Publication
Featured research published by Kazuhiko Minematsu.
Fast Software Encryption | 2010
Tomoyasu Suzaki; Kazuhiko Minematsu
The generalized Feistel structure (GFS) is a generalized form of the classical Feistel cipher. A popular version of GFS, called Type-II, divides a message into k > 2 sub-blocks, applies a (classical) Feistel transformation to every two sub-blocks, and then performs a cyclic shift of the k sub-blocks. Type-II GFS has many desirable features for implementation. A drawback, however, is its low diffusion with a large k. This weakness can be exploited by some attacks, such as the impossible differential attack. To protect against them, Type-II GFS generally needs a large number of rounds. In this paper, we improve the diffusion property of Type-II GFS by replacing the cyclic shift with a different permutation. Our proposal makes it possible to reduce the number of rounds needed to attain a sufficient level of security, and thus improves the security-efficiency trade-off of Type-II GFS. In particular, when k is a power of two, we obtain a significant improvement using a highly effective permutation based on the de Bruijn graph.
International Conference on Selected Areas in Cryptography | 2012
Tomoyasu Suzaki; Kazuhiko Minematsu; Sumio Morioka; Eita Kobayashi
This paper presents a 64-bit lightweight block cipher TWINE supporting 80- and 128-bit keys. TWINE realizes quite a small hardware implementation, similar to previous lightweight block cipher proposals, yet enables efficient software implementations on various CPUs, from micro-controllers to high-end CPUs. This characteristic is obtained by the use of a generalized Feistel combined with an improved block shuffle, introduced at FSE 2010.
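The diffusion argument of the FSE 2010 abstract above, and the block shuffle that the TWINE abstract says it borrows from that work, can be checked directly. The following is an added example (not code from either paper or from the TWINE project): it tracks, for every sub-block position, which input blocks that position depends on, and counts rounds until every output block depends on every input block, in both the encryption direction and the decryption direction (the worst case of the two is what the FSE 2010 paper calls DRmax). The round model is the Type-II GFS as described above (each odd block absorbs F of the even block before it, then the blocks are shuffled); the 16-block shuffle table is transcribed from the TWINE specification and should be verified against it before reuse.

```python
"""Diffusion rounds of a Type-II generalized Feistel structure (GFS).

Added example, not code from the papers above. Model: k sub-blocks; one round
XORs F(x[2j]) into x[2j+1] for every pair, then moves the block at position j
to position pi[j]. We track per position the set of input blocks it depends
on (as a bitmask) and count rounds until every position depends on all of them.
"""


def _gfs_round(deps, pi):
    k = len(deps)
    mixed = list(deps)
    for j in range(0, k, 2):          # Feistel step: odd block absorbs F(even block)
        mixed[j + 1] |= mixed[j]
    out = [0] * k
    for j in range(k):                # block shuffle: position j -> pi[j]
        out[pi[j]] = mixed[j]
    return out


def diffusion_rounds(pi, limit=64):
    """Rounds until every output block depends on every input block, or None."""
    k = len(pi)
    full = (1 << k) - 1
    deps = [1 << i for i in range(k)]
    for r in range(1, limit + 1):
        deps = _gfs_round(deps, pi)
        if all(d == full for d in deps):
            return r
    return None                       # e.g. the identity shuffle never diffuses


def inverse(pi):
    inv = [0] * len(pi)
    for j, p in enumerate(pi):
        inv[p] = j
    return inv


def dr_max(pi):
    """Worst case over the encryption direction (pi) and decryption direction (pi^-1)."""
    fwd, bwd = diffusion_rounds(pi), diffusion_rounds(inverse(pi))
    if fwd is None or bwd is None:
        return None
    return max(fwd, bwd)


def is_even_odd(pi):
    """True if pi swaps parity, so every F output lands on an F input in the next round."""
    return all((j + pi[j]) % 2 == 1 for j in range(len(pi)))


def cyclic_shift(k):
    """Classic Type-II GFS shuffle: the block at j moves to j-1 (output i is input i+1)."""
    return [(j - 1) % k for j in range(k)]


# TWINE's 16-block shuffle, transcribed from the TWINE specification (verify against it).
TWINE_PI = [5, 0, 1, 4, 7, 12, 3, 8, 13, 6, 9, 2, 15, 10, 11, 14]


if __name__ == "__main__":
    for k in (4, 8, 16):
        print(f"k={k:2d} cyclic shift : DRmax = {dr_max(cyclic_shift(k))}")
    print(f"k=16 TWINE shuffle: DRmax = {dr_max(TWINE_PI)}, even-odd = {is_even_odd(TWINE_PI)}")
```

Run as a script it reports DRmax = k for the cyclic shift (4, 8 and 16 rounds) and 8 rounds for the 16-block TWINE shuffle, which is the diffusion improvement the abstract describes. The bitmask model only captures which blocks can influence which; it says nothing about the strength of F, so it is a necessary condition for security, not a sufficient one.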
Fast Software Encryption | 2009
Kazuhiko Minematsu
This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2^(n/2) queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks if the underlying tweakable block cipher is also secure against birthday attacks. We also study how to build such tweakable block ciphers from ordinary block ciphers, which may be of independent interest.
Theory and Application of Cryptographic Techniques | 2014
Kazuhiko Minematsu
This paper proposes a new scheme for authenticated encryption (AE), which is typically realized as a blockcipher mode of operation. The proposed scheme has attractive features for fast and compact operation. When it is realized with a blockcipher, it requires one blockcipher call to process one input block (i.e. rate-1), and uses the encryption function of the blockcipher for both encryption and decryption. Moreover, the scheme enables one-pass, parallel operation under a two-block partition. The proposed scheme thus attains characteristics similar to those of the seminal OCB mode, without using the inverse blockcipher. The key idea of our proposal is a novel usage of a two-round Feistel permutation, where the round functions are derived from the theory of tweakable blockciphers. We also provide basic software results, and describe some ideas on using a non-invertible primitive, such as a keyed hash function.
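The two-round Feistel idea named in the abstract above, as an added example that is not the paper's scheme: each pair of message blocks (M1, M2) goes through two Feistel rounds whose round function is a tweakable primitive evaluated in the forward direction only, so decryption also needs only the forward direction, the pairs are independent of each other (one pass, parallel), and each block costs one primitive call (rate-1). The tweakable primitive is a stand-in chosen for being in the standard library (HMAC-SHA256 truncated to 16 bytes, keyed, tweaked by nonce, pair index and round number), which also matches the abstract's remark about non-invertible primitives; the paper's masking, handling of a trailing partial pair and tag generation are not reproduced, and the key, nonce and message below are constructed sample values.

```python
"""Two-round Feistel over a block pair with encryption-only tweakable round functions.

Added example of the idea named in the abstract above; it is not the paper's
scheme. Each pair (M1, M2) goes through two Feistel rounds whose round function
is a tweakable primitive evaluated in the forward direction only, so decryption
also needs only the forward direction. The primitive here is a stand-in:
HMAC-SHA256 truncated to 16 bytes, keyed, tweaked by (nonce, pair index, round).
Masking, padding of a trailing partial pair and tag generation are not shown.
"""
import hashlib
import hmac
import struct

BLOCK = 16
CALLS = [0]                      # number of primitive evaluations (to check rate-1)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def trf(key, nonce, pair_index, rnd, block):
    """Tweakable round function F_K(tweak, block); forward direction only."""
    CALLS[0] += 1
    tweak = nonce + struct.pack(">QB", pair_index, rnd)
    return hmac.new(key, tweak + block, hashlib.sha256).digest()[:BLOCK]


def encrypt_pair(key, nonce, i, m1, m2):
    c1 = xor(trf(key, nonce, i, 1, m1), m2)   # round 1: F(M1) masks M2
    c2 = xor(trf(key, nonce, i, 2, c1), m1)   # round 2: F(C1) masks M1
    return c1, c2


def decrypt_pair(key, nonce, i, c1, c2):
    m1 = xor(trf(key, nonce, i, 2, c1), c2)   # undo round 2: same forward F on C1
    m2 = xor(trf(key, nonce, i, 1, m1), c1)   # undo round 1: same forward F on M1
    return m1, m2


def _pairs(data):
    if len(data) % (2 * BLOCK):
        raise ValueError("input must be whole block pairs (padding not shown here)")
    for i in range(len(data) // (2 * BLOCK)):
        off = 2 * i * BLOCK
        yield i, data[off:off + BLOCK], data[off + BLOCK:off + 2 * BLOCK]


def encrypt(key, nonce, msg):
    out = bytearray()
    for i, m1, m2 in _pairs(msg):             # pairs are independent: one pass, parallel
        c1, c2 = encrypt_pair(key, nonce, i, m1, m2)
        out += c1 + c2
    return bytes(out)


def decrypt(key, nonce, ct):
    out = bytearray()
    for i, c1, c2 in _pairs(ct):
        m1, m2 = decrypt_pair(key, nonce, i, c1, c2)
        out += m1 + m2
    return bytes(out)


if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 12         # constructed sample values
    msg = bytes(range(64))
    ct = encrypt(key, nonce, msg)
    assert decrypt(key, nonce, ct) == msg
    print("4 blocks encrypted with", CALLS[0], "primitive calls")
```

Two things are worth noticing when running it. Encrypting four blocks costs exactly four primitive calls, and decryption costs the same, using the same forward function. And because the second round is keyed on C1, changing one bit of M2 changes both ciphertext blocks of its pair, unlike a counter-mode stream where it would change only one; this is the mixing the abstract's two-round Feistel buys over a plain mask-and-XOR. Without a tag the construction gives no integrity, which is why the paper's scheme adds one.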
International Cryptology Conference | 2012
Tetsu Iwata; Keisuke Ohashi; Kazuhiko Minematsu
In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on the lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what was previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than in the general case of variable-length nonces.
International Conference on Selected Areas in Cryptography | 2006
Kazuhiko Minematsu
We study block cipher modes that turn a block cipher into a tweakable block cipher, which accepts an auxiliary variable called a tweak in addition to the key and message. Liskov et al. first showed such a mode using two keys, where one is the block cipher's key and the other is used for some non-cryptographic function. Later, Rogaway proposed the XEX mode to reduce these two keys to one key. In this paper, we propose a generalization of the Liskov et al. scheme with a concrete security proof. Using this, we provide an improved security proof of XEX and some improvements to LRW-AES, which is a straightforward AES-based instantiation of the Liskov et al. scheme proposed by the IEEE Security in Storage Working Group.
Fast Software Encryption | 2006
Kazuhiko Minematsu; Yukiyasu Tsunoo
We propose message authentication codes (MACs) that combine a block cipher and an additional (keyed or unkeyed) permutation. Our MACs are provably secure if the block cipher is pseudorandom and the additional permutation has a small differential probability. We also demonstrate that our MACs are easily implemented with AES and its 4-round version to obtain MACs that are provably secure and 1.4 to 2.5 times faster than the previous MAC modes of AES such as the CBC-MAC-AES.
Fast Software Encryption | 2007
Kazuhiko Minematsu; Toshiyasu Matsushima
We provide new security proofs for the PMAC, TMAC, and XCBC message authentication modes. The previous security bounds for these modes were σ²/2ⁿ, where n is the block size in bits and σ is the total number of queried message blocks. Our new bounds are ℓq²/2ⁿ for PMAC and ℓq²/2ⁿ + 4q²/2²ⁿ for TMAC and XCBC, where q is the number of queries and ℓ is the maximum message length in n-bit blocks. This improves the previous results in most practical cases, e.g., when no message is exceptionally long compared to the others.
Fast Software Encryption | 2014
Tetsu Iwata; Kazuhiko Minematsu; Jian Guo; Sumio Morioka
We define and analyze the security of a blockcipher mode of operation, CLOC, for provably secure authenticated encryption with associated data. The design of CLOC aims at optimizing previous schemes, CCM, EAX, and EAX-prime, in terms of the implementation overhead beyond the blockcipher, the precomputation complexity, and the memory requirement. With these features, CLOC is suitable for handling short input data, say 16 bytes, without needing precomputation or large memory. This property is especially beneficial to small microprocessors, where the word size is typically 8 or 16 bits and there are significant restrictions on the size and number of registers. CLOC uses a variant of CFB mode in its encryption part and a variant of CBC MAC in the authentication part. We introduce various design techniques in order to achieve the above-mentioned design goals. We prove CLOC secure, in a reduction-based provable security paradigm, under the assumption that the blockcipher is a pseudorandom permutation. We also present our preliminary implementation results.
International Journal of Information Security | 2006
Yukiyasu Tsunoo; Etsuko Tsujihara; Maki Shigeri; Hiroyasu Kubo; Kazuhiko Minematsu
A concrete attack using side-channel information from cache memory behaviour was proposed for the first time at ISITA 2002. The attack uses the difference between the execution times associated with S-box cache hits and cache misses to recover the intermediate key. Recently, a theoretical estimate of the number of messages needed for the attack was proposed, and it was reported that the average method obtains key information with fewer messages than the maximum-threshold or intermediate-threshold method. Taking the structure of the cipher into account, this paper provides a cache attack in which the average method is embodied, and gives an improved key estimation. The paper also studies an attack that exploits internal collisions.