
    Tight security bounds for key-alternating ciphers

    A $t$-round \emph{key-alternating cipher} (also called \emph{iterated Even-Mansour cipher}) can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \Vert \cdots \Vert k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of $E_k$ from a truly random permutation by an adversary who also has oracle access to the (public) random permutations $P_1, \ldots, P_t$ was investigated in 1997 by Even and Mansour for $t = 1$ and for higher values of $t$ in a series of recent papers. For $t = 1$, Even and Mansour proved indistinguishability security up to $2^{n/2}$ queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be $2^{\frac{t}{t+1}n}$ queries for general $t$, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour's original result for $t = 1$: Bogdanov et al. proved security of $2^{\frac{2}{3}n}$ for $t \geq 2$, Steinberger (2012) proved security of $2^{\frac{3}{4}n}$ for $t \geq 3$, and Lampe, Patarin and Seurin (2012) proved security of $2^{\frac{t}{t+2}n}$ for all even values of $t$, thus barely falling short of the desired $2^{\frac{t}{t+1}n}$. Our contribution in this work is to prove the long-sought-for security bound of $2^{\frac{t}{t+1}n}$, up to a constant multiplicative factor depending on $t$. Our method is essentially an application of Patarin's H-coefficient technique. The proof contains some coupling-like and inclusion-exclusion ideas, but the main trick that pushes the computations through is to stick with the combinatorics and to refrain from rounding any quantities too early. For the reader's interest, we include a self-contained tutorial on the H-coefficient technique.
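    The construction above, together with the matching $2^{n/2}$-query attack for $t = 1$ (Daemen's known-plaintext key recovery on the single-round Even-Mansour cipher), as an added worked example in Python that is not part of the paper: the public permutation is a seeded random lookup table on $n = 16$ bits, the key values and the three verification plaintexts are constructed for the demonstration, and the attack spends about $2^{n/2+2}$ queries on each side, which with the structured query sets chosen here guarantees the collision that reveals $k_0$.

```python
"""Toy t-round key-alternating (iterated Even-Mansour) cipher on n = 16 bits,
plus Daemen's key-recovery attack on the t = 1 case, which needs only about
2^{n/2} queries and therefore shows that the 2^{n/2} bound for t = 1 is tight.
Added example; the permutation table, keys and check plaintexts are constructed
for the demonstration and are not taken from the paper."""
import random

N = 16                    # block size n in bits (kept small so the attack is instant)
MASK = (1 << N) - 1


def random_permutation(seed):
    """A fixed public permutation P on n bits, modelled as a random lookup table."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return table


def key_alternating_encrypt(perms, keys, x):
    """E_k(x) = k_t xor P_t(k_{t-1} xor P_{t-1}(... k_1 xor P_1(k_0 xor x) ...)),
    with t = len(perms) and len(keys) = t + 1."""
    assert len(keys) == len(perms) + 1
    state = (x ^ keys[0]) & MASK
    for p, k in zip(perms, keys[1:]):
        state = p[state] ^ k
    return state


class Oracles:
    """Single-round cipher E(x) = P(x xor k0) xor k1 behind oracles that count
    construction queries and direct permutation queries separately."""

    def __init__(self, p, k0, k1):
        self.p, self.k0, self.k1 = p, k0, k1
        self.e_queries = 0
        self.p_queries = 0

    def E(self, x):
        self.e_queries += 1
        return key_alternating_encrypt([self.p], [self.k0, self.k1], x)

    def P(self, y):
        self.p_queries += 1
        return self.p[y]


def attack_one_round(oracles, m_bits=N // 2 + 2):
    """Recover (k0, k1) from about 2^m_bits queries to E and 2^m_bits queries to P.

    E(x) ^ E(x ^ d) = P(x ^ k0) ^ P(x ^ k0 ^ d), so when the E-side difference of
    a pair (x, x ^ d) equals the P-side difference of a pair (y, y ^ d) the
    candidate key is k0 = x ^ y.  X holds values whose low N - m_bits bits are
    zero and Y values whose high N - m_bits bits are zero; since m_bits > N/2,
    both sets are closed under xor with d and some x ^ k0 always lies in Y."""
    assert m_bits > N // 2
    m = 1 << m_bits
    shift = N - m_bits
    d = 1 << shift
    X = [i << shift for i in range(m)]
    Y = list(range(m))

    p_out = {y: oracles.P(y) for y in Y}
    p_diffs = {}
    for y in Y:
        p_diffs.setdefault(p_out[y] ^ p_out[y ^ d], []).append(y)
    e_out = {x: oracles.E(x) for x in X}

    checks = [0x1234, 0xBEEF, 0x0F0F]   # constructed plaintexts used to confirm a candidate
    for x in X:
        diff = e_out[x] ^ e_out[x ^ d]
        for y in p_diffs.get(diff, []):
            k0 = x ^ y
            k1 = e_out[x] ^ oracles.P(x ^ k0)
            if all(oracles.E(c) == oracles.P(c ^ k0) ^ k1 for c in checks):
                return k0, k1
    return None


if __name__ == "__main__":
    P1 = random_permutation(2024)
    k0, k1 = 0xA5C3, 0x3C5A
    o = Oracles(P1, k0, k1)
    print("recovered:", attack_one_round(o) == (k0, k1),
          "E queries:", o.e_queries, "P queries:", o.p_queries,
          "2^(n/2) =", 1 << (N // 2))
```

    The structured sets X and Y replace the random sampling of the textbook attack so that the run is deterministic; with random sets of the same size the collision would appear with constant probability rather than certainty, which is the birthday behaviour behind the $2^{n/2}$ bound. The query counters show the total cost staying within a small multiple of $2^{n/2}$, as the tightness claim for $t = 1$ requires.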

    Key-alternating Ciphers and Key-length Extension: Exact Bounds and Multi-user Security

    The best existing bounds on the concrete security of key-alternating ciphers (Chen and Steinberger, EUROCRYPT '14) are only asymptotically tight, and the quantitative gap with the best existing attacks remains numerically substantial for concrete parameters. Here, we prove exact bounds on the security of key-alternating ciphers and extend them to XOR cascades, the most efficient construction for key-length extension. Our bounds essentially match, for any possible query regime, the advantage achieved by the best existing attack. Our treatment also extends to the multi-user regime. We show that the multi-user security of key-alternating ciphers and XOR cascades is very close to the single-user case, i.e., given enough rounds, it does not substantially decrease as the number of users increases. On the way, we also provide the first explicit treatment of multi-user security for key-length extension, which is particularly relevant given the significant security loss of block ciphers (even if ideal) in the multi-user setting. The common denominator behind our results is a set of new techniques for information-theoretic indistinguishability proofs that both extend and refine existing proof techniques like the H-coefficient method.

    Small-Box Cryptography

    One of the ultimate goals of symmetric-key cryptography is to find a rigorous theoretical framework for building block ciphers from small components, such as cryptographic S-boxes, and then argue why iterating such small components for sufficiently many rounds would yield a secure construction. Unfortunately, a fundamental obstacle towards reaching this goal comes from the fact that traditional security proofs cannot get security beyond $2^{-n}$, where $n$ is the size of the corresponding component. As a result, prior provably secure approaches, which we call "big-box cryptography", always made $n$ larger than the security parameter, which led to several problems: (a) the design was too coarse to really explain practical constructions, as (arguably) the most interesting design choices happening when instantiating such "big-boxes" were completely abstracted out; (b) the theoretically predicted number of rounds for the security of this approach was always dramatically smaller than in reality, where the "big-box" building block could not be made as ideal as required by the proof. For example, Even-Mansour (and, more generally, key-alternating) ciphers completely ignored the substitution-permutation network (SPN) paradigm which is at the heart of most real-world implementations of such ciphers. In this work, we introduce a novel paradigm for justifying the security of existing block ciphers, which we call small-box cryptography. Unlike the "big-box" paradigm, it allows one to go much deeper inside the existing block cipher constructions, by only idealizing a small (and, hence, realistic!) building block of very small size $n$, such as an 8-to-32-bit S-box. It then introduces a clean and rigorous mixture of proofs and hardness conjectures which allow one to lift traditional, and seemingly meaningless, "at most $2^{-n}$" security proofs for reduced-round idealized variants of the existing block ciphers, into meaningful, full-round security justifications of the actual ciphers used in the real world. We then apply our framework to the analysis of SPN ciphers (e.g., generalizations of AES), getting quite reasonable and plausible concrete hardness estimates for the resulting ciphers. We also apply our framework to the design of stream ciphers. Here, however, we focus on the simplicity of the resulting construction, for which we managed to find a direct "big-box"-style security justification, under the well-studied and widely believed eXact Linear Parity with Noise (XLPN) assumption. Overall, we hope that our work will initiate many follow-up results in the area of small-box cryptography.

    Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes

    We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number $q_e$ of queries to the underlying ideal block cipher, representing the adversary's secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number $q_c$ of plaintext/ciphertext pairs that is less than the entire codebook. For any such $q_c$, we aim to determine the highest number of block-cipher queries $q_e$ the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation. More concretely, we show the following results for key-length extension schemes using a block cipher with $n$-bit blocks and $\kappa$-bit keys:
    - Plain cascades of length $\ell = 2r+1$ are secure whenever $q_c q_e^r \ll 2^{r(\kappa+n)}$, $q_c \ll 2^\kappa$ and $q_e \ll 2^{2\kappa}$. The bound for $r = 1$ also applies to two-key triple encryption (as used within Triple DES).
    - The $r$-round XOR-cascade is secure as long as $q_c q_e^r \ll 2^{r(\kappa+n)}$, matching an attack by Gazi (CRYPTO 2013).
    - We fully characterize the security of Gazi and Tessaro's two-call 2XOR construction (EUROCRYPT 2012) for all values of $q_c$, and note that the addition of a third whitening step strictly increases security for $2^{n/4} \le q_c \le 2^{3n/4}$. We also propose a variant of this construction without re-keying and achieving comparable security levels.

    Tight Security of Cascaded LRW2

    At CRYPTO '12, Landecker et al. introduced the cascaded LRW2 (or CLRW2) construction, and proved that it is a secure tweakable block cipher up to roughly $2^{2n/3}$ queries. Recently, Mennink presented a distinguishing attack on CLRW2 in $2n^{1/2}2^{3n/4}$ queries. In the same paper, he discussed some non-trivial bottlenecks in proving a tight security bound, i.e. security up to $2^{3n/4}$ queries. Subsequently, he proved security up to $2^{3n/4}$ queries for a variant of CLRW2 using a $4$-wise independent AXU assumption and the restriction that each tweak value occurs at most $2^{n/4}$ times. Moreover, his proof relies on a version of mirror theory which is yet to be publicly verified. In this paper, we resolve the bottlenecks in Mennink's approach and prove that the original CLRW2 is indeed a secure tweakable block cipher up to roughly $2^{3n/4}$ queries. To do so, we develop two new tools: first, we give a probabilistic result that provides an improved bound on the joint probability of some special collision events; second, we present a variant of Patarin's mirror theory in tweakable permutation settings with a self-contained and concrete proof. Both these results are of a generic nature, and can be of independent interest. To demonstrate the applicability of these tools, we also prove tight security up to roughly $2^{3n/4}$ queries for a variant of DbHtS, called DbHtS-p, that uses two independent universal hash functions.

    Strong and Tight Security Guarantees against Integral Distinguishers

    Integral attacks belong to the classical attack vectors against any given block cipher. However, providing arguments that a given cipher is resistant against those attacks is notoriously difficult. In this paper, based solely on the assumption of independent round keys, we develop significantly stronger arguments than what was possible before: our main result is that we show how to argue that the sum of ciphertexts over any possible subset of plaintexts is key-dependent, i.e., the non-existence of integral distinguishers.

    Bison: Instantiating the Whitened Swap-Or-Not Construction

    We give the first practical instance, bison, of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks.

    Categorization of Faulty Nonce Misuse Resistant Message Authentication

    A growing number of lightweight block ciphers are proposed for environments such as the Internet of Things. An important contribution to the reduced implementation cost is a block length $n$ of 64 or 96 bits rather than 128 bits. As a consequence, encryption modes and message authentication code (MAC) algorithms require security beyond the $2^{n/2}$ birthday bound. This paper provides an extensive treatment of MAC algorithms that offer beyond-birthday-bound PRF security for both nonce-respecting and nonce-misusing adversaries. We study constructions that use two block cipher calls, one universal hash function call and an arbitrary number of XOR operations. We start with the separate problem of generically identifying all possible secure $n$-to-$n$-bit pseudorandom functions (PRFs) based on two block cipher calls. The analysis shows that the existing constructions EDM, SoP, and EDMD are the only constructions of this kind that achieve beyond-birthday-bound security. Subsequently we deliver an exhaustive treatment of MAC algorithms, where the outcome of a universal hash function evaluation on the message may be entered at any point in the computation of the PRF. We conclude that there are a total of nine schemes that achieve beyond-birthday-bound security, and a tenth construction that cannot be proven using currently known proof techniques. Of these nine MAC algorithms, three constructions achieve optimal $n$-bit security in the nonce-respecting setting, but are completely insecure if the nonce is reused. The remaining six constructions have $3n/4$-bit security in the nonce-respecting setting, and only four out of these six constructions still achieve beyond-birthday-bound security in the case of nonce misuse.

    Provably Secure Reflection Ciphers

    This paper provides the first analysis of reflection ciphers such as PRINCE from a provable security viewpoint. As a first contribution, we initiate the study of key-alternating reflection ciphers in the ideal permutation model. Specifically, we prove the security of the two-round case and give matching attacks. The resulting security bound takes the form $O(qp^2/2^{2n}+q^2/2^n)$, where $q$ is the number of construction evaluations and $p$ is the number of direct adversarial queries to the underlying permutation. Since the two-round construction already achieves an interesting security lower bound, this result can also be of interest for the construction of reflection ciphers based on a single public permutation. Our second contribution is a generic key-length extension method for reflection ciphers. It provides an attractive alternative to the FX construction, which is used by PRINCE and other concrete key-alternating reflection ciphers. We show that our construction leads to better security with minimal changes to existing designs. The security proof is in the ideal cipher model and relies on a reduction to the two-round Even-Mansour cipher with a single round key. In order to obtain the desired result, we sharpen the bad-transcript analysis and consequently improve the best-known bounds for the single-key Even-Mansour cipher with two rounds. This improvement is enabled by a new sum-capture theorem that is of independent interest.