30 research outputs found

    Manticore and CS mode: parallelizable encryption with joint cipher-state authentication.


    On generalized Feistel networks

    We prove beyond-birthday-bound security for the well-known types of generalized Feistel networks, including: (1) unbalanced Feistel networks, where the $n$-bit to $m$-bit round functions may have $n \ne m$; (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where $n$-bit to $n$-bit round functions are used to encipher $kn$-bit strings for some $k \ge 2$; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework we show that, in any of these settings, for any $\varepsilon > 0$, with enough rounds, the subject scheme can tolerate CCA attacks of up to $q \sim N^{1-\varepsilon}$ adversarial queries, where $N$ is the size of the round functions' domain (the size of the larger domain for alternating Feistel). This is asymptotically optimal. Prior analyses for generalized Feistel networks established security to only $q \sim N^{0.5}$ adversarial queries.

    D.STVL.9 - Ongoing Research Areas in Symmetric Cryptography

    This report gives a brief summary of some of the research trends in symmetric cryptography at the time of writing (2008). The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5).

    Information-theoretic Indistinguishability via the Chi-squared Method

    Proving tight bounds on information-theoretic indistinguishability is a central problem in symmetric cryptography. This paper introduces a new method for information-theoretic indistinguishability proofs, called "the chi-squared method". At its core, the method requires upper bounds on the so-called $\chi^2$ divergence (due to Neyman and Pearson) between the output distributions of the two systems being queried. The method morally resembles, yet also considerably simplifies, a previous approach proposed by Bellare and Impagliazzo (ePrint, 1999), while at the same time increasing its expressiveness and delivering tighter bounds. We showcase the chi-squared method on some examples. In particular: (1) we prove an optimal bound of $q/2^n$ for the XOR of two permutations, and our proof considerably simplifies previous approaches using the $H$-coefficient method; (2) we provide improved bounds for the recently proposed encrypted Davies-Meyer PRF construction by Cogliati and Seurin (CRYPTO '16); and (3) we give a tighter bound for the Swap-or-not cipher by Hoang, Morris, and Rogaway (CRYPTO '12).

    On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction

    We show that the Feistel construction with six rounds and random round functions is publicly indifferentiable from a random invertible permutation (a result that is not known to hold for full indifferentiability). Public indifferentiability (pub-indifferentiability for short) is a variant of indifferentiability introduced by Yoneyama et al. [YoneyamaMO09] and Dodis et al. [DodisRS09] where the simulator knows all queries made by the distinguisher to the primitive it tries to simulate, and is useful to argue the security of cryptosystems where all the queries to the ideal primitive are public (as e.g. in many digital signature schemes). To prove the result, we introduce a new and simpler variant of indifferentiability, which we call sequential indifferentiability (seq-indifferentiability for short), and show that this notion is in fact equivalent to pub-indifferentiability for stateless ideal primitives. We then prove that the 6-round Feistel construction is seq-indifferentiable from a random invertible permutation. We also observe that sequential indifferentiability implies correlation intractability, so that the Feistel construction with six rounds and random round functions yields a correlation intractable invertible permutation, a notion we define analogously to the correlation intractable functions introduced by Canetti et al. [CanettiGH98].

    Quantitative security of block ciphers: designs and cryptanalysis tools

    Block ciphers probably figure in the list of the most important cryptographic primitives. Although they are used for many different purposes, their essential goal is to ensure confidentiality. This thesis is concerned with their quantitative security, that is, with measurable attributes that reflect their ability to guarantee this confidentiality. The first part of this thesis deals with well-known results. Starting with Shannon's Theory of Secrecy, we move to practical implications for block ciphers, recall the main schemes on which today's block ciphers are based, and introduce the Luby-Rackoff security model. We describe distinguishing attacks and key-recovery attacks against block ciphers and show how to turn the former into the latter. As an illustration, we recall linear cryptanalysis, which is a classical example of statistical cryptanalysis. In the second part, we consider the (in)security of block ciphers against statistical cryptanalytic attacks and develop some tools to perform optimal attacks and quantify their efficiency. We start with a simple setting in which the adversary has to distinguish between two sources of randomness and show how an optimal strategy can be derived in certain cases. We proceed with the practical situation where the cardinality of the sample space is too large for the optimal strategy to be implemented and show how this naturally leads to the concept of projection-based distinguishers, which reduce the sample space by compressing the samples. Within this setting, we reconsider the particular case of linear distinguishers and generalize them to sets of arbitrary cardinality. We show how these distinguishers between random sources can be turned into distinguishers between random oracles (or block ciphers) and how, in this setting, one can generalize linear cryptanalysis to Abelian groups. As a proof of concept, we show how to break the block cipher TOY100, introduce the block cipher DEAN, which encrypts blocks of decimal digits, and apply the theory to the SAFER block cipher family. In the last part of this thesis, we introduce two new constructions. We start by recalling some essential notions about provable security for block ciphers and about Serge Vaudenay's Decorrelation Theory, and introduce new simple modules for which we prove essential properties that we will later use in our designs. We then present the block cipher C and prove that it is immune against a wide range of cryptanalytic attacks. In particular, we compute the exact advantage of the best distinguisher limited to two plaintext/ciphertext samples between C and the perfect cipher, and use it to compute the exact value of the maximum expected linear probability (resp. differential probability) of C, which is known to be inversely proportional to the number of samples required by the best possible linear (resp. differential) attack. We then introduce KFC, a block cipher which builds upon the same foundations as C but for which we can prove results for higher-order adversaries. We conclude both discussions about C and KFC with implementation considerations.

    Scalable symmetric block ciphers based on group bases

    Besides security and efficiency, scalability and tunability are regarded as particularly important properties of a block cipher. One possible approach to constructing scalable and tunable block ciphers is based on group bases. From a mathematical point of view this approach is very direct and simple, and the resulting ciphers have several desirable properties, such as a scalable block and key length and an extremely large key space. This thesis investigates several previously unanswered questions concerning the security, efficiency and implementability of these cryptosystems, in particular of their most recent representative TST, and presents two new, improved cipher designs. The first part of the thesis analyzes the cryptosystem TST. Two possible permutation representations are compared, an efficient implementation of the key generation is discussed, and the most important characteristics, such as throughput, memory requirements and initialization delay, are measured. In addition, a security analysis is carried out in which the statistical properties of the cryptosystem are examined and a cryptographic attack is constructed. The results of this analysis show that the efficiency and security of TST are not satisfactory. A possible solution to these problems of TST is presented in the second part of the thesis. With the help of extended group bases, the diffusion of TST can be improved significantly, as confirmed by statistical tests. Owing to the better diffusion properties, a simpler carrier group can also be used, which reduces memory requirements and increases throughput. The last part of the thesis presents an iterative version of TST. The elementary building block of this design corresponds to one factorization step in a group basis; instead of a genuine factorization, however, a constant function is applied iteratively several times. The main advantages of this approach over TST are significantly reduced memory requirements, higher throughput and improved flexibility. As with TST, the block and key lengths can be chosen freely. In addition, the new cryptosystem allows security, speed and memory requirements to be tuned freely. With an appropriate number of rounds the new cipher offers excellent security, which both our cryptanalysis and the statistical tests have confirmed.

    Hardware-Assisted Secure Computation

    The theory community has worked on Secure Multiparty Computation (SMC) for more than two decades, and has produced many protocols for many settings. One common thread in these works is that the protocols cannot use a Trusted Third Party (TTP), even though this is conceptually the simplest and most general solution. Thus, current protocols involve only the direct players; we call such protocols self-reliant. They often use blinded boolean circuits, which have several sources of overhead, some due to the circuit representation and some due to the blinding. However, secure coprocessors like the IBM 4758 have actual security properties similar to ideal TTPs. They also have little RAM and a slow CPU. We call such devices Tiny TTPs. The availability of real tiny TTPs opens the door for a different approach to SMC problems. One major challenge with this approach is how to execute large programs on large inputs using the small protected memory of a tiny TTP, while preserving the trust properties that an ideal TTP provides. In this thesis we have investigated the use of real TTPs to help with the solution of SMC problems. We start with the use of such TTPs to solve the Private Information Retrieval (PIR) problem, which is one important instance of SMC. Our implementation utilizes a 4758. The rest of the thesis is targeted at general SMC. Our SMC system, Faerieplay, moves some functionality into a tiny TTP, and thus avoids the blinded circuit overhead. Faerieplay consists of a compiler from high-level code to an arithmetic circuit with special gates for efficient indirect array access, and a virtual machine to execute this circuit on a tiny TTP while maintaining the typical SMC trust properties. We report on Faerieplay's security properties, the specification of its components, and our implementation and experiments. These include comparisons with the Fairplay circuit-based two-party system, and an implementation of the Dijkstra graph shortest path algorithm. We also provide an implementation of an oblivious RAM which supports similar tiny TTP-based SMC functionality but using a standard RAM program. Performance comparisons show Faerieplay's circuit approach to be considerably faster, at the expense of a more constrained programming environment when targeting a circuit.