TY - JOUR
T1 - Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem
AU - Dinur, Itai
N1 - Funding Information:
The author would like to thank the anonymous reviewers of EUROCRYPT 2015 and the Journal of Cryptology for their valuable comments that helped improve the presentation of this paper. The author was supported in part by the Israeli Science Foundation through Grant No. 573/16.
Publisher Copyright:
© 2019, International Association for Cryptologic Research.
PY - 2020/7/1
Y1 - 2020/7/1
N2 - The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a κ-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE, PRIDE and MANTIS (presented at ASIACRYPT 2012, CRYPTO 2014 and CRYPTO 2016, respectively). In this paper, we devise new cryptanalytic time–memory–data trade-off attacks on FX-constructions. By fine-tuning the parameters to the recent FX-construction proposals, we show that the security margin of these ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time–memory–data trade-offs, typically applied to stream ciphers, with a cryptanalytic technique by Fouque, Joux and Mavromati. In the final part of the paper, we show that the techniques we use in cryptanalysis of the FX-construction are applicable to additional schemes. In particular, we use related methods in order to devise new time–memory trade-offs for solving the affine equivalence problem. In this problem, the input consists of two functions F, G: {0,1}^n → {0,1}^n, and the goal is to determine whether there exist invertible affine transformations A1, A2 over GF(2)^n such that G = A2 ∘ F ∘ A1.
AB - The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a κ-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE, PRIDE and MANTIS (presented at ASIACRYPT 2012, CRYPTO 2014 and CRYPTO 2016, respectively). In this paper, we devise new cryptanalytic time–memory–data trade-off attacks on FX-constructions. By fine-tuning the parameters to the recent FX-construction proposals, we show that the security margin of these ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time–memory–data trade-offs, typically applied to stream ciphers, with a cryptanalytic technique by Fouque, Joux and Mavromati. In the final part of the paper, we show that the techniques we use in cryptanalysis of the FX-construction are applicable to additional schemes. In particular, we use related methods in order to devise new time–memory trade-offs for solving the affine equivalence problem. In this problem, the input consists of two functions F, G: {0,1}^n → {0,1}^n, and the goal is to determine whether there exist invertible affine transformations A1, A2 over GF(2)^n such that G = A2 ∘ F ∘ A1.
KW - Affine equivalence problem
KW - Block cipher
KW - Cryptanalysis
KW - DESX
KW - FX-construction
KW - MANTIS
KW - PRIDE
KW - PRINCE
KW - Time–memory–data trade-off
UR - http://www.scopus.com/inward/record.url?scp=85073962809&partnerID=8YFLogxK
U2 - 10.1007/s00145-019-09332-0
DO - 10.1007/s00145-019-09332-0
M3 - Article
AN - SCOPUS:85073962809
VL - 33
SP - 874
EP - 909
JO - Journal of Cryptology
JF - Journal of Cryptology
SN - 0933-2790
IS - 3
ER -