
Journal of Cryptology, Volume 29, Issue 1, pp. 61–114

How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction

  • Jean-Sébastien Coron
  • Thomas Holenstein
  • Robin Künzler
  • Jacques Patarin
  • Yannick Seurin
  • Stefano Tessaro

Abstract

This paper provides the first provably secure construction of an invertible random permutation (and of an ideal cipher) from a public random function that can be evaluated by all parties in the system, including the adversary. The associated security goal was formalized via the notion of indifferentiability by Maurer et al. (TCC 2004). The problem is the natural extension of that of building (invertible) random permutations from (private) random functions, first solved by Luby and Rackoff (SIAM J Comput 17(2):373–386, 1988) via the four-round Feistel construction. As our main result, we prove that the Feistel construction with fourteen rounds is indifferentiable from an invertible random permutation. We also provide a new lower bound showing that five rounds are not sufficient to achieve indifferentiability. A major corollary of our result is the equivalence (in a well-defined sense) of the random oracle model and the ideal cipher model.
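The following Python model is an added illustration, not code from the paper: it implements the construction the abstract refers to, an r-round Feistel network whose round functions are all derived (by domain separation on the round index) from one lazily sampled public random function that any party, including the adversary, can query. It demonstrates that the result is an invertible permutation on 2n-bit blocks even though the round function itself is not invertible; it does not reproduce the indifferentiability proof. The class and function names, the 4-bit half-block size and the seed are constructed for the example.

```python
import random

class PublicRandomFunction:
    """Lazily sampled random function that every party, the adversary included,
    may query: the paper's public random function. The round functions F_i are
    derived from it by domain separation on the round index."""

    def __init__(self, n_bits, seed=0):
        self.n_bits = n_bits
        self.rng = random.Random(seed)  # constructed: seeded only so runs are reproducible
        self.table = {}                 # (round index, input) -> sampled output
        self.queries = 0                # counts every query, whoever makes it

    def query(self, round_index, x):
        self.queries += 1
        key = (round_index, x)
        if key not in self.table:       # sample on first use, answer consistently afterwards
            self.table[key] = self.rng.getrandbits(self.n_bits)
        return self.table[key]

class Feistel:
    """r-round Feistel permutation on 2n-bit blocks L||R, where round i maps
    (L, R) -> (R, L xor F_i(R))."""

    def __init__(self, rounds, n_bits, f):
        self.rounds, self.n_bits, self.f = rounds, n_bits, f
        self.mask = (1 << n_bits) - 1

    def encrypt(self, block):
        left, right = block >> self.n_bits, block & self.mask
        for i in range(self.rounds):
            left, right = right, left ^ self.f.query(i, right)
        return (left << self.n_bits) | right

    def decrypt(self, block):
        # Rounds are undone in reverse order using only forward queries to F,
        # which is why the construction is invertible although F itself is not.
        left, right = block >> self.n_bits, block & self.mask
        for i in reversed(range(self.rounds)):
            left, right = right ^ self.f.query(i, left), left
        return (left << self.n_bits) | right

def is_permutation(cipher):
    """Exhaustive check (small n only): encrypt is a bijection on all 2^(2n) blocks and decrypt inverts it."""
    size = 1 << (2 * cipher.n_bits)
    images = {cipher.encrypt(x) for x in range(size)}
    return len(images) == size and all(cipher.decrypt(cipher.encrypt(x)) == x for x in range(size))

def build(rounds=14, n_bits=4, seed=1):  # constructed defaults: 14 rounds as in the paper, 4-bit halves
    return Feistel(rounds, n_bits, PublicRandomFunction(n_bits, seed))
```

The query counter on the public function is what an indifferentiability argument charges a distinguisher for; every query, whether made through the cipher or directly, is visible and counted.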

Keywords

Random oracle model, Ideal cipher model, Feistel construction, Indifferentiability

Notes

Acknowledgments

It is a pleasure to thank Ueli Maurer for his insightful feedback. We also would like to thank the reviewers of the Journal of Cryptology for their very detailed comments, which helped us in substantially improving the presentation of the paper. Robin Künzler was partially supported by the Swiss National Science Foundation (SNF), Project No. 200021-132508.

References

  1. E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, J.P. Steinberger, On the indifferentiability of key-alternating ciphers, in R. Canetti, J.A. Garay, editors, Advances in Cryptology—CRYPTO 2013 (Proceedings, Part I), Lecture Notes in Computer Science, vol. 8042 (Springer, Berlin, 2013), pp. 531–550. Full version available at http://eprint.iacr.org/2013/061
  2. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in N.P. Smart, editor, Advances in Cryptology—EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 181–197
  3. D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
  4. M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, pp. 491–506 (2003)
  5. A. Bogdanov, L.R. Knudsen, G. Leander, F.-X. Standaert, J.P. Steinberger, E. Tischhauser, Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (Extended Abstract), in D. Pointcheval, T. Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, Lecture Notes in Computer Science, vol. 7237 (Springer, Berlin, 2012), pp. 45–62
  6. J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in FSE 2006, Lecture Notes in Computer Science, vol. 4047, pp. 328–340 (2006)
  7. D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)
  8. M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, in EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, pp. 139–155 (2000)
  9. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in CCS ’93: Proceedings of the 1st ACM Conference on Computer and Communications Security (ACM, New York, NY, USA, 1993), pp. 62–73
  10. M. Bellare, P. Rogaway, Optimal asymmetric encryption, in Advances in Cryptology—EUROCRYPT ’94, Lecture Notes in Computer Science, pp. 92–111 (1994)
  11. M. Bellare, P. Rogaway, The exact security of digital signatures—how to sign with RSA and Rabin, in Advances in Cryptology—EUROCRYPT ’96, Lecture Notes in Computer Science, pp. 399–416 (1996)
  12. J. Black, P. Rogaway, Ciphers with arbitrary finite domains, in CT-RSA 2002, Lecture Notes in Computer Science, pp. 114–130 (2002)
  13. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—EUROCRYPT 2006, Lecture Notes in Computer Science, vol. 4004, pp. 409–426 (2006)
  14. J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology—CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, pp. 320–335 (2002)
  15. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in FOCS ’01: Proceedings of the 42nd IEEE Annual Symposium on Foundations of Computer Science, pp. 136–145 (2001)
  16. J.-S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damgård revisited: how to construct a hash function, in V. Shoup, editor, Advances in Cryptology—CRYPTO 2005, Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 430–448
  17. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
  18. S. Chen, R. Lampe, J. Lee, Y. Seurin, J.P. Steinberger, Minimizing the two-round Even-Mansour cipher, in J.A. Garay, R. Gennaro, editors, Advances in Cryptology—CRYPTO 2014 (Proceedings, Part I), Lecture Notes in Computer Science, vol. 8616 (Springer, Berlin, 2014), pp. 39–56. Full version available at http://eprint.iacr.org/2014/443
  19. J.-S. Coron, J. Patarin, Y. Seurin, The random oracle model and the ideal cipher model are equivalent, in D. Wagner, editor, CRYPTO, Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 1–20
  20. J.-S. Coron, J. Patarin, Y. Seurin, The random oracle model and the ideal cipher model are equivalent. Cryptology ePrint Archive, Report 2008/246, August 2008. Version: 20080816:121712, http://eprint.iacr.org/, Extended Abstract at CRYPTO 2008
  21. S. Chen, J. Steinberger, Tight security bounds for key-alternating ciphers, in P.Q. Nguyen, E. Oswald, editors, Advances in Cryptology—EUROCRYPT 2014, Lecture Notes in Computer Science, vol. 8441, pp. 327–350 (Springer, Berlin, 2014). Full version available at http://eprint.iacr.org/2013/222
  22. I.B. Damgård, A design principle for hash functions, in Advances in Cryptology—CRYPTO ’89, Lecture Notes in Computer Science, vol. 435, pp. 416–427 (1989)
  23. G. Demay, P. Gazi, M. Hirt, U. Maurer, Resource-restricted indifferentiability, in EUROCRYPT 2013, Lecture Notes in Computer Science, vol. 7881, pp. 664–683 (2013)
  24. Y. Dodis, P. Puniya, On the relation between the ideal cipher and the random oracle models, in Theory of Cryptography—TCC 2006, Lecture Notes in Computer Science, vol. 3876, pp. 184–206 (2006)
  25. S. Dziembowski, K. Pietrzak, D. Wichs, Non-malleable codes, in Innovations in Computer Science—ICS 2010, pp. 434–452 (2010)
  26. Y. Dodis, L. Reyzin, R.L. Rivest, E. Shen, Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6, in O. Dunkelman, editor, Fast Software Encryption—FSE 2009, Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 104–121
  27. S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
  28. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in Advances in Cryptology—CRYPTO ’86, Lecture Notes in Computer Science, vol. 263, pp. 186–194 (1986)
  29. T. Holenstein, R. Künzler, S. Tessaro, The equivalence of the random oracle model and the ideal cipher model, revisited, in L. Fortnow, S.P. Vadhan, editors, STOC (ACM, New York, 2011), pp. 89–98
  30. J. Kilian, P. Rogaway, How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17–35 (2001)
  31. J. Kahn, M.E. Saks, C.D. Smyth, A dual version of Reimer’s inequality and a proof of Rudich’s conjecture, in IEEE Conference on Computational Complexity, pp. 98–103 (2000)
  32. M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
  33. R. Lampe, Y. Seurin, How to construct an ideal cipher from a small set of public permutations, in K. Sako, P. Sarkar, editors, Advances in Cryptology—ASIACRYPT 2013 (Proceedings, Part I), Lecture Notes in Computer Science, vol. 8269 (Springer, Berlin, 2013), pp. 444–463. Full version available at http://eprint.iacr.org/2013/255
  34. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in Theory of Cryptography Conference—TCC 2009, Lecture Notes in Computer Science, vol. 5444, pp. 183–201 (2009)
  35. U. Maurer, Indistinguishability of random systems, in Advances in Cryptology—EUROCRYPT 2002, Lecture Notes in Computer Science, vol. 2332, pp. 110–132 (2002)
  36. R.C. Merkle, A certified digital signature, in Advances in Cryptology—CRYPTO ’89, Lecture Notes in Computer Science, vol. 435, pp. 218–238 (1989)
  37. A. Mandal, J. Patarin, Y. Seurin, On the public indifferentiability and correlation intractability of the 6-round Feistel construction, in TCC (2012). Full version available at http://eprint.iacr.org/2011/496.pdf
  38. U. Maurer, R. Renner, Abstract cryptography, in Innovations in Computer Science—ICS 2011, pp. 1–21 (2011)
  39. U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography Conference—TCC 2004, Lecture Notes in Computer Science, vol. 2951, pp. 21–39, February 2004
  40. P. Rogaway, J.P. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in D. Wagner, editor, Advances in Cryptology—CRYPTO 2008, Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 433–450
  41. P. Rogaway, J.P. Steinberger, Security/efficiency tradeoffs for permutation-based hashing, in N.P. Smart, editor, Advances in Cryptology—EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 220–236
  42. T. Ristenpart, H. Shacham, T. Shrimpton, Careful with composition: limitations of the indifferentiability framework, in K.G. Paterson, editor, EUROCRYPT, Lecture Notes in Computer Science, vol. 6632 (Springer, Berlin, 2011), pp. 487–506
  43. S. Rudich, Limits on the Provable Consequences of One-way Functions. PhD thesis (1989)
  44. Y. Seurin, Primitives et protocoles cryptographiques à sécurité prouvée. PhD thesis, Université de Versailles Saint-Quentin-en-Yvelines, UFR de Sciences - École doctorale SoFt - Laboratoire PRiSM (2009)
  45. Y. Seurin, A note on the indifferentiability of the 10-round Feistel construction, March 2011. Unpublished note available from the author
  46. C.E. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949)
  47. V. Shoup, Sequences of games: a tool for taming complexity in security proofs (2004)

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Jean-Sébastien Coron (1)
  • Thomas Holenstein (2)
  • Robin Künzler (2)
  • Jacques Patarin (3)
  • Yannick Seurin (4)
  • Stefano Tessaro (5)
  1. University of Luxembourg, Luxembourg, Luxembourg
  2. Department of Computer Science, ETH Zurich, Zurich, Switzerland
  3. University of Versailles-Saint-Quentin, Versailles, France
  4. ANSSI, Paris, France
  5. Department of Computer Science, University of California, Santa Barbara, Santa Barbara, USA
