On the Indifferentiability of Key-Alternating Ciphers

The Advanced Encryption Standard (AES) is the most widely used block cipher. The high-level structure of AES can be viewed as a (10-round) key-alternating cipher, where a $t$-round key-alternating cipher $\text{KA}_t$ consists of a small number $t$ of fixed permutations $P_i$ on $n$ bits, separated by key addition: $$ \text{KA}_t(K,m)= k_t\oplus P_t(\dots k_2\oplus P_2(k_1\oplus P_1(k_0 \oplus m))\dots), $$ where $(k_0,\dots,k_t)$ are obtained from the master key $K$ using some key derivation function.
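The construction above as an added example (not code from the paper): a toy $\text{KA}_t$ on $n = 8$ bits with encryption and the matching decryption. The seeded random permutations and the SHA-256-based key derivation are assumptions made for illustration; the text only says "some key derivation function".

```python
import hashlib
import random

N_BITS = 8                      # toy block size n (assumption; AES uses n = 128)
MASK = (1 << N_BITS) - 1


def make_permutations(t, seed=2013):
    """Build t fixed public permutations P_1..P_t on n bits plus their inverses."""
    rng = random.Random(seed)   # constructed sample permutations, not AES rounds
    perms, inverses = [], []
    for _ in range(t):
        table = list(range(1 << N_BITS))
        rng.shuffle(table)
        inverse = [0] * len(table)
        for x, y in enumerate(table):
            inverse[y] = x
        perms.append(table)
        inverses.append(inverse)
    return perms, inverses


def derive_round_keys(master_key: bytes, t: int):
    """Hypothetical key derivation: k_i = low n bits of SHA-256(i || K)."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + master_key).digest(), "big") & MASK
            for i in range(t + 1)]


def ka_encrypt(master_key, m, perms):
    """KA_t(K, m) = k_t ^ P_t(... k_1 ^ P_1(k_0 ^ m) ...)."""
    keys = derive_round_keys(master_key, len(perms))
    state = keys[0] ^ m
    for i, perm in enumerate(perms, start=1):
        state = keys[i] ^ perm[state]
    return state


def ka_decrypt(master_key, c, inverses):
    """Undo the rounds in reverse order: strip k_i, then apply P_i^{-1}."""
    keys = derive_round_keys(master_key, len(inverses))
    state = c
    for i in range(len(inverses), 0, -1):
        state = inverses[i - 1][keys[i] ^ state]
    return state ^ keys[0]


PERMS, INVERSES = make_permutations(t=10)   # 10 rounds, as in the AES view above
```

Because each $P_i$ is a permutation and key addition is an XOR, every master key selects a permutation of the $2^n$ blocks; setting `t=1` gives the single-permutation case with one key addition before and one after $P_1$.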
