Security Analysis of Key-Alternating Feistel Ciphers
Rodolphe Lampe and Yannick Seurin
University of Versailles and ANSSI
4th March 2014 - FSE 2014
Lampe & Seurin (Versailles & ANSSI)
Key-Alternating Feistel Ciphers
FSE 2014
Key-Alternating Ciphers (aka iterated Even-Mansour)
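[Figure: key-alternating cipher: input $x$, round keys $k_0, k_1, \ldots, k_r$ alternating with permutations $P_1, P_2, \ldots, P_r$, output $y$]
- $P_1, \ldots, P_r$ are modeled as public random permutation oracles
- interpretation: gives a guarantee against any adversary which does not use particular properties of the $P_i$'s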
Results on the pseudorandomness of KA ciphers
The following results have been successively obtained for the pseudorandomness of KA ciphers (notation: $N = 2^n$):
- for $r = 1$ round, security up to $O(N^{1/2})$ queries [EM97]
- for $r \ge 2$, security up to $O(N^{2/3})$ queries [BKL+12]
- for $r \ge 3$, security up to $O(N^{3/4})$ queries [Ste12]
- for any even $r$, security up to $O(N^{r/(r+2)})$ queries [LPS12]
- tight result: for $r$ rounds, security up to $O(N^{r/(r+1)})$ queries [CS13]
NB: Results for independent round keys $(k_0, k_1, \ldots, k_r)$
Key-Alternating Feistel Ciphers
[Figure: $r$-round key-alternating Feistel cipher: input $(x_{-1}, x_0)$, round keys $k_0, k_1, \ldots, k_{r-1}$, round functions $F_0, F_1, \ldots, F_{r-1}$, intermediate values $x_1, \ldots, x_{r-1}$, output $(x_{r-1}, x_r)$]
- functions $F_i$ are public random oracles
- different from the Luby-Rackoff setting (where the $F_i$'s are pseudorandom)
KAF ciphers as a special type of Key-Alternating ciphers
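[Figure: two KAF rounds with round keys $k_i$, $k_{i+1}$ and round functions $F_i$, $F_{i+1}$, redrawn as a two-round un-keyed Feistel network ($F_i$, $F_{i+1}$) placed between two key additions using $k_i$ and $k_{i+1}$]
Two rounds of a KAF cipher are equivalent to a 1-round KA cipher where the permutation is a two-round (un-keyed) Feistel cipher with public random functions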
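The equivalence stated on this slide can be checked mechanically. The Python below is an added example, not code from the talk: the 16-bit half-block, the lazily sampled `RandomOracle` class and all function names are assumptions of the example. With round $i$ written as $(L, R) \mapsto (R, L \oplus F_i(R \oplus k_i))$, the whitening key of the 1-round KA cipher works out to $(k_{i+1}, k_i)$.

```python
import random

N = 16  # half-block size n in bits (demo value, an assumption of this example)

class RandomOracle:
    """Public random function F_i on n-bit strings, sampled lazily."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N)
        return self.table[x]

def kaf_encrypt(F, keys, left, right):
    """KAF cipher: round i maps (L, R) to (R, L xor F_i(R xor k_i))."""
    for f, k in zip(F, keys):
        left, right = right, left ^ f(right ^ k)
    return left, right

def kaf_decrypt(F, keys, left, right):
    """Inverse of kaf_encrypt: undo the rounds in reverse order."""
    for f, k in zip(reversed(F), reversed(keys)):
        left, right = right ^ f(left ^ k), left
    return left, right

def feistel_unkeyed(F, left, right):
    """Public permutation P: the same Feistel rounds with no key material."""
    return kaf_encrypt(F, [0] * len(F), left, right)

def ka_one_round(F, k_i, k_next, left, right):
    """1-round KA (Even-Mansour) cipher K xor P(K xor x), where P is the
    two-round un-keyed Feistel and K = (k_{i+1}, k_i) on the two halves."""
    l, r = feistel_unkeyed(F, left ^ k_next, right ^ k_i)
    return l ^ k_next, r ^ k_i

def check_equivalence(trials=1000, seed=2014):
    """Compare two KAF rounds with the 1-round KA cipher on random inputs."""
    rng = random.Random(seed)
    F = [RandomOracle(rng), RandomOracle(rng)]
    for _ in range(trials):
        k_i, k_next, l, r = (rng.getrandbits(N) for _ in range(4))
        c = kaf_encrypt(F, [k_i, k_next], l, r)
        if c != ka_one_round(F, k_i, k_next, l, r):
            return False
        if kaf_decrypt(F, [k_i, k_next], *c) != (l, r):
            return False
    return True

if __name__ == "__main__":
    print("two KAF rounds == 1-round KA cipher:", check_equivalence())
```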
Results
previous results: Gentry and Ramzan [GR04]: secure up to $N^{1/2}$ queries for $r = 4$ rounds
our results: secure up to $N^{t/(t+1)}$ queries where
- $t = \lfloor r/3 \rfloor$ for NCPA attacks
- $t = \lfloor r/6 \rfloor$ for CCA attacks
improved results in the Luby-Rackoff setting: security up to $N^{t/(t+1)}$ queries where
- $t = \lfloor r/2 \rfloor$ for NCPA attacks
- $t = \lfloor r/4 \rfloor$ for CCA attacks
Intuition of the proof
[Figure: the queries $(x_{-1}^1, x_0^1), (x_{-1}^2, x_0^2), \ldots, (x_{-1}^{\ell+1}, x_0^{\ell+1})$ drawn side by side, each going through the $r$ rounds of the KAF cipher (round keys $k_0, \ldots, k_{r-1}$, round functions $F_0, \ldots, F_{r-1}$) to outputs $(x_{r-1}^i, x_r^i)$]
- $[x_{r-1}^{\ell+1}, x_r^{\ell+1}]$ uniformly random?
- what can go wrong? collisions!
- what can go right? 2 consecutive rounds without collisions
Technique
Proof using the coupling technique
main problem: given $\ell$ queries, upper bound the probability that, for every two consecutive rounds, the $(\ell+1)$-th query collides in (at least) one of the two rounds.
$A_i$ = event that the $\ell$-th query collides with previous queries at round $i$; we want to upper bound
$$\Pr\left[(A_1 \cup A_2) \cap (A_2 \cup A_3) \cap \cdots \cap (A_{r-2} \cup A_{r-1}) \cap (A_{r-1} \cup A_r)\right]$$
The Coupling technique
[Figure: two coins. First coin: head with probability 1/2, tail with probability 1/2. Second coin: head with probability 3/5, tail with probability 2/5.]
Adv = Statistical distance = 3/5 − 1/2 = 1/10
[Figure: probability tree coupling the two coins. The first coin gives head or tail with probability 1/2 each. After head, the second coin is head with probability 1 and tail with probability 0; after tail, it is head with probability 1/5 and tail with probability 4/5.]
- head/head: 1/2
- head/tail: 0
- tail/head: 1/10
- tail/tail: 2/5
The Coupling technique
random variables:          X    Y
probability distributions: µ    ν
The Coupling lemma: $\|\mu - \nu\| \le \Pr[X \ne Y]$
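The coin coupling and the coupling lemma from the slides above, worked through in exact arithmetic. This is an added example, not material from the talk, and its function names are the example's own. It goes beyond the two coins by building the maximal coupling for any two finite distributions, and contrasts it with the independent coupling, which also satisfies the lemma but gives a much weaker bound.

```python
from fractions import Fraction as Fr

def statistical_distance(mu, nu):
    """||mu - nu|| = 1/2 * sum over outcomes z of |mu(z) - nu(z)|."""
    return sum(abs(mu.get(z, 0) - nu.get(z, 0)) for z in set(mu) | set(nu)) / 2

def maximal_coupling(mu, nu):
    """Joint law of (X, Y) with X ~ mu, Y ~ nu that maximises Pr[X = Y]."""
    outcomes = sorted(set(mu) | set(nu))
    # Put the shared mass min(mu(z), nu(z)) on the diagonal X = Y = z.
    joint = {(z, z): min(mu.get(z, 0), nu.get(z, 0)) for z in outcomes}
    # The mass left over on each side sums to ||mu - nu||.
    extra_x = {z: mu.get(z, 0) - joint[(z, z)] for z in outcomes}
    extra_y = {z: nu.get(z, 0) - joint[(z, z)] for z in outcomes}
    d = sum(extra_x.values())
    for x, a in extra_x.items():
        for y, b in extra_y.items():
            if a and b:  # leftover supports are disjoint, so x != y here
                joint[(x, y)] = a * b / d
    return {xy: p for xy, p in joint.items() if p}

def independent_coupling(mu, nu):
    """A valid but wasteful coupling: X and Y sampled independently."""
    return {(x, y): a * b for x, a in mu.items() for y, b in nu.items()}

def marginals(joint):
    """Distributions of X and of Y recovered from the joint law."""
    mx, my = {}, {}
    for (x, y), p in joint.items():
        mx[x] = mx.get(x, 0) + p
        my[y] = my.get(y, 0) + p
    return mx, my

def pr_differ(joint):
    """Pr[X != Y] under the joint law: the right-hand side of the lemma."""
    return sum(p for (x, y), p in joint.items() if x != y)

# The two coins from the slides: X is the fair coin, Y the biased one.
FAIR = {"head": Fr(1, 2), "tail": Fr(1, 2)}
BIASED = {"head": Fr(3, 5), "tail": Fr(2, 5)}

if __name__ == "__main__":
    best = maximal_coupling(FAIR, BIASED)
    indep = independent_coupling(FAIR, BIASED)
    print("statistical distance:", statistical_distance(FAIR, BIASED))
    print("maximal coupling    :", best, "Pr[X != Y] =", pr_differ(best))
    print("independent coupling: Pr[X != Y] =", pr_differ(indep))
```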
The Coupling Technique for the KAF
[Figure: two copies of the $r$-round KAF cipher side by side, both with round keys $k_0, \ldots, k_{r-1}$. Ideal World: input $(u_{-1}^{\ell+1}, u_0^{\ell+1})$, round functions $F'_0, \ldots, F'_{r-1}$, output $(u_{r-1}^{\ell+1}, u_r^{\ell+1})$, labelled "Uniformly Random" at the input and at the output. Real World: input $(x_{-1}^{\ell+1}, x_0^{\ell+1})$, round functions $F_0, \ldots, F_{r-1}$, output $(x_{r-1}^{\ell+1}, x_r^{\ell+1})$.]
Overlay annotations on rounds $r-2$ and $r-1$: both free? impose equality; equal
Advantage
$q_e$: number of queries to the cipher
$q_f$: number of queries to the round functions
$$\mathbf{Adv}^{\mathrm{ncpa}}_{\mathrm{KAF}[n,r]}(q_e, q_f) \le \frac{4^t}{t+1}\,\frac{(q_e + 2q_f)^{t+1}}{2^{tn}} \quad \text{with } t = \left\lfloor \frac{r}{3} \right\rfloor.$$
$$\mathbf{Adv}^{\mathrm{cca}}_{\mathrm{KAF}[n,2r']}(q_e, q_f) \le 4 \left( \frac{4^t}{t+1}\,\frac{(q_e + 2q_f)^{t+1}}{2^{tn}} \right)^{1/2} \quad \text{with } t = \left\lfloor \frac{r'}{3} \right\rfloor.$$
The end...
Thanks for your attention! Comments or questions?
References
[BKL+12] Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, François-Xavier Standaert, John P. Steinberger, and Elmar Tischhauser. Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations - (Extended Abstract). In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 45–62. Springer, 2012.
[CS13] Shan Chen and John P. Steinberger. Tight security bounds for key-alternating ciphers. IACR Cryptology ePrint Archive, 2013:222, 2013.
[EM97] Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology, 10(3):151–162, 1997.
[GR04] Craig Gentry and Zulfikar Ramzan. Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 32–47. Springer, 2004.
[LPS12] Rodolphe Lampe, Jacques Patarin, and Yannick Seurin. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 278–295. Springer, 2012.
[Ste12] John Steinberger. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, Report 2012/481, 2012. Available at http://eprint.iacr.org/2012/481.