XLS is not a Strong Pseudorandom Permutation
In FSE 2007, Ristenpart and Rogaway described a generic method, XLS, to construct a length-preserving strong pseudorandom permutation (SPRP) over bit-strings of size at least n. It requires a length-preserving permutation E over all bit-strings whose size is a multiple of n and a blockcipher E with block size n. The SPRP security of XLS was proved from the SPRP assumptions on both E and E. In this paper we disprove the claim by demonstrating an SPRP distinguisher for XLS which makes only three queries and has distinguishing advantage about 1/2. XLS uses a multi-permutation linear function, called mix2. In this paper, we also show that if we replace mix2 by any invertible linear function, the construction XLS still remains insecure. Thus the mode has an inherent weakness
How to Enrich the Message Space of a Cipher
Given (deterministic) ciphers \calE and that can encipher messages of \el and bits, respectively, we construct a cipher \calE^*=XLS[\calE,E] that can encipher messages of \el+s bits for any . Enciphering such a string will take one call to \calE and two calls to . We prove that \calE^* is a strong pseudorandom permutation as long as \calE and are. Our construction works even in the tweakable and VIL (variable-input-length) settings. It makes use of a multipermutation (a pair of orthogonal Latin squares), a combinatorial object not previously used to get a provable-security result
Revisiting Security Claims of XLS and COPA
Ristenpart and Rogaway proposed XLS in 2007, a generic method to encrypt messages with incomplete last blocks. Later, in 2013, Andreeva et al. proposed an authenticated encryption scheme, COPA, which uses XLS when processing incomplete message blocks. Following the design of COPA, several other CAESAR candidates used a similar approach. Surprisingly, in 2014 Nandi showed a three-query distinguisher against XLS which violates the security claim of XLS and puts a question mark on all schemes using XLS. However, due to the interleaved nature of the encryption and decryption queries of the distinguisher, it was not clear whether the security claims of COPA remain true or not. This paper revisits XLS and COPA both in the direction of cryptanalysis and of provable security. The contributions of the paper can be summarized in the following two parts:
1. Cryptanalysis: We describe two attacks - (i) a new distinguisher against XLS and, extending this attack, (ii) a forging algorithm with query complexity about 2^{n/3} against COPA, where n is the block size of the underlying blockcipher.
2. Security Proof: Due to the above attacks the main claims of XLS (already known before) and COPA are wrong. So we revise the security analysis of both and show that (i) both XLS and COPA are pseudorandom functions (PRF) up to 2^{n/2} queries and (ii) COPA is integrity-secure up to 2^{n/3} queries (matching the query complexity of our forging algorithm)
A Generic Method to Extend Message Space of a Strong Pseudorandom Permutation
In this paper we present an efficient and secure generic method which can encrypt messages of size at least . This generic encryption algorithm needs a secure encryption algorithm for messages of size a multiple of . The first generic construction, XLS, was proposed by Ristenpart and Rogaway in FSE-07. It needs two extra invocations of an independently chosen strong pseudorandom permutation (SPRP) defined over \s^n for the encryption of an incomplete message block. Our construction, by contrast, needs only one invocation of a weak pseudorandom function and two multiplications over a finite field (equivalently, two invocations of a universal hash function). We prove here that the proposed method preserves (tweakable) SPRP security. This new construction is meaningful for two reasons. Firstly, it is based on a weak pseudorandom function, which is a weaker security notion than SPRP. Thus we are able to achieve stronger security from a weaker one. Secondly, in practice, finite field multiplication is more efficient than an invocation of an SPRP. Hence our method can be more efficient than XLS
On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes
It is well known that three and four rounds of a balanced Feistel cipher or Luby-Rackoff (LR) encryption for two-block messages are a pseudorandom permutation (PRP) and a strong pseudorandom permutation (SPRP), respectively. A block is -bit long for some positive integer , and a (possibly keyed) block-function is a nonlinear function mapping all blocks to themselves, e.g. a blockcipher. XLS (eXtended Latin Square) with three blockcipher calls was claimed to be an SPRP, which was later shown to be wrong. Motivated by these observations, we consider the following question in this paper: What is the minimum number of invocations of block-functions required to achieve PRP or SPRP security over -block inputs? To answer this question, we consider all those length-preserving encryption schemes, called linear encryption modes, for which the only nonlinear operations are block-functions. Here, we prove the following results for these encryption schemes:
(1) At least (or ) invocations of block-functions are required to achieve SPRP (or PRP, respectively). These bounds are also tight.
(2) To achieve the above bound for PRP over blocks, either we need at least two keys or it cannot be inverse-free (i.e., the decryption needs to apply the inverses of the block-functions). In particular, we show that a single-keyed block-function based, inverse-free PRP needs invocations.
(3) We show that 3-round LR using a single-keyed pseudorandom function (PRF) is a PRP if we xor a block of input with a masking key
An Inverse-free Single-Keyed Tweakable Enciphering Scheme
In CRYPTO 2003, Halevi and Rogaway proposed CMC, a tweakable enciphering scheme (TES) based on a blockcipher. It requires two blockcipher keys and it is not inverse-free (i.e., the decryption algorithm uses the inverse (decryption) of the underlying blockcipher). We present here a new inverse-free, single-keyed TES. Our construction is a tweakable strong pseudorandom permutation (tsprp), i.e., it is secure against chosen-plaintext-ciphertext adversaries, assuming only that the underlying blockcipher is a pseudorandom permutation (prp), i.e., secure against chosen-plaintext adversaries. In comparison, the sprp assumption on the blockcipher is required for the sprp security of CMC. Our scheme can be viewed as a mixture of type-1 and type-3 Feistel ciphers, and so we call it FMix or mixed-type Feistel cipher
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model
We present two tweakable wide block cipher modes from doubly-extendable cryptographic keyed (deck) functions and a keyed hash function: double-decker and docked-double-decker. Double-decker is a direct generalization of Farfalle-WBC of Bertoni et al. (ToSC 2017(4)), and is a four-round Feistel network on two arbitrarily large branches, where the middle two rounds call deck functions and the first and last rounds call the keyed hash function. Docked-double-decker is a variant of double-decker where the bulk of the input to the deck functions is moved to the keyed hash functions. We prove that the distinguishing advantage of the resulting wide block ciphers is simply two times the sum of the pseudorandom function distinguishing advantage of the deck function and the blinded keyed hashing distinguishing advantage of the keyed hash functions. We demonstrate that blinded keyed hashing is more general than the conventional notion of XOR-universality, and that it allows us to instantiate our constructions with keyed hash functions that have a very strong claim on bkh security but not necessarily on XOR-universality, such as Xoofffie (ePrint 2018/767). The bounds of double-decker and docked-double-decker are moreover reduced tweak-dependent, informally meaning that collisions on the keyed hash function for different tweaks only have a limited impact. We describe two use cases that can exploit this property opportunistically to get stronger security than what would be achieved with prior solutions: SSD encryption, where each sector can only be written to a limited number of times, and incremental tweaks, where one includes the state of the system in the variable-length tweak and appends new data incrementally
General Classification of the Authenticated Encryption Schemes for the CAESAR Competition
An authenticated encryption scheme is a scheme which provides privacy and integrity by using a secret key. In 2013, CAESAR (the "Competition for Authenticated Encryption: Security, Applicability, and Robustness") was co-founded by NIST and Dan Bernstein with the aim of finding authenticated encryption schemes that offer advantages over AES-GCM and are suitable for widespread adoption. The first round started with 57 candidates in March 2014, and nine of these first-round candidates were broken and withdrawn from the competition. The remaining 48 candidates went through an intense process of review, analysis and comparison. While the cryptographic community benefits greatly from the manifold different submission designs, their sheer number implies a challenging amount of study. This paper provides an easy-to-grasp overview of the functional aspects, security parameters, and robustness offerings of the CAESAR candidates, clustered by their underlying designs (block-cipher-, stream-cipher-, permutation-/sponge-, compression-function-based, dedicated). After intensive review and analysis of all 48 candidates by the community, the CAESAR committee selected only 30 candidates for the second round. The announcement of the third-round candidates was made on 15th August 2016, and 15 candidates were chosen for the third round
Quantum Algorithms for the k-xor Problem
The k-xor (or generalized birthday) problem is a widely studied question with many applications in cryptography. It aims at finding k elements of n bits, drawn at random, such that the xor of all of them is 0. The algorithms proposed by Wagner more than fifteen years ago remain the best known classical algorithms for solving them, when disregarding logarithmic factors. In this paper we study these problems in the quantum setting, when considering that the elements are created by querying a random function (or k random functions) H : {0,1}^n → {0,1}^n. We consider two scenarios: in one we are able to use a limited amount of quantum memory (i.e. a number O(n) of qubits, the same as needed by Grover's search algorithm), and in the other we consider that the algorithm can use an exponential amount of qubits. Our newly proposed algorithms are of general interest. In both settings, they provide the best known quantum time complexities. In particular, we are able to considerably improve the 3-xor algorithm: with limited qubits, we reach a complexity considerably better than what is currently possible for quantum collision search. Furthermore, when having access to exponential amounts of quantum memory, we can take this complexity below O(2^{n/3}), the well-known lower bound of quantum collision search, clearly improving the best known quantum time complexity in this setting as well. We illustrate the importance of these results with some cryptographic applications
Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers
We give an overview of our critiques of "proofs" of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata