Publication


Featured research papers published by Mridul Nandi.


Fast Software Encryption | 2005

Security analysis of a 2/3-rate double length compression function in the black-box model

Mridul Nandi; Wonil Lee; Kouichi Sakurai; Sangjin Lee

In this paper, we propose a 2/3-rate double length compression function and study its security in the black-box model. We prove that a collision attack on the compression function requires Ω(2^{2n/3}) queries, where n is the single length output size. Thus, it has better security than the most secure single length compression function. This construction is more efficient than the construction given in [8]. Also, the three computations of the underlying compression functions can be done in parallel. The proof idea uses a concept of computable message, which can be helpful in studying the security of other constructions like [8], [14], [16], etc.


International Conference on Cryptology in India | 2006

A simple and unified method of proving indistinguishability

Mridul Nandi

Recently Bernstein [4] has provided a simpler proof of indistinguishability of the CBC construction [3], which gives insight into the construction. Indistinguishability of any function intuitively means that the function behaves very closely to a uniform random function. In this paper we take a unifying and simple approach to prove indistinguishability of many existing constructions. We first revisit Bernstein's proof. Using this idea we can show a simpler proof of indistinguishability of a class of DAG based constructions [8], XCBC [5], TMAC [9], OMAC [7] and PMAC [6]. We also provide a simpler proof for the stronger bound of CBC [1] and a simpler proof of security of on-line Hash-CBC [2]. We note that there is a flaw in the security proof of Hash-CBC given in [2]. This paper will help to understand the security analysis of indistinguishability of many constructions in a simpler way.


International Conference on Cryptology in India | 2005

Towards optimal double-length hash functions

Mridul Nandi

In this paper we design several double length hash functions and study their security properties in the random oracle model. We design a class of double length hash functions (and compression functions) which includes some recent constructions [4,6,10]. We also propose a secure double length hash function which is as efficient as the insecure concatenated classical hash functions [7].


International Conference on Cryptology in India | 2006

RC4-hash: a new hash function based on RC4

Donghoon Chang; Kishan Chand Gupta; Mridul Nandi

In this paper, we propose a new hash function based on RC4 and we call it RC4-Hash. This proposed hash function produces variable length hash output from 16 bytes to 64 bytes. Our RC4-Hash has several advantages over many popularly known hash functions. Its efficiency is comparable with widely used hash functions (e.g., SHA-1). Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1 and on RIPEMD, there is a serious need to consider other hash function design strategies. We present a concrete hash function design with a completely new internal structure. The security analysis of RC4-Hash can be made in the view of the security analysis of RC4 (which is well studied) as well as the attacks on different hash functions. Our hash function is very simple and rules out all possible generic attacks. To the best of our knowledge, the design criteria of our hash function are different from all previously known hash functions. We believe our hash function to be secure and would appreciate security analysis and any other comments.


International Conference on the Theory and Application of Cryptology and Information Security | 2003

New Parallel Domain Extenders for UOWHF

Wonil Lee; Donghoon Chang; Sangjin Lee; Soo Hak Sung; Mridul Nandi

We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is a complete binary tree based construction and has less key length expansion than Sarkar's construction, which is the previously best known complete binary tree based construction. But the only disadvantage is that here we need more key length expansion than that of Shoup's sequential algorithm. But it is not too large, as in all practical situations we need just two more masks than Shoup's. Our second algorithm is based on a non-complete l-ary tree and has the same optimal key length expansion as Shoup's, which has the most efficient key length expansion known so far. Using the recent result [9], we can also prove that the key length expansion of this algorithm and Shoup's sequential algorithm are the minimum possible for any algorithm in a large class of "natural" domain extending algorithms. But its parallelizability performance is less efficient than complete tree based constructions. However, if l gets larger, then the parallelizability of the construction also gets near to that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.


Fast Software Encryption | 2008

An Improved Security Bound for HCTR

Debrup Chakraborty; Mridul Nandi

HCTR was proposed by Wang, Feng and Wu in 2005. It is a mode of operation which provides a tweakable strong pseudorandom permutation. Though HCTR is quite an efficient mode, the authors showed a cubic security bound for HCTR, which makes it unsuitable for applications where tweakable strong pseudorandom permutations are required. In this paper we show that HCTR has a better security bound than what the authors showed. We prove that the distinguishing advantage of an adversary in distinguishing HCTR and its inverse from a random permutation and its inverse is bounded above by 4.5σ²/2^n, where n is the block-length of the block-cipher and σ is the number of n-block queries made by the adversary (including the tweak).


Journal of Mathematical Cryptology | 2008

Improved security analysis of PMAC

Mridul Nandi; Avradip Mandal

In this paper we provide a simple, concrete and improved security analysis of Parallelizable Message Authentication Code or PMAC. In particular, we show that the advantage of any distinguisher at distinguishing PMAC from a random function is at most (5qσ − 3.5q²)/2^n. Here, σ is the total number of message blocks in all q queries made by the distinguisher, and PMAC is based on a random permutation over {0,1}^n. In the original paper of PMAC by Black and Rogaway in Eurocrypt-2002, the bound was shown to be (σ + 1)²/2^{n−1}. In FSE-2007, Minematsu and Matsushima provided a bound 5ℓq²/(2^n − 2ℓ), where ℓ is the number of blocks of the longest query made by the distinguisher. Our proposed bound is sharper than these two previous bounds.


Fast Software Encryption | 2009

Fast and Secure CBC-Type MAC Algorithms

Mridul Nandi

The CBC-MAC, or cipher block chaining message authentication code, is a well-known method to generate message authentication codes. Unfortunately, it is not forgery-secure over an arbitrary domain. There are several secure variants of CBC-MAC, among which OMAC is a widely-used candidate. To authenticate an s-block message, OMAC costs (s + 1) block cipher encryptions (one of these is a zero block encryption), and only one block cipher key is used. In this paper, we propose two secure and efficient variants of CBC-MAC: namely, GCBC1 and GCBC2. Our constructions cost only s block cipher encryptions to authenticate an s-block message, for all s ≥ 2. Moreover, GCBC2 needs only one block cipher encryption for almost all single block messages, and for all other single block messages, it costs two block cipher encryptions. We have also defined a class of generalized CBC-MAC constructions, and proved a sufficient condition for prf-security. In particular, we have provided a unified prf-security analysis of CBC-type constructions, e.g., XCBC, TMAC and our proposals GCBC1 and GCBC2.


Australasian Conference on Information Security and Privacy | 2014

ELmE: A Misuse Resistant Parallel Authenticated Encryption

Nilanjan Datta; Mridul Nandi

The authenticated encryptions which resist misuse of the initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but providing full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex) and COPA. Only the last one is almost parallelizable, with some bottleneck in processing associated data. In this paper, we design a new online secure authenticated encryption, called ELmE or Encrypt-Linear mix-Encrypt, which is completely (two-stage) parallel (even in associated data) and pipeline implementable. It also provides full privacy when associated data (which includes the initial value) is not repeated. The basic idea of our construction is based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext). But unlike EME, we have used an online computable efficient linear mixing instead of a non-linear mixing. Our construction optionally supports intermediate tags which can be verified faster with less buffer size. Intermediate tags provide security against block-wise adversaries, which is meaningful in low-end device implementations.


International Cryptology Conference | 2015

On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes

Mridul Nandi

It is well known that three and four rounds of a balanced Feistel cipher or Luby-Rackoff (LR) encryption for two-block messages are a pseudorandom permutation (PRP) and a strong pseudorandom permutation (SPRP) respectively. A block is n-bit long for some positive integer n, and a possibly keyed block-function is a nonlinear function mapping all blocks to themselves, e.g. a blockcipher. XLS (eXtended Latin Square) encryption defined over two block inputs with three blockcipher calls was claimed to be SPRP. However, later Nandi showed that it is not an SPRP. Motivated by these observations, we consider the following questions in this paper: What is the minimum number of invocations of block-functions required to achieve PRP or SPRP security over

Collaboration

Top co-authors of Mridul Nandi:

Donghoon Chang, Indraprastha Institute of Information Technology
Nilanjan Datta, Indian Statistical Institute
Avik Chakraborti, Indian Statistical Institute
Ashwin Jha, Indian Statistical Institute
Ritam Bhaumik, Indian Statistical Institute
Palash Sarkar, Indian Statistical Institute