Sponge functions were introduced by Bertoni et al. as an alternative to the classical Merkle-Damgård design. Many hash function submissions to the SHA-3 competition launched by NIST in 2007, such as CubeHash, Fugue, Hamsi, JH, Keccak and Luffa, derive from the original sponge design, and security guarantees from some of these constructions are typically…
For the homomorphic Paillier cryptosystem we construct a protocol for secure modulo reduction that, on input of an encryption [[x]] with x of bit length ℓ_x and a public 'modulus' a of bit length ℓ_a, outputs an encryption [[x mod a]]. As a result, a protocol for computing an encrypted integer division [[x div a]] is obtained. Surprisingly, the efficiency of the protocol is…
We consider the family of 2n-to-n bit compression functions that are solely based on at most three permutation executions and on XOR operators, and analyze its collision and preimage security. Despite their elegance and simplicity, these designs are not covered by the results of Rogaway and Steinberger (CRYPTO 2008). By defining a carefully chosen…
Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first…
We propose Chaskey: a very efficient Message Authentication Code (MAC) algorithm for 32-bit microcontrollers. It is intended for applications that require 128-bit security, yet cannot implement standard MAC algorithms because of stringent requirements on speed, energy consumption, or code size. Chaskey is a permutation-based MAC algorithm that uses the…
In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 14 candidates are left in the second round.
The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KA_t consists of a small number t of fixed permutations P_i on n bits, separated by key addition, and the round keys (k_0, …, k_t) are obtained from the master key K using some key…
The Sponge function is known to achieve 2^{c/2} security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min{2^{c/2}, 2^κ} security bound, with κ the key length. Similarly, many CAESAR competition submissions are designed to comply with the classical 2^{c/2} security bound. We show that…
We present XPX, a tweakable blockcipher based on a single permutation P. On input of a tweak (t_11, t_12, t_21, t_22) ∈ T and a message m, it outputs ciphertext c = P(m ⊕ Δ_1) ⊕ Δ_2, where Δ_1 = t_11·k ⊕ t_12·P(k) and Δ_2 = t_21·k ⊕ t_22·P(k). Here, the tweak space T is required to satisfy a certain set of trivial conditions (such as (0, 0, 0, 0) ∉ T). We prove that XPX with…
The notion of indifferentiability, introduced by Maurer et al., is an important criterion for the security of hash functions. Concretely, it ensures that a hash function has no structural design flaws and thus guarantees security against generic attacks up to the proven bounds. In this work we prove the indifferentiability of Grøstl, a second round SHA-3…