PRPs and SPRPs
[This doesn't seem to have got through, so I'll send it again without the
.ps attachment. What's the policy for attachments on this list?]
Roger Dingledine wrote:
> George: I'll fix it in the paper if you change the picture to say
> AONT rather than BEAR. Sound good? (Is this a good thing to change it
> to? Read below.)
We either need a PRP or an SPRP, I think the latter (but not an AONT,
which is unkeyed).
The security definition for an SPRP is like a PRP, but the attacker is
given both encryption and decryption oracles (i.e. f and f^-1). I have
a draft manuscript by Daniel Bleichenbacher & Anand Desai about a proposed
SPRP construction; ask me if you want a copy.
I would put "LBC" for "large-block cipher" in the diagram, then say that
- LBC means a large-domain PRP or SPRP, we're not sure which yet
- BEAR is a PRP
- there are several possible candidates for SPRPs (Bleichenbacher's,
and some by Zulfikar Ramzan et al., including "Sha-Zam" from
"Toward Optimal and Practical Luby-Rackoff Ciphers.").
--
David Hopwood <david.hopwood@zetnet.co.uk>
Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
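Added illustration (not part of the original message): the PRP/SPRP gap described above, made concrete with a 3-round Luby-Rackoff Feistel network. Three rounds are a PRP (secure against an adversary with only the f oracle) but not an SPRP: one query to the f^-1 oracle lets a distinguisher separate it from a random permutation with certainty. The block size, the HMAC-based round functions and the lazily sampled random permutation are constructed for this example.

```python
import hashlib, hmac, os
HALF = 8  # bytes per Feistel half; constructed toy size (128-bit block)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Feistel3:
    """3-round Luby-Rackoff network; round functions are keyed PRFs (truncated HMAC-SHA256)."""
    def __init__(self, key=None):
        self.key = key or os.urandom(32)
    def _f(self, rnd, x):
        return hmac.new(self.key, bytes([rnd]) + x, hashlib.sha256).digest()[:HALF]
    def encrypt(self, left, right):  # forward oracle f
        for rnd in range(3):
            left, right = right, xor(left, self._f(rnd, right))
        return left, right
    def decrypt(self, left, right):  # inverse oracle f^-1
        for rnd in reversed(range(3)):
            left, right = xor(right, self._f(rnd, left)), left
        return left, right

class RandomPermutation:
    """Lazily sampled random permutation on 2*HALF bytes: the ideal object an SPRP must mimic."""
    def __init__(self):
        self.fwd, self.inv = {}, {}
    def _fresh(self, table):  # rejection-sample a value not yet used by `table`
        while True:
            v = os.urandom(2 * HALF)
            if v not in table:
                return v
    def encrypt(self, left, right):
        x = left + right
        if x not in self.fwd:
            y = self._fresh(self.inv)
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x][:HALF], self.fwd[x][HALF:]
    def decrypt(self, left, right):
        y = left + right
        if y not in self.inv:
            x = self._fresh(self.fwd)
            self.fwd[x], self.inv[y] = y, x
        return self.inv[y][:HALF], self.inv[y][HALF:]

def sprp_distinguisher(enc, dec):
    """Three-query test: True means the oracle pair is NOT behaving like a random permutation."""
    L1, L2, R = os.urandom(HALF), os.urandom(HALF), os.urandom(HALF)
    A1, _ = enc(L1, R)  # two forward queries sharing the same right half
    A2, B2 = enc(L2, R)
    _, r = dec(A2, xor(B2, xor(L1, L2)))  # the inverse query a PRP-only adversary cannot make
    return r == xor(R, xor(A1, A2))  # holds with prob. 1 for 3 rounds, 2^-64 for a random permutation
```

With only the forward oracle the same three plaintexts reveal nothing, which is why the choice between PRP and SPRP decides whether chosen-ciphertext access to the LBC must be ruled out by the surrounding design.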