. By basic probability theory, we

have

Pr[T2 ∈ Tbad ] ≤ Pr[hitux,wy ] + Pr[hitsx,ty ∧ ¬hitux,wy ] + Pr[hithx,hy ]

+ Pr[hitsh,th ∧ ¬hitux,wy ] + Pr[hitss,tt ] + Pr[hithh ] + Pr[coll]. (2)

Hereafter, we evaluate these probabilities. Without loss of generality, we assume

that (U1 , W1 ), . . . , (Uκpf , Wκpf ) are defined in τK before D’s interaction.

Upper Bound of Pr[hitux,wy ]. The same condition appears at the security

proofs of the prefix keyed sponge function in [1,12,18], where the following upper

2κ Q

bound was given: Pr[Hitux,wy ] ≤ λ(Q) + 2pfb . We use the upper bound.

Upper Bound of Pr[hitsx,ty ∧ ¬hitux,wy ]. Due to lack of space, we give only an

intuition of deriving the upper bound. The condition hitsx,ty considers a collision

between τ in and τP ∪ τK , where τ in = τ1in ∪



in −1

in

i=2 τi



. In order to upper bound



Pr[hitsx,ty ∧ ¬hitux,wy ], the randomness of elements in τ in is used.

$



– For ∀(S, T ) ∈ τ1in , the output element T is defined as T ←

− {0, 1}b by a random

function, and the input element S is of the form S = Wκpf ⊕ M1 0c . By

¬hitux,wy , Wκpf is randomly drawn from at least 2b − κpf values of b bits.

in −1

τiin , which are defined by random functions, can be seen

– All elements in i=2

as b-bit random values.

Since |τ1in | ≤ q, |



in −1

in

i=2 τi |



≤ ( − 2)q, |τP ∪ τK | ≤ Q + κpf , we have



q(Q + κpf ) q(Q + κpf )

( − 2)q(Q + κpf )

+

+2×

b

b

2 − κpf

2

2b

2 q(Q + κpf )



, assuming κpf ≤ 2b−1 .

2b



Pr[hitsx,ty ∧ ¬hitux,wy ] ≤



Upper Bound of Pr[hithx,hy ]. The condition hithx,hy considers a collision

in −1

between τ out and τP ∪ τK , where τ out = i=1

τiin . Similar to the evaluation

of Pr[hitsx,ty ], in order to upper bound Pr[hithx,hy ], the randomness of elements

in τ out is used. However, we need to care the fact that D can obtain the rate

values of these elements from the corresponding outputs of L2 . This implies that

the randomness of the rate values cannot be used in this evaluation. In order to

reduce the influence of this fact, we use the analysis based on a multi-collision on



Sandwich Construction for Keyed Sponges



255



the rate values, which have been used in many security proofs of sponge-based

functions e.g., [1,14,18].

q

Let H := α=1 {H1α , . . . , H αout } be the set of outputs defined by G1 , . . . , G out .

Note that Hout does not include H01 , . . . , H0q . Then we define a condition for a

multi-collision in rate values of Hout .

mcoll ⇔ ∃H (1) , . . . , H (ρ) ∈ H s.t. msbr (H (1) ) = · · · = msbr (H (ρ) )

where ρ is a free parameter which will be defined later. Then we have

Pr[hithx,hy ] ≤ Pr[mcoll] + Pr[hithx,hy ∧ ¬mcoll].

Firstly, we upper bound Pr[mcoll]. Fix H ∈ {0, 1}r and H (1) , . . . , H (ρ) ∈ H.

$



− {0, 1}b , the probability that H = msbr (H (1) ) = · · · =

Since H (1) , . . . , H (ρ) ←

ρ

(ρ)

msbr (H ) holds is ≤ 21r . Since |Hout | ≤ q, we have Pr[mcoll] ≤ 2r × ρq ×

1 ρ

2r



≤ 2r ×



e q

ρ2r



ρ



, using Stirling’s approximation (x! ≥ (x/e)x for any x,



where e = 2.71828 · · · is Napier’s constant).

Secondly, we upper bound Pr[hithx,hy ∧ ¬mcoll]. The strategy of deriving the

upper bound is simple but we need to deal with several types of values for Hi ,

which yields many cases. Due to lack of space, we give only an intuition of

deriving the upper bound.

– For a collision between τP ∪ τK and elements {H01 , H02 , . . . , H0q } in τ out ,

H01 , H02 , . . . , H0q are defined by random functions and thus can be seen as

b-bit random values. Thus the collision probability is ≤ q × (Q + κpf ) × 1/2b .

– For a collision between τP ∪ τK and other elements {H11 , . . . , H1q , H21 , . . .} in

τ out , we use the condition ¬mcoll. Although D can obtain the rate values of

{H11 , . . . , H1q , H21 , . . .} from outputs of L2 , by ¬mcoll, for each element E in τP ∪

τK , the number of elements in {H11 , . . . , H1q , H21 , . . .} whose rate value equal

to msbr (E) is at most ρ. Since the capacity values of {H11 , . . . , H1q , H21 , . . .}

are randomly drawn from {0, 1}c by random functions, the probability that

one of the ρ values collides with E is ≤ ρ/2c . Thus the collision probability is

≤ 2(Q + κpf ) × ρ/2c .

Thus, we have Pr[hithx,hy ∧ ¬mcoll] ≤ q(Q + κpf )/2b + 2ρ(Q + κpf )/2c .

Finally, we have Pr[hithx,hy ] ≤

ρ = max r,



2c e q

2r (Q+κpf )



Pr[hithx,hy ] ≤



+



2ρ(Q+κpf )

2c



+ 2r ×



e q

ρ2r



ρ



, and putting



1/2



gives



q(Q + κpf ) 2r(Q + κpf )

+

+2×

2b

2c

⎞r





+ 2r × ⎝







q(Q+κpf )

2b



e q

2c e q

2r (Q+κpf )



1/2



2r



e q(Q + κpf )

2b



1/2









q(Q + κpf ) 2r(Q + κpf )

+

+

2b

2c



44 q(Q + κpf )

2b



1/2



.



256



Y. Naito



(0)



Fig. 2. hitsh ∧ (i = nβ ) ∧ (msbr·dβ (M α ) = M β 10∗ K padβ )



Upper Bound of Pr[hitsh,th ∧¬hitux,wy ]. This evaluation makes use of the existence of the suffix key that avoids the attack using the iterated structure of L2 :

for two message block sequences M1α , M2α , . . . , Mnαα and M1β , M2β , . . . , Mnββ , if the

message blocks are the same up to the i-th block, namely, M1α = M1β , . . . , Miα =

Miβ , then input-output pairs of the underlying random functions are the same

up to the i-th block. By this property, hitsh,th may be satisfied. Concretely, this

property may yield the collision Siα = H0β as shown in Fig. 2. However, D needs

to make a query including the suffix key, and thereby this attack can be avoided

without a negligible probability. The detail analysis is given in the following,

(0)

where this case is considered in the sub condition hitsh of hitsh,th defined bellow.

We split the condition hitsh,th into the following three conditions with respect

to the collisions S = H, T = H and the block numbers of H.

– hitsh ⇔ ∃α, β ∈ {1, . . . , q}, i ∈ {1, . . . , nα − 1} s.t. Siα = H0β

(1)

– hitsh ⇔ ∃α, β ∈ {1, . . . , q}, i ∈ {1, . . . , nα − 1}, j ∈ {1, . . . , out − 1} s.t.

Siα = Hjβ

– hitth ⇔ ∃α, β ∈ {1, . . . , q}, i ∈ {1, . . . , nα − 1}, j ∈ {1, . . . , out } s.t. Tiα = Hjβ

(0)



(0)



(1)



Since hitsh,th = hitsh ∨ hitsh ∨ hitth , we have

(0)



(1)



Pr[hitsh,th ∧ ¬hitux,wy ] ≤ Pr[hitsh ∧ ¬hitux,wy ] + Pr[hitsh ∧ ¬hitux,wy ] + Pr[hitth ].

(0)



Firstly, we upper bound Pr[hitsh ∧ ¬hitux,wy ]. We assume that hitux,wy is not

(0)

satisfied, and then evaluate the probability that hitsh is satisfied. We divide

(0)

hitsh into the following three cases. Note that in this condition, nα > nβ holds.

– hitsh ∧ (i = nβ ) ∧ (msbr·nβ (M α ) = M β 10∗ K padβ ): The equation i = nβ

ensures that the block numbers of Siα and H0β are the same, and msbr·nβ (M α ) =

(0)



Sandwich Construction for Keyed Sponges



257



M β 10∗ K padβ ensures that for each block up to the i-th block, the inputs by

the α-th and β-th online queries are the same (See also the Fig. 2). Thus, if this

case occurs, then D makes an online query including the secret key K. Since

$

− {0, 1}k , the probability that this case occurs is ≤ q/2k .

K←

(0)

– hitsh ∧ (i = nβ ) ∧ (msbr·nβ (M α ) = M β 10∗ K padβ ): By the condition

msbr·nβ (M α ) = M β 10∗ K padβ , there exists j ∈ {1, . . . , nβ − 1} such that

β

α

Sjα = Sjβ and Sj+1

= Sj+1

, where Snββ := H0β . Note that for γ ∈ {α, β}



γ

γ

= Tjγ ⊕ Mj+1

0c . By Sjα = Sjβ , Tjα , Tjβ ←

− {0, 1}b . Thus, fixing α, β,

Sj+1

β

α

the probability that for some j, Sjα = Sjβ ∧ Sj+1

= Sj+1

holds is ≤ × 1/2b .

q

Therefore, the probability that this case holds is ≤ 2 × /2b ≤ 0.5 q 2 /2b .

(0)

– hitsh ∧ (i = nβ ) ∧ (i = 1): Note that S1α = Wκpf ⊕ M1α 0c , and by ¬hitux,wy ,

Wκpf is randomly drawn from at least 2b − (Q + κpf ) values of b bits. Thus,

fixing α, β, the probability that S1α = H0β holds is ≤ 1/(2b − (Q + κpf )) ≤ 2/2b ,

assuming Q + κpf ≤ 2b−1 . Therefore, the probability that this case holds is

≤ q × q × 2/2b = 2q 2 /2b .

(0)

α

– hitsh ∧ (i = nβ ) ∧ (i = 1): Note that Siα = Ti−1

⊕ Miα 0c and H0β = Tnββ −1 ⊕

$



α

Mnββ 0c . By i = nβ , Ti−1

, Tnββ −1 ←

− {0, 1}b , and thereby, the probability that

$



Siα = H0β holds is ≤ 1/2b . Thus the probability that this case holds is ≤

( − 2)q × q × 1/2b = ( − 2)q 2 /2b .

Thus, we have Pr[hitsh ] ≤ q/2k + 1.5 q 2 /2b .

(1)

α

Secondly, we upper bound Pr[hitsh ∧¬hitux,wy ]. Note that Siα = Ti−1

⊕Miα 0c

α

where T0 := Wκpf . By ¬hitux,wy , Wκpf is randomly drawn from at least 2b − (Q +

(0)



$



α

κpf ) values of b bits, and Ti−1



− {0, 1}b for i = 1. We thus have Pr[hitsh ] ≤

b

q × out q × 1/(2 − (Q + κpf )) + ( in − 2)q × out q/2b ≤ 2 q 2 /2b , assuming that

Q + κpf ≤ 2b−1 .

(1)



− {0, 1}b , we have

Thirdly, we upper bound Pr[hitth ]. Since Tiα , Hjβ ←

b

2 2 b

Pr[hitth ] ≤ in q × out q × 1/2 ≤ q /2 .

2 2

Finally, we have Pr[hitsh,th ] ≤ 2qk + 3.52b q .

$



Upper Bound of Pr[hitss,tt ]. Note that hitss,tt ⇔ ∃α, β ∈ {1, . . . , q}, i ∈

{1, . . . , nα − 1}, j ∈ {1, . . . , nβ − 1} with i = j s.t. Siα = Sjβ ∨ Tiα = Tjβ . Without

loss of generality, we assume that j = 1. Regarding the equation Siα = Sjβ , Siα =

β

α

α

Ti−1

⊕ Miα 0c and Sjβ = Tj−1

⊕ Miβ 0c , where T0α := Wκpf . By i = j, Ti−1

and

β

β

are independently drawn, and Tj−1



− {0, 1}b . Thus, the probability that

Tj−1

for some α, β, i, j, Siα = Sjβ holds is ≤ q 2 × 2 × 1/2b = 0.5 2 q 2 /2b . Regarding

the equation Tiα = Tjβ , by i = j, Tiα and Tjβ are independently drawn, and

$



− {0, 1}b . Hence, the probability that for some α, β, i, j, Tiα = Tjβ holds is

Tjβ ←

$



≤ 0.5 2 q 2 /2b . Finally, we have Pr[hitss,tt ] ≤



q

2b



2 2



.



258



Y. Naito



Upper Bound of Pr[hithh ]. Note that hithh ⇔ ∃α, β ∈ {1, . . . , q} s.t. ∃i, j ∈

{0, . . . ,



out }



with i = j s.t. Hiα = Hjβ . Since for γ ∈ {α, β}, Hiγ ←

− {0, 1}b for

$



− {0, 1}b , we have Pr[hithh ] ≤

i = 0, and H0γ := Tnγγ −1 ⊕ Mnγ 0c where Tnγγ −1 ←

$



(



out +1)q



2



×



1

2b







q

2b







0.5 2 q 2

.

2b



Upper Bound of Pr[coll]. By the birthday analysis, Pr[coll] ≤



0.5( q)2

.

2b



Upper Bound of Pr[T2 ∈ Tbad ]. Putting the above upper bounds into (2)

gives

Pr[T2 ∈ Tbad ] ≤



2r(Q + κpf )

+

2c



44 q(Q + κpf )

2b



1/2



+



5.5 2 q 2

q

+ λ(Q) + k .

b

2

2



Upper Bound of ε

Let τ ∈ Tgood be a good transcript. For i = 1, 2, let alli be the set of all oracles

in Game i, and let compi (τ ) be the set of oracles compatible with τ in Game i.

1 (τ )|

2 (τ )|

Then Pr[T1 = τ ] = |comp

and Pr[T2 = τ ] = |comp

.

|all1 |

|all2 |

k

Firstly, we evaluate |all1 |. Since K ∈ {0, 1} and P ∈ Perm({0, 1}b ), we have

|all1 | = 2k · 2b !.

Secondly, we evaluate |all2 |. Since K ∈ {0, 1}k , P ∈ Perm({0, 1}b ), and

F1 , . . . , F in −1 , G1 , . . . , G out ∈ Func({0, 1}b , {0, 1}b ) we have |all2 | = 2k · (2b !) ·

b

((2b )2 ) in + out −1 .

Thirdly, we evaluate |comp1 (τ )|. For i ∈ {1, . . . , in −1}, let γiin be the number

of pairs in τiin . For i ∈ {1, . . . , out }, let γiout be the number of pairs in τiout . Let

in −1

out

γP be the number of pairs in τP ∪τK . Let γ in = i=1

γiin and γ out = i=1

γiout .

in

out

in

in

out

out

Let γ = γ + γ + γP . Note that τ1 , . . . , τ in −1 , τ1 , . . . , τ out , and τP ∪ τK are

defined so that these sets do not overlap each other. Moreover, K is uniquely

determined. Hence we have |comp1 (τ )| = (2b − γ)!

, γ in , γ out , γP

Finally we evaluate |comp2 (τ )|. γ1in , . . . , γ inin −1 , γ1out , . . . , γ out

out

and γ are analogously defined. Note that K is uniquely determined. We thus

b

in

b

out

in −1

out

(2b )2 −γi · i=1

(2b )2 −γi = (2b − γP )! ·

have |comp2 (τ )| = (2b − γP )! · i=1

b

(2b )( in + out −1)2 −γ+γP .

Hence we have

b



Pr[T1 = τ ]

(2b − γ)!

2k · (2b !) · (2b )( in + out −1)2

≥ k b · b

≥ 1.

Pr[T2 = τ ]

2 · 2 ! (2 − γP )! · (2b )( in + out −1)2b −γ+γP

We thus have ε = 0.

Upper Bound of Pr[DG1 ⇒ 1] − Pr[DG2 ⇒ 1]

By Lemma 1, we have Pr[G1 ] − Pr[G2 ]





2r(Q + κpf )

+

2c



44 q(Q + κpf )

2b



1/2



+



5.5 2 q 2

q

+ λ(Q) + k .

2b

2



(3)



Sandwich Construction for Keyed Sponges



4.2



259



Upper Bound of Pr[DG2 ⇒ 1] − Pr[DG3 ⇒ 1]



Note that L3 is a random function R. We show the following lemma.

Lemma 2. L2 and R are indistinguishable unless the following events occur in

Game 2.

collh ⇔ ∃α, β ∈ {1, . . . , q} with α = β and ∃i ∈ {0, . . . ,



out



− 1} s.t. Hiα = Hiβ .



Proof. If collh does not hold then for any online query to L2 the response is freshly

and randomly drawn from {0, 1} out ×r . Hence, L2 and R are indistinguishable.

By the above lemma, Pr[DG2 ⇒ 1|¬collh ] = Pr[DG3 ⇒ 1] holds. Hence, we have

Pr[DG2 ⇒ 1] − Pr[DG3 ⇒ 1] ≤ Pr[collh ].

The upper bound is given in the following. Due to lack of space, we omit the

detail for the evaluation of Pr[collh ]. The upper bound can be obtained by using

the birthday analysis for the random functions in L2 .

Pr[DG2 ⇒ 1] − Pr[DG3 ⇒ 1] ≤ Pr[collh ] ≤

4.3



0.5 q 2

.

2b



(4)



Upper Bound of the Advantage



Putting (3) and (4) into (1) gives

Advprf

SwSponge (D) ≤



2r(Q + κpf )

+

2c



44 q(Q + κpf )

2b



1/2



+



6 2 q2

q

+ λ(Q) + k .

2b

2



References

1. Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed

sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE

2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015). doi:10.1007/

978-3-662-48116-5 18

2. Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: a lightweight

hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp.

1–15. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9 1

3. Bertoni, G., Daemen, J., Peeters, M., Assche, G.: Duplexing the sponge: single-pass

authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.)

SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). doi:10.1007/

978-3-642-28496-0 19

4. Bertoni, G., Daemen, J., Peeters, M., Assche, G.: Keccak. In: Johansson, T.,

Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer,

Heidelberg (2013). doi:10.1007/978-3-642-38348-9 19

5. Bertoni, G., Daemen, J., Peeters, M., Assche, G.: On the indifferentiability of the

sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp.

181–197. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3 11



260



Y. Naito



6. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: On the security of the keyed

sponge construction. In: Symmetric Key Encryption Workshop (SKEW), February

2011

7. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Permutation-based encryption, authentication and authenticated encryption. In: Directions in Authenticated

Ciphers (2012)

8. Bertoni, G., Daemen, J., Peeters, M., Assche, G.: Sponge-based pseudo-random

number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS,

vol. 6225, pp. 33–47. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9 3

9. Bogdanov, A., Kneˇzevi´c, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.:

spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES

2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011). doi:10.1007/

978-3-642-23951-9 21

10. Chang, D., Dworkin, M., Hong, S., Kelsey, J., Nandi, M.: A keyed sponge construction with pseudorandomness in the standard model. In: NIST SHA-3 2012

Workshop (2012)

11. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In:

Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–

350. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5 19

12. Gaˇzi, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight

bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M.

(eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015).

doi:10.1007/978-3-662-47989-6 18

13. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash

functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239.

Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9 13

14. Jovanovic, P., Luykx, A., Mennink, B.: Beyond 2c/2 security in sponge-based

authenticated encryption modes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT

2014. LNCS, vol. 8873, pp. 85–104. Springer, Heidelberg (2014). doi:10.1007/

978-3-662-45611-8 5

15. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on

reductions, and applications to the random oracle methodology. In: Naor, M. (ed.)

TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). doi:10.1007/

978-3-540-24638-1 2

16. Mennink, B., Reyhanitabar, R., Viz´

ar, D.: Security of full-state keyed sponge and

duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.)

ASIACRYPT 2015. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015).

doi:10.1007/978-3-662-48800-3 19

17. Mouha, N., Mennink, B., Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede,

I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A.,

Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Heidelberg

(2014). doi:10.1007/978-3-319-13051-4 19

18. Naito, Y., Yasuda, K.: New bounds for keyed sponges with extendable output: independence between capacity and message length. In: Peyrin, T. (ed.)

FSE 2016. LNCS, vol. 9783, pp. 3–22. Springer, Heidelberg (2016). doi:10.1007/

978-3-662-52993-5 1

19. NIST: SHA-3 standard: permutation-based hash and extendable-output functions.

In: FIPS PUB 202 (2015)

20. NIST: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Regist. 27(212), 62212–62220

(2007)



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

1 Upper Bound of Pr[DG1 1] - Pr[DG2 1]

Tải bản đầy đủ ngay(0 tr)

×