A Domain Extender for the Ideal Cipher
289
13. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (199

A Domain Extender for the Ideal Cipher
275
values of n.¹ In this paper we describe a more efficient construction, based on a 3-round Feistel only, and with a better security bound; we view this as the main result of the paper. More precisely, we show that th

292
M. Fischlin and A. Lehmann
key K.² Note that since verification is usually done by re-computing a MAC, the idea also applies to the verification of the other party's MAC, i.e., one of the parties in a key-exchange protocol can both compute its own MAC a

On Related-Secret Pseudorandomness
263
Proof. To prove that $B(x, r)$ is an RS-SHCB for $f$ we will create a black-box reduction $M^{F_{f,(x,r)},\,A}$ which will invert $f(x)$ with non-negligible probability as long as $A^{F_{f,(x,r)}}$ returns $B(x, r)$ with probability non-n

Sec. 5] Topological Vector Spaces 235
continuity of multiplication implies that there is an open set $V$ containing $\theta$ and an $\varepsilon > 0$ such that $\lambda V \subset O$ for all $|\lambda| < \varepsilon$. Then $U = \bigcup_{|\lambda| < \varepsilon} \lambda V$ is open, $\theta \in U \subset O$ and $\alpha U \subset U$ for each $\alpha$ with $|\alpha| \le 1$.
e. If $\mathfrak{B}$ satisfies the condit

Sec. 8] Hilbert Space 249
Let $x$ be any element of $H$. Then $\sum_{\nu=1}^{\infty} a_\nu \varphi_\nu = x$, and so
$$f(x) = \lim f\Big(\sum_{\nu=1}^{n} a_\nu \varphi_\nu\Big) = \lim \sum_{\nu=1}^{n} a_\nu b_\nu = \sum_{\nu=1}^{\infty} a_\nu b_\nu = (x, y).$$
By the Schwarz inequality $\|f\| \le \|y\|$. ∎
Problems
50. Show that the inner product is continuous; that is, if

234 Banach Spaces [Chap. 10
The proof of the proposition is left to the reader. We note that, if $X$ is a normed linear space, we may take $\mathfrak{B}$ to be the set of spheres about $\theta$, and the proposition gives us a base for the general case which has many of the properties po

222 Banach Spaces [Chap. 10
for all $n \ge N$. Thus for $n \ge N$,
$$\|A_n - A\| = \sup_{\|x\| = 1} \|A_n x - A x\| \le \varepsilon.$$
Thus $A_n \to A$ and $\mathfrak{B}$ is complete. ∎
Problems
13. Show that if $A_n \to A$ and $x_n \to x$, then $A_n x_n \to A x$.
14. The kernel of an operator $A$ is the set $\{x : Ax = 0\}$. Prove that the

Sec. 2] Linear Operators 221
since $\|w + x_0 - x_0\| = \|w\| = \eta < \delta$. Consequently, $\|Az\| \le \eta^{-1}\|z\|$, and $A$ is bounded. ∎
3. Proposition: The space $\mathfrak{B}$ of all bounded linear operators from a normed vector space $X$ to a Banach space $Y$ is itself a Banach space.
Proof

A Domain Extender for the Ideal Cipher
283
By definition of the simulator $S$, when the simulator $S$ makes a query for $\Psi_3(L\|R)$, it must have made an ideal cipher query to $E_1(R, L)$ before, or an ideal cipher query to $E_1^{-1}(R, X)$ before, with $L = E_1^{-1}(R, X)$. ∎

254
U. Maurer and S. Tessaro
8. Holenstein, T.: Key agreement from weak bit agreement. In: STOC 2005: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 664–673 (2005)
9. Holenstein, T.: Pseudorandom generators from one-way functions:

286
J.-S. Coron et al.
The security notion for a tweakable block-cipher is a straightforward extension of the corresponding notion for block-ciphers. A classical block-cipher $E$ is a strong pseudo-random permutation if no adversary can distinguish $E(K, \cdot)$ f

288
J.-S. Coron et al.
ideal cipher. Our construction is based on a 3-round Feistel, and is more efficient and more secure than first building an $n$-bit random oracle from an $n$-bit ideal cipher (as in [9]) and then a $2n$-bit ideal cipher from an $n$-bit random orac

Delayed-Key Message Authentication for Streams
293
attacking this modified scheme can only make a limited number of verification requests (which corresponds to the common case that in two-party
key-exchange protocols for each exchanged key K the server an

Delayed-Key Message Authentication for
Streams
Marc Fischlin and Anja Lehmann
Darmstadt University of Technology, Germany
www.minicrypt.de
Abstract. We consider message authentication codes for streams where
the key becomes known only at the end of the st

A Hardcore Lemma for Computational Indistinguishability
253
Definition 1. A black-box $(\,\cdot\,,\,\cdot\,)$-indistinguishability amplifier consists of a pair of polynomial-time algorithms $(C, S)$ with the following two properties:
(i) For some functions $m, m', d, d'$ and $h$, the

On Related-Secret Pseudorandomness
257
In the standard model, a hard-core bit fills this role simply: a hard-core bit is hard to learn, and thus hard to distinguish from a random bit [14,15]. However, in the related-secret setting things are different, bec

264
D. Goldenberg and M. Liskov
We go on to show that related-secret pseudorandom bits can be used to construct related-key secure blockciphers. First, we show how to construct an RS-PRG from an RS-PRB.
Theorem 4. Let $f$ be a function from $\{0, 1\}^k$ to $\{$

A Hardcore Lemma for Computational Indistinguishability
247
Furthermore, let $m_b := \sum_{u,v} M(u, v, b)$ for $b \in \{0, 1\}$, and let $m := |M| = m_0 + m_1$. Note that in particular $\mu(M_b) = \dfrac{m_b}{|U|\,|V|}$ and $\mu(M) = \dfrac{m}{2\,|U|\,|V|}$.
We consider two cases in the following, both l

A Domain Extender for the Ideal Cipher
287
Theorem 3. The tweakable block-cipher $\tilde{E}_2$ is a $(t', q, \varepsilon')$-secure tweakable block-cipher, if $E_1$ and $E_2$ are both $(t, q, \varepsilon)$-secure tweakable block-ciphers, where $\varepsilon' = 2\varepsilon + q^2/2^{n} + q^2/2^{2n}$ and $t' = t - O(qn)$.
Proof. See the f

Sec. 5] Signed Measures 275
is called the absolute value or total variation of $\nu$. A set $E$ is positive for $\nu$ if $\nu^{-}E = 0$. It is a null set if $|\nu|(E) =$
Problems
27. a. Give an example to show that the Hahn decomposition need not be unique.
b. Show

Sec. 3] Linear Functionals and the Hahn–Banach Theorem 223
4. Theorem (Hahn–Banach): Let $p$ be a real-valued function defined on the vector space $X$ satisfying $p(x + y) \le p(x) + p(y)$ and $p(\alpha x) = \alpha\, p(x)$ for each $\alpha > 0$. Suppose that $f$ is a linear functional defined on a su

248 Banach Spaces [Chap. 10
In a separable Hilbert space there are two alternatives: Either every complete orthonormal system has an infinite number of elements, or ... with a finite number $N$ of elements. In the latter case such a system is a basis (i

256 Measure and Integration [Chap. 11
13. Proposition: If $f$ and $g$ are nonnegative measurable functions and $a$ and $b$ nonnegative constants, then
$$\int (af + bg) = a \int f + b \int g.$$
Moreover, $\int f \ge 0$, with equality only if $f = 0$ a.e.
Proof: To prove the first statement, let $\langle \varphi_n \rangle$ and $\langle \psi_n \rangle$ be in

284 Measure and Integration [Chap. 11
We shall also use the following lemma, whose proof is left to the reader.
28. Lemma: ... and for each $n$ let $f_n$ be a function in $L^p$ $(1 \le p < \infty)$ that vanishes outside $E_n$. Set $f = \sum f_n$. Then $f \in L^p$ if and only if $\sum \|f_n\|^p < \infty$. In this case $f =$

Sec. 5] Signed Measures 213
$$E = A \cup \bigcup_{k=1}^{\infty} E_k.$$
Since this is a disjoint union, we have
$$\nu E = \nu A + \sum_{k=1}^{\infty} \nu E_k,$$
with the series on the right absolutely convergent, since $\nu E$ is finite. Thus $\sum 1/n_k$ converges, and we have $n_k \to \infty$. Since $\nu E_k < 0$ and $\nu E > 0$, we

282 Measure and Integration [Chap. 11
d. The conclusion of (c) is still valid if instead of assuming $\{X_\alpha\}$ to be a decomposition for $\nu$, we merely assume that if $E \in \mathfrak{B}$ and $\nu(E \cap X_\alpha) = 0$ for all $\alpha$, then $\nu E = 0$.
7 The $L^p$ Spaces
If $(X, \mathfrak{B}, \mu)$ is a comp

Sec. 3] Integration 251
An arbitrary function $f$ is said to be integrable if both $f^+$ and $f^-$ are integrable. In this case we define
$$\int f = \int f^+ - \int f^-.$$
Some of the properties of the integral are contained in the following proposition.
15. Proposition: If $f$ and $g$ ar

250 Banach Spaces [Chap. 10
e. Let $M$ be a closed linear manifold. Then each $x \in H$ can be written uniquely in the form $x = y + z$ with $y \in M$ and $z \in M^{\perp}$. Moreover, $\|x\|^2 = \|y\|^2 + \|z\|^2$.
54. Let $\langle x_n \rangle$ be a bounded sequence of elements in a separable Hilbert

Sec. 6] The Radon–Nikodym Theorem 231
c. If $\nu \ll \mu$, then $\lambda \ll \mu$, and $g = 0$ only on a set of $\mu$-measure zero. In this case
$$\lambda(E) = \int_E g^{-1}\, d\mu.$$
[Hint: Consider Problem 22.]
d. If $\nu \ll \mu$, then $(1 - g)\,g^{-1}$ is integrable with respect to $\mu$ and
$$\nu(E) = \int_E (1 - g)\,g^{-1}\, d\mu.$$

A Hardcore Lemma for Computational Indistinguishability
251
Distinguisher $D_{M,N}$: On input $z$:
  $x_1, \dots, x_m \xleftarrow{\$} \{0, 1\}^k$, $r \xleftarrow{\$} \{0, 1\}^d$
  for all $i = 1, \dots, m$ do
    $G := G \cup \{i\}$ with probability $M(x_i)$
  $i \xleftarrow{\$} \{1, \dots, m\}$
  for all $i = 1, \dots$

244
U. Maurer and S. Tessaro
A slightly weaker statement holds in the uniform setting, where we can only show that for every polynomial-time adversary $A$ there exists a measure $M$ for which $\mathrm{Guess}^{A}(P(W) \mid g(W))$ even if $A$ is allowed to query the measure $M$

On Related-Secret Pseudorandomness
259
Definition 4 (Related key secure pseudorandom permutation (RKPRP)). An efficiently computable function $E : \{0, 1\}^{p(k)} \times \{0, 1\}^{k} \to \{0, 1\}^{p(k)}$, where $p$ is a polynomial, is considered a related key secure pseudorandom permu

A Domain Extender for the Ideal Cipher
281
$E_2(X, R)$ and $T = E_3(S, X)$, then the distinguisher obtains $S\|T = P(L\|R)$ as required.
We now proceed to prove that the systems $(\Psi_3, E)$ and $(P, S)$ are indistinguishable. We consider a distinguisher $D$ making at most $q$
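The two proof fragments above (the simulator's observation that a $\Psi_3(L\|R)$ query must be preceded by an $E_1(R, L)$ or $E_1^{-1}(R, X)$ query, and the forward computation $S = E_2(X, R)$, $T = E_3(S, X)$ giving $S\|T = P(L\|R)$) pin down the 3-round Feistel as $X = E_1(R, L)$, $S = E_2(X, R)$, $T = E_3(S, X)$. The following is an added, runnable illustration of that construction and of the bookkeeping the simulator relies on; it is not code from the paper. It assumes three independent ideal ciphers $E_1, E_2, E_3$ modelled as lazily sampled random permutations with a toy width of $n = 16$ bits (the paper derives the round ciphers from one ideal cipher under the $2n$-bit cipher's key, which is ignored here), and the names `IdealCipher`, `psi3_enc`, `psi3_dec`, `roundtrip_check` and `permutation_check` are this example's own:

```python
import secrets
from typing import Dict, Tuple

# Toy block width n (assumption for this example; the paper's n is a real block width).
N_BITS = 16
BLOCK = 1 << N_BITS


class IdealCipher:
    """An n-bit ideal cipher with n-bit keys, sampled lazily.

    For every key K, E(K, .) is an independent uniformly random permutation.
    Forward and inverse queries share one table, so E and E^{-1} stay
    consistent, and every query is recorded: that record is exactly what the
    simulator in the proof inspects to decide which queries happened before.
    """

    def __init__(self) -> None:
        self.fwd: Dict[Tuple[int, int], int] = {}  # (K, x) -> y
        self.inv: Dict[Tuple[int, int], int] = {}  # (K, y) -> x
        self.queries = 0

    def enc(self, key: int, x: int) -> int:
        self.queries += 1
        if (key, x) not in self.fwd:
            # pick an output not yet assigned under this key, so E(K, .) is a permutation
            y = secrets.randbelow(BLOCK)
            while (key, y) in self.inv:
                y = secrets.randbelow(BLOCK)
            self.fwd[(key, x)] = y
            self.inv[(key, y)] = x
        return self.fwd[(key, x)]

    def dec(self, key: int, y: int) -> int:
        self.queries += 1
        if (key, y) not in self.inv:
            # inverse query on a fresh point: sample an unused preimage
            x = secrets.randbelow(BLOCK)
            while (key, x) in self.fwd:
                x = secrets.randbelow(BLOCK)
            self.fwd[(key, x)] = y
            self.inv[(key, y)] = x
        return self.inv[(key, y)]


def psi3_enc(E1: IdealCipher, E2: IdealCipher, E3: IdealCipher, L: int, R: int) -> Tuple[int, int]:
    """3-round Feistel Psi_3 on the 2n-bit block L||R; each round keys an ideal cipher with one half."""
    X = E1.enc(R, L)  # round 1: key R, input L (the E_1(R, L) query the proof refers to)
    S = E2.enc(X, R)  # round 2: key X, input R
    T = E3.enc(S, X)  # round 3: key S, input X
    return S, T       # output block S||T


def psi3_dec(E1: IdealCipher, E2: IdealCipher, E3: IdealCipher, S: int, T: int) -> Tuple[int, int]:
    """Inverse of psi3_enc: undo the rounds in reverse order with the inverse ideal ciphers."""
    X = E3.dec(S, T)
    R = E2.dec(X, S)
    L = E1.dec(R, X)
    return L, R


def roundtrip_check(num_blocks: int) -> Tuple[bool, int]:
    """Encrypt random 2n-bit blocks, decrypt them, and confirm the bookkeeping
    property: once Psi_3(L||R) has been computed, E1's table holds (R, L).
    Returns (all checks passed, total number of ideal-cipher queries made)."""
    E1, E2, E3 = IdealCipher(), IdealCipher(), IdealCipher()
    ok = True
    for _ in range(num_blocks):
        L, R = secrets.randbelow(BLOCK), secrets.randbelow(BLOCK)
        S, T = psi3_enc(E1, E2, E3, L, R)
        ok = ok and psi3_dec(E1, E2, E3, S, T) == (L, R)
        ok = ok and (R, L) in E1.fwd
    return ok, E1.queries + E2.queries + E3.queries


def permutation_check(E: IdealCipher, key: int, count: int) -> bool:
    """Under one key, `count` distinct inputs map to distinct outputs and dec inverts enc."""
    outs = [E.enc(key, x) for x in range(count)]
    return len(set(outs)) == count and all(E.dec(key, y) == x for x, y in enumerate(outs))


if __name__ == "__main__":
    passed, total = roundtrip_check(8)
    print("round trips ok:", passed, "| ideal-cipher queries:", total)
    print("E(K, .) is a permutation:", permutation_check(IdealCipher(), 0x1234, 256))
```

Each encryption and each decryption costs exactly three ideal-cipher queries, which is the efficiency claim of the construction; the `(R, L) in E1.fwd` check after every encryption is the event the simulator argument in the proof depends on.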

On Related-Secret Pseudorandomness
269
one-way functions or permutations. As such, any private operations in those proofs are kept to a strict minimum because they must be efficiently computable given only $f(x)$. Also, in the case of bits that are generic -