On Provable Security of Block Ciphers Kouichi SAKURAI
f : Pseudo-Random (def.) : f cannot be distinguished from truly random by a poly. time machine ・ Truly Random : ・ Pseudo-Random Generator, poly. size, '80 ・ Factoring : Blum-Micali ・ Discrete-Log : Goldwasser ・ One-way functions : Levin, Luby
Design of Cryptosystems ・ f : Basic function ・ C : Cryptosystem ・ D : good Design (def.) : f : (Pseudo) RANDOM ⇒ C = D(f) : (Pseudo) RANDOM ・ [LR '86] DES-Transformation ・ [BKR '94] CBC-MAC [ANSI X.99] ・ [BR '95] Key Distribution from Kerberos
Pseudo-Randomness • Theoretical (Asymptotic) • Ideal Assumption • Not a sufficient criterion for security ・ Non-Randomness implies Constructive (Practical) attacks ・ Important Design Criteria
[Luby-Rackoff '86] Pseudo-Random functions ⇒ Pseudo-Random Permutation (DES-Trans.) ・ 3-round DES is a good Design ・ Note: No 2-round!! ・ Practical Aspect : Pseudo-Random : Too ideal! With the existing f of DES, 16 rounds are required for protecting against Diff. Attack
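The "No 2-round" note can be checked directly. The following is an added example, not taken from the original slides: it assumes truncated HMAC-SHA256 as a stand-in for the pseudo-random round functions and a constructed 128-bit block, and tests a chosen-plaintext relation that always holds for a 2-round DES-transformation and practically never for 3 rounds.

```python
import hashlib
import hmac
import os

HALF = 8  # bytes per half-block (constructed toy size, not DES's 32 bits)

def prf(key: bytes, x: bytes) -> bytes:
    """Round function f_k. Assumption: truncated HMAC-SHA256 stands in for a PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def feistel(keys, left: bytes, right: bytes):
    """DES-style transformation: each round maps (L, R) -> (R, L xor f(R))."""
    for k in keys:
        left, right = right, xor(left, prf(k, right))
    return left, right

def left_half_relation(encrypt) -> bool:
    """Query (L1, R) and (L2, R); report whether the left output halves
    differ by exactly L1 xor L2. A random permutation satisfies this
    only with probability about 2^-64 at this block size."""
    r, l1, l2 = os.urandom(HALF), os.urandom(HALF), os.urandom(HALF)
    out1, _ = encrypt(l1, r)
    out2, _ = encrypt(l2, r)
    return xor(out1, out2) == xor(l1, l2)

def hit_rate(rounds: int, trials: int = 200) -> float:
    """Fraction of fresh-key trials in which the relation holds."""
    hits = 0
    for _ in range(trials):
        keys = [os.urandom(16) for _ in range(rounds)]
        hits += left_half_relation(lambda l, r: feistel(keys, l, r))
    return hits / trials

if __name__ == "__main__":
    # After 2 rounds the left output half is L xor f1(R), so f1(R) cancels
    # between the two queries; the third round masks this relation.
    for n in (2, 3):
        print(f"{n} rounds: relation holds in {hit_rate(n):.0%} of trials")
```
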
DES (NSA/IBM '76) 64bit C = DES(M,Key) DES(C,Key) = M 56bit One pair Correct Key Exhaustive Search DES ??
Linear Cryptanalysis (Matsui '96) ・ DES(M,K) ≈ (prob. approx.) f(M,K) : Linear ・ Maximum Likelihood Principle : guess Correct Key ・ ≪ 2^56
Provable Immunity Against Linear Attack Th. (Nyberg ’95) N : required Number of plaintexts for breaking 1-round function f . (required Number of plaintexts for breaking 3-round DES) Question : (6-round DES) ? Not yet proven/disproven !!
A solution by Matsui : Recursive structure : MISTY 2 N 4 N Note: Misty : 8 rounds N : required Number of Plaintexts
MISTY : A New Block Cipher ’96 Matsui (Mitsubishi) ・ Provable Immunity against Diff./Linear Attack Complexity ・ Faster than DES(twice) Basic Structures DES MISTY Motivation Compare w.r.t. other measure of security
Our Results : 1. : No. P.R. : No. P.R. 2. 3. : No. P.R. Remark : P.R. in all cases for DES.
Pseudo-Random Permutation Generator ・ Remark : Provable Immunity Against Diff./Linear Crypt. [Nyberg '95, Matsui '95, OA '96] ・ "3 rounds" is sufficient. ・ DES & MISTY
why is not P.R. L R Algebraic Relation known-plaintext Attack
Practical Consequences ・ MISTY : 8-rounds ・ Each F-function : Mini-Misty : 3-rounds ・ No. P.R. ・ Algebraic Structure ・ Higher Order Differential Cryptanalysis
Concluding Remarks ・ DES vs. MISTY ・ Provable Immunity Against Linear Attack ・ Pseudo-Random Generators ・ P.R., Super P.R. : open? ・ Generalized Structures
Recent Results ・ Sugita ◎NTT ・ Vaudenay-Moriai ・ Iwata-Kurosawa ・ Advanced Encryption Standards (after DES) : RC6, Serpent, MARS, Twofish, Rijndael, E2 ・ On pseudo-randomness.