On The Distinguishability of Ideal Ciphers

We present distinguishing attacks (based on the Birthday Paradox) which show that the use of 2^ℓ permutations for a block cipher is insufficient to obtain a security of ℓ bits in the Ideal Cipher Model. The context is that of an Oracle that can provide an Adversary with the ciphertexts of a very small number of known plaintexts under a large number of (session) keys and IVs/nonces. Our attacks distinguish an ideal cipher from a "perfectly ideal" block cipher, realised as an Oracle that can always produce new permutations, up to the cardinality of the symmetric group on the block space. The result is that, in order to guarantee that an Adversary whose time is limited to O(2^ℓ) encryption requests has only a negligible advantage, the cipher needs to express 2^{2ℓ} distinct permutations. This seems to contradict a folklore belief about the security of using a block cipher in the multi-key setting, namely that to obtain ℓ-bit security it is sufficient to use ℓ- or 2ℓ-bit keys depending on the mode of operation and the use case.
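The following Python simulation is an added illustration of the birthday-style distinguisher sketched in the abstract; it is not code from the paper. It models both oracles with lazily sampled random permutations: the ideal-cipher oracle has a κ-bit key space (so 2^κ permutations) and every session draws a fresh random key, while the "perfectly ideal" oracle hands every session its own brand-new permutation. The Adversary asks for the ciphertexts of just two known plaintexts per session and outputs "ideal cipher" as soon as two sessions agree on both ciphertexts. The toy parameters (16-bit blocks, κ = 16 or 32, q = 2^9 sessions, 50 trials, fixed seed) and the helper names are assumptions chosen so the run finishes instantly; the expected hit rate 1 − exp(−q(q−1)/2^{κ+1}) is the standard birthday estimate, not a figure from the paper.

```python
"""Birthday distinguisher: ideal cipher with 2^kappa keys vs. a 'perfectly
ideal' cipher that draws a fresh permutation for every session.

Added example (not the paper's code). Parameters, class and function names
are assumptions made for illustration only.
"""
import math
import random
from typing import Dict, Set, Tuple


class LazyPermutation:
    """Uniformly random permutation of {0, ..., 2^n - 1}, sampled lazily.

    Only the points actually queried are assigned images; injectivity is
    enforced by rejection sampling against the set of images already used.
    """

    def __init__(self, n: int, rng: random.Random) -> None:
        self.size = 1 << n
        self.rng = rng
        self.fwd: Dict[int, int] = {}
        self.used: Set[int] = set()

    def __call__(self, x: int) -> int:
        if x not in self.fwd:
            y = self.rng.randrange(self.size)
            while y in self.used:
                y = self.rng.randrange(self.size)
            self.fwd[x] = y
            self.used.add(y)
        return self.fwd[x]


class IdealCipherOracle:
    """Ideal Cipher Model with n-bit blocks and kappa-bit keys.

    Each key indexes one random permutation. A new session draws a uniform
    key, so two sessions that happen to draw the same key share a permutation
    (this is the event the distinguisher detects).
    """

    def __init__(self, n: int, kappa: int, rng: random.Random) -> None:
        self.n, self.kappa, self.rng = n, kappa, rng
        self.perms: Dict[int, LazyPermutation] = {}

    def new_session(self) -> int:
        return self.rng.randrange(1 << self.kappa)  # session handle == key

    def encrypt(self, session: int, x: int) -> int:
        if session not in self.perms:
            self.perms[session] = LazyPermutation(self.n, self.rng)
        return self.perms[session](x)


class PerfectlyIdealOracle:
    """'Perfectly ideal' cipher: every session gets a fresh permutation,
    so there is no key space to collide in (up to (2^n)! permutations)."""

    def __init__(self, n: int, rng: random.Random) -> None:
        self.n, self.rng = n, rng
        self.perms: Dict[int, LazyPermutation] = {}

    def new_session(self) -> int:
        handle = len(self.perms)
        self.perms[handle] = LazyPermutation(self.n, self.rng)
        return handle

    def encrypt(self, session: int, x: int) -> int:
        return self.perms[session](x)


def distinguish(oracle, q: int, probes: Tuple[int, ...] = (0, 1)) -> bool:
    """Adversary: open q sessions, ask for the ciphertexts of the same few
    known plaintexts in each, and answer 'ideal cipher' (True) iff two
    sessions return identical ciphertexts on every probe.

    Against the ideal cipher this fires whenever two session keys collide
    (birthday rate in 2^kappa); against the perfectly ideal oracle two
    independent permutations agree on all probes only with probability
    about 2^(-n * len(probes)) per pair.
    """
    seen: Set[Tuple[int, ...]] = set()
    for _ in range(q):
        s = oracle.new_session()
        fingerprint = tuple(oracle.encrypt(s, p) for p in probes)
        if fingerprint in seen:
            return True
        seen.add(fingerprint)
    return False


def birthday_bound(kappa: int, q: int) -> float:
    """Standard estimate of Pr[two of q uniform kappa-bit keys coincide]."""
    return 1.0 - math.exp(-(q * (q - 1) / 2) / float(1 << kappa))


def estimate_hit_rates(n: int, kappa: int, q: int, trials: int,
                       seed: int = 1) -> Tuple[float, float]:
    """Fraction of trials in which the distinguisher says 'ideal cipher'
    when talking to (ideal cipher with 2^kappa keys, perfectly ideal)."""
    rng = random.Random(seed)  # fixed seed: the experiment is reproducible
    ideal = sum(distinguish(IdealCipherOracle(n, kappa, rng), q)
                for _ in range(trials))
    perfect = sum(distinguish(PerfectlyIdealOracle(n, rng), q)
                  for _ in range(trials))
    return ideal / trials, perfect / trials


if __name__ == "__main__":
    n, q, trials = 16, 1 << 9, 50          # 16-bit blocks, 2^9 sessions
    for kappa in (16, 32):                 # 2^l keys vs. 2^(2l) keys, l = 16
        hit_ideal, hit_perfect = estimate_hit_rates(n, kappa, q, trials)
        print(f"kappa={kappa:2d}: ideal-cipher hit rate {hit_ideal:.2f} "
              f"(birthday estimate {birthday_bound(kappa, q):.2f}), "
              f"perfectly-ideal hit rate {hit_perfect:.2f}")
```

With κ = 16 the Adversary spends about 2^{κ/2} sessions (2·2^9 encryption requests in total) and distinguishes with probability near 0.86, while with κ = 32 the same budget almost never fires; this is the gap between 2^ℓ and 2^{2ℓ} permutations that the abstract describes.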
