121 research outputs found
Designing Tweakable Enciphering Schemes Using Public Permutations
A tweakable enciphering scheme (TES) is a length preserving (tweakable) encryption scheme that provides (tweakable) strong pseudorandom permutation security on arbitrarily long messages. TES is traditionally built using block ciphers, and the security of the mode depends on the strong pseudorandom permutation security of the underlying block cipher. In this paper, we construct TESs using public random permutations. Public random permutations are being considered as a replacement for block ciphers in several cryptographic schemes, including AEs, MACs, etc. However, to our knowledge, a systematic study of constructing TES using public random permutations is missing. In this paper, we give a generic construction of a TES which uses a public random permutation, a length expanding public permutation based PRF and a hash function which is both almost xor universal and almost regular. Further, we propose a concrete length expanding public permutation based PRF construction. We also propose a single keyed TES using a public random permutation and an AXU and almost regular hash function.
An Inverse-free Single-Keyed Tweakable Enciphering Scheme
In CRYPTO 2003, Halevi and Rogaway proposed CMC, a tweakable enciphering scheme (TES) based on a blockcipher. It requires two blockcipher keys and it is not inverse-free (i.e., the decryption algorithm uses the inverse (decryption) of the underlying blockcipher). We present here a new inverse-free, single-keyed TES. Our construction is a tweakable strong pseudorandom permutation (tsprp), i.e., it is secure against chosen-plaintext-ciphertext adversaries, assuming that the underlying blockcipher is a pseudorandom permutation (prp), i.e., secure against chosen-plaintext adversaries. In comparison, the sprp assumption on the blockcipher is required for the sprp security of CMC. Our scheme can be viewed as a mixture of type-1 and type-3 Feistel ciphers, and so we call it FMix or mixed-type Feistel cipher.
Tweakable Enciphering Schemes Using Only the Encryption Function of a Block Cipher
A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TES is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementation of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to the best previously known schemes.
Double Ciphertext Mode: A Proposal for Secure Backup
Security of data stored in bulk storage devices like the hard disk has gained a lot of importance in the current days. Among the variety of paradigms which are available for disk encryption, low level disk encryption is well accepted because of the high security guarantees it provides. In this paper we view the problem of disk encryption from a different direction. We explore the possibility of how one can maintain secure backups of the data, such that loss of a physical device will mean neither loss of the data nor the fact that the data gets revealed to the adversary. We propose an efficient solution to this problem through a new cryptographic scheme which we call the double ciphertext mode (DCM). In this paper we describe the syntax of DCM, define security for it and give some efficient constructions. Moreover, we argue regarding the suitability of DCM for the secure backup application and also explore other application areas where a DCM can be useful.
Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions
This paper describes several constructions of tweakable strong pseudorandom permutations (SPRPs) built from different modes of operations of a block cipher and suitable universal hash functions. For the electronic codebook (ECB) based construction, an invertible blockwise universal hash function is required. We simplify an earlier construction of such a function described by Naor and Reingold. The other modes of operations considered are the counter mode and the output feedback (OFB) mode. All the constructions make the same number of block cipher calls and the same number of multiplications. Combined with a class of polynomials defined by Bernstein, the new constructions provide the currently best known algorithms for the important practical problem of disk encryption.
Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Universal hash functions (UHFs) have been extensively used in the design of cryptographic schemes. If we consider the related-key attack (RKA) against these UHF-based schemes, some of them may not be secure, especially those using the key of the UHF as a part of the whole key of the scheme, due to the weakness of UHFs in the RKA setting. In order to solve the issue, we propose a new concept of related-key almost universal hash function, which is a natural extension of almost universal hash function to the RKA setting. We define related-key almost universal (RKA-AU) hash function and related-key almost XOR universal (RKA-AXU) hash function. However, almost all the existing UHFs do not satisfy the new definitions. We construct one fixed-input-length universal hash function named RH1 and two variable-input-length universal hash functions named RH2, RH3. We show that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU for the RKD set. Furthermore, RH1, RH2 and RH3 are nearly as efficient as previous similar constructions. RKA-AU (RKA-AXU) hash functions can be used as components in related-key secure cryptographic schemes. If we replace the universal hash functions in the schemes with our corresponding constructions, the problems with related-key attacks can be solved for some RKD sets. More specifically, we give four concrete applications of RKA-AU and RKA-AXU in related-key secure message authentication codes and tweakable block ciphers.
Disk Encryption: Do We Need to Preserve Length?
In the last decade and a half there has been a lot of activity towards the development of cryptographic techniques for disk encryption. It has been almost canonised that an encryption scheme suitable for the application of disk encryption must be length preserving, i.e., it rules out the use of schemes like authenticated encryption where an authentication tag is also produced as a part of the ciphertext, resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalised as the appropriate primitive for disk encryption, and it has been argued that they provide the maximum security possible for a tag-less scheme. On the other hand, TESs are less efficient than some existing authenticated encryption schemes. Also, a TES cannot provide true authentication as it does not have authentication tags. In this paper, we analyze the possibility of the use of encryption schemes where length expansion is produced for the purpose of disk encryption. On the negative side, we argue that nonce based authenticated encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for disk encryption. Finally, we propose a new deterministic authenticated encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggest that BCTR performs significantly better than existing TESs and existing DAE schemes.
Another Look at XCB
XCB is a tweakable enciphering scheme (TES) which was first proposed in 2004. The scheme was modified in 2007. We call these two versions of XCB XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector oriented storage media in IEEE-std 1619.2 2010. There is no known proof of security for XCBv1, but the authors provided a concrete security bound for XCBv2 and a "proof" justifying the bound. In this paper we show that XCBv2 is not secure as a TES by showing an easy distinguishing attack on it. For XCBv2 to be secure, the message space should contain only messages whose lengths are multiples of the block length of the block cipher. For such restricted message spaces also, the bound that the authors claim is not justified. We show this by pointing out some errors in the proof. For XCBv2 on full block messages, we provide a new security analysis. The resulting bound that can be proved is much worse than what has been claimed by the authors. Further, we provide the first concrete security bound for XCBv1, which holds for all message lengths. In terms of known security bounds, both XCBv1 and XCBv2 are worse compared to existing alternative TESs.
- …