## Elastic Block Ciphers: Method, Security and Instantiations

### BibTeX

@MISC{Cook_elasticblock,

author = {Debra L. Cook and Moti Yung and Angelos D. Keromytis},

title = {Elastic Block Ciphers: Method, Security and Instantiations},

year = {}

}

### Abstract

We introduce the concept of an elastic block cipher, which refers to stretching the supported block size of a block cipher to any length up to twice the original block size while incurring a computational workload that is proportional to the block size. Our method uses the round function of an existing block cipher as a black box and inserts it into a substitution-permutation network. Our method is designed to enable us to form a reduction between the elastic and the original versions of the cipher. Using this reduction, we prove that the elastic version of a cipher is secure against key-recovery attacks if the original cipher is secure against such attacks. We note that while reduction-based proofs of security are a cornerstone of cryptographic analysis, they are typical when complete components are used as sub-components in a larger design. We are not aware of use of such techniques in the case of concrete block cipher designs. We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1 and RC6. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers.

Key words: elastic block ciphers, variable-length block ciphers, security analysis, reduction proof, key recovery attacks.

### Citations

451 | Linear cryptanalysis method for DES cipher
- Matsui
- 1994
Citation Context ...k. We consider the security of elastic block ciphers against practical attacks. These attacks typically attempt to recover the keys or the round keys of the block cipher; differential [7, 18], linear [20] and exhaustive search methods are instances of such attacks (but other attacks exist [6, 38]). The fact that the round function of the original block cipher is used as a black box in the elastic vers... |

353 | Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
Citation Context ...ext-to-last block. We consider the security of elastic block ciphers against practical attacks. These attacks typically attempt to recover the keys or the round keys of the block cipher; differential [7, 18], linear [20] and exhaustive search methods are instances of such attacks (but other attacks exist [6, 38]). The fact that the round function of the original block cipher is used as a black box in the... |

299 | How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988
Citation Context ...rvey of proof techniques in this area, see [37]:Chapter 4) and are more common in generic designs based on strong assumptions on the components (e.g., a component is a random or pseudorandom function [19]). We prove that the elastic version of a block cipher is secure against attacks that attempt to recover key bits if the original, fixed-length version of the cipher is secure against such attacks. Ou... |

254 | The Design of Rijndael: AES — The Advanced Encryption Standard (Information Security and Cryptography)
- Daemen, Rijmen
- 2002
Citation Context ...ook a “less ambitious” approach focused on avoiding symmetry between rounds and attacks due to related keys because “All other attacks are supposed to be prevented by the rounds of the block cipher.” [14], page 77. In Camellia, there is a large overlap amongst the round keys. In MISTY1, the same expanded key bits are used in multiple locations within the block cipher. In RC6, it is more difficult tod... |

168 | New types of cryptanalytic attacks using related keys
- Biham
- 1994
Citation Context ...cks typically attempt to recover the keys or the round keys of the block cipher; differential [7, 18], linear [20] and exhaustive search methods are instances of such attacks (but other attacks exist [6, 38]). The fact that the round function of the original block cipher is used as a black box in the elastic version directs us to relate the security of the elastic version of a block cipher directly to th... |

146 | The boomerang attack
- Wagner
- 1999
Citation Context ...cks typically attempt to recover the keys or the round keys of the block cipher; differential [7, 18], linear [20] and exhaustive search methods are instances of such attacks (but other attacks exist [6, 38]). The fact that the round function of the original block cipher is used as a black box in the elastic version directs us to relate the security of the elastic version of a block cipher directly to th... |

99 | On the construction of pseudo-random permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1999
Citation Context ...variable-length PRFs and PRPs includes support for variable-length inputs with fixed-length outputs as applicable to MACs and hash functions [1, 3, 5, 8] and on multiples of the original block length [15, 16, 19, 28] (although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, CFB, CTR). There has also been work on using PRPs to create PRF... |

95 | Pseudo-random functions revisited: The cascade construction and its concrete security
- Bellare, Canetti, et al.
- 1996
Citation Context ... subset of pseudorandom functions (PRFs). Previous work on variable-length PRFs and PRPs includes support for variable-length inputs with fixed-length outputs as applicable to MACs and hash functions [1, 3, 5, 8] and on multiples of the original block length [15, 16, 19, 28] (although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, ... |

74 | Camellia: A 128-bit block cipher suitable for multiple platforms
- Aoki, Ichikawa, et al.
- 2001
Citation Context ... then the elastic version is also immune to the attack. We illustrate the method for creating elastic block ciphers with four constructions. We construct elastic block ciphers from AES [27], Camellia [2], MISTY1 [21] and RC6 [33] to serve as examples of the general applicability of the method. We analyze the randomness of each cipher’s output using standard statistical tests and evaluate the performa... |

74 | A Tweakable Enciphering Mode
- Halevi, Rogaway
Citation Context ...variable-length PRFs and PRPs includes support for variable-length inputs with fixed-length outputs as applicable to MACs and hash functions [1, 3, 5, 8] and on multiples of the original block length [15, 16, 19, 28] (although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, CFB, CTR). There has also been work on using PRPs to create PRF... |

67 | New Block Encryption Algorithm MISTY
- Matsui
- 1997
Citation Context ...astic version is also immune to the attack. We illustrate the method for creating elastic block ciphers with four constructions. We construct elastic block ciphers from AES [27], Camellia [2], MISTY1 [21] and RC6 [33] to serve as examples of the general applicability of the method. We analyze the randomness of each cipher’s output using standard statistical tests and evaluate the performance of the el... |

56 | Unbalanced Feistel Networks and Block Cipher Design
- Schneier, Kelsey
- 1996
Citation Context ... to the block size, in contrast to the black box approaches. First, we describe the elastic network and explain why we could not use an existing structure, specifically, an unbalanced Feistel network [34]. Second, we describe the steps for converting any fixed-length block cipher to a variable-length block cipher. Four instantiations of elastic block ciphers are described in Section 5. 3.2 Elastic Net... |

40 | (Not So) Random Shuffles of RC4
- Mironov
- 2002
Citation Context ...onsecutive bits from the n2 th segment of rotated component. If there is no fractional segment, n2 is unused. RC4 [32] was used for the key schedule. The first 512 bytes of RC4’s output are discarded [22], then RC4 is run until the required amount of expanded key bytes are obtained. How the bits are selected for the swap steps varies slightly among our constructions. In all cases, the bits swapped out... |

28 | Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions
- An, Bellare
- 1999
Citation Context ... subset of pseudorandom functions (PRFs). Previous work on variable-length PRFs and PRPs includes support for variable-length inputs with fixed-length outputs as applicable to MACs and hash functions [1, 3, 5, 8] and on multiples of the original block length [15, 16, 19, 28] (although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, ... |

19 | How to stretch random functions: the security of protected counter sums
- Bernstein
- 1999
Citation Context ... subset of pseudorandom functions (PRFs). Previous work on variable-length PRFs and PRPs includes support for variable-length inputs with fixed-length outputs as applicable to MACs and hash functions [1, 3, 5, 8] and on multiples of the original block length [15, 16, 19, 28] (although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, ... |

18 | Building PRFs from PRPs
- Hall, Wagner, et al.
- 1998
Citation Context ...although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, CFB, CTR). There has also been work on using PRPs to create PRFs [17]. Three previous approaches for creating variable-length block ciphers are designing a cipher from scratch, using an existing block cipher as a black box and adding operations around it, and altering ... |

12 | A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
- NIST
- 2001
Citation Context ... they do assist in determining if there are any obvious weaknesses with the cipher. There are sixteen tests performed on eight sets of data for each cipher. Refer to NIST’s special publication 800-22 [26] for a description of the tests and [25] for a description of the data sets. We tested every (b + y)-bit block size where y is an integral of 8 and 0 ≤ y ≤< b. We also tested two block sizes that were... |

11 | Efficient Constructions of Variable-Input-Length Block Ciphers
- Patel, Ramzan, et al.
- 2004
Citation Context ...hat of the original cipher. Previous proposals for converting existing block ciphers into variable-length ones focused on treating a block cipher as a black box and combining it with other operations [4, 29] in what amounts to a mode of encryption. While such an approach allows the security of the variable-length block cipher to be defined in terms of the original block cipher, the resulting construction... |

10 | The hasty pudding cipher
- Schroeppel
Citation Context ...he length of the data but they do not address how to design block ciphers to support variable-length blocks. There have also been ad-hoc attempts to design a variable-length block cipher from scratch [31, 36]. Ciphertext stealing is another way of preserving the length of the data when using a mode of encryption. It involves padding the last plaintext block using ciphertext from the previous block. Howeve... |

8 | On the Construction of Variable Length-Input Ciphers
- Bellare, Rogaway
- 1999
Citation Context ...hat of the original cipher. Previous proposals for converting existing block ciphers into variable-length ones focused on treating a block cipher as a black box and combining it with other operations [4, 29] in what amounts to a mode of encryption. While such an approach allows the security of the variable-length block cipher to be defined in terms of the original block cipher, the resulting construction... |

7 | Elastic Block Ciphers
- Cook
- 2006
Citation Context ...xceeded this rate. For the elastic versions of the ciphers, the percentage of samples passing each test was consistent across all block sizes and data sets. The detailed test results are available in [10]. 5.8 Key Schedules The key schedule for an elastic version of a block cipher has to generate more expanded key bits than the key schedule of the original block cipher. Additional key bits are needed d... |

7 | Elastic Block Ciphers: The Basic Design - Cook, Yung, et al. - 2007 |

6 | A tweakable enciphering mode. Cryptology ePrint Archive, Report 2003/148
- Halevi, Rogaway
Citation Context ...variable-length PRFs and PRPs includes support for variable-length inputs with fixed-length outputs as applicable to MACs and hash functions [1, 3, 5, 8] and on multiples of the original block length [15, 16, 19, 28] (although the same goal is accomplished by modes of encryption, for which there are numerous examples used in practice, e.g., CBC, OFB, CFB, CTR). There has also been work on using PRPs to create PRF... |

5 | Cryptosystem for Cellular Telephony
- Reeds
- 1992
Citation Context ...he length of the data but they do not address how to design block ciphers to support variable-length blocks. There have also been ad-hoc attempts to design a variable-length block cipher from scratch [31, 36]. Ciphertext stealing is another way of preserving the length of the data when using a mode of encryption. It involves padding the last plaintext block using ciphertext from the previous block. Howeve... |

4 | The Security of Elastic Block Ciphers Against Key-Recovery Attacks - Cook, Yung, et al. - 2007 |

3 | CBC MACs for Arbitrary-Length: The Three-Key Constructions
- Black, Rogaway
- 2000

3 | Related-Key and Slide Attacks: Analysis
- Ciet, Piret, et al.
- 2002
Citation Context ... design results in key schedules contributing to attacks (due to the ease in which additional key bits can be determined once a few are found and by increasing the opportunity for related key attacks [9]) and forces applications supporting multiple block ciphers to support a separate key schedule for each cipher. When creating elastic block ciphers, we wanted to avoid these disadvantages of existing ... |

3 | Report on the
- NESSIE
- 2000
Citation Context ...cipher because its round function processes the entire 128-bit block in each application. Camellia, one of the recommended 128-bit block ciphers from NESSIE’s competition for cryptographic algorithms [23], is a Feistel network with an additional function applied after certain cycles. MISTY1, the recommended 64-bit block cipher from NESSIE, is also structured as a Feistel network. Its elastic version p... |

3 | Randomness Testing of the Advanced Encryption Standard Finalist Candidates
- NIST
- 2000
Citation Context ...ck box and adding operations around it, and altering existing modes of encryption. The Hasty Pudding Cipher (HPC) [36], a submission to the AES competition that was deemed insecure in the first round [25], is an example of designing a variable-length block cipher from scratch. While creating a new block cipher from scratch allows the design to incorporate new features, such as support for a range of b... |

3 | RC4”. In Applied Cryptography by B
- Rivest
- 1996
Citation Context ... if any, is omitted from the rotation. The fractional component is then swapped with consecutive bits from the n2 th segment of rotated component. If there is no fractional segment, n2 is unused. RC4 [32] was used for the key schedule. The first 512 bytes of RC4’s output are discarded [22], then RC4 is run until the required amount of expanded key bytes are obtained. How the bits are selected for the ... |

2 | A Classical Introduction to Cryptography
- Vaudenay
- 2006
Citation Context ...vated by reduction-oriented proofs of security. Such proof techniques are not typical in symmetric-key cryptography, especially in concrete designs (for a survey of proof techniques in this area, see [37]:Chapter 4) and are more common in generic designs based on strong assumptions on the components (e.g., a component is a random or pseudorandom function [19]). We prove that the elastic version of a b... |