An Inverse-free Single-Keyed Tweakable Enciphering Scheme
In CRYPTO 2003, Halevi and Rogaway proposed CMC, a tweakable enciphering scheme (TES) based on a blockcipher. It requires two blockcipher keys and it is not inverse-free (i.e., the decryption algorithm uses the inverse (decryption) of the underlying blockcipher). We present here a new inverse-free, single-keyed TES. Our construction is a tweakable strong pseudorandom permutation (tsprp), i.e., it is secure against chosen-plaintext-ciphertext adversaries, assuming only that the underlying blockcipher is a pseudorandom permutation (prp), i.e., secure against chosen-plaintext adversaries. In comparison, the sprp assumption on the blockcipher is required for the sprp security of CMC. Our scheme can be viewed as a mixture of type-1 and type-3 Feistel ciphers, and so we call it FMix, or mixed-type Feistel cipher.
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks
Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and "local" substitution steps utilizing such S-boxes, with keyed and "global" permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs.

In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve "beyond-birthday" (up to 2^{2n/3} adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2^n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security.

As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, a 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2^{2n/3} adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.
Notions and relations for RKA-secure permutation and function families
The theory of designing block ciphers is mature, having seen significant progress since the early 1990s for over two decades, especially during the AES development effort. Nevertheless, interesting directions exist, in particular in the study of the provable security of block ciphers along similar veins as public-key primitives, i.e. the notions of pseudorandomness (PRP) and indistinguishability (IND). Furthermore, recent cryptanalytic progress has shown that block ciphers well designed against known cryptanalysis techniques, including related-key attacks (RKA), may turn out to be less secure against related-key attacks than expected. The notion of provable security of block ciphers against related-key attacks was initiated by Bellare and Kohno, and subsequently treated by Lucks. Concrete block cipher constructions were proposed therein with provable security guarantees. In this paper, we are interested in the security notions for RKA-secure block ciphers.
Tweakable Enciphering Schemes Using Only the Encryption Function of a Block Cipher
A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TES is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementations of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to the best previously known schemes.
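The property that both the FMix abstract above and this one turn on, a length-preserving enciphering scheme whose decryption never calls the blockcipher inverse, is easiest to see in a Feistel structure, where each round only XORs a keyed function of one half into the other half. The following example is added here for illustration and is not code from either paper: it is a plain four-round Feistel network, not FMix and not the construction described in this abstract, and it uses HMAC-SHA256 in place of a blockcipher encryption call (an assumption made so the code runs with the Python standard library alone). The round function is one-way, so there is nothing to invert; decryption is the same loop with the round order reversed.

```python
import hashlib
import hmac

ROUNDS = 4  # four Feistel rounds, each using only the forward round function


def _round_function(key: bytes, rnd: int, tweak: bytes, data: bytes, out_len: int) -> bytes:
    """Keyed, tweaked, one-way round function expanded to out_len bytes.

    HMAC-SHA256 in counter mode stands in for the forward (encryption)
    direction of a blockcipher; this is an assumption of the example, not part
    of either paper. The round index and the length-prefixed tweak are bound
    into every call so that different rounds and different tweaks never feed
    the same input to HMAC. Nothing here is invertible, and nothing needs to be.
    """
    out = b""
    ctr = 0
    while len(out) < out_len:
        msg = (bytes([rnd]) + ctr.to_bytes(4, "big")
               + len(tweak).to_bytes(4, "big") + tweak + data)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, tweak: bytes, block: bytes, round_order) -> bytes:
    """Apply the Feistel rounds in the given order.

    Even rounds update the left half from the right half, odd rounds the
    reverse. The halves are never swapped, so an odd-length message (halves of
    unequal size) is handled exactly like an even-length one.
    """
    if len(block) < 2:
        raise ValueError("message must be at least 2 bytes so both halves are non-empty")
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for rnd in round_order:
        if rnd % 2 == 0:
            left = _xor(left, _round_function(key, rnd, tweak, right, len(left)))
        else:
            right = _xor(right, _round_function(key, rnd, tweak, left, len(right)))
    return left + right


def encrypt(key: bytes, tweak: bytes, plaintext: bytes) -> bytes:
    """Length-preserving tweakable encryption: ciphertext is as long as plaintext."""
    return _feistel(key, tweak, plaintext, range(ROUNDS))


def decrypt(key: bytes, tweak: bytes, ciphertext: bytes) -> bytes:
    """Same rounds in reverse order; XOR undoes XOR, so only the forward
    round function is ever evaluated. No inverse primitive exists or is needed."""
    return _feistel(key, tweak, ciphertext, reversed(range(ROUNDS)))


if __name__ == "__main__":
    # Constructed sample: a 499-byte "sector" (odd length) under a sector-number tweak.
    key = b"\x01" * 32
    sector = b"The quick brown fox jumps over the lazy dog. " * 11 + b"tail"
    ct = encrypt(key, b"sector-7", sector)
    print(len(sector), len(ct), decrypt(key, b"sector-7", ct) == sector)
    # A different tweak yields an unrelated ciphertext of the same length.
    print(encrypt(key, b"sector-8", sector) != ct)
```

Because the round function is evaluated in the same direction on both sides, a hardware implementation needs only the forward primitive, which is the saving the abstract above describes. Four balanced Feistel rounds with a pseudorandom round function are the classical Luby-Rackoff strong-PRP construction; the example makes no further security claim and is deliberately not a replacement for a vetted TES.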
Tweakable HCTR: A BBB Secure Tweakable Enciphering Scheme
HCTR, proposed by Wang et al., is one of the most efficient candidates of tweakable enciphering schemes that turns an -bit block cipher into a variable input length tweakable block cipher. Wang et al. have shown that HCTR offers a cubic security bound against all adaptive chosen plaintext and chosen ciphertext adversaries. Later in FSE 2008, Chakraborty and Nandi have improved its bound to , where is the total number of blocks queried and is the block size of the block cipher. In this paper, we propose tweakable HCTR that turns an -bit tweakable block cipher into a variable input length tweakable block cipher by replacing all the block cipher calls of HCTR with a tweakable block cipher. We show that when there is no repetition of the tweak, tweakable HCTR enjoys optimal security against all adaptive chosen plaintext and chosen ciphertext adversaries. However, if the repetition of the tweak is limited, then the security of the construction remains close to the security bound of the no-repetition case. Hence, it gives a graceful security degradation with the maximum number of repetitions of tweaks.
Robust Authenticated-Encryption: AEZ and the Problem that it Solves
With a scheme for robust authenticated-encryption a user can select an arbitrary value and then encrypt a plaintext of any length into a ciphertext that's characters longer. The scheme must provide all the privacy and authenticity possible for the requested . We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing rounds for blockcipher calls).
CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation
In this work, we propose a construction of 2-round tweakable substitution-permutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with κ-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωn-bit messages for any integer ω ≥ 2 using 5n + κ-bit keys and n-bit tweaks, providing 2n/3-bit security. Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced-round AES block cipher as the underlying secret S-box. Extensive cryptanalysis of this algorithm allows us to claim 127 bits of security.

Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.
Double Ciphertext Mode : A Proposal for Secure Backup
Security of data stored in bulk storage devices like the hard disk has gained a lot of importance today. Among the variety of paradigms which are available for disk encryption, low-level disk encryption is well accepted because of the high security guarantees it provides. In this paper we view the problem of disk encryption from a different direction. We explore how one can maintain secure backups of the data, such that loss of a physical device means neither loss of the data nor that the data gets revealed to the adversary. We propose an efficient solution to this problem through a new cryptographic scheme which we call the double ciphertext mode (DCM). In this paper we describe the syntax of DCM, define security for it and give some efficient constructions. Moreover, we argue regarding the suitability of DCM for the secure backup application and also explore other application areas where a DCM can be useful.