Similar literature (20 results)
1.
Luby and Rackoff [26] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following:
• Reduce the success probability of the adversary.
• Provide a construction of pseudorandom permutations with large input-length using pseudorandom functions with small input-length.
Received 2 August 1996 and revised 26 July 1997

2.
In this paper we consider multiple encryption schemes built from conventional cryptosystems such as DES. The existing schemes are either vulnerable to variants of meet-in-the-middle attacks, i.e., they do not provide security corresponding to the full key length used, or there is no proof that the schemes are as secure as the underlying cipher. We propose a variant of two-key triple encryption with a new method of generating three keys from two. Our scheme is not vulnerable to the meet-in-the-middle attack and, under an appropriate assumption, we can show that our scheme is at least about as hard to break as the underlying block cipher. Received 22 June 1995 and revised 11 October 1996

3.
Multiple modes of operation and, in particular, triple modes of operation were proposed as a simple method to improve the strength of block ciphers, and in particular of DES. Developments in the cryptanalysis of DES in recent years have popularized the triple modes of DES, and such modes are now considered for ANSI standards. In a previous paper we analyzed multiple modes of operation and showed that the security of many multiple modes is significantly smaller than expected. In this paper we extend these results, with new cryptanalytic techniques, and show that all the (cascaded) triple modes of operation are not much more secure than a single encryption: in the case of DES they can be attacked with on the order of 2^56 to 2^66 chosen plaintexts or ciphertexts and complexity of analysis. We then propose several candidates for more secure modes. Received 19 August 1996 and revised 29 September 1997

4.
In this paper we cryptanalyze the CBCM mode of operation, which was almost included in the ANSI X9.52 Triple-DES Modes of Operation standard. The CBCM mode is a Triple-DES CBC variant which was designed against powerful attacks which control intermediate feedback for the benefit of the attacker. For this purpose, it uses intermediate feedbacks that the attacker cannot control, choosing them as a keyed OFB stream, independent of the plaintexts and the ciphertexts. In this paper we find a way to use even this kind of feedback for the benefit of the attacker, and we present an attack which requires a single chosen ciphertext of 2^65 blocks which needs to be stored and 2^59 complexity of analysis (CBCM encryptions) to find the key with a high probability. As a consequence of our attack, ANSI decided to remove the CBCM mode from the proposed standard. Received May 1998 and revised June 2001. Online publication 28 November 2001

5.
The purpose of this paper is to point out a correspondence between certain types of linear ciphers and projective planes. With the aid of this correspondence we are then able to answer a number of questions posed in [3].

6.
Decorrelation: A Theory for Block Cipher Security
Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter–Wegman universal hash functions paradigm, and the Luby–Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes.

7.
This paper analyzes, at the algorithm level, the fault-leakage characteristics inherent to block ciphers and proposes a propagation-trajectory framework that characterizes how an injected fault propagates through the cipher. On this basis it constructs a metric of fault-attack resistance that applies to both single and multiple fault-injection scenarios. Experiments show that the metric effectively captures how the remaining key space shrinks under different fault-injection scenarios, and thereby reveals the algorithm-level resistance of the cipher to fault attacks.

8.
CBC MAC for Real-Time Data Sources
The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice. It is well known that the use of the CBC MAC for variable length messages is not secure, and a few rules of thumb for the correct use of the CBC MAC are known by folklore. The first rigorous proof of the security of CBC MAC, when used on fixed length messages, was given only recently by Bellare et al. [3]. They also suggested variants of CBC MAC that handle variable-length messages but in these variants the length of the message has to be known in advance (i.e., before the message is processed). We study CBC authentication of real-time applications in which the length of the message is not known until the message ends, and furthermore, since the application is real-time, it is not possible to start processing the authentication until after the message ends. We first consider a variant of CBC MAC, that we call the encrypted CBC MAC (EMAC), which handles messages of variable unknown lengths. Computing EMAC on a message is virtually as simple and as efficient as computing the standard CBC MAC on the message. We provide a rigorous proof that its security is implied by the security of the underlying block cipher. Next, we argue that the basic CBC MAC is secure when applied to a prefix-free message space. A message space can be made prefix-free by also authenticating the (usually hidden) last character which marks the end of the message. Received 16 September 1997 and revised 24 August 1999. Online publication 2 June 2000

9.
This paper describes a new specialized Reconfigurable Cryptographic Architecture for Block ciphers (RCBA). Application-specific computation pipelines can be configured according to the characteristics of the block cipher processing in RCBA, which delivers high performance for cryptographic applications. RCBA adopts a coarse-grained reconfigurable architecture that mixes the appropriate amount of static configurations with dynamic configurations. RCBA has been implemented on Altera's FPGA, and representative block cipher algorithms such as DES, Rijndael and RC6 have been mapped onto the RCBA architecture successfully. System performance has been analyzed, and the analysis demonstrates that the RCBA architecture achieves more flexibility and efficiency when compared with other implementations.

10.
This work considers the problem of increasing the performance of ciphers based on Data-Dependent (DD) operations (DDO) for VLSI implementations. New minimum-size primitives are proposed to design DDOs. Using advanced DDOs instead of DD permutations (DDP) in the DDP-based iterative ciphers Cobra-H64 and Cobra-H128, the number of rounds has been significantly reduced, enhancing the "performance per cost" value while retaining security at the level of indistinguishability from a random transformation. To obtain further enhancement of this parameter a new crypto-scheme based on the advanced DDOs is proposed. The FPGA implementation of the proposed crypto-scheme achieves higher throughput and uses fewer resources than the conventional designs. Design of the DDO boxes of different orders is considered and their ASIC implementation is estimated.

11.
Attacks on Fast Double Block Length Hash Functions
The security of hash functions based on a block cipher with a block length of m bits and a key length of k bits, where , is considered. New attacks are presented on a large class of iterated hash functions with a 2m-bit hash result which process two message blocks per iteration using two encryptions. In particular, the attacks break three proposed schemes: Parallel-DM, the PBGV hash function, and the LOKI DBH mode. Received 1 March 1996 and revised 16 December 1996

12.
We define a new mode of operation for block ciphers which, in addition to providing confidentiality, also ensures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware Parallelizable Mode (IAPM), requires a total of m+1 block cipher evaluations on a plaintext of length m blocks. For comparison, the well-known CBC (cipher block chaining) encryption mode requires m block cipher evaluations, and the second pass of computing the CBC-MAC essentially requires an additional m+1 block cipher evaluations. As the name suggests, the new mode is also highly parallelizable.

13.
Biclique attacks are currently the only key-recovery attacks that bring the cost of attacking full-round AES below exhaustive search, but how to obtain new Biclique structures for AES, or all of them, had not been resolved. This paper designs an algorithm that finds all Biclique structures of AES-128, together with an algorithm that measures the data and time complexity of the Biclique attack based on each such structure. It finds that AES-128 has 215 classes of i-differentials producing 555 Biclique structures, gives the i-differential paths with the smallest and second-smallest data complexity, and lists the Biclique differentials and matchings with the lowest computational complexity and the lowest data complexity respectively.

14.
RAIN is a family of lightweight block ciphers with an SPN structure, featuring efficient software and hardware implementation and strong security. Meet-in-the-middle attacks are widely used in the security analysis of block ciphers. By analysing the structural properties and truncated-differential characteristics of RAIN-128, this paper uses the differential enumeration technique to construct 4-round and 6-round meet-in-the-middle distinguishers and presents meet-in-the-middle attacks on 8 and 10 rounds. For the 8-round attack, the precomputation phase has time complexity $2^{68}$ 8-round RAIN-128 encryptions and memory complexity $2^{75}$ bits, and the online phase has time complexity $2^{109}$ 8-round encryptions and data complexity $2^{72}$ chosen plaintexts. For the 10-round attack, the precomputation phase has time complexity $2^{214}$ 10-round encryptions and memory complexity $2^{219}$ bits, and the online phase has time complexity $2^{109}$ 10-round encryptions and data complexity $2^{72}$ chosen plaintexts. The analysis shows that RAIN-128 resists meet-in-the-middle attacks with a considerable security margin.

15.
This paper introduces the model, self-interference and performance of orthogonal space-time block codes and, building on them, proposes a closed-loop mode for high-rate quasi-orthogonal space-time block codes that lets a MIMO system keep a high rate while reducing the performance loss caused by weakened orthogonality. The feedback method relies on the transmitter being able to obtain partial channel state information; the performance of this adaptive mode is verified by simulation over Rayleigh fading channels.

16.
The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that if the ciphers commute, then a cascade is at least as difficult to break as the most-difficult-to-break component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ciphers. Other applications in cryptology are given of the arguments used to prove the cascade cipher result. The results of this paper were presented in part at the 1990 IEEE Symposium on Information Theory, January 14–19, 1990, San Diego, California.

17.
Despite their widespread usage in block cipher security, linear and differential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have commonly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of linear and differential cryptanalytic attacks. The results apply to an extended sense of the term "success" where the correct key is found not necessarily as the highest-ranking candidate but within a set of high-ranking candidates. Experimental results show that the analysis provides accurate results in most cases, especially in linear cryptanalysis. In cases where the results are less accurate, as in certain cases of differential cryptanalysis, the results are useful to provide approximate estimates of the success probability and the necessary plaintext requirement. The analysis also reveals that the attacked key length in differential cryptanalysis is one of the factors that affect the success probability directly, besides the signal-to-noise ratio and the available plaintext amount.

18.
We propose improved differential and linear active S-box search techniques for Feistel type ciphers. We give a uniform representation of Feistel type structures which can benefit the analysis of differential propagation. By analyzing the properties of the Feistel type environment, we present some important observations on differential propagation and propose the notion of an equivalent state set, which narrows down the search space noticeably. We present a practical algorithm to improve the search for active S-boxes in Feistel type ciphers. It is basically a Viterbi search operating on the equivalent state set, and it also adopts a pruning mechanism. Our experimental results show that the improved algorithm has advantages in memory and time complexity and can be applied efficiently to Feistel ciphers with large blocks. The search program can be run on an ordinary PC, which makes it more practical and useful for designers and cryptanalysts.

19.
XEX-based tweakable block cipher mode with ciphertext stealing (XTS) is widely used for storage encryption; with the rise of large-scale computation and new side-channel analysis methods, the security of the XTS mode has become a question worth attention. In recent years some studies have carried out side-channel analysis of XTS, narrowing the key search space by determining part of the key and the tweak value, but they did not achieve an analysis of the XTS mode as a whole system. This paper proposes a side-channel analysis technique for SM4-XTS circuits: by combining conventional correlation power analysis (CPA) with a multi-stage fused CPA, it handles the binary shift caused by the iterated modular multiplication of the tweak, and thereby extracts the tweak value and the key precisely. To validate the technique, an SM4-XTS encryption module was implemented on an FPGA to emulate an encrypted storage device as found in practice. Experimental results show that with 10,000 power traces the technique successfully extracts part of the tweak value and the key of the target encryption circuit.

20.
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
We suggest some simple variants of the CBC MAC that enable the efficient authentication of arbitrary-length messages. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0,1}^* using max{1, ⌈|M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M's length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary's inability to forge in terms of his inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared with prior work.
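An added example, not code from any of the papers listed on this page, tying together items 1, 8 and 20: it builds a Luby-Rackoff pseudorandom permutation from a pseudorandom function, runs the raw CBC MAC, EMAC and XCBC over that permutation, and shows the splice forgery that is why the raw CBC MAC is unsafe on variable-length messages. Assumptions made here and not stated in the abstracts: the round PRF is HMAC-SHA256 truncated to 64-bit halves with the round index mixed into its input; the original four-round Luby-Rackoff construction is used rather than the two-round-plus-pairwise-independent-permutation variant of item 1; EMAC is taken as E_K2(CBC-MAC_K1(M)) on block-aligned messages; keys and messages are constructed demo values.

```python
"""Luby-Rackoff PRP from an HMAC PRF, with CBC-MAC, EMAC and XCBC on top.
Added illustration; not the code of any paper on this page."""
import hashlib
import hmac

HALF = 8           # Feistel half-block in bytes (assumption: 64-bit halves)
BLOCK = 2 * HALF   # n = 128-bit block width of the resulting permutation


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(key: bytes, rnd: int, data: bytes) -> bytes:
    """Round function F_{key,rnd}: {0,1}^64 -> {0,1}^64.
    Assumption: HMAC-SHA256 truncated to HALF bytes, with the round index
    mixed into the input so that every round sees an independent PRF."""
    return hmac.new(key, bytes([rnd]) + data, hashlib.sha256).digest()[:HALF]


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Luby-Rackoff: compose `rounds` Feistel permutations (L, R) -> (R, L xor F(R)).
    Four rounds is the original construction; three gives the weaker PRP notion."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _prf(key, rnd, right))
    return left + right


def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Inverse permutation: undo the rounds in reverse; only F is needed, never F^-1."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _prf(key, rnd, left)), left
    return left + right


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC MAC with zero IV over a non-empty, block-aligned message.
    Secure only for fixed-length (or prefix-free) message spaces."""
    assert msg and len(msg) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = feistel_encrypt(key, _xor(state, msg[i:i + BLOCK]))
    return state


def emac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """EMAC (assumed form): encrypt the CBC MAC value under an independent key K2.
    The outer encryption hides the chaining value the splice forgery relies on."""
    return feistel_encrypt(k2, cbc_mac(k1, msg))


def xcbc(k1: bytes, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """XCBC as described in item 20: K1 keys the CBC chain; the last block is XORed
    with K2 when |M| is a positive multiple of n, otherwise M is padded with 10^i
    and the last block is XORed with K3. Uses max(1, ceil(|M|/n)) cipher calls."""
    if msg and len(msg) % BLOCK == 0:
        last_key = k2
    else:
        pad_len = BLOCK - len(msg) % BLOCK          # 1..BLOCK bytes (BLOCK if M empty)
        msg = msg + b"\x80" + bytes(pad_len - 1)    # minimal 10^i padding
        last_key = k3
    n_blocks = len(msg) // BLOCK
    state = bytes(BLOCK)
    for i in range(n_blocks):
        blk = msg[i * BLOCK:(i + 1) * BLOCK]
        if i == n_blocks - 1:
            blk = _xor(blk, last_key)
        state = feistel_encrypt(k1, _xor(state, blk))
    return state


def cbc_mac_splice_forgery(key: bytes, m1: bytes, m2: bytes):
    """Given tags T1 = MAC(M1) and T2 = MAC(M2) of two one-block messages, the
    adversary outputs M1 || (T1 xor M2). Its raw CBC MAC is T2, because the chaining
    value after M1 is T1 and the second block enters the cipher as T1 xor T1 xor M2 = M2.
    Returns the forged message and the tag the adversary predicts for it."""
    assert len(m1) == BLOCK and len(m2) == BLOCK
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    return m1 + _xor(t1, m2), t2


if __name__ == "__main__":
    k1, k2, k3 = b"\x01" * 16, b"\x02" * 16, b"\x03" * 16   # constructed demo keys
    m1, m2 = b"A" * BLOCK, b"B" * BLOCK                     # constructed demo messages
    forged, predicted = cbc_mac_splice_forgery(k1, m1, m2)
    print("raw CBC MAC forgery verifies:", cbc_mac(k1, forged) == predicted)
    print("XCBC over a 15-byte message:", xcbc(k1, k2, k3, b"x" * 15).hex())
```

The forgery function is the concrete content of the "well known" folklore in item 8: two tags on one-block messages suffice to forge a valid tag on a two-block message never queried. Neither EMAC nor XCBC admits the same splice, because the final block is transformed under a key (K2, or K2/K3) that the chaining value does not reveal; the prefix-free remedy in item 8 works for the same reason, since M1 is then never a valid message on its own.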
