
On the Optimal Key Size of the Even-Mansour Cipher in the Random Function Oracle Model

A Method for Optimizing the Key Length of the Even-Mansour Cipher in the Random Oracle Model

  • Jaechul Sung (성재철), Department of Mathematics, University of Seoul
  • Published : 2007.06.30

Abstract

We describe the problem of reducing the key material in the Even-Mansour cipher without security degradation. Even and Mansour proposed a block cipher based on XORing secret key material just prior to and after applying random oracle permutation P such that $C=k_2\bigoplus P(M\bigoplus k_1)$. Recently, Gentry and Ramzan showed that this scheme in the random permutation oracle can be replaced by the four-round Feistel network construction in the random function oracle and also proved that their scheme is super-pseudorandom. In this paper we reduce the key size from 2n to n, which is the optimal key size of Even-Mansour cipher in the random function oracle model and also give almost the same level of security.

This paper addresses how to reduce the key size of the Even-Mansour cipher without weakening its security. Even and Mansour proposed a scheme in the random permutation model that encrypts a plaintext M using a random permutation P and two keys ($C=k_2\bigoplus P(M\bigoplus k_1)$). At ASIACRYPT 2004, Gentry and Ramzan proposed a new model that replaces the random permutation of the Even-Mansour model by a random function using a four-round Feistel structure, and proved its security. In this paper we examine a method for halving the key size required by the Gentry-Ramzan model and prove the security of the proposed method in the random function model.


Ⅰ. Introduction

Luby and Rackoff [7] suggested the formal definitions of pseudorandomness and super-pseudorandomness (or strong pseudorandomness) and also showed a method for constructing a pseudorandom permutation from a pseudorandom function. A block cipher is called pseudorandom if it is indistinguishable from a random permutation under the chosen plaintext attack model. Furthermore, it is called super-pseudorandom if it is indistinguishable from a random permutation under the chosen plaintext and ciphertext attack model.

Even and Mansour [3] proposed a block cipher based on XORing secret key material just prior to and after applying a random oracle permutation P, such that $C = k_2 \oplus P(M \oplus k_1)$, where M is the plaintext, C is the ciphertext, and $k_1, k_2$ are the key materials. In the random permutation oracle model, the permutation P and its inverse are computable by all parties. The only secret components are $k_1$ and $k_2$, which are XORed at the beginning and the end. Except for this key XORing operation, every component is publicly accessible in this model.

In 2004, Gentry and Ramzan gave a formal proof of the Even-Mansour cipher [4]. This implies that the scheme is super-pseudorandom. Furthermore, they replaced the random permutation oracle by a random function oracle, which no longer needs to be bijective. They simply replaced the random permutation P by the four-round Feistel permutation $\Psi(g, f, f, g)$, where $\Psi$ is the Feistel permutation and f, g are random function oracles. We give the formal definitions of these in the following section.

The advantage of the construction of Gentry and Ramzan over that of Even-Mansour is that the random permutation oracle is replaced by the random function model. They also permit public access not only to the inner four-round Feistel permutation oracle $\Psi(g, f, f, g)$ but also to the two random oracles f and g. This model comes from the security notion of [12], which is called round security.

However, in both generic models the key material is required to be $4n$ bits, where the message space is $\{0,1\}^{2n}$ (see Fig. 1). We concentrate on reducing the key size in the random oracle model without security degradation; that is, we want to prove super-pseudorandomness for the constructions of Even-Mansour and Gentry-Ramzan with a reduced key size and no loss of security. Actually, in the full version of [4], they proposed some methods to reduce the key material, as follows:

(Fig. 1) Even-Mansour cipher and its variants

(i) In (b) of Fig. 1, set $k_2 =$ .

(ii) Two key materials are XORed into the right half of the input to the Feistel Networks ((c) of Fig. 1).

(iii) By replacing the XOR operation by other group operations in (c) of Fig. 1, set $= k_2$.

The first two methods still need $2n$-bit key material. The third method, which uses the technique of Patel et al. [11], seems to have an optimal key size. However, it needs group operations other than XOR, which are not bit-wise operations. Can we reduce the key size to n bits without replacing the XOR operation by others?

In this paper we give an answer to this question. We reduce the key size only by replacing $k_2$ by $c \cdot k_1$, where $c\,(\neq 0, 1)$ is a publicly known constant (such as 2 or 3) and $\cdot$ means multiplication in $GF(2^n)$. Multiplication by a fixed constant can be computed with a few shift and XOR operations. In the random function oracle model of the Even-Mansour cipher, our construction has the optimal key size. We also give an explicit proof of our result using almost the same approach as [4].

RELATED WORKS: Luby and Rackoff provided a construction of (super) pseudorandom permutations from pseudorandom functions with the three (four)-round Feistel construction. Later there were many approaches to obtain more efficient constructions of super-pseudorandom permutations than that of Luby and Rackoff. Among them, Naor and Reingold gave a formal model of this construction and simplified its proof of security. In 2000, Ramzan and Reyzin introduced a new security model, which is called round security. In this model, the adversary can access some of the internal round primitives.

ORGANIZATION: In Section 2 we give some preliminary definitions and security notions. In Section 3 we survey the generic model of [4] and its proof technique. In Section 4 we prove that our construction is super-pseudorandom without security degradation in comparison with that of [4], and that this construction has an optimal key size in the random function oracle model of the Even-Mansour cipher.

Ⅱ. Notations and Standard Definitions

For $x \in \{0,1\}^{2n}$, $x_L$ denotes the left n bits of x and $x_R$ the right n bits of x. We denote the set of all functions from $\{0,1\}^n$ to $\{0,1\}^n$ by $F_n$ and the set of all permutations on $\{0,1\}^{2n}$ by $P_{2n}$. For a set S, $s \xleftarrow{R} S$ means the process of picking an element s from S uniformly at random. For two functions f and g, $g \circ f$ denotes the composition of f and g.

We call a function family keyed if every function in it can be specified by a key a. We denote the function given by a as $f_a$. For a given keyed function family, a key can be any string from $\{0,1\}^s$, where s is known as the key length. For a function $f \in F_n$, we define the basic Feistel permutation $\Psi_f$ as $\Psi_f(x_L, x_R) = (x_R, x_L \oplus f(x_R))$. We also define the r-round Feistel permutation $\Psi(f_1, \ldots, f_r) = \Psi_{f_r} \circ \cdots \circ \Psi_{f_1}$.

Let $\Phi$ be a permutation family on $\{0,1\}^{2n}$. We say that $\Phi$ is pseudorandom if it is indistinguishable from $P_{2n}$ when the adversary is allowed adaptive chosen plaintext attacks. Moreover, we say that $\Phi$ is super-pseudorandom if it is indistinguishable from $P_{2n}$ when the adversary is allowed adaptive chosen plaintext and ciphertext attacks. In this paper we only consider super-pseudorandomness. Other definitions and notations follow those of [1, 4]. In the general super-pseudorandomness attack model, the adversary has two oracles: the forward direction of the permutation and the backward direction of the permutation. The adversary A is a program for a RAM (Random Access Machine) with black-box access to these two oracles. We assume that the adversary's computational power is unlimited, but the total number of oracle calls is limited to q. After making at most q queries to the oracles, A outputs 0 or 1.

Now let us define the advantage of the adversary in the general super-pseudorandomness attack model.

[Definition 1] (SPRP)

Let $\Phi$ be a permutation family on $\{0,1\}^{2n}$. For an adversary A with two oracles, we define A's advantage as follows:

$\mathrm{Adv}^{sprp}_{\Phi}(A) = \left| \Pr[\phi \xleftarrow{R} \Phi : A^{\phi, \phi^{-1}} = 1] - \Pr[\rho \xleftarrow{R} P_{2n} : A^{\rho, \rho^{-1}} = 1] \right|.$

For any integers $q, t\,(> 0)$, we define $\mathrm{Adv}^{sprp}_{\Phi}(q, t) = \max_A \mathrm{Adv}^{sprp}_{\Phi}(A)$ as an insecurity function, where the maximum is taken over choices of adversary A such that A makes at most q oracle queries, and the running time of A, plus the time necessary to select $\phi \xleftarrow{R} \Phi$ and answer A's queries, is at most t.

The notion of round security [12] is an extension of the general definition of pseudorandomness. Let $\Phi, \Phi^1, \ldots, \Phi^r$ be permutation families on $\{0,1\}^{2n}$ such that for a function $\phi \in \Phi$, $\phi = \phi^r \circ \cdots \circ \phi^1$ with $\phi^i \in \Phi^i$. Then $\Phi^1, \ldots, \Phi^r$ is called an r-round decomposition for $\Phi$. The adversary A is a program for a RAM (Random Access Machine) with black-box access to r+2 oracles. In this model the adversary can access the r round oracles $\phi^1, \ldots, \phi^r$ and the two oracles $\phi, \phi^{-1}$. Since we consider the Even-Mansour cipher in the random function oracle model, we do not consider the $i \to j$ access of [12], which means being able to give inputs to round i of the forward direction of a block cipher and view outputs after round j. We simplify the definition of [12].

[Definition 2] (Round Security)

Let $\Phi$ be a permutation family on $\{0,1\}^{2n}$ with r-round decomposition $\Phi^1, \ldots, \Phi^r$. For an adversary A with (r+2) oracles, we define A's advantage as follows:

#

For any integers $q, t\,(> 0)$, we define $\mathrm{Adv}^{sprp}_{\Phi}(q, t)$ as our insecurity function, analogously to Definition 1.

Ⅲ. Gentry-Ramzan's Generic Model vs. Ours

In this section we briefly review the framework of [4, 12]. We denote by $\Psi^{k_1,k_2}_{g,f}$ the Gentry-Ramzan construction in which the internal permutation is replaced by a four-round Feistel network with outer round function g and inner round function f, i.e.,

$\Psi^{k_1,k_2}_{g,f}(x) = k_2 \oplus \Psi(g, f, f, g)(x \oplus k_1),$

where $k_1, k_2$ are the key materials and f, g are modeled as random function oracles.

The main theorem of Gentry and Ramzan in the round-security model is as follows.

[Theorem 1] [4]

Let f and g be modeled as random function oracles, and let $k_1$ and $k_2$ be picked randomly and independently from $\{0,1\}^{2n}$. Let $\Psi^{k_1,k_2}_{g,f} = k_2 \oplus \Psi(g, f, f, g)(\cdot \oplus k_1)$, and let R be a random element of $P_{2n}$. Then, for any four-oracle adversary A that makes at most $q_c$ queries to its first two oracles (either $\Psi, \Psi^{-1}$ or $R, R^{-1}$) and at most $q_f$ and $q_g$ queries to its f and g oracles respectively, it follows that:

#

Although the theorem is true as stated, its upper bound can be improved. The upper bound can be replaced by the following:

#

Let $x = (x_L, x_R)$ be in $\{0,1\}^{2n}$ and let k be a key in $\{0,1\}^n$. Let $\Psi^{k_1,k_2}_{g,f}$ be the generic Gentry-Ramzan construction. Then our modification can be defined as follows:

#

where $c\,(\neq 0, 1)$ is a fixed, publicly known constant and $\cdot$ means multiplication in $GF(2^n)$ (see Fig. 1). Then we have the following main result.

[Theorem 2] (Main Result)

Let f and g be modeled as random function oracles, and let k be picked randomly and independently from $\{0,1\}^n$. Let $\Psi^{k}_{g,f}$ denote our construction defined above, and let R be a random element of $P_{2n}$. Then, for any four-oracle adversary A that makes at most $q_c$ queries to its first two oracles (either $\Psi^k, (\Psi^k)^{-1}$ or $R, R^{-1}$) and at most $q_f$ and $q_g$ queries to its f and g oracles respectively, it follows that: $\left| \Pr[A^{\Psi^k, (\Psi^k)^{-1}, f, g} = 1] - \Pr[A^{R, R^{-1}, f, g} = 1] \right|$

#

Our upper bound is the same as the previous one, even though we use only one fourth of the key material of the Gentry-Ramzan construction. We think that this key size is optimal in the random function model of the Even-Mansour cipher. This result also reduces the sizable gap between the best known key-recovery attack and the security bound above.

Ⅳ. Proof of the Main Results

Our construction is almost the same as that of Gentry-Ramzan except for the key materials. Therefore, we can directly apply the proof framework of [4] to our construction. The only different part is the definition of the BAD events and their probabilities. To begin with, let P be the permutation oracle, which is either $\Psi$ or R. Let $O_f$ and $O_g$ be the oracles that compute the functions f and g, respectively. The adversary A can make two types of queries to the oracle P: $(+, x)$, which asks to obtain the value $P(x)$, and $(-, y)$, which asks to obtain the value $P^{-1}(y)$, where $x, y \in \{0,1\}^{2n}$. These are called the cipher queries. We assume that A makes $q_c$ cipher queries, recorded as $\{\langle x_1, y_1 \rangle, \ldots, \langle x_{q_c}, y_{q_c} \rangle\}_P$. We also denote the oracle queries to f and g as $(O_f, x')$ and $(O_g, x'')$, which ask to obtain $f(x')$ and $g(x'')$ respectively, where $x', x'' \in \{0,1\}^n$. Let $\{\langle x'_1, y'_1 \rangle, \ldots, \langle x'_{q_f}, y'_{q_f} \rangle\}_{O_f}$ be the f-oracle transcript of A and $\{\langle x''_1, y''_1 \rangle, \ldots, \langle x''_{q_g}, y''_{q_g} \rangle\}_{O_g}$ be the g-oracle transcript of A. For the formal definitions, see [4, 8].

We denote the $(i+j+k+1)$th query A makes as a function of the first $(i+j+k)$ query-answer pairs in A's cipher and oracle transcripts by

where $T_P = \{\langle x_1, y_1 \rangle, \ldots, \langle x_i, y_i \rangle\}_P$, $T_f = \{\langle x'_1, y'_1 \rangle, \ldots, \langle x'_j, y'_j \rangle\}_{O_f}$, $T_g = \{\langle x''_1, y''_1 \rangle, \ldots, \langle x''_k, y''_k \rangle\}_{O_g}$, and either $i < q_c$, $j < q_f$ or $k < q_g$.

Let $\Psi'$ denote the process in which the cipher queries and f-oracle queries are answered as they would be by $\Psi$, but the g-oracle queries are answered by another, independent random function oracle h. Furthermore, let $\tilde{R}$ denote the process that answers all oracle queries as $\Psi$ would, but answers the i-th cipher query of A as follows:

1. If A's query is $(+, x_i)$ and for some $1 \le j < i$ the j-th query-answer pair is $\langle x_i, y_j \rangle$, then $\tilde{R}$ answers $y_j$.

2. If A's query is $(-, y_i)$ and for some $1 \le j < i$ the j-th query-answer pair is $\langle x_j, y_i \rangle$, then $\tilde{R}$ answers $x_j$.

3. If neither of the above happens, then $\tilde{R}$ answers with a uniformly chosen element of $\{0,1\}^{2n}$. Note that $\tilde{R}$ may be inconsistent. However, if $\tilde{R}$ is consistent, it behaves the same as R, which is uniformly chosen from the set of random permutations. Now we give the formal definitions of these.

[Definition 3] Let $\sigma = \{\langle x_1, y_1 \rangle, \ldots, \langle x_{q_c}, y_{q_c} \rangle\}_P$ be any A-cipher transcript. Then we say that $\sigma$ is inconsistent if for some $1 \le j < i \le q_c$ the corresponding query-answer pairs satisfy $x_i = x_j$ but $y_i \neq y_j$, or $x_i \neq x_j$ but $y_i = y_j$. Otherwise $\sigma$ is consistent.

[Definition 4] The random variables $T_\Psi$, $T_{\Psi'}$, $T_{\tilde R}$ and $T_R$ denote the cipher and oracle transcripts seen by A when its cipher queries are answered by $\Psi$, $\Psi'$, $\tilde{R}$ and R respectively, and its oracle queries are answered by $O_f$ and $O_g$.

Using the above definitions and the definition of $C_A$, we see that $A^{\Psi^k, (\Psi^k)^{-1}, f, g}$ and $C_A(T_\Psi)$ denote the same random variable. The same is true for the other random variables. Then we have the following.

[Proposition 1]

$\left| \Pr[C_A(T_{\tilde R}) = 1] - \Pr[C_A(T_R) = 1] \right| \le \binom{q_c}{2} \cdot 2^{-2n}.$

The proof of the proposition can be found in [4, 8]. Now we want an upper bound on the advantage of A in distinguishing between $T_\Psi$ and $T_{\Psi'}$.
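To make the process $\tilde{R}$, the consistency notion of Definition 3 and the Proposition 1 bound concrete, here is an added Python example; it is not code from the paper or from Gentry-Ramzan. It simulates $\tilde{R}$ (memorised answers for repeated queries, a fresh uniform $2n$-bit string otherwise), checks a cipher transcript for consistency, and compares the empirical inconsistency rate with the union bound $\binom{q_c}{2} \cdot 2^{-2n}$. The toy parameters n = 4, q = 16, the trial count and the seeds are assumptions of the example.

```python
import random
from itertools import combinations


def is_consistent(transcript):
    """Definition 3: [(x_i, y_i), ...] is inconsistent if two pairs agree on x but not on y,
    or agree on y but not on x; any other transcript is consistent."""
    for (xi, yi), (xj, yj) in combinations(transcript, 2):
        if (xi == xj) != (yi == yj):
            return False
    return True


class RTilde:
    """The process R~ of the proof: repeated queries are answered from memory, every other
    query gets a fresh uniform 2n-bit string, which may make the transcript inconsistent."""
    def __init__(self, n, rng):
        self.bits, self.rng, self.pairs = 2 * n, rng, []

    def query(self, direction, v):
        for x, y in self.pairs:                 # rules 1 and 2: reuse an earlier pair
            if direction == "+" and x == v:
                return y
            if direction == "-" and y == v:
                return x
        ans = self.rng.getrandbits(self.bits)   # rule 3: fresh uniform answer, no collision check
        self.pairs.append((v, ans) if direction == "+" else (ans, v))
        return ans


def consistent_replay(n=4, seed=0):
    """Check rules 1 and 2: a repeated forward query and the matching inverse query
    return exactly what was recorded for the first query."""
    r = RTilde(n, random.Random(seed))
    y = r.query("+", 5)
    return r.query("+", 5) == y and r.query("-", y) == 5


def inconsistency_rate(n, q, trials, seed=1):
    """Estimate Pr[T_R~ is inconsistent] for q forward queries on the distinct plaintexts 0..q-1
    (constructed input: with distinct x's only a collision among the answers can break consistency)."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        r = RTilde(n, rng)
        for x in range(q):
            r.query("+", x)
        if not is_consistent(r.pairs):
            bad += 1
    return bad / trials


def proposition1_bound(n, q):
    """The C(q_c, 2) * 2^(-2n) term: a union bound over the pairs of queries that may collide."""
    return q * (q - 1) / 2 * 2.0 ** (-2 * n)


if __name__ == "__main__":
    print(inconsistency_rate(4, 16, 2000), "vs bound", proposition1_bound(4, 16))
```

At the toy size the empirical rate (about 0.38 for n = 4, q = 16) sits below the union bound of 0.469, as expected; at a realistic n the same term is negligible, which is why Proposition 1 contributes only the $2^{-2n}$ part of the final sum in the proof.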

[Definition 5] For any $k \in \{0,1\}^n$, we define $\mathrm{BAD}(k)$ to be the set of all possible and consistent transcripts $\sigma = (T_P, T_f, T_g)$, with $T_P = \{\langle x_1, y_1 \rangle, \ldots, \langle x_{q_c}, y_{q_c} \rangle\}_P$, $T_f = \{\langle x'_1, y'_1 \rangle, \ldots, \langle x'_{q_f}, y'_{q_f} \rangle\}_{O_f}$ and $T_g = \{\langle x''_1, y''_1 \rangle, \ldots, \langle x''_{q_g}, y''_{q_g} \rangle\}_{O_g}$, satisfying at least one of the following events:

  • BG1: there exist $1 \le i \le q_c$ and $1 \le j \le q_g$ s.t. $x_i^R \oplus k = x''_j$, or

  • BG2: there exist $1 \le i \le q_c$ and $1 \le j \le q_g$ s.t. $y_i^L \oplus c \cdot k = x''_j$.

[Proposition 2] Let k be randomly chosen from $\{0,1\}^n$. Then, for any possible and consistent A-transcript $\sigma = (T_P, T_f, T_g)$, with $T_P = \{\langle x_1, y_1 \rangle, \ldots, \langle x_{q_c}, y_{q_c} \rangle\}_P$, $T_f = \{\langle x'_1, y'_1 \rangle, \ldots, \langle x'_{q_f}, y'_{q_f} \rangle\}_{O_f}$ and $T_g = \{\langle x''_1, y''_1 \rangle, \ldots, \langle x''_{q_g}, y''_{q_g} \rangle\}_{O_g}$, we have the following:

$\Pr_k[\sigma \in \mathrm{BAD}(k)] \le 2 q_c q_g \cdot 2^{-n}.$

Proof. Since k is randomly chosen from $\{0,1\}^n$, for any fixed i and j, each of BG1 and BG2 happens with probability $2^{-n}$. Summing over the $q_c q_g$ pairs for each event gives the result directly.

Using the above proposition, we can now show that $T_\Psi$ and $T_{\Psi'}$ are identically distributed if the event $\mathrm{BAD}(k)$ does not happen.

[Lemma 1] Let $\sigma$ be any possible and consistent transcript as defined in Proposition 2. Then we have the following:

$\Pr_k[T_\Psi = \sigma \mid \sigma \notin \mathrm{BAD}(k)] = \Pr[T_{\Psi'} = \sigma].$

The proof of this lemma is identical to that of [4]. Now, in order to bound the advantage of A in distinguishing between $T_{\Psi'}$ and $T_{\tilde R}$, we need to define another bad event $\mathrm{BAD}(k, g)$.

[Definition 6] For any $k \in \{0,1\}^n$ and random function oracle g, we define $\mathrm{BAD}(k, g)$ to be the set of all possible and consistent transcripts $\sigma = (T_P, T_f, T_g)$, with $T_P = \{\langle x_1, y_1 \rangle, \ldots, \langle x_{q_c}, y_{q_c} \rangle\}_P$, $T_f = \{\langle x'_1, y'_1 \rangle, \ldots, \langle x'_{q_f}, y'_{q_f} \rangle\}_{O_f}$ and $T_g = \{\langle x''_1, y''_1 \rangle, \ldots, \langle x''_{q_g}, y''_{q_g} \rangle\}_{O_g}$, satisfying at least one of the following events:

  • B1: there exist $1 \le i < j \le q_c$ s.t. $g(x_i^R \oplus k) \oplus x_i^L = g(x_j^R \oplus k) \oplus x_j^L$, or

  • B2: there exist $1 \le i < j \le q_c$ s.t. $y_i^R \oplus g(y_i^L \oplus c \cdot k) = y_j^R \oplus g(y_j^L \oplus c \cdot k)$, or

  • B3: there exist $1 \le i, j \le q_c$ s.t. $g(x_i^R \oplus k) \oplus x_i^L = y_j^R \oplus g(y_j^L \oplus c \cdot k)$, or

  • B4: there exist $1 \le i \le q_c$ and $1 \le j \le q_f$ s.t. $g(x_i^R \oplus k) \oplus x_i^L = x'_j$, or

  • B5: there exist $1 \le i \le q_c$ and $1 \le j \le q_f$ s.t. $y_i^R \oplus g(y_i^L \oplus c \cdot k) = x'_j$.

[Proposition 3] Let k be randomly chosen from $\{0,1\}^n$. Then, for any possible and consistent A-transcript $\sigma = (T_P, T_f, T_g)$, with $T_P = \{\langle x_1, y_1 \rangle, \ldots, \langle x_{q_c}, y_{q_c} \rangle\}_P$, $T_f = \{\langle x'_1, y'_1 \rangle, \ldots, \langle x'_{q_f}, y'_{q_f} \rangle\}_{O_f}$ and $T_g = \{\langle x''_1, y''_1 \rangle, \ldots, \langle x''_{q_g}, y''_{q_g} \rangle\}_{O_g}$, we have the following:

$\Pr_{k,g}[\sigma \in \mathrm{BAD}(k, g)] \le \left( 2\binom{q_c}{2} + q_c^2 + 2 q_c q_f \right) \cdot 2^{-n}.$

Proof. For each of B1 and B2, the probability is bounded by $\binom{q_c}{2} \cdot 2^{-n}$, since k is randomly chosen from $\{0,1\}^n$. Similarly, for each of B4 and B5, the probability is bounded by $q_c q_f \cdot 2^{-n}$, since k is randomly chosen from $\{0,1\}^n$. For the case of B3, since k is randomly chosen from $\{0,1\}^n$ and $c \neq 1$, the two functions $g(x \oplus k)$ and $g(x \oplus c \cdot k)$ cannot be distinguished, so the probability is bounded by $q_c^2 \cdot 2^{-n}$.
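The following Python is an added example and not code from the paper or from Gentry-Ramzan; it serves both the single-key construction of Section III and the bad events of Definitions 5 and 6. Every concrete choice in it is an assumption of the example: the toy size n = 8 with the AES polynomial for $GF(2^8)$ (the paper leaves n general); the placement of k in the right half of the input and $c \cdot k$ in the left half of the output (Fig. 1 is not reproduced in the text); dictionaries sampled on demand standing in for the random function oracles f and g; and the sample plaintexts and the g-query of the "curious" adversary. It goes slightly beyond the text by evaluating all seven events on one transcript rather than describing them one at a time.

```python
import random

N = 8                  # n = 8 bits per half (toy size, an assumption): the block is 2n = 16 bits
MASK = (1 << N) - 1
POLY = 0x11B           # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial of the AES field GF(2^8)


def gf_mul(a, b):
    """Multiplication in GF(2^n) by shift-and-XOR; with a fixed constant c this is the
    'shift operations and XOR operations' the paper relies on."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:                 # reduce modulo POLY once the degree reaches n
            a ^= POLY
        b >>= 1
    return r & MASK


class RandomFunction:
    """Lazily sampled random function oracle {0,1}^n -> {0,1}^n, standing in for f or g."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N)
        return self.table[x]


def feistel(rounds, l, r):
    """Psi(f_1, ..., f_r): each round maps (L, R) -> (R, L xor f_i(R))."""
    for fn in rounds:
        l, r = r, l ^ fn(r)
    return l, r


def feistel_inv(rounds, l, r):
    """Inverse of feistel(): undo the rounds in reverse order."""
    for fn in reversed(rounds):
        l, r = r ^ fn(l), l
    return l, r


class ReducedKeyCipher:
    """Single-key variant of the Gentry-Ramzan construction: Psi(g, f, f, g) with the n-bit key k
    XORed into the right half of the input and c*k into the left half of the output.
    That key placement is an assumption of this example (the figure is not in the text)."""
    def __init__(self, f, g, k, c=2):
        assert c not in (0, 1)     # the paper requires c != 0, 1
        self.f, self.g, self.k, self.ck = f, g, k & MASK, gf_mul(c, k & MASK)
        self.rounds = (g, f, f, g)

    def encrypt(self, xl, xr):
        yl, yr = feistel(self.rounds, xl, xr ^ self.k)
        return yl ^ self.ck, yr

    def decrypt(self, yl, yr):
        xl, xr = feistel_inv(self.rounds, yl ^ self.ck, yr)
        return xl, xr ^ self.k


def bad_events(cipher, cipher_t, f_queries, g_queries):
    """Evaluate the bad events of Definitions 5 and 6 on a transcript.

    cipher_t is a list of (xl, xr, yl, yr) cipher query-answer pairs; f_queries and g_queries are
    the adversary's direct oracle inputs. Returns the names of the events that occur."""
    g, k, ck = cipher.g, cipher.k, cipher.ck
    r1 = [g(xr ^ k) ^ xl for xl, xr, yl, yr in cipher_t]    # input of the round-2 f
    r2 = [yr ^ g(yl ^ ck) for xl, xr, yl, yr in cipher_t]   # input of the round-3 f
    hit = set()
    for i, (xl, xr, yl, yr) in enumerate(cipher_t):
        if xr ^ k in g_queries:  hit.add("BG1")   # adversary asked g its round-1 input
        if yl ^ ck in g_queries: hit.add("BG2")   # ... or its round-4 input
        if r1[i] in f_queries:   hit.add("B4")    # adversary asked f a round-2 input
        if r2[i] in f_queries:   hit.add("B5")    # ... or a round-3 input
        for j in range(len(cipher_t)):
            if i < j and r1[i] == r1[j]: hit.add("B1")   # two queries share a round-2 f input
            if i < j and r2[i] == r2[j]: hit.add("B2")   # ... or a round-3 f input
            if r1[i] == r2[j]:           hit.add("B3")   # a round-2 input equals a round-3 input
    return hit


def demo(seed=7):
    """Constructed run: encrypt three plaintexts, check decryption, and evaluate the bad events
    for an adversary that asks g exactly the round-1 input of the first query, and for one that
    makes no oracle queries at all."""
    rng = random.Random(seed)
    f, g = RandomFunction(rng), RandomFunction(rng)
    cipher = ReducedKeyCipher(f, g, k=rng.getrandbits(N), c=2)
    plaintexts = [(0x12, 0x34), (0x12, 0x35), (0xAB, 0xCD)]          # constructed sample input
    cipher_t = []
    for xl, xr in plaintexts:
        yl, yr = cipher.encrypt(xl, xr)
        assert cipher.decrypt(yl, yr) == (xl, xr)
        cipher_t.append((xl, xr, yl, yr))
    curious = {plaintexts[0][1] ^ cipher.k}                           # the g-query that triggers BG1
    return bad_events(cipher, cipher_t, set(), curious), bad_events(cipher, cipher_t, set(), set())


if __name__ == "__main__":
    print(demo())
```

The checker makes the structure of the proof visible: BG1, BG2, B4 and B5 can only fire if the adversary's own oracle queries land on an internal round input, which the random n-bit key hides, while B1, B2 and B3 are collisions among the cipher queries themselves; B3 is the event that depends on $c \neq 1$, since with $c = 1$ the round-1 and round-4 inputs would be masked by the same value.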

Furthermore, if $\mathrm{BAD}(k, g)$ does not happen, then $T_{\Psi'}$ and $T_{\tilde R}$ are identically distributed. So we have the following lemma.

[Lemma 2] Let $\sigma$ be any possible and consistent transcript as defined in Proposition 3. Then

$\Pr_{k,g}[T_{\Psi'} = \sigma \mid \sigma \notin \mathrm{BAD}(k, g)] = \Pr[T_{\tilde R} = \sigma].$

With the above lemma, the rest of the proof of our construction follows that of Gentry-Ramzan identically. The following is a brief summary of our proof.

$$
\begin{aligned}
&\left| \Pr[A^{\Psi^k, (\Psi^k)^{-1}, f, g} = 1] - \Pr[A^{R, R^{-1}, f, g} = 1] \right| = \left| \Pr[C_A(T_\Psi) = 1] - \Pr[C_A(T_R) = 1] \right| \\
&\le \left| \Pr[C_A(T_\Psi) = 1] - \Pr[C_A(T_{\Psi'}) = 1] \right| + \left| \Pr[C_A(T_{\Psi'}) = 1] - \Pr[C_A(T_{\tilde R}) = 1] \right| + \left| \Pr[C_A(T_{\tilde R}) = 1] - \Pr[C_A(T_R) = 1] \right| \\
&\le \Pr_k[\sigma \in \mathrm{BAD}(k)] + \Pr_{k,g}[\sigma \in \mathrm{BAD}(k, g)] + 2 \binom{q_c}{2} \cdot 2^{-2n} \\
&\le 2 q_c q_g \cdot 2^{-n} + \left( q_c^2 + 2 q_c q_f + 2 \binom{q_c}{2} \right) \cdot 2^{-n} + 2 \binom{q_c}{2} \cdot 2^{-2n} \\
&\le \left( 2 q_c^2 + 2 q_c q_f + 2 q_c q_g - q_c + (q_c^2 - q_c)\, 2^{-n} \right) \cdot 2^{-n}.
\end{aligned}
$$

This completes the proof of our main theorem. So we have proved that our construction is as secure as that of Gentry-Ramzan.

Ⅴ. Conclusion

We considered how to reduce the key size of the Even-Mansour cipher in the random function model. Compared with the generic model of Gentry and Ramzan, we reduce the key size from 4n to n, which is the optimal key size of the Even-Mansour cipher in the random function oracle model. This work also reduces the sizable gap between the best known key-recovery attack and the security bound for the Even-Mansour cipher.

References

  1. M. Bellare, J. Kilian, and P. Rogaway, 'The Security of Cipher Block Chaining,' Advances in Cryptology - CRYPTO'94, LNCS 839, Springer-Verlag, pp. 341-358, 1994
  2. M. Bellare and P. Rogaway, 'Random Oracles are Practical : A Paradigm for Designing Efficient Protocols,' First ACM Conference on Computer and Communications Security, Fairfax, pp. 62-73, 1993
  3. S. Even and Y. Mansour, 'A Construction of a Cipher from a Single Pseudorandom Permutation,' Journal of Cryptology, vol. 10, no. 3, pp. 151-162, 1997 https://doi.org/10.1007/s001459900025
  4. S. Even and Y. Mansour, 'A Construction of a Cipher from a Single Pseudorandom Permutation,' Earlier version in ASIACRYPT'91, LNCS 739, Springer-Verlag, pp. 210-224, 1991
  5. C. Gentry and Z. Ramzan, 'Eliminating Random Permutation Oracles in the Even-Mansour Cipher,' Advances in Cryptology - ASIACRYPT 2004, LNCS 3329, Springer-Verlag, pp. 32-47, 2004. The full version is available in the IACR Cryptology ePrint Archive (or from the authors), 2004
  6. T. Iwata and K. Kurosawa, 'How to Re-use Round Function in Super-Pseudorandom Permutation,' The 9th Australasian Conference on Information Security and Privacy (ACISP 2004), LNCS 3108, Springer-Verlag, pp. 224-235, 2004
  7. T. Iwata, T. Yoshino, and K. Kurosawa, 'Noncryptographic Primitive for Pseudorandom Permutation,' The 9th Fast Software Encryption Workshop (FSE 2002), LNCS 2365, Springer-Verlag, pp. 149-163, 2004
  8. M. Luby and C. Rackoff, 'How to Construct Pseudorandom Permutations from Pseudorandom Functions,' SIAM J. Comput., vol. 17, pp. 373-386, 1988 https://doi.org/10.1137/0217022
  9. M. Naor and O. Reingold, 'On the Construction of Pseudorandom Permutations : Luby-Rackoff Revisited,' Journal of Cryptology, vol. 12, pp. 29-66, 1999 https://doi.org/10.1007/PL00003817
  10. J. Patarin, ' New Results of Pseudorandom Permutation Generators based on the DES Scheme,' Advances in Cryptology - CRYPTO'91, LNCS 576, Springer-Verlag, pp. 301-312, 1991
  11. J. Patarin, 'How to Construct Pseudorandom and Super Pseudorandom Permutations from One Single Pseudorandom Function,' Advances in Cryptology - EUROCRYPT'92, LNCS 658, Springer-Verlag, pp. 256-266, 1992
  12. S. Patel, Z. Ramzan, and G. S. Sundaram, 'Luby-Rackoff Ciphers : Why XOR is not Exclusive,' Selected Areas in Cryptography: 9th Annual International Workshop(SAC 2002), LNCS 2595, Springer-Verlag, pp. 271-290, 2002
  13. Z. Ramzan and L. Reyzin, 'On the Round Security of Symmetric-Key Cryptographic Primitives,' Advances in Cryptology - CRYPTO 2000, LNCS 1880, Springer-Verlag, pp. 376-393, 2000