{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T10:50:18Z","timestamp":1778151018264,"version":"3.51.4"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2014,11,1]],"date-time":"2014-11-01T00:00:00Z","timestamp":1414800000000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2016,1]]},"DOI":"10.1007\/s00145-014-9189-6","type":"journal-article","created":{"date-parts":[[2014,10,31]],"date-time":"2014-10-31T19:06:16Z","timestamp":1414782376000},"page":"61-114","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":42,"title":["How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction"],"prefix":"10.1007","volume":"29","author":[{"given":"Jean-S\u00e9bastien","family":"Coron","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thomas","family":"Holenstein","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Robin","family":"K\u00fcnzler","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jacques","family":"Patarin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yannick","family":"Seurin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stefano","family":"Tessaro","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2014,11,1]]},"reference":[{"key":"9189_CR1","doi-asserted-by":"crossref","unstructured":"E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, J.P. Steinberger, On the indifferentiability of key-alternating ciphers, in R. Canetti, J.A. Garay, editors, Advances in Cryptology\u2014CRYPTO 2013 (Proceedings, Part I), Lecture Notes in Computer Science, vol. 8042 (Springer, Berlin, 2013), pp. 531\u2013550. Full version available at http:\/\/eprint.iacr.org\/2013\/061","DOI":"10.1007\/978-3-642-40041-4_29"},{"key":"9189_CR2","doi-asserted-by":"crossref","unstructured":"G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in N.P. Smart, editor, Advances in Cryptology\u2014EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 181\u2013197","DOI":"10.1007\/978-3-540-78967-3_11"},{"key":"9189_CR3","doi-asserted-by":"crossref","unstructured":"D. Boneh, M.K. Franklin, Identity-based encryption from the weil pairing. SIAM J. Comput. 32(3), 586\u2013615 (2003)","DOI":"10.1137\/S0097539701398521"},{"key":"9189_CR4","doi-asserted-by":"crossref","unstructured":"M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology\u2014EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, pp. 491\u2013506 (2003)","DOI":"10.1007\/3-540-39200-9_31"},{"key":"9189_CR5","doi-asserted-by":"crossref","unstructured":"A. Bogdanov, L.R. Knudsen, G. Leander, F.-X. Standaert, J.P. Steinberger, E. Tischhauser, Key-alternating ciphers in a provable setting: encryption using a small number of public permutations\u2014(Extended Abstract), in D. Pointcheval, T. Johansson, editors, Advances in Cryptology\u2014EUROCRYPT 2012, Lecture Notes in Computer Science, vol. 7237 (Springer, Berlin, 2012), pp. 45\u201362","DOI":"10.1007\/978-3-642-29011-4_5"},{"key":"9189_CR6","doi-asserted-by":"crossref","unstructured":"J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in FSE 2006, Lecture Notes in Computer Science, vol. 4047, pp. 328\u2013340 (2006)","DOI":"10.1007\/11799313_21"},{"key":"9189_CR7","doi-asserted-by":"crossref","unstructured":"D. Boneh, B. Lynn, H. Shacham, Short signatures from the weil pairing. J. Cryptol. 17(4), 297\u2013319 (2004)","DOI":"10.1007\/s00145-004-0314-9"},{"key":"9189_CR8","unstructured":"M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, in EUROCRYPT00, Lecture Notes in Computer Science, vol. 1807, pp. 139\u2013155 (2000)"},{"key":"9189_CR9","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in CCS \u201993: Proceedings of the 1st ACM Conference on Computer and Communications Security (ACM, New York, NY, USA, 1993), pp. 62\u201373","DOI":"10.1145\/168588.168596"},{"key":"9189_CR10","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway. Optimal asymmetric encryption, in Advances in Cryptology\u2014EUROCRYPT \u201994, Lecture Notes in Computer Science, pp. 92\u2013111 (1994)","DOI":"10.1007\/BFb0053428"},{"key":"9189_CR11","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, The exact security of digital signatures\u2014how to sign with RSA and Rabin, in Advances in Cryptology\u2014EUROCRYPT \u201996, Lecture Notes in Computer Science, pp. 399\u2013416 (1996)","DOI":"10.1007\/3-540-68339-9_34"},{"key":"9189_CR12","doi-asserted-by":"crossref","unstructured":"J. Black, P. Rogaway, Ciphers with arbitrary finite domains, in CT-RSA 2002, Lecture Notes in Computer Science, pp. 114\u2013130 (2002)","DOI":"10.1007\/3-540-45760-7_9"},{"key":"9189_CR13","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology\u2014EUROCRYPT 2006, Lecture Notes in Computer Science, vol. 4004, pp. 409\u2013426 (2006)","DOI":"10.1007\/11761679_25"},{"key":"9189_CR14","unstructured":"J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology\u2014CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, pp. 320\u2013335 (2002)"},{"key":"9189_CR15","doi-asserted-by":"crossref","unstructured":"R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in FOCS \u201901: Proceedings of the 42nd IEEE Annual Symposium on Foundations of Computer Science, pp. 136\u2013145 (2001)","DOI":"10.1109\/SFCS.2001.959888"},{"key":"9189_CR16","doi-asserted-by":"crossref","unstructured":"J.-S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damg\u00e5rd revisited: how to construct a hash function, in V. Shoup, editor, Advances in Cryptology\u2014CRYPTO 2005, Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 430\u2013448","DOI":"10.1007\/11535218_26"},{"key":"9189_CR17","doi-asserted-by":"crossref","unstructured":"R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM 51(4), 557\u2013594 (2004)","DOI":"10.1145\/1008731.1008734"},{"key":"9189_CR18","doi-asserted-by":"crossref","unstructured":"S. Chen, R. Lampe, J. Lee, Y. Seurin, J.P. Steinberger, Minimizing the two-round even-mansour cipher, in J.A. Garay, R. Gennaro, editors, Advances in Cryptology\u2014CRYPTO 2014 (Proceedings, Part I), Lecture Notes in Computer Science, vol. 8616 (Springer, Berlin, 2014), pp. 39\u201356. Full version available at http:\/\/eprint.iacr.org\/2014\/443","DOI":"10.1007\/978-3-662-44371-2_3"},{"key":"9189_CR19","doi-asserted-by":"crossref","unstructured":"J.-S. Coron, J. Patarin, Y. Seurin, The random oracle model and the ideal cipher model are equivalent, in D. Wagner, editor, CRYPTO, Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 1\u201320","DOI":"10.1007\/978-3-540-85174-5_1"},{"key":"9189_CR20","unstructured":"J.-S. Coron, J. Patarin, Y. Seurin, The random oracle model and the ideal cipher model are equivalent. Cryptology ePrint Archive, Report 2008\/246, August 2008. Version: 20080816:121712, http:\/\/eprint.iacr.org\/ , Extended Abstract at CRYPTO 2008"},{"key":"9189_CR21","doi-asserted-by":"crossref","unstructured":"S. Chen, J. Steinberger, Tight security bounds for key-alternating ciphers, in P.Q. Nguyen, E. Oswald, editors, Advances in Cryptology\u2014EUROCRYPT 2014, Lecture Notes in Computer Science, vol. 8441, pp. 327\u2013350 (Springer, Berlin, 2014). Full version available at http:\/\/eprint.iacr.org\/2013\/222","DOI":"10.1007\/978-3-642-55220-5_19"},{"key":"9189_CR22","doi-asserted-by":"crossref","unstructured":"I.B. Damg\u00e5rd, A design principle for hash functions, in Advances in Cryptology\u2014CRYPTO \u201989, Lecture Notes in Computer Science, vol. 435, pp. 416\u2013427 (1989)","DOI":"10.1007\/0-387-34805-0_39"},{"key":"9189_CR23","unstructured":"G. Demay, P. Gazi, M. Hirt, U. Maurer, Resource-restricted indifferentiability, in EUROCRYPT13, Lecture Notes in Computer Science, vol. 7881, pp. 664\u2013683 (2013)"},{"key":"9189_CR24","doi-asserted-by":"crossref","unstructured":"Y. Dodis, P. Puniya, On the relation between the ideal cipher and the random oracle models, in Theory of Cryptography\u2014TCC 2006, Lecture Notes in Computer Science, vol. 3876, pp. 184\u2013206 (2006)","DOI":"10.1007\/11681878_10"},{"key":"9189_CR25","unstructured":"S. Dziembowski, K. Pietrzak, D. Wichs, Non-malleable codes, in Innovations in Computer Science\u2014ICS 2010, pp. 434\u2013452 (2010)"},{"key":"9189_CR26","doi-asserted-by":"crossref","unstructured":"Y. Dodis, L. Reyzin, R.L. Rivest, E. Shen, Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6, in O. Dunkelman, editor, Fast Software Encryption\u2014FSE 2009, Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 104\u2013121","DOI":"10.1007\/978-3-642-03317-9_7"},{"key":"9189_CR27","doi-asserted-by":"crossref","unstructured":"S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151\u2013162 (1997)","DOI":"10.1007\/s001459900025"},{"key":"9189_CR28","doi-asserted-by":"crossref","unstructured":"A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in Advances in Cryptology\u2014CRYPTO \u201986, Lecture Notes in Computer Science, vol. 263, pp. 186\u2013194 (1986)","DOI":"10.1007\/3-540-47721-7_12"},{"key":"9189_CR29","doi-asserted-by":"crossref","unstructured":"T. Holenstein, R. K\u00fcnzler, S. Tessaro, The equivalence of the random oracle model and the ideal cipher model, revisited, in L. Fortnow, S.P. Vadhan, editors, STOC (ACM, New York, 2011), pp. 89\u201398","DOI":"10.1145\/1993636.1993650"},{"key":"9189_CR30","doi-asserted-by":"crossref","unstructured":"J. Kilian, P. Rogaway, How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17\u201335 (2001)","DOI":"10.1007\/s001450010015"},{"key":"9189_CR31","doi-asserted-by":"crossref","unstructured":"J. Kahn, M.E. Saks, C.D. Smyth, A dual version of Reimer\u2019s inequality and a proof of Rudich\u2019s conjecture, in IEEE Conference on Computational Complexity, pp. 98\u2013103 (2000)","DOI":"10.1109\/CCC.2000.856739"},{"key":"9189_CR32","doi-asserted-by":"crossref","unstructured":"M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373\u2013386 (1988)","DOI":"10.1137\/0217022"},{"key":"9189_CR33","doi-asserted-by":"crossref","unstructured":"R. Lampe, Y. Seurin, How to construct an ideal cipher from a small set of public permutations, in K. Sako, P. Sarkar, editors, Advances in Cryptology\u2014ASIACRYPT 2013 (Proceedings, Part I), Lecture Notes in Computer Science, vol. 8269 (Springer, Berlin, 2013), pp. 444\u2013463. Full version available at http:\/\/eprint.iacr.org\/2013\/255","DOI":"10.1007\/978-3-642-42033-7_23"},{"key":"9189_CR34","doi-asserted-by":"crossref","unstructured":"Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in Theory of Cryptography Conference\u2014TCC 2009, Lecture Notes in Computer Science, vol. 5444, pp. 183\u2013201 (2009)","DOI":"10.1007\/978-3-642-00457-5_12"},{"key":"9189_CR35","doi-asserted-by":"crossref","unstructured":"U. Maurer, Indistinguishability of random systems, in Advances in Cryptology\u2014EUROCRYPT 2002, Lecture Notes in Computer Science, vol. 2332, pp. 110\u2013132 (2002)","DOI":"10.1007\/3-540-46035-7_8"},{"key":"9189_CR36","doi-asserted-by":"crossref","unstructured":"R.C. Merkle, A certified digital signature, in Advances in Cryptology\u2014CRYPTO \u201989, Lecture Notes in Computer Science, vol. 435, pp. 218\u2013238 (1989)","DOI":"10.1007\/0-387-34805-0_21"},{"key":"9189_CR37","unstructured":"A. Mandal, J. Patarin, Y. Seurin, On the public indifferentiability and correlation intractability of the 6-round Feistel construction, in TCC (2012). Full version available at http:\/\/eprint.iacr.org\/2011\/496.pdf"},{"key":"9189_CR38","unstructured":"U. Maurer, R. Renner. Abstract cryptography, in Innovations in Computer Science\u2014ICS 2011, pp. 1\u201321 (2011)"},{"key":"9189_CR39","doi-asserted-by":"crossref","unstructured":"U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography Conference\u2014TCC 2004, Lecture Notes in Computer Science, vol. 2951, pp. 21\u201339, February 2004","DOI":"10.1007\/978-3-540-24638-1_2"},{"key":"9189_CR40","doi-asserted-by":"crossref","unstructured":"P. Rogaway, J.P. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in D. Wagner, editor, Advances in Cryptology\u2014CRYPTO 2008, Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 433\u2013450","DOI":"10.1007\/978-3-540-85174-5_24"},{"key":"9189_CR41","doi-asserted-by":"crossref","unstructured":"P. Rogaway, J.P. Steinberger, Security\/efficiency tradeoffs for permutation-based hashing, in N.P. Smart, editor, Advances in Cryptology\u2014EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 220\u2013236","DOI":"10.1007\/978-3-540-78967-3_13"},{"key":"9189_CR42","doi-asserted-by":"crossref","unstructured":"T. Ristenpart, H. Shacham, T. Shrimpton, Careful with composition: limitations of the indifferentiability framework, in K.G. Paterson, editor, EUROCRYPT, Lecture Notes in Computer Science, vol. 6632 (Springer, Berlin, 2011), pp. 487\u2013506","DOI":"10.1007\/978-3-642-20465-4_27"},{"key":"9189_CR43","unstructured":"S. Rudich, Limits on the Provable Consequences of One-way Functions. PhD thesis (1989)"},{"key":"9189_CR44","unstructured":"Y. Seurin, Primitives et protocoles cryptographiques \u00e0 s\u00e9curit\u00e9 prouv\u00e9e. PhD thesis, Universit\u00e9 de Versailles Saint-Quentin-en-Yvelines, UFR de Sciences - \u00c9cole doctorale SoFt - Laboratoire PRiSM (2009)"},{"key":"9189_CR45","unstructured":"Y. Seurin, A note on the indifferentiability of the 10-round feistel construction, March 2011. Unpublished note available from the author"},{"key":"9189_CR46","doi-asserted-by":"crossref","unstructured":"C.E. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656\u2013715 (1949)","DOI":"10.1002\/j.1538-7305.1949.tb00928.x"},{"key":"9189_CR47","unstructured":"V. Shoup, Sequences of games: a tool for taming complexity in security proofs (2004)"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-014-9189-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-014-9189-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-014-9189-6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-014-9189-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,6]],"date-time":"2025-05-06T01:01:27Z","timestamp":1746493287000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-014-9189-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,11,1]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2016,1]]}},"alternative-id":["9189"],"URL":"https:\/\/doi.org\/10.1007\/s00145-014-9189-6","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014,11,1]]},"assertion":[{"value":"23 March 2012","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 November 2014","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}