Optimally secure block ciphers from ideal primitives

This article is free to access.

Abstract

Recent advances in block-cipher theory deliver security analyses in models where one or more underlying components (e.g., a function or a permutation) are ideal (i.e., randomly chosen). This paper addresses the question of finding new constructions achieving the highest possible security level under minimal assumptions in such ideal models. We present a new block-cipher construction, derived from the Swap-or-Not construction by Hoang et al. (CRYPTO '12). With n-bit block length, our construction is a secure pseudorandom permutation (PRP) against attackers making $2^{n - O(\log n)}$ block-cipher queries, and $2^{n - O(1)}$ queries to the underlying component (which has itself domain size roughly n). This security level is nearly optimal. So far, only key-alternating ciphers have been known to achieve comparable security using O(n) independent random permutations. In contrast, we only use a single function or permutation, and still achieve similar efficiency. Our second contribution is a generic method to enhance a block cipher, initially only secure as a PRP, to additionally withstand related-key attacks without substantial loss in terms of concrete security.

Tessaro, S. (2015). Optimally secure block ciphers from ideal primitives. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9453, pp. 437–462). Springer Verlag. https://doi.org/10.1007/978-3-662-48800-3_18
