Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-46494-6_6

2015-01-01

Abstract:Feistel constructions have been shown to be indifferentiable from random permutations at STOC 2011. Whereas how to properly mix the keys into an un-keyed Feistel construction without appealing to domain separation technique to obtain a block cipher which is provably secure against known-key and chosen-key attacks (or to obtain an ideal cipher) remains an open problem. We study this, particularly the basic structure of NSA's SIMON family of block ciphers. SIMON family takes a construction which has the subkey xored into a halve of the state at each round. More clearly, at the i-th round, the state is updated according to (x(i), x(i-1)) -> (x(i-1) circle plus F-i(x(i)) circle plus k(i), x(i)) For such key-alternating Feistel ciphers, we show that 21 rounds are sufficient to achieve indifferentiability from ideal ciphers with 2n-bit blocks and n-bit keys, assuming the n-to-n-bit round functions F-1, ... , F-21 to be random and public and an identical user-provided n-bit key to be applied at each round. This gives an answer to the question mentioned before, which is the first to our knowledge.

Hailun Yan,Lei Wang,Yaobin Shen,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-030-57808-4_4

2020-01-01

Abstract:Tweakable block cipher as a cryptographic primitive has found wide applications in disk encryption, authenticated encryption mode and message authentication code, etc. One popular approach of designing tweakable block ciphers is to tweak the generic constructions of classic block ciphers. This paper focuses on how to build a secure tweakable block cipher from the Key-Alternating Feistel (KAF) structure, a dedicated Feistel structure with round functions of the form F-i(k(i) circle plus x(i)), where k is the secret round key and F-i is a public random function in the i-th round. We start from the simplest KAF structures that have been published so far, and then incorporate the tweaks to the round key XOR operations by (almost) universal hash functions. Moreover, we limit the number of rounds with the tweak injections for the efficiency concerns of changing the tweak value. Our results are two-fold, depending on the provable security bound: For the birthday-bound security, we present a 4-round minimal construction with two independent round keys, a single round function and two universal hash functions; For the beyond-birthday-bound security, we present a 10-round construction secure up to O(min{2(2/3), 4 root 2(2n)epsilon(-1)}) adversarial queries, where n is the output size of the round function and epsilon is the upper bound of the collision probability of the universal hash functions. Our security proofs exploit the hybrid argument combined with the H-coefficient technique.

Chun Guo,Lei Wang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-031-30634-1_14

2023-01-01

Abstract:Virtually all modern blockciphers are iterated. In this paper, we ask: to construct a secure iterated blockcipher “non-trivially”, how many calls to random functions and permutations are necessary? When security means indistinguishability from a random permutation, optimality is achieved by the Even-Mansour scheme using 1 call to a public permutation. We seek for the arguably strongest security indifferentiability from an ideal cipher, a notion introduced by Maurer et al. (TCC 2004) and popularized by Coron et al. (JoC, 2014). We provide the first generic negative result/lower bounds: when the key is not too short, no iterated blockcipher making 3 calls is (statistically) indifferentiable. This proves optimality for a 4-call positive result of Guo et al. (Eprint 2016). Furthermore, using 1 or 2 calls, even indifferentiable iterated blockciphers with polynomial $$\text {keyspace}$$ are impossible. To prove this, we develop an abstraction of idealized iterated blockciphers and establish various basic properties, and apply Extremal Graph Theory results to prove the existence of certain (generalized) non-random properties such as the boomerang and yoyo.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9468-y

2018-08-31

Science China Information Sciences

Abstract:Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover’s and Simon’s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover’s and Simon’s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require 20.25nr−0.75n quantum queries to break an r-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of 20.75n. When compared with the best classical attacks, i.e., Dinur et al.’s attacks at CRYPTO 2015, the time complexity is reduced by a factor of 20.5n without incurring any memory cost.

computer science, information systems,engineering, electrical & electronic

Yaobin Shen,Chun Guo,Lei Wang

DOI: https://doi.org/10.13154/tosc.v2020.i1.425-457

2020-01-01

Abstract:We revisit the security of various generalized Feistel networks. Concretely, for unbalanced, alternating, type-1, type-2, and type-3 Feistel networks built from random functions, we substantially improve the coupling analyzes of Hoang and Rogaway (CRYPTO 2010). For a tweakable blockcipher-based generalized Feistelnetwork proposed by Coron et al. (TCC 2010), we present a coupling analysis and for the first time show that with enough rounds, it achieves 2n-bit security, and this provides highly secure, double-length tweakable blockciphers.

Muhua Liu,Ping Zhang

DOI: https://doi.org/10.1093/comjnl/bxz154

2020-01-01

Abstract:Functional encryption (FE) can provide a fine-grained access control on the encrypted message. Therefore, it has been applied widely in security business. The previous works about functional encryptions most focused on the deterministic functions. The randomized algorithm has wide application, such as securely encryption algorithms against chosen ciphertext attack, privacy-aware auditing. Based on this, FE for randomized functions was proposed. The existing constructions are provided in a weaker selective security model, where the adversary is forced to output the challenge message before the start of experiment. This security is not enough in some scenes. In this work, we present a novel construction for FE, which supports the randomized functionalities. We use the technology of key encapsulated mechanism to achieve adaptive security under the simulated environment, where the adversary is allowed to adaptively choose the challenge message at any point in time. Our construction is built based on indistinguishability obfuscation, non-interactive witness indistinguishable proofs and perfectly binding commitment scheme.

Kwangsu Lee

DOI: https://doi.org/10.48550/arXiv.1703.08306

2017-03-24

Cryptography and Security

Abstract:A block cipher is a bijective function that transforms a plaintext to a ciphertext. A block cipher is a principle component in a cryptosystem because the security of a cryptosystem depends on the security of a block cipher. A Feistel network is the most widely used method to construct a block cipher. This structure has a property such that it can transform a function to a bijective function. But the previous Feistel network is unsuitable to construct block ciphers that have large input-output size. One way to construct block ciphers with large input-output size is to use an unbalanced Feistel network that is the generalization of a previous Feistel network. There have been little research on unbalanced Feistel networks and previous work was about some particular structures of unbalanced Feistel networks. So previous work didn't provide a theoretical base to construct block ciphers that are secure and efficient using unbalanced Feistel networks. In this thesis, we analyze the minimal number of rounds of pseudo-random permutation generators that use unbalanced Feistel networks. That is, after categorizing unbalanced Feistel networks as source-heavy structures and target-heavy structures, we analyze the minimal number of rounds of pseudo-random permutation generators that use each structure. Therefore, in order to construct a block cipher that is secure and efficient using unbalanced Feistel networks, we should follow the results of this thesis. Additionally, we propose a new unbalanced Feistel network that has some advantages such that it can extend a previous block cipher with small input-output size to a new block cipher with large input-output size. We also analyze the minimum number of rounds of a pseudo-random permutation generator that uses this structure.

Chun Guo,Ling Song

DOI: https://doi.org/10.1007/s10623-024-01394-x

IF: 1.4

2024-03-25

Designs Codes and Cryptography

Abstract:Feistel constructions using contracting round functions were introduced in 1990s and generalized by Yun et al. (Des Codes Cryptogr 58(1):45–72, 2011) to a quasigroup-based definition. To our knowledge, the minimal number of rounds sufficient for CCA security remains elusive. We bridge this gap: for the general quasigroup-based contracting Feistel construction using round functions , , we prove CCA security at rounds. This matches the attacked rounds of Patarin et al. (in: Lai, Chen (ed) ASIACRYPT, Springer, Heidelberg, 2006). Interestingly, this means 4 rounds are already sufficient for CCA security of the case , which is the same as the balanced Feistel.

mathematics, applied,computer science, theory & methods

William He,Ryan O'Donnell

2024-07-04

Abstract:We study pseudorandomness properties of permutations on $\{0,1\}^n$ computed by random circuits made from reversible $3$-bit gates (permutations on $\{0,1\}^3$). Our main result is that a random circuit of depth $n \cdot \tilde{O}(k^2)$, with each layer consisting of $\approx n/3$ random gates in a fixed nearest-neighbor architecture, yields almost $k$-wise independent permutations. The main technical component is showing that the Markov chain on $k$-tuples of $n$-bit strings induced by a single random $3$-bit nearest-neighbor gate has spectral gap at least $1/n \cdot \tilde{O}(k)$. This improves on the original work of Gowers [Gowers96], who showed a gap of $1/\mathrm{poly}(n,k)$ for one random gate (with non-neighboring inputs); and, on subsequent work [HMMR05,BH08] improving the gap to $\Omega(1/n^2k)$ in the same setting. From the perspective of cryptography, our result can be seen as a particularly simple/practical block cipher construction that gives provable statistical security against attackers with access to $k$~input-output pairs within few rounds. We also show that the Luby--Rackoff construction of pseudorandom permutations from pseudorandom functions can be implemented with reversible circuits. From this, we make progress on the complexity of the Minimum Reversible Circuit Size Problem (MRCSP), showing that block ciphers of fixed polynomial size are computationally secure against arbitrary polynomial-time adversaries, assuming the existence of one-way functions (OWFs).

Computational Complexity,Cryptography and Security,Probability

Huafei Zhu,Haibin Qu,Lixin Ran,Yumin Wang

IF: 1.019

2000-01-01

Chinese Journal of Electronics

Abstract:Pseudo-randomness and differential aspect of the unbalanced Feistel block cipher BEAR are mainly concerned in this paper. We have shown that two facts of block cipher BEAR. The order of pseudo-randomness of BEAR is O(2(t/2) + 2(S/2)), which implies that BEAR can resist O(2(t/2)+ 2(s/2)) Order plain-text attack. And the other fact is that if hash function can resist differential attack then so does the block cipher BEAR.

Ming Jiang,Lei Wang

DOI: https://doi.org/10.3390/sym13040649

2021-01-01

Symmetry

Abstract:This paper focuses on designing a tweakable block cipher via by tweaking the Key-Alternating Feistel (KAF for short) construction. Very recently Yan et al. published a tweakable KAF construction. It provides a birthday-bound security with 4 rounds and Beyond-Birthday-Bound (BBB for short) security with 10 rounds. Following their work, we further reduce the number of rounds in order to improve the efficiency while preserving the same level of security bound. More specifically, we rigorously prove that 6-round tweakable KAF cipher is BBB- secure. The main technical contribution is presenting a more refined security proof framework, which makes significant efforts to deal with several subtle and complicated sub-events. Note that Yan et al. showed that 4-round KAF provides exactly Birthday-Bound security by a concrete attack. Thus, 6 rounds are (almost) minimal rounds to achieve BBB security for tweakable KAF construction.

Yuxuan Lu,Sihem Mesnager,Nian Li,Lisha Wang,Xiangyong Zeng

2024-08-21

Abstract:The Feistel Boomerang Connectivity Table ($\rm{FBCT}$), which is the Feistel version of the Boomerang Connectivity Table ($\rm{BCT}$), plays a vital role in analyzing block ciphers' ability to withstand strong attacks, such as boomerang attacks. However, as of now, only four classes of power functions are known to have explicit values for all entries in their $\rm{FBCT}$. In this paper, we focus on studying the FBCT of the power function $F(x)=x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$, where $n$ is a positive integer. Through certain refined manipulations to solve specific equations over $\mathbb{F}_{2^n}$ and employing binary Kloosterman sums, we determine explicit values for all entries in the $\rm{FBCT}$ of $F(x)$ and further analyze its Feistel boomerang spectrum. Finally, we demonstrate that this power function exhibits the lowest Feistel boomerang uniformity.

Information Theory

Yiyuan Luo,Xuejia Lai,Jing Hu

2015-01-01

Journal of information science and engineering

Abstract:In this paper we prove beyond-birthday-bound for the (strong) pseudorandomness of many-round Lai-Massey scheme. Motivated by Hoang and Rogaway's analysis of generalized Feistel networks, we use the coupling technology from Markov chain theory and prove that for any epsilon > 0, with enough rounds, the Lai-Massey scheme is indistinguishable from a uniform random permutation by any computationally unbounded distinguisher making at most q similar to N1-epsilon combined chosen plaintext/ciphertext (CCA) queries, where N is the range size of the round function. Previous works by Vaudenay et al. and Yun et al. only proved the birthday-bound CCA security of Lai-Massey scheme.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-48800-3_16

2015-01-01

Abstract:Iterated Even-Mansour scheme IEM is a generalization of the basic 1-round proposal ASIACRYPT '91. The scheme can use one key, two keys, or completely independent keys. Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two relatively independent keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time. This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double independent round-keys: $$\\begin{aligned} \\text {IDEM}_rk_1,k_2,m=k_i\\oplus P_r\\ldots k_1\\oplus P_2k_2\\oplus P_1k_1\\oplus m\\ldots , \\end{aligned}$$ where $$i=2$$ when r is odd, and $$i=1$$ when r is even. As results, this work proves that 15 rounds can achieve full indifferentiability from an ideal cipher with $$O{q^{8}}/{2^n}$$ security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability a notion introduced at TCC 2012 with $$O{q^{6}}/{2^n}$$ security bound, so that $$\\text {IDEM}_{7}$$ is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.

蒋超,陈恭亮

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.05.057

2009-01-01

Abstract:In this paper, we reveal a restructuring method which might change the explicit complex structures or partof the structures in the algorithm into the framework of Feistel. By this method, we can change several algorithms inthe Program of eStream into Feistel Structure, and we hope this will reveal new attacking method for the cryptanalysis.

Nils Schlüter,Philipp Binfet,Moritz Schulze Darup

2023-04-13

Abstract:Cloud-based and distributed computations are of growing interest in modern control systems. However, these technologies require performing computations on not necessarily trustworthy platforms and, thus, put the confidentiality of sensitive control-related data at risk. Encrypted control has dealt with this issue by utilizing modern cryptosystems with homomorphic properties, which allow a secure evaluation at the cost of an increased computation or communication effort (among others). Recently, a cipher based on a random affine transformation gained attention in the encrypted control community. Its appeal stems from the possibility to construct security providing homomorphisms that do not suffer from the restrictions of ``conventional'' approaches. This paper provides a cryptanalysis of random affine transformations in the context of encrypted control. To this end, a deterministic and probabilistic variant of the cipher over real numbers are analyzed in a generalized setup, where we use cryptographic definitions for security and attacker models. It is shown that the deterministic cipher breaks under a known-plaintext attack, and unavoidably leaks information of the closed-loop, which opens another angle of attack. For the probabilistic variant, statistical indistinguishability of ciphertexts can be achieved, which makes successful attacks unlikely. We complete our analysis by investigating a floating point realization of the probabilistic random affine transformation cipher, which unfortunately suggests the impracticality of the scheme if a security guarantee is needed.

Cryptography and Security,Systems and Control

Haibo Zhou,Rui Zong,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxaa101

2020-01-01

Abstract:We introduce an interpolation attack using the Moebius Transform. This can reduce the time complexity to get a linear system of equations for specified intermediate state bits, which is general to cryptanalysis of some ciphers with update function of low algebraic degree. Along this line, we perform an interpolation attack against Elephant-Delirium, a round 2 submission of the ongoing national institute of standards and technology (NIST) lightweight cryptography project. This is the first third-party cryptanalysis on this cipher. Moreover, we promote the interpolation attack by applying it to the Farfalle pseudo-random constructions Kravatte and Xoofff. Our attacks turn out to be the most efficient method for these ciphers thus far.

Yu Yu,François-Xavier Standaert

DOI: https://doi.org/10.1007/978-3-642-36095-4_15

2013-01-01

Abstract:One of the main challenges in leakage-resilient cryptography is to obtain proofs of security against side-channel attacks, under realistic assumptions and for efficient constructions. In a recent work from CHES 2012, Faust et al. proposed new designs of stream ciphers and pseudorandom functions for this purpose. Yet, a remaining limitation of these constructions is that they require large amounts of public randomness to be proven leakage-resilient. In this paper, we show that tweaked designs with minimum randomness requirements can be proven leakage-resilient in minicrypt. That is, either these constructions are secure, or we are able to construct public-key cryptographic primitives from symmetric-key building blocks and their leakage functions (which is very unlikely). Hence, our results improve the practical relevance of two important leakage-resilient pseudorandom objects.

Chun Guo,Lei Wang

DOI: https://doi.org/10.1007/978-3-030-03326-2_8

2018-01-01

Abstract:Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form , where is the (secret) round-key and is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key-schedules and instantiating keyed sponge constructions.

Chunfu Jia,Zheli Liu,Jingwei Li,Zongqing Dong,Xiaoying You

DOI: https://doi.org/10.1007/978-3-642-28744-2_83

2012-01-01

Abstract:Format-preserving encryption implies a block cipher which encrypts a plaintext of some specified format into a ciphertext of identical format. In the paper, we make an overview of various types of Feistel networks used in FPE schemes and show that all Feistel networks divide the input into two sub-blocks. Then we present an integer FPE scheme based on type-2 Feistel network which divides the input into k sub-blocks (here k=4) to provide better diffusion and be better immunity to differential cryptanalysis.