Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

Emmanuel Bresson; Anne Canteaut; Benoit Chevallier-Mames; Christophe Clavier; Thomas Fuhr; Aline Gouget; Thomas Icart; Jean-Francois Misarsky; Maria Naya-Plasencia; Pascal Paillier; Thomas Pornin; Jean-Rene Reinhard; Celine Thuillet; Marion Videau

Reports (Research Report) Year : 2009

Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

(1) , (2) , (1) , (3) , (1) , (3) , (4) , (5) , (2) , (3) , (6) , (1) , (7) , (1, 8)

1
2
3
4
5
6
7
8

Emmanuel Bresson

Function : Author

Laboratoire des Technologies de l'Information

Anne Canteaut

Function : Author
PersonId : 742251
IdHAL : anne-canteaut
ORCID : 0000-0002-6292-8336
IdRef : 035315873

Security, Cryptology and Transmissions

Benoit Chevallier-Mames

Function : Author

Laboratoire des Technologies de l'Information

Christophe Clavier

Function : Author
PersonId : 182703
IdHAL : christophe-clavier
ORCID : 0000-0002-0767-3684
IdRef : 146458176

Gemalto [Meudon]

Thomas Fuhr

Function : Author

Laboratoire des Technologies de l'Information

Aline Gouget

Function : Author

Gemalto [Meudon]

Thomas Icart

Function : Author

SAGEM Défense Sécurité [Massy]

Jean-Francois Misarsky

Function : Author

Orange Labs [Caen]

Maria Naya-Plasencia

Function : Author

Security, Cryptology and Transmissions

Pascal Paillier

Function : Author

Gemalto [Meudon]

Thomas Pornin

Function : Author

Cryptolog International

Jean-Rene Reinhard

Function : Author

Laboratoire des Technologies de l'Information

Celine Thuillet

Function : Author

Astrium [Toulouse]

Marion Videau

Function : Author

Laboratoire des Technologies de l'Information

Curves, Algebra, Computer Arithmetic, and so On

Abstract

Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.

Domains

Computer Science [cs] Cryptography and Security [cs.CR]

Marion Videau : Connect in order to contact the contributor

https://hal.inria.fr/hal-00771272

Submitted on : Tuesday, January 8, 2013-12:23:50 PM

Last modification on : Tuesday, February 7, 2023-2:44:48 PM

Dates and versions

hal-00771272 , version 1 (08-01-2013)

Identifiers

HAL Id : hal-00771272 , version 1

Cite

Emmanuel Bresson, Anne Canteaut, Benoit Chevallier-Mames, Christophe Clavier, Thomas Fuhr, et al.. Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers. [Research Report] 2009/299, IACR Cryptology ePrint Archive. 2009. ⟨hal-00771272⟩

Export

BibTeX TEI Dublin Core DC Terms EndNote Datacite

Collections

CNRS INRIA UNIV-LORRAINE INRIA2 LORIA LARA

332 View

0 Download

Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

Abstract

Domains

Dates and versions

Identifiers

Cite

Export

Collections

Share