Provable security for block ciphers by decorrelation

  • Serge Vaudenay
Invited Talk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1373)

Abstract

In this presentation we investigate a new way of protecting block ciphers against classes of attacks (including differential and linear cryptanalysis) based on the notion of decorrelation, which is closely connected to Carter and Wegman's notion of universal functions. This gives a simple and convenient combinatorial measure that makes it possible to quantify security. We show that provable protections and heuristic protections can be mixed. Finally, we propose two new families of block ciphers, which we call COCONUT and PEANUT, that implement these ideas and achieve quite reasonable performance for real-life applications.
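The abstract only names the link between decorrelation and Carter-Wegman universal functions. The following added example (not code from the paper, and not the COCONUT or PEANUT ciphers) makes the link concrete on a toy scale. It assumes the definitions from Vaudenay's decorrelation theory, which the page does not spell out: the 2-wise distribution matrix [C]^2 of a key-indexed family C gives, for every pair of distinct inputs, the distribution over the key of the pair of outputs; the 2-wise decorrelation is the distance between [C]^2 and the matrix [C*]^2 of a uniformly random permutation, measured here with the row-sum norm. The message space Z_7 and the two families (the affine family x -> a*x + b with a != 0, which is a pairwise-independent Carter-Wegman family, and the additive family x -> x + b) are constructed for illustration. The example also computes the best differential probability of each family, which is the quantity differential cryptanalysis exploits.

```python
"""Two-wise decorrelation of two toy key-indexed permutation families.

Added example; not code from the paper.  Definitions assumed (from
decorrelation theory, not given on the page):
    [C]^2[(x1,x2),(y1,y2)] = Pr_K[C_K(x1) = y1 and C_K(x2) = y2]
    Dec^2(C) = || [C]^2 - [C*]^2 ||_inf,   ||A||_inf = max_x sum_y |A[x,y]|
where C* is a uniformly random permutation of the message space.
"""
from fractions import Fraction
from itertools import permutations

P = 7  # constructed toy parameter: the message space is Z_7 (a prime field)


def affine_family():
    """Carter-Wegman style family x -> a*x + b mod P with a != 0; key is (a, b)."""
    return [((a, b), (lambda x, a=a, b=b: (a * x + b) % P))
            for a in range(1, P) for b in range(P)]


def additive_family():
    """Weaker family x -> x + b mod P; key is b alone."""
    return [(b, (lambda x, b=b: (x + b) % P)) for b in range(P)]


def distribution_matrix_2(family):
    """[C]^2: for each ordered pair of distinct inputs, the distribution of the outputs."""
    n_keys = len(family)
    matrix = {}
    for x1, x2 in permutations(range(P), 2):
        row = {}
        for _, f in family:
            y = (f(x1), f(x2))
            row[y] = row.get(y, Fraction(0)) + Fraction(1, n_keys)
        matrix[(x1, x2)] = row
    return matrix


def perfect_matrix_2():
    """[C*]^2 for a uniformly random permutation: every distinct output pair is equally likely."""
    pairs = list(permutations(range(P), 2))
    uniform = Fraction(1, len(pairs))
    return {x: {y: uniform for y in pairs} for x in pairs}


def decorrelation_2(family):
    """Row-sum distance ||[C]^2 - [C*]^2||_inf; 0 means perfectly 2-decorrelated."""
    actual, star = distribution_matrix_2(family), perfect_matrix_2()
    worst_row = Fraction(0)
    for x, star_row in star.items():
        row_sum = sum(abs(actual[x].get(y, Fraction(0)) - p) for y, p in star_row.items())
        worst_row = max(worst_row, row_sum)
    return worst_row


def max_differential_probability(family):
    """max over (din != 0, dout) of Pr_{K,x}[ C_K(x + din) - C_K(x) = dout ]."""
    best = Fraction(0)
    total = len(family) * P
    for din in range(1, P):
        counts = {}
        for _, f in family:
            for x in range(P):
                dout = (f((x + din) % P) - f(x)) % P
                counts[dout] = counts.get(dout, 0) + 1
        best = max(best, max(Fraction(c, total) for c in counts.values()))
    return best


if __name__ == "__main__":
    for name, fam in (("affine a*x+b", affine_family()), ("additive x+b", additive_family())):
        print(f"{name:14s} Dec^2 = {decorrelation_2(fam)}  max DP = {max_differential_probability(fam)}")
```

The affine family has decorrelation 0: for distinct x1, x2 and distinct y1, y2 exactly one key (a, b) maps x1 to y1 and x2 to y2, so its 2-wise distribution matrix equals that of a random permutation, and its best differential probability is 1/(P-1), the same as for a random permutation. The additive family has decorrelation 5/3 and a differential with probability 1, since the output difference always equals the input difference; a distinguisher that tests y2 - y1 = x2 - x1 has advantage 5/6, which is half the decorrelation value, matching the bound that decorrelation theory gives for non-adaptive two-query distinguishers.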

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Serge Vaudenay, Ecole Normale Supérieure - CNRS, France
