Minimizing the Two-Round Even-Mansour Cipher

The $r$-round (iterated) \emph{Even-Mansour cipher} (also known as \emph{key-alternating cipher}) defines a block cipher from $r$ fixed public $n$-bit permutations $P_1,\ldots,P_r$ as follows: given a sequence of $n$-bit round keys $k_0,\ldots,k_r$, an $n$-bit plaintext $x$ is encrypted by xoring round key $k_0$, applying permutation $P_1$, xoring round key $k_1$, etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations $P_1,\ldots,P_r$ are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT~2014), who proved that the $r$-round Even-Mansour cipher is indistinguishable from a truly random permutation up to $O(2^{\frac{rn}{r+1}})$ queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that \emph{the round keys $k_0,\ldots,k_r$ and the permutations $P_1,\ldots,P_r$ are independent}. In particular, for two rounds, the current state of knowledge is that the block cipher $E(x)=k_2\oplus P_2(k_1\oplus P_1(k_0\oplus x))$ is provably secure up to $O(2^{2n/3})$ queries of the adversary, when $k_0$, $k_1$, and $k_2$ are three independent $n$-bit keys, and $P_1$ and $P_2$ are two independent random $n$-bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher \emph{from just one $n$-bit key and one $n$-bit permutation}. Our answer is positive: when the three $n$-bit round keys $k_0$, $k_1$, and $k_2$ are adequately derived from an $n$-bit master key $k$, and the same permutation $P$ is used in place of $P_1$ and $P_2$, we prove a qualitatively similar $\tilde{O}(2^{2n/3})$ security bound (in the random permutation model). To the best of our knowledge, this is the first ``beyond the birthday bound\u27\u27 security result for AES-like ciphers that does not assume independent round keys

Secure Key-Alternating Feistel Ciphers Without Key Schedule

Light key schedule has found many applications in lightweight blockciphers, e.g. LED, PRINTcipher and LBlock. In this paper, we study an interesting question of how to design a as light as possible key schedule from the view of provable security and revisit the four-round key-alternating Feistel cipher by Guo and Wang in Asiacrypt 18. We optimize the construction by Guo and Wang and propose a four-round key-alternating Feistel cipher with an ultra-light (in fact non-existent) key schedule. We prove our construction retain the same security level as that of Guo and Wang\u27s construction. To the best of our knowledge, this is the first provably secure key-alternating Feistel cipher using identical round function and one n-bit master key but with ultra-light (non-existent) key schedule. We also investigate whether the same refinement works for the three-round key-alternating Feistel cipher. This time we show a distinguishing attack on such three-round construction with only four encryption queries. On the positive side, we prove that three-round key-alternating Feistel cipher with a suitable key schedule is a pseudorandom permutation. This is also the first provable-security result for three-round key-alternating Feistel cipher

Multi-user Security Bound for Filter Permutators in the Random Oracle Model

At EUROCRYPT 2016, Méaux et al. introduced a new design strategy for symmetric ciphers for Fully Homomorphic Encryption (FHE), which they dubbed filter permutators. Although less efficient than classical stream ciphers, when used in conjunction with an adequate FHE scheme, they allow constant and small noise growth when homomorphically evaluating decryption circuit. In this article, we present a security proof up to the birthday bound (with respect to the size of the IV and the size of the key space) for this new structure in the random oracle model and in the multi-user setting. In particular, this result justifies the theoretical soundness of filter permutators. We also provide a related-key attack against all instances of FLIP, a stream cipher based on this design

RMAC -- A Lightweight Authentication Protocol for Highly Constrained IoT Devices

Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency IDentification) or WSN (Wireless Sensor Networks) components. Their adoption is growing in areas where data security or privacy or both must be guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication. But it turns out that sometimes the proposal has security flaw or is ill-suited for the constrained IoT devices (which has very limited processing and storage capacities). In this paper we introduce a new authentication protocol inspired by Mirror-Mac (MM) which is a generic construction of authentication protocol proposed by Mol et al. Our proposal named RMAC is well suited for highly constrained IoT devices since its implementation uses simple and lightweight algorithms.We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks

Tight Security Analysis of the Public Permutation-Based PMAC_Plus

Yasuda proposed a variable input-length PRF in CRYPTO 2011, called \textsf{PMAC_Plus}, based on an $n$-bit block cipher. \textsf{PMAC_Plus} is a rate-$1$ construction and inherits the well-known $\textsf{PMAC}$ parallel network with a low additional cost. However, unlike $\textsf{PMAC}$, \textsf{PMAC_Plus} is secure roughly up to $2^{2n/3}$ queries. Zhang et al. proposed \textsf{3kf9} in ASIACRYPT 2012, Naito proposed \textsf{LightMAC_Plus} in ASIACRYPT 2017, and Iwata et al. proposed \textsf{GCM-SIV2} in FSE 2017 -- all of them secure up to around $2^{2n/3}$ queries. Their structural designs and corresponding security proofs were unified by Datta et al. in their framework {\em Double-block Hash-then-Sum} (\textsf{DbHtS}). Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of $2^{3n/4}$ on \textsf{DbHtS}. That \textsf{PMAC_Plus} provides security for roughly up to $2^{3n/4}$ queries is a consequence of this result. In this paper, we propose a public permutation-based variable input-length PRF called {\textsf{pPMAC_Plus}}. We show that {\textsf{pPMAC_Plus}} is secure against all adversaries that make at most $2^{2n/3}$ queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of {\textsf{pPMAC_Plus}} with the two-round iterated Even-Mansour cipher can yield a beyond the birthday bound secure PRF based on public permutations. Altogether, the solution incurs $(2\ell + 4)$ permutation calls, whereas our proposal requires only $(\ell+2)$ permutation calls, $\ell$ being the maximum number of message blocks

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks

Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permu- tation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond- birthday” (up to 2 2n/3 adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2 n . Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permuta- tions (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2 2n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input

New Key Recovery Attacks on Minimal Two-Round Even-Mansour Ciphers

Chen et al. proved that two variants of the two-round n-bit Even-Mansour ciphers are secure up to 22n/3 queries against distinguish- ing attacks. These constructions can be regarded as minimal two-round Even-Mansour ciphers delivering security beyond the birthday bound, since removing any component from the ciphers causes security to drop back to 2n/2 queries. On the other hand, for the minimal two-round con- structions, the proved lower bounds on the product of data and time complexities (DT) against the other attacks including key recovery at- tacks is 2n. However, an attack requiring DT close to the lower bound has not been known yet, and thus its tightness is not clear. In this pa- per, we propose new key recovery attacks on the two minimal two-round Even-Mansour ciphers by using the advanced meet-in-the-middle tech- nique. In particular, we introduce novel matching techniques called partial invariable pair and matching with input-restricted public permutation , which enable us to compute one of permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces data complexity and the other reduces time complexity by dynamically finding partial invariant pairs. Compared with the previously known attacks, when blocksize is 64 bits, our attacks drastically reduce the required data from 245 to 226 with keeping time complexity required by the previous attacks, though our attack requires chosen plaintexts. Importantly, the previous attacks never break the birthday barrier of data complexity due to the usage of multicollisions in the internal state. Furthermore, by increasing time complexity up to 262, the required data is further reduced to 28, and DT = 270 which is close to the proved lower bound 264. We show that our data-optimized attack on the minimal two-round Even-Mansour ci- phers requires DT = 2n+6 in general cases. This implies that adding one round does not sufficiently improve the security against key recovery attacks of the Even-Mansour ciphers

Minimizing Even-Mansour Ciphers for Sequential Indifferentiability (Without Key Schedules)

Iterated Even-Mansour (IEM) schemes consist of a small number of fixed permutations separated by round key additions. They enjoy provable security, assuming the permutations are public and random. In particular, regarding chosen-key security in the sense of sequential indifferentiability (seq-indifferentiability), Cogliati and Seurin (EUROCRYPT 2015) showed that without key schedule functions, the 4-round Even-Mansour with Independent Permutations and no key schedule $EMIP_4(k,u) = k \oplus p_4 ( k \oplus p_3( k \oplus p_2( k\oplus p_1(k \oplus u))))$ is sequentially indifferentiable. Minimizing IEM variants for classical strong (tweakable) pseudorandom security has stimulated an attractive line of research. In this paper, we seek for minimizing the $EMIP_4$ construction while retaining seq-indifferentiability. We first consider $EMSP$, a natural variant of $EMIP$ using a single round permutation. Unfortunately, we exhibit a slide attack against $EMSP$ with any number of rounds. In light of this, we show that the 4-round $EM2P_4^{p_1,p_2} (k,u)=k\oplus p_1(k \oplus p_2(k\oplus p_2(k\oplus p_1(k\oplus u))))$ using 2 independent random permutations $p_1,p_2$ is seq-indifferentiable. This provides the minimal seq-indifferentiable IEM without key schedule