On the indifferentiability of key-alternating ciphers

Elena Andreeva; Andrey Bogdanov; Yevgeniy Dodis; Bart Mennink; John P. Steinberger

doi:10.1007/978-3-642-40041-4_29

On the indifferentiability of key-alternating ciphers

Elena Andreeva, Andrey Bogdanov, Yevgeniy Dodis, Bart Mennink, John P. Steinberger

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KA_t consists of a small number t of fixed permutations P_i on n bits, separated by key addition: KA_t(K, m) = k_t ⊕ P _t(...k₂ ⊕ P₂(k₁ ⊕ P ₁(k₀ ⊕ m))...), where, (k₀..., k _t) are obtained from the master key K using some key derivation function. For t = 1, KA₁ collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P₁ is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KA_t indifferentiable from the ideal cipher, assuming P₁,...,P_t are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA₅ is indifferentiable from an ideal cipher, assuming P₁,...,P₅ are five independent random permutations, and the key derivation function sets all rounds keys k_i = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P₀(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P₀,P₁,P₂,P₃,P ₄,P₅.

Original language	English (US)
Title of host publication	Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings
Pages	531-550
Number of pages	20
Edition	PART 1
DOIs	https://doi.org/10.1007/978-3-642-40041-4_29
State	Published - 2013
Event	33rd Annual International Cryptology Conference, CRYPTO 2013 - Santa Barbara, CA, United States Duration: Aug 18 2013 → Aug 22 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Number	PART 1
Volume	8042 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	33rd Annual International Cryptology Conference, CRYPTO 2013
Country/Territory	United States
City	Santa Barbara, CA
Period	8/18/13 → 8/22/13

Keywords

Even-Mansour
ideal cipher
indifferentiability
key-alternating cipher

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-642-40041-4_29

Cite this

Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., & Steinberger, J. P. (2013). On the indifferentiability of key-alternating ciphers. In Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings (PART 1 ed., pp. 531-550). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8042 LNCS, No. PART 1). https://doi.org/10.1007/978-3-642-40041-4_29

On the indifferentiability of key-alternating ciphers. / Andreeva, Elena; Bogdanov, Andrey; Dodis, Yevgeniy et al.
Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings. PART 1. ed. 2013. p. 531-550 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8042 LNCS, No. PART 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Andreeva, E, Bogdanov, A, Dodis, Y, Mennink, B & Steinberger, JP 2013, On the indifferentiability of key-alternating ciphers. in Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings. PART 1 edn, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), no. PART 1, vol. 8042 LNCS, pp. 531-550, 33rd Annual International Cryptology Conference, CRYPTO 2013, Santa Barbara, CA, United States, 8/18/13. https://doi.org/10.1007/978-3-642-40041-4_29

Andreeva E, Bogdanov A, Dodis Y, Mennink B, Steinberger JP. On the indifferentiability of key-alternating ciphers. In Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings. PART 1 ed. 2013. p. 531-550. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); PART 1). doi: 10.1007/978-3-642-40041-4_29

Andreeva, Elena ; Bogdanov, Andrey ; Dodis, Yevgeniy et al. / On the indifferentiability of key-alternating ciphers. Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings. PART 1. ed. 2013. pp. 531-550 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); PART 1).

@inproceedings{f51ac715dbf242e1a21f5f9f29b36d16,

title = "On the indifferentiability of key-alternating ciphers",

abstract = "The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K, m) = kt ⊕ P t(...k2 ⊕ P2(k1 ⊕ P 1(k0 ⊕ m))...), where, (k0..., k t) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,...,Pt are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5 is indifferentiable from an ideal cipher, assuming P1,...,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P 4,P5.",

keywords = "Even-Mansour, ideal cipher, indifferentiability, key-alternating cipher",

author = "Elena Andreeva and Andrey Bogdanov and Yevgeniy Dodis and Bart Mennink and Steinberger, {John P.}",

year = "2013",

doi = "10.1007/978-3-642-40041-4_29",

language = "English (US)",

isbn = "9783642400407",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

number = "PART 1",

pages = "531--550",

booktitle = "Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings",

edition = "PART 1",

note = "33rd Annual International Cryptology Conference, CRYPTO 2013 ; Conference date: 18-08-2013 Through 22-08-2013",

}

TY - GEN

T1 - On the indifferentiability of key-alternating ciphers

AU - Andreeva, Elena

AU - Bogdanov, Andrey

AU - Dodis, Yevgeniy

AU - Mennink, Bart

AU - Steinberger, John P.

PY - 2013

Y1 - 2013

N2 - The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K, m) = kt ⊕ P t(...k2 ⊕ P2(k1 ⊕ P 1(k0 ⊕ m))...), where, (k0..., k t) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,...,Pt are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5 is indifferentiable from an ideal cipher, assuming P1,...,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P 4,P5.

AB - The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KAt consists of a small number t of fixed permutations Pi on n bits, separated by key addition: KAt(K, m) = kt ⊕ P t(...k2 ⊕ P2(k1 ⊕ P 1(k0 ⊕ m))...), where, (k0..., k t) are obtained from the master key K using some key derivation function. For t = 1, KA1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P1 is modeled as a (public) random permutation. In this work we seek for stronger security of key-alternating ciphers - indifferentiability from an ideal cipher - and ask the question under which conditions on the key derivation function and for how many rounds t is the key-alternating cipher KAt indifferentiable from the ideal cipher, assuming P1,...,Pt are (public) random permutations? As our main result, we give an affirmative answer for t = 5, showing that the 5-round key-alternating cipher KA5 is indifferentiable from an ideal cipher, assuming P1,...,P5 are five independent random permutations, and the key derivation function sets all rounds keys ki = f(K), where 0 ≤ i ≤ 5 and f is modeled as a random oracle. Moreover, when |K| = |m|, we show we can set f(K) = P0(K)⊕K, giving an n-bit block cipher with an n-bit key, making only six calls to n-bit permutations P0,P1,P2,P3,P 4,P5.

KW - Even-Mansour

KW - ideal cipher

KW - indifferentiability

KW - key-alternating cipher

UR - http://www.scopus.com/inward/record.url?scp=84884494086&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84884494086&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-40041-4_29

DO - 10.1007/978-3-642-40041-4_29

M3 - Conference contribution

AN - SCOPUS:84884494086

SN - 9783642400407

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 531

EP - 550

BT - Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings

T2 - 33rd Annual International Cryptology Conference, CRYPTO 2013

Y2 - 18 August 2013 through 22 August 2013

ER -

On the indifferentiability of key-alternating ciphers

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this