Cryptographically secure substitutions based on the approximation of mixing maps

Practical and Provable Security against Differential and Linear Cryptanalysis for Substitution-Permutation Networks

ETRI Journal, 2001

We examine the diffusion layers of some block ciphers referred to as substitution-permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S-boxes and that of linearly active S-boxes are generally not identical and propose some special conditions under which they are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the result that two consecutive rounds of the SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of two consecutive rounds of the SPN structure with a maximal diffusion layer is bounded by p^n (resp. q^n) and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by p^{n-1} (resp. q^{n-1}), where p and q are the maximum differential and linear probabilities of the substitution layer, respectively.

Recursive Diffusion Layers for Block Ciphers and Hash Functions

Lecture Notes in Computer Science, 2012

Many modern block ciphers use maximum distance separable (MDS) matrices as the main part of their diffusion layers. In this paper, we propose a new class of diffusion layers constructed from several rounds of Feistel-like structures whose round functions are linear. We investigate the requirements of the underlying linear functions to achieve the maximal branch number for the proposed 4 × 4 words diffusion layer. The proposed diffusion layers only require word-level XORs, rotations, and they have simple inverses. They can be replaced in the diffusion layer of the block ciphers MMB and Hierocrypt to increase their security and performance, respectively. Finally, we try to extend our results for up to 8 × 8 words diffusion layers.

Efficient Recursive Diffusion Layers for Block Ciphers and Hash Functions

Journal of Cryptology, 2013

Many modern block ciphers use maximum distance separable (MDS) matrices as the main part of their diffusion layers. In this paper, we propose a new class of diffusion layers constructed from several rounds of Feistel-like structures whose round functions are linear. We investigate the requirements of the underlying linear functions to achieve the maximal branch number for the proposed 4 × 4 words diffusion layer. The proposed diffusion layers only require word-level XORs, rotations, and they have simple inverses. They can be replaced in the diffusion layer of the block ciphers MMB and Hierocrypt to increase their security and performance, respectively. Finally, we try to extend our results for up to 8 × 8 words diffusion layers.

The interpolation attack on block ciphers

Lecture Notes in Computer Science, 1997

In this paper we introduce a new method of attack on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.

Cryptanalysis of Block Ciphers Using Almost-Impossible Differentials

In this paper, inspired by the notion of impossible differentials, we present a model for using differentials that are less probable than for a random permutation. We introduce such a distinguisher for 2 rounds of Crypton, and present an attack on 6 rounds of this AES candidate. As a special case of this idea, we embed parts of the additional rounds around the impossible differential into the distinguisher to make a probabilistic distinguisher with more rounds. We show that with this change, the data complexity is increased but the time complexity may be reduced or increased. We then argue that this change to impossible differential cryptanalysis is convenient and reasonable when the data complexity is low and the time complexity is marginal.

Block ciphers, pseudorandom functions, and Natural Proofs

This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterpart: block ciphers. This gap is both quantitative, because block ciphers are more efficient than PRF in various ways, and methodological, because block ciphers usually fit in the substitution-permutation network paradigm (SPN) which has no counterpart in PRF. We give several candidate PRF F_i that are inspired by the SPN paradigm. This paradigm involves a "substitution function" (S-box). Our main candidates are: F_1 : {0,1}^n → {0,1}^n is an SPN whose S-box is a random function on b = O(lg n) bits, given as part of the seed. We prove unconditionally that F_1 resists attacks that run in time ≤ 2^{εb}. Setting b = ω(lg n) we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm. F_2 : {0,1}^n → {0,1}^n is an SPN where the S-box is (patched) field inversion, a common choice in block ciphers. F_2 is computable with Boolean circuits of size n·log^{O(1)} n, and in particular with seed length n·log^{O(1)} n. We prove that this candidate has exponential security 2^{Ω(n)} against linear and differential cryptanalysis. F_3 : {0,1}^n → {0,1} is a non-standard variant on the SPN paradigm, where "states" grow in length. F_3 is computable with size n^{1+ε}, for any ε > 0, in the restricted circuit class TC^0 of unbounded fan-in majority circuits of constant depth. We prove that F_3 is almost 3-wise independent. F_4 : {0,1}^n → {0,1} uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate is a small-bias generator (for tests of weight up to 2^{0.9n}).
Assuming the security of our candidates, our work also narrows the gap between the "Natural Proofs barrier" [Razborov & Rudich; JCSS '97] and existing lower bounds, in three models: unbounded-depth circuits, TC^0 circuits, and Turing machines. In particular, the efficiency of the circuits computing F_3 is related to a result by Allender and Koucky [JACM '10] who show that a lower bound for such circuits would imply a lower bound for TC^0.

Provable security of block ciphers against linear cryptanalysis: a mission impossible?

Designs, Codes and Cryptography, 2009

In this paper, we are concerned with the security of block ciphers against linear cryptanalysis and discuss the distance between the so-called practical security approach and the actual theoretical security provided by a given cipher. For this purpose, we present a number of illustrative experiments performed against small (i.e. computationally tractable) ciphers. We compare the linear probability of the best linear characteristic and the actual best linear probability (averaged over all keys). We also test the key equivalence hypothesis. Our experiments illustrate both that provable security against linear cryptanalysis is not achieved by present design strategies and the relevance of the practical security approach. Finally, we discuss the (im)possibility of deriving actual design criteria from the intuitions underlying these experiments.

Statistics of Random Permutations and the Cryptanalysis of Periodic Block Ciphers

Cryptologia, 2012

A block cipher is intended to be computationally indistinguishable from a random permutation of appropriate domain and range. But what are the properties of a random permutation? With the aid of exponential and ordinary generating functions, we derive a series of corollaries of interest to the cryptographic community. These follow from the Strong Cycle Structure Theorem of permutations, and are useful in rendering rigorous two attacks on Keeloq, a block cipher in widespread use. These attacks formerly had heuristic approximations of their probability of success. Moreover, we delineate an attack against the (roughly) millionth-fold iteration of a random permutation. In particular, we create a distinguishing attack, whereby the iteration of a cipher a number of times equal to the product of the first eight primes is breakable, but merely one fewer round is considerably more secure. We then extend this to a key-recovery attack in a "Triple-DES" style construction, but using AES-256 and iterating the middle cipher (roughly) a million-fold. It is hoped that these results will showcase the utility of exponential and ordinary generating functions and will encourage their use in cryptanalytic research.

Enhancing the security of block ciphers with the aid of parallel substitution box construction

Proceedings 22nd International Conference on Distributed Computing Systems Workshops

When considering block cipher designs, one feature that is seemingly not related to the robustness of a design is algorithmic variability, i.e. the ability to effect changes on a design that essentially leave its structure unchanged while they modify its functional characteristics. This feature, however, is related to robustness, as there are situations where a specific algorithm is either suspected to be under cryptanalytic attack or is no longer considered secure due to a discovered weakness. The easiest action would be to change the characteristics of the algorithm in a way that obscures the cryptanalytic attack or that eliminates the cipher's weaknesses. Our focus is on this kind of change, using the CAST-128 cipher as a specific case. The changes we consider refer to the algorithm's substitution boxes, and since the creation of good substitution boxes is a highly time-consuming process, we also provide a parallel algorithm for completing this task quickly.