43 citations found.
S. Vaudenay, Provable security for block ciphers by decorrelation, In stacs'98, Paris, France, Lectures Note in Computer Science 1373, Springer-Verlag, pp. 249-- 275, 1998.


This paper is cited in the following contexts:
Indistinguishability of Random Systems - Maurer (2002)   (4 citations)  (Correct)

....the proof for the Luby-Rackoff construction and generalizations thereof was shown to boil down to simple collision arguments (but the proof was stated only for non-adaptive distinguishers). Naor and Reingold [18] generalized the Luby-Rackoff constructions. In a sequence of papers (e.g. see [21, 22]) Vaudenay developed decorrelation theory and applied it to the design of block ciphers and the analysis of constructions like the CBC-MAC. Petrank and Rackoff [17] gave a generalized treatment of the CBC-MAC. 1.4 Contributions of the Paper and Sketch of the Framework. This paper defines the ....

S. Vaudenay, Provable security for block ciphers by decorrelation, Proceedings of STACS'98, Lecture Notes in Computer Science, vol. 1373, Springer-Verlag, pp. 249--275, 1998.


The Boomerang Attack - Wagner (1999)   (15 citations)  (Correct)

....Khufu (16): 2^18 CP, 2^18; CAST-256 (16): 2^49.3 KP, 2^49.3; FEAL (6): 4 CP. KP = known plaintext, CP = adaptive chosen plaintext/ciphertext. Table 1. Summary of our attacks. We give a surprisingly sharp example of this possibility in Sections 3-5 below, where we show how to break COCONUT98 [V98] with just 2^16 chosen texts and 2^38 work, despite a proof that the best characteristic for the whole cipher must have probability p ≤ 2^{-64}. Our attack makes crucial use of a characteristic for half of the cipher with probability q = 2^{-4}. This shows that the folk theorem can fail ....

....to obtain the plaintexts Q, Q' with two adaptive chosen ciphertext queries. See Figure 1 for a pictorial depiction of the basic boomerang attack. In the remainder of the paper, we consider several concrete attacks using the boomerang attack. 3 The COCONUT98 algorithm. The COCONUT98 cipher [V98] may be of special interest to some readers because of its reliance on the recently developed theory of decorrelation techniques for block cipher design [V97, V98, V98b, GGH 98]. Using decorrelation techniques, [V98] proves that the full COCONUT98 cipher admits no good differential characteristics. ....

[Article contains additional citation context not shown here]

S. Vaudenay, "Provable Security for Block Ciphers by Decorrelation," STACS'98, Springer-Verlag LNCS 1373, 1998.


Decorrelated Fast Cipher: an AES Candidate (Extended.. - Gilbert, Girault.. (1998)   (Correct)

....7 Security Results. The design construction is based on decorrelation techniques (see [5-7]). From the decorrelation theory we know that a six-round Feistel cipher which uses RF with independent subkeys has a pairwise decorrelation distance less than 0.821·2^{-113} to the Perfect Cipher. We can thus give lower bounds on the complexity of differential cryptanalysis, linear ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


The Boomerang Attack - Wagner   (15 citations)  (Correct)

....sharper statement: even if no differential for the whole cipher has probability that is too high or too low, the cipher might still be vulnerable to differential-style attacks. We give a surprisingly sharp example of this possibility in Sections 3-5 below, where we show how to break COCONUT98 [V98] with just 2^16 chosen texts and 2^38 work, despite a proof that the best characteristic for the whole cipher must have probability p ≤ 2^{-64}. Our attack makes crucial use of a characteristic for half of the cipher with probability q = 2^{-4}. This shows that the folk theorem can ....

....as D = C ⊕ r and D' = C' ⊕ r. Finally we decrypt D, D' to obtain the plaintexts Q, Q' with two adaptive chosen ciphertext queries. In the remainder of the paper, we consider several concrete attacks using the boomerang attack. 3 The COCONUT98 algorithm. The COCONUT98 cipher [V98] may be of special interest to some readers because of its reliance on the recently developed theory of decorrelation techniques for block cipher design [V97, V98, V98b, GGH 98]. Using decorrelation techniques, [V98] proves that the full COCONUT98 cipher admits no good differential characteristics. ....

[Article contains additional citation context not shown here]

S. Vaudenay, "Provable Security for Block Ciphers by Decorrelation," STACS'98, Springer-Verlag LNCS 1373, pp.249--275, 1998.


Computational Alternatives to Random Number Generators - Published In Tavares   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay, Provable security for block ciphers by decorrelation, In stacs'98, Paris, France, Lectures Note in Computer Science 1373, Springer-Verlag, pp. 249-- 275, 1998.


DFC Update - Published In Proc   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In Proc. of STACS 98, LNCS 1373, Springer-Verlag, pp. 249--275, 1998.


Comparison of Randomness Provided by Several Schemes for.. - Shiho Moriai And (1999)   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. (Full Paper.) Technical report LIENS-98-8, Ecole Normale Superieure, 1998.


Comparison of Randomness Provided by Several Schemes for.. - Shiho Moriai And (1999)   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Computational Alternatives to Random Number Generators - M'Raïhi, Naccache, eal. (1999)   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay, Provable security for block ciphers by decorrelation, In stacs'98, Paris, France, Lectures Note in Computer Science 1373, Springer-Verlag, pp. 249-- 275, 1998.


Computational Alternatives to Random Number Generators - M'Raïhi, Naccache, al. (1999)   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay, Provable security for block ciphers by decorrelation, In stacs'98, Paris, France, Lectures Note in Computer Science 1373, Springer-Verlag, pp. 249-- 275, 1998.


DFCv2 - Granboulan, Nguyen, Noilhan, Vaudenay (2000)   Self-citation (Vaudenay)   (Correct)

....process. 1 Introduction. A major goal in cryptography is to prove security statements on encryption schemes. To this respect, it is well known that the status of secret-key cryptography is quite different from that of public-key cryptography. The decorrelation theory was introduced in 1998 (see [20] for the original reference) as an attempt towards filling this gap, by providing new ideas to build block ciphers, together with security proofs covering certain (however general) classes of attacks. Since the AES process was launched by NIST at about the same period, the French National Center ....

....proposal for making secure and efficient block ciphers. The target platform was chosen to be 64-bit microprocessors, as such chips are likely to become standard during the lifetime of the AES. The CNRS project gave birth to the Decorrelated Fast Cipher (DFC) [6,7]. Decorrelation theory (see [20,21,22,23,24,25]) enables one to prove formal results on the security of cryptographic primitives under certain hypotheses which we believe to be realistic. In particular, it enables one to quantify the best advantage to distinguish two families of block ciphers, for a class of attacks with limited resources. For ....

[Article contains additional citation context not shown here]

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. Invited talk. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249-275, Springer-Verlag,


Computational Alternatives to Random Number Generators - Raïhi, Naccache.. (1998)   Self-citation (Vaudenay)   (Correct)

....variant of Schnorr's scheme. ... safe until n = 2 =4 messages have been encrypted (this argument was brought as evidence for DES security). Note that (n, ε) pseudo-randomness was recently shown to be close to the notion of n-wise decorrelation bias, investigated by Vaudenay in [24]. This construction can be adapted to pseudo-random hash functions as follows: we first show how to construct a pseudo-random hash function from a huge random string and then simplify the model by de-randomizing the string and shrinking it to what is strictly necessary for providing provable ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS '98, LNCS 1373, pages 249-275. Springer-Verlag, 1998.


Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case - Vaudenay (2000)   (1 citation)  Self-citation (Vaudenay)   (Correct)

....theory. This leads to a slightly improved result and a more compact proof. This result is meant to be a general proving technique for security, which can be compared to the approach which was announced by Maurer at CRYPTO 99. Decorrelation theory has recently been introduced. See references [17] to [22]. Its first aim was to address provable security in the area of block ciphers in order to prove their security against differential [7] and linear cryptanalysis [10]. As a matter of fact, these techniques have also been used in order to prove Luby-Rackoff-like pseudorandomness results [9] ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. Invited talk. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249-275, Springer-Verlag, 1998. Full Paper: technical report LIENS-98-8, Ecole Normale Superieure, 1998. (ftp://ftp.ens.fr/pub/reports/liens/)


Resistance Against General Iterated Attacks - Vaudenay (1998)   (2 citations)  Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable security for block ciphers by decorrelation. (Journal Version. ) Submitted.


Resistance Against General Iterated Attacks - Vaudenay (1998)   (2 citations)  Self-citation (Vaudenay)   (Correct)

....to prove the security of block ciphers against it. Earlier work, initiated by Nyberg [9], was based on algebraic techniques. Recently, Vaudenay adapted Carter and Wegman's combinatoric notion of universal functions [3, 16] in the context of encryption and formalized the notion of decorrelation bias [13]. This measurement enables one to quantify the security of block ciphers against several classes of attacks. In [13] several real-life block ciphers have been proposed, namely COCONUT98 and PEANUT98. Their decorrelation biases have been measured, and the security against differential and linear ....

....techniques. Recently, Vaudenay adapted Carter and Wegman's combinatoric notion of universal functions [3, 16] in the context of encryption and formalized the notion of decorrelation bias [13]. This measurement enables one to quantify the security of block ciphers against several classes of attacks. In [13], several real-life block ciphers have been proposed, namely COCONUT98 and PEANUT98. Their decorrelation biases have been measured, and the security against differential and linear cryptanalysis has been proved. In this paper, we generalize these results in a uniform approach. We introduce the ....

[Article contains additional citation context not shown here]

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Decorrelated Fast Cipher: An AES Candidate Well Suited for.. - Poupard, Vaudenay (1998)   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Lectures Notes in Computer Science 1373, pp. 249--275, Springer-Verlag, 1998.


Comparison of the Randomness Provided by Some AES Candidates - Vaudenay, Moriai (1999)   (1 citation)  Self-citation (Vaudenay)   (Correct)

No context found.

[5] S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp.


Computational Alternatives to Random Number Generators - M'Raïhi, Naccache..   Self-citation (Vaudenay)   (Correct)

.... is (n, n 2 =2 =2) pseudo-random and safe until n = 2 =4 messages have been encrypted (this argument was brought as evidence for DES security). Note that (n, ε) pseudo-randomness was recently shown to be close to the notion of n-wise decorrelation bias, investigated by Vaudenay in [22]. This construction can be adapted to pseudo-random hash functions as follows: we first show how to construct a pseudo-random hash function from a huge random string and then simplify the model by derandomising the string and shrinking it to what is strictly necessary for providing provable ....

S. Vaudenay, Provable security for block ciphers by decorrelation, In stacs'98, Paris, France, Lectures Note in Computer Science 1373, Springer-Verlag, pp. 249--275, 1998.


Comparison of Randomness Provided by Several Schemes for.. - Moriai, Vaudenay (1999)   Self-citation (Vaudenay)   (Correct)

....scheme used in Square, Rijndael and Crypton. The pseudorandomness of some general schemes was discussed in previous papers, e.g. [6, 16]. In this paper we show how we can reach these kinds of results and extensions in an easier and systematic way by using decorrelation theory introduced in [9, 10, 12-14]. In order to compare the schemes we study the threshold number of rounds for having randomness, the theoretical minimal number of secure rounds against attacks which are limited to two chosen plaintexts or ciphertexts (which plays a crucial role in the security against differential and linear ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. (Full Paper.) Technical report LIENS-98-8, Ecole Normale Superieure, 1998. URL: ftp://ftp.ens.fr/pub/reports/liens/liens-98-8.A4.ps.Z


Comparison of Randomness Provided by Several Schemes for.. - Moriai, Vaudenay (1999)   Self-citation (Vaudenay)   (Correct)

....scheme used in Square, Rijndael and Crypton. The pseudorandomness of some general schemes was discussed in previous papers, e.g. [6, 16]. In this paper we show how we can reach these kinds of results and extensions in an easier and systematic way by using decorrelation theory introduced in [9, 10, 12-14]. In order to compare the schemes we study the threshold number of rounds for having randomness, the theoretical minimal number of secure rounds against attacks which are limited to two chosen plaintexts or ciphertexts (which plays a crucial role in the security against differential and linear ....

....random function from M_1 to M_2. Similarly, for M_1 = M_2, if C is a random permutation over M_1 we define the d-wise decorrelation bias of permutation C as being the distance DecP^d_D(C) = D([C]^d, [C*]^d) where C* is a uniformly distributed random permutation over M_1. In [9], the infinity-associated matrix norm ||·||_∞ was considered. This facilitated the proof of the security against non-adaptive iterated attacks. The following matrix norms ||·||_a and ||·||_s are dedicated to adaptive chosen plaintext attacks and chosen plaintext and ciphertext attacks, ....

[Article contains additional citation context not shown here]

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Decorrelated Fast Cipher: An AES Candidate Well Suited for.. - Poupard, Vaudenay (1998)   Self-citation (Vaudenay)   (Correct)

....http: www.dmi.ens.fr vaudenay dfc.html stream cipher, hash function, MAC algorithm. The new design of DFC combines heuristic construction with provable security against a wide class of attacks. Unlike the Nyberg-Knudsen paradigm, our approach is combinatorial. It relies on Vaudenay's paradigm [15-19]. This construction provides much more freedom since it can be combined with heuristic designs. In [6] we provided proofs of security against some classes of general simple attacks which include differential and linear cryptanalysis. This result is based on the decorrelation theory. We believe ....

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Lectures Notes in Computer Science 1373, pp. 249--275, Springer-Verlag, 1998.


DFC Update - Baudron, Gilbert, Granboulan.. (1999)   Self-citation (Vaudenay)   (Correct)

....where ε = DecF^2(RF) is the pairwise decorrelation bias of the round function, which is such that DecF^2(RF) ≤ 2((p/2^{m/2})^2 − 1) (2), where p is the smallest prime number greater than 2^{m/2}. We consider here the decorrelation with the |||·|||_∞ norm as explained in [8-11]. Thus if we let p = 2^{m/2}(1 + δ) we can approximate the decorrelation bias upper bound by Gamma 4ffi 2 3 Gamma m 2 Delta b r 3 c : 3) This shows that the pairwise decorrelation bias is negligible compared to 2^{-m} if r ≥ 9. We believe that r = 8 is sufficient. For m = ....

....order of 1/√DecP^2. In these results, the phrase "on the order of" means equality to within a constant factor depending only on the expected probability of success. For a probability of 50%, these constants are greater than 1/10. More precisely we recall the following results taken from [8-11]. Theorem 2. For any differential distinguisher with complexity n against a permutation over a space of 2^m elements and with a pairwise decorrelation bias of DecP^2, the advantage Adv is such that Adv ≤ (n/2)·DecP^2 + n/(2^m − 1) (5). Similarly, for any linear distinguisher we ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Report on the AES Candidates - Baudron, Gilbert, Granboulan.. (1999)   (6 citations)  Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


DFC Update - Baudron, Gilbert, Granboulan.. (1999)   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


On Perfect Secrecy, Differential Cryptanalysis, One-Time Pad.. - Vaudenay (1998)   Self-citation (Vaudenay)   (Correct)

....complexity of a fixed-characteristic attack over the distribution of the secret key. It is well known that this average complexity depends on the following quantity. EDP(Δx, Δy) = E_K Pr_X [E_K(X ⊕ Δx) ⊕ E_K(X) = Δy]. More precisely, we have the following result (see [3] for instance). Theorem 3. If for any (Δx, Δy) with Δx ≠ 0 we have EDP(Δx, Δy) ≤ c·2^{-n} (where n is the bitlength of the plaintexts) then for any differential cryptanalysis with a fixed characteristic the average complexity is greater than 2^n/c in encryption ....

.... Although this result is quite paradoxical, we can use it by defining the cipher E_K(x) = E''_{K2}(a·E'_{K1}(x) + b) where K = (K1, K2, a, b) for any choice of E' and E'' (for instance, E' = E'' = DES [1]). This is actually the construction of the COCONUT Cipher Family [3]. The internal affine permutation makes the cipher provably resistant against differential cryptanalysis, and the two other ciphers can provide some empirical security against any other attacks. Here security against differential cryptanalysis comes from the unconditional security when used only ....

[Article contains additional citation context not shown here]

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Decorrelated Fast Cipher: an AES Candidate - Gilbert, Girault, Hoogvorst.. (1998)   (3 citations)  Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable security for block ciphers by decorrelation. (Journal Version. ) Submitted.


Decorrelated Fast Cipher: an AES Candidate - Gilbert, Girault, Hoogvorst.. (1998)   (3 citations)  Self-citation (Vaudenay)   (Correct)

....Knudsen [9], although no weakness has been discovered in MISTY so far). Here, we propose a new design which combines heuristic construction with provable security against a wide class of attacks. Unlike the Nyberg-Knudsen paradigm, our approach is combinatorial. It relies on Vaudenay's paradigm [19-21]. This construction provides much more freedom since it can be combined with heuristic designs. In response to the call for candidates for the Advanced Encryption Standard (AES) which has been issued by the National Institute of Standards and Technology (NIST) we propose the hereafter defined ....

....efficiently possible. Although we did not investigate all possible applications, we believe that there is no restriction on the implementability of DFC. 5 Security Analysis, Tentative Attacks. 5.1 Security Results. The design construction is based on decorrelation techniques developed by Vaudenay [19-21] (see Appendix). From the results recalled in Appendix C, we know that if a|b is a uniformly distributed 128-bit string we have ||[RF_{a|b}]^2 − [R]^2|| ≤ 0.813·2^{-58} (32) (see Appendix A for definitions of the notations) where R is a truly random 64-bit to 64-bit function. Thus a ....

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Decorrelated Fast Cipher: An AES Candidate Well Suited for.. - Poupard, Vaudenay   Self-citation (Vaudenay)   (Correct)

No context found.

S. Vaudenay. Provable security for block ciphers by decorrelation. (Journal Version) Submitted.


Decorrelated Fast Cipher: An AES Candidate Well Suited for.. - Poupard, Vaudenay   Self-citation (Vaudenay)   (Correct)

....other cryptographic primitives such as stream ciphers, hash functions, MAC algorithms. The new design of DFC combines heuristic construction with provable security against a wide class of attacks. Unlike the Nyberg-Knudsen paradigm, our approach is combinatorial. It relies on Vaudenay's paradigm [14-16]. This construction provides much more freedom since it can be combined with heuristic designs. In [6] we provided proofs of security against some classes of general simple attacks which include differential and linear cryptanalysis. This result is based on the decorrelation theory. We believe ....

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Report on the AES Candidates - Baudron, Gilbert, Granboulan..   (6 citations)  Self-citation (Vaudenay)   (Correct)

....more freedom in the design and allows one to prove security against several classes of popular attacks. Of course, this has to be considered with great care, because some simple decorrelated designs can be broken by new kinds of attacks. We mention Wagner's boomerang attacks [52] against Coconut98 [48]. The reasonable conclusion is that the cipher has to be heuristically secure without the decorrelation modules (which was not the case of Coconut98) and that the decorrelation properties provide an additional level of security. We think that it is important for the forthcoming encryption ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Computational Alternatives to Random Number Generators - M'Raïhi, Naccache.. (1998)   Self-citation (Vaudenay)   (Correct)

....variant of Schnorr's scheme. ... safe until n = 2 =4 messages have been encrypted (this argument was brought as evidence for DES security). Note that (n, ε) pseudo-randomness was recently shown to be close to the notion of n-wise decorrelation bias, investigated by Vaudenay in [24]. This construction can be adapted to pseudo-random hash functions as follows: we first show how to construct a pseudo-random hash function from a huge random string and then simplify the model by de-randomizing the string and shrinking it to what is strictly necessary for providing provable ....

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. In STACS '98, LNCS 1373, pages 249--275. Springer-Verlag, 1998.


Provable security for block Ciphers by decorrelation - Vaudenay (1998)   (10 citations)  Self-citation (Vaudenay)   (Correct)

....Therefore, the COCONUT approach consists in making the cipher provably resistant against attacks of order at most 2 such as differential or linear cryptanalysis, and heuristically secure against attacks of higher order by real-life ciphers as C_1 and C_3. The COCONUT98 Cipher has been proposed in [35] with parameters m = 64 and p = x^64 + x^11 + x^2 + x + 1. 10 PEANUT: a Partial Decorrelation Design. In this section we define the PEANUT Ciphers family, which achieves an example of partial decorrelation. This family is based on a combinatorial tool which has been previously used by ....

....⌊r/3⌋. Example 20. We can use the parameters m = 64, r = 9, d = 2 and p = 2^32 + 15. We obtain that Dec^2_{|||·|||_∞}(C) ≤ 2^{-76}. Therefore from Theorems 14 and 16 no differential or linear distinguisher can be efficient. The PEANUT98 Cipher has been proposed with these parameters in [35]. In an earlier version of this work [34] we proposed a similar construction (say PEANUT97) which uses prime numbers smaller than 2^{m/2}. However the result above does not hold with the |||·|||_∞ norm, but rather with the ||·||_2 one. The drawback is that this norm has less friendly theorems ....

[Article contains additional citation context not shown here]

S. Vaudenay. Provable security for block ciphers by decorrelation. In STACS 98, Paris, France, Lectures Notes in Computer Science 1373, pp. 249--275, SpringerVerlag, 1998.


Enhancing Differential-Linear Cryptanalysis - Biham, Dunkelman, Keller (2002)   (Correct)

No context found.

Serge Vaudenay, Provable Security for Block Ciphers by Decorrelation, proceedings of STACS '98, Lecture Notes in Computer Science 1373, pp. 249--275, 1998.


Composition of Random Systems: When Two Weak Make One Strong - Maurer, Peitrzak (2004)   (Correct)

No context found.

S. Vaudenay, Provable security for block ciphers by decorrelation, Proceedings of STACS'98, Lecture Notes in Computer Science, vol. 1373, Springer-Verlag, pp. 249-275, 1998.


On the Differential and Linear Properties of Addition - Wallén (2003)   (Correct)

No context found.

Serge Vaudenay. Provable security for block ciphers by decorrelation. In Symposium on Theoretical Aspects of Computer Science 1998.


Block Ciphers and Stream Ciphers: The State of the Art - Biryukov (2004)   (Correct)

No context found.

S. Vaudenay, "Provable security for block ciphers by decorrelation," in STACS , Lecture Notes in Computer Science, pp. 249--275, Springer-Verlag, 1998.


New Tools in Cryptography: Mutually Independent Commitments.. - Liskov (2004)   (Correct)

No context found.

Serge Vaudenay. Provable security for block ciphers by decorrelation. In Proceedings STACS '98, volume 1373 of Lecture Notes in Computer Science, pages 249--275. Springer-Verlag, 1998.


Decorrelated Fast Cipher: an AES Candidate (Extended.. - Gilbert, Girault.. (1998)   (Correct)

No context found.

S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. (Journal Version. ) Submitted.


CiteSeer.IST - Copyright Penn State and NEC