Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations

This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher $PX$ from an $n$-bit permutation $P$ and two $n$-bit keys $k_0$ and $k_1$, setting $PX_{k_0,k_1}(x) = k_1 \oplus P(x \oplus k_0)$. Here we consider a (natural) extension of the Even-Mansour construction with $t$ permutations $P_1, \ldots, P_t$ and $t+1$ keys $k_0, \ldots, k_t$. We demonstrate in a formal model that such a cipher is secure in the sense that an attacker needs to make at least $2^{2n/3}$ queries to the underlying permutations to be able to distinguish the construction from random. We argue further that the bound is tight for $t = 2$, but there is a gap in the bounds for $t > 2$, which is left as an open and interesting problem. Additionally, in terms of statistical attacks, we show that the distribution of Fourier coefficients for the cipher over all keys is close to ideal. Lastly, we define a practical instance of the construction with $t = 2$ using AES, referred to as $\mathrm{AES}^2$. Any attack on $\mathrm{AES}^2$ with complexity
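The construction described in the abstract, written out as an added worked example (this is not code from the paper): a generic key-alternating cipher that XORs a key, applies a public permutation, XORs the next key, and so on through $t$ permutations and $t+1$ keys. The 32-bit keyless Feistel permutations used as $P_1$ and $P_2$, their round constants, and the sample keys are all constructed assumptions standing in for AES under a fixed, publicly known key; $n = 32$ is chosen only so the example runs instantly, and the $2^{2n/3}$ bound is meaningless at that block size.

```python
"""Key-alternating cipher with t public permutations P_1..P_t and t+1 keys
k_0..k_t:  E(x) = k_t xor P_t( ... k_1 xor P_1(x xor k_0) ... ).

Added example, not code from the paper.  The 32-bit keyless Feistel
permutations below are a constructed stand-in (assumption) for the
fixed-key AES permutations of AES^2; n = 32 is far too small for real use."""
from typing import Callable, Sequence, Tuple

N_BITS = 32
MASK = (1 << N_BITS) - 1
HALF = 16
HALF_MASK = (1 << HALF) - 1

Perm = Tuple[Callable[[int], int], Callable[[int], int]]  # (P, P^{-1})


def _round_function(half: int, const: int) -> int:
    """Keyless non-linear 16-bit round function (constructed toy)."""
    v = (half + const) & HALF_MASK
    v = ((v << 5) | (v >> (HALF - 5))) & HALF_MASK        # rotate left by 5
    return (v * 0x9E37 ^ (v >> 3)) & HALF_MASK


def make_public_permutation(constants: Sequence[int]) -> Perm:
    """A keyless 32-bit Feistel permutation fixed entirely by public round
    constants: anyone, including the attacker, can evaluate P and P^{-1}."""
    def P(x: int) -> int:
        l, r = (x >> HALF) & HALF_MASK, x & HALF_MASK
        for c in constants:
            l, r = r, l ^ _round_function(r, c)
        return (l << HALF) | r

    def P_inv(y: int) -> int:
        l, r = (y >> HALF) & HALF_MASK, y & HALF_MASK
        for c in reversed(constants):
            l, r = r ^ _round_function(l, c), l
        return (l << HALF) | r

    return P, P_inv


class KeyAlternatingCipher:
    """Generalised Even-Mansour: alternate secret key XORs with public permutations."""

    def __init__(self, perms: Sequence[Perm], keys: Sequence[int]) -> None:
        if len(keys) != len(perms) + 1:
            raise ValueError("t permutations require t+1 keys")
        if any(k >> N_BITS for k in keys):
            raise ValueError("keys must be n-bit values")
        self.perms = list(perms)
        self.keys = list(keys)

    @property
    def t(self) -> int:
        return len(self.perms)

    def encrypt(self, x: int) -> int:
        y = (x & MASK) ^ self.keys[0]                 # initial whitening with k_0
        for (P, _), k in zip(self.perms, self.keys[1:]):
            y = P(y) ^ k                              # public P_i, then secret k_i
        return y

    def decrypt(self, y: int) -> int:
        x = y & MASK
        for (_, P_inv), k in zip(reversed(self.perms), reversed(self.keys[1:])):
            x = P_inv(x ^ k)                          # undo k_i, then P_i^{-1}
        return x ^ self.keys[0]


# Two distinct public permutations, playing the role of AES under two
# different fixed, publicly known keys in the paper's AES^2 instance (toy).
P1 = make_public_permutation((0x243F, 0x6A88, 0x85A3, 0x08D3))
P2 = make_public_permutation((0x1319, 0x8A2E, 0x0370, 0x7344))


def even_mansour(k0: int, k1: int, x: int) -> int:
    """t = 1: the original Even-Mansour cipher PX_{k0,k1}(x) = k1 xor P(x xor k0)."""
    return KeyAlternatingCipher([P1], [k0, k1]).encrypt(x)


def two_permutation_cipher(k0: int, k1: int, k2: int) -> KeyAlternatingCipher:
    """t = 2: the shape of AES^2, with toy permutations in place of AES."""
    return KeyAlternatingCipher([P1, P2], [k0, k1, k2])


def roundtrip_ok(cipher: KeyAlternatingCipher, samples: Sequence[int]) -> bool:
    """True if decrypt inverts encrypt on every sample plaintext."""
    return all(cipher.decrypt(cipher.encrypt(x)) == x for x in samples)


if __name__ == "__main__":
    c = two_permutation_cipher(0xDEADBEEF, 0x01234567, 0x89ABCDEF)
    pt = 0xCAFEBABE
    ct = c.encrypt(pt)
    print(f"t={c.t}: {pt:08x} -> {ct:08x} -> {c.decrypt(ct):08x}")
```

With `t = 1` the class is exactly the Even-Mansour cipher $PX$; with `t = 2` it has the shape of $\mathrm{AES}^2$, where `P1` and `P2` would be AES under two distinct fixed, public keys. One structural fact worth noticing in `encrypt`: the permutations are public and keyless, so all secrecy lives in the whitening keys, and the last key $k_t$ is a plain XOR, so a difference injected into $k_t$ appears unchanged in the ciphertext. The security argument of the paper counts queries to the public $P_i$, not key guesses, for exactly this reason.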

[1] Vincent Rijmen, et al. The Design of Rijndael, 2002, Information Security and Cryptography.

[2] Lars R. Knudsen, et al. Practically Secure Feistel Ciphers, 1994.

[3] Serge Vaudenay, et al. Links Between Differential and Linear Cryptanalysis, 1994, EUROCRYPT.

[4] Guido Bertoni, et al. Keccak sponge function family main document, 2009.

[5] Kaisa Nyberg, et al. Linear Approximation of Block Ciphers, 1994, EUROCRYPT.

[6] Serge Vaudenay, et al. On the Lai-Massey Scheme, 1999, ASIACRYPT.

[7] Peter Schwabe, et al. Faster and Timing-Attack Resistant AES-GCM, 2009, CHES.

[8] Vincent Rijmen, et al. The Wide Trail Design Strategy, 2001, IMACC.

[9] Xuejia Lai, et al. A Proposal for a New Block Encryption Standard, 1991, EUROCRYPT.

[10] Henk Meijer, et al. Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael, 2001, Selected Areas in Cryptography.

[11] Alex Biryukov, et al. Related-Key Cryptanalysis of the Full AES-192 and AES-256, 2009, ASIACRYPT.

[12] Andrey Bogdanov, et al. Biclique Cryptanalysis of the Full AES, 2011, ASIACRYPT.

[13] Mitsuru Matsui, et al. New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis, 1996, FSE.

[14] Thomas Baignères, et al. Dial C for Cipher, 2006, Selected Areas in Cryptography.

[15] Yishay Mansour, et al. A Construction of a Cipher From a Single Pseudorandom Permutation, 1991, ASIACRYPT.

[16] Thomas Peyrin, et al. The LED Block Cipher, 2011, IACR Cryptol. ePrint Arch.

[17] Mitsuru Matsui, et al. New Block Encryption Algorithm MISTY, 1997, FSE.

[18] Joos Vandewalle, et al. Correlation Matrices, 1994, FSE.

[19] Xuejia Lai, et al. Markov Ciphers and Differential Cryptanalysis, 1991, EUROCRYPT.

[20] Alex Biryukov, et al. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds, 2010, IACR Cryptol. ePrint Arch.

[21] Yishay Mansour, et al. A construction of a cipher from a single pseudorandom permutation, 1997, Journal of Cryptology.

[22] Aris Spanos, et al. Probability theory and statistical inference: econometric modelling with observational data, 1999.

[23] Geert Dhaene, et al. Probability Theory and Statistical Inference: Econometric Modeling With Observational Data, 2001.

[24] Vincent Rijmen, et al. Probability distributions of correlation and differentials in block ciphers, 2007, J. Math. Cryptol.

[25] Serge Vaudenay, et al. Decorrelation: A Theory for Block Cipher Security, 2003, Journal of Cryptology.

[26] Vincent Rijmen, et al. The KHAZAD Legacy-Level Block Cipher, 2001.

[27] Luke O'Connor, et al. Properties of Linear Approximation Tables, 1994, FSE.

[28] Vincent Rijmen, et al. The Cipher SHARK, 1996, FSE.

[29] Andrey Bogdanov, et al. PRESENT: An Ultra-Lightweight Block Cipher, 2007, CHES.

[30] Michael Luby, et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract), 1986, CRYPTO.

[31] Joan Daemen, et al. Limitations of the Even-Mansour Construction, 1991, ASIACRYPT.

[32] Thomas Baignères, et al. KFC - The Krazy Feistel Cipher, 2006, ASIACRYPT.

[33] Lars R. Knudsen, et al. Practically Secure Feistel Ciphers, 1993, FSE.