
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model, Byeonghak Lee and Jooyoung Lee (KAIST), PowerPoint PPT Presentation



  1. Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model. *Byeonghak Lee, Jooyoung Lee (KAIST)

  2. Outline
     • Tweakable block ciphers
     • Our contribution
     • Proof overview
     • Conclusion

  3. Tweakable Block Ciphers (TBCs)
     [Figure: a block cipher $E$ under key $K$ mapping input $X$ to output $Y$]

  4. Tweakable Block Ciphers (TBCs)
     [Figure: a tweakable block cipher $\tilde{E}$ under key $K$ and tweak $T$ mapping $X$ to $Y$]
     - A tweakable block cipher $\tilde{E}$ accepts an additional input, the "tweak"
     - Tweaks are public (like IVs in modes of operation)
     - Changing the tweak should be cheap (compared to changing the key)
     - Each tweak should give an independent permutation
     - TBCs can be used to construct various cryptographic schemes

  5. Construction of TBCs
     - Dedicated constructions: Hasty Pudding, Mercy, Threefish, the TWEAKEY framework, etc.
     - Permutation-based constructions: TEM, XPX, etc.
     - Block cipher-based constructions: LRW, XEX, XHX, etc.

  6. Block cipher-based Construction
     - Using fixed keys (independent of the tweak)
       - Security is proved in the standard model
       - The underlying block cipher is replaced by an ideal random permutation (up to the security of the TBC)
     - Using tweak-dependent keys
       - Suitable when the underlying block cipher $E$ uses a lightweight key schedule
       - Security is proved in the ideal cipher model
       - The adversary is allowed oracle access to $E$

  7-8. $\tilde{F}[1]$, $\tilde{F}[2]$ (Mennink, FSE 2015)
     [Figure: the $\tilde{F}[1]$ and $\tilde{F}[2]$ constructions]
     - With an $n$-bit block cipher using $n$-bit keys:
       - $\tilde{F}[1]$ is secure up to $2^{2n/3}$ queries: BBB-secure with one BC call
       - $\tilde{F}[2]$ is secure up to $2^{n}$ queries: fully secure with two BC calls
     - Both use tweak-dependent keys

  9-10. $\tilde{E}1, \ldots, \tilde{E}32$ (Wang et al., AC 2016)
     [Figure: one of the constructions; the key-derivation call can be precomputed and viewed as a subkey]
     - With an $n$-bit block cipher using $n$-bit keys, only XOR operations are used
     - Secure up to $2^{n}$ queries: fully secure with two BC calls
     - One call can be saved by precomputation

  11. XHX (Jha et al., Latincrypt 2017)
     [Figure: XHX built from an $n$-bit block cipher $E$ with $m$-bit keys, using the $n$-bit mask $g(t)$ and the $m$-bit key $h(t)$, input $x$, output $y$]
     - XHX uses two types of hash functions
       - $g$: $\delta$-almost xor-universal and uniform hash function
       - $h$: $\delta'$-almost universal and uniform hash function
       - Accepts arbitrary-length tweaks
     - $g$ and $h$ are keyed hash functions generated from the master key, but we omit the key and view them as the secret key of the construction
     - With an $n$-bit block cipher using $m$-bit keys, XHX is secure up to $2^{(n+m)/2}$ queries

  12. Outline
     • Tweakable block ciphers
     • Our contribution
     • Proof overview
     • Conclusion

  13-14. Motivation
     - The input size of an $n$-bit block cipher using an $m$-bit key is $n + m$ bits
     - In the ideal cipher model, its information-theoretic security cannot go beyond $n + m$ bits (due to exhaustive key search)
     - With respect to this size, the birthday bound should be $2^{(n+m)/2}$
       - If $m = n$, it becomes $2^{n}$, so the previous results are birthday-bound in this view
     - Can we go beyond the birthday bound?

  15-18. XHX2
     [Figure: cascade $x \to E_1 \to E_2 \to y$ with masks $g_1(t)$, $g_2(t)$ and tweak-dependent keys $h_1(t)$, $h_2(t)$]
     - Cascade of two independent copies of XHX
       - $E_1$ and $E_2$ are $n$-bit block ciphers using $m$-bit keys
       - $g_1$ and $g_2$ are $\delta$-almost uniform and xor-universal functions
       - $h_1$ and $h_2$ are $\delta'$-almost uniform and universal functions
       - Accepts arbitrary-length tweaks
     - Instantiation (figure callouts): $\otimes$ (finite-field multiplication) can be used; if $|t| = m$, $\oplus$ can be used, otherwise $\otimes$ can be used
     - Secure up to $2^{\min\{2(n+m)/3,\; n + m/2\}}$ queries
       - If $m \le 2n$, then $\min\{2(n+m)/3,\; n + m/2\} = 2(n+m)/3$

  19. Security of XHX2
     When $g_1$ and $g_2$ are $n$-bit $\delta$-almost uniform and xor-universal hash functions, and $h_1$ and $h_2$ are $m$-bit $\delta'$-almost uniform and universal hash functions, one has [security bound not recovered from the extracted slide], where $\delta \approx 1/2^{n}$, $\delta' \approx 1/2^{m}$, and $p$ and $q$ are the numbers of queries to the underlying block ciphers and to the construction, respectively

  20. Comparison (Security = log2 of the number of queries; Efficiency = block cipher calls E, and multiplications/hash calls ⊗/H)

     Construction        Key size   Security                  E   ⊗/H   Ref.
     LRW                 2n         n/2                       1   1     [LRW02]
     LRW[2]              4n         2n/3 (or 3n/4)            2   2     [LST12, Men18]
     LRW[s]              2sn        sn/(s+2)                  s   s     [LS13]
     F̃[1]                n          2n/3                      1   1     [Men15]
     F̃[2]                n          n                         2   0     [Men15]
     Ẽ1, ..., Ẽ32        n          n                         2   0     [Lei+16]
     XHX                 n + m      (n+m)/2                   1   1     [Jha+17]
     XHX2                2n + 2m    min(2(n+m)/3, n + m/2)    2   2     Our work

  21. Security of the 2-round XTX
     [Figure: XTX with mask $g(t)$ and derived tweak $h(t)$ around a tweakable block cipher $\tilde{E}_K$ mapping $x$ to $y$; below it, the cascade of two XTX instances with $g_1(t), h_1(t), \tilde{E}_{K_1}$ and $g_2(t), h_2(t), \tilde{E}_{K_2}$]
     - XTX is a tweak-length extension scheme (Minematsu and Iwata, IMACC 2015)
     - Without allowing block cipher queries ($p = 0$), we can prove beyond-birthday-bound security for the cascade of two independent XTX constructions

  22. Outline
     • Tweakable block ciphers
     • Our contribution
     • Proof overview
     • Conclusion

  23-24. Distinguishing game
     [Figure: "Real? or Ideal?" The real world gives oracle access to XHX2 (built from $E_1$, $E_2$, $g_1$, $g_2$, $h_1$, $h_2$) and to $E_1/E_2$; the ideal world gives access to a random tweakable permutation $\tilde{P}$ and to $E_1/E_2$]
     - The adversary tries to distinguish the two worlds by making oracle queries
     - All the information obtained during the attack is represented by a transcript
       $\tau = (\mathcal{Q}_C, \mathcal{Q}_E^{j}, g_1, g_2, h_1, h_2)$, where
       $\mathcal{Q}_C = ((t_1, x_1, y_1), \ldots, (t_q, x_q, y_q))$ collects the construction queries and
       $\mathcal{Q}_E^{j} = ((j, k_1, u_1, v_1), \ldots, (j, k_p, u_p, v_p))$ collects the queries to block cipher $E_j$
     - The hash functions $g_1, g_2, h_1, h_2$ are assumed to be revealed to the adversary after the attack is finished

  25. Upper Bounding the Distinguishing Advantage
     - $\mathsf{T}_{id}$: probability distribution of $\tau$ in the ideal world
     - $\mathsf{T}_{re}$: probability distribution of $\tau$ in the real world
     - $\mathbf{Adv}_{\tilde{E}}(\mathcal{D}) \le \|\mathsf{T}_{id} - \mathsf{T}_{re}\|$
     [Figure: probability of each transcript appearing in the real world and in the ideal world]

  26. Proof technique
     - We can use the following lemma to upper bound the statistical distance
     - Patarin's H-coefficient lemma (informal):
       1) Define a set of bad transcripts $\Theta_{bad}$ such that $\Pr[\mathsf{T}_{id} \in \Theta_{bad}] \le \epsilon_1$
       2) For every $\tau \notin \Theta_{bad}$, $\dfrac{\Pr[\mathsf{T}_{re} = \tau]}{\Pr[\mathsf{T}_{id} = \tau]} \ge 1 - \epsilon_2$
       Then $\|\mathsf{T}_{id} - \mathsf{T}_{re}\| \le \epsilon_1 + \epsilon_2$

  27. Security Proof of XHX2 (Sketch)
     1) Give free queries to the adversary
     2) Define bad transcripts
     3) Lower bound the ratio of the probabilities of obtaining a good transcript in the real world and in the ideal world
        - $\Pr[\mathsf{T}_{id} = \tau]$ is easy to compute, while $\Pr[\mathsf{T}_{re} = \tau]$ is challenging
     4) Apply the H-coefficient lemma

  28. Representation of Construction Queries
     [Figure: XHX2 with masks $g_1(t)$, $g_2(t)$, keys $h_1(t)$, $h_2(t)$, input $x$, output $y$, block ciphers $E_1$, $E_2$]
     - Reduced query: combine keys and construction queries
       $(t, x, y) \mapsto \big(h_1(t),\; h_2(t),\; x \oplus g_1(t),\; y \oplus g_2(t),\; g_1(t) \oplus g_2(t)\big) = (k, l, u, v, \Delta)$
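A toy model of XHX2 over an ideal cipher (each key lazily sampled as an independent random permutation), as an added example that is not the authors' code, together with the reduced-query map $(t, x, y) \mapsto (k, l, u, v, \Delta)$ from this slide. Assumptions: toy sizes $n = m = 8$; $g_i(t) = K_i \otimes t$ in GF($2^8$) and $h_i(t) = L_i \oplus t$, as the XHX2 slide callouts allow when $|t| = m$; and XEX-style whitening (the same $g_i(t)$ before and after each block cipher call), which is what makes the middle mask equal $\Delta = g_1(t) \oplus g_2(t)$.

```python
import random
N, M = 8, 8            # toy block size n and key size m in bits (assumption, not the paper's)
POLY = 0x11B           # x^8+x^4+x^3+x+1: AES field used for the GF(2^n) multiply (assumption)
def gf_mul(a, b):
    """Multiply a, b in GF(2^8); g_i(t) = K_i (x) t is xor-universal and uniform for t != 0."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r
class IdealCipher:
    """Ideal cipher model: every key selects an independent, uniformly random permutation."""
    def __init__(self, rng):
        self.rng, self.perms = rng, {}
    def perm(self, k):
        if k not in self.perms:              # lazily sample the permutation for key k
            fwd = self.rng.sample(range(1 << N), 1 << N)
            self.perms[k] = (fwd, {v: u for u, v in enumerate(fwd)})
        return self.perms[k]
    def enc(self, k, u): return self.perm(k)[0][u]
    def dec(self, k, v): return self.perm(k)[1][v]
class XHX2:
    """Cascade of two XHX: y = E2_{h2(t)}( E1_{h1(t)}(x ^ g1(t)) ^ g1(t) ^ g2(t) ) ^ g2(t)."""
    def __init__(self, E1, E2, K1, L1, K2, L2):
        self.E, self.K, self.L = (E1, E2), (K1, K2), (L1, L2)
    def g(self, i, t): return gf_mul(self.K[i], t)   # n-bit mask, finite-field multiply
    def h(self, i, t): return self.L[i] ^ t          # m-bit key: |t| = m, so xor suffices
    def encrypt(self, t, x):
        s = self.E[0].enc(self.h(0, t), x ^ self.g(0, t)) ^ self.g(0, t)     # first XHX
        return self.E[1].enc(self.h(1, t), s ^ self.g(1, t)) ^ self.g(1, t)  # second XHX
    def decrypt(self, t, y):
        s = self.E[1].dec(self.h(1, t), y ^ self.g(1, t)) ^ self.g(1, t)
        return self.E[0].dec(self.h(0, t), s ^ self.g(0, t)) ^ self.g(0, t)
    def reduced_query(self, t, x, y):
        """Reduced query (k, l, u, v, Delta): u enters E1, v leaves E2, Delta masks the middle."""
        g1, g2 = self.g(0, t), self.g(1, t)
        return (self.h(0, t), self.h(1, t), x ^ g1, y ^ g2, g1 ^ g2)
def toy_instance(seed=1):
    """Constructed instance: seeded rng so the ideal-cipher sampling is reproducible."""
    rng = random.Random(seed)
    K1, K2 = rng.randrange(1, 1 << N), rng.randrange(1, 1 << N)   # nonzero multipliers
    L1, L2 = rng.randrange(1 << M), rng.randrange(1 << M)
    return XHX2(IdealCipher(rng), IdealCipher(rng), K1, L1, K2, L2)
```

In the reduced view the input to $E_2$ is exactly $E_1(u) \oplus \Delta$, which is the relation the transcript analysis of the proof works with.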
