scholarly journals On the Resilience of Even-Mansour to Invariant Permutations

2021 ◽  
Author(s):  
Bart Mennink ◽  
Samuel Neves
Keyword(s):  
Invariant Subspace ◽  
Block Cipher ◽  
Random Permutation ◽  
Cryptographic Primitives ◽  
Distinguishing Attack ◽  
Cryptographic Primitive ◽  
Permutation Model ◽  
Random Permutation Model

AbstractSymmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. We first formalize the use of invariant cryptographic permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge construction. The security analyses exactly pinpoint how the presence of linear invariances affects the bounds compared with analyses in the random permutation model. As such, they give an exact indication how invariances can be exploited. From a practical side, we apply the derived security bounds to the case where the Even-Mansour construction is instantiated with the 512-bit ChaCha permutation, and derive a distinguishing attack against Even-Mansour-ChaCha in $$2^{128}$$ 2 128 queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in $$2^{50}$$ 2 50 queries), the 1024-bit CubeHash permutation (attack in $$2^{256}$$ 2 256 queries), and the 384-bit Gimli permutation without round constants (attack in $$2^{96}$$ 2 96 queries). The attacks do not invalidate the security of the permutations themselves, but rather they demonstrate the tightness of our bounds and confirm that care should be taken when employing a cryptographic primitive that has nontrivial linear invariances.

scholarly journals CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation

2021 ◽  
pp. 1-35
Author(s):  
Benoît Cogliati ◽  
Jordan Ethan ◽  
Virginie Lallemand ◽  
Byeonghak Lee ◽  
Jooyoung Lee ◽  
...  
Keyword(s):  
Block Cipher ◽  
Random Permutation ◽  
Pseudorandom Permutation ◽  
Linear Layer ◽  
Non Linear ◽  
Single Block ◽  
Permutation Model ◽  
Beyond Birthday Bound ◽  
Disk Encryption ◽  
Block Sizes

In this work, we propose a construction of 2-round tweakable substitutionpermutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with ωn-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωκ-bit messages for any integer ω ≥ 2 using 5n + κ-bit keys and n-bit tweaks, providing 2n/3-bit security.Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced round AES block cipher as the underlying secret S-box. Extensivecryptanalysis of this algorithm allows us to claim 127 bits of security.Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.

Multiway Trees of Maximum and Minimum Probability under the Random Permutation Model

1996 ◽  
Vol 5 (4) ◽  
pp. 351-371 ◽  
Author(s):  
Robert P. Dobrow ◽  
James Allen Fill
Keyword(s):  
Probability Model ◽  
Mass Function ◽  
Random Permutation ◽  
Search Tree ◽  
Probability Mass Function ◽  
Search Trees ◽  
Asymptotic Expressions ◽  
Minimum Probability ◽  
Permutation Model ◽  
Random Permutation Model

Multiway trees, also known as m–ary search trees, are data structures generalising binary search trees. A common probability model for analysing the behaviour of these structures is the random permutation model. The probability mass function Q on the set of m–ary search trees under the random permutation model is the distribution induced by sequentially inserting the records of a uniformly random permutation into an initially empty m–ary search tree. We study some basic properties of the functional Q, which serves as a measure of the ‘shape’ of the tree. In particular, we determine exact and asymptotic expressions for the maximum and minimum values of Q and identify and count the trees achieving those values.

scholarly journals A Random Permutation Model Arising in Chemistry

2008 ◽  
Vol 45 (04) ◽  
pp. 1060-1070
Author(s):  
Mark Brown ◽  
Erol A. Peköz ◽  
Sheldon M. Ross
Keyword(s):  
Random Permutation ◽  
Permutation Model ◽  
Single Cluster ◽  
Random Permutation Model

We study a model arising in chemistry where n elements numbered 1, 2, …, n are randomly permuted and if i is immediately to the left of i + 1 then they become stuck together to form a cluster. The resulting clusters are then numbered and considered as elements, and this process keeps repeating until only a single cluster is remaining. In this article we study properties of the distribution of the number of permutations required.

scholarly journals Almost sure asymptotics for the random binary search tree

2010 ◽  
Vol DMTCS Proceedings vol. AM,... (Proceedings) ◽  
Author(s):  
Matthew Roberts
Keyword(s):  
Random Permutation ◽  
Search Tree ◽  
Binary Search ◽  
Saturation Level ◽  
Binary Search Tree ◽  
International Audience ◽  
Permutation Model ◽  
Random Permutation Model

International audience We consider a (random permutation model) binary search tree with $n$ nodes and give asymptotics on the $\log$ $\log$ scale for the height $H_n$ and saturation level $h_n$ of the tree as $n \to \infty$, both almost surely and in probability. We then consider the number $F_n$ of particles at level $H_n$ at time $n$, and show that $F_n$ is unbounded almost surely.

scholarly journals A Random Permutation Model Arising in Chemistry

2008 ◽  
Vol 45 (4) ◽  
pp. 1060-1070 ◽  
Author(s):  
Mark Brown ◽  
Erol A. Peköz ◽  
Sheldon M. Ross
Keyword(s):  
Random Permutation ◽  
Permutation Model ◽  
Single Cluster ◽  
Random Permutation Model

We study a model arising in chemistry where n elements numbered 1, 2, …, n are randomly permuted and if i is immediately to the left of i + 1 then they become stuck together to form a cluster. The resulting clusters are then numbered and considered as elements, and this process keeps repeating until only a single cluster is remaining. In this article we study properties of the distribution of the number of permutations required.

scholarly journals On the semantic security of cellular automata based pseudo-random permutation using results from the Luby-Rackoff construction

2015 ◽  
Vol 15 (1) ◽  
pp. 21
Author(s):  
Kamel Mohammed Faraoun
Keyword(s):  
Cellular Automata ◽  
Block Cipher ◽  
Random Permutation ◽  
Block Ciphers ◽  
Random Permutations ◽  
Semantic Security ◽  
Transition Rules ◽  
Reversible Cellular Automata ◽  
Symmetric Block ◽  
Number Of Iterations

This paper proposes a semantically secure construction of pseudo-random permutations using second-order reversible cellular automata. We show that the proposed construction is equivalent to the Luby-Rackoff model if it is built using non-uniform transition rules, and we prove that the construction is strongly secure if an adequate number of iterations is performed. Moreover, a corresponding symmetric block cipher is constructed and analysed experimentally in comparison with popular ciphers. Obtained results approve robustness and efficacy of the construction, while achieved performances overcome those of some existing block ciphers.

scholarly journals The Exact Security of PMAC with Two Powering-Up Masks

2019 ◽  
pp. 125-145 ◽  
Author(s):  
Yusuke Naito
Keyword(s):  
Lower Bound ◽  
Upper Bound ◽  
Open Problem ◽  
Random Function ◽  
Block Cipher ◽  
Random Permutation ◽  
Authentication Code ◽  
Open Problems ◽  
Main Research ◽  
Main Research Topic

PMAC is a rate-1, parallelizable, block-cipher-based message authentication code (MAC), proposed by Black and Rogaway (EUROCRYPT 2002). Improving the security bound is a main research topic for PMAC. In particular, showing a tight bound is the primary goal of the research, since Luykx et al.’s paper (EUROCRYPT 2016). Regarding the pseudo-random-function (PRF) security of PMAC, a collision of the hash function, or the difference between a random permutation and a random function offers the lower bound Ω(q2/2n) for q queries and the block cipher size n. Regarding the MAC security (unforgeability), a hash collision for MAC queries, or guessing a tag offers the lower bound Ω(q2m /2n + qv/2n) for qm MAC queries and qv verification queries (forgery attempts). The tight upper bound of the PRF-security O(q2/2n) of PMAC was given by Gaži et el. (ToSC 2017, Issue 1), but their proof requires a 4-wise independent masking scheme that uses 4 n-bit random values. Open problems from their work are: (1) find a masking scheme with three or less random values with which PMAC has the tight upper bound for PRF-security; (2) find a masking scheme with which PMAC has the tight upper bound for MAC-security.In this paper, we consider PMAC with two powering-up masks that uses two random values for the masking scheme. Using the structure of the powering-up masking scheme, we show that the PMAC has the tight upper bound O(q2/2n) for PRF-security, which answers the open problem (1), and the tight upper bound O(q2m /2n + qv/2n) for MAC-security, which answers the open problem (2). Note that these results deal with two-key PMACs, thus showing tight upper bounds of PMACs with single-key and/or with one powering-up mask are open problems.

scholarly journals Efficient Length Doubling From Tweakable Block Ciphers

2017 ◽  
pp. 253-270 ◽  
Author(s):  
Yu Long Chen ◽  
Atul Luykx ◽  
Bart Mennink ◽  
Bart Preneel
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Arbitrary Length ◽  
Pseudorandom Permutation ◽  
Cryptographic Primitive ◽  
Length Data ◽  
Tweakable Block Cipher ◽  
Integral Data

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

Sign in / Sign up

Export Citation Format

Share Document