46 research outputs found
Minimizing the Two-Round Even-Mansour Cipher
The -round (iterated) \emph{Even-Mansour cipher} (also known as \emph{key-alternating cipher}) defines a block cipher from fixed public -bit permutations as follows: given a sequence of -bit round keys , an -bit plaintext is encrypted by xoring round key , applying permutation , xoring round key , etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT 2014), who proved that the -round Even-Mansour cipher is indistinguishable from a truly random permutation up to queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that \emph{the round keys and the permutations are independent}. In particular, for two rounds, the current state of knowledge is that the block cipher is provably secure up to queries of the adversary, when , , and are three independent -bit keys, and and are two independent random -bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher \emph{from just one -bit key and one -bit permutation}. Our answer is positive: when the three -bit round keys , , and are adequately derived from an -bit master key , and the same permutation is used in place of and , we prove a qualitatively similar security bound (in the random permutation model). To the best of our knowledge, this is the first ``beyond the birthday bound'' security result for AES-like ciphers that does not assume independent round keys.
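The construction described in the abstract, as an added, runnable illustration (not code from the paper): an r-round iterated Even-Mansour cipher over tiny n-bit blocks, with each public permutation modelled as a seeded random permutation table (the random permutation model). The two-round instance with three independent keys and two independent permutations is built beside the single-key, single-permutation variant the paper studies. The abstract only says the round keys are "adequately derived" from the master key; the specific schedule used here, (k, π(k), k) with π a linear orthomorphism of the key, is an assumption of this example, not something the page states.

```python
"""Iterated Even-Mansour (key-alternating) cipher on n-bit blocks.

Added illustration, not code from the paper.  Each public permutation is
modelled as a random permutation of {0, ..., 2^n - 1} drawn from a fixed seed
(the random permutation model); n is kept tiny so the tables fit in memory.
"""
import random

N_BITS = 12                 # block size n (even, so the orthomorphism below works)
DOMAIN = 1 << N_BITS
HALF = N_BITS // 2


def random_permutation(seed):
    """A fixed, public n-bit permutation and its inverse, as lookup tables."""
    rng = random.Random(seed)
    table = list(range(DOMAIN))
    rng.shuffle(table)
    inverse = [0] * DOMAIN
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


class EvenMansour:
    """r-round EM: y = k_r ^ P_r( ... P_2( P_1(x ^ k_0) ^ k_1 ) ... )."""

    def __init__(self, perms, round_keys):
        if len(round_keys) != len(perms) + 1:
            raise ValueError("an r-round cipher needs r permutations and r+1 keys")
        self.perms = perms          # list of (table, inverse) pairs
        self.keys = round_keys

    def encrypt(self, x):
        x ^= self.keys[0]
        for (table, _), k in zip(self.perms, self.keys[1:]):
            x = table[x] ^ k        # xor round key, apply permutation, xor next key
        return x

    def decrypt(self, y):
        for (_, inverse), k in zip(reversed(self.perms), reversed(self.keys[1:])):
            y = inverse[y ^ k]
        return y ^ self.keys[0]


def two_round_independent(seed=1):
    """The setting of the earlier proofs: three independent n-bit keys
    k_0, k_1, k_2 and two independent public permutations P_1, P_2."""
    rng = random.Random(seed)
    perms = [random_permutation(seed + 1), random_permutation(seed + 2)]
    keys = [rng.randrange(DOMAIN) for _ in range(3)]
    return EvenMansour(perms, keys)


def orthomorphism(k):
    """pi(L || R) = R || (L ^ R): a linear orthomorphism of F_2^n, i.e. both
    pi and pi ^ identity are bijections.  ASSUMPTION: the abstract only says the
    round keys are 'adequately derived' from the master key; the schedule
    (k, pi(k), k) is this illustration's choice, not taken from the page."""
    left, right = k >> HALF, k & ((1 << HALF) - 1)
    return (right << HALF) | (left ^ right)


def is_orthomorphism():
    """Check both bijectivity conditions exhaustively over the small domain."""
    images = {orthomorphism(x) for x in range(DOMAIN)}
    shifted = {orthomorphism(x) ^ x for x in range(DOMAIN)}
    return len(images) == DOMAIN and len(shifted) == DOMAIN


def two_round_single_key(master_key, seed=1):
    """The paper's setting: one n-bit key, one public permutation used twice."""
    perm = random_permutation(seed)
    keys = [master_key, orthomorphism(master_key), master_key]
    return EvenMansour([perm, perm], keys)


if __name__ == "__main__":
    cipher = two_round_single_key(0x3A5)
    for pt in (0x000, 0x123, 0xFFF):
        ct = cipher.encrypt(pt)
        assert cipher.decrypt(ct) == pt
        print(f"{pt:03x} -> {ct:03x}")
```

With n = 12 the whole domain can be enumerated, which is handy for sanity checks (the cipher is a bijection, decryption inverts encryption) but says nothing about the query bounds in the abstract; those are statements about adversaries against random permutation oracles, not properties you can observe on a single seeded instance.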
Secure Key-Alternating Feistel Ciphers Without Key Schedule
Light key schedules have found many applications in lightweight block ciphers, e.g. LED, PRINTcipher and LBlock. In this paper, we study the question of how light a key schedule can be made from the viewpoint of provable security, and revisit the four-round key-alternating Feistel cipher of Guo and Wang (ASIACRYPT 2018). We optimize the Guo-Wang construction and propose a four-round key-alternating Feistel cipher with an ultra-light (in fact non-existent) key schedule. We prove that our construction retains the same security level as Guo and Wang's construction. To the best of our knowledge, this is the first provably secure key-alternating Feistel cipher using an identical round function and one n-bit master key but with an ultra-light (non-existent) key schedule.
We also investigate whether the same refinement works for the three-round key-alternating Feistel cipher. This time we show a distinguishing attack on such a three-round construction with only four encryption queries. On the positive side, we prove that the three-round key-alternating Feistel cipher with a suitable key schedule is a pseudorandom permutation. This is also the first provable-security result for the three-round key-alternating Feistel cipher.
Multi-user Security Bound for Filter Permutators in the Random Oracle Model
At EUROCRYPT 2016, Méaux et al. introduced a new design strategy for symmetric ciphers for Fully Homomorphic Encryption (FHE), which they dubbed filter permutators. Although less efficient than classical stream ciphers, when used in conjunction with an adequate FHE scheme they allow constant and small noise growth when homomorphically evaluating the decryption circuit. In this article, we present a security proof up to the birthday bound (with respect to the size of the IV and the size of the key space) for this new structure in the random oracle model and in the multi-user setting. In particular, this result justifies the theoretical soundness of filter permutators. We also provide a related-key attack against all instances of FLIP, a stream cipher based on this design.
RMAC -- A Lightweight Authentication Protocol for Highly Constrained IoT Devices
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency IDentification) or WSN (Wireless Sensor Network) components. Their adoption is growing in areas where data security, privacy, or both must be guaranteed; it is therefore necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication, but it turns out that the proposal sometimes has a security flaw or is ill-suited to constrained IoT devices (which have very limited processing and storage capacities). In this paper we introduce a new authentication protocol inspired by Mirror-Mac (MM), a generic construction of authentication protocols proposed by Mol et al. Our proposal, named RMAC, is well suited to highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks.
Tight Security Analysis of the Public Permutation-Based PMAC_Plus
Yasuda proposed a variable input-length PRF in CRYPTO 2011, called \textsf{PMAC_Plus}, based on an -bit block cipher. \textsf{PMAC_Plus} is a rate- construction and inherits the well-known parallel network with a low additional cost. However, unlike , \textsf{PMAC_Plus} is secure roughly up to queries. Zhang et al. proposed \textsf{3kf9} in ASIACRYPT 2012, Naito proposed \textsf{LightMAC_Plus} in ASIACRYPT 2017, and Iwata et al. proposed \textsf{GCM-SIV2} in FSE 2017 -- all of them secure up to around queries. Their structural designs and corresponding security proofs were unified by Datta et al. in their framework {\em Double-block Hash-then-Sum} (\textsf{DbHtS}). Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of on \textsf{DbHtS}. That \textsf{PMAC_Plus} provides security for roughly up to queries is a consequence of this result. In this paper, we propose a public permutation-based variable input-length PRF called {\textsf{pPMAC_Plus}}. We show that {\textsf{pPMAC_Plus}} is secure against all adversaries that make at most queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of {\textsf{pPMAC_Plus}} with the two-round iterated Even-Mansour cipher can yield a beyond the birthday bound secure PRF based on public permutations. Altogether, that solution incurs permutation calls, whereas our proposal requires only permutation calls, being the maximum number of message blocks.
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks
Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), alternating keyless and “local” substitution steps utilizing such S-boxes with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on SPNs, but there are essentially no provable-security results about SPNs.
In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 2^{2n/3} adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for a number of queries approaching 2^n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security.
As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, a 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2^{2n/3} adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.
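The SPN structure the abstract describes (keyless, word-wise S-box steps alternating with keyed, non-cryptographic global steps over the whole wn-bit state), as an added illustration that is not the paper's construction. Two assumptions are this example's own: the public n-bit permutation is the 4-bit PRESENT S-box, and the keyed permutation step is T_k(x) = L(x) ^ k with L a simple invertible F_2-linear map (prefix XOR of the words followed by a word rotation). The paper's linear layer with field multiplications, its tweak handling and its non-linear variants are not reproduced.

```python
"""Substitution-Permutation Network on W*N-bit blocks built from a public
N-bit permutation (the S-box).

Added illustration, not the paper's construction.  ASSUMPTIONS: the S-box is
the public 4-bit PRESENT S-box (any public n-bit permutation would do), and the
keyed linear layer is T_k(x) = L(x) ^ k with L an invertible F_2-linear map
chosen here for simplicity; the paper's field-multiplication layer is not used.
"""
import random

N = 4                    # S-box width n in bits
W = 8                    # words per block: the cipher acts on W*N = 32-bit inputs
MASK = (1 << N) - 1

# The PRESENT S-box, a fixed public 4-bit permutation, is the keyless substitution step.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [0] * (1 << N)
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def linear_layer(words, key):
    """Keyed, non-cryptographic global step T_k(x) = L(x) ^ k over the whole block."""
    acc, mixed = 0, []
    for x in words:                  # prefix XOR: word i becomes x_0 ^ ... ^ x_i
        acc ^= x
        mixed.append(acc)
    mixed = mixed[1:] + mixed[:1]    # rotate the words left by one position
    return [a ^ k for a, k in zip(mixed, key)]


def linear_layer_inv(words, key):
    """Inverse of linear_layer: strip the key, undo the rotation, undo the prefix XOR."""
    mixed = [a ^ k for a, k in zip(words, key)]
    mixed = mixed[-1:] + mixed[:-1]
    prev, out = 0, []
    for y in mixed:
        out.append(y ^ prev)
        prev = y
    return out


class SPN:
    """r-round SPN: T_{k_0}, then r times (S-box layer, T_{k_i}).
    round_keys holds r+1 lists of W n-bit words."""

    def __init__(self, round_keys):
        self.keys = round_keys

    def encrypt(self, block):
        state = linear_layer(block, self.keys[0])
        for k in self.keys[1:]:
            state = [SBOX[x] for x in state]     # keyless, local substitution
            state = linear_layer(state, k)       # keyed, global permutation
        return state

    def decrypt(self, block):
        state = list(block)
        for k in reversed(self.keys[1:]):
            state = linear_layer_inv(state, k)
            state = [SBOX_INV[x] for x in state]
        return linear_layer_inv(state, self.keys[0])


def split_words(value):
    """Big-endian split of a W*N-bit integer into W n-bit words."""
    return [(value >> (N * (W - 1 - i))) & MASK for i in range(W)]


def join_words(words):
    value = 0
    for w in words:
        value = (value << N) | w
    return value


def make_spn(rounds, seed=7):
    """Build an r-round instance with pseudo-random round keys from a fixed seed."""
    rng = random.Random(seed)
    keys = [[rng.randrange(1 << N) for _ in range(W)] for _ in range(rounds + 1)]
    return SPN(keys)


if __name__ == "__main__":
    spn = make_spn(3)
    pt = 0xDEADBEEF
    ct = join_words(spn.encrypt(split_words(pt)))
    assert join_words(spn.decrypt(split_words(ct))) == pt
    print(f"{pt:08x} -> {ct:08x}")
```

Note that the linear layer here is a permutation of the state but contains no secret-dependent non-linearity: all the cryptographic work sits in the public S-box, which is exactly the setting in which the abstract's round counts (3 rounds for linear layers, fewer for non-linear ones) apply.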
New Key Recovery Attacks on Minimal Two-Round Even-Mansour Ciphers
Chen et al. proved that two variants of the two-round n-bit Even-Mansour ciphers are secure up to 2^{2n/3} queries against distinguishing attacks. These constructions can be regarded as minimal two-round Even-Mansour ciphers delivering security beyond the birthday bound, since removing any component from the ciphers causes security to drop back to 2^{n/2} queries. On the other hand, for the minimal two-round constructions, the proved lower bound on the product of data and time complexities (DT) against other attacks, including key recovery attacks, is 2^n. However, an attack requiring DT close to the lower bound has not been known yet, and thus its tightness is not clear. In this paper, we propose new key recovery attacks on the two minimal two-round Even-Mansour ciphers using the advanced meet-in-the-middle technique. In particular, we introduce novel matching techniques called partial invariable pair and matching with input-restricted public permutation, which enable us to compute one of the permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces data complexity and the other reduces time complexity by dynamically finding partial invariant pairs. Compared with the previously known attacks, when the block size is 64 bits, our attacks drastically reduce the required data from 2^{45} to 2^{26} while keeping the time complexity of the previous attacks, though our attack requires chosen plaintexts. Importantly, the previous attacks never break the birthday barrier of data complexity due to their use of multicollisions in the internal state. Furthermore, by increasing time complexity up to 2^{62}, the required data is further reduced to 2^8, with DT = 2^{70}, which is close to the proved lower bound 2^{64}. We show that our data-optimized attack on the minimal two-round Even-Mansour ciphers requires DT = 2^{n+6} in general cases. This implies that adding one round does not sufficiently improve the security of Even-Mansour ciphers against key recovery attacks.
Minimizing Even-Mansour Ciphers for Sequential Indifferentiability (Without Key Schedules)
Iterated Even-Mansour (IEM) schemes consist of a small number of fixed permutations separated by round key additions. They enjoy provable security, assuming the permutations are public and random. In particular, regarding chosen-key security in the sense of sequential indifferentiability (seq-indifferentiability), Cogliati and Seurin (EUROCRYPT 2015) showed that without key schedule functions, the 4-round Even-Mansour with Independent Permutations and no key schedule is sequentially indifferentiable.
Minimizing IEM variants for classical strong (tweakable) pseudorandom security has stimulated an attractive line of research. In this paper, we seek to minimize the construction while retaining seq-indifferentiability. We first consider , a natural variant of using a single round permutation. Unfortunately, we exhibit a slide attack against with any number of rounds. In light of this, we show that the 4-round using 2 independent random permutations is seq-indifferentiable. This provides the minimal seq-indifferentiable IEM without key schedule.