Abstract

A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5-th round as the feed-forward to the output state. This paper presents an extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the s-th round is used as the feed-forward. We also analyze the security of "dual" constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the s-th round. We apply an impossible differential attack, a zero-correlation linear attack, a traditional differential attack, a zero-correlation linear distinguishing attack and a meet-in-the-middle attack to these PRFs and their round-reduced versions. We show that AES-PRF is broken whenever s ≤ 2 or s ≥ 6, or when reduced to 7 rounds, and that Dual-AES-PRF is broken whenever s ≤ 4 or s ≥ 8. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight into its security.

Highlights

  • A pseudorandom permutation (PRP) is one of the main primitives in symmetric-key cryptography used to realize security functionalities such as encryption, authentication and authenticated encryption.

  • We consider a set of rich cryptanalytic techniques that we find to be effective on these pseudorandom functions (PRFs): an impossible differential attack [BBS99, Knu98], a zero-correlation linear attack [BLNW12, BR14], a traditional differential attack [BS90], a zero-correlation linear distinguishing attack [BLNW12, BR14] and a meet-in-the-middle attack [DS08, DKS10, DFJ13].

  • We performed an extensive security analysis of the pseudorandom function AES-PRF proposed by Mennink and Neves at FSE 2018.


Summary

Introduction

A pseudorandom permutation (PRP) is one of the main primitives in symmetric-key cryptography used to realize security functionalities such as encryption, authentication and authenticated encryption. The same argument holds for the authenticated encryption scheme GCM [MV04, Dwo07]. This limitation of the query complexity is often referred to as the birthday bound, and the examples illustrate that highly secure symmetric-key schemes can be obtained once we have a highly secure PRF. The truncation method decreases the rate at which randomness is generated, and each of the other three methods is twice as expensive as one block cipher call. To maintain both efficiency and beyond-the-birthday-bound security, based on the design called SURF by Bernstein [Ber97] and inspired by EDMD [MN17a], Mennink and Neves [MN17b] explored a dedicated design of a PRF.

Method
Description of AES
AES-PRF and Dual-AES-PRF
Overview of Our Attacks
Impossible Differential
Data Requirement for Impossible Differential Attack
Property of AES S-Box
Data Requirement for Zero-Correlation Linear Attack
Zero-Correlation Linear Distinguisher
Zero-Correlation Linear
Differential
Attacks on Round-Reduced Versions of AES-PRF
Differential Enumeration Technique
Attack against Other Variants
Conclusions
A Attacks on AES-PRF
Findings
B Attacks on Dual-AES-PRF