2012
DOI: 10.1007/978-3-642-29011-4_5

Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations

Abstract: This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher P X from an n-bit permutation P and two n-bit keys k0 and k1, setting Here we consider a (natural) extension of the Even-Mansour construction with t permutations P1, . . . , Pt and t + 1 keys, k0, . . . , kt. We demonstrate in a formal model tha…

Cited by 102 publications
(93 citation statements)
References 32 publications
“…We give some evidence of the importance of invertibility for understanding the indifferentiability-security of key-alternating ciphers by (1) critically using such non-invertibility in our analysis; and (2) showing several somewhat surprising attacks for the 3-round construction with certain natural "invertible" key schedules (e.g., all keys k_i equal to K for κ = n). We stress that our results do not preclude the use of invertible key schedules for a sufficiently large number of rounds (say, [10][11][12], but only indicate why having non-invertible key schedules is very helpful in specific analyses (such as ours) and also for avoiding specific attacks (such as our 3-round attacks). Indeed, subsequent to our work, Lampe and Seurin [43] showed that the 12-round key alternating cipher with all keys k_i = K (for κ = n) is indeed indifferentiable from an ideal cipher, with security O(q^12/2^n) and simulator query complexity O(q^4) to answer q queries made by the distinguisher.…”
mentioning
confidence: 81%
“…We refer to the general problem of showing that runaway chain reactions do not occur as the problem of simulator termination. To overcome the naïve simulator's problematic termination, we modify the naïve simulator to be more restrained and to complete fewer chains. For this we use the "tripwire" concept.…”
Section: Simulator Overview
mentioning
confidence: 99%
“…. , k_r) (resulting in a total key space {0, 1}^m = {0, 1}^{(r+1)n}) is never indifferentiable (for any r) from an ideal cipher with n-bit blocks and (r + 1)n-bit keys (this had already been informally observed by [13]). In a sense, independent keys offer too much freedom to the attacker, enabling to easily find related-key relations.…”
Section: Introduction
mentioning
confidence: 81%
“…. , k_r) was later studied for two rounds by Bogdanov et al [13], for three rounds by Steinberger [57], and for any number r of rounds (with non-tight security bounds) by Lampe et al [38]. Unsurprisingly, the number of adversarial queries up to which the key-alternating cipher is indistinguishable from a random permutation increases with the number of rounds.…”
Section: Introduction
mentioning
confidence: 99%
“…From a conceptual point of view, the RKA-security of many-round Feistel networks (including beyond-birthday-type concrete security) are important open questions. From a practical point of view, the RKA security of alternative constructions of PRPs such as generalized Feistel networks [22] and key-alternating ciphers [12], along with their potential (dis)advantages over Feistel networks are another interesting direction for future work.…”
Section: Directions For Further Research
mentioning
confidence: 99%