
    Balanced permutations Even-Mansour ciphers

    The $r$-round Even–Mansour block cipher uses $r$ public permutations of $\{0,1\}^n$ and $r+1$ secret keys. An attack on this construction was described in [DDKS], for $r = 2, 3$. Although this attack is only marginally better than brute force, it is based on an interesting observation (due to [NWW]): for a typical permutation $P$, the distribution of $P(x) \oplus x$ is not uniform. To address this, and other potential threats that might stem from this observation in this (or other) context, we introduce the notion of a "balanced permutation", for which the distribution of $P(x) \oplus x$ is uniform, and show how to generate families of balanced permutations from the Feistel construction. This allows us to define a $2n$-bit block cipher from the 2-round Even–Mansour scheme. The cipher uses public balanced permutations of $\{0,1\}^{2n}$, which are based on two public permutations of $\{0,1\}^n$. By construction, this cipher is immune against attacks that rely on the non-uniform behavior of $P(x) \oplus x$. We prove that this cipher is indistinguishable from a random permutation of $\{0,1\}^{2n}$, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is $o(2^{n/2})$. As a practical example, we discuss the properties and the performance of a 256-bit block cipher that is based on AES

    Some properties of the output sequences of combined generator over finite fields

    Sequences are an important part of cryptography, and the analysis of their properties is of great interest. In this paper, the following characteristics of a combined generator over a finite field are analyzed: the period of the output sequences and the distribution of elements in the output sequences

    A method for constructing permutations, involutions and orthomorphisms with strong cryptographic properties

    S-boxes are crucial components in the design of many symmetric ciphers. Constructing permutations with strong cryptographic properties is not a trivial task. In this work, we propose a new scheme based on the well-known Lai–Massey structure for generating permutations of dimension n = 2k, k ≥ 2. The main cores of our constructions are: the inversion in GF(2^k), an arbitrary k-bit non-bijective function (which has no pre-image for 0) and any k-bit permutation. Combining these components with finite field multiplication, we provide new 8-bit permutations without fixed points possessing a very good combination of nonlinearity, differential uniformity and minimum degree, namely (104; 6; 7), which can be described by a system of polynomial equations of degree 3. We also show that our approach can be used for constructing involutions and orthomorphisms with strong cryptographic properties
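    The triple (104; 6; 7) above is only meaningful if one can recompute it for a given table. The following Python example is added here and is not the paper's code: it computes nonlinearity (via the Walsh spectrum), differential uniformity (via the difference distribution table), minimum algebraic degree over all nonzero component functions (via the Möbius transform), and the fixed-point set, for any 8-bit S-box given as a list. Because the paper's own S-boxes are not reproduced on this page, the AES S-box is generated inline as the reference input; its well-known profile is (112; 4; 7) with no fixed points.

```python
# Added example (not from the paper): S-box metrics for an arbitrary 8-bit table.
# The AES S-box is built here only as a reference input with known values.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Inverse in GF(2^8) computed as a^254 (0 maps to 0, as in AES)."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

def aes_sbox():
    """AES S-box: field inversion followed by the affine map with constant 0x63."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        s = y
        for i in range(1, 5):                      # y ^ rotl(y,1) ^ ... ^ rotl(y,4)
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

def parity(v):
    return bin(v).count("1") & 1

def component(sbox, b):
    """Truth table of the Boolean component function x -> b . S(x) (inner product mod 2)."""
    return [parity(b & s) for s in sbox]

def walsh(tt):
    """Walsh spectrum W(a) = sum_x (-1)^(f(x) + a.x) via the fast Walsh-Hadamard transform."""
    a = [1 - 2 * v for v in tt]                    # (-1)^f(x)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def algebraic_degree(tt):
    """Degree of the algebraic normal form, via the Möbius (subset-sum) transform."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(u).count("1") for u in range(len(a)) if a[u]), default=0)

def nonlinearity(sbox):
    """min over nonzero output masks b of (2^n - max|W_b|) / 2."""
    n = len(sbox)
    return min((n - max(abs(w) for w in walsh(component(sbox, b)))) // 2
               for b in range(1, n))

def differential_uniformity(sbox):
    """Largest entry of the difference distribution table over nonzero input differences."""
    n = len(sbox)
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def min_degree(sbox):
    return min(algebraic_degree(component(sbox, b)) for b in range(1, len(sbox)))

def fixed_points(sbox):
    return [x for x in range(len(sbox)) if sbox[x] == x]

def is_permutation(sbox):
    return sorted(sbox) == list(range(len(sbox)))

def profile(sbox):
    """The (nonlinearity; differential uniformity; minimum degree) triple plus side checks."""
    return {
        "permutation": is_permutation(sbox),
        "fixed_points": fixed_points(sbox),
        "nonlinearity": nonlinearity(sbox),
        "differential_uniformity": differential_uniformity(sbox),
        "min_degree": min_degree(sbox),
    }

if __name__ == "__main__":
    print(profile(aes_sbox()))
```

Replacing `aes_sbox()` with any 256-entry list gives the same report for that table, so a claimed (104; 6; 7) can be checked directly from the published S-box values.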

    On a class of power piecewise-affine substitutions on a non-abelian group of order 2^m having a cyclic subgroup of index two

    Four non-abelian groups of order 2^m, m ≥ 4, have cyclic subgroups of index two. Examples are the well-known dihedral group and the generalized quaternion group. An arbitrary non-abelian group G of order 2^m having a cyclic subgroup of index two is, in a certain sense, close to the additive abelian group of the residue ring Z_{2^m}, which occurs as a key-mixing group. In this work, two classes of transformations on the group G, called power piecewise-affine transformations, are defined, and bijectivity criteria are proved for them. These criteria will later make it possible to carry out a complete classification of orthomorphisms, complete mappings and their variations within the set of all power piecewise-affine substitutions

    Variations of orthomorphisms and pseudo-Hadamard transforms on a non-abelian group

    In cryptography, orthomorphisms on an abelian group are used as S-boxes in Lai–Massey and quasi-Feistel schemes, in the FOX block cipher, in the Davies–Meyer mode of block encryption, and in authentication codes. This paper considers orthomorphisms, complete mappings and their variations on a finite non-abelian key-mixing group (X, •). In the SAFER block cipher, the pseudo-Hadamard transform is used to provide diffusion. Ten analogues of the pseudo-Hadamard transform, defined by a substitution s on the non-abelian group (X, •), are proposed. It is proved that the bijectivity of these analogues of the pseudo-Hadamard transform is equivalent to the following condition: the substitution s is an orthomorphism, a complete mapping, or a variation thereof

    Key-alternating Ciphers and Key-length Extension: Exact Bounds and Multi-user Security

    The best existing bounds on the concrete security of key-alternating ciphers (Chen and Steinberger, EUROCRYPT '14) are only asymptotically tight, and the quantitative gap with the best existing attacks remains numerically substantial for concrete parameters. Here, we prove exact bounds on the security of key-alternating ciphers and extend them to XOR cascades, the most efficient construction for key-length extension. Our bounds essentially match, for any possible query regime, the advantage achieved by the best existing attack. Our treatment also extends to the multi-user regime. We show that the multi-user security of key-alternating ciphers and XOR cascades is very close to the single-user case, i.e., given enough rounds, it does not substantially decrease as the number of users increases. On the way, we also provide the first explicit treatment of multi-user security for key-length extension, which is particularly relevant given the significant security loss of block ciphers (even if ideal) in the multi-user setting. The common denominator behind our results is a set of new techniques for information-theoretic indistinguishability proofs that both extend and refine existing proof techniques such as the H-coefficient method

    Balanced Permutations Even–Mansour Ciphers

    The $r$-round Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to $r$ iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al. for $r = 2, 3$. These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikolić et al.): for a "typical" permutation $P$, the distribution of $P(x) \oplus x$ is not uniform. This naturally raises the following question. Let us call permutations for which the distribution of $P(x) \oplus x$ is uniform "balanced"; is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even–Mansour block cipher? We show how to generate families of balanced permutations from the Luby–Rackoff construction and use them to define a $2n$-bit block cipher from the 2-round Even–Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of $\{0,1\}^{2n}$, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is $o(2^{n/2})$. As a practical example, we discuss the properties and the performance of a 256-bit block cipher that is based on our construction, and uses the Advanced Encryption Standard (AES), with a fixed key, as the public permutation
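    Both abstracts of this paper (the preprint above and this published version) rest on one property: for a balanced permutation $B$, the map $x \mapsto B(x) \oplus x$ is itself a bijection, so the XOR of input and output is uniform and the Nikolić et al. observation gives an attacker nothing. The following Python example is added here and is not the paper's code. It builds such a $B$ on $2N$ bits from two public $N$-bit permutations using a two-round Luby–Rackoff (Feistel) network without the final swap, checks the XOR profile against a "typical" random permutation of the same size, and wraps $B$ in a 2-round Even–Mansour cipher. The exact form of $B$, the reuse of one $B$ in both rounds, the toy width $N = 4$ and the seeded random permutations are assumptions of this example; the paper's construction may differ in these details.

```python
# Added example (not the paper's code): a balanced permutation B of {0,1}^(2N) from two
# public N-bit permutations Q1, Q2, and a 2-round Even-Mansour cipher built on it.
# The form of B, the reuse of one B per round and the toy parameters are assumptions.
import random

N = 4                         # half-block width; the 2N = 8-bit block can be enumerated fully
MASK = (1 << N) - 1

def random_permutation(bits, seed):
    """A public (keyless) permutation of {0,1}^bits, fixed by a seed for reproducibility."""
    table = list(range(1 << bits))
    random.Random(seed).shuffle(table)
    return table

Q1 = random_permutation(N, 1)   # the two public N-bit permutations
Q2 = random_permutation(N, 2)

def balanced(x):
    """B(L||R) = L' || R' with L' = L ^ Q1(R), R' = R ^ Q2(L').
    B(x) ^ x = Q1(R) || Q2(L'), and (L, R) -> (Q1(R), Q2(L')) is a bijection because
    Q1 and Q2 are permutations, so B(x) ^ x takes every 2N-bit value exactly once."""
    L, R = x >> N, x & MASK
    L ^= Q1[R]
    R ^= Q2[L]
    return (L << N) | R

def balanced_inv(y):
    """Undo the two Feistel rounds in reverse order; only forward Q1/Q2 lookups are needed."""
    L, R = y >> N, y & MASK
    R ^= Q2[L]
    L ^= Q1[R]
    return (L << N) | R

def is_permutation(fn, bits):
    return sorted(fn(x) for x in range(1 << bits)) == list(range(1 << bits))

def xor_profile(fn, bits):
    """Histogram of fn(x) ^ x over all inputs; uniform iff every value appears once."""
    counts = {}
    for x in range(1 << bits):
        d = fn(x) ^ x
        counts[d] = counts.get(d, 0) + 1
    return counts

def distinct_xor_values(fn, bits):
    return len(xor_profile(fn, bits))

def em2_encrypt(x, k0, k1, k2):
    """2-round Even-Mansour: k2 ^ B(k1 ^ B(k0 ^ x)), with the same balanced B in both rounds."""
    return balanced(balanced(x ^ k0) ^ k1) ^ k2

def em2_decrypt(y, k0, k1, k2):
    return balanced_inv(balanced_inv(y ^ k2) ^ k1) ^ k0

TYPICAL = random_permutation(2 * N, 3)   # a "typical" 2N-bit permutation for comparison

if __name__ == "__main__":
    keys = (0x3A, 0x5C, 0xE1)
    assert all(em2_decrypt(em2_encrypt(x, *keys), *keys) == x for x in range(1 << 2 * N))
    print("typical permutation: distinct values of P(x)^x:",
          distinct_xor_values(TYPICAL.__getitem__, 2 * N), "of", 1 << 2 * N)
    print("balanced permutation: distinct values of B(x)^x:",
          distinct_xor_values(balanced, 2 * N), "of", 1 << 2 * N)
```

For a random 8-bit permutation roughly 1 - 1/e of the 256 possible XOR values are hit (the rest collide), which is exactly the skew a DDKS-style attack exploits; for `balanced` the histogram is flat by construction, whatever Q1 and Q2 are.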

    Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security

    Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form $F_i(k_i \oplus x_i)$, where $k_i$ is the (secret) round-key and $F_i$ is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to $2^{n/2}$ queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6-round KAF is secure up to $2^{2n/3}$ queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key-schedules and instantiating keyed sponge constructions