Results 1-10 of 33
Format-Preserving Encryption
Cited by 32 (8 self)
Abstract. Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
Beyond-birthday-bound security based on tweakable block cipher
In FSE
Cited by 11 (0 self)
Abstract. This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2^{n/2} queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks, if underlying tweakable block cipher is also secure against birthday attacks. We also study how to build such tweakable block ciphers from ordinary block ciphers, which may
Generic Key Recovery Attack on Feistel Scheme
Advances in Cryptology – ASIACRYPT 2013, 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part I. Lecture Notes in Computer Science, 2013
Cited by 7 (1 self)
Abstract. We propose new generic key recovery attacks on Feistel-type block ciphers. The proposed attack is based on the all subkeys recovery approach presented in SAC 2012, which determines all subkeys instead of the master key. This enables us to construct a key recovery attack without taking into account a key scheduling function. With our advanced techniques, we apply several key recovery attacks to Feistel-type block ciphers. For instance, we show 8-, 9- and 11-round key recovery attacks on n-bit Feistel ciphers with 2n-bit key employing random keyed F-functions, random F-functions, and SP-type F-functions, respectively. Moreover, thanks to the meet-in-the-middle approach, our attack leads to low-data complexity. To demonstrate the usefulness of our approach, we show a key recovery attack on the 8-round reduced CAST-128, which is the best attack with respect to the number of attacked rounds. Since our approach derives the lower bounds on the numbers of rounds to be secure under the single secret key setting, it can be considered that we unveil the limitation of designing an efficient block cipher by a Feistel scheme such as a low-latency cipher.
On Tweaking Luby-Rackoff Blockciphers
In Advances in Cryptology – ASIACRYPT, 2007
Cited by 6 (0 self)
Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [13], are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal and for what levels of security? How large of a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.
Domain Extension for MACs Beyond the Birthday Barrier. Eurocrypt 2011. Full version of this paper available at http://people.csail.mit.edu/dodis/ps/optimalmac.pdf
Cited by 6 (0 self)
Given an n-bit to n-bit MAC (e.g., a fixed-key blockcipher) with MAC security ε against q queries, we design a variable-length MAC achieving MAC security O(εq·poly(n)) against queries of total length qn. In particular, our construction is the first to break the “birthday barrier” for MAC domain extension from non-compressing primitives, since our security bound is meaningful even for q = 2^n/poly(n) (assuming ε is the best possible O(1/2^n)). In contrast, the previous best construction for MAC domain extension for n-bit to n-bit primitives, due to Dodis and Steinberger [13], achieved MAC security of O(εq^2 (log q)^2), which means that q cannot cross the “birthday bound” of 2^{n/2}.
Towards Understanding the Known-Key Security of Block Ciphers
Cited by 5 (0 self)
Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions as well as propose new generic known-key attacks on generalized Feistel ciphers. We introduce the notion of known-key indifferentiability to capture the security of such block ciphers under a known key. To show its meaningfulness, we prove that the known-key attacks on block ciphers with ideal primitives to date violate security under known-key indifferentiability. On the other hand, to demonstrate its constructiveness, we prove the balanced Feistel cipher with random functions and the multiple Even-Mansour cipher with random permutations known-key indifferentiable for a sufficient number of rounds. We note that known-key indifferentiability is more quickly and tightly attained by multiple Even-Mansour which puts it forward as a construction provably secure against known-key attacks.
Robust authenticated-encryption: AEZ and the problem that it solves
2014
Cited by 4 (3 self)
Abstract. With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that’s λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call accelerated provable security: the scheme is designed and proven secure in the provable-security tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive. Keywords: AEZ, arbitrary-input blockciphers, authenticated encryption, robust AE, misuse resistance,
FastPRP: Fast pseudorandom permutations for small domains. Cryptology ePrint Report 2012/254
Cited by 4 (1 self)
We propose a novel small-domain pseudorandom permutation, also referred to as a small-domain cipher or small-domain (deterministic) encryption. We prove that our construction achieves “strong security”, i.e., is indistinguishable from a random permutation even when an adversary has observed all possible input-output pairs. More importantly, our construction is 1,000 to 8,000 times faster in most realistic scenarios, in comparison with the best known construction (also achieving strong security). Our implementation leverages the extended instruction sets of modern processors; and we also introduce a smart caching strategy to freely tune the tradeoff between time and space.
Security Analysis of the GF-NLFSR Structure and Four-Cell Block Cipher
Cited by 3 (0 self)
Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include Feistel structure, SP structure, MISTY structure, LM structure and Generalized Feistel structure. In [29], Choy et al. proposed a new structure called GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GF-NLFSR. In this paper, we first study properties of the n-cell GF-NLFSR structure, and prove that for an n-cell GF-NLFSR, there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with differential cryptanalysis technique. The data complexity of our attack is 2^{111.5} and the time complexity is less than 2^{123.5} encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.
Feistel networks made public, and applications
Advances in Cryptology – EUROCRYPT ’07. LNCS, 2007
Cited by 3 (0 self)
Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method of designing “cryptographically strong” permutations from corresponding “cryptographically strong” functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff’s result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed. On a positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a super-logarithmic number of Feistel rounds is necessary and sufficient to guarantee security. This partially explains why practical block ciphers use