Abstract

The tweakable Even-Mansour construction generalizes the conventional Even-Mansour scheme by replacing round keys with strings derived from a master key and a tweak. Besides providing plenty of inherent variability, such a design builds a tweakable block cipher from a lower-level primitive. In the present paper, we evaluate the multi-key security of TEM-1, one of the most commonly used one-round tweakable Even-Mansour schemes (formally introduced at CRYPTO 2015), which is constructed from a single n-bit permutation P and a function f(k, t), linear in k, from some tweak space to {0,1}^n. Based on the giant component theorem in random graph theory, we propose a collision-based multi-key attack on TEM-1 in the known-plaintext setting. Furthermore, inspired by the methodology of Fouque et al. presented at ASIACRYPT 2014, we devise a novel way of detecting collisions and eventually obtain a memory-efficient multi-key attack in the adaptive chosen-plaintext setting. As important applications, we utilize our techniques to analyze the authenticated encryption algorithms Minalpher (a second-round candidate of CAESAR) and OPP (proposed at EUROCRYPT 2016) in the multi-key setting. We describe known-plaintext attacks on Minalpher and OPP without nonce misuse, which enable us to recover almost all O(2^{n/3}) independent masks by making O(2^{n/3}) queries per key and costing O(2^{2n/3}) memory overall. After defining appropriate iterated functions and accordingly changing the mode of creating chains, we improve the basic blockwise-adaptive chosen-plaintext attack to make it also applicable in the nonce-respecting setting. While our attacks do not contradict the security proofs of Minalpher and OPP in the classical setting, nor pose an immediate threat to their uses, our results demonstrate that their security margins in the multi-user setting should be carefully considered. We emphasize that this is the very first third-party analysis of Minalpher and OPP.

Highlights

  • (1.1 Multi-key Analysis) With regard to cryptanalysis, cryptosystems are mostly evaluated in the single-key and related-key models

  • We evaluate the multi-key security of TEM-1, a one-round tweakable Even-Mansour scheme shown in Figure 1, which can be characterized as TEM(k, t, m) = f(k, t) ⊕ P(f(k, t) ⊕ m), where P is an n-bit public permutation, k is a secret key, t is a tweak, and f(k, t) is a function linear in k

  • It is not difficult to see that the TEM-1 we study in the present paper naturally generalizes the tweakable Even-Mansour scheme adopted in Minalpher
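To make the multi-key degradation concrete, here is an added toy simulation (not the paper's code): it instantiates TEM-1 with a 16-bit public permutation and the assumed mask f(k, t) = k ⊕ t, collects known-plaintext triples from many users, and applies the classic Even-Mansour collision attack (matching m ⊕ c against x ⊕ P(x) for offline evaluations of P) rather than the paper's giant-component construction. The point to observe is that each offline evaluation of P is tested against every user's data at once, so the cost per recovered key falls as the number of users grows.

```python
import random

N = 16                       # toy block size (assumption; real TEM-1 uses a large n)
MASK = (1 << N) - 1

def make_permutation(seed):
    """Public random permutation P on n-bit strings, shared by every user."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return table

P = make_permutation(2015)

def f(k, t):
    """Assumed key-linear mask derivation f(k, t) = k XOR t (invertible in k)."""
    return (k ^ t) & MASK

def tem1_encrypt(k, t, m):
    """TEM-1: c = f(k,t) XOR P(f(k,t) XOR m)."""
    mask = f(k, t)
    return mask ^ P[mask ^ m]

def multikey_known_plaintext(u, q, p_budget, seed=1):
    """u users each leak q known (t, m, c) triples; the analyst spends p_budget
    offline evaluations of P. Returns (true keys, {user: recovered key})."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(N) for _ in range(u)]
    by_diff, check = {}, []
    for uid, k in enumerate(keys):
        pairs = []
        for _ in range(q):
            t, m = rng.getrandbits(N), rng.getrandbits(N)
            pairs.append((t, m, tem1_encrypt(k, t, m)))
        check.append(pairs[:2])          # held back to confirm candidates
        # m XOR c == x XOR P(x) for the hidden input x = f(k,t) XOR m, so all
        # users' pairs go into one table indexed by that publicly computable value
        for t, m, c in pairs[2:]:
            by_diff.setdefault(m ^ c, []).append((uid, t, m))
    recovered = {}
    for _ in range(p_budget):
        x = rng.getrandbits(N)           # one offline P evaluation serves all users
        for uid, t, m in by_diff.get(x ^ P[x], []):
            cand = (m ^ x) ^ t           # mask = m XOR x, then invert f in k
            if all(tem1_encrypt(cand, t0, m0) == c0 for t0, m0, c0 in check[uid]):
                recovered[uid] = cand    # the two held-back pairs reject x XOR P(x) coincidences
    return keys, recovered
```

With 64 users, 64 known pairs each and 1024 offline evaluations of P (a small fraction of the 2^16 inputs), about 60% of the keys are recovered in expectation, which is the per-key margin loss the abstract warns about.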


Summary

Introduction

Received: 2016-09-01, Accepted: 2016-11-01, Published: 2017-02-03

With regard to cryptanalysis, cryptosystems are mostly evaluated in the single-key and related-key models. In the former, adversaries have access to the scheme equipped with a uniformly random key, without any knowledge of the key. In the latter, the scheme is equipped individually with related keys, whose values are secret but whose relations are known. Both models have shown great benefits in analyzing cryptographic schemes, and have continuously motivated the advance of practically secure new designs [BW00, BK09, DFJ13, Mav15]. The renewed keys should be random as well as independent from all previously used keys.
