Random Permutation

The experts below are selected from a list of 16443 experts worldwide, ranked by the ideXlab platform.

Yannick Seurin - One of the best experts on this subject based on the ideXlab platform.

  • Minimizing the Two-Round Even-Mansour Cipher
    Journal of Cryptology, 2018
    Co-Authors: Shan Chen, Yannick Seurin, Rodolphe Lampe, Jooyoung Lee, John Steinberger
    Abstract:

    The r-round (iterated) Even-Mansour cipher (also known as the key-alternating cipher) defines a block cipher from r fixed public n-bit permutations P1, ..., Pr as follows: given a sequence of n-bit round keys k0, ..., kr, an n-bit plaintext x is encrypted by XORing round key k0, applying permutation P1, XORing round key k1, etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations P1, ..., Pr are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT 2014), who proved that the r-round Even-Mansour cipher is indistinguishable from a truly random permutation up to O(2^{rn/(r+1)}) queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that the round keys k0, ..., kr and the permutations P1, ..., Pr are independent. In particular, for two rounds, the current state of knowledge is that the block cipher E(x) = k2 ⊕ P2(k1 ⊕ P1(k0 ⊕ x)) is provably secure up to O(2^{2n/3}) queries of the adversary, when k0, k1, and k2 are three independent n-bit keys, and P1 and P2 are two independent random n-bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher from just one n-bit key and one n-bit permutation. Our answer is positive: when the three n-bit round keys k0, k1, and k2 are adequately derived from an n-bit master key k, and the same permutation P is used in place of P1 and P2, we prove a qualitatively similar O(2^{2n/3}) security bound (in the random permutation model). To the best of our knowledge, this is the first beyond-the-birthday-bound security result for AES-like ciphers that does not assume independent round keys.

  • How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction
    Journal of Cryptology, 2016
    Co-Authors: Jean-sébastien Coron, Yannick Seurin, Thomas Holenstein, Robin Künzler, Jacques Patarin, Stefano Tessaro
    Abstract:

    This paper provides the first provably secure construction of an invertible random permutation (and of an ideal cipher) from a public random function that can be evaluated by all parties in the system, including the adversary. The associated security goal was formalized via the notion of indifferentiability by Maurer et al. (TCC 2004). The problem is the natural extension of that of building (invertible) random permutations from (private) random functions, first solved by Luby and Rackoff (SIAM J. Comput. 17(2):373–386, 1988) via the four-round Feistel construction. As our main result, we prove that the Feistel construction with fourteen rounds is indifferentiable from an invertible random permutation. We also provide a new lower bound showing that five rounds are not sufficient to achieve indifferentiability. A major corollary of our result is the equivalence (in a well-defined sense) of the random oracle model and the ideal cipher model.

  • The Iterated Random Permutation Problem with Applications to Cascade Encryption
    International Cryptology Conference, 2015
    Co-Authors: Brice Minaud, Yannick Seurin
    Abstract:

    We introduce and study the iterated random permutation problem, which asks how hard it is to distinguish, in a black-box way, the r-th power of a random permutation from a uniformly random permutation of a set of size N. We show that this requires $\Omega(N)$ queries (even for a two-sided, adaptive adversary). As a direct application of this result, we show that cascading a block cipher with the same key cannot degrade its security (as a pseudorandom permutation) more than negligibly.

  • CRYPTO (1) - The Iterated Random Permutation Problem with Applications to Cascade Encryption
    Lecture Notes in Computer Science, 2015
    Co-Authors: Brice Minaud, Yannick Seurin
    Abstract:

    We introduce and study the iterated random permutation problem, which asks how hard it is to distinguish, in a black-box way, the r-th power of a random permutation from a uniformly random permutation of a set of size N. We show that this requires $\Omega(N)$ queries (even for a two-sided, adaptive adversary). As a direct application of this result, we show that cascading a block cipher with the same key cannot degrade its security (as a pseudorandom permutation) more than negligibly.

Palash Sarkar - One of the best experts on this subject based on the ideXlab platform.

  • A New Mode of Encryption Providing a Tweakable Strong Pseudo-Random Permutation
    2006
    Co-Authors: Debrup Chakraborty, Palash Sarkar
    Abstract:

    We present PEP, which is a new construction of a tweakable strong pseudo-random permutation. PEP uses a hash-encrypt-hash approach which has recently been used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor and Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor-Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudo-random permutation. The security bound of HCTR, which is also based on the Naor-Reingold approach, is weaker than that of PEP. Compared to previously known constructions, PEP is the only construction of a tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.

  • A New Mode of Encryption Providing a Tweakable Strong Pseudo-Random Permutation
    Lecture Notes in Computer Science, 2006
    Co-Authors: Debrup Chakraborty, Palash Sarkar
    Abstract:

    We present PEP, which is a new construction of a tweakable strong pseudo-random permutation. PEP uses a hash-encrypt-hash approach which has recently been used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor and Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor-Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudo-random permutation. HCTR is also based on the Naor-Reingold approach, but its security bound is weaker than that of PEP. Compared to previously known constructions, PEP is the only known construction of a tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.

Debrup Chakraborty - One of the best experts on this subject based on the ideXlab platform.

  • A New Mode of Encryption Providing a Tweakable Strong Pseudo-Random Permutation
    2006
    Co-Authors: Debrup Chakraborty, Palash Sarkar
    Abstract:

    We present PEP, which is a new construction of a tweakable strong pseudo-random permutation. PEP uses a hash-encrypt-hash approach which has recently been used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor and Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor-Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudo-random permutation. The security bound of HCTR, which is also based on the Naor-Reingold approach, is weaker than that of PEP. Compared to previously known constructions, PEP is the only construction of a tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.

  • A New Mode of Encryption Providing a Tweakable Strong Pseudo-Random Permutation
    Lecture Notes in Computer Science, 2006
    Co-Authors: Debrup Chakraborty, Palash Sarkar
    Abstract:

    We present PEP, which is a new construction of a tweakable strong pseudo-random permutation. PEP uses a hash-encrypt-hash approach which has recently been used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor and Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor-Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudo-random permutation. HCTR is also based on the Naor-Reingold approach, but its security bound is weaker than that of PEP. Compared to previously known constructions, PEP is the only known construction of a tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.

Ofer Zeitouni - One of the best experts on this subject based on the ideXlab platform.

  • Maximum of the Characteristic Polynomial for a Random Permutation Matrix
    arXiv: Probability, 2018
    Co-Authors: Nicholas A Cook, Ofer Zeitouni
    Abstract:

    Let $P_N$ be a uniform random $N\times N$ permutation matrix and let $\chi_N(z)=\det(zI_N- P_N)$ denote its characteristic polynomial. We prove a law of large numbers for the maximum modulus of $\chi_N$ on the unit circle, specifically, \[ \sup_{|z|=1}|\chi_N(z)|= N^{x_0 + o(1)} \] with probability tending to one as $N\to \infty$, for a numerical constant $x_0\approx 0.652$. The main idea of the proof is to uncover a logarithmic correlation structure for the distribution of (the logarithm of) $\chi_N$, viewed as a random field on the circle, and to adapt a well-known second moment argument for the maximum of the branching random walk. Unlike the well-studied \emph{CUE field}, in which $P_N$ is replaced with a Haar unitary, the distribution of $\chi_N(e^{2\pi it})$ is sensitive to Diophantine properties of the point $t$. To deal with this we borrow tools from the Hardy--Littlewood circle method in analytic number theory.

  • Circular Law for the Sum of Random Permutation Matrices
    Electronic Journal of Probability, 2018
    Co-Authors: Anirban Basak, Nicholas A Cook, Ofer Zeitouni
    Abstract:

    Let $P_n^1,\dots , P_n^d$ be $n\times n$ permutation matrices drawn independently and uniformly at random, and set $S_n^d:=\sum _{\ell =1}^d P_n^\ell $. We show that if $\log ^{12}n/(\log \log n)^{4} \le d=O(n)$, then the empirical spectral distribution of $S_n^d/\sqrt{d} $ converges weakly to the circular law in probability as $n \to \infty $.

Benoît Collins - One of the best experts on this subject based on the ideXlab platform.

  • Eigenvalues of Random lifts and polynomials of Random Permutation matrices
    Annals of Mathematics, 2019
    Co-Authors: Charles Bordenave, Benoît Collins
    Abstract:

    Consider a finite sequence of independent random permutations, chosen uniformly either among all permutations or among all matchings on n points. We show that, in probability, as n goes to infinity, these permutations, viewed as operators on the (n-1)-dimensional vector space orthogonal to the vector with all coordinates equal to 1, are asymptotically strongly free. Our proof relies on the development of a matrix version of the non-backtracking operator theory and a refined trace method. As a byproduct, we show that the non-trivial eigenvalues of random n-lifts of a fixed base graph approximately achieve the Alon-Boppana bound with high probability in the large n limit. This result generalizes Friedman's theorem stating that, with high probability, the Schreier graph generated by a finite number of independent random permutations is close to Ramanujan. Finally, we extend our results to tensor products of random permutation matrices. This extension is especially relevant in the context of quantum expanders.