[PPT] - Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe PowerPoint Presentation

SLIDE 1

Security Analysis of Key-Alternating Feistel Ciphers

Rodolphe Lampe and Yannick Seurin

University of Versailles and ANSSI

4th March 2014 - FSE 2014

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

SLIDE 2

Key-Alternating Ciphers (aka iterated Even-Mansour)

x P1 k0 P2 k1 Pr y kr

P1, . . . , Pr are modeled as public random permutation oracles interpretation: gives a guarantee against any adversary which does not use particular properties of the Pi’s

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 2 / 16

SLIDE 3

Results on the pseudorandomness of KA ciphers

The following results have been successively obtained for the pseudorandomness of KA ciphers (notation: N = 2n): for r = 1 round, security up to O(N

1 2 ) queries [EM97]

for r ≥ 2, security up to O(N

2 3 ) queries [BKL+12]

for r ≥ 3, security up to O(N

3 4 ) queries [Ste12]

for any even r, security up to O(N

r r+2 ) queries [LPS12]

tight result: for r rounds, security up to O(N

r r+1 ) queries [CS13]

NB: Results for independent round keys (k0, k1, . . . , kr)

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 3 / 16

SLIDE 4

Key-Alternating Feistel Ciphers

functions Fi are public random oracles different from the Luby-Rackoff setting (where the Fi’s are pseudorandom)

F0 k0 F1 k1 x1 . . . Fr−2 kr−2 xr−2 Fr−1 kr−1 xr−1 x−1 x0 xr−1 xr

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 4 / 16

SLIDE 5

KAF ciphers as a special type of Key-Alternating ciphers

Fi ki Fi+1 ki+1 Fi Fi+1 ki+1 ki ki+1 ki

Two rounds of a KAF cipher is equivalent to a 1-round KA cipher where the permutation is a two-round (un-keyed) Feistel cipher with public random functions

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 5 / 16

SLIDE 6

Results

previous results: Gentry and Ramzan [GR04]: secure up to N1/2 queries for r = 4 rounds

ur results: secure up to N

t t+1 queries where

t =

r

3

for NCPA attacks

t =

r

6

for CCA attacks

improved results in the Luby-Rackoff setting: security up to N

t t+1

queries where t =

r

2

for NCPA attacks

t =

r

4

for CCA attacks

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 6 / 16

SLIDE 7

Results

previous results: Gentry and Ramzan [GR04]: secure up to N1/2 queries for r = 4 rounds

ur results: secure up to N

t t+1 queries where

t =

r

3

for NCPA attacks

t =

r

6

for CCA attacks

improved results in the Luby-Rackoff setting: security up to N

t t+1

queries where t =

r

2

for NCPA attacks

t =

r

4

for CCA attacks

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 6 / 16

SLIDE 8

Results

previous results: Gentry and Ramzan [GR04]: secure up to N1/2 queries for r = 4 rounds

ur results: secure up to N

t t+1 queries where

t =

r

3

for NCPA attacks

t =

r

6

for CCA attacks

improved results in the Luby-Rackoff setting: security up to N

t t+1

queries where t =

r

2

for NCPA attacks

t =

r

4

for CCA attacks

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 6 / 16

SLIDE 9

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · ·

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 10

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · ·

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 11

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · ·

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 12

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · ·

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 13

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · ·

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 14

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · [x ℓ+1

r−1, x ℓ+1 r

] uniformly random ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 15

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · what can go wrong ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 16

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · collisions !

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 17

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · collisions !

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 18

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · collisions !

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 19

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · collisions !

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 20

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · collisions !

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 21

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · what can go right ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 22

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · what can go right ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 23

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · what can go right ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 24

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · 2 consecutive rounds without collisions

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 25

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · 2 consecutive rounds without collisions

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 26

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · 2 consecutive rounds without collisions

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 27

Intuition of the proof

F0 k0 F1 k1 x 1

1

. . . Fr−2 kr−2 x 1

r−2

Fr−1 kr−1 x 1

r−1

x 1

−1

x 1 x 1

r−1

x 1

r

F0 k0 F1 k1 x 2

1

. . . Fr−2 kr−2 x 2

r−2

Fr−1 kr−1 x 2

r−1

x 2

−1

x 2 x 2

r−1

x 2

r

F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

· · · 2 consecutive rounds without collisions

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 7 / 16

SLIDE 28

Technique

Proof using the coupling technique main problem: given ℓ queries, upper bound the probability that, for every two consecutive rounds, the ℓ + 1-th query collision in (at least)

ne of the two rounds.

Ai = event that the ℓ-th query collisions with previous queries at round i; we want to upper bound Pr

(A1 ∪ A2) ∩ (A2 ∪ A3) ∩ · · · ∩ (Ar−2 ∪ Ar−1) ∩ (Ar−1 ∪ Ar)

Lampe & Seurin (Versailles & ANSSI)

Key-Alternating Feistel Ciphers FSE 2014 8 / 16

SLIDE 29

Technique

Proof using the coupling technique main problem: given ℓ queries, upper bound the probability that, for every two consecutive rounds, the ℓ + 1-th query collision in (at least)

ne of the two rounds.

Ai = event that the ℓ-th query collisions with previous queries at round i; we want to upper bound Pr

(A1 ∪ A2) ∩ (A2 ∪ A3) ∩ · · · ∩ (Ar−2 ∪ Ar−1) ∩ (Ar−1 ∪ Ar)

Lampe & Seurin (Versailles & ANSSI)

Key-Alternating Feistel Ciphers FSE 2014 8 / 16

SLIDE 30

Technique

Proof using the coupling technique main problem: given ℓ queries, upper bound the probability that, for every two consecutive rounds, the ℓ + 1-th query collision in (at least)

ne of the two rounds.

Ai = event that the ℓ-th query collisions with previous queries at round i; we want to upper bound Pr

(A1 ∪ A2) ∩ (A2 ∪ A3) ∩ · · · ∩ (Ar−2 ∪ Ar−1) ∩ (Ar−1 ∪ Ar)

Lampe & Seurin (Versailles & ANSSI)

Key-Alternating Feistel Ciphers FSE 2014 8 / 16

SLIDE 31

Technique

Proof using the coupling technique main problem: given ℓ queries, upper bound the probability that, for every two consecutive rounds, the ℓ + 1-th query collision in (at least)

ne of the two rounds.

Ai = event that the ℓ-th query collisions with previous queries at round i; we want to upper bound Pr

(A1 ∪ A2) ∩ (A2 ∪ A3) ∩ · · · ∩ (Ar−2 ∪ Ar−1) ∩ (Ar−1 ∪ Ar)

Lampe & Seurin (Versailles & ANSSI)

Key-Alternating Feistel Ciphers FSE 2014 8 / 16

SLIDE 32

The Coupling technique

head tail 1/2 1/2 head tail 3/5 2/5

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 9 / 16

SLIDE 33

The Coupling technique

head tail 1/2 1/2 head tail 3/5 2/5 Adv = Statistical distance =

3

5 − 1 2

= 1

10

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 9 / 16

SLIDE 34

The Coupling technique

1/2 1/2 head/head head/tail tail/head tail/tail

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 10 / 16

SLIDE 35

The Coupling technique

1/2 1/2 head/head head/tail tail/head tail/tail 1 1/2

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 10 / 16

SLIDE 36

The Coupling technique

1/2 1/2 head/head head/tail tail/head tail/tail 1 1/2

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 10 / 16

SLIDE 37

The Coupling technique

1/2 1/2 head/head head/tail tail/head tail/tail 1 1/2 1/5 1/10

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 10 / 16

SLIDE 38

The Coupling technique

1/2 1/2 head/head head/tail tail/head tail/tail 1 1/2 1/5 1/10 4/5 2/5

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 10 / 16

SLIDE 39

The Coupling technique

1/2 1/2 head/head head/tail tail/head tail/tail 1 1/2 1/5 1/10 4/5 2/5

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 10 / 16

SLIDE 40

The Coupling technique

random variables X Y probability distributions µ ν The Coupling lemma µ − ν ≤ Pr [X = Y ]

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 11 / 16

SLIDE 41

The Coupling technique

random variables X Y probability distributions µ ν The Coupling lemma µ − ν ≤ Pr [X = Y ]

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 11 / 16

SLIDE 42

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 43

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 44

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random both free ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 45

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random both free ? impose equality

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 46

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random both free ? equal

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 47

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random both free ?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 48

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random both free ? equal

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 49

The Coupling Technique for the KAF

Ideal World F ′ k0 F ′

1

k1 uℓ+1

1

. . . F ′

r−2

kr−2 uℓ+1

r−2

F ′

r−1

kr−1 uℓ+1

r−1

uℓ+1

−1

uℓ+1 uℓ+1

r−1

uℓ+1

r

Real World F0 k0 F1 k1 x ℓ+1

1

. . . Fr−2 kr−2 x ℓ+1

r−2

Fr−1 kr−1 x ℓ+1

r−1

x ℓ+1

−1

x ℓ+1 x ℓ+1

r−1

x ℓ+1

r

Uniformly Random Uniformly Random both free ? both free ? equal

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 12 / 16

SLIDE 50

Advantage

qe :number of queries to the cipher qf :number of queries to the round functions Advncpa

KAF[n,r](qe, qf ) ≤

4t t + 1 (qe + 2qf )t+1 2tn with t =

r

3

.

Advcca

KAF[n,2r′](qe, qf ) ≤ 4

4t

t + 1 (qe + 2qf )t+1 2tn

1/2

with t =

r ′

3

.

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 13 / 16

SLIDE 51

The end. . .

Thanks for your attention! Comments or questions?

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 14 / 16

SLIDE 52

References I

Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, François-Xavier Standaert, John P. Steinberger, and Elmar Tischhauser. Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations - (Extended Abstract). In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 45–62. Springer, 2012. Shan Chen and John P. Steinberger. Tight security bounds for key-alternating ciphers. IACR Cryptology ePrint Archive, 2013:222, 2013. Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology, 10(3):151–162, 1997.

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 15 / 16

SLIDE 53

References II

Craig Gentry and Zulfikar Ramzan. Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 32–47. Springer, 2004. Rodolphe Lampe, Jacques Patarin, and Yannick Seurin. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 278–295. Springer, 2012. John Steinberger. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, Report 2012/481, 2012. Available at http://eprint.iacr.org/2012/481.

Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 16 / 16