## Decorrelation: a theory for block cipher security (2003)

Venue: Journal of Cryptology

Citations: 34 (4 self)

### BibTeX

```bibtex
@ARTICLE{Vaudenay03decorrelation:a,
  author  = {Serge Vaudenay},
  title   = {Decorrelation: a theory for block cipher security},
  journal = {Journal of Cryptology},
  year    = {2003},
  volume  = {16},
  pages   = {2003}
}
```

### Abstract

Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter-Wegman universal hash functions paradigm, and the Luby-Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes.

### Citations

674 | Universal classes of hash functions
- Carter, Wegman
- 1979

Citation Context: ...Shannon result, this suffers from the expensive cost of random bits, and basically requires having an enormous private key. We can still use derandomization techniques, like the Carter-Wegman method [11,73] for sampling pairwise independent numbers. This leads us to the notion of decorrelation which enables measuring the pseudo-randomness with small keys and studying how it protects against attacks. Ins...

502 | Differential cryptanalysis of DES-like cryptosystems
- Biham, Shamir
- 1991

Citation Context: ...er or attack the design of DES. Real advances on the attack strategies on block ciphers were made in the early 90s when Biham and Shamir invented differential cryptanalysis and applied it against DES [7,8,9,10]. The best version of this attack can recover a secret key with a simple […]-chosen plaintext attack. Although this attack is heuristic, experiments confirmed the results. Biham and Shamir’s atta...

335 | Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993

Citation Context: ...er or attack the design of DES. Real advances on the attack strategies on block ciphers were made in the early 90s when Biham and Shamir invented differential cryptanalysis and applied it against DES [7,8,9,10]. The best version of this attack can recover a secret key with a simple […]-chosen plaintext attack. Although this attack is heuristic, experiments confirmed the results. Biham and Shamir’s atta...

139 | Cryptography and computer privacy
- Feistel
- 1973

Citation Context: ...was introduced by Luby and Rackoff in 1988 [40]. They have shown how to formalize security by pseudo-randomness and how to prove the security of the underlying DES construction, the Feistel scheme [14], provided that round functions are totally random. As for the Shannon result, this suffers from the expensive cost of random bits, and basically requires having an enormous private key. We can still...

90 | Differential cryptanalysis of the full 16-round DES
- Biham, Shamir
- 1993

Citation Context: ...er or attack the design of DES. Real advances on the attack strategies on block ciphers were made in the early 90s when Biham and Shamir invented differential cryptanalysis and applied it against DES [7,8,9,10]. The best version of this attack can recover a secret key with a simple […]-chosen plaintext attack. Although this attack is heuristic, experiments confirmed the results. Biham and Shamir’s atta...

66 | Links between differential and linear cryptanalysis
- Chabaud, Vaudenay
- 1995

Citation Context: ...ption functions, Nyberg first formalized the notion of strength against differential cryptanalysis [50]. Similarly, Chabaud and Vaudenay formalized the notion of strength against linear cryptanalysis [12]. With this approach, we can study how to make internal computation boxes resistant against both attacks. This can be used in a heuristic way by usual active s-boxes counting tricks (e.g. see [22,23])...

62 | Correlation Attacks on Block Ciphers
- Jakobsen
- 1996

Citation Context: ...e the security against both attacks (see Nyberg and Knudsen [52]), but in an unsatisfactory way which introduces some algebraic properties which lead to other attacks as shown by Jakobsen and Knudsen [26]. The Nyberg-Knudsen approach was later used by Matsui in practical block ciphers including MISTY and KASUMI [1,43,44]. Another approach in order to study the security of block ciphers was introduced...

51 | The Rectangle Attack – Rectangling the Serpent
- Biham, Dunkelman, et al.

Citation Context: ...ced Encryption Standard process. Security against some other generic models of attacks is still open. In particular we may investigate security against the Boomerang attack [72], the rectangle attack [5], or the linear-differential attack [6,38]. Although we can directly use results from Section 6.3 with a high order of decorrelation it is not quite clear at this time what the minimal order of decorr...

40 | MMH: Software message authentication in the Gbit/second rates
- Halevi, Krawczyk
- 1997

Citation Context: ...f this theorem requires materials from Section 5. We provide it in Appendix A. Note that a similar construction has been previously used by Halevi and Krawczyk for authentication in the MMH algorithm [21]. […] for […] prime, […] independent uniformly distributed random variables in […]. […] is a random function […]. Let […] be a u...

29 | Substitution-permutation networks resistant to differential and linear cryptanalysis
- Heys, Tavares

Citation Context: ...sis [12]. With this approach, we can study how to make internal computation boxes resistant against both attacks. This can be used in a heuristic way by usual active s-boxes counting tricks (e.g. see [22,23]). This has also been used to construct the PURE cipher for which we can prove the security against both attacks (see Nyberg and Knudsen [52]), but in an unsatisfactory way which introduces some algeb...

21 | Strict evaluation of the maximum average of differential probability and the maximum average of linear probability
- Aoki, Ohta
- 1997

Citation Context: ...designers try to upper bound the probability of the best differential or linear characteristics in ad-hoc ways. Some results apply to multi-path characteristics like Nyberg-Knudsen [51,52], Aoki-Ohta [3], Keliher et al. [32,33], and Park et al. [53,54]. In another approach, Luby-Rackoff [39] and Maurer-Massey [45] studied the security of product ciphers. One of our purposes is to quantify the security...

15 | Enhancing differential-linear cryptanalysis
- Biham, Dunkelman, et al.
- 2001

Citation Context: ...he NUT-II structure, […] is a constant bit, thus […], so the advantage of the distinguisher is close to 1. This simple example […], but […] extends into a real attack due to Biham et al. [6] against the COCONUT98 cipher [64]. We can however prove the security when the cipher has a good decorrelation to the […] order and an extra assumption about the distribution of […] in every iteration. ...

14 | The Design of Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
- Heys, Tavares
- 1994

Citation Context: ...heuristic attack, which has been implemented, can recover the key with a […]-known plaintext attack. Since then, many researchers tried to generalize and improve these attacks (see, for instance, [22,27,29,31,35,36,37,48,61,62]), but the underlying ideas were quite the same. […] for any message […]. The basic idea of differential cryptanalysis is to use properties like “if […] and […] are two plaintext blocks such that...

12 | New results on the pseudorandomness of some block cipher constructions
- Gilbert, Minier
- 2002

Citation Context: ...tensions investigated the security with higher values of […], e.g. Patarin [56], and Maurer-Pietrzak [46]. Many other researchers have applied the same techniques to other schemes. (See, for instance, [19,24,25,30,47,49].) Our work studies provable security against specific models of attacks. We addressed the basic differential and linear cryptanalysis and the more general model of iterated attacks which are based on...

10 | On the use of GF-inversion as a cryptographic primitive
- Aoki, Vaudenay
- 2003

Citation Context: ...ver a Finite Field. A similar way to construct (almost) perfect 3-wise decorrelated permutation on a field structure […], where […] is the field cardinality, with the same techniques as for Theorem 6. (See [4].) […] where […] with […]. (By convention we set […].) We can prove that […]. 4 Links to the Shannon Secrecy Theory. 4.1 Perfect Secrecy and Decorrelation. […]...

8 | Decorrelated Fast Cipher: an AES Candidate (Extended Abstract)
- Gilbert, Girault, et al.
- 1998

Citation Context: ...onstructing Feistel ciphers, and in particular we need more rounds to make the cipher provably secure. (See [65].) Example 28. The AES candidate DFC was proposed based on the PEANUT construction (see [17,18,20]). Nominal parameters are […], […], […], and […], so we have […]. 8.3 WALNUT: An Alternate Design. The Feistel cipher is based on a round mapping defined by […]...

7 | Decorrelated Fast Cipher: an AES Candidate. Submitted to the Advanced Encryption Standard process
- Gilbert, Girault, et al.
- 1998

Citation Context: ...onstructing Feistel ciphers, and in particular we need more rounds to make the cipher provably secure. (See [65].) Example 28. The AES candidate DFC was proposed based on the PEANUT construction (see [17,18,20]). Nominal parameters are […], […], […], and […], so we have […]. 8.3 WALNUT: An Alternate Design. The Feistel cipher is based on a round mapping defined by […]...

6 | Round security and super-pseudorandomness of MISTY type structure
- Iwata, Yoshino, et al.
- 2001

Citation Context: ...tensions investigated the security with higher values of […], e.g. Patarin [56], and Maurer-Pietrzak [46]. Many other researchers have applied the same techniques to other schemes. (See, for instance, [19,24,25,30,47,49].) Our work studies provable security against specific models of attacks. We addressed the basic differential and linear cryptanalysis and the more general model of iterated attacks which are based on...

4 | Cryptanalyse Statistique des Algorithmes de Chiffrement et Sécurité des Schémas d’Authentification, Thèse de Doctorat de l’Université de Paris 11
- Gilbert
- 1997

Citation Context: ...this attack is heuristic, experiments confirmed the results. Biham and Shamir’s attack was based on statistical cryptanalysis ideas which were later used by Gilbert and Chassé against another cipher [15,16]. Those ideas inspired Matsui who developed a linear cryptanalysis on DES [41,42]. This heuristic attack, which has been implemented, can recover the key with a […]-known plaintext attack. Since th...

4 | A Statistical Attack of the FEAL-8 Cryptosystem
- Gilbert, Chassé
- 1991

Citation Context: ...this attack is heuristic, experiments confirmed the results. Biham and Shamir’s attack was based on statistical cryptanalysis ideas which were later used by Gilbert and Chassé against another cipher [15,16]. Those ideas inspired Matsui who developed a linear cryptanalysis on DES [41,42]. This heuristic attack, which has been implemented, can recover the key with a […]-known plaintext attack. Since th...

3 | On the Pseudorandomness of AES Finalists -- RC6 and Serpent (these proceedings)
- Iwata, Kurosawa

Citation Context: ...tensions investigated the security with higher values of […], e.g. Patarin [56], and Maurer-Pietrzak [46]. Many other researchers have applied the same techniques to other schemes. (See, for instance, [19,24,25,30,47,49].) Our work studies provable security against specific models of attacks. We addressed the basic differential and linear cryptanalysis and the more general model of iterated attacks which are based on...

2 | Mobile Telecommunications System (UMTS); Specification of the 3GPP confidentiality and integrity algorithms. Document 2: Kasumi algorithm specification (3GPP TS 35.202 version 3.1.2 Release
- Universal
- 1999

Citation Context: ...some algebraic properties which lead to other attacks as shown by Jakobsen and Knudsen [26]. The Nyberg-Knudsen approach was later used by Matsui in practical block ciphers including MISTY and KASUMI [1,43,44]. Another approach in order to study the security of block ciphers was introduced by Luby and Rackoff in 1988 [40]. They have shown how to formalize security by pseudo-randomness and how to prove th...

1 | New Block Cipher DONUT Using Pairwise Perfect Decorrelation
- Cheon, Lee, et al.
- 1977

Citation Context: ...ttack” [72] in order to break it. This attack […] For completeness, we mention that an extension of the COCONUT construction (called DONUT for “Double Operations with NUT”) was proposed by Cheon et al. [13]. 8.2 PEANUT: A Partial Decorrelation Design. In this section we define the PEANUT Ciphers family, which achieve an example of partial decorrelation. This family is based on the NUT-IV decorrelati...