
Journal of Cryptology, Volume 16, Issue 4, pp. 249–286

Decorrelation: A Theory for Block Cipher Security

  • Serge Vaudenay

Abstract

Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools for studying it in connection with Shannon theory, the Carter–Wegman universal hash functions paradigm, and the Luby–Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis, and even against more general attacks. We also propose practical construction schemes.

Keywords: Block ciphers; Cryptanalysis; Pseudorandomness
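The abstract links the Carter–Wegman universal hash paradigm to resistance against differential cryptanalysis. The following script is an added illustration of that link, not code from the paper: it averages the difference distribution table over the key for a toy field GF(2^4) (the field, the polynomial x^4 + x + 1 and the three key families are assumptions chosen for size, not the paper's construction) and compares a key-XOR-only family, a pairwise-independent affine family a·x + b with a uniform over all non-zero field elements, and a degraded affine family whose multiplier is drawn from only two values.

```python
from fractions import Fraction

N_BITS = 4
FIELD = 1 << N_BITS        # GF(2^4) has 16 elements (assumed toy size)
POLY = 0x13                # x^4 + x + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Multiply two elements of GF(2^4) modulo POLY (carry-less, then reduce)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD:
            a ^= POLY
    return r


# Family 1: key addition only, F_k(x) = x XOR k. No decorrelation of order 2.
XOR_KEYS = [(k,) for k in range(FIELD)]


def xor_family(key, x):
    (k,) = key
    return x ^ k


# Family 2: Carter-Wegman pairwise-independent family F_{a,b}(x) = a*x + b, a != 0.
AFFINE_KEYS = [(a, b) for a in range(1, FIELD) for b in range(FIELD)]


def affine_family(key, x):
    a, b = key
    return gf_mul(a, x) ^ b


# Family 3 (constructed, weak variant): same map, but the multiplier is only 1 or 2,
# so the key no longer randomises the output difference uniformly.
WEAK_AFFINE_KEYS = [(a, b) for a in (1, 2) for b in range(FIELD)]


def averaged_ddt(family, keys):
    """Difference distribution table averaged over the key:
    DP(d_in, d_out) = Pr_{K, x}[ F_K(x) ^ F_K(x ^ d_in) == d_out ]."""
    counts = [[0] * FIELD for _ in range(FIELD)]
    for key in keys:
        table = [family(key, x) for x in range(FIELD)]
        for d_in in range(1, FIELD):
            for x in range(FIELD):
                counts[d_in][table[x] ^ table[x ^ d_in]] += 1
    total = len(keys) * FIELD
    return [[Fraction(c, total) for c in row] for row in counts]


def max_differential_probability(family, keys):
    """Largest key-averaged differential probability over all non-zero input differences."""
    ddt = averaged_ddt(family, keys)
    return max(ddt[d_in][d_out] for d_in in range(1, FIELD) for d_out in range(FIELD))


if __name__ == "__main__":
    for name, fam, keys in (("x XOR k", xor_family, XOR_KEYS),
                            ("a*x + b, a uniform non-zero", affine_family, AFFINE_KEYS),
                            ("a*x + b, a in {1, 2}", affine_family, WEAK_AFFINE_KEYS)):
        print(f"{name:32s} max DP = {max_differential_probability(fam, keys)}")
```

The XOR-only family has a differential (d, d) that holds with probability 1 for every key, so averaging over the key does not help. For the affine family the output difference is a·d_in, which is uniform over the 15 non-zero elements when a is, so every non-trivial differential has probability exactly 1/15; restricting a to two values raises the best differential to 1/2, which shows that the bound depends on the multiplier being uniform over the whole multiplicative group, not merely on the map being affine.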



Copyright information

© International Association for Cryptological Research 2003

Authors and Affiliations

  • Serge Vaudenay, Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne, Switzerland
