John P. Steinberger

We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's …
We prove that Tandem-DM, which is one of the two "classical" schemes for turning a blockcipher of $2n$-bit key into a double block length hash function, has birthday-type collision resistance in the ideal cipher model. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks …
This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher $PX$ from an $n$-bit permutation $P$ and two $n$-bit keys $k_0$ and $k_1$, setting $PX_{k_0,k_1}(x) = k_1 \oplus P($…
A vanishing sum $a_0 + a_1 \zeta_n + \cdots + a_{n-1} \zeta_n^{n-1} = 0$, where $\zeta_n$ is a primitive $n$-th root of unity and the $a_i$'s are nonnegative integers, is called minimal if the coefficient vector $(a_0, \ldots, a_{n-1})$ does not properly dominate the coefficient vector of any other such nonzero sum. We show that for every $c \in \mathbb{N}$ there is a minimal vanishing sum of $n$-th roots …
We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. For collision-uniform, fixed-permutation-order compression functions, we show that any $2n$-bit to $n$-bit construction will have unacceptable collision resistance if it makes fewer than three …
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a $2n$-bit to $n$-bit compression …
A $t$-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \cdots k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of …
The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a $t$-round key-alternating cipher $KA_t$ consists of a small number $t$ of fixed permutations $P_i$ on $n$ bits, separated by key addition: $k_t$) are obtained from the master key $K$ using some key …