A Hardcore Lemma for Computational Indistinguishability
Distinguisher D
$
M,N
251
/ On input z cfw_0, 1
(z)
$
x1 , . . . , xm cfw_0, 1k , r cfw_0, 1d
for all i = 1, . . . , m do
G := G cfw_i with probability M(xi )
$
i cfw_1, . . . , m
for all i = 1, . .

244
U. Maurer and S. Tessaro
A slightly weaker statement holds in the uniform setting, where we can only
show that for every polynomial-time adversary A there exists a measure M for
which GuessA (P (W ) | g(W ) even if A is allowed to query the measure M

On Related-Secret Pseudorandomness
259
Definition 4 (Related key secure pseudorandom permutation (RKPRP). An eciently computable function E : cfw_0, 1p(k) cfw_0, 1k cfw_0, 1p(k)
where p is a polynomial is considered a related key secure pseudorandom permu

A Domain Extender for the Ideal Cipher
281
E2 (X, R) and T E3 (S, X), then the distinguisher obtains ST = P (LR) as
required.
We now proceed to prove that the systems (3 , E) and (P, S) are indistinguishable. We consider a distinguisher D making at most q

On Related-Secret Pseudorandomness
269
one-way functions or permutations. As such, any private operations in those
proofs are kept to a strict minimum because they must be eciently computable
given only f (x). Also, in the case of bits that are generic -

294
2
M. Fischlin and A. Lehmann
Preliminaries
In this section we introduce the basic notions for message authentication codes.
In the key exchange application the two parties at the end usually compute the
MAC for the same message m but include their ide

262
D. Goldenberg and M. Liskov
tokenizer. T has oracle access to ABT , as well as any oracle ABT might possess.
As such, (TABT )O (x) is the machine that runs AO
BT where T translates things
to and from pseudonyms as appropriate as it gives input to A, p

A Hardcore Lemma for Computational Indistinguishability
245
Y := F (V ), where U and V are uniformly8 distributed on U and V, respectively.
Note that this is the usual way to capture that X and Y are eciently samplable,
where typically U and V both consis

268
D. Goldenberg and M. Liskov
pairs of ri with specified dierences. This allows for us to determine x, ri with
high probability. Since the f (x) value is left untouched, the same argument
applies; the general reduction is also black token.
See Appendix

270
D. Goldenberg and M. Liskov
11. Cramer, R., Dodis, Y., Fehr, S., Padro, C., Wichs, D.: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In: Smart,
N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 4714

272
D. Goldenberg and M. Liskov
We note that dealing with imperfect A is done by simply computing multiplication mod p by known quadratic residues. As such, the full proof still remains
black token.
A.1
Other Hardcore Bits
There are too many examples of h

260
D. Goldenberg and M. Liskov
Definition 8 (Related-secret secure one way permutation family (RSOWPF). A related-secret secure one-way permutation family is a related-secret
secure one-way function family in which each individual fs is a permutation.
2.

A Domain Extender for the Ideal Cipher
277
the same answer. A random permutation is an ideal primitive that provides
oracle access to a random permutation P : cfw_0, 1n cfw_0, 1n and to P 1 . An
ideal cipher is a generalization of a random permutation tha

On Related-Secret Pseudorandomness
271
or slightly modified versions to emphasize the fact that they are black token.
For each proof, we only formally show that the necessary reduction exists and
is black token for an adversary which always returns the co

Delayed-Key Message Authentication for Streams
291
transcript and only inputs the messages of the final rounds. This allows the
resource-bounded passport to free memory immediately. The protocol is under
standardization for ISO/IEC JTC1/SC17.
The SSL and

242
U. Maurer and S. Tessaro
whereas
the statistical distance
! between X and Y is defined as d(X, Y ) :=
1 !
|P
(u)
P
(u)|
=
X
Y
uU
u:PX (u)PY (u) PY (u) PX (u).
2
Pseudorandom Generators. An eciently computable function G : cfw_0, 1k
cfw_0, 1 is a (t,

250
U. Maurer and S. Tessaro
this is essentially optimal. For example, for = 12 , the output length of the
given generator G needs to be slightly larger than 2k in order to achieve expansion. For comparison, the SUM construction is expanding if /k > m, wh

A Hardcore Lemma for Computational Indistinguishability
241
is devoted to proving the soundness of the concatenate-and-extract approach for
security amplification of PRGs. All tools employed throughout this paper are
introduced in Section 2, where in part

256
D. Goldenberg and M. Liskov
paper by Biryukov et al has made substantial progress on attacking AES-256 in
Davies-Meyer mode via a strong related-key attack on AES [7]. Finally, there are
settings in which related-key security has been put to good use:

282
J.-S. Coron et al.
E
3
E
D
Game 0
T
3
T
E
S
P
S
D
D
Game 1
Game 2
P
S
D
Game 3
Fig. 4. Sequence of games for proving indierentiability
We must show that the distinguishers view has statistically close distribution
in Game1 and Game2 . For this, we con

On Related-Secret Pseudorandomness
267
We construct A to attack B as an RS-PRB under . We can view A as
having access to two oracles, O and Ff,x , where O either returns B(x) or a
random bit. First A queries Ff,x (ident ) to obtain f (x), creates a token

246
U. Maurer and S. Tessaro
output from an -bit string U! sampled
according to N , which, by Lemma 2, has
"
1
min-entropy at least log 1 .
In other words, the output of every -PRG G : cfw_0, 1k cfw_0, 1 exhibits (with
probability 1) high computational mi

On Related-Secret Pseudorandomness
261
We finally introduce the idea of a related-secret secure pseudorandom bit or
RS-PRB. As noted before, normal hardcore bits are inherently pseudorandom.
As we will see in the next section however, when the adversary i

280
J.-S. Coron et al.
Theorem 2. The 3-round Feistel construction 3 is (tD , tS , q, )-indierentiable
from a random permutation, with tS = O(qn) and = 5q 2 /2n . The 3-round
block-cipher construction 3 is (tD , tS , q, )-indierentiable from an ideal ciph

274
J.-S. Coron et al.
shows that a scheme is secure against generic attacks, that do not exploit specific
weaknesses of the underlying block cipher.
It was shown in [9,10] that the Ideal Cipher Model and the Random Oracle
Model are equivalent; the random

258
D. Goldenberg and M. Liskov
Definition 2. A list decodable code C, C1 , R is linear when C is a linear subspace of cfw_0, 1n.
2.1
Related-Secret Security
We consider primitives to be related-secret secure if they maintain their security even under an

A Domain Extender for the Ideal Cipher
279
It is easy to see that this defines an invertible permutation over cfw_0, 12n . Namely,
given a ciphertext (S, T ) the value R is recovered by decrypting T with blockcipher E2 and key S, and the value L is recove

252
U. Maurer and S. Tessaro
that |G| = g cfw_0, 1, . . . , m. Similarly, we denote P[D (X) | g, i] := P[D (X) =
1 | |G| = g i = i] when additionally conditioned on i = i. Then,
D (G(X ), U ) = |P[D (G(X ) = 1] P[D (U ) = 1]|
!
!
m
!"
!
!
!
=!
P|G| (g) (P

A Hardcore Lemma for Computational Indistinguishability
2.3
243
Measures and the Hardcore Lemma
Guessing Advantages. Let (X, B) be a pair of correlated random variables
with joint probability distribution PXB , where B is binary, and let A be an
adversary

248
U. Maurer and S. Tessaro
Lemma 3. GuessD (B | g(U , V , B ) > 2 d(X1 , B1 ), (X2 , B2 ).
Proof. Consider the distinguisher D which given a pair (x, b) (U cfw_0) (V
cfw_1) outputs 1 if b = 0 and D (E(x) = 0, or if b = 1 and D (F (x) = 1. Then,
note th