On The Security And Component Design Of Block Ciphers

Block ciphers play fundamental roles in modern cryptography,which has been widely applied in the related field of information security due to its high encryption/decryption speed,easy standardization and excellent soft-ware/hardware performance.In addition to achieving fundamental functions of data encryption,block ciphers can be used as the underlying components to construct hash functions,message authentication codes,pseudo-random number generators,stream ciphers and so on.The research of block cipher can be divided into two branches:crypt-analysis and cipher design.They are united as well as opposite to each other.In terms of cryptanalysis,for block ciphers in the real world,many crypt-analysis(attack)methods have been proposed,the most important of which are differential cryptanalysis and linear cryptanalysis,as well as a series of variants.Others include integral cryptanalysis,algebraic cryptanalysis,meet-in-the-middle attacks,and so on;for abstract models of block ciphers,provable security theory is used in their security evaluation.In terms of cipher design,the designed block cipher is expected to be resistant to all known attacks and to be provable secure;the overall structure as well as the internal components(S-box,P-permutation,round functions,key scheduling algorithm,tweak,etc.)should be taken into consideration.In this paper,in terms of secuirty analysis,we focus on integral crypt-analysis and other variants.As for the design aspect,we study the design of key schedule,the construction and provable security of tweakable block ciphers.More specifically,our contributions include:1.A Propagation Rule of The Division Property in S-boxes.Follow-ing the work pioneered by Todo at CRYPTO 2015,we formalize and prove a more delicate propagation rule of the division property—a generalized integral property that was initially used in the integral cryptanalysis—under the assumption that the S-box's specification is known to attackers.Then,we apply this rule to S-boxes in KECCAK and ASCON with a further study on properties of its algebraic degree.As a result,we improved the propagation characteristic of the division property in the inverse of these S-boxes from D45?D25 to D45?D35.Meanwhile,we find that the decline rate of the division property is gentler for S-boxes with lower product degree.Based on these finding,we suggest a guideline for designing S-boxes in terms of resisting integral cryptanalysis.2.Zero-Sum Distinguishers Based on The Division Property.Zero-sum distinguishers are usually constructed by the degree estimation.In this paper,we consider constructing zero-sum distinguishers in a new direction,which is developed by using the division property.First,combined with the above vulnerable property in Contribution 1,we improve the higher-order differential characteristics against the inverse of KECCAK-f as well as ASCON permutation,reducing the required number of chosen plaintexts.Then,we construct zero-sum distinguishers on full 24-round KECCAK-f of size 21573.To our knowledge,this is currently the best zero-sum distinguish-ers of full-round KECCAK-f permutation.Besides,we give new zero-sum distinguishers on 12-round ASCON permutation with size 2130.3.Analysis and Design of RECTANGLE Key Schedule.We evaluate the security of RECTANGLE from the perspective of actual key information(AKI).By considering the interaction between the key schedule's diffusion and the round function's diffusion,we find there exists AKI insufficiency in 4 consecutive rounds for RECTANGLE-80 and 6 consecutive rounds for RECTANGLE-128.With such weakness of the key schedule,we give a generic meet-in-the-middle attack on 12-round reduced RECTANGLE-128 with only 8 known plaintexts.Finally,we slightly modify the key schedule of RECTANGLE-128.Compared with the original one,this new key schedule matches better with the round function in terms of maximizing AKI.On the other hand,we analyze some variants of RECTANGLE as well as PRESENT.Surprisingly,we find that both RECTANGLE-128 and PRESENT-128 with no key schedule involve more AKI than the original one,which is somewhat counter-intuitive,but indicating that designing block cipher without key scheduling seems to be reasonable.4.Construction of Tweakable Key-Alternating Feistel Ciphers.We consider how to build a tweakable block cipher from the key-alternating feistel(KAF)structure.Our proposed constructions are based on the simplest KAF structures,with tweaks incorporated to the round-key XOR operations by(almost)universal hash functions.Our results are two-fold,depending on the provable security bound.·For the birthday-bound security,we present a 4-round construction with two independent round keys,a single round function and two universal hash functions.·For the beyond-birthday-bound security,we present a 10-round con-struction secure up to O(min{22n/3,(?)})adversarial queries,where n is the input length of underlying round functions and ? is the upper bound of collision probability of the universal hash function.Our security proofs exploit the hybrid argument combined with the H-coefficient technique.This is the first paper on tweaking the key-alternating Feistel construction,to our best knowledge.