Search results for: distinguisher
Number of results: 399
We'll recall (again) some definitions from last time: Definition 1 (Database Update Sequence) Let D ∈ N |X | be any database and let Using the exponential mechanism as a distinguisher, we proved the following utility theorem about the IC mechanism: Theorem 3 Given a B(α)-DUA, the Iterative Construction mechanism is (α, β) accurate and-differentially private for: α ≥ 8B(α/2) nn log C γ and (, δ)...
We consider finding discrete logarithms in a group G when the help of an algorithm D that distinguishes certain subsets of G from each other is available. For a group G of prime order p, if algorithm D is polynomial-time with complexity c(log(p)), we can find discrete logarithms faster than square-root algorithms. We consider two variations on this idea and give algorithms solving the discrete l...
The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions fo...
This paper presents differential-based distinguishers against ISO standard hash functions RIPEMD-128 and RIPEMD-160. The compression functions of RIPEMD-128/-160 adopt the double-branch structure, which updates a chaining variable by computing two functions and merging their outputs. Due to the double size of the internal state and difficulties of controlling two functions simultaneously, only f...
Abstract. Zorro is an AES-like lightweight block cipher proposed at CHES 2013, which uses only 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded that the cipher has a large security margin. Recently, Guo et al. [1] have given a key recovery attack on full-round Zorro by using internal differential characteristics. However, the attack onl...
We devise a novel simulation technique that makes black-box use of the adversary as well as the distinguisher. Using this technique we construct several round-optimal protocols, many of which were previously unknown even using non-black-box simulation techniques: ◦ Two-round witness indistinguishable (WI) arguments for NP from different assumptions than previously known. ◦ Two-round arguments a...
Keccak is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called Keccak-f. In this paper, we find that for the inverse of the only nonlinear transformation of Keccak-f, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3, which is 2 less than its size 5. Combi...
Improved meet-in-the-middle cryptanalysis with an efficient tabulation technique has been shown to be a very powerful form of cryptanalysis against SPN block ciphers. However, few works show the effectiveness of this cryptanalysis against Balanced-Feistel-Network (BFN) and Generalized-Feistel-Network (GFN) ciphers due to the stagger of the affected trail and the special truncated differential trai...
Computational indistinguishability amplification is the problem of strengthening cryptographic primitives whose security is defined by bounding the distinguishing advantage of an efficient distinguisher. Examples include pseudorandom generators (PRGs), pseudorandom functions (PRFs), and pseudorandom permutations (PRPs). The literature on computational indistinguishability amplification consists...
Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two types of distinguishers and the integral and zero-correlation distinguishers were established by Bogdanov et al...