Results 1 to 10 of 24
Format-Preserving Encryption
Cited by 20 (7 self)

Abstract. Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the "rank-then-encipher" approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
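The rank-then-encipher and cycle-walking ideas from this abstract, as an added worked example in Python (this is not code from the paper, and it is not NIST's FF1/FF3-1; the integer Feistel with an HMAC-SHA256 round function, the 16-digit domain, the tweak parameter and the Luhn subset are assumptions chosen for illustration). A 16-digit string is ranked to an integer in [0, 10^16), enciphered by a balanced Feistel network over two 8-digit halves, and cycle-walked until the result is again Luhn-valid, so a valid card number always encrypts to a valid card number:

```python
# Added example (not code from the FPE paper): rank-then-encipher on
# 16-digit strings using a keyed integer Feistel network, then cycle walking
# onto the Luhn-valid subset. Educational construction, not NIST FF1/FF3-1.
import hashlib
import hmac

DIGITS = 16
HALF = DIGITS // 2
HALF_MOD = 10 ** HALF   # each Feistel half is an integer in [0, 10^8)
ROUNDS = 10             # even, so the inverse walks the same schedule backwards


def luhn_valid(s: str) -> bool:
    """Luhn checksum: the non-sparse subset (1 string in 10) we encipher on."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def rank(s: str) -> int:
    """Rank: map a 16-digit string to its index in [0, 10^16)."""
    if len(s) != DIGITS or not s.isdigit():
        raise ValueError("expected exactly %d decimal digits" % DIGITS)
    return int(s)


def unrank(x: int) -> str:
    """Unrank: inverse of rank, keeping leading zeros."""
    return str(x).zfill(DIGITS)


def round_function(key: bytes, tweak: bytes, i: int, r: int) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round index, right half),
    reduced modulo 10^8. The tweak (assumption: e.g. a column name) binds the
    permutation to a context so equal values in different contexts differ."""
    msg = tweak + bytes([i]) + r.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % HALF_MOD


def feistel_encipher(key: bytes, tweak: bytes, x: int) -> int:
    """Balanced Feistel with modular addition on the integer domain [0, 10^16)."""
    left, right = divmod(x, HALF_MOD)
    for i in range(ROUNDS):
        left, right = right, (left + round_function(key, tweak, i, right)) % HALF_MOD
    return left * HALF_MOD + right


def feistel_decipher(key: bytes, tweak: bytes, y: int) -> int:
    """Inverse of feistel_encipher: undo the rounds in reverse order."""
    left, right = divmod(y, HALF_MOD)
    for i in reversed(range(ROUNDS)):
        left, right = (right - round_function(key, tweak, i, left)) % HALF_MOD, left
    return left * HALF_MOD + right


def fpe_encrypt(key: bytes, tweak: bytes, pan: str) -> tuple:
    """Cycle walk: apply the Feistel permutation until the result lands back in
    the Luhn-valid subset. Returns (ciphertext, number of Feistel applications);
    that count is the timing side channel the abstract discusses."""
    if not luhn_valid(pan):
        raise ValueError("plaintext is not in the Luhn-valid domain")
    x = rank(pan)
    walks = 0
    while True:
        x = feistel_encipher(key, tweak, x)
        walks += 1
        if luhn_valid(unrank(x)):
            return unrank(x), walks


def fpe_decrypt(key: bytes, tweak: bytes, ct: str) -> str:
    """Inverse cycle walk: apply the inverse permutation until Luhn-valid.
    Every intermediate point of the forward walk was outside the subset, so the
    first valid point reached going backwards is the original plaintext."""
    if not luhn_valid(ct):
        raise ValueError("ciphertext is not in the Luhn-valid domain")
    x = rank(ct)
    while True:
        x = feistel_decipher(key, tweak, x)
        if luhn_valid(unrank(x)):
            return unrank(x)


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key, not for production").digest()  # constructed
    pan = "4111111111111111"  # constructed Luhn-valid test number
    ct, walks = fpe_encrypt(key, b"card_number", pan)
    print(pan, "->", ct, "after", walks, "Feistel application(s)")
    assert fpe_decrypt(key, b"card_number", ct) == pan
```

Since one string in ten is Luhn-valid, the walk count is geometric with mean 10, and the observed count depends on the key and plaintext; that is the timing information the abstract argues is harmless to leak. The number of rounds and the round function here are illustrative choices, not the paper's proven parameters.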
Feistel networks made public, and applications
 Advances in Cryptology – EUROCRYPT ’07. LNCS
, 2007
Cited by 3 (0 self)

Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method of designing "cryptographically strong" permutations from corresponding "cryptographically strong" functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed. On a positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a superlogarithmic number of Feistel rounds is necessary and sufficient to guarantee security. This partially explains why practical block ciphers use
Security Analysis of the GFN-LFSR Structure and Four-Cell Block Cipher
Cited by 2 (0 self)

Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include the Feistel structure, SP structure, MISTY structure, LM structure and Generalized Feistel structure. In [29], Choy et al. proposed a new structure called GFN-LFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GFN-LFSR. In this paper, we first study properties of the n-cell GFN-LFSR structure, and prove that for an n-cell GFN-LFSR, there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with the differential cryptanalysis technique. The data complexity of our attack is 2^111.5 and the time complexity is less than 2^123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.
On Tweaking Luby-Rackoff Blockciphers
 In Advances in Cryptology – ASIACRYPT
, 2007
Cited by 2 (0 self)

Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [13], are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal and for what levels of security? How large of a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.
Proving the security of AES substitution-permutation network
 Selected Areas in Cryptography, SAC 05, volume 3897 of LNCS
, 2006
Cited by 2 (2 self)

Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.
New Integrated proof method on Iterated Hash Structure and New Structures
, 2006
Cited by 2 (1 self)

A secure hash structure in the Random Oracle Model may not be a secure model in a true design. In this paper, we give an integrated proof method for the security proof of iterated hash structures. Based on the proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3C hash, know the requirements a true design places on the compression function, and give a new recommended structure. At last, we give a new hash structure, MAC structure and encryption model which use the same block cipher round function and key schedule algorithm; the security proofs for those structures are given.
Luby-Rackoff ciphers from weak round functions
 In EUROCRYPT
, 2006
Cited by 2 (1 self)

Abstract. The Feistel network is a popular structure underlying many blockciphers where the cipher is constructed from many simpler rounds, each defined by some function which is derived from the secret key. Luby and Rackoff showed that the three-round Feistel network – each round instantiated with a pseudorandom function secure against adaptive chosen plaintext attacks (CPA) – is a CPA secure pseudorandom permutation, thus giving some confidence in the soundness of using a Feistel network to design blockciphers. But the round functions used in actual blockciphers are – for efficiency reasons – far from being pseudorandom. We investigate the security of the Feistel network against CPA distinguishers when the only security guarantee we have for the round functions is that they are secure against non-adaptive chosen plaintext attacks (nCPA). We show that in the information-theoretic setting, four rounds with nCPA secure round functions are sufficient (and necessary) to get a CPA secure permutation. Unfortunately, this result does not translate into the more interesting pseudorandom setting. In fact, under the so-called Inverse Decisional Diffie-Hellman assumption the Feistel network with four rounds, each instantiated with an nCPA secure pseudorandom function, is in general not a CPA secure pseudorandom permutation.
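Why the round count matters in the Luby-Rackoff abstract above, and in the Dodis-Puniya abstract on Feistel networks earlier on this page, can be seen with a two-query chosen-plaintext distinguisher. The Python below is an added example, not code from either paper: a balanced Feistel network whose round function is HMAC-SHA256 (a PRF, an assumption standing in for the abstract's pseudorandom round functions) on 64-bit halves, plus the textbook test that tells a two-round Feistel network apart from a random permutation. Two plaintexts that share a right half produce left ciphertext halves whose XOR equals the XOR of the plaintext left halves, whatever the key; at three rounds this relation disappears, which is the threshold the Luby-Rackoff result establishes:

```python
# Added example (not code from either paper): a balanced Feistel network with
# an HMAC-SHA256 round function, and the classic two-query chosen-plaintext
# distinguisher that separates it from a random permutation at two rounds.
import hashlib
import hmac

HALF = 8  # bytes per half: 128-bit block, 64-bit halves


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, i: int, half: bytes) -> bytes:
    """Round i's function: HMAC-SHA256 keyed by `key`, domain-separated by i,
    truncated to one half. Assumption: this plays the role of a PRF."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def feistel_encrypt(key: bytes, block: bytes, rounds: int) -> bytes:
    """(L, R) -> (R, L xor F_i(R)) repeated `rounds` times."""
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, xor(left, round_function(key, i, right))
    return left + right


def feistel_decrypt(key: bytes, block: bytes, rounds: int) -> bytes:
    """Undo the rounds in reverse order; only F's inputs are needed, never F^-1."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = xor(right, round_function(key, i, left)), left
    return left + right


def two_round_distinguisher(encrypt) -> bool:
    """Two chosen plaintexts sharing their right half R. In a 2-round Feistel the
    left ciphertext half is L xor F_0(R), so the two left halves XOR to
    L1 xor L2 regardless of the key. A random permutation satisfies this with
    probability 2^-64. Returns True when the oracle behaves like 2-round Feistel."""
    right = b"\x00" * HALF
    left1, left2 = b"\x01" * HALF, b"\x02" * HALF   # constructed queries
    c1 = encrypt(left1 + right)
    c2 = encrypt(left2 + right)
    return xor(c1[:HALF], c2[:HALF]) == xor(left1, left2)


def distinguisher_succeeds(key: bytes, rounds: int) -> bool:
    """Run the distinguisher against an r-round Feistel oracle under `key`."""
    return two_round_distinguisher(lambda p: feistel_encrypt(key, p, rounds))


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key, not for production").digest()  # constructed
    for rounds in (1, 2, 3, 4):
        print(rounds, "round(s): distinguisher fires =", distinguisher_succeeds(key, rounds))
```

The distinguisher needs no knowledge of the key or the round function, which is the point of the abstracts' "constant number of rounds is insufficient" remarks: the structure itself leaks at two rounds. Three rounds stop this particular test, but the Luby-Rackoff bound assumes pseudorandom round functions; the abstract above shows that with merely nCPA-secure round functions even four rounds are not enough in the computational setting, and the Dodis-Puniya abstract shows that once round values are public or round functions are only unpredictable, a superlogarithmic number of rounds is needed.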
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
 ASIACRYPT'07
, 2007
Cited by 2 (0 self)

Unbalanced Feistel schemes with expanding functions are used to construct pseudorandom permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F^d_k, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the result of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudorandom permutations, generic attacks on encryption schemes, block ciphers.
FastPRP: Fast pseudorandom permutations for small domains. Cryptology ePrint Report 2012/254
Cited by 2 (0 self)

We propose a novel small-domain pseudorandom permutation, also referred to as a small-domain cipher or small-domain (deterministic) encryption. We prove that our construction achieves "strong security", i.e., is indistinguishable from a random permutation even when an adversary has observed all possible input-output pairs. More importantly, our construction is 1,000 to 8,000 times faster in most realistic scenarios, in comparison with the best known construction (also achieving strong security). Our implementation leverages the extended instruction sets of modern processors; and we also introduce a smart caching strategy to freely tune the trade-off between time and space.
Beyond-birthday-bound security based on tweakable block cipher
 In FSE
Cited by 2 (0 self)

Abstract. This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2^{n/2} queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks, if the underlying tweakable block cipher is also secure against birthday attacks. We also study how to build such tweakable block ciphers from ordinary block ciphers, which may