The Related-Key Security of Iterated Even–Mansour Ciphers

Farshim, Pooya; Procter, Gordon

doi:10.1007/978-3-662-48116-5_17

Cited by 32 publications

(33 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to the generalized nature of our definition, it is in fact equivalent to the definition of related-key security of (tweakable) blockciphers [10,21,32], although the applications structurally differ in the types of key derivation functions considered. Particularly, related-key security targets simple KDFs, often as simple as bitwise XOR or bitwise addition, while for multi-key security the KDFs are usually stronger primitives, and in most cases are pseudorandom.…”

Section: Compatibility With Prior Definitionsmentioning

confidence: 99%

See 1 more Smart Citation

Connecting tweakable and multi-key blockcipher security

Lee

Luykx

Mennink

et al. 2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

The significance of understanding blockcipher security in the multi-key setting is highlighted by the extensive literature on attacks, and how effective key size can be significantly reduced. Nevertheless, little attention has been paid in formally understanding the design of multi-key secure blockciphers. In this work, we formalize the multi-key security of tweakable blockciphers in case of general key derivation functions. We show an equivalence between blockcipher multi-key security and tweakable blockcipher security. Our equivalence connects two objects of study, the iterated Even-Mansour (EUROCRYPT 2012) and the iterated Tweakable Even-Mansour (CRYPTO 2015), which establishes that results in both areas are, to a certain extent, transferable. Using our novel equivalence relation, we derive new bounds for both constructions, pave the path towards the solution of two wellstudied conjectures, and show that, contrary to common knowledge, key derivation functions need not necessarily be pseudorandom functions in order to provide security: for the iterated Even-Mansour universal hash functions suffice.

show abstract

Section: Compatibility With Prior Definitionsmentioning

confidence: 99%

“…Beyond single-key and multi-key security, further works on EM[r ] cover the related-key security [21,32], chosen-key security [1,38,54], and security of minimized EM [2] [15].…”

Section: Proposition 3 (Multi-key Security Of Em[r] [42])mentioning

confidence: 99%

Connecting tweakable and multi-key blockcipher security

Lee

Luykx

Mennink

et al. 2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

show abstract

“…Indeed, any n-adversary game where only one adversary can call the primitive directly and the rest call it indirectly via the construction can be written as a single-stage game as the game itself has access to the construction. We summarize this observation in the following theorem, which generalizes a result for related-key security in [FP15].…”

Section: ⊓ ⊔mentioning

confidence: 55%

“…The RKA game is not known to be equivalent to a single-stage game. The authors in [FP15] consider a restricted form of this game where dependence of φ on the ideal primitive F 1 is constrained to be through the construction C F 1 only. In other words, an RKD function takes the form φ C F 1 rather than φ F 1 .…”

Section: ⊓ ⊔mentioning

confidence: 99%

Indifferentiable Authenticated Encryption

Barbosa

Farshim

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a "good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum as we give a lower bound that rules out the indifferentiability of any construction with less than 2 rounds.

show abstract

“…In particular, a series of works considered constructions of block ciphers from random functions [9], [20] and from random permutations [3], [23] in the sense of indifferentiability [28]. Very recently, the notion of PRF and PRP security against related-key attacks has also been shown to be attainable in [14], [8]. However, the concrete security of the constructions is far lower than that for all aforementioned results.…”

Section: On Stronger Security Notionsmentioning

confidence: 94%

Secret-key cryptography from ideal primitives: A systematic overview

Gaži

Tessaro

2015

2015 IEEE Information Theory Workshop (ITW)

View full text Add to dashboard Cite

Secret-key constructions are often proved secure in a model where one or more underlying components are replaced by an idealized oracle accessible to the attacker. This model gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view.

show abstract

The Related-Key Security of Iterated Even–Mansour Ciphers

Cited by 32 publications

References 44 publications

Connecting tweakable and multi-key blockcipher security

Connecting tweakable and multi-key blockcipher security

Indifferentiable Authenticated Encryption

Secret-key cryptography from ideal primitives: A systematic overview

Contact Info

Product

Resources

About