Chun Guo,Lei Wang

DOI: https://doi.org/10.1007/978-3-030-03326-2_8

2018-01-01

Abstract:Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form , where is the (secret) round-key and is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key-schedules and instantiating keyed sponge constructions.

Hailun Yan,Lei Wang,Yaobin Shen,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-030-57808-4_4

2020-01-01

Abstract:Tweakable block cipher as a cryptographic primitive has found wide applications in disk encryption, authenticated encryption mode and message authentication code, etc. One popular approach of designing tweakable block ciphers is to tweak the generic constructions of classic block ciphers. This paper focuses on how to build a secure tweakable block cipher from the Key-Alternating Feistel (KAF) structure, a dedicated Feistel structure with round functions of the form F-i(k(i) circle plus x(i)), where k is the secret round key and F-i is a public random function in the i-th round. We start from the simplest KAF structures that have been published so far, and then incorporate the tweaks to the round key XOR operations by (almost) universal hash functions. Moreover, we limit the number of rounds with the tweak injections for the efficiency concerns of changing the tweak value. Our results are two-fold, depending on the provable security bound: For the birthday-bound security, we present a 4-round minimal construction with two independent round keys, a single round function and two universal hash functions; For the beyond-birthday-bound security, we present a 10-round construction secure up to O(min{2(2/3), 4 root 2(2n)epsilon(-1)}) adversarial queries, where n is the output size of the round function and epsilon is the upper bound of the collision probability of the universal hash functions. Our security proofs exploit the hybrid argument combined with the H-coefficient technique.

Alexander Russell,Qiang Tang,Jiadong Zhu

2024-04-15

Abstract:The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers. This paper shows that a simple adaptation of the construction is resistant, even to algorithm substitution attacks -- that is, adversarial subversion -- of the component round functions. Specifically, we establish that a Feistel-based construction with more than $2000n/\log(1/\epsilon)$ rounds can transform a subverted random function -- which disagrees with the original one at a small fraction (denoted by $\epsilon$) of inputs -- into an object that is \emph{crooked-indifferentiable} from a random permutation, even if the adversary is aware of all the randomness used in the transformation. We also provide a lower bound showing that the construction cannot use fewer than $2n/\log(1/\epsilon)$ rounds to achieve crooked-indifferentiable security.

Cryptography and Security

Chun Guo,Lei Wang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-031-30634-1_14

2023-01-01

Abstract:Virtually all modern blockciphers are iterated. In this paper, we ask: to construct a secure iterated blockcipher “non-trivially”, how many calls to random functions and permutations are necessary? When security means indistinguishability from a random permutation, optimality is achieved by the Even-Mansour scheme using 1 call to a public permutation. We seek for the arguably strongest security indifferentiability from an ideal cipher, a notion introduced by Maurer et al. (TCC 2004) and popularized by Coron et al. (JoC, 2014). We provide the first generic negative result/lower bounds: when the key is not too short, no iterated blockcipher making 3 calls is (statistically) indifferentiable. This proves optimality for a 4-call positive result of Guo et al. (Eprint 2016). Furthermore, using 1 or 2 calls, even indifferentiable iterated blockciphers with polynomial $$\text {keyspace}$$ are impossible. To prove this, we develop an abstraction of idealized iterated blockciphers and establish various basic properties, and apply Extremal Graph Theory results to prove the existence of certain (generalized) non-random properties such as the boomerang and yoyo.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-48800-3_16

2015-01-01

Abstract:Iterated Even-Mansour scheme IEM is a generalization of the basic 1-round proposal ASIACRYPT '91. The scheme can use one key, two keys, or completely independent keys. Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two relatively independent keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time. This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double independent round-keys: $$\\begin{aligned} \\text {IDEM}_rk_1,k_2,m=k_i\\oplus P_r\\ldots k_1\\oplus P_2k_2\\oplus P_1k_1\\oplus m\\ldots , \\end{aligned}$$ where $$i=2$$ when r is odd, and $$i=1$$ when r is even. As results, this work proves that 15 rounds can achieve full indifferentiability from an ideal cipher with $$O{q^{8}}/{2^n}$$ security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability a notion introduced at TCC 2012 with $$O{q^{6}}/{2^n}$$ security bound, so that $$\\text {IDEM}_{7}$$ is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-48800-3_16

2015-01-01

Abstract:Iterated Even-Mansour scheme (IEM) is a generalization of the basic 1-round proposal (ASIACRYPT '91). The scheme can use one key, two keys, or completely independent keys.Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two relatively independent keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time.This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double independent round-keys:IDEMr((k(1), k(2)), m) = k(i) circle plus (P-r( ... k(1) circle plus P-2(k(2) circle plus P-1(k(1) circle plus m)) ...)),where i = 2 when r is odd, and i = 1 when r is even. As results, this work proves that 15 rounds can achieve (full) indifferentiability from an ideal cipher with O(q(8)/2(n)) security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability (a notion introduced at TCC 2012) with O(q(6)/2(n)) security bound, so that IDEM7 is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/s10623-015-0132-0

2015-01-01

Abstract:Iterated Even–Mansour (IEM) scheme consists of a small number r of fixed n-bit permutations separated by \(r+1\) round-key additions. When the permutations are public, independent and random, and a common round key derived from the master key by an idealized non-invertible key derivation (KD) function is used, 5 rounds was proved sufficient to obtain (full) indifferentiability from ideal ciphers by Andreeva et al. (CRYPTO 2013). The KD can be a random oracle, or a Davies-Meyer construction from a random permutation. This work considers such IEM with non-invertible KD in the sequential indifferentiability model of Mandal et al. (TCC 2012). As results, this work shows that in both cases mentioned before, 3 rounds yields sequential indifferentiability from ideal ciphers. As Andreeva et al. has proved 3-round IEM with idealized invertible key derivations not sequentially indifferentiable (by exhibiting an attack), a definitive separation between IEM with invertible key derivations and IEM with non-invertible key derivations is established. This is the most important implication of the results in this work.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2016.i1.13-32

2016-01-01

Abstract:Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).

Yaobin Shen,Chun Guo,Lei Wang

DOI: https://doi.org/10.13154/tosc.v2020.i1.425-457

2020-01-01

Abstract:We revisit the security of various generalized Feistel networks. Concretely, for unbalanced, alternating, type-1, type-2, and type-3 Feistel networks built from random functions, we substantially improve the coupling analyzes of Hoang and Rogaway (CRYPTO 2010). For a tweakable blockcipher-based generalized Feistelnetwork proposed by Coron et al. (TCC 2010), we present a coupling analysis and for the first time show that with enough rounds, it achieves 2n-bit security, and this provides highly secure, double-length tweakable blockciphers.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9468-y

2018-08-31

Science China Information Sciences

Abstract:Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover’s and Simon’s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover’s and Simon’s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require 20.25nr−0.75n quantum queries to break an r-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of 20.75n. When compared with the best classical attacks, i.e., Dinur et al.’s attacks at CRYPTO 2015, the time complexity is reduced by a factor of 20.5n without incurring any memory cost.

computer science, information systems,engineering, electrical & electronic

Ming Jiang,Lei Wang

DOI: https://doi.org/10.3390/sym13040649

2021-01-01

Symmetry

Abstract:This paper focuses on designing a tweakable block cipher via by tweaking the Key-Alternating Feistel (KAF for short) construction. Very recently Yan et al. published a tweakable KAF construction. It provides a birthday-bound security with 4 rounds and Beyond-Birthday-Bound (BBB for short) security with 10 rounds. Following their work, we further reduce the number of rounds in order to improve the efficiency while preserving the same level of security bound. More specifically, we rigorously prove that 6-round tweakable KAF cipher is BBB- secure. The main technical contribution is presenting a more refined security proof framework, which makes significant efforts to deal with several subtle and complicated sub-events. Note that Yan et al. showed that 4-round KAF provides exactly Birthday-Bound security by a concrete attack. Thus, 6 rounds are (almost) minimal rounds to achieve BBB security for tweakable KAF construction.

Chunfu Jia,Zheli Liu,Jingwei Li,Zongqing Dong,Xiaoying You

DOI: https://doi.org/10.1007/978-3-642-28744-2_83

2012-01-01

Abstract:Format-preserving encryption implies a block cipher which encrypts a plaintext of some specified format into a ciphertext of identical format. In the paper, we make an overview of various types of Feistel networks used in FPE schemes and show that all Feistel networks divide the input into two sub-blocks. Then we present an integer FPE scheme based on type-2 Feistel network which divides the input into k sub-blocks (here k=4) to provide better diffusion and be better immunity to differential cryptanalysis.

Yuying Man,Sihem Mesnager,Nian Li,Xiangyong Zeng,Xiaohu Tang

2023-09-05

Abstract:Substitution boxes (S-boxes) play a significant role in ensuring the resistance of block ciphers against various attacks. The Difference Distribution Table (DDT), the Feistel Boomerang Connectivity Table (FBCT), the Feistel Boomerang Difference Table (FBDT) and the Feistel Boomerang Extended Table (FBET) of a given S-box are crucial tools to analyze its security concerning specific attacks. However, the results on them are rare. In this paper, we investigate the properties of the power function $F(x):=x^{2^{m+1}-1}$ over the finite field $\gf_{2^n}$ of order $2^n$ where $n=2m$ or $n=2m+1$ ($m$ stands for a positive integer). As a consequence, by carrying out certain finer manipulations of solving specific equations over $\gf_{2^n}$, we give explicit values of all entries of the DDT, the FBCT, the FBDT and the FBET of the investigated power functions. From the theoretical point of view, our study pushes further former investigations on differential and Feistel boomerang differential uniformities for a novel power function $F$. From a cryptographic point of view, when considering Feistel block cipher involving $F$, our in-depth analysis helps select $F$ resistant to differential attacks, Feistel differential attacks and Feistel boomerang attacks, respectively.

Information Theory

Kai Zhang,Xuejia Lai,Jie Guan,Bin Hu

DOI: https://doi.org/10.4018/JDM.318452

IF: 2.656

2023-01-01

Journal of Database Management

Abstract:In 2013, a lightweight block cipher SIMON is proposed by NSA. This paper tries to investigate this design criterion in terms of resisting against impossible differential cryptanalysis. On one hand, starting from all the possible rotation constants, this paper sieves those "bad parameters" step by step, for each step, the regular patterns for those "bad parameters" are deduced. Accordingly, basic rules for selecting rotation constants on SIMON-type ciphers to construct shorter longest impossible differentials are proposed. On the other hand, the authors categorize the optimal parameters proposed in CRYPTO 2015, according to these results, some "good parameters" in terms of differential cryptanalysis may be rather "bad parameters" while considering impossible differential cryptanalysis. Finally, a concrete attack on 26-round SIMON(13,0,10) is proposed, which is a suggested SIMON variant in CRYPTO 2015 against differential cryptanalysis and linear cryptanalysis. The result in this paper indicates that it is very important to choose appropriate rotation constants when designing a new block cipher.

Wentan Yi,Shaozhen Chen

DOI: https://doi.org/10.48550/arXiv.1405.6483

2014-05-26

Cryptography and Security

Abstract:Block cipher E2, designed and submitted by Nippon Telegraph and Telephone Corporation, is a first-round Advanced Encryption Standard candidate. It employs a Feistel structure as global structure and two-layer substitution-permutation network structure in round function with initial transformation IT function before the first round and final transformation FT function after the last round. The design principles influences several more recent block ciphers including Camellia, an ISO/IEC standard cipher. In this paper, we focus on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions in consideration with integral cryptanalysis. We first improve the relations between zero-correlation linear approximations and integral distinguishers, and then deduce some integral distinguishers from zero-correlation linear approximations over 6 rounds of E2. Furthermore, we apply these integral distinguishers to break 6-round E2-128 with 2^{120} known plaintexts (KPs), 2^{115.4} encryptions and 2^{28} bytes memory. In addition, the attack on 7-round E2-192 requires 2^{120} KPs, 2^{167.2} encryptions and 2^{60} bytes memory.

Zheng Gong,Xuejia Lai,Kefei Chen

DOI: https://doi.org/10.1007/s10623-008-9208-4

2008-01-01

Abstract:At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is separately analyzed by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.

Rui Zong,Xiaoyang Dong,Huaifeng Chen,Yiyuan Luo,Si Wang,Zheng Li

DOI: https://doi.org/10.46586/tosc.v2021.i1.156-184

2021-01-01

Abstract:When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Yuxuan Lu,Sihem Mesnager,Nian Li,Lisha Wang,Xiangyong Zeng

2024-08-21

Abstract:The Feistel Boomerang Connectivity Table ($\rm{FBCT}$), which is the Feistel version of the Boomerang Connectivity Table ($\rm{BCT}$), plays a vital role in analyzing block ciphers' ability to withstand strong attacks, such as boomerang attacks. However, as of now, only four classes of power functions are known to have explicit values for all entries in their $\rm{FBCT}$. In this paper, we focus on studying the FBCT of the power function $F(x)=x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$, where $n$ is a positive integer. Through certain refined manipulations to solve specific equations over $\mathbb{F}_{2^n}$ and employing binary Kloosterman sums, we determine explicit values for all entries in the $\rm{FBCT}$ of $F(x)$ and further analyze its Feistel boomerang spectrum. Finally, we demonstrate that this power function exhibits the lowest Feistel boomerang uniformity.

Information Theory

Liqing Yu,Yusai Wu,Yu Yu,Zhenfu Cao,Xiaolei Dong

DOI: https://doi.org/10.1007/978-3-031-48615-9_9

2023-01-01

Abstract:This work studies the key-alternating ciphers (KACs) whose round permutations are not necessarily independent. We revisit existing security proofs for key-alternating ciphers with a single permutation (KACSPs), and extend their method to an arbitrary number of rounds. In particular, we propose new techniques that can significantly simplify the proofs, and also remove two unnatural restrictions in the known security bound of 3-round KACSP (Wu et al., Asiacrypt 2020). With these techniques, we prove the first tight security bound for t-round KACSP, which was an open problem. We stress that our techniques apply to all variants of KACs with non-independent round permutations, as well as to the standard KACs.

Kwangsu Lee

DOI: https://doi.org/10.48550/arXiv.1703.08306

2017-03-24

Cryptography and Security

Abstract:A block cipher is a bijective function that transforms a plaintext to a ciphertext. A block cipher is a principle component in a cryptosystem because the security of a cryptosystem depends on the security of a block cipher. A Feistel network is the most widely used method to construct a block cipher. This structure has a property such that it can transform a function to a bijective function. But the previous Feistel network is unsuitable to construct block ciphers that have large input-output size. One way to construct block ciphers with large input-output size is to use an unbalanced Feistel network that is the generalization of a previous Feistel network. There have been little research on unbalanced Feistel networks and previous work was about some particular structures of unbalanced Feistel networks. So previous work didn't provide a theoretical base to construct block ciphers that are secure and efficient using unbalanced Feistel networks. In this thesis, we analyze the minimal number of rounds of pseudo-random permutation generators that use unbalanced Feistel networks. That is, after categorizing unbalanced Feistel networks as source-heavy structures and target-heavy structures, we analyze the minimal number of rounds of pseudo-random permutation generators that use each structure. Therefore, in order to construct a block cipher that is secure and efficient using unbalanced Feistel networks, we should follow the results of this thesis. Additionally, we propose a new unbalanced Feistel network that has some advantages such that it can extend a previous block cipher with small input-output size to a new block cipher with large input-output size. We also analyze the minimum number of rounds of a pseudo-random permutation generator that uses this structure.