
On Provable Security of Block Ciphers


Presentation Transcript


  1. On Provable Security of Block Ciphers Kouichi SAKURAI

  2. def f cannot be distinguished from truly Random • f:Pseudo-Random Poly. Time Machine ・ Truly Random : ・ Pseudo-Random Generator Poly. size. '80 ・Factoring Blum-Micali ・Discrete-Log Goldwasser ・One-way functions Levin, Luby

  3. Design of Cryptosystems. f : Basic function; C = D(f) : Cryptosystem. D : good Design (def.): f : (Pseudo) RANDOM ⇒ C = D(f) : (Pseudo) RANDOM. [LR’86] DES-Transformation; [BKR’94] CBC-MAC [ANSI X.99]; [BR’95] Key Distribution from Kerberos

  4. Pseudo-Randomness • Theoretical (Asymptotic) • Ideal Assumption • Not sufficient criteria for security. Non-Randomness implies Constructive (Practical) attacks. Important Design Criteria

  5. [Luby-Rackoff ’86] Pseudo-Random functions ⇒ Pseudo-Random Permutation. DES-Trans. 3 round DES is a good Design. Note: No 2-round!! Practical Aspect : Pseudo-Random : Too ideal! Existing f of DES: 16 round is required for protecting against Diff. Attack

  6. DES (NSA/IBM ’76) 64bit C = DES(M,Key) DES(C,Key) = M 56bit One pair Correct Key Exhaustive Search DES ??

  7. Linear Cryptanalysis Matsui '96 DES(M,K) prob. app. f (M,K) : Linear Max. Likelihood Principle guess Correct Key << 2^56

  8. Provable Immunity Against Linear Attack Th. (Nyberg ’95) N : required Number of plaintexts for breaking 1-round function f . (required Number of plaintexts for breaking 3-round DES) Question : (6-round DES) ? Not yet proven/disproven !!

  9. A solution by Matsui : Recursive structure : MISTY 2 N 4 N Note: Misty : 8 rounds N : required Number of Plaintexts

  10. MISTY : A New Block Cipher ’96 Matsui (Mitsubishi) ・ Provable Immunity against Diff./Linear Attack Complexity ・ Faster than DES(twice) Basic Structures DES MISTY Motivation Compare w.r.t. other measure of security

  11. Our Results : 1. : No. P.R. : No. P.R. 2. 3. : No. P.R. Remark : P.R. in all cases for DES.

  12. Pseudo-Random Permutation Generator Remark : Provable Immunity Against Diff./Linear Crypt. [Nyberg ’95, Matsui ’95, OA ’96] “3 rounds” is sufficient. DES & MISTY

  13. why is not P.R. L R Algebraic Relation known-plaintext Attack

  14. Practical Consequences MISTY : 8-rounds Each F-function : Mini-Misty : 3-rounds No. P.R. Algebraic Structure High-Order Diff. Cryptanalysis

  15. Concluding Remarks ・ DES vs. MISTY ・ Provable Immunity Against Linear Attack ・ Pseudo-Random Generators P.R. Super P.R. } open? Generalized Structures

  16. Recent Results ・ Sugita @NTT ・ Vaudenay - Moriai ・ Iwata - Kurosawa Advanced Encryption Standards (after DES) RC6 Serpent Mars Twofish Rijndael E2 On pseudo-Randomness.
