Paper 2015/636

Analyzing Constructions for key-alternating Pseudorandom Functions with Applications to Stream Cipher Operation Modes

Matthias Krause

Abstract

In the last years, much research work has been invested into the security analysis of key alternating ciphers in the random oracle model. These are pseudorandom permutations (PRPs), sometimes also called iterated Even-Mansour ciphers, which are defined by alternatingly adding $n$-bit sub-keys $k_i$ and calling public $n$-bit permutations $P_i$. Besides the fact, that results of this kind concern the fundamental questions of understanding the nature of pseudorandomness, a practical motivation for this study is that many modern block cipher designs correspond exactly to variants of iterated Even-Mansour ciphers. In this paper, we study similar construction for pseudorandom functions (PRFs), where additionally the access to a public $n$-bit (one-way) function $F$ is allowed. In particular, we show a sharp $n/2$-security bound for the simplest possible construction $F(x\oplus k)$ and a sharp $2/3\cdot n$-bound for the $FP(1)$-construction $F(P(x\oplus k)\oplus k)$, both in the random oracle model. The latter result contrasts with a sharp bound of the same order for $P(P(x\oplus k)\oplus \pi(k))\oplus k$, recently proved by Chen et. al. One practical motivation for our research is due to the fact that operation modes of key stream generator based (KSG-based) stream ciphers can be modeled in a very straightforward way by FP-constructions. Our research shows a way to save KSG inner state length by using operation modes, which yield provable security beyond the birthday bound against time-space-data tradeoff attacks. For instance, we demonstrate that a slight change in the operation mode of the Bluetooth cipher (adding the session key twice in the initialization phase) raises the security w.r.t. to generic time-space-data tradeoff attacks from $n/2$ to $2/3\cdot n$, where $n$ denotes the KSG inner state length.