Indifferentiability of Iterated Even-Mansour Ciphers with Non-idealized Key-Schedules: Five Rounds Are Necessary and Sufficient

Dai, Yuanxi; Seurin, Yannick; Steinberger, John P.; Thiruvengadam, Aishwarya

doi:10.1007/978-3-319-63697-9_18

Cited by 19 publications

(7 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Last, a series of papers analyzed idealized BCs in the indifferentiability framework, which is a different security model. Please see [19] and the references therein. Among them is a positive result [27] on a variant of KAF abstracted from NSA's cipher SIMON [4].…”

Section: Introductionmentioning

confidence: 99%

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Guo

Wang

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form Fi(ki⊕xi), where ki is the (secret) round-key and Fi is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASI-ACRYPT 2004 & FSE 2014. In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to 2 n/2 queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to 2 2n/3 queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing keyschedules and instantiating keyed sponge constructions.To obtain a 2n-bit BC, the IEM model requires 2n-bit permutations. Whereas following the Feistel approach, several n-to-n-bit functions suffice. Moreover, these functions need not to be invertible (this might be the reason why Feistel ciphers were extremely popular before 1990s). In all, Feistel ciphers could be built upon primitives with smaller domain and less structural properties, which is particularly appealing from a theoretical point of view. From the security point of view, without any additional hardness assumption other than the idealness of round functions, provable security is limited by the domain-size of the round functions [48]. Therefore, IEM benefits from the use of larger primitives: with t independent 2n-bit random permutations and 2tn key bits, t-round IEM is provably secure up to 2 2tn t+1 adversarial queries [15] which approaches 2 2n for large t. In contrast, Feistel models can only be secure against at most 2 n queries [48], which is far less than its domain-size 2 2n . This upper bound is very unsatisfying. Despite this limitation as well as the gap between the idealized model and the rather weak round functions in practice, this provable approach supplies insights into the BC structures, excludes generic attacks, and may help refine designs. Due to these, this approach is valuable and has received a lot of attention. The Luby-Rackoff (LR) Scheme, in reference to the seminal work of Luby and Rackoff [37], might be the most popular model for Feistel ciphers so far. In this model, the round functions G i (k i , x R ) are ...

show abstract

Section: Introductionmentioning

confidence: 99%

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Guo

Wang

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…One possibility would be the class of key-unpredictable, claw-free, and xkcd-secure CDF sets as shown in Theorem 1. Although feasibility of this level of security claim for iterated Even-Mansour ciphers would follow from known indifferentiability [LS13,DSST17], this would require a larger number of rounds and also comes at the cost of lower levels of security. It remains an interesting open question to find the minimal number of rounds needed in the Even-Mansour ciphers that yields (Ξ e , Ξ d )-KC-CCA security with respect to any pair (Ξ e , Ξ d ) for which the ideal cipher is also (Ξ e , Ξ d )-KC-CCA secure.…”

Section: ($ + P −mentioning

confidence: 99%

Security of Symmetric Primitives against Key-Correlated Attacks

Connolly

Farshim

Fuchsbauer

2019

ToSC

View full text Add to dashboard Cite

We study the security of symmetric primitives against key-correlated attacks (KCA), whereby an adversary can arbitrarily correlate keys, messages, and ciphertexts. Security against KCA is required whenever a primitive should securely encrypt key-dependent data, even when it is used under related keys. KCA is a strengthening of the previously considered notions of related-key attack (RKA) and key-dependent message (KDM) security. This strengthening is strict, as we show that 2-round Even–Mansour fails to be KCA secure even though it is both RKA and KDM secure. We provide feasibility results in the ideal-cipher model for KCAs and show that 3-round Even–Mansour is KCA secure under key offsets in the random-permutation model. We also give a natural transformation that converts any authenticated encryption scheme to a KCA-secure one in the random-oracle model. Conceptually, our results allow for a unified treatment of RKA and KDM security in idealized models of computation.

show abstract

“…4 Thus, proving that a construction C is indifferentiable from an ideal object F amounts to proving that C f retains essentially all security properties implicit in F . This approach has been successfully applied to the analysis of many symmetric cryptographic constructions in various ideal-primitive models; see, e.g., [CDMP05,BDPV08,HKT11,DSSL16,DSST17]. Our work is motivated by this composition property.…”

Section: Background On Indifferentiabilitymentioning

confidence: 99%

Indifferentiable Authenticated Encryption

Barbosa

Farshim

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a "good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum as we give a lower bound that rules out the indifferentiability of any construction with less than 2 rounds.

show abstract

Indifferentiability of Iterated Even-Mansour Ciphers with Non-idealized Key-Schedules: Five Rounds Are Necessary and Sufficient

Cited by 19 publications

References 42 publications

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Security of Symmetric Primitives against Key-Correlated Attacks

Indifferentiable Authenticated Encryption

Contact Info

Product

Resources

About