Elena Andreeva

Learn More
Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first(More)
Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We(More)
Nearly all modern hash functions are constructed by iterating a compression function. At FSE’04, Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance (Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage resistance (Pre, aPre, ePre). The main contribution of this paper is in(More)
The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K,m) = kt ⊕ Pt(. . . k2 ⊕ P2(k1 ⊕ P1(k0 ⊕m)) . . . ),(More)
We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the(More)
In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to the vulnerabilities identified in widely employed hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 5 candidates are left in the(More)
Tischhauser for many interesting discussions concerning the design of Lane and its predecessors, and for their continued effort on the cryptanalysis of both older and the final version of Lane. Their findings, comments and suggestions for improvements were invaluable in the design process. I extend my gratitude to Antoon Bosselaers, Emilia Käsper, Miroslav(More)
Sponge functions were originally proposed for hashing, but find increasingly more applications in keyed constructions, such as encryption and authentication. Depending on how the key is used we see two main types of keyed sponges in practice: inner and outer -keyed. Earlier security bounds, mostly due to the well-known sponge indifferentiability result,(More)
In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle­ Damg̊ard construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore(More)
In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 14 candidates are left in the second round.(More)