Questions tagged [pseudo-random-permutation]
A Pseudo-Random Permutation (PRP) is a function that cannot be distinguished (with practical effort) from a permutation selected at random with uniform probability from the family of all permutations on the function's domain.
183
questions
2
votes
0
answers
66
views
Cryptanalysis of xorshift + multiplication mixer
Suppose we have a $2w$-bit integer $s$, a $2w$-bit odd round key $k$, and some constant $c$ then we can define the following permutation:
...
1
vote
1
answer
70
views
Is there any notion of key-recovery attacks security (perhaphs using games) that is equivalent to IND-CPA?
I am talking about Symmetric Cryptography only in the following.
We know that Semantic Security (in the presence of eavesdropper) implies security against message recovery (in the presence of ...
1
vote
0
answers
75
views
When using AES-NI as a high-speed permutation, does AESDEC offer better diffusion?
If I was to use AES-NI as a high performance 128-bit permutation/PRF would AESDEC offer faster/better diffusion than AESENC? The reason I ask is because both instructions have the same cost, but the ...
0
votes
1
answer
52
views
Can f(S) also be replaced by PRP(S) in a Sponge consruction?
I have difficulties understanding the PRP in the absorb phase of a sponge construction: a block is XORed to the r part of the state memory,and then the entire state sent through a blockcipher-like ...
5
votes
1
answer
232
views
Is F(k,k) $\oplus$ F(k,x) a pseudorandom permutation?
Suppose that $F: \{0,1\}^n\times \{0,1\}^n\rightarrow \{0,1\}^n$ is a strongly pseudorandom permutation. Let $\hat{F}(k,x):=F(k,k)\oplus F(k,x)$. I know that $\hat{F}$ can't be a strongly ...
1
vote
1
answer
142
views
My new PRNG (PaulssonSponge) with dieharder tests
I run an open source project implementing some RipeMD and SHA hashes, one day I got nerdy and threw together my own Sponge function. I have now tested it with the dieharder 3.31.1 test suite. Is it ...
1
vote
2
answers
101
views
How to construct a permutation (shuffle) oblivious pseudorandom function?
We know that OPRF is a two-party protocol, where Alice inputs $X = {x_1, ..., x_n}$, Bob has no input, and after executing the OPRF protocol, Alice gets $F_k(x_i)$, and Bob receives a pseudorandom key ...
3
votes
3
answers
1k
views
Why is SHA-2 considered an ARX construction when it also uses non-ARX operations?
SHA-2 makes use of non-ARX non-linear operators such as the Choice and Majority functions:
\begin{align}
\mathsf{Ch}(E,F,G) &= (E \wedge F) \oplus (\neg E \wedge G)\\
\mathsf{Ma}(A, B, C) &= (...
0
votes
0
answers
82
views
Full-Block Cipher Feedback Mode as a complete AEAD with a free MAC?
Full-State Keyed Sponge (aka Donkey Sponge) appears to cross over into block cipher mode territory such as Full Block Cipher Feedback Mode:
Full State Keyed Sponge (FKS) construction:
FKS has been ...
1
vote
0
answers
139
views
Can a Full-State Keyed Sponge be used as AEAD by using XEX?
Full-State Keyed Sponge (aka Donkey Sponge) is when a message is absorbed into the full state of the sponge.
Such an approach to MAC construction is considered secure. 1
However for an AEAD or a ...
3
votes
2
answers
344
views
Are sponges inherently inefficient when compared to other constructions?
A sponge has by definition 'wasted' operations (the part of the state which always remains private but goes through all the ops of the permutation).
In return for that waste you get a MAC at the end - ...
4
votes
1
answer
144
views
How is the Full-State Keyed duplex useful?
In the Full-State Keyed duplex (sponge construction AEAD), plaintext is absorbed into the entire state of the sponge permutation but only a portion of the output can be used else the scheme breaks (...
1
vote
2
answers
85
views
Given $i$ keyed-$PRP$ labels $\ell_{i,x}$ from a $2^{256} \times 2^{256}$ Sudoku (Latin-square), how difficult is it for an adversary to solve?
There's a keyed-permutation I'm playing with, $\ell_{i,x} = \pi_i(x_i)$, which is a bijection $X \leftrightarrow X$, where $|X| = 2^{256}$, and whose evaluations on plaintext inputs $x_i$ perfectly ...
0
votes
1
answer
76
views
Regarding: Pseudorandomness, Pseudorandomgenerators and Padding
Hey there guys and gals,
so I am right now studying topics regarding pseudorandomness.
I was wondering why, for example with CBC-MAC oder a regular CBC blockcipher, we use padding instead of a PRG. ...
1
vote
0
answers
110
views
Can a one-way permutation be used to stretch a pseudorandom generator?
Consider a secure PRG $G:\{0,1\}^\lambda \to \{0,1\}^n$ and a one-way permutation $f:\{0,1\}^{n-\lambda} \to \{0,1\}^{n-\lambda}$. I'm wondering if the following construction $G': \{0,1\}^\lambda \to \...