On the Indifferentiability of Key-Alternating Feistel Ciphers with No Key Derivation

Feistel constructions have been shown to be indifferentiable from random permutations at STOC 2011. However, how to properly mix the keys into an un-keyed Feistel construction, without appealing to a domain separation technique, to obtain a block cipher which is provably secure against known-key and chosen-key attacks (or to obtain an ideal cipher) remains an open problem. We study this problem, in particular the basic structure of NSA's SIMON family of block ciphers. The SIMON family uses a construction in which the subkey is XORed into one half of the state at each round. More precisely, at the i-th round, the state is updated according to
