|
Part I Definitions and First Security Results |
|
|
|
1 Introduction: General Definitions |
|
|
3 | (8) |
|
|
|
3 | (2) |
|
|
|
5 | (1) |
|
|
|
6 | (1) |
|
|
|
6 | (2) |
|
1.5 Kerckhoffs's Principle |
|
|
8 | (3) |
|
|
|
9 | (2) |
|
2 Balanced Feistel Ciphers, First Properties |
|
|
11 | (10) |
|
|
|
11 | (1) |
|
2.2 Definition of Classical Feistel Ciphers |
|
|
11 | (3) |
|
2.3 Signature of Balanced Feistel Networks |
|
|
14 | (1) |
|
2.4 Random Feistel Ciphers |
|
|
15 | (1) |
|
2.5 Efficient Attacks for One, Two, and Three Rounds |
|
|
15 | (4) |
|
2.5.1 KPA for One Round with q = 1 |
|
|
16 | (1) |
|
2.5.2 NCPA for Two Rounds with q = 2 |
|
|
16 | (1) |
|
2.5.3 CCA for Three Rounds with q = 3 |
|
|
17 | (2) |
|
|
|
19 | (2) |
|
|
|
19 | (1) |
|
|
|
19 | (2) |
|
3 The H-Coefficient Method |
|
|
21 | (24) |
|
3.1 Six "H-coefficient" Theorems |
|
|
21 | (13) |
|
3.1.1 Notation: Definition of H |
|
|
22 | (1) |
|
|
|
22 | (3) |
|
|
|
25 | (1) |
|
|
|
25 | (3) |
|
|
|
28 | (5) |
|
3.1.6 Comments about These Theorems |
|
|
33 | (1) |
|
3.2 How to Distinguish Random functions from Random Permutations |
|
|
34 | (1) |
|
3.3 Triangular Evaluation on Generic Designs |
|
|
35 | (1) |
|
3.4 Example: Exact Values of H for ψr and q = 2 |
|
|
35 | (3) |
|
3.5 Two Simple Composition Theorems in CCA |
|
|
38 | (7) |
|
3.5.1 A Simple Mathematical Property |
|
|
38 | (1) |
|
3.5.2 A Composition Theorem in CCA with H-Coefficients |
|
|
39 | (2) |
|
3.5.3 A Composition Theorem to Eliminate a "hole" |
|
|
41 | (1) |
|
3.5.4 Comments about the Composition Theorems |
|
|
42 | (1) |
|
|
|
43 | (2) |
|
|
|
45 | (12) |
|
4.1 Pseudo-Randomness Notions |
|
|
45 | (2) |
|
|
|
47 | (1) |
|
4.2.1 The "H-Property of ψ3 |
|
|
47 | (1) |
|
4.2.2 "Main Lemma" of Luby and Racckoff for ψ3 from the "H-property" |
|
|
48 | (1) |
|
|
|
48 | (2) |
|
4.3.1 The "H-property" for ψ4 |
|
|
48 | (2) |
|
4.3.2 "Main Lemma" of Luby and Rackoff for ψ4 from the "H-property" of ψ4 |
|
|
50 | (1) |
|
4.4 Conclusion: ψ3 is Pseudo-Random, ψ4 Is Super Pseudo-Random |
|
|
50 | (2) |
|
4.4.1 Comments about Luby-Rackoff Theorems |
|
|
51 | (1) |
|
|
|
52 | (5) |
|
|
|
52 | (1) |
|
|
|
53 | (4) |
|
|
|
|
5 Introduction to Cryptanalysis and Generic Attacks |
|
|
57 | (8) |
|
5.1 Generic Attacks: Distinguishers |
|
|
57 | (1) |
|
5.2 2-Point Attacks and φ-Point Attacks and the Variance Method |
|
|
58 | (2) |
|
5.2.1 General Description of the Attacks |
|
|
58 | (1) |
|
5.2.2 Distinguishing Attacks |
|
|
59 | (1) |
|
5.3 Attacks with More Than 2kn Computations |
|
|
60 | (2) |
|
5.3.1 Attacks on Generators |
|
|
60 | (1) |
|
5.3.2 Brute Force Attacks |
|
|
60 | (1) |
|
5.3.3 Attack by the Signature |
|
|
61 | (1) |
|
|
|
62 | (3) |
|
|
|
62 | (3) |
|
6 Generic Attacks on Classical Feistel Ciphers |
|
|
65 | (10) |
|
|
|
65 | (1) |
|
6.2 Generic Attacks on 1, 2, 3 and 4 Rounds |
|
|
66 | (3) |
|
|
|
67 | (1) |
|
|
|
67 | (1) |
|
|
|
67 | (1) |
|
|
|
68 | (1) |
|
6.3 Generic Attacks on ψ5 |
|
|
69 | (1) |
|
|
|
69 | (1) |
|
|
|
69 | (1) |
|
6.4 Attacks on ψr Generators, r ≥ 6 |
|
|
70 | (2) |
|
|
|
70 | (1) |
|
|
|
71 | (1) |
|
6.5 Summary of the Best Known Results on Random Feistel Ciphers |
|
|
72 | (1) |
|
|
|
72 | (3) |
|
|
|
73 | (1) |
|
|
|
73 | (2) |
|
7 Generic Attacks on Classical Feistel Ciphers with Internal Permutations |
|
|
75 | (20) |
|
|
|
75 | (1) |
|
7.2 Generic Attacks for a Small Numbers of Rounds (r ≤ 5) |
|
|
76 | (3) |
|
7.2.1 Generic Attacks on 3-Round Feistel Networks with Internal Permutations |
|
|
76 | (2) |
|
7.2.2 Generic Attacks on 4-Round Feistel Networks with Internal Permutations |
|
|
78 | (1) |
|
7.2.3 Generic Attacks on 5 Rounds Feistel Networks with Internal Permutations |
|
|
78 | (1) |
|
7.3 Generic Attacks for Any Number of Rounds: General Method |
|
|
79 | (4) |
|
7.3.1 Computation of the Probabilities |
|
|
80 | (1) |
|
7.3.2 All Possible 2-Point Attacks |
|
|
81 | (2) |
|
|
|
83 | (1) |
|
7.4 Computation of the H-Coefficients |
|
|
83 | (10) |
|
7.4.1 General Ideas for the Computation of the H-Coefficients |
|
|
83 | (2) |
|
7.4.2 Exact Formulas for H-Coefficients |
|
|
85 | (4) |
|
7.4.3 Exact H-Coefficient Values for r ≤ 5 |
|
|
89 | (2) |
|
7.4.4 Table of Leading Terms of H·24n/|jn|r --- 1/1---1/22n and Example of Attack |
|
|
91 | (2) |
|
7.5 Table of Results for Any Number of Rounds |
|
|
93 | (2) |
|
|
|
94 | (1) |
|
8 Generic Attacks on Contracting Feistel Ciphers |
|
|
95 | (22) |
|
|
|
95 | (2) |
|
8.2 Simple Attacks on the First k Rounds |
|
|
97 | (3) |
|
8.2.1 Attacks on Grk for 1 ≤ r ≤ k -- 1 |
|
|
98 | (2) |
|
8.3 Generic Attacks When k = 3 |
|
|
100 | (12) |
|
8.3.1 Attacks on 4 Rounds: G43 |
|
|
100 | (2) |
|
8.3.2 Attacks on 5 Rounds: G43 |
|
|
102 | (6) |
|
8.3.3 Attacks on 6 Rounds: G63 |
|
|
108 | (1) |
|
8.3.4 Attacks on 7 Rounds: G73 |
|
|
109 | (1) |
|
8.3.5 Attacks on Gr3 Generators for r ≥ 8 |
|
|
110 | (2) |
|
8.3.6 Summary of the Attacks on Gr3 |
|
|
112 | (1) |
|
8.4 Generic Attacks When k ≥ 4 and r > k |
|
|
112 | (5) |
|
8.4.1 Attacks for k + t Rounds, with 1 ≤ t < k -- 1 |
|
|
113 | (1) |
|
8.4.2 Attacks for 2k -- 1 Rounds |
|
|
113 | (1) |
|
8.4.3 Attacks on Generators |
|
|
114 | (1) |
|
8.4.4 Summary of the Results for r > 4 |
|
|
115 | (2) |
|
9 Generic Attacks on Expanding Feistel Ciphers |
|
|
117 | (22) |
|
9.1 Notation: Definition---Properties |
|
|
118 | (2) |
|
9.2 Attacks on the First k + 2 Rounds |
|
|
120 | (5) |
|
|
|
121 | (1) |
|
9.2.2 2-Point NCPA and KPA on Frk, 2 ≤ r ≤ k |
|
|
121 | (2) |
|
9.2.3 2-Point NCPA and KPA on Fkk=1 |
|
|
123 | (1) |
|
9.2.4 2-Point NCPA and KPA on Fkk+2 |
|
|
124 | (1) |
|
9.3 Rectangle Attacks for r ≥ k + 3 |
|
|
125 | (11) |
|
9.3.1 Notation: First Examples |
|
|
125 | (3) |
|
9.3.2 Generation of All Possible Attacks for k ≤ 7 |
|
|
128 | (1) |
|
9.3.3 Different Kinds of Rectangle Attacks: R1, R2, R3, and R4 |
|
|
129 | (2) |
|
9.3.4 Best KPA Attacks: R1, R2 |
|
|
131 | (1) |
|
|
|
132 | (3) |
|
9.3.6 Best NCPA: R1, R2---Simulations |
|
|
135 | (1) |
|
9.4 Summary of the Attacks |
|
|
136 | (3) |
|
|
|
138 | (1) |
|
|
|
138 | (1) |
|
10 Generic Attacks on Generalized Feistel Ciphers |
|
|
139 | (18) |
|
10.1 Type-1 Feistel Ciphers |
|
|
139 | (8) |
|
10.1.1 Notation: Definition |
|
|
139 | (1) |
|
10.1.2 Simple Attacks on the First Rounds |
|
|
140 | (2) |
|
10.1.3 NCPA and KPA Using the Expectation |
|
|
142 | (1) |
|
10.1.4 NCPA and KPA Using the Standard Deviation |
|
|
143 | (3) |
|
10.1.5 Summary of the Results |
|
|
146 | (1) |
|
10.1.6 Signature of Type-1 Feistel Ciphers |
|
|
146 | (1) |
|
10.2 Type-2 Feistel Ciphers |
|
|
147 | (4) |
|
10.2.1 Notation: Definition |
|
|
147 | (1) |
|
|
|
147 | (1) |
|
|
|
148 | (2) |
|
10.2.4 Summary of the Results |
|
|
150 | (1) |
|
10.2.5 Signature of Type-2 Feistel Ciphers |
|
|
150 | (1) |
|
10.3 Type-3 Feistel Ciphers |
|
|
151 | (6) |
|
10.3.1 Notation: Definition |
|
|
151 | (1) |
|
|
|
151 | (1) |
|
|
|
152 | (1) |
|
10.3.4 Summary of the Results |
|
|
152 | (1) |
|
10.3.5 Signature of Type-3 Feistel Ciphers |
|
|
153 | (4) |
|
Part III DES and Other Specific Feistel Ciphers |
|
|
|
11 DES and Variants: 3DES, DES -- X |
|
|
157 | (20) |
|
|
|
157 | (7) |
|
11.1.1 General Description of DES |
|
|
157 | (2) |
|
11.1.2 Design of the Functions Fi |
|
|
159 | (5) |
|
|
|
164 | (1) |
|
|
|
164 | (1) |
|
11.2.2 Brute Force Attack |
|
|
164 | (1) |
|
11.2.3 Linear Cryptanalysis |
|
|
165 | (1) |
|
11.2.4 Biham Type Attack [ 1] |
|
|
165 | (1) |
|
11.2.5 Conclusion on Simple DES |
|
|
165 | (1) |
|
|
|
165 | (5) |
|
|
|
166 | (1) |
|
11.3.2 Brute Force Attack |
|
|
166 | (1) |
|
11.3.3 Merle-Hellman Attack [ 10] |
|
|
166 | (1) |
|
11.3.4 Van Oorschot and Wiener Attack [ 14] |
|
|
167 | (1) |
|
11.3.5 Mitchell Attack [ 11] |
|
|
168 | (1) |
|
|
|
168 | (1) |
|
11.3.7 Attack with Partial Decryption |
|
|
169 | (1) |
|
11.3.8 Biham Type Attack [ 1] |
|
|
169 | (1) |
|
11.3.9 Related-Key Attack |
|
|
170 | (1) |
|
11.3.10 Related-Key Distinguisher |
|
|
170 | (1) |
|
11.3.11 Conclusion on 3DES with Two Keys |
|
|
170 | (1) |
|
|
|
170 | (3) |
|
|
|
170 | (1) |
|
11.4.2 Man-in-the-Middle Attack and Refinements by Lucks |
|
|
171 | (1) |
|
|
|
171 | (1) |
|
11.4.4 Attack with Partial Decryption |
|
|
171 | (1) |
|
11.4.5 Biham Type Attack [ 1] |
|
|
171 | (1) |
|
11.4.6 Related-Key Attack |
|
|
172 | (1) |
|
11.4.7 Related-Key Distinguisher |
|
|
172 | (1) |
|
11.4.8 Conclusion on 3DES with Three Keys |
|
|
172 | (1) |
|
|
|
173 | (4) |
|
|
|
173 | (1) |
|
|
|
173 | (1) |
|
11.5.3 Linear Cryptanalysis [ 12] |
|
|
173 | (1) |
|
|
|
174 | (1) |
|
11.5.5 Attack with Partial Decryption |
|
|
174 | (1) |
|
|
|
174 | (1) |
|
11.5.7 Related-Key Attack |
|
|
174 | (1) |
|
11.5.8 Related-Key Distinguisher |
|
|
175 | (1) |
|
11.5.9 Conclusion on DES -- X |
|
|
175 | (1) |
|
|
|
175 | (1) |
|
|
|
175 | (2) |
|
12 GOST, SIMON, BEAR-LION, CAST-256, CLEFIA |
|
|
177 | (16) |
|
12.1 Ciphers Based on Balanced Feistel Constructions |
|
|
177 | (3) |
|
|
|
177 | (3) |
|
|
|
180 | (1) |
|
12.2 Ciphers Based on Expanding and/or Feistel Constructions |
|
|
180 | (2) |
|
|
|
180 | (2) |
|
12.2.2 Other Examples of Unbalanced Feistel Ciphers |
|
|
182 | (1) |
|
12.3 Ciphers Based on Generalized Feistel Constructions |
|
|
182 | (11) |
|
|
|
182 | (2) |
|
|
|
184 | (4) |
|
|
|
188 | (5) |
|
Part IV Advanced Security Results |
|
|
|
13 Proof Beyond the Birthday Bound with the Coupling Technique |
|
|
193 | (10) |
|
13.1 Feistel Networks as Shuffles |
|
|
193 | (1) |
|
13.2 Definition and History of the Coupling Technique |
|
|
194 | (1) |
|
13.3 Application to Feistel Ciphers |
|
|
195 | (6) |
|
|
|
201 | (2) |
|
|
|
201 | (2) |
|
14 Introduction to Mirror Theory |
|
|
203 | (20) |
|
|
|
203 | (4) |
|
|
|
207 | (2) |
|
14.2.1 Typical Theorem in Mirror Theory |
|
|
209 | (1) |
|
|
|
209 | (6) |
|
14.4 About Computer Simulations |
|
|
215 | (1) |
|
14.5 Marshall Hall Jr Theorem and Conjectures of 2008 |
|
|
216 | (2) |
|
|
|
217 | (1) |
|
14.5.2 Computer Simulations |
|
|
217 | (1) |
|
14.6 Examples of Connections Between Mirror Systems and Cryptographic Security of Generic Schemes |
|
|
218 | (2) |
|
14.6.1 Xor of 2 Bijections, H Standard Technique |
|
|
218 | (1) |
|
14.6.2 Xor of 2 Bijections, Hσ Technique |
|
|
218 | (1) |
|
14.6.3 Security of Balanced Feistel Schemes |
|
|
219 | (1) |
|
14.6.4 Security of ƒ(x||0) + ƒ(x||1) When ƒ Is a Bijection |
|
|
219 | (1) |
|
|
|
220 | (1) |
|
|
|
220 | (3) |
|
|
|
220 | (3) |
|
15 "Pi + Pj Theorem" When ξmax = 2 |
|
|
223 | (34) |
|
15.1 Presentation of "Pi + Pj Theorem" When ξmax = 2 |
|
|
223 | (2) |
|
15.2 Security When α3 << 22n |
|
|
225 | (1) |
|
|
|
226 | (4) |
|
15.3.1 Inclusion-Exclusion Formula for hα+1 |
|
|
226 | (1) |
|
15.3.2 Analysis of the Term Σi=l2a |Bi| |
|
|
227 | (1) |
|
15.3.3 Analysis of the Term Σil <i2 |Bi1 ∩ Bi2| |
|
|
228 | (1) |
|
15.3.4 General Proof Strategy |
|
|
229 | (1) |
|
15.4 Security When α4 << 23n |
|
|
230 | (6) |
|
15.4.1 Approximation in O(α/2n) of hrα |
|
|
230 | (1) |
|
15.4.2 Evaluation of |Mα| |
|
|
231 | (1) |
|
15.4.3 Ordering the Equations Such That Δ ≤ δ + 1 |
|
|
232 | (1) |
|
15.4.4 Security in α4 << 23n from the Orange Equation, Method 1 |
|
|
233 | (1) |
|
15.4.5 Security in α4 << 23n from the Orange Equation, Method 2 |
|
|
234 | (2) |
|
15.5 The First Purple Equations |
|
|
236 | (3) |
|
15.5.1 Inclusion-Exclusion Formula for hα+1 |
|
|
236 | (1) |
|
15.5.2 Evaluation of Σ2a--4i=1 |Bi| |
|
|
237 | (1) |
|
15.5.3 Evaluation of Σi1, <i2 |Bi1 ∩ Bi2| |
|
|
238 | (1) |
|
15.6 Approximation in O(α/2n) of hα and hα--k |
|
|
239 | (2) |
|
15.7 Security When α6 << 25n |
|
|
241 | (3) |
|
15.8 Approximation in 0(α/2n) of h(d)α |
|
|
244 | (1) |
|
15.9 All the Purple Equations |
|
|
244 | (6) |
|
15.9.1 Inclusion-Exclusion for h(d)α+d |
|
|
244 | (2) |
|
15.9.2 Evaluation of Σ2d(a--2) i=1 |Bi|: 1 Equation βi1 |
|
|
246 | (1) |
|
15.9.3 Evaluation of Σi, 1 <i2 |Bi1 ∩ Bi2|: 2 Equations βi1 and βi2 |
|
|
246 | (1) |
|
15.9.4 Evaluation of Σi1<i2<...<iφ |Bi1 ∩ ... ∩ Biφ|: φ Equations βi1, ..., βiφ |
|
|
247 | (3) |
|
15.10 Second Purple Equation |
|
|
250 | (1) |
|
15.11 Induction on the Deviation Terms |
|
|
251 | (2) |
|
15.12 Application with d = 1 and d = 2 |
|
|
253 | (1) |
|
15.13 Alternative Proof, Improved Coefficients |
|
|
254 | (1) |
|
15.13.1 Sign of the Coefficients |
|
|
254 | (1) |
|
15.13.2 Induction by Blocks of 2 Variables |
|
|
254 | (1) |
|
15.14 Summary of the Proof |
|
|
255 | (2) |
|
|
|
255 | (1) |
|
|
|
256 | (1) |
|
16 "Pi + Pj Theorem" on Standard Systems and "Pi + Pj Theorem" with Any ξmax |
|
|
257 | (14) |
|
16.1 Presentation of "Pi + Pj Theorems" on Standard Systems, and for Any ξmax |
|
|
257 | (2) |
|
16.2 First Results: Security When a3ξ2max << 22n |
|
|
259 | (2) |
|
|
|
261 | (5) |
|
16.3.1 Inclusion-Exclusion Formula for hα+1 |
|
|
261 | (1) |
|
|
|
262 | (1) |
|
16.3.3 Terms in |Bi1 ∩ Bi2| |
|
|
262 | (2) |
|
16.3.4 Term in |Bi1 ∩ ... ∩ Biφ|: φ Equations βi |
|
|
264 | (2) |
|
16.4 Ordering the Equations Such That Δ ≤ δ + ξ/2 |
|
|
266 | (1) |
|
16.5 Analysis of the Orange Equations |
|
|
267 | (4) |
|
|
|
267 | (1) |
|
|
|
267 | (1) |
|
|
|
268 | (1) |
|
16.5.4 Solution 1: For Standard Systems, Without Using the Alternating Signs + and - |
|
|
269 | (1) |
|
16.5.5 Solution 2: Using the Alternating Signs + and - |
|
|
269 | (1) |
|
|
|
270 | (1) |
|
|
|
270 | (1) |
|
17 Proofs Beyond the Birthday Bound on ψk with the H-Coefficient Method |
|
|
271 | (20) |
|
17.1 Exact Formulas for H and ψk with "frameworks" |
|
|
271 | (4) |
|
17.2 Standard Systems Dominate |
|
|
275 | (1) |
|
|
|
275 | (1) |
|
|
|
276 | (1) |
|
|
|
276 | (5) |
|
17.3.1 Security in q << 2n Instead of q << 2n/n2 |
|
|
281 | (1) |
|
|
|
281 | (4) |
|
17.4.1 Security in q << 2n Instead of q << 2n/n2 |
|
|
285 | (1) |
|
|
|
285 | (1) |
|
17.5.1 Case 1: j Is a Direct Query Such That Ei < j, Ri = Rj |
|
|
285 | (1) |
|
17.5.2 Case 2: j Is an Inverse Query Such That Ei < j, Si = Sj |
|
|
286 | (1) |
|
|
|
286 | (1) |
|
17.6.1 Security in q << 2n Instead of q << 2n/n2 |
|
|
287 | (1) |
|
17.7 Security Results on ψk, k ≥ 6, with the Composition Theorem |
|
|
287 | (1) |
|
17.8 Results from Mirror Theory Compared with Results from Coupling on ψk |
|
|
288 | (3) |
|
|
|
289 | (2) |
|
|
|
291 | (6) |
|
|
|
291 | (1) |
|
18.2 Formal Definition of Indifferentiability |
|
|
292 | (1) |
|
18.3 Five Rounds of Balanced Feistel is not Indifferentiable from an Ideal Cipher |
|
|
293 | (2) |
|
|
|
295 | (1) |
|
|
|
295 | (2) |
|
|
|
296 | (1) |
| Solutions |
|
297 | (12) |
| Reference |
|
309 | |
