Multi-user Security Bound for Filter Permutators in the Random Oracle Model
At EUROCRYPT 2016, Méaux et al. introduced a new design strategy for symmetric ciphers for Fully Homomorphic Encryption (FHE), which they dubbed filter permutators. Although less efficient than classical stream ciphers, when used in conjunction with an adequate FHE scheme they allow constant and small noise growth when homomorphically evaluating the decryption circuit. In this article, we present a security proof up to the birthday bound (with respect to the size of the IV and the size of the key space) for this new structure in the random oracle model and in the multi-user setting. In particular, this result justifies the theoretical soundness of filter permutators. We also provide a related-key attack against all instances of FLIP, a stream cipher based on this design.
Tweaking a block cipher: multi-user beyond-birthday-bound security in the standard model
In this paper, we present a generic construction to create a secure tweakable block cipher from a secure block cipher. Our construction is very natural, requiring four calls to the underlying block cipher for each call of the tweakable block cipher. Moreover, it is provably secure in the standard model while keeping the security degradation minimal in the multi-user setting. In more detail, if the underlying block cipher E uses n-bit blocks and 2n-bit keys, then our construction is proven secure against multi-user adversaries using up to roughly 2^n time and queries, as long as E is a secure block cipher.
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks
Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and "local" substitution steps utilizing such S-boxes, with keyed and "global" permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on SPNs, but there are essentially no provable-security results about SPNs.

In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve "beyond-birthday" (up to 2^{2n/3} adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2^n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security.

As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, a 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2^{2n/3} adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.
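The abstract above describes the generic SPN shape (a public, keyless S-box applied lane by lane, alternating with a keyed, non-cryptographic global layer) and states that a linear permutation layer needs 3 rounds. The following toy is an added illustration and is not the construction from the paper: it fixes n = 8, w = 4, a fixed seeded random permutation as the public S-box, a lower-triangular lane-mixing map as the public linear layer with round keys XORed in, and shows the simplest consequence of that structure, a chosen-plaintext distinguisher that breaks the 1-round linear SPN for every key. It says nothing about the 2-round case, which the paper attacks differently.

```python
import random

W = 4   # number of n-bit lanes (n = 8 here), so the SPN works on wn = 32 bits

# Public, keyless S-box: a fixed random permutation of {0..255}, standing in for
# the "public random permutation" of the model (constructed with a fixed seed).
_rng = random.Random(2018)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i


def mix(x):
    """Public, non-cryptographic linear layer over GF(2): lane i absorbs lane i-1.
    Lower triangular, hence invertible; this is the 'global' step of the SPN."""
    return [x[i] ^ (x[i - 1] if i > 0 else 0) for i in range(W)]


def mix_inv(y):
    x = []
    for i in range(W):
        x.append(y[i] ^ (x[i - 1] if i > 0 else 0))
    return x


def round_keys(rounds, seed=1):
    """rounds+1 constructed W-lane round keys (keys[0] is whitening before round 1)."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(W)] for _ in range(rounds + 1)]


def spn_encrypt(keys, block):
    """Linear SPN with len(keys)-1 rounds: T_0 is key addition, each round is the
    keyless S-box layer followed by the keyed linear layer T_i = mix, then key."""
    x = [b ^ k for b, k in zip(block, keys[0])]
    for k in keys[1:]:
        x = [SBOX[b] for b in x]                    # keyless, local substitution
        x = [b ^ kk for b, kk in zip(mix(x), k)]    # keyed, global linear layer
    return x


def spn_decrypt(keys, block):
    x = list(block)
    for k in reversed(keys[1:]):
        x = mix_inv([b ^ kk for b, kk in zip(x, k)])
        x = [SBOX_INV[b] for b in x]
    return [b ^ k for b, k in zip(x, keys[0])]


def one_round_distinguisher(encrypt):
    """Chosen-plaintext test that succeeds against any 1-round SPN of this shape,
    whatever the keys: for two plaintexts differing only in lane 0, the ciphertext
    difference with the public mix undone equals S(p0^k) ^ S(q0^k) in lane 0 and is
    zero in every other lane. A random permutation passes with probability ~2^-24."""
    p = [0x11, 0x22, 0x33, 0x44]
    q = [0xA5, 0x22, 0x33, 0x44]
    c, d = encrypt(p), encrypt(q)
    delta = mix_inv([a ^ b for a, b in zip(c, d)])
    return all(v == 0 for v in delta[1:])


if __name__ == "__main__":
    for r in (1, 3):
        keys = round_keys(r)
        print(f"{r}-round linear SPN looks 1-round:",
              one_round_distinguisher(lambda b: spn_encrypt(keys, b)))
```

With one round the check always passes, so the cipher is distinguished from a random permutation with two queries; with three rounds the difference has spread through the mixing layer into other lanes before the last S-box layer, and the same check fails.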
CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation
In this work, we propose a construction of 2-round tweakable substitution-permutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with κ-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts wn-bit messages for any integer w ≥ 2 using (5n + κ)-bit keys and n-bit tweaks, providing 2n/3-bit security.

Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced-round AES block cipher as the underlying secret S-box. Extensive cryptanalysis of this algorithm allows us to claim 127 bits of security.

Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.
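The granularity point in the last paragraph is easy to see concretely: under a narrow-block tweakable mode an attacker who flips one ciphertext byte corrupts exactly one 16-byte plaintext block and leaves the rest of the sector intact, whereas under a wide-block tweakable enciphering scheme the same flip randomizes the whole sector. The script below is an added illustration, not code from the CTET+ paper or any of the schemes it names. Both "ciphers" are toy tweakable Feistel networks with HMAC-SHA256 round functions (4 rounds, the Luby-Rackoff count for an SPRP from a PRF); they mimic only the structure of a 16-byte-block mode versus a sector-wide scheme and are not a disk-encryption design. Sector size (512 bytes), key and sector contents are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16      # narrow-block width in bytes, as in AES-XTS
SECTOR = 512    # disk sector size in bytes (assumption: 512-byte sectors)
ROUNDS = 4      # Luby-Rackoff: four Feistel rounds give an SPRP from a PRF

# Constructed sample key and sector content, fixed so the run is reproducible.
KEY = bytes(range(32))
SECTOR_NO = 7
PLAINTEXT = bytes(range(256)) * 2          # 512 bytes


def _prf(key, rnd, tweak, data, out_len):
    """Round function: HMAC-SHA256 in counter mode, domain-separated by the
    round index and the tweak, expanded to out_len bytes."""
    out = b""
    ctr = 0
    while len(out) < out_len:
        msg = bytes([rnd]) + tweak + ctr.to_bytes(4, "big") + data
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(key, tweak, data, decrypt=False):
    """Tweakable keyed permutation on any even-length byte string.
    Encryption round: (L, R) -> (R, L ^ F(R)); decryption undoes the rounds in reverse."""
    half = len(data) // 2
    L, R = data[:half], data[half:]
    rounds = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for rnd in rounds:
        if decrypt:
            L, R = _xor(R, _prf(key, rnd, tweak, L, half)), L
        else:
            L, R = R, _xor(L, _prf(key, rnd, tweak, R, half))
    return L + R


def narrow_block(key, sector_no, data, decrypt=False):
    """XTS-like structure: every 16-byte block is enciphered independently under
    a tweak derived from (sector number, block index)."""
    out = b""
    for i in range(len(data) // BLOCK):
        tweak = sector_no.to_bytes(8, "big") + i.to_bytes(8, "big")
        out += feistel(key, tweak, data[i * BLOCK:(i + 1) * BLOCK], decrypt)
    return out


def wide_block(key, sector_no, data, decrypt=False):
    """Tweakable enciphering scheme: the whole sector is one block, tweaked by
    the sector number."""
    return feistel(key, sector_no.to_bytes(16, "big"), data, decrypt)


def damaged_blocks(mode, flip_offset):
    """Encrypt PLAINTEXT, flip one ciphertext bit, decrypt, and report which
    16-byte plaintext blocks no longer match the original."""
    ct = bytearray(mode(KEY, SECTOR_NO, PLAINTEXT))
    ct[flip_offset] ^= 0x01
    pt = mode(KEY, SECTOR_NO, bytes(ct), decrypt=True)
    return [i for i in range(SECTOR // BLOCK)
            if pt[i * BLOCK:(i + 1) * BLOCK] != PLAINTEXT[i * BLOCK:(i + 1) * BLOCK]]


def roundtrip_ok():
    return all(m(KEY, SECTOR_NO, m(KEY, SECTOR_NO, PLAINTEXT), decrypt=True) == PLAINTEXT
               for m in (narrow_block, wide_block))


if __name__ == "__main__":
    flip = 5 * BLOCK + 3     # third byte of block 5
    print("narrow-block damage:", damaged_blocks(narrow_block, flip))
    print("wide-block damage:  ", damaged_blocks(wide_block, flip))
```

The narrow-block run reports only block 5 as damaged, which is exactly the surgical, one-block corruption that a wide-block scheme denies an attacker: in the wide-block run every one of the 32 blocks comes back as garbage, because a 4-round Feistel over the whole sector spreads any ciphertext change across both halves before the plaintext is reached.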