Optimally Secure Block Ciphers from Ideal Primitives [chapter]

Stefano Tessaro
2015 Lecture Notes in Computer Science  
Recent advances in block-cipher theory deliver security analyses in models where one or more underlying components (e.g., a function or a permutation) are ideal (i.e., randomly chosen). This paper addresses the question of finding new constructions achieving the highest possible security level under minimal assumptions in such ideal models. We present a new block-cipher construction, derived from the Swap-or-Not construction by Hoang et al. (CRYPTO '12). With n-bit block length, our ... is a secure pseudorandom permutation (PRP) against attackers making 2^(n−O(log n)) block-cipher queries, and 2^(n−O(1)) queries to the underlying component (which has itself domain size roughly n). This security level is nearly optimal. So far, only key-alternating ciphers have been known to achieve comparable security using O(n) independent random permutations. In contrast, we only use a single function or permutation, and still achieve similar efficiency. Our second contribution is a generic method to enhance a block cipher, initially only secure as a PRP, to additionally withstand related-key attacks without substantial loss in terms of concrete security.
doi:10.1007/978-3-662-48800-3_18 fatcat:bffmqpewvrddfpsyghe5jlhyoq