The Security of Elastic Block Ciphers Against Key-Recovery Attacks

Information Security and Cryptology

2009

Self Cite

We create variable-length pseudorandom permutations (PRPs) and strong PRPs (SPRPs) accepting any input length chosen from the range of b to 2b bits from fixed-length, b-bit PRPs. We utilize the elastic network that underlies the recently introduced concrete design of elastic block ciphers, exploiting it as a network of PRPs. We prove that three and four-round elastic networks are variable-length PRPs and five-round elastic networks are variable-length SPRPs, accepting any input length that is fixed in the range of b to 2b bits, when the round functions are independently chosen fixed-length PRPs on b bits. We also prove that these are the minimum number of rounds required.

Section: Introductionmentioning

confidence: 95%

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Information Security and Cryptology

2009

Self Cite

“…This work is an extended version of our previous work on elastic block ciphers, including a more detailed explanation for the selection of the basic structure utilized when creating elastic block ciphers, extended proofs of claims and extended descriptions of instantiations of the method from [11][12][13].…”

Section: Introductionmentioning

confidence: 99%

Elastic block ciphers: method, security and instantiations

2009

Int. J. Inf. Secur.

Self Cite

We introduce the concept of an elastic block cipher, which refers to stretching the supported block size of a block cipher to any length up to twice the original block size while incurring a computational workload that is proportional to the block size. Our method uses the round function of an existing block cipher as a black box and inserts it into a substitution-permutation network. Our method is designed to enable us to form a reduction between the elastic and the original versions of the cipher. Using this reduction, we prove that the elastic version of a cipher is secure against key-recovery attacks if the original cipher is secure against such attacks. We note that while reductionbased proofs of security are a cornerstone of cryptographic analysis, they are typical when complete components are used as sub-components in a larger design. We are not aware of use of such techniques in the case of concrete block cipher designs. We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1 and RC6. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers. key words: elastic block ciphers, variable-length block ciphers, security analysis, reduction proof, key recovery attacks.

“…Our analysis is independent of the key schedule. 4 The swap step is performed by selecting y consecutive bits from the round function's output to XOR and swap with the y bits left out of the round function. In the implementation of elastic AES, the starting position of the y bits selected rotates to the right one byte each round.…”

Section: Examplesmentioning

confidence: 99%

“…In [4] it was proven that an elastic version of a cipher is immune to any practical key-recovery attack if the original cipher is immune to the attack regardless of the specific bit positions chosen for the swap steps. Differential cryptanalysis is covered by this result.…”

Section: Examplesmentioning

confidence: 99%

See 1 more Smart Citation

Methods for Linear and Differential Cryptanalysis of Elastic Block Ciphers

Information Security and Privacy

Self Cite

Abstract. The elastic block cipher design employs the round function of a given, b-bit block cipher in a black box fashion, embedding it in a network structure to construct a family of ciphers in a uniform manner. The family is parameterized by block size, for any size between b and 2b. The design assures that the overall workload for encryption is proportional to the block size. When considering the approach taken in elastic block ciphers, the question arises as to whether cryptanalysis results, including methods of analysis and bounds on security, for the original fixed-sized cipher are lost or, since original components of the cipher are used, whether previous analysis can be applied or reused in some manner. With this question in mind, we analyze elastic block ciphers and consider the security against two basic types of attacks, linear and differential cryptanalysis. We show how they can be related to the corresponding security of the fixed-length version of the cipher. Concretely, we develop techniques that take advantage of relationships between the structure of the elastic network and the original version of the cipher, independently of the cipher. This approach demonstrates how one can build upon existing components to allow cryptanalysis within an extended structure (a topic which may be of general interest outside of elastic block ciphers). We show that any linear attack on an elastic block cipher can be converted efficiently into a linear attack on the fixed-length version of the cipher by converting the equations used to attack the elastic version to equations for the fixed-length version. We extend the result to any algebraic attack. We then define a general method for deriving the differential characteristic bound of an elastic block cipher using the differential bound on a single round of the fixed-length version of the cipher. The structure of elastic block ciphers allows us to use a state transition method to compute differentials for the elastic version from differentials of the round function of the original cipher.