, N ), k) return S
,
,
,
, A, ? ), k)
, AD.init
, N ), k) return S
, k) return (M, S)
, Algo. AD.last AD
, A, ? ), k)
,
, On the indifferentiability of key-alternating ciphers, CRYPTO 2013, Part I, vol.8042, pp.531-550, 2013.
, How to securely release unverified plaintext in authenticated encryption, Palash Sarkar and Tetsu Iwata, vol.8873, pp.105-125, 2014.
, Message-locked encryption for lock-dependent messages, CRYPTO 2013, Part I, vol.8042, pp.374-391, 2013.
, Boosting authenticated encryption robustness with minimal modifications, Part III, vol.10403, pp.3-33, 2017.
, RIV for robust authenticated encryption, LNCS, vol.9783, pp.23-42, 2016.
, On cipher-dependent related-key attacks in the ideal-cipher model, LNCS, vol.6733, pp.128-145, 2011.
URL : https://hal.archives-ouvertes.fr/hal-01287992
, Hash-function based PRFs: AMAC and its multiuser security, EUROCRYPT 2016, Part I, vol.9665, pp.566-595, 2016.
, On the impossibility of highly-efficient blockcipherbased hash functions, LNCS, vol.3494, pp.526-541, 2005.
, On the indifferentiability of the sponge construction, LNCS, vol.4965, pp.181-197, 2008.
, Cryptographic competitions, 2014.
, A theoretical treatment of related-key attacks: RKA-PRPs, RKAPRFs, and applications, LNCS, vol.2656, pp.491-506, 2003.
, Authenticated and misuse-resistant encryption of key-dependent data, LNCS, vol.6841, pp.610-629, 2011.
, Message-locked encryption and secure deduplication, LNCS, vol.7881, pp.296-312, 2013.
, Robust authenticated encryption and the limits of symmetric cryptography, 15th IMA International Conference on Cryptography and Coding, vol.9496, pp.112-129, 2015.
, Authenticated encryption in the face of protocol and side channel leakage, Part I, vol.10624, pp.693-723, 2017.
, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, LNCS, vol.1976, pp.531-545, 2000.
, Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography, LNCS, vol.1976, pp.317-330, 2000.
, The security of triple encryption and a framework for code-based game-playing proofs, LNCS, vol.4004, pp.409-426, 2006.
, Encryption-scheme security in the presence of key-dependent messages, LNCS, vol.2595, pp.62-75, 2002.
, The EAX mode of operation, LNCS, vol.3017, pp.389-407, 2004.
, Can01. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols, CRYPTO 2016, Part I, vol.9814, pp.136-145, 2001.
, Merkle-Damgård revisited: How to construct a hash function, LNCS, vol.3621, pp.430-448, 2005.
, A domain extender for the ideal cipher, TCC 2010, vol.5978, pp.273-289, 2010.
, How to build an ideal cipher: The indifferentiability of the Feistel construction, Journal of Cryptology, vol.29, issue.1, pp.61-114, 2016.
, The simplest protocol for oblivious transfer, LATINCRYPT 2015, vol.9230, pp.40-58, 2015.
, The random oracle model and the ideal cipher model are equivalent, LNCS, vol.5157, pp.1-20, 2008.
DOI : 10.1007/978-3-540-85174-5_1
URL : http://eprint.iacr.org/2008/246.pdf
, Resource-restricted indifferentiability, LNCS, vol.7881, pp.664-683, 2013.
DOI : 10.1007/978-3-642-38348-9_39
URL : http://eprint.iacr.org/2012/613.pdf
, Provable security of substitution-permutation networks, Cryptology ePrint Archive, 2017.
, 10-round Feistel is indifferentiable from an ideal cipher, EUROCRYPT 2016, Part II, vol.9666, pp.649-678, 2016.
DOI : 10.1007/978-3-662-49896-5_23
, Indifferentiability of permutationbased compression functions and tree-based modes of operation, with applications to MD6, LNCS, vol.5665, pp.371-388, 2009.
, To hash or not to hash again? (In)differentiability results for H 2 and HMAC, LNCS, vol.7417, pp.348-366, 2012.
, Indifferentiability of 10-round Feistel networks, Cryptology ePrint Archive, vol.874, 2015.
, Indifferentiability of 8-round Feistel networks, CRYPTO 2016, Part I, vol.9814, pp.95-120, 2016.
, Indifferentiability of confusiondiffusion networks, EUROCRYPT 2016, Part II, vol.9666, pp.679-704, 2016.
, Indifferentiability of iterated Even-Mansour ciphers with non-idealized key-schedules: Five rounds are necessary and sufficient, Part III, vol.10403, pp.524-555, 2017.
, Reforgeability of authenticated encryption schemes, LNCS, vol.17, pp.19-37, 2017.
, Security of symmetric primitives under incorrect usage of keys, IACR Trans. Symm. Cryptol, vol.2017, issue.1, pp.449-473, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01470885
, The related-key security of iterated Even-Mansour ciphers, LNCS, vol.9054, pp.342-363, 2015.
, GCM-SIV: Full nonce misuse-resistant authenticated encryption at under one cycle per byte, ACM CCS 15, pp.109-119, 2015.
, Message franking via committing authenticated encryption, CRYPTO 2017, Part III, volume 10403 of LNCS, pp.66-97, 2017.
, Lower bounds on the efficiency of generic cryptographic constructions, 41st FOCS, pp.305-313, 2000.
, Robust authenticated-encryption AEZ and the problem that it solves, EUROCRYPT 2015, Part I, vol.9056, pp.15-44, 2007.
, AEZ v5: Authenticated encryption by enciphering, 2017.
, The equivalence of the random oracle model and the ideal cipher model, revisited, 43rd ACM STOC, pp.89-98, 2011.
, Online authenticatedencryption and its nonce-reuse misuse-resistance, CRYPTO 2015, Part I, vol.9215, pp.493-517, 2015.
, New security proofs for the 3GPP confidentiality and integrity algorithms, LNCS, vol.3017, pp.427-445, 2004.
, Deoxys v1, vol.41, 2016.
, Digital signatures with minimal overhead from indifferentiable random invertible functions, CRYPTO 2013, Part I, vol.8042, pp.571-588, 2013.
, Universally composable symmetric encryption, Proceedings of the 22nd IEEE Computer Security Foundations Symposium, pp.293-307, 2009.
, Faster Luby-Rackoff ciphers, LNCS, vol.1039, pp.189-203, 1996.
, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, LNCS, vol.2951, pp.21-39, 2004.
, Chanathip Namprempre, Phillip Rogaway, and Thomas Shrimpton. Reconsidering generic composition, Cryptology ePrint Archive, vol.2951, pp.257-274, 2004.
, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, CRYPTO 2016, Part I, vol.9814, pp.33-63, 2016.
, Leakage-resilient authentication and encryption from symmetric cryptographic primitives, ACM CCS 15, pp.96-108, 2015.
, OCB: A block-cipher mode of operation for efficient authenticated encryption, ACM CCS 01, pp.98-107, 2001.
, A provable-security treatment of the key-wrap problem, LNCS, vol.4004, pp.373-390, 2006.
, Careful with composition: Limitations of the indifferentiability framework, LNCS, vol.6632, pp.487-506, 2011.
, Authenticated encryption with variable stretch, ASIACRYPT 2016, Part I, volume 10031 of LNCS, pp.396-425, 2016.
DOI : 10.1007/978-3-662-53887-6_15
, Beyond uniformity: Better security/efficiency tradeoffs for compression functions, LNCS, vol.5157, pp.397-412, 2008.
DOI : 10.1007/978-3-540-85174-5_22
URL : https://link.springer.com/content/pdf/10.1007%2F978-3-540-85174-5_22.pdf
, Programmable encryption and key-dependent messages, Cryptology ePrint Archive, vol.423, 2012.
, Security flaws induced by CBC padding-applications to SSL, LNCS, vol.2332, pp.534-546, 2002.
DOI : 10.1007/3-540-46035-7_35
URL : https://link.springer.com/content/pdf/10.1007%2F3-540-46035-7_35.pdf
, Am) ? A (M1, Mm) ? M (?1,. .. , ?m) ? ? S0 ? AE .init(K, N ) for i = 1. .. m ? 1 (Ci, Si) ? AE .next(Si?1
, ? |C| if m = 0 or |A| = |C| then return, ?m) ? ? S0 ? AD.init(K, N ) for i = 1. .. m ? 1 if AD.next(Si?1, Ai, Ci, ?i) =? if m = 1 return [ ] return (M1
, Mm) a nonce. 28 The original STREAM construction includes (K, N ) in S and uses (N, i) as nonce in each invocation. As for online schemes, Mm ? AD.last(Sm?1, Am, Cm, ?m) return