Security Analysis of Key-Alternating Feistel Ciphers
Rodolphe Lampe and Yannick Seurin
University of Versailles and ANSSI
4th March 2014 - FSE 2014
Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

Key-Alternating Ciphers (aka iterated Even-Mansour)

[Figure: r-round key-alternating cipher mapping x to y, with round keys k_0, k_1, ..., k_r and permutations P_1, P_2, ..., P_r]

- P_1, ..., P_r are modeled as public random permutation oracles
- interpretation: gives a guarantee against any adversary which does not use particular properties of the P_i's

Results on the pseudorandomness of KA ciphers

The following results have been successively obtained for the pseudorandomness of KA ciphers (notation: N = 2^n):

- for r = 1 round, security up to O(N^{1/2}) queries [EM97]
- for r ≥ 2, security up to O(N^{2/3}) queries [BKL+12]
- for r ≥ 3, security up to O(N^{3/4}) queries [Ste12]
- for any even r, security up to O(N^{r/(r+2)}) queries [LPS12]
- tight result: for r rounds, security up to O(N^{r/(r+1)}) queries [CS13]

NB: Results for independent round keys (k_0, k_1, ..., k_r)

Key-Alternating Feistel Ciphers

[Figure: r-round key-alternating Feistel cipher with input (x_{-1}, x_0), round keys k_0, k_1, ..., k_{r-2}, k_{r-1}, round functions F_0, F_1, ..., F_{r-2}, F_{r-1}, intermediate values x_1, ..., x_{r-2}, and output (x_{r-1}, x_r)]

- functions F_i are public random oracles
- different from the Luby-Rackoff setting (where the F_i's are pseudorandom)

KAF ciphers as a special type of Key-Alternating ciphers

[Figure: two KAF rounds with keys k_i, k_{i+1} and functions F_i, F_{i+1}, redrawn as an un-keyed two-round Feistel with the keys (k_{i+1}, k_i) added before and after]

Two rounds of a KAF cipher is equivalent to a 1-round KA cipher where the permutation is a two-round (un-keyed) Feistel cipher with public random functions

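
Added example (not from the slides): a small KAF cipher with the round rule x_{i+1} = x_{i-1} XOR F_i(x_i XOR k_i), checked against the 1-round KA view described above. The half-block size, the use of truncated SHA-256 as a stand-in for the public random functions F_i, and all function names are assumptions of this sketch; the whitening key (k_1, k_0) on both sides follows from expanding the two round equations.

```python
import hashlib
import secrets

N_BITS = 32                      # half-block size n (constructed choice for the demo)
N_BYTES = N_BITS // 8

def F(i, x):
    """Public round function F_i; truncated SHA-256 stands in for a random oracle."""
    data = i.to_bytes(4, "big") + x.to_bytes(N_BYTES, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:N_BYTES], "big")

def kaf_encrypt(keys, left, right):
    """r-round KAF on (x_{-1}, x_0): each round maps (x_{i-1}, x_i) to (x_i, x_{i+1})."""
    for i, k in enumerate(keys):
        left, right = right, left ^ F(i, right ^ k)
    return left, right

def kaf_decrypt(keys, left, right):
    """Inverse: recover x_{i-1} = x_{i+1} XOR F_i(x_i XOR k_i), last round first."""
    for i in reversed(range(len(keys))):
        left, right = right ^ F(i, left ^ keys[i]), left
    return left, right

def unkeyed_feistel2(a, b):
    """Public permutation P: two un-keyed Feistel rounds using F_0 and F_1."""
    c = a ^ F(0, b)
    d = b ^ F(1, c)
    return c, d

def ka_one_round(k0, k1, left, right):
    """1-round KA (Even-Mansour) form: add (k1, k0), apply P, add (k1, k0) again."""
    c, d = unkeyed_feistel2(left ^ k1, right ^ k0)
    return c ^ k1, d ^ k0

def check_equivalence(trials=1000):
    """Two KAF rounds must agree with the 1-round KA form on random keys and inputs."""
    for _ in range(trials):
        k0, k1, l, r = (secrets.randbits(N_BITS) for _ in range(4))
        if kaf_encrypt([k0, k1], l, r) != ka_one_round(k0, k1, l, r):
            return False
    return True

if __name__ == "__main__":
    print("2-round KAF == 1-round KA with Feistel P:", check_equivalence())
```
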
Results

- previous results: Gentry and Ramzan [GR04]: secure up to N^{1/2} queries for r = 4 rounds
- our results: secure up to N^{t/(t+1)} queries where
  - t = ⌊r/3⌋ for NCPA attacks
  - t = ⌊r/6⌋ for CCA attacks
- improved results in the Luby-Rackoff setting: security up to N^{t/(t+1)} queries where
  - t = ⌊r/2⌋ for NCPA attacks
  - t = ⌊r/4⌋ for CCA attacks

Intuition of the proof

[Figure: ℓ+1 parallel evaluations of the r-round KAF cipher on inputs (x^j_{-1}, x^j_0), j = 1, 2, ..., ℓ+1, with round keys k_0, k_1, ..., k_{r-2}, k_{r-1}, round functions F_0, F_1, ..., F_{r-2}, F_{r-1}, and outputs (x^j_{r-1}, x^j_r)]

- [x^{ℓ+1}_{r-1}, x^{ℓ+1}_r] uniformly random?
- what can go wrong?
- collisions!