A Pseudorandom-Function Mode Based on Lesamnta-LW and the MDP Domain Extension and Its Applications

This paper discusses a mode for pseudorandom functions (PRFs) based on the hashing mode of Lesamnta-LW and the domain extension called Merkle-Damgård with permutation (MDP). The hashing mode of Lesamnta-LW is a plain Merkle-Damgård iteration of a block cipher with its key size half of its block size. First, a PRF mode is presented which produces multiple independent PRFs with multiple permutations and initialization vectors if the underlying block cipher is a PRP. Then, two applications of the PRF mode are presented. One is a PRF with minimum padding. Here, padding is said to be minimum if the produced message blocks do not include message blocks only with the padded sequence for any non-empty input message. The other is a vector-input PRF using the PRFs with minimum padding.This work was supported in part by JSPS KAKENHI GrantNumber JP16H02828.IEICE Transactions Online TOP (https://search.ieice.org/

Elastic-Tweak: A Framework for Short Tweak Tweakable Block Cipher

Tweakable block cipher (TBC), a stronger notion than standard block ciphers, has wide-scale applications in symmetric-key schemes. At a high level, it provides flexibility in design and (possibly) better security bounds. In multi-keyed applications, a TBC with short tweak values can be used to replace multiple keys. However, the existing TBC construction frameworks, including TWEAKEY and XEX, are designed for general purpose tweak sizes. Specifically, they are not optimized for short tweaks, which might render them inefficient for certain resource constrained applications. So a dedicated paradigm to construct short-tweak TBCs (tBC) is highly desirable. In this paper, as a first contribution, we present a dedicated framework, called the Elastic-Tweak framework (ET in short), to convert any reasonably secure SPN block cipher into a secure tBC. We apply the ET framework on GIFT and AES to construct efficient tBCs, named TweGIFT and TweAES. These short-tweak TBCs have already been employed in recent NIST lightweight competition candidates, LOTUS-LOCUS and ESTATE. As our second contribution, we show some concrete applications of ET-based tBCs, which are better than their block cipher counterparts in terms of key size, state size, number of block cipher calls, and short message processing. Some notable applications include, Twe-FCBC (reduces the key size of FCBC and gives better security than CMAC), Twe-LightMAC Plus (better rate than LightMAC Plus), Twe-CLOC, and Twe-SILC (reduces the number of block cipher calls and simplifies the design of CLOC and SILC)

Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher

This paper considers the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a ``small\u27\u27 domain to build a PRF with a ``large\u27\u27 domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called {\iPMAC}, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design stage discrete logarithm computation. The second scheme, called {\VPMAC}, uses a keyed compression function rather than a block cipher. The only previously known compression function based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. {\VPMAC} improves upon PCS by requiring lesser number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and later Rogaway had suggested that this analysis is simplified by using a primitive called a tweakable block cipher (TBC). In contrast, we take a direct approach. We prove a general result which shows that the authentication security of an AE scheme can be proved from the privacy of the scheme and by showing a certain associated function to be a PRF. Two new AE schemes \sym{PAE} and \sym{PAE}-1 are described and analysed using this approach. In particular, it is shown that the authentication security of \sym{PAE} follows easily from the security of {\iPMAC}. As a result, no separate extensive analysis of the authentication security of \sym{PAE} is required. An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme and it has been suggested earlier that a TBC based approach simplifies the analysis. Again, in contrast to the TBC based approach, we take a direct approach based on a simple masking strategy. Our idea uses double encryption of a fixed string and achieves the same effect of mask separation as in the TBC based approach. Using this idea, two new AEAD schemes \sym{PAEAD} and \sym{PAEAD}-1 are described. An important application of AEAD schemes is in the encryption of IP packets. The new schemes offer certain advantages over previously well known schemes such as the offset codebook (OCB) mode. These improvements include providing a wider variety of easily reconfigurable family of schemes, a small speed-up, a smaller size decryption algorithm for hardware implementation and uniform processing of only full-block messages

Merkle-Damgård Construction Method and Alternatives: A Review

Cryptographic hash function is an important cryptographic tool in the field of information security. Design of most widely used hash functions such as MD5 and SHA-1 is based on the iterations of compression function by Merkle-Damgård construction method with constant initialization vector. Merkle-Damgård construction showed that the security of hash function depends on the security of the compression function. Several attacks on Merkle-Damgård construction based hash functions motivated researchers to propose different cryptographic constructions to enhance the security of hash functions against the differential and generic attacks. Cryptographic community had been looking for replacements for these weak hash functions and they have proposed new hash functions based on different variants of Merkle-Damgård construction. As a result of an open competition NIST announced Keccak as a SHA-3 standard. This paper provides a review of cryptographic hash function, its security requirements and different design methods of compression function