-
On the provable security of BEAR and LION schemes
Authors:
Lara Maines,
Matteo Piva,
Anna Rimoldi,
Massimiliano Sala
Abstract:
BEAR, LION and LIONESS are block ciphers presented by Biham and Anderson (1996), inspired by the famous Luby-Rackoff constructions of block ciphers from other cryptographic primitives (1988). The ciphers proposed by Biham and Anderson are based on one stream cipher and one hash function. Good properties of the primitives ensure good properties of the block cipher. In particular, they are able to p…
▽ More
BEAR, LION and LIONESS are block ciphers presented by Biham and Anderson (1996), inspired by the famous Luby-Rackoff constructions of block ciphers from other cryptographic primitives (1988). The ciphers proposed by Biham and Anderson are based on one stream cipher and one hash function. Good properties of the primitives ensure good properties of the block cipher. In particular, they are able to prove that their ciphers are immune to any efficient known-plaintext key-recovery attack that can use as input only one plaintext-ciphertext pair. Our contribution is showing that these ciphers are actually immune to any efficient known-plaintext key-recovery attack that can use as input any number of plaintext-ciphertext pairs. We are able to get this improvement by using slightly weaker hypotheses on the primitives. We also discuss the attack by Morin (1996).
△ Less
Submitted 2 May, 2011;
originally announced May 2011.
-
On weakly APN functions and 4-bit S-Boxes
Authors:
Claudio Fontanari,
Valentina Pulice,
Anna Rimoldi,
Massimiliano Sala
Abstract:
S-Boxes are important security components of block ciphers. We provide theoretical results on necessary or sufficient criteria for an (invertible) 4-bit S-Box to be weakly APN. Thanks to a classification of 4-bit invertible S-Boxes achieved independently by De CanniƩre and Leander-Poschmann, we can strengthen our results with a computer-aided proof.
S-Boxes are important security components of block ciphers. We provide theoretical results on necessary or sufficient criteria for an (invertible) 4-bit S-Box to be weakly APN. Thanks to a classification of 4-bit invertible S-Boxes achieved independently by De CanniƩre and Leander-Poschmann, we can strengthen our results with a computer-aided proof.
△ Less
Submitted 2 August, 2011; v1 submitted 17 February, 2011;
originally announced February 2011.
-
Do AES encryptions act randomly?
Authors:
Anna Rimoldi,
Massimiliano Sala,
Enrico Bertolazzi
Abstract:
The Advanced Encryption Standard (AES) is widely recognized as the most important block cipher in common use nowadays. This high assurance in AES is given by its resistance to ten years of extensive cryptanalysis, that has shown no weakness, not even any deviation from the statistical behaviour expected from a random permutation. Only reduced versions of the ciphers have been broken, but they are…
▽ More
The Advanced Encryption Standard (AES) is widely recognized as the most important block cipher in common use nowadays. This high assurance in AES is given by its resistance to ten years of extensive cryptanalysis, that has shown no weakness, not even any deviation from the statistical behaviour expected from a random permutation. Only reduced versions of the ciphers have been broken, but they are not usually implemented. In this paper we build a distinguishing attack on the AES, exploiting the properties of a novel cipher embedding. With our attack we give some statistical evidence that the set of AES-$128$ encryptions acts on the message space in a way significantly different than that of the set of random permutations acting on the same space. While we feel that more computational experiments by independent third parties are needed in order to validate our statistical results, we show that the non-random behaviour is the same as we would predict using the property of our embedding. Indeed, the embedding lowers the nonlinearity of the AES rounds and therefore the AES encryptions tend, on average, to keep low the rank of low-rank matrices constructed in the large space. Our attack needs $2^{23}$ plaintext-ciphertext pairs and costs the equivalent of $2^{48}$ encryptions.
We expect our attack to work also for AES-$192$ and AES-$256$, as confirmed by preliminary experiments.
△ Less
Submitted 11 November, 2010;
originally announced November 2010.
-
A possible intrinsic weakness of AES and other cryptosystems
Authors:
Anna Rimoldi,
Massimiliano Sala,
Ilia Toli
Abstract:
It has been suggested that the algebraic structure of AES (and other similar block ciphers) could lead to a weakness exploitable in new attacks. In this paper, we use the algebraic structure of AES-like ciphers to construct a cipher embedding where the ciphers may lose their non-linearity. We show some examples and we discuss the limitations of our approach.
It has been suggested that the algebraic structure of AES (and other similar block ciphers) could lead to a weakness exploitable in new attacks. In this paper, we use the algebraic structure of AES-like ciphers to construct a cipher embedding where the ciphers may lose their non-linearity. We show some examples and we discuss the limitations of our approach.
△ Less
Submitted 11 November, 2010; v1 submitted 30 June, 2010;
originally announced June 2010.
