Tweakable BC | Tweakable EM | Birthday Security | BBB Security | Conclusion

TBCs: Dedicated Designs (slide 8/36)

Our Goal
Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher).
• “from scratch” → from some lower-level primitive
• from a PRF: Feistel schemes [GHL+07, MI08]
• this talk: SPN ciphers (more generally, key-alternating ciphers)

Yannick Seurin, Constructing TBCs in the RPM, ASK 2015, 8 / 36
Key-Alternating Ciphers (slide 9/36)

[Figure: x ⊕ k_0 → P_1 → ⊕ k_1 → P_2 → ... → P_r → ⊕ k_r → y; the round keys k_0, ..., k_r are derived from the master key k by f_0, ..., f_r; all wires are n bits wide]

An r-round key-alternating cipher:
• the P_i’s are public permutations on {0,1}^n
• the f_i’s map k to n-bit “round keys”
• examples: most SPNs (AES, SERPENT, PRESENT, LED, ...)
• a.k.a. (iterated) Even-Mansour construction
Tweakable Even-Mansour Constructions (slide 10/36)

[Figure: same r-round structure, but the round keys are now computed by f_0, ..., f_r from the pair (k, t) instead of from k alone]

• let the round keys depend on the key and the tweak t
• ⇒ “tweakable” Even-Mansour (TEM) construction(s)
• f_i’s = “tweak and key schedule” (TKS)
• high-level abstraction of the TWEAKEY constructions [JNP14]
• analysis in the Random Permutation Model
The Random Permutation Model (RPM) (slide 11/36)

[Figure: the adversary makes q_c queries to the TEM construction (TKS f_0, ..., f_r over (k, t), permutations P_1, ..., P_r) and q_p queries to each public oracle P_1, ..., P_r]

• the P_i’s are modeled as public random permutation oracles (adversary can only make black-box queries)
• adversary cannot exploit any weakness of the P_i’s ⇒ generic attacks
• complexity measure of the adversary:
  • q_c = # construction queries = pt/ct pairs (data D)
  • q_p = # queries to each internal permutation oracle (time T)
  • but otherwise computationally unbounded
• ⇒ information-theoretic proof of security
Formalization of the Security Experiment (slide 12/36)

[Figure: real world: the distinguisher D makes q_c queries to the TEM construction (TKS f_0, ..., f_r over (k, t), permutations P_1, ..., P_r) and q_p queries to each of P_1, ..., P_r, then outputs 0/1; ideal world: D makes q_c queries to a random tweakable permutation $\tilde{P}_0$ and q_p queries to each of P_1, ..., P_r, then outputs 0/1]

• real world: TEM construction with random master key k
• ideal world: random tweakable permutation $\tilde{P}_0$ independent from P_1, ..., P_r
• RPM: D has oracle access to P_1, ..., P_r in both worlds
Outline (slide 13/36)

Background: Tweakable Block Ciphers
Tweakable Even-Mansour Constructions
Birthday-Bound Secure Constructions
Beyond-Birthday-Bound Secure Constructions
Conclusion and Perspectives
First Try: One Round, Linear TKS (slide 14/36)

[Figure: one-round TEM with round key k ⊕ t before and after P_1, i.e. y = P_1(x ⊕ k ⊕ t) ⊕ k ⊕ t. Two construction queries: (t_1, x_1) gives P_1 input u = x_1 ⊕ k ⊕ t_1, P_1 output v and y_1 = v ⊕ k ⊕ t_1; (t_2, x_2) with x_1 ⊕ x_2 = t_1 ⊕ t_2 reaches the same u, so y_2 = v ⊕ k ⊕ t_2]

Check that y_1 ⊕ y_2 = t_1 ⊕ t_2   (∗)

• 2 queries to the encryption oracle, 0 queries to P_1
• (∗) holds with proba. 1 for the TEM construction
• (∗) holds with proba. $2^{-n}$ for a random tweakable permutation
• works for any linear TKS
Second Try: Two Rounds, Linear TKS (slide 15/36)

[Figure: two-round TEM with round key k ⊕ t before P_1, between P_1 and P_2, and after P_2. Four queries: encryption queries (t_1, x_1) → y_1 and (t_2, x_2) → y_2, decryption queries (t_3, y_3) → x_3 and (t_4, y_4) → x_4, with intermediate values u_1, v_1, u_2, v_2, u'_1, v'_1, u'_2, v'_2 at P_1 and P_2, and tweaks satisfying t_1 ⊕ t_2 ⊕ t_3 ⊕ t_4 = 0]

Check that x_3 ⊕ x_4 = t_3 ⊕ t_4   (∗)

• 4 queries to the enc/dec oracle, 0 queries to P_1, P_2
• (∗) holds with proba. 1 for the TEM construction
• (∗) holds with proba. $2^{-n}$ for a random tweakable permutation
• works for any linear TKS
Security for Three Rounds (slide 16/36)

[Figure: three-round TEM, round key k ⊕ t before P_1, between P_1 and P_2, between P_2 and P_3, and after P_3]

Theorem ([CS15, FP15])
The 3-round TEM with linear TKS is a strong tweakable PRP:
$$\mathrm{Adv}(q_c, q_p) \le \frac{6\, q_c q_p}{2^n} + \frac{4\, q_c^2}{2^n}.$$

Proof sketch:
• adversary can create collisions at input of P_1 or output of P_3
• but proba. to create a collision at P_2 is $\lesssim q_c^2 / 2^n$
• no collision at P_2 ⇒ ∼ single-key security of 1-round EM, $\lesssim q_c q_p / 2^n$
Tightness of the Bound (slide 17/36)

[Figure: three-round TEM with round key k ⊕ t at every position]

• can be written $\tilde{E}(k, t, x) = E(k \oplus t, x)$ where E is the conventional 3-round EM cipher with trivial key-schedule
• ⇒ secure up to $2^{n/2}$ queries at best by a simple collision attack:
  1. query $c_i = \tilde{E}_{k^*}(t_i, 0) = E(k^* \oplus t_i, 0)$ for $2^{n/2}$ tweaks $t_i$
  2. compute $c'_j = E(k_j, 0)$ for $2^{n/2}$ keys $k_j$
  3. look for a collision $c_i = c'_j$
  4. w.h.p., the real key is $k^* = t_i \oplus k_j$
• ⇒ increasing the number of rounds does not improve security

Question
Construction with fewer permutations?
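The collision attack of this slide, worked out on a toy 16-bit instance as an added example (not code from the talk or from the cited papers), to make the design lesson concrete: with a linear TKS the tweak simply shifts the key, so the bound of $2^{n/2}$ is reached by a generic birthday-style key search and further rounds do not help. The block size, the seed of the three random permutations, and the structured choice of tweaks (low half) and keys (high half) in place of the slide's random choice are assumptions of this demo; the structured choice only makes the run deterministic.

```python
import random

N = 16                       # toy block size in bits (constructed; n = 128 in practice)
HALF = 1 << (N // 2)         # 2^(n/2): number of tweaks and number of keys the attack uses

# Three public random permutations P_1, P_2, P_3 (the RPM), sampled once with a fixed seed.
_rng = random.Random(2015)
PERMS = []
for _ in range(3):
    p = list(range(1 << N))
    _rng.shuffle(p)
    PERMS.append(p)


def em3(key, x):
    """Conventional 3-round Even-Mansour cipher E with trivial key schedule:
    the same n-bit key is XORed before P_1, between the rounds and after P_3."""
    y = x ^ key
    for p in PERMS:
        y = p[y] ^ key
    return y


def tem3_linear(k, t, x):
    """3-round TEM with linear TKS k ⊕ t (slide 16). Every round key equals
    k ⊕ t, so the construction is E keyed with k ⊕ t: Ẽ(k, t, x) = E(k ⊕ t, x)."""
    return em3(k ^ t, x)


def collision_key_recovery(k_star):
    """Slide 17's collision attack against a hidden key k_star.
    Returns (recovered key, number of construction queries spent).

    Assumption of this demo: tweaks t_i range over the low n/2 bits and keys k_j
    over the high n/2 bits, so exactly one pair satisfies t_i ⊕ k_j = k_star
    (the slide picks both at random and succeeds w.h.p. instead)."""
    queries = 0

    def construction(t, x):                     # black-box access to Ẽ_{k_star}
        nonlocal queries
        queries += 1
        return tem3_linear(k_star, t, x)

    # 1. online phase: c_i = Ẽ_{k*}(t_i, 0) for 2^(n/2) tweaks t_i
    online = {}
    for t in range(HALF):
        online.setdefault(construction(t, 0), []).append(t)
    # two extra construction queries used to reject chance collisions
    check1, check2 = construction(1, 1), construction(2, 3)

    # 2. offline phase: c'_j = E(k_j, 0) for 2^(n/2) keys k_j (no key knowledge needed)
    # 3./4. a collision c_i = c'_j suggests k* = t_i ⊕ k_j; verify on the two extra points
    for j in range(HALF):
        k_j = j << (N // 2)
        c_prime = em3(k_j, 0)
        for t in online.get(c_prime, ()):
            candidate = t ^ k_j
            if (tem3_linear(candidate, 1, 1) == check1
                    and tem3_linear(candidate, 2, 3) == check2):
                return candidate, queries
    return None, queries


if __name__ == "__main__":
    recovered, used = collision_key_recovery(0xBEEF)
    print(f"recovered key {recovered:#06x} with {used} construction queries "
          f"and {HALF} offline evaluations of E (2^(n/2) = {HALF})")
```

The online phase costs $2^{n/2} + 2$ construction queries and the offline phase $2^{n/2}$ evaluations of E, i.e. $3 \cdot 2^{n/2}$ queries to the public permutations; at n = 128 this is the $2^{64}$ data and time that the theorem's $q_c q_p / 2^n$ term already predicts.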
Back to LRW (slide 18/36)

• instantiate E with the 1-round Even-Mansour construction

[Figure: LRW, x ⊕ (k ⊗ t) → E_{k'} → ⊕ (k ⊗ t) → y, with E_{k'}(u) = P(u ⊕ k') ⊕ k'; merging the key additions gives round keys (k ⊗ t) ⊕ k' on both sides of P; dropping k' leaves x ⊕ (k ⊗ t) → P → ⊕ (k ⊗ t) → y]

Non-Linear Tweakable Even-Mansour (NL-TEM) construction

• provably secure in the RPM up to ∼ $2^{n/2}$ queries [FP15, CLS15]:
$$\mathrm{Adv}(q_c, q_p) \le \frac{q_c^2}{2^n} + \frac{2\, q_c q_p}{2^n}.$$
• t ≠ 0 ⇒ k' is superfluous (k ⊗ t uniformly random for any t ≠ 0)
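An added example (not code from the talk or from the cited papers) that puts slide 14 and this slide side by side: a toy Random Permutation Model oracle, the one-round TEM with linear TKS k ⊕ t, the NL-TEM construction with the nonlinear TKS k ⊗ t, and the two-query relation test (∗) of slide 14 run against both, so the effect of replacing the linear TKS by a field multiplication can be checked directly. The block size n = 8, the use of the AES field polynomial for GF(2^8), the lazily sampled permutation, and all function names are assumptions of this example.

```python
import random

N = 8                       # toy block size in bits (constructed; real designs use n = 64 or 128)
MASK = (1 << N) - 1
POLY = 0x11B                # x^8 + x^4 + x^3 + x + 1: the AES polynomial, an irreducible poly of degree N (assumption)


class RandomPermutationOracle:
    """Lazily sampled random permutation on {0,1}^n, i.e. one public P_i of the RPM.
    `evaluations` counts every forward/backward evaluation, including those the
    construction itself makes; a distinguisher's own q_p is the subset it asks directly."""

    def __init__(self, rng):
        self.rng, self.fwd, self.inv, self.evaluations = rng, {}, {}, 0

    def P(self, u):
        self.evaluations += 1
        if u not in self.fwd:
            v = self.rng.randrange(1 << N)
            while v in self.inv:                # keep it a bijection
                v = self.rng.randrange(1 << N)
            self.fwd[u], self.inv[v] = v, u
        return self.fwd[u]

    def P_inv(self, v):
        self.evaluations += 1
        if v not in self.inv:
            u = self.rng.randrange(1 << N)
            while u in self.fwd:
                u = self.rng.randrange(1 << N)
            self.fwd[u], self.inv[v] = v, u
        return self.inv[v]


def gf_mul(a, b):
    """k ⊗ t: multiplication in GF(2^n), the nonlinear TKS of NL-TEM (shift-and-add)."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                              # reduce modulo the field polynomial
            a ^= POLY
    return r & MASK


def tem1_linear(oracle, k, t, x):
    """One-round TEM with linear TKS (slide 14): y = P(x ⊕ k ⊕ t) ⊕ k ⊕ t."""
    rk = k ^ t
    return oracle.P(x ^ rk) ^ rk


def nl_tem(oracle, k, t, x):
    """NL-TEM (slide 18): y = P(x ⊕ (k ⊗ t)) ⊕ (k ⊗ t), used with t ≠ 0."""
    rk = gf_mul(k, t)
    return oracle.P(x ^ rk) ^ rk


def nl_tem_dec(oracle, k, t, y):
    """Inverse of nl_tem, through the backward oracle P^{-1}."""
    rk = gf_mul(k, t)
    return oracle.P_inv(y ^ rk) ^ rk


def relation_holds(construction, oracle, k, t1, t2, x1):
    """The slide-14 test: choose x2 with x1 ⊕ x2 = t1 ⊕ t2 and check
    (∗) y1 ⊕ y2 = t1 ⊕ t2. Two construction queries, no direct P queries."""
    x2 = x1 ^ t1 ^ t2
    y1 = construction(oracle, k, t1, x1)
    y2 = construction(oracle, k, t2, x2)
    return (y1 ^ y2) == (t1 ^ t2)


def count_relation(construction, trials, seed=1):
    """How many of `trials` runs (fresh key, fresh permutation, distinct nonzero tweaks)
    satisfy (∗). Linear TKS: all of them. NL-TEM: only a small fraction, as for a
    random tweakable permutation."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        oracle = RandomPermutationOracle(rng)
        k = rng.randrange(1, 1 << N)
        t1 = rng.randrange(1, 1 << N)
        t2 = rng.randrange(1, 1 << N)
        while t2 == t1:
            t2 = rng.randrange(1, 1 << N)
        hits += relation_holds(construction, oracle, k, t1, t2, rng.randrange(1 << N))
    return hits


if __name__ == "__main__":
    print("linear TKS, (*) holds in", count_relation(tem1_linear, 40), "of 40 trials")
    print("NL-TEM,     (*) holds in", count_relation(nl_tem, 40), "of 40 trials")
```

With the linear TKS the two P inputs coincide whenever x_1 ⊕ x_2 = t_1 ⊕ t_2, so (∗) is an identity; with k ⊗ t the inputs coincide only if k ⊗ (t_1 ⊕ t_2) = t_1 ⊕ t_2, which (for t_1 ≠ t_2) forces k = 1, so the test degenerates to guessing, exactly the $2^{-n}$ behaviour expected of a random tweakable permutation. The example does not show the birthday-bound term $q_c^2/2^n$ of this slide; that needs collisions among many queries, not two.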
Birthday-Bound Security: Wrap-up (slide 19/36)

Two constructions provably secure up to the birthday bound:
1. linear TKS
   [Figure: three rounds, round key k ⊕ t before P_1, between P_1, P_2, P_3, and after P_3]
2. nonlinear TKS
   [Figure: one round, round key k ⊗ t before and after P]

Question
Constructions secure beyond the birthday bound?
Outline (slide 20/36)

Background: Tweakable Block Ciphers
Tweakable Even-Mansour Constructions
Birthday-Bound Secure Constructions
Beyond-Birthday-Bound Secure Constructions
Conclusion and Perspectives
Cascading the LRW Construction (slide 21/36)

[Figure: r LRW rounds in cascade: x → ⊕ (k'_1 ⊗ t) → E_{k_1} → ⊕ (k'_2 ⊗ t) → E_{k_2} → ... → ⊕ (k'_r ⊗ t) → E_{k_r} → y]

• k_1, ..., k_r and k'_1, ..., k'_r independent keys ⇒ total key-length = r(κ + n)
• 2 rounds: provably secure up to ∼ $2^{2n/3}$ queries [LST12]
• r rounds, r even: provably secure up to ∼ $2^{rn/(r+2)}$ queries [LS13]
• NB: only assuming E is a PRP (standard security notion, no ideal model)
Cascading the NL-TEM Construction (slide 22/36)

• k_1, k_2 independent n-bit keys

[Figure: two-round NL-TEM, x → ⊕ (k_1 ⊗ t) → P_1 → ... → P_2 → ⊕ (k_2 ⊗ t) → y]

Theorem ([CLS15])
The 2-round NL-TEM construction is secure up to ∼ $2^{2n/3}$ queries in the RPM:
$$\mathrm{Adv}(q_c, q_p) \le \frac{34\, q_c^{3/2}}{2^n} + \frac{30\, \sqrt{q_c}\, q_p}{2^n}.$$
Proof Technique: H-coefficients (slide 23/36)

[Figure: real world: D makes q_c queries to the r-round NL-TEM construction (round keys k_1 ⊗ t, k_2 ⊗ t, ..., k_r ⊗ t around P_1, ..., P_r) and q_p queries to each of P_1, ..., P_r; ideal world: D makes q_c queries to a random tweakable permutation $\tilde{P}_0$ and q_p queries to each of P_1, ..., P_r]

1. consider the transcript of all queries of D to the construction and to the inner permutations
2. define bad transcripts and show that their probability is small (in the ideal world)
3. show that good transcripts are almost as probable in the real and the ideal world
Bad Transcripts

[Figure: 2-round NL-TEM with the inner wires labelled $u_1 \to P_1 \to v_1$ and $u_2 \to P_2 \to v_2$]

• one needs to avoid "two-fold" collisions:
  – a construction query $(t, x)$ whose $P_1$ input $x \oplus k_1 \otimes t$ equals a direct query $u_1$ to $P_1$ and whose $P_2$ input $v_1 \oplus k_1 \otimes t \oplus k_2 \otimes t$ equals a direct query $u_2$ to $P_2$: proba $\le \dfrac{q_c\, q_p^2}{2^{2n}}$
  – two construction queries $(t, x)$ and $(t', x')$, $t \neq t'$, that collide on two of the inner wires (e.g. on the inputs of both $P_1$ and $P_2$): proba $\le \dfrac{q_c^2}{2^{2n}}$

Both bounds are union bounds over the choice of queries: once the queries are fixed, each single-wire collision is one equation of the form $k_i \otimes t = c$ or $k_i \otimes (t \oplus t') = c$, which holds with probability $2^{-n}$ over a uniform $k_i$ because $t \neq 0$ and $t \oplus t' \neq 0$ make $k \mapsto k \otimes t$ a bijection; the two equations of a two-fold collision involve the independent keys $k_1$ and $k_2$, hence the $2^{-2n}$.
The Ten "Bad Collision" Cases

[Figure: the ten two-fold collision patterns for 2-round NL-TEM, combining construction queries $(t, x)$, $(t', x')$, $(t'', y'')$ with direct permutation queries $(u_1, v_1)$, $(u_2, v_2)$, $(u'_1, v'_1)$, $(u'_2, v'_2)$ at the inputs and outputs of $P_1$ and $P_2$]
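The two previous slides, as an added worked example (this is not code from the slides or from the [CLS15] authors): a toy NL-TEM cascade over $\mathrm{GF}(2^8)$, its inverse, and the first two-fold collision event of the bad-transcript slide, whose exact probability over all $2^{2n}$ key pairs is computed for a constructed transcript and compared with the $q_c\, q_p^2 / 2^{2n}$ union bound. The encryption routine is written for $r$ rounds, so it also covers the longer cascades. Assumptions: $n = 8$ with the AES reduction polynomial, seeded shuffles standing in for the public random permutations $P_i$, secret keys and a query transcript chosen here for illustration, and the round structure "mask, $P_i$, same mask" read off the figures.

```python
"""Toy NL-TEM over GF(2^8) plus the "two-fold collision" bad event.
Added example, not the slides' or the CLS15 authors' code. Assumptions:
n = 8 with the AES field polynomial, seeded shuffles as the public random
permutations P_i, and a constructed transcript (keys and queries below)."""
import itertools
import random

N = 8                 # toy block size; the slides treat general n
SIZE = 1 << N
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1 (AES reduction polynomial)


def gf_mul(a, b):
    """Multiplication in GF(2^8): the nonlinear mask k (x) t of NL-TEM.
    For t != 0, k -> k (x) t is a bijection, so the mask is uniform for a
    uniform key; the 2^-n collision probabilities rely on exactly this."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & SIZE:
            a ^= POLY
        b >>= 1
    return r


def mask(k, t):
    # Tweak 0 is rejected: k (x) 0 = 0 would make the round key-independent.
    if t == 0:
        raise ValueError("tweak 0 gives a zero mask")
    return gf_mul(k, t)


def random_permutation(seed):
    """Stand-in for a public random permutation of {0,1}^n (constructed)."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table


def invert(perm):
    inv = [0] * SIZE
    for u, v in enumerate(perm):
        inv[v] = u
    return inv


def nltem_encrypt(perms, keys, t, x):
    """r-round NL-TEM, r = len(perms) = len(keys): round i maps x to
    P_i(x ^ k_i(x)t) ^ k_i(x)t (mask, public permutation, same mask)."""
    for P, k in zip(perms, keys):
        m = mask(k, t)
        x = P[x ^ m] ^ m
    return x


def nltem_decrypt(inv_perms, keys, t, y):
    """Inverse: undo the rounds in reverse order with the inverse tables."""
    for P_inv, k in zip(reversed(inv_perms), reversed(keys)):
        m = mask(k, t)
        y = P_inv[y ^ m] ^ m
    return y


def two_fold_collision(P1, keys, constr_queries, p1_inputs, p2_inputs):
    """First bad case, 2 rounds: a construction query (t, x) whose P_1 input
    u1 = x ^ k_1(x)t was also queried directly to P_1 AND whose P_2 input
    u2 = P_1(u1) ^ k_1(x)t ^ k_2(x)t was queried directly to P_2, so the
    whole path through the construction is fixed by public queries."""
    k1, k2 = keys
    for t, x, _y in constr_queries:
        m1 = mask(k1, t)
        u1 = x ^ m1
        if u1 in p1_inputs and (P1[u1] ^ m1 ^ mask(k2, t)) in p2_inputs:
            return True
    return False


def bad_probability(P1, constr_queries, p1_inputs, p2_inputs):
    """Exact Pr[two-fold collision] over uniform independent (k_1, k_2) for a
    fixed transcript: the ideal-world quantity the proof bounds, since there
    the keys are independent of everything the distinguisher saw."""
    bad = sum(
        two_fold_collision(P1, (k1, k2), constr_queries, p1_inputs, p2_inputs)
        for k1, k2 in itertools.product(range(SIZE), repeat=2)
    )
    return bad / (SIZE * SIZE)


def union_bound(q_c, q_p):
    """q_c * q_p^2 / 2^(2n): for fixed (t, x), u1, u2 the equations
    k_1(x)t = x ^ u1 and k_2(x)t = P_1(u1) ^ x ^ u1 ^ u2 each hold with
    probability 2^-n over the independent keys; union over all choices."""
    return q_c * q_p ** 2 / SIZE ** 2


def example_transcript():
    """Constructed transcript: 4 construction queries under secret keys and
    16 direct queries to each of P_1 and P_2 (q_c = 4, q_p = 32)."""
    P1, P2 = random_permutation(1), random_permutation(2)
    keys = (0x3C, 0xA7)                                   # constructed
    pairs = [(0x01, 0x10), (0x01, 0x11), (0x5A, 0x10), (0xFF, 0xC3)]
    constr = [(t, x, nltem_encrypt((P1, P2), keys, t, x)) for t, x in pairs]
    return P1, P2, keys, constr, set(range(0, SIZE, 16)), set(range(8, SIZE, 16))


def rejects_zero_tweak(perms, keys):
    try:
        nltem_encrypt(perms, keys, 0, 0)
    except ValueError:
        return True
    return False
```

Running `bad_probability` on `example_transcript()` takes about a second (it enumerates all 65536 key pairs) and returns a value at most $q_c \cdot 16 \cdot 16 / 2^{16} = 1/64$, well under `union_bound(4, 32)`; the gap is the usual looseness of bounding $|S_1|\,|S_2|$ by $q_p^2$. The `mask` check on $t = 0$ is the practical caveat behind the uniformity argument: $k \otimes t$ is only an XOR-universal, uniform mask on nonzero tweaks.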
Distribution of Good Transcripts

• assuming there are no bad collisions, show that the answers of the TEM construction are close to the answers of a random tweakable permutation
• for each query, there is a "fresh" value of $P_1$ or $P_2$ which randomizes the output

[Figure: partition of the construction queries into sets $Q_{U_1}$, $Q_{V_2}$, $Q_X$, $Q_Y$, $Q_0$, with the inner wires labelled $U_1, V_1, U_2, V_2$ and their primed and double-primed copies]
Longer Cascades of the NL-TEM Construction

[Figure: $r$-round NL-TEM, round $i$ masked before and after $P_i$ by $k_i \otimes t$]

• $r$ rounds, $r$ even, with independent keys $k_1, \ldots, k_r$: secure up to $\sim 2^{rn/(r+2)} = 2^{(r/2)n/((r/2)+1)}$ queries
• proof:
  1. non-adaptive security for $r/2$ rounds (coupling technique)
  2. adaptive security for $r$ rounds ("two weak make one strong" composition theorem)
• conjecture: secure up to $\sim 2^{rn/(r+1)}$ queries