revisiting key alternating feistel ciphers for shorter
play

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and - PowerPoint PPT Presentation

Mar 21, 2024 •277 likes •653 views

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong

  1. Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit´ e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong University December 3 AISACRYPT 2018 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 1 / 36

  2. Outline Feistel Cipher 1 Our Results 2 Key Issues in Security Proofs 3 Conclusion 4 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 2 / 36

  3. Block Ciphers • Usually iterative designs • Fall into two paradigms: K i − 1 K i G K i ⊕ ⊕ ⊕ P i Feistel Cipher substitution-permutation networks (Even-Mansour Cipher) C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 3 / 36

  4. Feistel cipher v.s. Even-Mansour cipher • Consider constructing a cipher with 2 n -bit blocks. • Feistel: underlying primitives have - smaller size, i.e. , half block size; and - less construction properties, i.e. no need for invertibility K i − 1 K i G K i ⊕ ⊕ P i ⊕ Feistel Cipher Even-Mansour Cipher C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 4 / 36

  5. Feistel cipher v.s. Even-Mansour cipher • Consider constructing a cipher with 2 n -bit blocks. • Feistel: underlying primitives have - smaller size, i.e. , half block size; and - less construction properties, i.e. no need for invertibility • Even-Mansour: larger primitives for higher provable (lower) bound. - O ( n ) rounds for 2 2 n security. - In comparison, for Feistel security is at most 2 n . K i − 1 K i G K i ⊕ ⊕ P i ⊕ Feistel Cipher Even-Mansour Cipher C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 4 / 36

  6. Luby-Rackoff Feistel Cipher • Use a keyed PRF G K for the round function: ( L , R ) �→ ( L ⊕ G K ( R ) , L ) • Long-term research since [Luby and Rackoff, 1988], consists of - provable security lower bound; - cryptanalytic: generic attacks; - bridge abstract model and dedicated ciphers, e.g. practical key size, less round functions; L R ⊕ G K L ′ R ′ C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 5 / 36

  7. Gap between Generic Feistel and Dedicated Cipher • (Recall) the general model: independent round-keys. • In reality: round-keys are derived from a short main-key, thus correlated . - Using identical round-keys: 5 rounds [Pie91] - Using two independent round-keys: [NR99, PRG+99] • Besides, how to design the keyed PRF G K ? L i R i G K i ⊕ L i +1 R i +1 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 6 / 36

  8. Keyed Functions from Keyless Functions • Important and popular research direction: constructing the keyed function from public keyless random functions F i • This turns Luby-Rackoff into key-alternating Feistel [Lampe and Seurin, FSE 2014] L i R i L i R i K i F K i ⊕ ⊕ F i ⊕ L i +1 R i +1 L i +1 R i +1 Luby-Rackoff Feistel = ⇒ Key-Alternating Feistel C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 7 / 36

  9. Key-Alternating Feistel: Provable Security • General case using independent public round functions F i independent round keys K i . rn r +1 security with r = ⌊ t / 6 ⌋ [Lampe and Seurin, FSE • t rounds has 2 2014] (asymptotically optimal) Security #rounds Reference 2 n / 2 6 [Lampe and Seurin] 2 2 n / 3 12 2 3 n / 4 18 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 8 / 36

  10. Key-Alternating Feistel: Generic Attacks • Known as Feistel-2 schemes in the cryptanalytic community [Isobe and Shibutani, ASIACRYPT 2013] Attacks # Rounds Key size Complexity Reference 2 3 n / 2 Key-Recovery 6 2 n [Guo et al, 2 8 n / 3 8 3 n ASIACRYPT 2014] 2 11 n / 3 10 4 n C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 9 / 36

  11. Outline Feistel Cipher 1 Our Results 2 Key Issues in Security Proofs 3 Conclusion 4 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 10 / 36

  12. In Short We revisit the information-theoretic security of key-alternating Feistel in the ideal model. • We prove security for correlated round-keys. • We prove non-degradating multi-user security. L i R i K i ⊕ F i ⊕ L i +1 R i +1 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 11 / 36

  13. Recapitulating Previous Result • Assume independent round-keys K i In reality: correlated round-keys. • Assume (mostly) independent public round functions F i In reality: identical round functions. Security #rounds Reference 2 n / 2 4 [Gentry and Ramzan, ASIACRYPT 2004] 2 n / 2 6 [Lampe and Seurin, FSE 2014] 2 2 n / 3 12 2 3 n / 4 18 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 12 / 36

  14. Our First Result for Birthday 2 n / 2 Security K 1 ⊕ ⊕ F • Uses 4 rounds with single public round function K 2 ⊕ ⊕ F • Uses Suitable Round Key Vec- tors − → K = ( K 1 , K 2 , K 3 , K 4 ): K 3 - K 1 is uniformly distributed; ⊕ ⊕ F - K 4 is uniformly distributed; - K 1 ⊕ K 4 is uniformly dis- K 4 tributed; ⊕ ⊕ F C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 13 / 36

  15. Our First Result for Birthday 2 n / 2 Security • Denote q e the number of cipher queries • Denote q f the number of function queries Theorem For the 4-round idealized Key-Alternating Feistel with a Single public round Function (SF) and a suitable round-key vector, in single-user (su) setting it holds KAFSF ( q f , q e ) ≤ 9 q 2 e + 4 q e q f Adv su . N In the multi-user (mu) setting it holds KAFSF ( q f , q e ) ≤ 50 q 2 e + 8 q e q f Adv mu . N C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 14 / 36

  16. Minimalism • Derive round-keys from an n -bit main-key K • Key-schedule function π is a public and fixed orthomorphism of F n 2 , e.g., π ( K L � K R ) = K L ⊕ K R � K L K ⊕ ⊕ F ⊕ F π ⊕ F ⊕ ⊕ F C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 15 / 36

  17. Minimalism No round-key in middle rounds. • But of course you can add any round-keys, they won’t reduce security. • On the other hand, the “unprotected” middle two rounds match Ramzan and Reyzin (CRYPTO 2000), who showed that the middle two round functions of 4-round Luby-Rackoff scheme can be public. K ⊕ ⊕ F ⊕ F π ⊕ F ⊕ ⊕ F C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 16 / 36

  18. Our Second Result for Beyond-Birthday Security • We consider independent round functions for simplicity. • We prove 6 rounds have 2 (2 n − r ) / 3 security, when using Suitable Round Key Vectors − → K = ( K 1 , K 2 , K 3 , K 4 , K 5 , K 6 ) such that - K 1 , K 3 , K 5 are uniform in { 0 , 1 } n , K 2 , K 4 , K 6 are uniform in 2 n − r possibilities - for ( i , j ) ∈ { (1 , 2) , (2 , 3) , (4 , 5) , (5 , 6) , (1 , 6) } , K i and K j are independent This means “adjacent” round-keys are independent. This is easily ensured by the common FSR-based key-schedules. C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 17 / 36

  19. Our Second Result for Beyond-Birthday Security Theorem For the 6-round idealized Key-Alternating Feistel with a suitable round-key vector, in single-user (su) setting it holds KAF ( q f , q e ) ≤ 7 q 3 e + 13 q e q 2 f + 22 q 2 + 2 r (8 q e q 2 f + 2 q 2 e q f e q f ) Adv su . N 2 N 2 In multi-user (mu) setting it holds KAF ( q f , q e ) ≤ 1214 q 3 e + 26 q e q 2 f + 356 q 2 + 2 r (600 q 3 e + 16 q e q 2 f + 196 q 2 e q f e q f ) Adv mu . N 2 N 2 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 18 / 36

  20. The Simplest Example Alternating two main-keys | K 1 | = n , | K 2 | = n − r . K 1 K 2 k 1 y 1 x 1 F 1 y 1 F 1 x 1 k 2 y 2 x 2 F 2 y 2 F 2 x 2 X k 3 y 3 x 3 F 3 y 3 x 3 F 3 Y k 4 y 4 F 4 x 4 y 4 x 4 F 4 Z k 5 y 5 F 5 x 5 y 5 x 5 F 5 A k 6 y 6 F 6 x 6 y 6 F 6 x 6 S K 2 K 1 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 19 / 36

  21. Collapses to Partial-key Even-Mansour (PKEM) This means the permutation in PKEM can be instantiated with a 6-round keyless Feistel for beyond-birthday security. K 2 K 1 k 1 y 1 F 1 x 1 y 1 F 1 x 1 k 2 y 2 F 2 x 2 y 2 F 2 x 2 X k 3 y 3 F 3 x 3 y 3 F 3 x 3 Y k 4 y 4 F 4 x 4 y 4 F 4 x 4 Z k 5 y 5 F 5 x 5 y 5 x 5 F 5 A k 6 y 6 F 6 x 6 y 6 x 6 F 6 S K 2 K 1 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 20 / 36

  22. Application: Instantiating Keyed Sponges Keyed sponges can be used for MACs and authenticated encryption. M [1] M [2] M [ ℓ ] z trunc r 0 ... π π π π π c K K [1] K [ w ] M [1] M [2] M [ ℓ ] z trunc r 0 ... ... L π π π π π π c 0 C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 21 / 36

  23. Application: Instantiating Keyed Sponges Many (inner and outer) keyed sponges have their security reduce to the PKEM cipher. We show PKEM can be instantiated with the 6-round keyless Feistel Ψ 6 . So (inner and outer) keyed sponges can also be instantiated with the 6-round keyless Feistel Ψ 6 . M [1] M [2] M [3] M [1] M [2] M [3] ... ... Ψ 6 Ψ 6 Ψ 6 π π π ... ... K K K K K K K K K K K K PKEM C. Guo, L. Wang (SJTU) Revisiting KAF December 3, 2018 22 / 36

Recommend

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11

553 views • 52 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 4th March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

865 views • 53 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang

Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang

Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang Technological University, Singapore

426 views • 24 slides
Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Definitions A sequence a 1 , a 2 , . . . , a k of distinct integers is alternating if a 1 > a 2 < a 3 > a 4 < , and reverse alternating if

1.14k views • 98 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Introduction Full Diffusion Delay Matrix of a Feistel Network New Feistel Networks Proposals An Efficient Example Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine Minier 2 , Gal Thomas 1 1 XLIM

448 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. Basic

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. Basic

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. Basic definitions A sequence a 1 , a 2 , . . . , a k of distinct integers is alternating if a 1 > a 2 < a 3 > a 4 < , and reverse alternating

1.4k views • 119 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Unit 10: Alternating-current circuits Introduction. Alternating current features. Phasor

Unit 10: Alternating-current circuits Introduction. Alternating current features. Phasor

Unit 10: Alternating-current circuits Introduction. Alternating current features. Phasor diagram. Behaviour of basic dipoles (resistor, inductor, capacitor) to an alternating current. RLC series circuit. Impedance and phase lag.

491 views • 18 slides
Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Basic

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Basic

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Basic definitions A sequence a 1 , a 2 , . . . , a k of distinct integers is alternating if a 1 > a 2 < a 3 > a 4 < , and reverse

1.59k views • 119 slides
Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris Dagstuhl 2018 (seminar-18021) Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion In this talk

1.31k views • 52 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Classical Ciphers Classical

Classical Ciphers Classical

Classical Ciphers Classical Cryptography Monoalphabetic ciphers: letters of the plaintext alphabet are mapped into unique ciphertext letters Polyalphabetic ciphers:

512 views • 49 slides
Alternating Current Slide 2 / 69 Topics to be covered Sources of alternating EMF Transformers

Alternating Current Slide 2 / 69 Topics to be covered Sources of alternating EMF Transformers

Slide 1 / 69 Alternating Current Slide 2 / 69 Topics to be covered Sources of alternating EMF Transformers AC Circuits and Impedance LRC Series AC Circuits Resonance in AC Circuit Oscillations Slide 3 / 69 Sources of Alternating EMF

273 views • 23 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1

Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1

Feistel Networks Our Contributions Security Proofs Conclusion Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1 Shanghai Jiao Tong University 2 Shandong University November 13, FSE 2020 Yaobin

407 views • 22 slides

More recommend