Abstract

Coron et al. showed a construction of a 3-round 2n-bit cryptographic permutation from three independent n-bit ideal ciphers with n-bit keys (TCC 2010). Guo and Lin showed a construction of a (2d − 1)-round dn-bit cryptographic permutation from 2d − 1 independent n-bit ideal ciphers with kn-bit keys, where d = k + 1 (Cryptography and Communications, 2015). These constructions have an indifferentiability security bound of $O(q^2/2^n)$ against adversaries that make at most q queries. The bound is commonly referred to as birthday-bound security. In this paper, we show that a 5-round version of Coron et al.’s construction and a (2d + 1)-round version of Guo and Lin’s construction yield a cryptographic permutation with an indifferentiability security bound of $O(q^2/2^{2n})$, i.e., by adding two more rounds, these constructions have beyond-birthday-bound security. Furthermore, under the assumption that $q \le 2^n$, we show that Guo and Lin’s construction with 2d + 2l − 1 rounds yields a cryptographic permutation with a security bound of $O(q^2/2^{(l+1)n})$, where 1 ≤ l ≤ d − 1, i.e., the security bound exponentially improves by adding every two more rounds, up to 4d − 3 rounds. To the best of our knowledge, our result gives the first cryptographic permutation that is built from n-bit ideal ciphers and has a full n-bit indifferentiability security bound.

Highlights

  • We study the problem of constructing a secure cryptographic permutation from block ciphers modeled as ideal ciphers in the provable security paradigm

  • We prove under the assumption $q = q_c + q_p \le 2^n$ that the iterative construction in Fig. 1(c) is indifferentiable from a dn-bit random permutation with an indifferentiability security bound of $O(q^2/2^{(l+1)n})$ for $r = 2d + 2l - 1$, where $1 \le l \le d - 1$ is an integer

  • That is, when we define a bad event in our security proof for the $(2d + 2l - 1)$-round construction, all the events are defined so that they involve collisions between $(l + 1)n$-bit random variables, which is the main difference from the birthday-bound security proofs in [CDMS10, GL15]


Summary

Introduction

In [CDMS10], a 3-round construction of a 2n-bit cryptographic permutation from three independent n-bit block ciphers with n-bit keys (described in Fig. 1(a)) was proposed, and its security was shown in the indifferentiability framework introduced by Maurer et al. [MRH04]. block length of the ideal cipher) This implies that a 2n-bit random permutation can be securely replaced by the 3-round construction provided that q $2^{n/2}$ holds. If we model AES-128 [DR02] as the 128-bit ideal cipher with 128-bit keys, the result in [CDMS10] shows that the 3-round version gives a 256-bit cryptographic. If we model SKINNY-128-384 [BJK+16] as the 128-bit ideal cipher with 384-bit keys, [GL15] shows that the 7-round version gives a 512-bit cryptographic permutation with a security bound of $O(q^2/2^{128})$. See [BLLN19] for an attempt to apply the result of Coron et al. [CDMS10] to obtain efficient authenticated encryption schemes

Received: 2020-03-02, Accepted: 2020-05-01, Published: 2020-07-24
