143 research outputs found
How to Build Fully Secure Tweakable Blockciphers from Classical Blockciphers
This paper focuses on building a tweakable blockcipher from a classical blockcipher whose input and output wires all have a size of bits. The main goal is to achieve full security. Such a tweakable blockcipher was proposed by Mennink at FSE\u2715, and it is also the only tweakable blockcipher so far that claimed full security to our best knowledge. However, we find a key-recovery attack on Mennink\u27s proposal (in the proceeding version) with a complexity of about adversarial queries. The attack well demonstrates that Mennink\u27s proposal has at most security, and therefore invalidates its security claim. In this paper, we study a construction of tweakable blockciphers denoted as that is built on invocations of a blockcipher and additional simple XOR operations. As proven in previous work, at least two invocations of blockcipher with linear mixing are necessary to possibly bypass the birthday-bound barrier of security, we carry out an investigation on the instances of with , and find highly efficient tweakable blockciphers , , , that achieve provable security. Each of these tweakable blockciphers uses two invocations of a blockcipher, one of which uses a tweak-dependent key generated by XORing the tweak to the key (or to a secret subkey derived from the key). We point out the provable security of these tweakable blockciphers is obtained in the ideal blockcipher model due to the usage of the tweak-dependent key
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks
Substitution-Permutation Networks (SPNs) refer to a family
of constructions which build a wn-bit block cipher from n-bit public
permutations (often called S-boxes), which alternate keyless and “local”
substitution steps utilizing such S-boxes, with keyed and “global” permu-
tation steps which are non-cryptographic. Many widely deployed block
ciphers are constructed based on the SPNs, but there are essentially no
provable-security results about SPNs.
In this work, we initiate a comprehensive study of the provable security
of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying
n-bit permutation is modeled as a public random permutation. When the
permutation step is linear (which is the case for most existing designs),
we show that 3 SPN rounds are necessary and sufficient for security. On
the other hand, even 1-round SPNs can be secure when non-linearity
is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-
birthday” (up to 2 2n/3 adversarial queries) security, and, as the number
of non-linear rounds increases, our bounds are meaningful for the number
of queries approaching 2 n . Finally, our non-linear SPNs can be made
tweakable by incorporating the tweak into the permutation layer, and
provide good multi-user security.
As an application, our construction can turn two public n-bit permuta-
tions (or fixed-key block ciphers) into a tweakable block cipher working
on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w ≥ 2); the
tweakable block cipher provides security up to 2 2n/3 adversarial queries
in the random permutation model, while only requiring w calls to each
permutation, and 3w field multiplications for each wn-bit input
Tweakable Blockciphers for Efficient Authenticated Encryptions with Beyond the Birthday-Bound Security
Modular design via a tweakable blockcipher (TBC) offers efficient authenticated encryption (AE) schemes (with associated data) that call a blockcipher once for each data block (of associated data or a plaintext). However, the existing efficient blockcipher-based TBCs are secure up to the birthday bound, where the underlying keyed blockcipher is a secure strong pseudorandom permutation. Existing blockcipher-based AE schemes with beyond-birthday-bound (BBB) security are not efficient, that is, a blockcipher is called twice or more for each data block. In this paper, we present a TBC, XKX, that offers efficient blockcipher-based AE schemes with BBB security, by combining with efficient TBC-based AE schemes such as ΘCB3 an
Tweaking a block cipher: multi-user beyond-birthday-bound security in the standard model
In this paper, we present a generic construction to create a secure tweakable block cipher from a secure block cipher. Our construction is very natural, requiring four calls to the underlying block cipher for each call of the tweakable block cipher. Moreover, it is provably secure in the standard model while keeping the security degradation minimal in the multi-user setting. In more details, if the underlying blockcipher E uses n-bit blocks and 2n-bit keys, then our construction is proven secure against multi-user adversaries using up to roughly 2n time and queries as long as E is a secure block cipher
Tweak-Length Extension for Tweakable Blockciphers
Tweakable blockcipher (TBC) is an extension of standard blockcipher introduced by Liskov, Rivest and Wagner in 2002. TBC is a versatile building block for efficient symmetric-key cryptographic functions, such as authenticated encryption.
In this paper we study the problem of extending tweak of a given TBC of fixed-length tweak,
which is a variant of popular problem of converting a blockcipher into a TBC, i.e., blockcipher mode of operation.
The problem is particularly important for known dedicated TBCs since they have relatively short tweak.
We propose a simple and efficient solution, called XTX, for this problem.
XTX converts a TBC of fixed-length tweak into another TBC of arbitrarily long tweak, by extending the scheme of Liskov, Rivest and Wagner that converts a blockcipher into a TBC.
Given a TBC of -bit block and -bit tweak, XTX provides -bit security while conventional methods provide or -bit security.
We also show that XTX is even useful when combined with some blockcipher modes for building TBC having security beyond the birthday bound
A Note on the CLRW2 Tweakable Block Cipher Construction
In this note, we describe an error in the proof for CLRW2 given by Landecker et al. in their paper at CRYPTO 2012 on the beyond-birthday-bound security for tweakable block ciphers.
We are able to resolve the issue, give a new bound for the security of CLRW2, and identify a potential limitation of this proof technique when looking to extend the scheme to provide asymptotic security
Cascading Four Round LRW1 is Beyond Birthday Bound Secure
In CRYPTO’02, Liskov et al. introduced the concept of a tweakable block cipher, a novel symmetric key primitive with promising applications. They put forth two constructions for designing such tweakable block ciphers from conventional block ciphers: LRW1 and LRW2. While subsequent efforts extended LRW2 to achieve security beyond the birthday bound (e.g., cascaded LRW2 in CRYPTO’12 by Landecker et al.), the extension of LRW1 remained unexplored until Bao et al.’s work in EUROCRYPT’20 that considered cascaded LRW1, a one-round extension of LRW1 - entailing masking the LRW1 output with the given tweak and re-encrypting it with the same block cipher. They showed that CLRW1 offers security up to 22n/3 queries. However, this result was challenged by Khairallah’s recent birthday bound distinguishing attack on cascaded LRW1, effectively refuting the security claim of Bao et al. Consequently, a pertinent research question emerges: How many rounds of cascaded LRW1 are required to obtain security beyond the birthday bound? This paper addresses this question by establishing that cascading LRW1 for four rounds suffices to ensure security beyond the birthday bound. Specifically, we demonstrate that 4 rounds of CLRW1 guarantees security for up to 23n/4 queries. Our security analysis is based from recent advancements in the mirror theory technique for tweakable random permutations, operating within the framework of the Expectation Method
Tight Security of Cascaded LRW2
At CRYPTO \u2712, Landecker et al. introduced the cascaded LRW2 (or CLRW2) construction, and proved that it is a secure tweakable block cipher up to roughly queries. Recently, Mennink presented a distinguishing attack on CLRW2 in queries. In the same paper, he discussed some non-trivial bottlenecks in proving tight security bound, i.e. security up to queries. Subsequently, he proved security up to queries for a variant of CLRW2 using -wise independent AXU assumption and the restriction that each tweak value occurs at most times. Moreover, his proof relies on a version of mirror theory which is yet to be publicly verified. In this paper, we resolve the bottlenecks in Mennink\u27s approach and prove that the original CLRW2 is indeed a secure tweakable block cipher up to roughly queries. To do so, we develop two new tools: First, we give a probabilistic result that provides improved bound on the joint probability of some special collision events; Second, we present a variant of Patarin\u27s mirror theory in tweakable permutation settings with a self-contained and concrete proof. Both these results are of generic nature, and can be of independent interests. To demonstrate the applicability of these tools, we also prove tight security up to roughly queries for a variant of DbHtS, called DbHtS-p, that uses two independent universal hash functions
Cascading Four Round LRW1 is Beyond Birthday Bound Secure
In CRYPTO\u2702, Liskov et al. have introduced a new symmetric key primitive called tweakable block cipher. They have proposed two constructions of designing a tweakable block cipher from block ciphers. The first proposed construction is called and the second proposed construction is called . Although, has been extended in later works to provide beyond birthday bound security (e.g., cascaded in CRYPTO\u2712 by Landecker et al.), but extension of the has received no attention until the work of Bao et al. in EUROCRYPT\u2720, where the authors have shown that one round extension of , i.e., masking the output of with the given tweak and then re-encrypting it with the same block cipher, gives security up to queries. Recently, Khairallah has shown a birthday bound distinguishing attack on the construction and hence invalidated the security claim of Bao et al. This has led to the open research question, that {\em how many round are required for cascading to achieve beyond birthday bound security ?}
In this paper, we have shown that cascading up to four rounds is sufficient for ensuring beyond the birthday bound security. In particular, we have shown that provides security up to queries. Security analysis of our construction is based on the recent development of the mirror theory technique for tweakable random permutations under the framework of the Expectation Method
- …