[{"title":"Incoercible multi-party computation and universally composable receipt-free voting","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"full_name":"Ostrovsky, Rafail","last_name":"Ostrovsky","first_name":"Rafail"},{"first_name":"Hongsheng","last_name":"Zhou","full_name":"Zhou, Hongsheng"},{"first_name":"Vassilis","last_name":"Zikas","full_name":"Zikas, Vassilis"}],"publist_id":"5476","article_processing_charge":"No","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Alwen, Joel F., et al. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” Advances in Cryptology - CRYPTO 2015, vol. 9216, Springer, 2015, pp. 763–80, doi:10.1007/978-3-662-48000-7_37.","ieee":"J. F. Alwen, R. Ostrovsky, H. Zhou, and V. Zikas, “Incoercible multi-party computation and universally composable receipt-free voting,” in Advances in Cryptology - CRYPTO 2015, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 763–780.","short":"J.F. Alwen, R. Ostrovsky, H. Zhou, V. Zikas, in:, Advances in Cryptology - CRYPTO 2015, Springer, 2015, pp. 763–780.","apa":"Alwen, J. F., Ostrovsky, R., Zhou, H., & Zikas, V. (2015). Incoercible multi-party computation and universally composable receipt-free voting. In Advances in Cryptology - CRYPTO 2015 (Vol. 9216, pp. 763–780). Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_37","ama":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. Incoercible multi-party computation and universally composable receipt-free voting. In: Advances in Cryptology - CRYPTO 2015. Vol 9216. Lecture Notes in Computer Science. Springer; 2015:763-780. doi:10.1007/978-3-662-48000-7_37","chicago":"Alwen, Joel F, Rafail Ostrovsky, Hongsheng Zhou, and Vassilis Zikas. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” In Advances in Cryptology - CRYPTO 2015, 9216:763–80. 
Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_37.","ista":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. 2015. Incoercible multi-party computation and universally composable receipt-free voting. Advances in Cryptology - CRYPTO 2015. CRYPTO: International Cryptology Conference, Lecture Notes in Computer Science, LNCS, vol. 9216, 763–780."},"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"doi":"10.1007/978-3-662-48000-7_37","date_published":"2015-08-01T00:00:00Z","date_created":"2018-12-11T11:53:23Z","page":"763 - 780","day":"01","publication":"Advances in Cryptology - CRYPTO 2015","has_accepted_license":"1","year":"2015","publisher":"Springer","quality_controlled":"1","oa":1,"acknowledgement":"Joël Alwen was supported by the ERC starting grant (259668-PSPC). Rafail Ostrovsky was supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award, and the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014-11-1-0392. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. 
Vassilis Zikas was supported in part by the Swiss National Science Foundation (SNF) via the Ambizione grant PZ00P-2142549.","file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"ddc":["000"],"date_updated":"2022-06-07T09:51:55Z","status":"public","type":"conference","conference":{"location":"Santa Barbara, CA, United States","end_date":"2015-08-20","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"_id":"1672","series_title":"Lecture Notes in Computer Science","volume":9216,"ec_funded":1,"file":[{"checksum":"5b6649e80d1f781a8910f7cce6427f78","file_id":"7853","relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_name":"2015_CRYPTO_Alwen.pdf","date_created":"2020-05-15T08:55:29Z","creator":"dernst","file_size":397363,"date_updated":"2020-07-14T12:45:11Z"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["978-3-662-47999-5"],"eisbn":["978-3-662-48000-7"]},"publication_status":"published","month":"08","intvolume":" 9216","alternative_title":["LNCS"],"scopus_import":"1","oa_version":"Submitted Version","abstract":[{"text":"Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they know the identities and/or the strategies of other coerced parties, or those of corrupted parties—which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. 
In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion-types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generated tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol.","lang":"eng"}]},{"publist_id":"5480","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Maciej","full_name":"Skórski, Maciej","last_name":"Skórski"}],"title":"The chain rule for HILL pseudoentropy, revisited","citation":{"ama":"Pietrzak KZ, Skórski M. The chain rule for HILL pseudoentropy, revisited. 2015;9230:81-98. doi:10.1007/978-3-319-22174-8_5","apa":"Pietrzak, K. Z., & Skórski, M. (2015). The chain rule for HILL pseudoentropy, revisited. Presented at the LATINCRYPT: Cryptology and Information Security in Latin America, Guadalajara, Mexico: Springer. https://doi.org/10.1007/978-3-319-22174-8_5","ieee":"K. Z. Pietrzak and M. Skórski, “The chain rule for HILL pseudoentropy, revisited,” vol. 9230. Springer, pp. 
81–98, 2015.","short":"K.Z. Pietrzak, M. Skórski, 9230 (2015) 81–98.","mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. The Chain Rule for HILL Pseudoentropy, Revisited. Vol. 9230, Springer, 2015, pp. 81–98, doi:10.1007/978-3-319-22174-8_5.","ista":"Pietrzak KZ, Skórski M. 2015. The chain rule for HILL pseudoentropy, revisited. 9230, 81–98.","chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “The Chain Rule for HILL Pseudoentropy, Revisited.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-22174-8_5."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"page":"81 - 98","date_published":"2015-08-15T00:00:00Z","doi":"10.1007/978-3-319-22174-8_5","date_created":"2018-12-11T11:53:22Z","has_accepted_license":"1","year":"2015","day":"15","publisher":"Springer","quality_controlled":"1","oa":1,"file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:52:24Z","ddc":["005"],"type":"conference","conference":{"name":"LATINCRYPT: Cryptology and Information Security in Latin America","start_date":"2015-08-23","location":"Guadalajara, Mexico","end_date":"2015-08-26"},"status":"public","pubrep_id":"669","series_title":"Lecture Notes in Computer Science","_id":"1669","volume":9230,"ec_funded":1,"publication_status":"published","file":[{"creator":"system","date_updated":"2020-07-14T12:45:11Z","file_size":443340,"date_created":"2018-12-12T10:18:29Z","file_name":"IST-2016-669-v1+1_599.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"5351","checksum":"8cd4215b83efba720e8cf27c23ff4781"}],"language":[{"iso":"eng"}],"alternative_title":["LNCS"],"scopus_import":1,"month":"08","intvolume":" 9230","abstract":[{"lang":"eng","text":"Computational notions of entropy (a.k.a. 
pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations."}],"oa_version":"Submitted Version"},{"day":"01","year":"2015","has_accepted_license":"1","date_created":"2018-12-11T11:53:23Z","date_published":"2015-08-01T00:00:00Z","doi":"10.1007/978-3-662-47989-6_18","page":"368 - 387","oa":1,"quality_controlled":"1","publisher":"Springer","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 368–387.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC,” 9215:368–87. Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_18.","apa":"Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC (Vol. 9215, pp. 368–387). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. 
https://doi.org/10.1007/978-3-662-47989-6_18","ama":"Gazi P, Pietrzak KZ, Tessaro S. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. In: Vol 9215. Springer; 2015:368-387. doi:10.1007/978-3-662-47989-6_18","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2015, pp. 368–387.","ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9215, pp. 368–387.","mla":"Gazi, Peter, et al. The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC. Vol. 9215, Springer, 2015, pp. 368–87, doi:10.1007/978-3-662-47989-6_18."},"title":"The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC","author":[{"first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","last_name":"Gazi","full_name":"Gazi, Peter"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"first_name":"Stefano","full_name":"Tessaro, Stefano","last_name":"Tessaro"}],"publist_id":"5478","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"language":[{"iso":"eng"}],"file":[{"relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_id":"4827","checksum":"17d854227b3b753fd34f5d29e5b5a32e","creator":"system","file_size":592296,"date_updated":"2020-07-14T12:45:11Z","file_name":"IST-2016-673-v1+1_053.pdf","date_created":"2018-12-12T10:10:38Z"}],"publication_status":"published","ec_funded":1,"volume":9215,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the 
sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) ℓ ≤ min{2^{n/4}, 2^r} blocks, where n is the state size and r is the desired output length; and for ℓ ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output."}],"intvolume":" 9215","month":"08","scopus_import":1,"alternative_title":["LNCS"],"ddc":["004","005"],"date_updated":"2021-01-12T06:52:25Z","file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"_id":"1671","pubrep_id":"673","status":"public","conference":{"name":"CRYPTO: International Cryptology Conference","end_date":"2015-08-20","location":"Santa Barbara, CA, United States","start_date":"2015-08-16"},"type":"conference"},{"ec_funded":1,"issue":"2181","volume":471,"language":[{"iso":"eng"}],"file":[{"creator":"kschuh","date_updated":"2020-07-14T12:45:11Z","file_size":391466,"date_created":"2019-04-18T12:39:56Z","file_name":"2015_rspa_Adlam.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"6342","checksum":"e613d94d283c776322403a28aad11bdd"}],"publication_status":"published","intvolume":" 471","month":"09","scopus_import":1,"oa_version":"Published Version","abstract":[{"text":"When a new mutant arises in a population, there is a probability it 
outcompetes the residents and fixes. The structure of the population can affect this fixation probability. Suppressing population structures reduce the difference between two competing variants, while amplifying population structures enhance the difference. Suppressors are ubiquitous and easy to construct, but amplifiers for the large population limit are more elusive and only a few examples have been discovered. Whether or not a population structure is an amplifier of selection depends on the probability distribution for the placement of the invading mutant. First, we prove that there exist only bounded amplifiers for adversarial placement-that is, for arbitrary initial conditions. Next, we show that the Star population structure, which is known to amplify for mutants placed uniformly at random, does not amplify for mutants that arise through reproduction and are therefore placed proportional to the temperatures of the vertices. Finally, we construct population structures that amplify for all mutational events that arise through reproduction, uniformly at random, or through some combination of the two. ","lang":"eng"}],"department":[{"_id":"KrCh"}],"file_date_updated":"2020-07-14T12:45:11Z","ddc":["000"],"date_updated":"2021-01-12T06:52:26Z","status":"public","type":"journal_article","_id":"1673","date_created":"2018-12-11T11:53:24Z","date_published":"2015-09-08T00:00:00Z","doi":"10.1098/rspa.2015.0114","publication":"Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences","day":"08","year":"2015","has_accepted_license":"1","oa":1,"publisher":"Royal Society of London","quality_controlled":"1","acknowledgement":"K.C. gratefully acknowledges support from ERC Start grant no. (279307: Graph Games), Austrian Science Fund (FWF) grant no. P23499-N23, and FWF NFN grant no. S11407-N23 (RiSE). 
","title":"Amplifiers of selection","publist_id":"5477","author":[{"first_name":"Ben","full_name":"Adlam, Ben","last_name":"Adlam"},{"full_name":"Chatterjee, Krishnendu","orcid":"0000-0002-4561-241X","last_name":"Chatterjee","first_name":"Krishnendu","id":"2E5DCA20-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Martin","full_name":"Nowak, Martin","last_name":"Nowak"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Adlam, Ben, Krishnendu Chatterjee, and Martin Nowak. “Amplifiers of Selection.” Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences. Royal Society of London, 2015. https://doi.org/10.1098/rspa.2015.0114.","ista":"Adlam B, Chatterjee K, Nowak M. 2015. Amplifiers of selection. Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences. 471(2181), 20150114.","mla":"Adlam, Ben, et al. “Amplifiers of Selection.” Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences, vol. 471, no. 2181, 20150114, Royal Society of London, 2015, doi:10.1098/rspa.2015.0114.","apa":"Adlam, B., Chatterjee, K., & Nowak, M. (2015). Amplifiers of selection. Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences. Royal Society of London. https://doi.org/10.1098/rspa.2015.0114","ama":"Adlam B, Chatterjee K, Nowak M. Amplifiers of selection. Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences. 2015;471(2181). doi:10.1098/rspa.2015.0114","short":"B. Adlam, K. Chatterjee, M. Nowak, Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 471 (2015).","ieee":"B. Adlam, K. Chatterjee, and M. Nowak, “Amplifiers of selection,” Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences, vol. 471, no. 2181. 
Royal Society of London, 2015."},"project":[{"_id":"2581B60A-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Quantitative Graph Games: Theory and Applications","grant_number":"279307"},{"name":"Modern Graph Algorithmic Techniques in Formal Verification","grant_number":"P 23499-N23","_id":"2584A770-B435-11E9-9278-68D0E5697425","call_identifier":"FWF"},{"name":"Rigorous Systems Engineering","grant_number":"S 11407_N23","call_identifier":"FWF","_id":"25832EC2-B435-11E9-9278-68D0E5697425"}],"article_number":"20150114"},{"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Gazi, Peter, et al. Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes. Vol. 9054, Springer, 2015, pp. 319–41, doi:10.1007/978-3-662-48116-5_16.","ieee":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing full-codebook security: A refined analysis of key-length extension schemes,” vol. 9054. Springer, pp. 319–341, 2015.","short":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, S. Tessaro, 9054 (2015) 319–341.","ama":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 2015;9054:319-341. doi:10.1007/978-3-662-48116-5_16","apa":"Gazi, P., Lee, J., Seurin, Y., Steinberger, J., & Tessaro, S. (2015). Relaxing full-codebook security: A refined analysis of key-length extension schemes. Presented at the FSE: Fast Software Encryption, Istanbul, Turkey: Springer. https://doi.org/10.1007/978-3-662-48116-5_16","chicago":"Gazi, Peter, Jooyoung Lee, Yannick Seurin, John Steinberger, and Stefano Tessaro. “Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48116-5_16.","ista":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. 2015. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 
9054, 319–341."},"title":"Relaxing full-codebook security: A refined analysis of key-length extension schemes","publist_id":"5481","author":[{"full_name":"Gazi, Peter","last_name":"Gazi","first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Lee, Jooyoung","last_name":"Lee","first_name":"Jooyoung"},{"first_name":"Yannick","full_name":"Seurin, Yannick","last_name":"Seurin"},{"full_name":"Steinberger, John","last_name":"Steinberger","first_name":"John"},{"full_name":"Tessaro, Stefano","last_name":"Tessaro","first_name":"Stefano"}],"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"day":"12","year":"2015","date_created":"2018-12-11T11:53:22Z","date_published":"2015-08-12T00:00:00Z","doi":"10.1007/978-3-662-48116-5_16","page":"319 - 341","oa":1,"quality_controlled":"1","publisher":"Springer","date_updated":"2020-08-11T10:09:26Z","department":[{"_id":"KrPi"}],"_id":"1668","series_title":"Lecture Notes in Computer Science","status":"public","conference":{"location":"Istanbul, Turkey","end_date":"2015-03-11","start_date":"2015-03-08","name":"FSE: Fast Software Encryption"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","ec_funded":1,"volume":9054,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number q_e of queries to the underlying ideal block cipher, representing adversary’s secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number q_c of plaintext/ciphertext pairs that is less than the entire codebook. 
For any such q_c, we aim to determine the highest number of block-cipher queries q_e the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation.\r\nMore concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and κ-bit keys:\r\nPlain cascades of length ℓ = 2r+1 are secure whenever q_c q_e^r ≪ 2^{r(κ+n)}, q_c ≪ 2^κ and q_e ≪ 2^{2κ}. The bound for r = 1 also applies to two-key triple encryption (as used within Triple DES).\r\nThe r-round XOR-cascade is secure as long as q_c q_e^r ≪ 2^{r(κ+n)}, matching an attack by Gaži (CRYPTO 2013).\r\nWe fully characterize the security of Gaži and Tessaro’s two-call "}],"intvolume":" 9054","month":"08","main_file_link":[{"url":"http://eprint.iacr.org/2015/397","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1}]