security analysis of key alternating feistel ciphers
play

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe - PowerPoint PPT Presentation

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11


  1. Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11

  2. Key-Alternating Ciphers ( aka iterated Even-Mansour) k 0 k 1 k r x y P 1 P 2 P r P 1 , . . . , P r are modeled as public random permutation oracles interpretation: gives a guarantee against any adversary which does not use particular properties of the P i ’s Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 2 / 11

  3. Results on the pseudorandomness of KA ciphers The following results have been successively obtained for the pseudorandomness of KA ciphers (notation: N = 2 n ): 1 2 ) queries [EM97] for r = 1 round, security up to O ( N 2 3 ) queries [BKL + 12] for r ≥ 2, security up to O ( N 3 4 ) queries [Ste12] for r ≥ 3, security up to O ( N r r +2 ) queries [LPS12] for any even r , security up to O ( N r r +1 ) queries [ ? ] tight result: for r rounds, security up to O ( N NB: Results for independent round keys ( k 0 , k 1 , . . . , k r ) Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 3 / 11

  4. Key-Alternating Feistel Ciphers x − 1 x 0 k 0 F 0 k 1 x 1 F 1 functions F i are public random oracles . different from the Luby-Rackoff setting . . k r − 2 (where the F i ’s are pseudorandom) x r − 2 F r − 2 k r − 1 x r − 1 F r − 1 x r − 1 x r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 4 / 11

  5. KAF ciphers as a special type of Key-Alternating ciphers k i +1 k i k i F i F i k i +1 F i +1 F i +1 k i +1 k i Two rounds of a KAF cipher is equivalent to a 1-round KA cipher where the permutation is a two-round (un-keyed) Feistel cipher with public random functions Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 5 / 11

  6. Results previous results: Gentry and Ramzan [GR04]: secure up to N 1 / 2 queries for r = 4 rounds t t +1 queries where our results: secure up to N � r � t = for NCPA attacks 3 � r � t = for CCA attacks 6 t improved results in the Luby-Rackoff setting: security up to N t +1 queries where � r � t = for NCPA attacks 2 � r � t = for CCA attacks 4 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 6 / 11

  7. Results previous results: Gentry and Ramzan [GR04]: secure up to N 1 / 2 queries for r = 4 rounds t t +1 queries where our results: secure up to N � r � t = for NCPA attacks 3 � r � t = for CCA attacks 6 t improved results in the Luby-Rackoff setting: security up to N t +1 queries where � r � t = for NCPA attacks 2 � r � t = for CCA attacks 4 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 6 / 11

  8. Results previous results: Gentry and Ramzan [GR04]: secure up to N 1 / 2 queries for r = 4 rounds t t +1 queries where our results: secure up to N � r � t = for NCPA attacks 3 � r � t = for CCA attacks 6 t improved results in the Luby-Rackoff setting: security up to N t +1 queries where � r � t = for NCPA attacks 2 � r � t = for CCA attacks 4 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 6 / 11

  9. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  10. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  11. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  12. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  13. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  14. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 [ x ℓ +1 r − 1 , x ℓ +1 ] uniformly random ? r k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  15. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 what can go wrong ? k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  16. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 collisions ! k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  17. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 collisions ! k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  18. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 collisions ! k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

  19. Intuition of the proof x 1 x 1 x 2 x 2 x ℓ +1 x ℓ +1 − 1 0 − 1 0 − 1 0 k 0 k 0 k 0 F 0 F 0 F 0 k 1 k 1 k 1 x 1 x 2 x ℓ +1 F 1 F 1 F 1 1 1 1 · · · . . . . . . . . . k r − 2 k r − 2 k r − 2 x 1 x 2 x ℓ +1 F r − 2 F r − 2 F r − 2 r − 2 r − 2 r − 2 collisions ! k r − 1 k r − 1 k r − 1 x 1 x 2 x ℓ +1 F r − 1 F r − 1 F r − 1 r − 1 r − 1 r − 1 x 1 x 2 x ℓ +1 x 1 x 2 x ℓ +1 r − 1 r r − 1 r r − 1 r Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 11

Recommend


More recommend