Format-Preserving Encryption
Cited by 4 (2 self)
Abstract. Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
Proving the security of AES substitution-permutation network
- Selected Areas in Cryptography, SAC 05, volume 3897 of LNCS
, 2006
Cited by 2 (2 self)
Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that the fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.
On Tweaking Luby-Rackoff Blockciphers
- In Advances in Cryptology – ASIACRYPT
, 2007
Cited by 2 (0 self)
Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [13], are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal, and for what levels of security? How large a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.
F-HASH: Securing Hash Functions Using Feistel Chaining
- Cryptology ePrint Archive
Cited by 1 (0 self)
Abstract. The Feistel structure is well-known as a good structure for building block ciphers, due to its property of invertibility. It can be made non-invertible by fixing the left half of the input to 0, and by discarding the left half of the output bits. It then becomes suitable as a hash function construction. This paper uses the structure to build a hash function called F-Hash, which is immune to recent attack styles. Generally the security of such structures is discussed using Random Oracle Models. In this paper, a more precise evaluation method, based upon conditional probability, is given.
New Integrated proof method on Iterated Hash Structure and New Structures
, 2006
Cited by 1 (1 self)
A secure hash structure in the Random Oracle Model may not be a secure model in a true design. In this paper, we give an integrated proof method for the security proof of iterated hash structures. Based on this proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3C hash, identify the requirements a true design places on the compression function, and give a new recommended structure. Finally, we give a new hash structure, MAC structure and encryption model that use the same block cipher round function and key schedule algorithm; security proofs for those structures are given.
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
Cited by 1 (0 self)
Abstract. Unbalanced Feistel schemes with expanding functions are used to construct pseudo-random permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F^d_k, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the result of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, block ciphers.
TWEAKABLE BLOCKCIPHERS SECURE AGAINST GENERIC EXPONENTIAL ATTACKS
, 2007
Cited by 1 (0 self)
Security Analysis of the GF-NLFSR Structure and Four-Cell Block Cipher
Cited by 1 (0 self)
Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include the Feistel structure, SP structure, MISTY structure, L-M structure and Generalized Feistel structure. In [29], Choy et al. proposed a new structure called GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GF-NLFSR. In this paper, we first study properties of the n-cell GF-NLFSR structure, and prove that for an n-cell GF-NLFSR, there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with the differential cryptanalysis technique. The data complexity of our attack is 2^111.5 and the time complexity is less than 2^123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.
Generic attacks on Alternating Unbalanced Feistel Schemes
Abstract. Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in [12], [4], [15], [16]. In this paper we study schemes where we alternately use contracting random functions and expanding random functions. We name these schemes “Alternating Unbalanced Feistel Schemes”. They allow constructing pseudo-random permutations from kn bits to kn bits where k ≥ 3. At each round, we use either a random function from n bits to (k−1)n bits or a random function from (k−1)n bits to n bits. We describe the best generic attacks we have found. We present “known plaintext attacks” (KPA) and “non-adaptive chosen plaintext attacks” (CPA-1). Let d be the number of rounds. We show that if d ≤ k, there are CPA-1 with 2 messages and KPA with m, the number of messages, about 2^((d−1)n/4). For d ≥ k + 1 we have to distinguish k even and k odd. For k even, we have m = 2 in CPA-1 and m ≃ 2^(kn/4) in KPA. When k is odd, we show that there exist CPA-1 for d ≤ 2k − 1 and KPA for d ≤ 2k + 3 with less than 2^(kn) messages and computations. Beyond these values, we give KPA against generators of permutations.
Best Effort and Practice Activation Codes
, 1101
Abstract. Activation Codes are used in many different digital services and are known by many different names, including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used, there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feistel network of size 2^(2n). This attack recovers the complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity.

