DC Field | Value | Language |
---|---|---|
dc.contributor.author | Choi, Wonseok | ko |
dc.contributor.author | Kim, Hwigyeom | ko |
dc.contributor.author | Lee, Jooyoung | ko |
dc.contributor.author | Lee, YeongMin | ko |
dc.date.accessioned | 2022-11-25T09:00:29Z | - |
dc.date.available | 2022-11-25T09:00:29Z | - |
dc.date.created | 2022-11-01 | - |
dc.date.issued | 2022-12-07 | - |
dc.identifier.citation | 28th Annual International Conference on the Theory and Application of Cryptology and Information Security, pp.682 - 710 | - |
dc.identifier.issn | 0302-9743 | - |
dc.identifier.uri | http://hdl.handle.net/10203/301019 | - |
dc.description.abstract | For several decades, constructing pseudorandom functions from pseudorandom permutations, the so-called Luby-Rackoff backward construction, has been a popular cryptographic problem. Two methods are well known and comprehensively studied for this problem: summing two random permutations, and truncating part of the output bits of a random permutation. In this paper, by combining both summation and truncation, we propose new Luby-Rackoff backward constructions, dubbed SaT1 and SaT2. SaT2 is obtained by partially truncating the output bits of the sum of two independent random permutations, and SaT1 is its single-permutation variant using domain separation. The distinguishing advantage against SaT1 and SaT2 is upper bounded by O(\sqrt{\mu q_{max}}/2^{n-0.5m}) and O(\sqrt{\mu} q_{max}^{1.5}/2^{2n-0.5m}), respectively, in the multi-user setting, where n is the size of the underlying permutation, m is the output size of the construction, \mu is the number of users, and q_{max} is the maximum number of queries per user. We also prove that the distinguishing advantage against a variant of XORP[3] (studied by Bhattacharya and Nandi at Asiacrypt 2021) using independent permutations, dubbed SoP3-2, is upper bounded by O(\sqrt{\mu} q_{max}^{2}/2^{2.5n}). In the multi-user setting with \mu = O(2^{n-m}), a truncated random permutation provides only birthday-bound security, while SaT1 and SaT2 are fully secure, i.e., they allow O(2^n) queries for each user. This is the same security level as XORP[3], which uses three permutation calls, while SaT1 and SaT2 need only two permutation calls. | - |
dc.language | English | - |
dc.publisher | International Association for Cryptologic Research (IACR) | - |
dc.title | Multi-User Security of the Sum of Truncated Random Permutations | - |
dc.type | Conference | - |
dc.identifier.wosid | 000964575000023 | - |
dc.identifier.scopusid | 2-s2.0-85147991400 | - |
dc.type.rims | CONF | - |
dc.citation.beginningpage | 682 | - |
dc.citation.endingpage | 710 | - |
dc.citation.publicationname | 28th Annual International Conference on the Theory and Application of Cryptology and Information Security | - |
dc.identifier.conferencecountry | CH | - |
dc.identifier.conferencelocation | Taipei | - |
dc.identifier.doi | 10.1007/978-3-031-22966-4_23 | - |
dc.contributor.localauthor | Lee, Jooyoung | - |
dc.contributor.nonIdAuthor | Choi, Wonseok | - |
dc.contributor.nonIdAuthor | Kim, Hwigyeom | - |
dc.contributor.nonIdAuthor | Lee, YeongMin | - |