Minimizing the Two-Round Even-Mansour Cipher

Shan Chen (1), Rodolphe Lampe (2), Jooyoung Lee (3), Yannick Seurin (4), John Steinberger (1)

(1) Tsinghua University, China; (2) University of Versailles, France; (3) Sejong University, Korea; (4) ANSSI, France

August 18, 2014 - CRYPTO 2014

Chen, Lampe, Lee, Seurin, Steinberger

Minimizing the 2-Round EM Cipher

CRYPTO 2014

1 / 29

Outline

1. Context: Security Proofs for Key-Alternating Ciphers
2. Overview of our Results
3. Sketch of the Security Proof


Key-alternating ciphers

[Figure: x → ⊕k0 → P1 → ⊕k1 → P2 → … → Pr → ⊕kr → y, all wires n bits; the round keys ki = γi(k) are derived from the master key k]

An r-round key-alternating cipher:
- k ∈ {0, 1}^n is the (master) key, x the plaintext, y the ciphertext
- the Pi's are public permutations on {0, 1}^n
- the γi's are key derivation functions mapping k to n-bit "round keys"
- prominent example: AES-128


Proving the security of key-alternating ciphers

[Figure: the same r-round key-alternating cipher x → ⊕k0 → P1 → ⊕k1 → P2 → … → Pr → ⊕kr → y with ki = γi(k)]

Question: how can we "prove" security? (for this talk, security = pseudorandomness)
- against a general adversary: too hard! (unconditional complexity lower bound)
- against specific attacks (differential, linear, …): use the specific design of P1, …, Pr, count active S-boxes, etc.
- against generic attacks: Random Permutation Model for P1, …, Pr


Analyzing KA ciphers in the Random Permutation Model

[Figure: the same cipher, with P1, …, Pr drawn as oracles]

- the Pi's are viewed as public random permutation oracles to which the adversary can only make black-box queries (both to Pi and Pi^{-1})
- trades complexity for randomness and allows for a completely information-theoretic proof (≃ Random Oracle Model)
- complexity measure of the adversary:
  qe = number of queries to the cipher (plaintext/ciphertext pairs)
  qp = number of queries to each internal permutation oracle


Analyzing KA ciphers in the Random Permutation Model

This model was already considered 15 years ago by Even and Mansour [EM97] for r = 1 round: they showed that the following cipher is secure up to O(2^{n/2}) queries of the adversary to P and E:

[Figure: E: x → ⊕k0 → P → ⊕k1 → y]

- Similar result when k0 = k1 [DKS12]
- Wording: "(iterated) Even-Mansour cipher" = shorthand for "analyzing the class of key-alternating ciphers in the Random Permutation Model"


Part 2: Overview of our Results


State of the art

[Figure: x → ⊕k0 → P1 → ⊕k1 → P2 → … → Pr → ⊕kr → y]

Closing a series of recent results [BKL+12, Ste12, LPS12], Chen and Steinberger [CS14] showed that, assuming
1. independent round keys (k0, k1, …, kr),
2. independent inner permutations P1, …, Pr,
KA ciphers are secure against generic attacks as long as qe and qp ≪ O(2^{rn/(r+1)}). This result is tight (in terms of query complexity).


Our problem

Main question: is it possible to prove a similar O(2^{rn/(r+1)}) bound when
- the round keys (k0, …, kr) are derived from an n-bit master key, and/or
- the same permutation P is used at each round,
as is the case in many concrete designs (AES-128, etc.)?

[Figure: x → ⊕k0 → P1 → ⊕k1 → P2 → … → Pr → ⊕kr → y with ki = γi(k); in the single-permutation variant every Pi is the same P]

We give a positive answer for r = 2 rounds: O(2^{2n/3})-security bound.


Our results (1/2): two independent permutations

First, we deal with the (simpler) case where the two inner permutations are independent. Then the trivial key-schedule is sufficient.

Theorem. The 2-round EM cipher with independent random permutations and identical round keys is secure up to Õ(2^{2n/3}) queries of the adversary.

[Figure: x → ⊕k → P1 → ⊕k → P2 → ⊕k → y]

Our results (2/2): one single permutation

Theorem. The 2-round EM cipher below is secure up to Õ(2^{2n/3}) queries of the adversary.

[Figure: x → ⊕k → P → ⊕π(k) → P → ⊕k → y]

π can be any fixed (F2-linear) orthomorphism (i.e., π is a permutation and k ↦ k ⊕ π(k) is a permutation), for instance
- π: (kL, kR) ↦ (kR, kL ⊕ kR) (Feistel)
- π: k ↦ c·k, for c ≠ 0, 1 (field mult.)


Our results (2/2): one single permutation

Theorem (more general). The 2-round EM cipher below is secure up to Õ(2^{2n/3}) queries when
(i) γ0, γ1, γ2 are F2-linear permutations;
(ii) γ0 ⊕ γ1 and γ1 ⊕ γ2 are permutations;
(iii) γ0 ⊕ γ1 ⊕ γ2 is a permutation.
(These conditions are OK for the key-schedule (k, π(k), k).)

[Figure: x → ⊕k0 → P → ⊕k1 → P → ⊕k2 → y with ki = γi(k)]

Conjecture: F2-linearity and (iii) are not needed.
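Added here as a worked example (not code from the slides or the paper): a brute-force check, for toy block size n = 8, of the two orthomorphism examples above and of conditions (i)-(iii) for the key-schedules (k, π(k), k) and (k, k, k), together with the single-permutation 2-round EM cipher itself using a seeded random permutation as P. The function names, n = 8 and the AES field polynomial used for the c·k example are my assumptions.

```python
import random
from typing import Callable, List, Tuple

# Added example, not from the slides: the single-permutation 2-round
# Even-Mansour cipher  x -> +k0 -> P -> +k1 -> P -> +k2 -> y  on n-bit blocks,
# with the orthomorphism examples and key-schedule conditions (i)-(iii) checked
# exhaustively.  n = 8 and the AES field polynomial are assumptions.

KeyMap = Callable[[int], int]

def feistel_pi(k: int, n: int) -> int:
    """Feistel orthomorphism from the slides: (kL, kR) -> (kR, kL xor kR)."""
    h = n // 2
    kl, kr = k >> h, k & ((1 << h) - 1)
    return (kr << h) | (kl ^ kr)

def gf_mul(a: int, b: int, n: int, poly: int) -> int:
    """Multiply in GF(2^n); `poly` is the reduction polynomial (bit n set)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def field_pi(c: int, n: int, poly: int) -> KeyMap:
    """Field-multiplication map k -> c*k; an orthomorphism iff c not in {0, 1}."""
    return lambda k: gf_mul(c, k, n, poly)

def is_permutation(f: KeyMap, n: int) -> bool:
    return len({f(k) for k in range(1 << n)}) == 1 << n

def is_f2_linear(f: KeyMap, n: int) -> bool:
    """f(a xor b) == f(a) xor f(b) for all a, b (this also forces f(0) == 0)."""
    return all(f(a ^ b) == f(a) ^ f(b)
               for a in range(1 << n) for b in range(1 << n))

def is_orthomorphism(f: KeyMap, n: int) -> bool:
    """Slide definition: f and k -> k xor f(k) are both permutations."""
    return is_permutation(f, n) and is_permutation(lambda k: k ^ f(k), n)

def schedule_ok(gammas: Tuple[KeyMap, KeyMap, KeyMap], n: int) -> bool:
    """Conditions (i)-(iii) of the general theorem for (gamma0, gamma1, gamma2)."""
    g0, g1, g2 = gammas
    cond_i = all(is_f2_linear(g, n) and is_permutation(g, n) for g in gammas)
    cond_ii = (is_permutation(lambda k: g0(k) ^ g1(k), n)
               and is_permutation(lambda k: g1(k) ^ g2(k), n))
    cond_iii = is_permutation(lambda k: g0(k) ^ g1(k) ^ g2(k), n)
    return cond_i and cond_ii and cond_iii

def random_permutation(n: int, seed: int) -> List[int]:
    """Stand-in for the public random permutation oracle P (as a table)."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table

class TwoRoundEM:
    """y = P(P(x xor g0(k)) xor g1(k)) xor g2(k), the same P in both rounds."""
    def __init__(self, p_table: List[int], gammas: Tuple[KeyMap, KeyMap, KeyMap]):
        self.p = p_table
        self.p_inv = [0] * len(p_table)
        for u, v in enumerate(p_table):
            self.p_inv[v] = u
        self.gammas = gammas

    def encrypt(self, k: int, x: int) -> int:
        k0, k1, k2 = (g(k) for g in self.gammas)
        return self.p[self.p[x ^ k0] ^ k1] ^ k2

    def decrypt(self, k: int, y: int) -> int:
        k0, k1, k2 = (g(k) for g in self.gammas)
        return self.p_inv[self.p_inv[y ^ k2] ^ k1] ^ k0

N = 8
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, assumed field for the c*k example

def identity(k: int) -> int:
    return k

def pi_feistel(k: int) -> int:
    return feistel_pi(k, N)

PI_FIELD = field_pi(2, N, AES_POLY)
SCHEDULE_PI = (identity, pi_feistel, identity)     # (k, pi(k), k) from the theorem
SCHEDULE_TRIVIAL = (identity, identity, identity)  # (k, k, k): violates (ii)

def roundtrip_ok(schedule: Tuple[KeyMap, KeyMap, KeyMap], seed: int = 1) -> bool:
    """Decryption inverts encryption for a few keys over the whole block space."""
    em = TwoRoundEM(random_permutation(N, seed), schedule)
    return all(em.decrypt(k, em.encrypt(k, x)) == x
               for k in (0x00, 0x5A, 0xFF) for x in range(1 << N))

if __name__ == "__main__":
    print("Feistel pi / k->2k orthomorphisms:", is_orthomorphism(pi_feistel, N),
          is_orthomorphism(PI_FIELD, N))
    print("(k, pi(k), k) ok:", schedule_ok(SCHEDULE_PI, N),
          " (k, k, k) ok:", schedule_ok(SCHEDULE_TRIVIAL, N))
```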

Minimality of the construction

[Figure: x → ⊕k → P → ⊕π(k) → P → ⊕k → y, together with a second pair (x', y') through the same cipher]

This construction is "minimal" to achieve O(2^{2n/3}) security. Removing any component causes security to drop back to O(2^{n/2}):
- removing one of the P's: 1-round Even-Mansour, O(2^{n/2})-secure
- removing π: slide attack with O(2^{n/2}) complexity: find (x, y), (x', y') such that x' = P(x ⊕ k) (slid pair); can be detected by checking that x ⊕ P(y) = y' ⊕ P^{-1}(x'); works for any number of rounds for identical round keys and identical permutations


Part 3: Sketch of the Security Proof


Formalizing indistinguishability (in the RP Model)

[Figure: real world: D makes qe queries to E = the cipher x → ⊕k → P → ⊕π(k) → P → ⊕k → y and qp queries to P; ideal world: D makes qe queries to a random permutation E and qp queries to P; in both worlds D outputs 0/1]

- real world: cipher with a random key k ←$ {0, 1}^n
- ideal world: E is a random permutation independent from P
- Random Permutation Model: D has oracle access to P in both worlds
- for this talk, qe = qp = q


Query transcript

[Figure: E maps the queried plaintexts X to ciphertexts Y; the two P calls map inputs U to outputs V]

The distinguisher can query:
- oracle E forward: E(x) = y, and backward: E^{-1}(y) = x
- oracle P forward: P(u) = v, and backward: P^{-1}(v) = u
This results in a query transcript τ = (QE, QP):
QE = {(x1, y1), …, (xq, yq)}, QP = {(u1, v1), …, (uq, vq)}.


H-coefficient framework

[Figure: transcript diagram with the q queried points on X, U, V and Y]

Adv(D) ≤ ‖T_real − T_ideal‖ (statistical distance)

T_real / T_ideal = distribution of the transcript (QE, QP) in the real / ideal world


H-coefficient framework

[Figure: the same transcript diagram]

Lemma. Partition the set of transcripts into "good" ones T_good and "bad" ones T_bad. Then
  ∀τ ∈ T_good: Pr[T_real = τ] / Pr[T_ideal = τ] ≥ 1 − ε1
  Pr[T_ideal ∈ T_bad] ≤ ε2
⇒ Adv(D) ≤ ε1 + ε2


Bad keys and bad transcripts (simplified)

[Figure: transcript diagram; highlighted points show a candidate key k' lining up an E-query with P-queries, and π(k') linking the two P calls]

A key k' is bad if D can check its "compatibility" with the transcript:
1. ∃(x, y) ∈ QE, u ∈ U, v ∈ V: k' = x ⊕ u = y ⊕ v
2. ∃(u, v) ∈ QP, x ∈ X, u' ∈ U: k' = x ⊕ u and π(k') = v ⊕ u'
3. ∃(u, v) ∈ QP, y ∈ Y, v' ∈ V: k' = v ⊕ y and π(k') = v' ⊕ u
A transcript (QE, QP) is bad if it has too many bad keys. We must show that with high probability, #bad keys ≪ 2^n.
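Added here as a worked example (not code from the slides or the paper): the three bad-key conditions above implemented for toy parameters n = 8 with the Feistel π, evaluated on a constructed transcript where exactly one key is bad, and on random ideal-world transcripts (E independent of P) to see how the bad-key fraction grows with q. Function names, the sample transcript and n = 8 are my assumptions.

```python
import random
from typing import Callable, List, Set, Tuple

# Added example, not from the slides: for the cipher
#   x -> +k -> P -> +pi(k) -> P -> +k -> y
# enumerate the "bad" keys of a transcript (QE, QP) using the proof sketch's
# three compatibility conditions, then measure how many keys a random
# ideal-world transcript makes bad.  n = 8 and the Feistel orthomorphism are
# assumptions so that all 2^n candidate keys can be listed.

Pair = Tuple[int, int]

def feistel_pi(k: int, n: int) -> int:
    """Orthomorphism from the slides: (kL, kR) -> (kR, kL xor kR)."""
    h = n // 2
    kl, kr = k >> h, k & ((1 << h) - 1)
    return (kr << h) | (kl ^ kr)

def bad_keys(qe: List[Pair], qp: List[Pair], pi: Callable[[int], int], n: int) -> Set[int]:
    """Keys k' whose compatibility with (QE, QP) the distinguisher could test."""
    X = {x for x, _ in qe}
    Y = {y for _, y in qe}
    U = {u for u, _ in qp}
    V = {v for _, v in qp}
    bad = set()
    for k in range(1 << n):
        pk = pi(k)
        # (1) some (x, y) in QE has x xor k' in U and y xor k' in V
        if any((x ^ k) in U and (y ^ k) in V for x, y in qe):
            bad.add(k)
        # (2) some (u, v) in QP has u xor k' in X and v xor pi(k') in U
        elif any((u ^ k) in X and (v ^ pk) in U for u, v in qp):
            bad.add(k)
        # (3) some (u, v) in QP has v xor k' in Y and u xor pi(k') in V
        elif any((v ^ k) in Y and (u ^ pk) in V for u, v in qp):
            bad.add(k)
    return bad

def random_permutation(n: int, rng: random.Random) -> List[int]:
    table = list(range(1 << n))
    rng.shuffle(table)
    return table

def ideal_world_transcript(n: int, q: int, seed: int) -> Tuple[List[Pair], List[Pair]]:
    """q distinct forward queries to a random E and to an independent random P."""
    rng = random.Random(seed)
    E = random_permutation(n, rng)
    P = random_permutation(n, rng)
    xs = rng.sample(range(1 << n), q)
    us = rng.sample(range(1 << n), q)
    return [(x, E[x]) for x in xs], [(u, P[u]) for u in us]

def bad_key_fraction(n: int, q: int, seed: int) -> float:
    """|bad keys| / 2^n for one ideal-world transcript; the proof needs this << 1."""
    qe, qp = ideal_world_transcript(n, q, seed)
    return len(bad_keys(qe, qp, lambda k: feistel_pi(k, n), n)) / (1 << n)

# Constructed transcript (n = 8): only k' = 0x55 satisfies a condition, via (1):
# 0x12 xor 0x55 = 0x47 is in U and 0x34 xor 0x55 = 0x61 is in V.
QE_SAMPLE = [(0x12, 0x34)]
QP_SAMPLE = [(0x47, 0xA0), (0xB3, 0x61)]

if __name__ == "__main__":
    print(sorted(bad_keys(QE_SAMPLE, QP_SAMPLE, lambda k: feistel_pi(k, 8), 8)))
    for q in (4, 8, 16):
        frac = sum(bad_key_fraction(8, q, s) for s in range(20)) / 20
        print(f"q = {q:2d}: average bad-key fraction {frac:.3f}")
```

Each condition fixes k' from one E-query and one P-query, so a transcript with q queries of each kind yields at most 3q² bad keys; the fraction printed for growing q shows why the bound needs q well below 2^{n/2}.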


Upper bounding the number of bad keys

[Figure: the construction with its query sets X, U, V (first call to P) and U, V, Y (second call); a candidate key k' links x ∈ X to u ∈ U and y ∈ Y to v ∈ V]

Focus on case 1: ∃ (x, y) ∈ QE, u ∈ U, v ∈ V : k' = x ⊕ u = y ⊕ v. Then
# bad keys ≤ #{((x, y), u, v) ∈ QE × U × V : x ⊕ y = u ⊕ v},
where the values x ⊕ y are ≃ random.
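To make the bad-key definition and the case-1 bound concrete, the following added example (my own code, not the authors') builds the minimal two-round construction on a toy 8-bit block, with a single permutation P and round keys (k, π(k), k). The key schedule π is a simple F2-linear orthomorphism I chose for the demonstration, and the two transcripts are constructed: in the "blind" one D queries P at random points; in the "informed" one D's P-queries happen to include the two inner values of one encryption query, which is exactly the situation in which condition 1 flags the real key.

```python
import random

N_BITS = 8                     # toy block size so every set is enumerable


def pi(k):
    """F2-linear orthomorphism on n bits (my choice of key schedule, not the talk's):
    write k = (kL, kR) and map it to (kR, kL ^ kR). Both pi and pi ^ id are bijections."""
    h = N_BITS // 2
    kl, kr = k >> h, k & ((1 << h) - 1)
    return (kr << h) | (kl ^ kr)


def minimal_em_encrypt(P, k, x):
    """Minimal two-round Even-Mansour: one permutation P, round keys (k, pi(k), k)."""
    return P[P[x ^ k] ^ pi(k)] ^ k


def bad_keys(QE, QP):
    """Keys k' that can be checked for compatibility with transcript (QE, QP), split by
    the three conditions on the slide. QE: list of (x, y) encryption queries; QP: list of
    (u, v) queries to the public permutation P."""
    X = {x for x, _ in QE}
    Y = {y for _, y in QE}
    U = {u for u, _ in QP}
    V = {v for _, v in QP}
    bad = {1: set(), 2: set(), 3: set()}
    # Condition 1: some (x, y) in QE, u in U, v in V with k' = x ^ u = y ^ v
    for x, y in QE:
        for u in U:
            k = x ^ u
            if y ^ k in V:
                bad[1].add(k)
    # Condition 2: some (u, v) in QP, x in X, u' in U with k' = x ^ u and pi(k') = v ^ u'
    for u, v in QP:
        for x in X:
            k = x ^ u
            if pi(k) ^ v in U:
                bad[2].add(k)
    # Condition 3: some (u, v) in QP, y in Y, v' in V with k' = v ^ y and pi(k') = v' ^ u
    for u, v in QP:
        for y in Y:
            k = v ^ y
            if pi(k) ^ u in V:
                bad[3].add(k)
    return bad


def case1_bound(QE, QP):
    """The slide's bound for case 1: #{((x, y), u, v) in QE x U x V : x ^ y == u ^ v}.
    Each triple yields one candidate k' = x ^ u, so this dominates |bad[1]|."""
    U = {u for u, _ in QP}
    V = {v for _, v in QP}
    return sum(1 for x, y in QE for u in U if x ^ y ^ u in V)


def random_permutation(rng):
    P = list(range(1 << N_BITS))
    rng.shuffle(P)
    return P


def transcripts(q_e=8, q_p=16, seed=7):
    """Two constructed transcripts against the same (P, k): 'blind' P-queries at random
    points, and 'informed' P-queries that include the inner values of QE[0]."""
    rng = random.Random(seed)
    P = random_permutation(rng)
    k = rng.randrange(1 << N_BITS)
    xs = rng.sample(range(1 << N_BITS), q_e)
    QE = [(x, minimal_em_encrypt(P, k, x)) for x in xs]
    us = rng.sample(range(1 << N_BITS), q_p)
    QP_blind = [(u, P[u]) for u in us]
    u1 = xs[0] ^ k                 # input of the first P call for QE[0]
    u2 = P[u1] ^ pi(k)             # input of the second P call for QE[0]
    QP_informed = QP_blind[:-2] + [(u1, P[u1]), (u2, P[u2])]
    return k, QE, QP_blind, QP_informed


if __name__ == "__main__":
    k, QE, QP_blind, QP_informed = transcripts()
    for name, QP in (("blind", QP_blind), ("informed", QP_informed)):
        b = bad_keys(QE, QP)
        print(name, "bad keys by condition:", {c: len(s) for c, s in b.items()},
              "case-1 bound:", case1_bound(QE, QP), "real key flagged:", k in b[1])
```

In the informed transcript the real key k satisfies k = x ⊕ u1 = y ⊕ P(u2) with u1 ∈ U and P(u2) ∈ V, so condition 1 marks it bad; in the blind transcript the flagged keys are just the coincidences x ⊕ u = y ⊕ v among unrelated values, and their number never exceeds the triple count of the slide's bound.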


The sum-capture problem

For A = {a1, ..., aq} ⊆ {0,1}^n, let
µ(A) = max_{U, V ⊆ {0,1}^n, |U| = |V| = q} |{(a, u, v) ∈ A × U × V : a = u ⊕ v}|.
If A is “structured”, e.g. a vector space, then µ(A) = q^2.
Sum-capture problem: find upper bounds on µ(A) for a random set A.

Theorem ([Bab89, Ste13]). If q ≤ 2^{2n/3}, then with overwhelming probability over the choice of a random set A,
µ(A) ≲ q^{3/2}.
(Hence µ(A) ≪ 2^n when q ≪ 2^{2n/3}.)
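The gap between a structured and a random A is easy to see numerically. The added example below (mine, not from the talk) counts the triples (a, u, v) with a = u ⊕ v for a given pair (U, V); it does not compute the maximum µ(A) itself, which would require a search over all q-subsets. Block size n = 12 and dimension 4 are arbitrary toy parameters.

```python
import random


def xor_triples(A, U, V):
    """#{(a, u, v) in A x U x V : a == u ^ v}. For a fixed pair (U, V) this is a lower
    bound on mu(A); mu(A) is the maximum over all U, V with |U| = |V| = |A|."""
    V = set(V)
    return sum(1 for a in A for u in U if a ^ u in V)


def span(basis):
    """F2-linear span of the given n-bit vectors, i.e. a 'structured' set A."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return vecs


def compare(n=12, dim=4, seed=1):
    """Return (q, triples for a subspace with U = V = A,
               triples for a random A with random U and V,
               triples for the same random A with U = V = A)."""
    rng = random.Random(seed)
    A_struct = span([1 << i for i in range(dim)])      # q = 2^dim points
    q = len(A_struct)
    # A subspace is closed under XOR: every (a, u) fixes v = a ^ u inside A, so taking
    # U = V = A already reaches q^2 triples, the slide's mu(A) = q^2 for structured A.
    structured = xor_triples(A_struct, A_struct, A_struct)
    A_rand = rng.sample(range(1 << n), q)              # constructed random set
    U = rng.sample(range(1 << n), q)
    V = rng.sample(range(1 << n), q)
    random_uv = xor_triples(A_rand, U, V)              # about q^3 / 2^n on average
    random_self = xor_triples(A_rand, A_rand, A_rand)  # far from q^2: A_rand is not closed
    return q, structured, random_uv, random_self


if __name__ == "__main__":
    q, s, r_uv, r_self = compare()
    print(f"q = {q}: subspace {s} (= q^2 = {q * q}); random A: {r_uv} with random U, V, "
          f"{r_self} with U = V = A; theorem scale q^(3/2) = {q ** 1.5:.0f}")
```

With q = 16 the subspace reaches q^2 = 256 exactly, while a random A with random (U, V) yields on the order of q^3 / 2^n = 1 triple and even U = V = A stays far below 256; the theorem's q^{3/2} = 64 sits in between, as a bound on the best possible (U, V).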


A new sum-capture theorem

In our case, we need to adapt the theorem to the case where A = {x1 ⊕ y1, ..., xq ⊕ yq} ≃ random.

Theorem. Let D be an adversary interacting with a random permutation E of {0,1}^n, resulting in a query transcript QE = {(x1, y1), ..., (xq, yq)}. Let
µ(QE) = max_{U, V ⊆ {0,1}^n, |U| = |V| = q} |{((x, y), u, v) ∈ QE × U × V : x ⊕ y = u ⊕ v}|.
If q ≤ 2^{2n/3}, then with overwhelming probability,
# bad keys ≤ µ(QE) ≤ 3(√n + 1) q^{3/2}.
Proof: Fourier analysis.


Good transcripts

For a “good” transcript τ = (QE, QP) with the expected number of bad keys, we are reduced to the following permutation counting problem.

Permutation counting problem (simplified). Let X = {x1, ..., xq} and Y = {y1, ..., yq} with X ∩ Y “small”. Compare
p_real = Pr[P ←$ P_n : P ∘ P(xi) = yi for i = 1, ..., q]
and
p_ideal = 1 / (2^n (2^n − 1) ··· (2^n − q + 1))   (= Pr[E(xi) = yi for i = 1, ..., q]).

Lemma. Assume |X ∩ Y| ≤ q / 2^{n/3}. Then p_real ≥ (1 − ε1) p_ideal with ε1 = O(q^3 / 2^{2n}).
Proof: intricate counting.


Random square permutation vs. random permutation

[Figure: D interacts either with P ∘ P (two calls to the same P) or with E, and outputs 0/1]

Random Square Permutation Problem: How many queries does D need to distinguish a random square permutation P ∘ P from a perfectly random permutation E?
Conjecture: indistinguishable up to ∼ 2^n queries.
Best known attack: find a fixed point (P ∘ P has twice as many fixed points as a random permutation).
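Both the permutation counting problem above and the fixed-point remark can be checked exactly on a toy domain by enumerating every permutation. The added example below (my code, not the authors') does this for N = 7 points: it returns p_real and p_ideal as exact fractions for a given set of (x, y) pairs, and the expected number of fixed points of P and of P ∘ P.

```python
import math
from fractions import Fraction
from itertools import permutations


def p_real(N, pairs):
    """Exact Pr[P o P(x_i) = y_i for all i] for a uniform permutation P of {0,..,N-1},
    by enumerating all N! permutations (toy N only)."""
    count = sum(1 for P in permutations(range(N))
                if all(P[P[x]] == y for x, y in pairs))
    return Fraction(count, math.factorial(N))


def p_ideal(N, q):
    """Pr[E(x_i) = y_i for all i] for a uniform permutation E: 1 / (N (N-1) ... (N-q+1))."""
    return Fraction(1, math.factorial(N) // math.factorial(N - q))


def expected_fixed_points(N):
    """Exact expected number of fixed points of P and of P o P, over all permutations."""
    fp_P = fp_PP = 0
    for P in permutations(range(N)):
        fp_P += sum(1 for i in range(N) if P[i] == i)
        fp_PP += sum(1 for i in range(N) if P[P[i]] == i)
    total = math.factorial(N)
    return Fraction(fp_P, total), Fraction(fp_PP, total)


if __name__ == "__main__":
    N = 7
    print("x != y:", p_real(N, [(0, 1)]), "vs ideal", p_ideal(N, 1))
    print("x == y:", p_real(N, [(0, 0)]), "vs ideal", p_ideal(N, 1))
    print("two queries:", p_real(N, [(0, 1), (2, 3)]), "vs ideal", p_ideal(N, 2))
    print("E[fixed points] of P, P o P:", expected_fixed_points(N))
```

For a single query with x ≠ y the enumeration gives p_real / p_ideal = (N − 2)/(N − 1), slightly below 1, while for x = y it gives p_real = 2/N, twice the ideal value; averaged over all points this is the factor two in the expected fixed-point count (1 for P, 2 for P ∘ P) that the best known distinguisher exploits.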


Conclusion

Minimal Even-Mansour cipher secure against generic attacks up to O(2^{2n/3}) queries:

[Figure: x → ⊕ k → P → ⊕ π(k) → P → ⊕ k → y]

First “beyond birthday-bound” security result for AES-like ciphers that does not require the “independent round keys” assumption.
Open problems:
- remove technical restrictions (mainly the F2-linear key-schedule)
- extend the result to r ≥ 3 rounds! (generalization of the sum-capture problem?)


The end...

Thanks for your attention! Comments or questions?


References

László Babai. The Fourier Transform and Equations over Finite Abelian Groups: An introduction to the method of trigonometric sums. Lecture notes, December 1989. Available at http://people.cs.uchicago.edu/~laci/reu02/fourier.pdf.

Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, François-Xavier Standaert, John P. Steinberger, and Elmar Tischhauser. Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations (Extended Abstract). In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 45–62. Springer, 2012.

Shan Chen and John Steinberger. Tight Security Bounds for Key-Alternating Ciphers. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 327–350. Springer, 2014. Full version available at http://eprint.iacr.org/2013/222.

Orr Dunkelman, Nathan Keller, and Adi Shamir. Minimalism in Cryptography: The Even-Mansour Scheme Revisited. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 336–354. Springer, 2012.

Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology, 10(3):151–162, 1997.

Rodolphe Lampe, Jacques Patarin, and Yannick Seurin. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 278–295. Springer, 2012.

John Steinberger. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, Report 2012/481, 2012. Available at http://eprint.iacr.org/2012/481.

John Steinberger. Counting solutions to additive equations in random sets. arXiv Report 1309.5582, 2013. Available at http://arxiv.org/abs/1309.5582.