Balanced permutations Even-Mansour ciphers
The -rounds Even-Mansour block cipher uses public permutations of and secret keys. An attack on this construction was described in \cite{DDKS}, for . Although this attack is only marginally better than brute force, it is based on an interesting observation (due to \cite{NWW}): for a typical permutation , the distribution of is not uniform.
To address this, and other potential threats that might stem from this observation in this (or other) context, we introduce the notion of a "balanced permutation" for which the distribution of is uniform, and show how to generate families of balanced permutations from the Feistel construction.
This allows us to define a -bit block cipher from the -rounds Even-Mansour scheme. The cipher uses public balanced permutations of , which are based on two public permutations of .
By construction, this cipher is immune against attacks that rely on the non-uniform behavior of . We prove that this cipher is indistinguishable from a random permutation of ,
for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is . As a practical example, we discuss the properties and the performance of a -bit block cipher that is based on AES
Probabilistic slide cryptanalysis and its applications to LED-64 and Zorro
This paper aims to enhance the application of the slide attack, which is one of the most well-known cryptanalysis methods using self-similarity of a block cipher. The typical countermeasure against slide cryptanalysis is to use round-dependent constants. We present a new probabilistic technique and show how to overcome round-dependent constants in a slide attack against a block cipher based on the general Even-Mansour scheme with a single key. Our technique can potentially break more rounds than any previously known cryptanalysis for a specific class of block ciphers. We show that employing round constants is not always sufficient to provide security against slide variant cryptanalysis; the relation between the round constants should also be taken into account. To demonstrate the impact of our model we provide analysis of two round-reduced block ciphers, LED-64 and Zorro, presented in CHES 2011 and CHES 2013, respectively. As a first application we recover the key for 16 rounds of Zorro. This result improves the best cryptanalysis presented by the designers, which could be applied up to 12 rounds of its 24 rounds. In the case of LED-64 the cryptanalysis leads to the best results on 2-step reduced LED-64 in the known-plaintext model
New Key Recovery Attacks on Minimal Two-Round Even-Mansour Ciphers
Chen et al. proved that two variants of the two-round n-bit Even-Mansour ciphers are secure up to 2^{2n/3} queries against distinguishing attacks. These constructions can be regarded as minimal two-round Even-Mansour ciphers delivering security beyond the birthday bound, since removing any component from the ciphers causes security to drop back to 2^{n/2} queries. On the other hand, for the minimal two-round constructions, the proved lower bound on the product of data and time complexities (DT) against the other attacks, including key recovery attacks, is 2^n. However, an attack requiring DT close to the lower bound has not been known yet, and thus its tightness is not clear. In this paper, we propose new key recovery attacks on the two minimal two-round Even-Mansour ciphers by using the advanced meet-in-the-middle technique. In particular, we introduce novel matching techniques called partial invariable pair and matching with input-restricted public permutation, which enable us to compute one of the permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces data complexity and the other reduces time complexity by dynamically finding partial invariant pairs. Compared with the previously known attacks, when the block size is 64 bits, our attacks drastically reduce the required data from 2^45 to 2^26 while keeping the time complexity required by the previous attacks, though our attack requires chosen plaintexts. Importantly, the previous attacks never break the birthday barrier of data complexity due to the usage of multicollisions in the internal state. Furthermore, by increasing time complexity up to 2^62, the required data is further reduced to 2^8, and DT = 2^70, which is close to the proved lower bound 2^64. We show that our data-optimized attack on the minimal two-round Even-Mansour ciphers requires DT = 2^{n+6} in general cases. This implies that adding one round does not sufficiently improve the security against key recovery attacks of the Even-Mansour ciphers
Beyond quadratic speedups in quantum attacks on symmetric schemes
In this paper, we report the first quantum key-recovery attack on a symmetric block cipher design, using classical queries only, with a more than quadratic time speedup compared to the best classical attack. We study the 2XOR-Cascade construction of Gaži and Tessaro (EUROCRYPT 2012). It is a key length extension technique which provides an n-bit block cipher with 5n/2 bits of security out of an n-bit block cipher with 2n bits of key, with a security proof in the ideal model. We show that the offline-Simon algorithm of Bonnetain et al. (ASIACRYPT 2019) can be extended to, in particular, attack this construction in quantum time O(2^n), providing a 2.5 quantum speedup over the best classical attack. Regarding post-quantum security of symmetric ciphers, it is commonly assumed that doubling the key sizes is a sufficient precaution. This is because Grover's quantum search algorithm, and its derivatives, can only reach a quadratic speedup at most. Our attack shows that the structure of some symmetric constructions can be exploited to overcome this limit. In particular, the 2XOR-Cascade cannot be used to generically strengthen block ciphers against quantum adversaries, as it would offer only the same security as the block cipher itself
The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes
This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the construction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of a FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated with {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints determined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the-art manufacturing process are reported. Finally, we propose a technique to extend the length of the tweak by using, for instance, a universal hash function, which can also be used to strengthen the security of QARMA
Minimizing the Two-Round Even-Mansour Cipher
The -round (iterated) \emph{Even-Mansour cipher} (also known as \emph{key-alternating cipher}) defines a block cipher from fixed public -bit permutations as follows: given a sequence of -bit round keys , an -bit plaintext is encrypted by xoring round key , applying permutation , xoring round key , etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT 2014), who proved that the -round Even-Mansour cipher is indistinguishable from a truly random permutation up to queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that \emph{the round keys and the permutations are independent}. In particular, for two rounds, the current state of knowledge is that the block cipher is provably secure up to queries of the adversary, when , , and are three independent -bit keys, and and are two independent random -bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher \emph{from just one -bit key and one -bit permutation}. Our answer is positive: when the three -bit round keys , , and are adequately derived from an -bit master key , and the same permutation is used in place of and , we prove a qualitatively similar security bound (in the random permutation model). To the best of our knowledge, this is the first "beyond the birthday bound" security result for AES-like ciphers that does not assume independent round keys
A Salad of Block Ciphers
This book is a survey on the state of the art in block cipher design and analysis.
It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months.
However, it is also in a self-contained, useable, and relatively polished state, and for this reason
I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much.
At some point I will produce a final version -- whatever being a "final version" means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people
Triathlon of Lightweight Block Ciphers for the Internet of Things
In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom "figure of merit" according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates
Refinements of the k-tree Algorithm for the Generalized Birthday Problem
We study two open problems proposed by Wagner in his seminal work on the generalized birthday problem. First, with the use of multicollisions, we improve Wagner's k-tree algorithm. The new 3-tree only slightly outperforms Wagner's 3-tree; however, in some applications this suffices, and as a proof of concept, we apply the new algorithm to slightly reduce the security of two CAESAR proposals.
Next, with the use of multiple collisions based on Hellman's table, we give improvements to the best known time-memory tradeoffs for the k-tree. As a result, we obtain a new tradeoff curve T^2 \cdot M^{\lg k -1} = k \cdot N. For instance, when k=4, the tradeoff has the form T^2 M = 4 \cdot N