Beyond-birthday-bound Security Based on Tweakable Block Ciphers
Kazuhiko Minematsu
NEC Corporation
Fast Software Encryption 2009, Leuven, Belgium
Doubling the Block Length of a Cipher
Build a 2n-bit block cipher using n-bit components
Many solutions, e.g., using a Feistel permutation
[Figure: 2n-bit block cipher E_Key (Plaintext -> Ciphertext) built from n-bit components E1, E2, ... in a Feistel permutation]
Security Reduction (the case of Feistel)
Luby-Rackoff [LR88]: 4-round is O(2^{n/2})-secure for chosen-ciphertext attacks (CCAs) if E is a pseudorandom function, i.e. hard to distinguish from a URP using q ≪ 2^{n/2} queries
Security is up to the Birthday Bound (for n)
[Figure: 4-round Feistel vs. Uniform Random Permutation, 2^{n/2} CCA queries]
Goal: Beyond-birthday-bound Security
O(2^{ε+n/2})-security for some ε>0 (larger ε is better)
Very few known schemes (even for a small ε)
Most known schemes are O(2^{n/2})-secure
Useful: it improves the security of block cipher modes w/ O(2^{block_length/2})-security, which are quite common (CBC, CTR, CBC-MAC, etc.)
Known Approaches
Direct extension of Luby-Rackoff: use an n-bit block PRF & add more (balanced) Feistel rounds to the LR results
- Patarin [Pat04]: 6-round has O(2^n)-sec. (for CCA)
- Maurer-Pietrzak [MP03]: (r 1)-round has infinite-sec. (i.e. Adv. converges to 0 as r grows)
Unbalanced Feistel: use a PRF w/ >n-bit input & <n-bit output
- Naor-Reingold [NR97]: s-round has O(2^{n(1-1/s)})-sec.
Our Approach
Use a Tweakable (Block) Cipher: an extension of block cipher introduced by Liskov et al. [LRW02]
Tweak = public parameter for variability
- A tweak determines a single instance of a block cipher
- Different tweaks should provide pseudo-independent instances of a block cipher
[Figure: tweakable encryption TE_K with n-bit plaintext P and m-bit tweak T giving ciphertext C, and its inverse TD_K]
Problem Setting
Tweakable Cipher w/ n-bit block & m-bit tweak (we call it an (n,m)-bit TC)
We assume 1 <= m <= n
We assume our (n,m)-bit TC is perfect (i.e., it is the set of 2^m indep. n-bit URPs)
- goal: info-theoretic security proof; once obtained, the computational counterpart is trivial
Build a 2n-bit cipher w/ (n,m)-bit TCs. How?
Starting Point: NR Mode
Another proposal of Naor-Reingold for a large-block cipher (originally cn-bit for any c>=2, here c=2)
Mix-ECB-Mix, where Mix is a (weak form of) pairwise indep. permutation
O(2^{n/2})-sec. was obtained
[Figure: NR mode, (PL, PR) -> mix 1 -> E, E -> mix 2 -> (CL, CR), all branches n-bit]
Tweaking ECB
Assume m = n for simplicity
Use the tweak to introduce inter-block dependency... while keeping it invertible! Then we get;
(note: this is two-key, but a one-key version is also possible)
(e.g. a butterfly trans. can not be used)
[Figure: tweaked ECB, (PL, PR) -> TE1, TE2 with their tweaks drawn from the state -> (CL, CR)]
The Role of Mix Layers
Tweaked ECB itself is only O(2^{n/2})-secure
- simultaneous collisions of tweak and output can be the source of attack!
Mix must prevent this (in particular a collision of tweaks)
[Figure: TE1 under distinct tweaks behaves like a URP with no collision; a tweak collision through mix 1 has Prob. ~ q^2/2^n, giving Adv. ~ q^2/2^n; panels labelled distinct / fixed]
Result : Extended Naor-Reingold (ENR)
Mix is a one-round Feistel using an ε-AXU hash func. (i.e., Pr[H(x)+H(x') = δ] < ε for all x ≠ x', δ)
The same key for the top and bottom
[Figure: ENR, (PL, PR) -> one-round Feistel with H -> TE1, TE2 -> mirrored one-round Feistel with H -> (CL, CR)]
(see paper for a general case (H = ε-AXU))
Theorem: if H is 2^{-n}-AXU, we have
O(2^n)-security is obtained!
(Negl. if q ≪ 2^n)
Moreover, if our TC is not perfect, we have
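As an added illustration (not the paper's code), a toy ENR for the m = n case with n = 8: the tweakable cipher is modelled as the "perfect" TC of the problem setting (one lazily sampled random permutation per tweak, a constructed stand-in), H is multiplication by a key in GF(2^8), and the exact wiring of the two Feistel mix layers and of the tweaks is my reading of the tweaked-ECB and ENR figures, so it is an assumption. It checks the 2^{-n}-AXU property of H and that the whole 2n-bit construction is invertible.

```python
import random
N = 8            # toy block size n = 8 bits; assumption: m = n, as in the "Tweaking ECB" slide
POLY = 0x11b     # AES field polynomial for GF(2^8)

def gf_mul(a, b):
    """Multiply in GF(2^8); H_K(x) = K*x is the AXU hash assumed for the mix layers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << N):
            a ^= POLY
        b >>= 1
    return r

def axu_probability(x, xp, delta):
    """Pr over a uniform key K of H_K(x) ^ H_K(xp) == delta; equals 2^-n when x != xp."""
    return sum(gf_mul(k, x) ^ gf_mul(k, xp) == delta for k in range(1 << N)) / (1 << N)

class ToyTweakableCipher:
    """Model of a perfect (n,n)-bit TC: one independent random permutation per tweak,
    sampled lazily from a PRNG seeded by (key, tweak). Constructed stand-in, not a real cipher."""
    def __init__(self, key):
        self.key, self.perms = key, {}
    def _perm(self, tweak):
        if tweak not in self.perms:
            p = list(range(1 << N))
            random.Random((self.key << N) | tweak).shuffle(p)
            self.perms[tweak] = (p, {c: x for x, c in enumerate(p)})
        return self.perms[tweak]
    def enc(self, tweak, x): return self._perm(tweak)[0][x]
    def dec(self, tweak, y): return self._perm(tweak)[1][y]

def enr_encrypt(te1, te2, hkey, pl, pr):
    t1 = pr ^ gf_mul(hkey, pl)     # mix 1 (one-round Feistel): t1 becomes TE1's tweak,
    v = te1.enc(t1, pl)            #   collision-free w.h.p. for distinct plaintexts (AXU)
    w = te2.enc(v, t1)             # tweaked ECB: TE2's tweak is TE1's output
    return v ^ gf_mul(hkey, w), w  # mix 2: mirrored Feistel with the same H key

def enr_decrypt(te1, te2, hkey, cl, cr):
    w = cr
    v = cl ^ gf_mul(hkey, w)       # undo mix 2
    t1 = te2.dec(v, w)             # undo the tweaked ECB in reverse order
    pl = te1.dec(t1, v)
    return pl, t1 ^ gf_mul(hkey, pl)   # undo mix 1

def roundtrip_all(te1, te2, hkey):
    """True iff ENR decrypts every 2n-bit plaintext, i.e. it is a 2n-bit permutation."""
    return all(enr_decrypt(te1, te2, hkey, *enr_encrypt(te1, te2, hkey, pl, pr)) == (pl, pr)
               for pl in range(1 << N) for pr in range(1 << N))
```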
Proof Idea
There are four Quasi-Random Functions having 2n-bit input and n-bit output (overlapping each other)
Each QRF has O(2^{2n})-security if H is 2^{-n}-AXU
[Figure: ENR encryption (H, TE1, TE2, H) and decryption (H, TD1, TD2, H) side by side, each mapping between (PL, PR) and (CL, CR)]
What should we do if m<n?
Same basic strategy: tweak ECB, then add Mix layers
Need to care about more "bad events"
Mix can not be a one-round Feistel
ENR for m<n
Mix 1 is a keyed permutation G
Mix 2 is a mirrored version of G (same key)
cut: truncate an n-bit value to m bits, e.g., the leftmost m bits
[Figure: ENR for m<n, (PL, PR) -> G -> TE1, TE2 with m-bit tweaks cut from the n-bit state -> mirrored G -> (CL, CR)]
Security Proof
Condition of G:
Security of ENR for m<n:
Concrete Example
G is now a two-round irregular Feistel
H is an AXU hash using field multiplication
Security bound:
[Figure: concrete ENR for m<n, with G built from H1 and H2 acting on m-bit and (n-m)-bit parts, m-bit tweaks cut from the state, TE1 and TE2]
O(2^{(n+m)/2})-security is obtained
Summary so far
ENR
- Security: O(2^{(n+m)/2})-security for any m < n+1
- Efficiency: 2 calls of TC + some UHs
- optimal within this setting
Challenging Next Step
Our proof naturally requires a tweakable cipher w/ beyond-birthday-bound security. How to realize it?
1. From scratch (Mercy, HPC, Threefish (in the Skein hash function), etc.): increasing attention, but still less popular
2. Mode of operation, i.e. from n-bit block ciphers
However…
Known modes have only up-to-birthday-bound security
- LRW and (generalized) XEX [LRW02][Rog04][Min06]
- no matter how short the tweak is; 1 bit is enough to break using 2^{n/2} queries
[Figure: LRW mode, n-bit block cipher E with m-bit tweak T applied through hash H]
A Naive Solution
Tweak-dependent rekeying (TDR)
Simple, but never seriously investigated (to our knowledge)
[Figure: TDR, K = F_MK(T) where F_MK is a PRF w/ m-bit input and |K|-bit output; C = E_K(M) with n-bit M]
Security proof
Analysis
Basically, it is difficult to determine how large m is admissible (as the Adv_E term would be non-negligible)
For the case of |K| = n:
- When m is sufficiently smaller than n/2, seems fairly secure (well beyond the birthday bound)
- When m = n/2, a simple birthday attack is possible: search for a ciphertext collision due to the key collision
[Figure: TDR encryptions of fixed plaintexts (0^n, 1^n) under tweaks T1 ≠ T2 with keys F_MK(T1), F_MK(T2); a key collision (prob. 1/2^n) shows up as a ciphertext collision]
TDR for E (w/ n-bit key)
Limit m < n/2 (say, m = n/3)
We can use E_MK as F_MK; the security bound is;
Of course, still problematic: short tweak, frequent rekeying
[Figure: TDR with E_MK as the key-derivation PRF, the m-bit tweak T padded to n bits; bound via PRF-PRP switching]
Combining ENR and TDR
Combining ENR and TDR is possible, but it is difficult to determine how large m is admissible (because of TDR's security proof)
Bottom line: need to develop a better one.
Note: based on a strong assumption on E, we can expect (ENR+TDR) to have O(2^{2n/3})-security by the choice m = n/3
Summary
We built a 2n-bit cipher from (n,m)-bit tweakable ciphers
ENR achieves O(2^{(n+m)/2})-security for any m <= n, needs 2 TC calls & some UHs
TDR: a way to convert an n-bit cipher into an (n,m)-bit TC
- Only a proof of concept: subject to heavy limitations (both theoretical and practical)
Future Directions
Better TC from n-bit cipher w/o rekeying
Extensions of ENR:
- Large-block cipher (cn-bit for c>2)
- Make ENR tweakable: a basic solution is to use some modes w/ ENR; search for a more efficient way
Thank you!
Memo: Security of TDR & (ENR + TDR)
Assume
(maybe this means "the most efficient attack is the exhaustive key search" (by assuming ~ q))
Then TDR's bound implies
Thus it is expected to have O(2^{n-m})-security.
Combining this with the ENR's bound, we obtain
Ignoring the constant, this is maximized by the choice m = n/3. In this case the bound of (ENR+TDR) is O(q^2/2^{4n/3}), thus it has (based on the above assumption) O(2^{2n/3})-security.
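As an added worked step (not on the original slide), the choice m = n/3 comes from balancing the two security exponents, ENR's (n+m)/2 against TDR's assumed n-m, since the combination is only as strong as the weaker part:
\[
\max_{0 < m \le n}\ \min\!\left(\frac{n+m}{2},\; n-m\right):\qquad
\frac{n+m}{2} = n-m \iff m = \frac{n}{3},
\qquad
\frac{n + n/3}{2} = n - \frac{n}{3} = \frac{2n}{3},
\]
and with m = n/3 the ENR term q^2/2^{n+m} becomes q^2/2^{4n/3}, which is negligible only while q ≪ 2^{2n/3}.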