Foiling Birthday Attacks in Length-Doubling Transformations

Benes: a non-reversible alternative to Feistel
  • William Aiello
  • Ramarathnam Venkatesan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)

Abstract

For many cryptographic primitives, e.g., hashing and pseudorandom functions & generators, doubling the output length is useful even if the doubling transformation is not reversible. For these cases, we present a non-reversible construction based on a Benes network, as an alternative to the traditional Feistel construction (which is the basis of DES).

Assuming that a given primitive behaves like an n-bit to n-bit random function, we present a length-doubling scheme that yields a 2n-bit to 2n-bit function that provably requires Ω(2^n) queries to distinguish with Θ(1) probability from a truly random function of that length. This is true even if the adversary is of unlimited computing power and is allowed to query the function adaptively. Our construction is minimal in the sense that omitting any operation makes the resulting network susceptible to birthday attacks using O(2^{n/2}) queries.

Feistel networks also use truly random n-bit functions to achieve 2n-bit functions. Luby and Rackoff [16] showed that 3 and 4 round Feistel networks require Ω(2^{n/2}) queries to distinguish with Θ(1) probability from truly random. We show that these bounds are tight by showing that these networks are susceptible to various types of birthday attacks using O(2^{n/2}) queries.
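The tightness claim in the last paragraph, as an added example that is not the paper's own code: a 3-round Feistel network over random functions is told apart from a truly random 2n-bit function with O(2^{n/2}) queries by fixing the right input half, varying the left half, and checking every pair of queries whose left output halves collide for the relation T_i ^ T_j == L_i ^ L_j. A Benes oracle is included for contrast in the two-butterfly, eight-function form the literature gives for that scheme; the abstract does not spell out the authors' construction, so that form, the seed and n = 24 are assumptions made here.

```python
import random

N, rng = 24, random.Random(20240601)   # half-block width n; fixed seed (constructed) for a reproducible run

def random_function():
    """Lazily sampled random n-bit -> n-bit function (memoised table)."""
    table = {}
    return lambda x: table[x] if x in table else table.setdefault(x, rng.getrandbits(N))

def feistel3():
    """Three-round Feistel network on 2n bits over three random functions."""
    f1, f2, f3 = random_function(), random_function(), random_function()
    def psi(L, R):
        X = L ^ f1(R)
        S = R ^ f2(X)
        return S, X ^ f3(S)            # output halves (S, T)
    return psi

def benes():
    """Benes: two butterfly layers of four random functions each (assumed form, see lead-in)."""
    f = [random_function() for _ in range(8)]
    def b(L, R):
        L1, R1 = f[0](L) ^ f[1](R), f[2](L) ^ f[3](R)
        return f[4](L1) ^ f[5](R1), f[6](L1) ^ f[7](R1)
    return b

def truly_random():
    """Ideal 2n-bit -> 2n-bit random function: the adversary's reference point."""
    table = {}
    return lambda L, R: table[(L, R)] if (L, R) in table else table.setdefault(
        (L, R), (rng.getrandbits(N), rng.getrandbits(N)))

def birthday_distinguish(oracle, queries=1 << (N // 2 + 3)):
    """Fix R, vary L over distinct values, and inspect pairs whose left output S collides.
    In a 3-round Feistel such a pair shares f1(R) and f3(S), so T_i ^ T_j == L_i ^ L_j always;
    for a random function the relation holds with probability 2^-n per colliding pair."""
    R = rng.getrandbits(N)
    first = {}                         # S -> (L, T) of the first query that produced S
    collisions = confirmed = 0
    for L in rng.sample(range(1 << N), queries):   # ~32 colliding pairs expected
        S, T = oracle(L, R)
        if S in first:
            L0, T0 = first[S]
            collisions += 1
            confirmed += (T ^ T0 == L ^ L0)
        else:
            first[S] = (L, T)
    if collisions == 0:
        return "undecided"
    return "feistel" if confirmed == collisions else "random-like"
```

Each call issues 2^{n/2+3} = 32768 queries, so the attack is far below the 2^n = 16777216 queries the abstract proves the Benes scheme needs.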

References

  1. M. Bellare, R. Canetti, and H. Krawczyk, "Keying MD5 — Message Authentication via Iterated Pseudorandomness," manuscript.
  2. M. Bellare, J. Kilian, and P. Rogaway, "The Security of Cipher Block Chaining," Advances in Cryptology - Crypto '94, Springer Verlag (1994).
  3. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag (1993).
  4. E. Biham and A. Shamir, "Differential Cryptanalysis of Snefru, Khafre, REDOC II, LOKI, Lucifer," Advances in Cryptology - Crypto '91, Springer Verlag (1992).
  5. E. Biham and A. Shamir, "Differential Cryptanalysis of Feal and N-hash," Advances in Cryptology - Eurocrypt '91, Springer Verlag (1991).
  6. M. Blum and S. Micali, "How to Generate Cryptographically Strong Sequences of Pseudorandom Bits," SIAM Journal on Computing, 13, pp. 850–864 (1984).
  7. D. Coppersmith, "Another Birthday Attack," Advances in Cryptology - Crypto '85, Springer Verlag (1986).
  8. I. Damgård, "A Design Principle for Hash Functions," Advances in Cryptology - Crypto '89, Springer Verlag (1989).
  9. D. Davies and W. Price, Security for Computer Networks (2e), John Wiley (1989).
  10. H. Dobbertin, "Cryptanalysis of MD4," to appear at the Fast Software Encryption Workshop, February 1996.
  11. O. Goldreich, S. Goldwasser, and S. Micali, "How To Construct Random Functions," JACM, 33(4), pp. 792–807 (1986).
  12. J. Håstad, R. Impagliazzo, L. Levin, and M. Luby, "Pseudorandom Generation From One-Way Functions," Proc. ACM Symp. on Theory of Computing (1989); "Pseudorandom Generators Under Uniform Assumptions," Proc. of the ACM Symp. on Theory of Computing (1990).
  13. S. Langford and M. Hellman, "Differential-Linear Cryptanalysis," Advances in Cryptology - Crypto '94, Springer Verlag (1994).
  14. L. Levin, "One-Way Functions and Pseudo-Random Generators," Proc. of the ACM Symp. on Theory of Computing (1985).
  15. M. Luby, Pseudorandomness And Its Cryptographic Applications, Princeton Univ. Press, to appear.
  16. M. Luby and C. Rackoff, "How to Construct Pseudorandom Permutations from Pseudorandom Functions," SIAM Journal on Computing, 17, pp. 373–386 (1988).
  17. U. Maurer, "A Simplified and Generalized Treatment of Luby-Rackoff Pseudo-Random Permutation Generators," Advances in Cryptology - Eurocrypt '92, Springer Verlag (1992).
  18. M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard," Advances in Cryptology - Crypto '94, Springer Verlag (1994).
  19. R. Merkle, "A Fast Software One-Way Hash Function," Journal of Cryptology, 3(1), pp. 43–58 (1990).
  20. R. Merkle, "One-Way Hash Functions and DES," Advances in Cryptology - Crypto '89, Springer Verlag (1989).
  21. P. van Oorschot and M. Wiener, "Parallel Collision Search with Application to Hash Functions and Discrete Logarithms," Proc. of the 2nd ACM Conf. on Computer and Communications Security (1994).
  22. B. Preneel, Analysis and Design of Cryptographic Hash Functions, Ph.D. Thesis, Katholieke Universiteit Leuven (1993).
  23. B. Preneel and P. van Oorschot, "MDx-MAC and Building Fast MACs from Hash Functions," Advances in Cryptology - Crypto '95, Springer Verlag (1995).
  24. V. Shoup, personal communication (1995).
  25. A. Wyner, "The Wire-Tap Channel," Bell System Technical Journal, 54 (1975).
  26. A. Yao, "Theory and Applications of Trapdoor Functions," Proc. of the IEEE Symp. on Foundations of Computer Science (1982).
  27. Y. Zheng, T. Matsumoto, and H. Imai, "On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses," Advances in Cryptology - Crypto '89 (1989).

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • William Aiello (1)
  • Ramarathnam Venkatesan (1)
  1. Math and Cryptography Research Group, Bell Communications Research, Morristown