On the Indifferentiability of Key-Alternating Feistel Ciphers with No Key Derivation
Feistel constructions have been shown to be indifferentiable from random permutations at STOC 2011. However, how to properly mix the keys into an un-keyed Feistel construction, without appealing to the domain separation technique, to obtain a block cipher that is provably secure against known-key and chosen-key attacks (or to obtain an ideal cipher) remains an open problem. We study this, in particular the basic structure of NSA's SIMON family of block ciphers. The SIMON family uses a construction in which the subkey is xored into one half of the state at each round. More precisely, at the -th round, the state is updated according to
For such key-alternating Feistel ciphers, we show that 21 rounds are sufficient to achieve indifferentiability from ideal ciphers with -bit blocks and -bit keys, assuming the -to--bit round functions to be random and public and an identical user-provided -bit key to be applied at each round. This gives an answer to the question mentioned above, which is the first to our knowledge.
How to Construct an Ideal Cipher from a Small Set of Public Permutations
We show how to construct an ideal cipher with -bit blocks and -bit keys (i.e., a set of public -bit permutations) from a small constant number of -bit random public permutations. The construction that we consider is the single-key iterated Even-Mansour cipher, which encrypts a plaintext under a key by alternately xoring the key and applying independent random public -bit permutations (this construction is also named a key-alternating cipher). We analyze this construction in the plain indifferentiability framework of Maurer, Renner, and Holenstein (TCC 2004), and show that twelve rounds are sufficient to achieve indifferentiability from an ideal cipher. We also show that four rounds are necessary by exhibiting attacks for three rounds or less.
Impossibility of Indifferentiable Iterated Blockciphers from 3 or Less Primitive Calls
Virtually all modern blockciphers are iterated. In this paper, we ask: to construct a secure iterated blockcipher non-trivially, how many calls to random functions and permutations are necessary?
When security means indistinguishability from a random permutation, optimality is achieved by the Even-Mansour scheme using 1 call to a public permutation. We seek the arguably strongest security notion, indifferentiability from an ideal cipher, a notion introduced by Maurer et al. (TCC 2004) and popularized by Coron et al. (JoC, 2014).
We provide the first generic negative result/lower bounds: when the key is not too short, no iterated blockcipher making 3 calls is (statistically) indifferentiable. This proves optimality for a 4-call positive result of Guo et al. (Eprint 2016). Furthermore, using 1 or 2 calls, even indifferentiable iterated blockciphers with polynomial keyspace are impossible.
To prove this, we develop an abstraction of idealized iterated blockciphers and establish various basic properties, and apply Extremal Graph Theory results to prove the existence of certain (generalized) non-random properties such as the boomerang and yoyo.
Optimally Secure Block Ciphers from Ideal Primitives
Recent advances in block-cipher theory deliver security analyses in models where one or more underlying components (e.g., a function or a permutation) are ideal (i.e., randomly chosen). This paper addresses the question of finding new constructions achieving the highest possible security level under minimal assumptions in such ideal models.
We present a new block-cipher construction, derived from the Swap-or-Not construction by Hoang et al. (CRYPTO '12). With -bit block length, our construction is a secure pseudorandom permutation (PRP) against attackers making block-cipher queries, and queries to the underlying component (which has itself domain size roughly ). This security level is nearly optimal. So far, only key-alternating ciphers have been known to achieve comparable security levels using independent random permutations. In contrast, here we only assume that a single function or permutation is available, while achieving similar efficiency.
Our second contribution is a generic method to enhance a block cipher, initially only secure as a PRP, to achieve related-key security with comparable quantitative security.
Minimizing Even-Mansour Ciphers for Sequential Indifferentiability (Without Key Schedules)
Iterated Even-Mansour (IEM) schemes consist of a small number of fixed permutations separated by round key additions. They enjoy provable security, assuming the permutations are public and random. In particular, regarding chosen-key security in the sense of sequential indifferentiability (seq-indifferentiability), Cogliati and Seurin (EUROCRYPT 2015) showed that the 4-round Even-Mansour with Independent Permutations and no key schedule functions is sequentially indifferentiable.
Minimizing IEM variants for classical strong (tweakable) pseudorandom security has stimulated an attractive line of research. In this paper, we seek to minimize the construction while retaining seq-indifferentiability. We first consider , a natural variant of using a single round permutation. Unfortunately, we exhibit a slide attack against with any number of rounds. In light of this, we show that the 4-round using 2 independent random permutations is seq-indifferentiable. This provides the minimal seq-indifferentiable IEM without key schedule.
Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security
Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form , where is the (secret) round-key and is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES.
Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions.
For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to queries.
For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6-round KAF is secure up to queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys.
Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results to designing key-schedules and instantiating keyed sponge constructions.
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks
The iterated Even-Mansour cipher is a construction of a block cipher from public permutations which abstracts in a generic way the structure of key-alternating ciphers. The indistinguishability of this construction from a truly random permutation by an adversary with oracle access to the inner permutations has been investigated in a series of recent papers. This construction has also been shown to be (fully) indifferentiable from an ideal cipher for a sufficient number of rounds (five or twelve depending on the assumptions on the key-schedule). In this paper, we extend this line of work by considering the resistance of the iterated Even-Mansour cipher to xor-induced related-key attacks (i.e., related-key attacks where the adversary is allowed to xor any constant of its choice to the secret key) and to chosen-key attacks. For xor-induced related-key attacks, we first provide a distinguishing attack for two rounds, assuming the key-schedule is linear. We then prove that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound. We also show that the iterated Even-Mansour cipher with four rounds offers some form of provable resistance to chosen-key attacks, which is the minimal number of rounds to achieve this property. The main technical tool that we use to prove this result is sequential indifferentiability, a weakened variant of (full) indifferentiability introduced by Mandal et al. (TCC 2010).
Strengthening the Known-Key Security Notion for Block Ciphers
We reconsider the formalization of known-key attacks against ideal primitive-based block ciphers. This was previously tackled by Andreeva, Bogdanov, and Mennink (FSE 2013), who introduced the notion of known-key indifferentiability. Our starting point is the observation, previously made by Cogliati and Seurin (EUROCRYPT 2015), that this notion, which considers only a single known key available to the attacker, is too weak in some settings to fully capture what one might expect from a block cipher informally deemed resistant to known-key attacks. Hence, we introduce a stronger variant of known-key indifferentiability, where the adversary is given multiple known keys to "play" with, the informal goal being that the block cipher construction must behave as an independent random permutation for each of these known keys. Our main result is that the 9-round iterated Even-Mansour construction (with the trivial key-schedule, i.e., the same round key xored between permutations) achieves our new "multiple" known-keys indifferentiability notion, which contrasts with the previous result of Andreeva et al. that one single round is sufficient when only a single known key is considered. We also show that the 3-round iterated Even-Mansour construction achieves the weaker notion of multiple known-keys sequential indifferentiability, which implies in particular that it is correlation intractable with respect to relations involving any (polynomial) number of known keys.
Improving the Round Complexity of Ideal-Cipher Constructions
Block ciphers are an essential ingredient of modern cryptography. They are widely used as building blocks in many cryptographic constructions such as encryption schemes, hash functions, etc. The security of block ciphers is not currently known to reduce to well-studied, easily formulated, computational problems. Nevertheless, modern block-cipher constructions are far from ad hoc, and a strong theory for their design has been developed.
Two classical paradigms for block cipher design are the Feistel network and the key-alternating cipher (which is encompassed by the popular substitution-permutation network). Both of these paradigms are iterated structures that involve applications of random-looking functions/permutations over many rounds.
An important area of research is to understand the provable security guarantees offered by these classical design paradigms for block cipher constructions. This can be done using a security notion called indifferentiability, which formalizes what it means for a block cipher to be ideal. In particular, this notion allows us to assert the structural robustness of a block cipher design.
In this thesis, we apply the indifferentiability notion to the two classical paradigms mentioned above and improve upon the previously known round complexity in both cases. Specifically, we make the following two contributions:
(1) We show that a 10-round Feistel network behaves as an ideal block cipher when the keyed round functions are built using a random oracle.
(2) We show that a 5-round key-alternating cipher (also known as the iterated Even-Mansour construction) with identical round keys behaves as an ideal block cipher when the round permutations are independent, public random permutations.