$$\Pr[S_k = S_l] = \begin{cases} 0 & R_k = R_l \\ \frac{1}{|M_1|} & R_k \neq R_l \end{cases}
\qquad
\Pr[T_k = T_l] = \begin{cases} 0 & U_k = U_l \\ \frac{1}{|M_2|} & U_k \neq U_l \end{cases}$$
Therefore, $\Pr[S_k = S_l] \le \frac{1}{|M_1|}$, $\Pr[T_k = T_l] \le \frac{1}{|M_2|}$, and from Theorem 2.2.3
$$\begin{aligned}
\mathrm{Adv}_C^{ACPCA(d)}(\Psi[F_1^*, F_2^*, F_3^*, F_4^*]) &\le 1 - \Pr[\forall k \neq l : S_k \neq S_l \wedge T_k \neq T_l] \\
&= \Pr[\exists k \neq l : S_k = S_l \vee T_k = T_l] \\
&\le \Pr[\exists k \neq l : S_k = S_l] + \Pr[\exists k \neq l : T_k = T_l] \\
&\le \binom{d}{2} \frac{1}{|M_1|} + \binom{d}{2} \frac{1}{|M_2|} \\
&\le \frac{d^2}{\min\{|M_1|, |M_2|\}}
\end{aligned}$$
Note that adding a new round (even a weak one) between the second and third round cannot increase the advantage, because the proof does not depend on what happens between these two rounds.
Corollary 3.8.5 Let $F_1^*, F_2^*, F_3^*, F_4^*$ be four independent perfect random functions, $F_1^*$ and $F_3^*$ from a set $M_2$ to a set $M_1$ and $F_2^*$ and $F_4^*$ from $M_1$ to $M_2$, $\Psi[F_1^*, F_2^*, F_3^*, F_4^*]$ a 4-round UFN on $M = M_1 \times M_2$, and $d$ an integer. Then
$$\mathrm{Dec}_C^{d,\,\|\cdot\|_s}(\Psi[F_1^*, F_2^*, F_3^*, F_4^*]) \le \frac{2 d^2}{\min\{|M_1|, |M_2|\}}$$
Corollary 3.8.6 Let $F_1, \ldots, F_r$ be $r \ge 4$ independent random functions such that $\mathrm{Adv}_F^{ACPCA(d)}(F_i) \le \varepsilon$, and $d$ be an integer. Then
$$\mathrm{Adv}_C^{ACPCA(d)}(\Psi[F_1, \ldots, F_r]) \le \frac{1}{2}\left(2\left(4\varepsilon + \frac{d^2}{\min\{|M_1|, |M_2|\}}\right)\right)^{\lfloor r/4 \rfloor}$$
Proof: Follows from Theorems 2.4.4 and 2.4.2, and from the note at the end of the proof of Theorem 3.8.4.
3.9 Summary
In this chapter, we studied general types of attacks. For each one we found an associated matrix norm $\|\cdot\|$, and showed that the advantage between two functions (permutations) $F_1, F_2$ is
$$\mathrm{Adv}^{ATK(d)}(F_1, F_2) = \frac{1}{2}\left\|[F_1]^d - [F_2]^d\right\|.$$
The norm $\|\cdot\|$ is:
• $\|\cdot\|_1$ for the known plaintext attack;
• $|||\cdot|||_\infty$ for the chosen plaintext attack and the chosen ciphertext attack;
• $\|\cdot\|_a$ for the adaptive chosen plaintext attack and the adaptive chosen ciphertext attack;
• $\|\cdot\|_s$ for the adaptive chosen plaintext-ciphertext attack.
From the definition of the norms, it follows that
$$\begin{aligned}
\mathrm{Adv}^{KPA(d)}(F_1, F_2) &\le \mathrm{Adv}^{CPA(d)}(F_1, F_2) \le \mathrm{Adv}^{ACPA(d)}(F_1, F_2) \le \mathrm{Adv}^{ACPCA(d)}(F_1, F_2), \\
\mathrm{Adv}^{KPA(d)}(F_1, F_2) &\le \mathrm{Adv}^{CCA(d)}(F_1, F_2) \le \mathrm{Adv}^{ACCA(d)}(F_1, F_2) \le \mathrm{Adv}^{ACPCA(d)}(F_1, F_2), \\
\mathrm{Adv}^{CPCA(d)}(F_1, F_2) &\le \mathrm{Adv}^{ACPCA(d)}(F_1, F_2).
\end{aligned}$$
The relationship is depicted in the following figure, in which the arrows point from the weaker attacks to the stronger ones, i.e. from the attacks with the lower upper bound on the advantage to those with the higher upper bound.
[Figure: diagram of the attacks KPA, CPA, ACPA, CCA, ACCA, CPCA and ACPCA, with arrows from the weaker attacks to the stronger ones.]
We further examined unbalanced Feistel networks $\Psi[F_1, \ldots, F_r] : M_1 \times M_2 \to M_1 \times M_2$ against these attacks, and showed that
• The 2-round UFNs are secure against known plaintext attack in the random oracle model;
• There is no 2-round UFN secure against chosen plaintext attacks;
• The 3-round UFNs are secure against adaptive chosen plaintext attack in the random oracle model;
• There is no 3-round UFN secure against adaptive chosen plaintext-ciphertext attacks;
• The 4-round UFNs are secure against adaptive chosen plaintext-ciphertext attacks in the random oracle model.
More formally: Let $D_d = \frac{d^2}{\min\{|M_1|, |M_2|\}}$. Then for the $d$-limited known plaintext, adaptive chosen plaintext, and adaptive chosen plaintext-ciphertext attacks,
• $\mathrm{Adv}_C^{KPA(d)}(\Psi[F_1^*, F_2^*]) \le D_d$
• $\mathrm{Adv}_C^{ACPA(d)}(\Psi[F_1^*, F_2^*, F_3^*]) \le D_d$
• $\mathrm{Adv}_C^{ACPCA(d)}(\Psi[F_1^*, F_2^*, F_3^*, F_4^*]) \le D_d$
Note that the bounds are minimal for the balanced Feistel network. Further, security against the particular attack is guaranteed only as long as the attacker disposes of fewer than $d \approx \sqrt{\min\{|M_1|, |M_2|\}}$ plaintext/ciphertext pairs, and then the minimal number of rounds of a UFN is 3 for pseudorandomness and 4 for super-pseudorandomness. However, for the design of a UFN cipher, we usually need to quantify how many rounds it has to have in order to achieve a defined minimal security, or to find out what size of attack the cipher is able to withstand.
Consider now a UFN defined on $\{0,1\}^n = \{0,1\}^m \times \{0,1\}^{n-m}$, with $m \le n/2$, and thus with $\min\{2^m, 2^{n-m}\} = 2^m$. Corollary 3.4.10 implies that in the ideal case, when the primitive functions are perfectly random,
$$\mathrm{Adv}_C^{ACPA(d)}(\Psi[F_1^*, \ldots, F_{3k}^*]) \le \frac{1}{2}\left(\frac{2 d^2}{2^m}\right)^k.$$
Hence, in order to achieve pseudorandomness with advantage less than $2^{-l}$, we need
$$k \ge \frac{l - 1}{m - 2\lg d - 1},$$
and thus at least $3\left\lceil \frac{l-1}{m - 2\lg d - 1} \right\rceil$ rounds, or we have to bound the size of the attack to
$$d \le 2^{\frac{\lfloor r/3 \rfloor (m-1) - l + 1}{2k}}, \qquad k = \lfloor r/3 \rfloor,$$
for an $r$-round UFN.
Similarly, for super-pseudorandomness, if we want to achieve advantage smaller than $2^{-l}$, we need at least $4\left\lceil \frac{l-1}{m - 2\lg d - 1} \right\rceil$ rounds, or to bound the size of the attack to $d \le 2^{\frac{k(m-1) - l + 1}{2k}}$ for a $4k$-round UFN.
Evaluating the minimal number of rounds involves two parameters: the maximal size of the attack ($d$), and the upper bound on the advantage.
The size of the attack is certainly limited by $2^n$, because that is the number of plaintext/ciphertext pairs, and thus with $d = 2^n$ the attacker already has all plaintext/ciphertext pairs and does not need to attack the cipher at all. However, in the calculation of the advantage we required $d < 2^{(m-1)/2}$, but even this upper bound may be considered unrealistic, since an attacker is usually able to get only a few plaintext/ciphertext pairs. Note that we require plaintext/ciphertext pairs encrypted with the right key, not arbitrary pairs, which can be easily obtained whenever the encryption algorithm is known, as is the accepted rule known as Kerckhoffs's principle. To obtain many plaintext/ciphertext pairs encrypted with the right key would probably mean access to the encryption device together with the key for quite a long time, which is a security problem beyond the framework of this work. Therefore, we can consider $d$ to be small.
On the other hand, the advantage expresses the probability that an attacker can distinguish a cipher from a perfectly random output. It can be seen as the amount of computation necessary to distinguish between them.
Thus, whenever $n$ is considered to be an appropriate block length, i.e. when an exhaustive search of size $2^n$ is deemed infeasible, $2^{-n}$ can be considered an appropriate value of the advantage for a cipher of size $n$ bits [17]. Applying this to UFNs, we get
$$k \ge \frac{n - 1}{m - 1 - 2\lg d}. \qquad (3.2)$$
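The round-count and attack-size formulas of this section, worked through in code. This is an added example, not code from the thesis; it takes the ideal-case bound $\frac{1}{2}(2d^2/2^m)^k$ exactly as quoted above (so the same expression with $k = \lfloor r/4 \rfloor$ is the $\varepsilon = 0$ case of Corollary 3.8.6), uses floating-point $\lg$, and the balanced 64-bit instance $n = 64$, $m = 32$, $d = 2^{10}$, $l = n$ is a constructed input chosen for illustration.

```python
from math import ceil, floor, log2


def acpa_bound(m, d, k):
    """Ideal-case bound (1/2) * (2 d^2 / 2^m)^k on the d-limited ACPA advantage
    of a 3k-round UFN on {0,1}^m x {0,1}^(n-m) with m <= n/2, as quoted from
    Corollary 3.4.10.  With k = floor(r/4) it is also the ACPCA bound of
    Corollary 3.8.6 for perfect round functions (epsilon = 0)."""
    return 0.5 * (2 * d ** 2 / 2 ** m) ** k


def blocks_needed(m, d, l):
    """Smallest integer k with k >= (l - 1) / (m - 2 lg d - 1): the number of
    3-round (or 4-round) building blocks needed for an advantage below 2^-l."""
    denom = m - 2 * log2(d) - 1
    if denom <= 0:
        # Beyond this point the bound is trivial: the text requires d < 2^((m-1)/2).
        raise ValueError("attack too large for the bound: need d < 2^((m-1)/2)")
    return ceil((l - 1) / denom)


def rounds_needed(m, d, l, super_pseudorandom=False):
    """3 * ceil(...) rounds for pseudorandomness, 4 * ceil(...) for
    super-pseudorandomness."""
    return (4 if super_pseudorandom else 3) * blocks_needed(m, d, l)


def max_attack_size(r, m, l, super_pseudorandom=False):
    """Largest d with d <= 2^((k(m-1) - l + 1) / (2k)), where k = floor(r/3)
    (pseudorandomness) or k = floor(r/4) (super-pseudorandomness)."""
    k = r // (4 if super_pseudorandom else 3)
    if k == 0:
        raise ValueError("too few rounds for a single block")
    return floor(2 ** ((k * (m - 1) - l + 1) / (2 * k)))


def block_cipher_design(n, m, d):
    """Apply (3.2): take the advantage target 2^-n for an n-bit block and report
    the rounds required together with the bound actually reached."""
    k = blocks_needed(m, d, n)
    return {
        "rounds": 3 * k,
        "super_rounds": 4 * k,
        "bound_at_rounds": acpa_bound(m, d, k),
        "target": 2.0 ** -n,
    }


if __name__ == "__main__":
    # Constructed instance: balanced 64-bit UFN, attacker holding 2^10 pairs.
    design = block_cipher_design(n=64, m=32, d=2 ** 10)
    print(design)  # 18 rounds (24 for super-pseudorandomness), bound 2^-67 < 2^-64
    print("max d for 18 rounds at target 2^-64:", max_attack_size(18, 32, 64))
```

The last line shows the other direction of the trade-off: fixing the rounds at 18 gives the largest attack size the bound still tolerates, and one round-block more is needed as soon as $d$ exceeds it.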
Composed Attacks
In the previous chapter we showed under which conditions a cipher may withstand different types of attacks.
It is natural to ask whether some combination of these attacks can lead to a more efficient attack against the cipher. This chapter gives some answers to this question. First, we examine the case when an attacker has a simple chosen plaintext attack and repeats it many times in order to get a better advantage. This kind of attack is called an iterated attack. Differential and linear cryptanalysis ([4], [15]) happen to fall into this class of attacks, and because of their popularity, we focus on them separately. Then we examine combined attacks, which make use of several distinct attacks with the same goal to build a stronger attack, and give upper bounds on their advantage. Here we consider the average advantage of the attacks. Although a small average advantage does not exclude the possibility of weak keys in a particular cipher, it shows that the attack does not work on average, which implies that the fraction of weak keys is negligible.
4.1 Basic Differential Cryptanalysis
Although differential cryptanalysis was invented by Eli Biham and Adi Shamir [4] in order to recover the encryption key of a cipher, we study here its distinguishing variant, which exploits the underlying idea of differential cryptanalysis. In our notion, the basic differential cryptanalysis is the $2d$-limited distinguisher with a characteristic $(a, b) \in M^+ \times M$ between a cipher $C$ and a perfect cipher $C^*$, both defined on $M = \{0,1\}^m$, working as follows:
DISTINGUISHER 4.1 (DCA): $2d$-limited basic differential cryptanalysis distinguisher [21]
1. For $k = 1$ to $d$ do
 1.1 Choose a random plaintext message $x_k$.
 1.2 Query the oracle with $x_k$ and $x'_k = x_k + a$, and get $y_k = \tilde{C}(x_k)$ and $y'_k = \tilde{C}(x'_k)$, where $\tilde{C}$ is either $C$ or $C^*$.
 1.3 If $\tilde{C}(x_k + a) = \tilde{C}(x_k) + b$, stop and output "accept".
2. Output "reject".
Differential cryptanalysis depends on the following probability [21]:
$$DP^C[a, b](x) = \Pr[C(x + a) = C(x) + b]$$
where $x$ has the uniform distribution over all plaintext messages. The probability of success in one round is
$$\begin{aligned}
DP^C[a, b] = E(DP^C[a, b](x)) &= \sum_x \Pr[x] \cdot \Pr[C(x + a) = C(x) + b] \\
&= \frac{1}{|M|} \sum_x \Pr[C(x + a) = C(x) + b] \\
&= \frac{1}{|M|} \sum_x \sum_y \Pr[C(x) = y \wedge C(x + a) = y + b] \\
&= \frac{1}{|M|} \sum_x \sum_y [C]^2_{(x, x+a), (y, y+b)}.
\end{aligned}$$
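Distinguisher 4.1 and the $DP^C[a,b]$ derivation above, implemented for a case small enough to compute exactly. This is an added example, not code from the thesis or from [21]; the 3-bit S-box, the toy cipher family $C_K(x) = S(x + K)$ and the use of XOR as the group operation "$+$" on $M$ are assumptions of the example, and the perfect cipher $C^*$ is realised by enumerating all $8!$ permutations of $M$ so that the probabilities come out exact rather than sampled.

```python
from fractions import Fraction
from itertools import permutations
import random

M_BITS = 3
M = 1 << M_BITS          # |M| = 8; "+" on M is bitwise XOR throughout

# Constructed toy cipher family on M (an assumption of this example, not a
# cipher from the text): C_K(x) = S(x + K) for a fixed 3-bit S-box S, key K in M.
SBOX = [6, 4, 0, 5, 7, 1, 3, 2]


def toy_cipher(key):
    return lambda x: SBOX[x ^ key]


TOY_FAMILY = [toy_cipher(k) for k in range(M)]

# Perfect cipher C*: uniform over all |M|! permutations of M (8! = 40320 here).
PERFECT_FAMILY = [p.__getitem__ for p in permutations(range(M))]


def dp(family, a, b):
    """DP^C[a,b] = (1/|M|) sum_x Pr[C(x+a) = C(x)+b], the probability being over
    the uniform choice of C in the family (i.e. over the key), as in the text."""
    total = Fraction(0)
    for x in range(M):
        hits = sum(1 for c in family if c(x ^ a) == c(x) ^ b)
        total += Fraction(hits, len(family))
    return total / M


def dp_via_pair_matrix(family, a, b):
    """The same quantity through the last line of the derivation:
    (1/|M|) sum_x sum_y [C]^2_{(x,x+a),(y,y+b)}, with [C]^2 the 2-wise
    distribution matrix Pr[C(x)=y and C(x+a)=y+b]."""
    total = Fraction(0)
    for x in range(M):
        for y in range(M):
            joint = sum(1 for c in family if c(x) == y and c(x ^ a) == y ^ b)
            total += Fraction(joint, len(family))
    return total / M


def dca_distinguisher(oracle, a, b, d, rng):
    """Distinguisher 4.1: d random plaintexts x_k, query x_k and x_k + a, and
    accept at the first pair satisfying C~(x_k + a) = C~(x_k) + b."""
    assert a != 0, "the characteristic must have a in M^+"
    for _ in range(d):
        x_k = rng.randrange(M)
        if oracle(x_k ^ a) == oracle(x_k) ^ b:
            return True
    return False


def acceptance_rate(family, a, b, d, trials, seed=0):
    """Empirical acceptance probability when the oracle is a uniformly chosen
    member of `family` (a fresh key per trial)."""
    rng = random.Random(seed)
    accepted = sum(dca_distinguisher(rng.choice(family), a, b, d, rng)
                   for _ in range(trials))
    return accepted / trials


def toy_acceptance_exact(a, b, d):
    """For the toy family every key has the same number of 'good' x (the
    difference-table entry), so each query hits with probability exactly
    DP^C[a,b], independently of the others: p = 1 - (1 - DP)^d."""
    p_hit = dp(TOY_FAMILY, a, b)
    return 1 - (1 - p_hit) ** d


if __name__ == "__main__":
    a, b, d = 1, 2, 3
    print("DP^C[1,2]  =", dp(TOY_FAMILY, a, b))       # 1/4 for the constructed S-box
    print("DP^C*[1,2] =", dp(PERFECT_FAMILY, a, b))   # 1/(|M|-1) = 1/7
    print("exact acceptance on the toy family:", toy_acceptance_exact(a, b, d))
    print("toy / perfect acceptance rates:",
          acceptance_rate(TOY_FAMILY, a, b, d, 2000, 1),
          acceptance_rate(PERFECT_FAMILY, a, b, d, 2000, 1))
```

Because $a \neq 0$, the perfect cipher gives $DP^{C^*}[a,b] = 1/(|M|-1)$ for every $b \neq 0$ and $0$ for $b = 0$, which the enumeration confirms; the gap between that and the toy family's $1/4$ is what the distinguisher's acceptance rates expose.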
Since $a \neq 0$, for a perfect cipher:
The probability that the distinguisher accepts when $C$ is implemented is
p = Σ
For a perfect cipher it gives
$$p^* \le d \cdot DP^{C^*}[a, b] = d$$
Theorem 4.1.1 ([21]) Let $C$ be a cipher on $M$, and $d$ an integer. Then
$$\mathrm{Adv}_C^{DCA(2d)}(C) \le d$$