Abstract. A t-round key-alternating cipher (also called an iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \cdots k_t \in \{0,1\}^{n(t+1)}$ by setting. The indistinguishability of $E_k$ from a truly random permutation by an adversary who also has oracle access to the (public) random permutations $P_1, \ldots, P_t$ was investigated in 1997 by Even and Mansour for t = 1 and, for higher values of t, in a series of recent papers. For t = 1, Even and Mansour proved indistinguishability security up to $2^{n/2}$ queries, which is tight. Much later, Bogdanov et al. (2011) conjectured that security should be $2^{tn/(t+1)}$ queries for general t, which matches an easy distinguishing attack (so security cannot be more). n for all even values of t, thus "barely" falling short of the desired $2^{tn/(t+1)}$. Our contribution in this work is to prove the long-sought-for security bound of $2^{tn/(t+1)}$, up to a constant multiplicative factor depending on t. Our method is essentially an application of Patarin's H-coefficient technique.
Abstract. This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher PX from an n-bit permutation P and two n-bit keys $k_0$ and $k_1$, setting. Here we consider a (natural) extension of the Even-Mansour construction with t permutations $P_1, \ldots, P_t$ and t + 1 keys $k_0, \ldots, k_t$. We demonstrate in a formal model that such a cipher is secure in the sense that an attacker needs to make at least $2^{2n/3}$ queries to the underlying permutations to be able to distinguish the construction from random. We argue further that the bound is tight for t = 2, but there is a gap in the bounds for t > 2, which is left as an open and interesting problem. Additionally, in terms of statistical attacks, we show that the distribution of Fourier coefficients for the cipher over all keys is close to ideal. Lastly, we define a practical instance of the construction with t = 2 using AES, referred to as AES$^2$. Any attack on AES$^2$ with complexity below $2^{85}$ will have to make use of AES with a fixed known key in a non-black-box manner. However, we conjecture its security is $2^{128}$.
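The two abstracts above both describe the t-round key-alternating construction and note that the t = 1 (Even-Mansour) bound of $2^{n/2}$ queries is tight. The following is an added worked example, not code from any of the papers listed here: a toy $KA_t$ cipher built from seeded lookup-table permutations, plus Daemen's chosen-plaintext attack on the t = 1 case, which recovers $(k_0, k_1)$ with a few times $2^{n/2}$ queries to E and to P. The 16-bit block size, the seeds, the difference $\delta$ and the sample size m are assumptions chosen so the script finishes in seconds; the `CountingOracle`, `daemen_attack` and `demo` names are the example's own.

```python
# Added example (not from any of the papers summarised above): a toy
# key-alternating cipher KA_t over n-bit blocks built from t fixed public
# permutations, plus Daemen's chosen-plaintext attack on the t = 1 case
# (the original Even-Mansour cipher). The attack recovers (k0, k1) with
# roughly 2^(n/2) queries to E and 2^(n/2) queries to P, which is why the
# 2^(n/2) Even-Mansour bound quoted above is tight.
# Block size, seeds, delta and the sample size are assumptions chosen so
# the script runs in seconds; nothing here is cryptographically real.
import random

N_BITS = 16            # toy block size n; 2^(n/2) = 256 queries per side
N = 1 << N_BITS


def public_permutations(t, seed=0xC0FFEE):
    """t fixed public permutations P_1..P_t of {0,1}^n, derived from a public
    seed. Everyone, the attacker included, can evaluate them as lookup tables."""
    rng = random.Random(seed)
    perms = []
    for _ in range(t):
        table = list(range(N))
        rng.shuffle(table)
        perms.append(table)
    return perms


def ka_encrypt(perms, keys, x):
    """E_k(x) = k_t xor P_t(... k_1 xor P_1(k_0 xor x) ...), t = len(perms).
    keys = (k_0, ..., k_t): t + 1 round keys for t permutations."""
    assert len(keys) == len(perms) + 1
    y = x ^ keys[0]
    for P, k in zip(perms, keys[1:]):
        y = P[y] ^ k
    return y


class CountingOracle:
    """Wraps a function as an oracle and counts the distinct points queried."""

    def __init__(self, fn):
        self.fn = fn
        self.cache = {}

    def __call__(self, x):
        if x not in self.cache:
            self.cache[x] = self.fn(x)
        return self.cache[x]

    @property
    def queries(self):
        return len(self.cache)


def daemen_attack(E, P, m, delta=1, seed=1):
    """Key recovery on E(x) = P(x xor k0) xor k1 (t = 1).

    For any x and u = x xor k0:  E(x) xor E(x xor delta) = P(u) xor P(u xor delta),
    because the outer key k1 cancels and the inner key only shifts P's input.
    Tabulate the left side for m chosen plaintexts and the right side for m
    chosen P-inputs; a collision suggests k0 = x xor u (or x xor u xor delta,
    since u and u xor delta give the same difference), and then
    k1 = E(x) xor P(x xor k0). Chance collisions are weeded out by checking the
    candidate against a few other known plaintext/ciphertext pairs.
    With m ~ 2^(n/2) on each side a true collision is expected (m^2 / 2^n ~ 1)."""
    rng = random.Random(seed)
    xs = rng.sample(range(N), m)
    us = rng.sample(range(N), m)

    diff_e = {}                                   # difference -> plaintexts x
    for x in xs:
        diff_e.setdefault(E(x) ^ E(x ^ delta), []).append(x)

    for u in us:
        d = P(u) ^ P(u ^ delta)
        for x in diff_e.get(d, ()):
            for k0 in (x ^ u, x ^ u ^ delta):
                k1 = E(x) ^ P(x ^ k0)             # P(u) or P(u ^ delta): already cached
                if all(E(y) == P(y ^ k0) ^ k1 for y in xs[:3]):
                    return k0, k1
    return None


def demo(key_seed=7):
    """Run the attack on a fresh Even-Mansour key; returns
    (true_keys, recovered_keys, E_queries, P_queries)."""
    perms = public_permutations(1)
    rng = random.Random(key_seed)
    keys = [rng.randrange(N) for _ in range(2)]   # secret (k0, k1)
    E = CountingOracle(lambda x: ka_encrypt(perms, keys, x))
    P = CountingOracle(lambda u: perms[0][u])
    m = 4 * (1 << (N_BITS // 2))                  # 4 * 2^(n/2) samples per side
    found = daemen_attack(E, P, m)
    return keys, found, E.queries, P.queries


if __name__ == "__main__":
    keys, found, qe, qp = demo()
    print("true key  :", [hex(k) for k in keys])
    print("recovered :", [hex(k) for k in found])
    print(f"E queries = {qe}, P queries = {qp}, 2^(n/2) = {1 << (N_BITS // 2)}")
```

The query counts printed by `demo` stay within a small constant multiple of $2^{n/2}$ on each side, which is the point: for t = 1 no proof can push security beyond $2^{n/2}$. The same `ka_encrypt` handles any t, but the difference trick above relies on k1 cancelling across a single permutation layer and does not extend to t ≥ 2, where the generic attack instead costs about $2^{tn/(t+1)}$ queries as the abstracts state.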
Abstract. We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance if it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-$\alpha$ hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about $N^{1-\alpha}$ queries, where $N = 2^n$. Our results provide guidance, when trying to design or analyze a permutation-based hash function, about the limits of what can possibly be done.
We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least $2^{2n-5}$ block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least $2^{2n-10}$ queries are necessary. These bounds improve upon the previous best bounds of $\Omega(2^n)$ queries, and are optimal up to a constant factor since the compression functions in question have range of size $2^{2n}$.
Abstract. The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher $KA_t$ consists of a small number t of fixed permutations $P_i$ on n bits, separated by key addition, where $(k_0, \ldots, k_t)$ are obtained from the master key K using some key derivation function. For t = 1, $KA_1$ collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation if $P_1$ is modeled as a (public) random permutation. In this work we seek stronger security of key-alternating ciphers, namely indifferentiability from an ideal cipher, and ask under which conditions on the key derivation function, and for how many rounds t, the key-alternating cipher $KA_t$ is indifferentiable from the ideal cipher, assuming $P_1, \ldots, P_t$ are (public) random permutations. As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher $KA_5$ is indifferentiable from an ideal cipher, assuming $P_1, \ldots, P_5$ are five independent random permutations and the key derivation function sets all round keys $k_i = f(K)$, where $0 \le i \le 5$ and f is modeled as a random oracle. Moreover, when $|K| = |m|$, we show we can set $f(K) = P_0(K) \oplus K$, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations $P_0, P_1, P_2, P_3, P_4, P_5$.