Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

Dinur, Itai; Dunkelman, Orr; Keller, Nathan; Shamir, Adi

doi:10.1007/978-3-662-45611-8_23

Cited by 24 publications

(20 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is not only applicable to Sponge-based modes. For example, there are quite a few cryptographic schemes that have been attacked using multi-collisions, such as block-cipher-based hashing schemes [73], identification schemes [41], JH hash function [58], MDC-2 hash function [54], HMAC and ChopMD MAC [68], the LED block cipher [70], iterated Even-Mansour [32], and strengthened HMAC [88]. Multi-collisions have also influenced various security upper bounds.…”

Section: Tightness Of the Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes

et al. 2018

View full text Add to dashboard Cite

Abstract. The Sponge function is known to achieve 2 c/2 security, where c is its capacity. This bound was carried over to its keyed variants, such as SpongeWrap, to achieve a min{2 c/2 , 2 κ } security bound, with κ the key length. Similarly, many CAESAR competition submissions were designed to comply with the classical 2 c/2 security bound. We show that Sponge-based constructions for authenticated encryption can achieve the significantly higher bound of min{2 b/2 , 2 c , 2 κ }, with b > c the permutation size, by proving that the CAESAR submission NORX achieves this bound. The proof relies on rigorous computation of multi-collision probabilities, which may be of independent interest. We additionally derive a generic attack based on multi-collisions that matches the bound. We show how to apply the proof to five other Sponge-based CAESAR submissions: Ascon, CBEAM/STRIBOB, ICEPOLE, Keyak, and two out of the three PRIMATEs. A direct application of the result shows that the parameter choices of some of these submissions are overly conservative. Simple tweaks render the schemes considerably more efficient without sacrificing security. We finally consider the remaining one of the three PRIMATEs, APE, and derive a blockwise adaptive attack in the noncerespecting setting with complexity 2 c/2 , therewith demonstrating that the techniques cannot be applied to APE.

show abstract

Section: Tightness Of the Resultsmentioning

confidence: 99%

“…NORX consists of five proposed parameter configurations: (32,4,1), (64,6,1), (32,6,1), (64,4,4)}. The parameter R denotes the number of rounds of the underlying permutation p, and W denotes the word size which we use to set r = 10W and c = 6W .…”

Section: Norxmentioning

confidence: 99%

Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes

et al. 2018

View full text Add to dashboard Cite

show abstract

“…Despite considerable cryptanalytic efforts over past twenty years, there is no efficient generic attacks on the more than 5-round iterated Even-Mansour with two alternating keys [23,24,34,42]. However, as mentioned in [24], there are polynomial-time advantage attacks on up to 8-round which improve over exhaustive search by a relatively-small factor [23].…”

Section: Key/state Recovery Attacksmentioning

confidence: 99%

“…However, as mentioned in [24], there are polynomial-time advantage attacks on up to 8-round which improve over exhaustive search by a relatively-small factor [23]. If the user would like to also avoid this type of the attack, he has only to use a 10-round iterated Even-Mansour with two alternating keys as E NC K 1 ,K 2 ,IV, L r (·).…”

Section: Key/state Recovery Attacksmentioning

confidence: 99%

See 1 more Smart Citation

On Design of Robust Lightweight Stream Cipher with Short Internal State

Banik

Isobe

Morii

2018

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

SUMMARYThe stream cipher Sprout with a short internal state was proposed in FSE 2015. Although the construction guaranteed resistance to generic Time Memory Data Tradeoff attacks, there were some weaknesses in the design and the cipher was completely broken. In this paper we propose a family of stream ciphers LILLE in which the size of the internal state is half the size of the secret key. Our main goal is to develop robust lightweight stream cipher. To achieve it, our cipher based on the two-key Even Mansour construction and thus its security against key/state recovery attacks reduces to a well analyzed problem. We also prove that like Sprout, the construction is resistant to generic Time Memory Data Tradeoff attacks. Unlike Sprout, the construction of the cipher guarantees that there are no weak key-IV pairs which produce a keystream sequence with short period or which make the algebraic structure of the cipher weaker and easy to cryptanalyze. The reference implementations of all members of the LILLE family with standard cell libraries based on the STM 90nm and 65 nm processes were also found to be smaller than Grain v1 while security of LILLE family depend on reliable problem in the symmetric cryptography.

show abstract

On Finding Quantum Multi-collisions

Liu

Zhandry

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A k-collision for a compressing hash function H is a set of k distinct inputs that all map to the same output. In this work, we show that for any constant k, Θ N 1 2 (1− 1 2 k −1 ) quantum queries are both necessary and sufficient to achieve a k-collision with constant probability. This improves on both the best prior upper bound (Hosoyamada et al., ASIACRYPT 2017) and provides the first non-trivial lower bound, completely resolving the problem.

show abstract

Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

Cited by 24 publications

References 27 publications

Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes

Beyond Conventional Security in Sponge-Based Authenticated Encryption Modes

On Design of Robust Lightweight Stream Cipher with Short Internal State

On Finding Quantum Multi-collisions

Contact Info

Product

Resources

About