Algo. AE:
  (A_1, ..., A_m) ← A
  (M_1, ..., M_m) ← M
  (τ_1, ..., τ_m) ← τ
  S_0 ← AE.init(K, N)
  for i = 1 ... m − 1: (C_i, S_i) ← AE.next(S_{i−1}, A_i, M_i, τ_i)

Algo. AD:
  m ← |C|
  if m = 0 or |A| ≠ |C| then return ⊥
  (τ_1, ..., τ_m) ← τ
  S_0 ← AD.init(K, N)
  for i = 1 ... m − 1: if AD.next(S_{i−1}, A_i, C_i, τ_i) = ⊥
  if m = 1 return [ ]
  M_m ← AD.last(S_{m−1}, A_m, C_m, τ_m)
  return (M_1, ..., M_m)

28 The original STREAM construction includes (K, N) in S and uses (N, i) as nonce in each invocation. As for online schemes,