Abstract
Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools for studying it in connection with Shannon theory, the Carter–Wegman universal hash function paradigm, and the Luby–Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even against more general attacks. We propose practical construction schemes.
Communicated by Eli Biham
Vaudenay, S. Decorrelation: A Theory for Block Cipher Security. J Cryptology 16, 249–286 (2003). https://doi.org/10.1007/s00145-003-0220-6