Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model
Jooyoung Lee, Byeonghak Lee
KAIST

Tweakable Block Cipher
- A tweakable block cipher E accepts an additional input "tweak"
  - Tweaks are publicly used (like IVs and nonces in modes of operation)
  - Changing tweaks should be efficient (compared to changing keys)

Motivation: why do we need tweaks
- Provide variability to the block cipher
- Can be used to construct various cryptographic schemes

Application: Authenticated Encryption
- Tweakable Authenticated Encryption (Liskov, Rivest, Wagner)
  - TAE can be proved to be secure if the underlying TBC is secure
  - Typically, the TBC is replaced by a block cipher-based construction (e.g., OCB modes of operation)

Construction of Tweakable Block Ciphers
- Dedicated construction
  - Hasty Pudding, Mercy, Threefish, etc.
- Block cipher-based construction
  - LRW1, LRW2, XEX, XHX, etc.
- Permutation-based construction
  - TEM, XPX, etc.

Block cipher-based Construction
- Using fixed keys (independent of tweaks)
  - Security is proved in the standard model
  - The underlying BC is replaced by an ideal random permutation (up to the security of TBC)
- Using tweak-dependent keys
  - Security is proved in the ideal cipher model
  - An adversary is allowed oracle access to the primitive

Security Notion
- How should we model secure tweakable block ciphers?
  - When a secret key is chosen uniformly at random, each tweak should make the keyed block cipher behave like an independent random permutation
  - This model is similar to the ideal cipher model, but an adversary is not allowed oracle access to the underlying tweakable block cipher

Security Notion
- A tweakable block cipher on {0,1}^n with key space 𝒦 and tweak space 𝒯 is a function
  E: 𝒦 × 𝒯 × {0,1}^n → {0,1}^n
  such that E(K, T, ·) (also denoted E_K(T, ·)) is a permutation on {0,1}^n for each pair of key and tweak (K, T).
- A tweakable permutation on {0,1}^n with tweak space 𝒯 is a function
  P: 𝒯 × {0,1}^n → {0,1}^n
  such that P(T, ·) is a permutation on {0,1}^n for each tweak T.

Security Notion
- An ideal tweakable permutation is a tweakable permutation that has been chosen uniformly at random from the set of all possible tweakable permutations.
- Any distinguisher should not be able to distinguish a tweakable block cipher with a secret random key and an ideal tweakable permutation by making a certain number of oracle queries.
[Figure: "Real? or Ideal?" Real world: E with key K. Ideal world: P.]

Security Notion for Ideal Cipher-based Construction
- An (information-theoretic) adversary is allowed oracle access to both the construction and the ideal cipher
[Figure: "Real? or Ideal?" Real world: the construction (g(t), h(t), x, y, E) and E. Ideal world: P and E.]

Security Notion for Ideal Cipher-based Construction ο For a distinguisher π , its distinguishing advantage is defined by πΏ ,πΉ ,πΉ β Pr 1 $ π π π πΉ πππ° πΉ π = Pr 1 $ where π is an ideal random tweakable permutation and a key πΏ is uniform random ο For positive integers π and π , , πππ° πΉ π, π = max π πππ° πΉ π where the maximum is taken over all the distinguishers making π block cipher queries and π construction queries
F[1], F[2] (Mennink, FSE 2015)
When based on an n-bit block cipher using n-bit keys,
- F[1] is secure up to 2^(2n/3) queries
  - BBB-secure with one BC call
- F[2] is secure up to 2^n queries
  - Fully secure with two BC calls

E1, …, E32 (Wang et al., Asiacrypt 2016)
When based on an n-bit block cipher using n-bit keys,
- Ei is secure up to 2^n queries
- Makes two block cipher calls (or a single block cipher call by precomputation)
- Only the xor operation is used

XHX (Jha et al., Latincrypt 2017)
- XHX uses two types of hash functions
  - g: δ-almost xor-universal and uniform hash function
  - h: δ′-almost universal and uniform hash function
- When based on an n-bit block cipher using m-bit keys, XHX is secure up to 2^((n+m)/2) queries
[Figure: XHX diagram with g(t), h(t), x, y, E]

Uniform/Universal Hash Functions
For (small) δ > 0,
- A keyed function h is δ-almost uniform if for any x and y, Pr[h(x) = y] ≤ δ.
- A keyed function h is δ-almost universal if for any x and x′, Pr[h(x) = h(x′)] ≤ δ.
- A keyed function h is δ-almost xor-universal if for any x and y, Pr[h(x) ⊕ h(x′) = y] ≤ δ.
- These functions can be defined as polynomials over a finite field.
Cryptology Laboratory @ GSIS, KAIST

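The three definitions above can be checked by exhaustive enumeration for polynomial hashes over a small field. The following Python sketch is an added example, not taken from the slides: the field GF(2^3), the two families k*x and a*x + b, and all function names are assumptions chosen for illustration, and the universal and xor-universal checks range over distinct inputs x ≠ x′.

```python
from fractions import Fraction
from itertools import product

N = 3                      # toy field GF(2^3) so every key can be enumerated
MOD = 0b1011               # x^3 + x + 1, irreducible over GF(2)
FIELD = range(1 << N)

def gf_mul(a, b):
    """Carry-less multiplication in GF(2^N) reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= MOD
        b >>= 1
    return r

def h_mul(key, x):
    """h_k(x) = k*x: polynomial with no constant term, key = (k,)."""
    return gf_mul(key[0], x)

def h_affine(key, x):
    """h_{a,b}(x) = a*x + b, key = (a, b)."""
    return gf_mul(key[0], x) ^ key[1]

def worst(keys, cases, event):
    """Largest probability, over a uniform key, of `event` across all cases."""
    return max(Fraction(sum(event(k, *c) for k in keys), len(keys)) for c in cases)

def measure(h, key_len):
    """Return the smallest delta for which h meets each definition."""
    keys = list(product(FIELD, repeat=key_len))
    pairs = [(x, x2) for x in FIELD for x2 in FIELD if x != x2]
    return {
        "uniform": worst(keys, product(FIELD, FIELD),
                         lambda k, x, y: h(k, x) == y),
        "universal": worst(keys, pairs,
                           lambda k, x, x2: h(k, x) == h(k, x2)),
        "xor-universal": worst(keys, product(pairs, FIELD),
                               lambda k, p, y: h(k, p[0]) ^ h(k, p[1]) == y),
    }

if __name__ == "__main__":
    for name, h, key_len in (("k*x", h_mul, 1), ("a*x+b", h_affine, 2)):
        print(name, {p: str(d) for p, d in measure(h, key_len).items()})
```

The family k*x is 1/8-almost universal and xor-universal but not uniform, because the input 0 always hashes to 0; adding the constant term b brings all three bounds to 1/8.
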
XHX2: Motivation
- The input size of an n-bit block cipher using an m-bit key is n + m bits.
- In the ideal cipher model, its information-theoretic security cannot go beyond n + m bits (due to key exhaustive search).
- With respect to this size, the birthday bound should be 2^((n+m)/2).
- Can we go beyond the birthday bound?

XHX2: Construction
- Cascade of two independent copies of XHX
  - E_1 and E_2 are n-bit block ciphers using m-bit keys
  - g_1 and g_2 are δ-almost uniform and universal hash functions
  - h_1 and h_2 are δ′-almost uniform and xor-universal hash functions
[Figure: XHX2 diagram with h_1(t), g_1(t), g_2(t), h_2(t), x, y, E_1, E_2]

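An added example (not code from the slides or the paper) of the cascade on toy parameters: each round computes E_key(x ⊕ mask) ⊕ mask with a tweak-dependent key and mask, which is the arrangement implied by the reduced-query representation shown later in the slides. The seeded-shuffle cipher, the SHA-256 stand-in hashes, the parameter sizes and every name below are assumptions.

```python
import hashlib
import random

N_BITS, M_BITS = 8, 16     # toy block size n and key size m (assumptions)

def toy_cipher(name, key):
    """Stand-in for an ideal cipher: one seeded random permutation of the
    n-bit blocks per (cipher name, key). Returns (encrypt, decrypt) tables."""
    enc = list(range(1 << N_BITS))
    random.Random(f"{name}/{key}").shuffle(enc)
    dec = [0] * len(enc)
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec

def keyed_hash(hash_key, tweak, bits):
    """Stand-in keyed hash of the tweak (truncated SHA-256, an assumption;
    the slides use universal hash families instead)."""
    digest = hashlib.sha256(hash_key + b"|" + tweak).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

class XHX2:
    def __init__(self, secret: bytes):
        # Four hash keys derived from one secret for brevity (assumption;
        # the construction asks for independent keys).
        self.hk = [secret + bytes([i]) for i in range(4)]

    def params(self, tweak):
        k1 = keyed_hash(self.hk[0], tweak, M_BITS)   # key of round 1
        m1 = keyed_hash(self.hk[1], tweak, N_BITS)   # mask of round 1
        k2 = keyed_hash(self.hk[2], tweak, M_BITS)   # key of round 2
        m2 = keyed_hash(self.hk[3], tweak, N_BITS)   # mask of round 2
        return k1, m1, k2, m2

    def encrypt(self, tweak, x):
        k1, m1, k2, m2 = self.params(tweak)
        mid = toy_cipher("E1", k1)[0][x ^ m1] ^ m1      # first XHX round
        return toy_cipher("E2", k2)[0][mid ^ m2] ^ m2   # second XHX round

    def decrypt(self, tweak, y):
        k1, m1, k2, m2 = self.params(tweak)
        mid = toy_cipher("E2", k2)[1][y ^ m2] ^ m2
        return toy_cipher("E1", k1)[1][mid ^ m1] ^ m1

    def reduced_query(self, tweak, x, y):
        """(key 1, key 2, E1 input, E2 output, E1 output XOR E2 input)."""
        k1, m1, k2, m2 = self.params(tweak)
        return k1, k2, x ^ m1, y ^ m2, m1 ^ m2
```

For every tweak the resulting map is a permutation of the 8-bit blocks, and the reduced query links one E1 evaluation to one E2 evaluation through the XOR of the two masks.
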
Provable Security of XHX2 When π 1 and π 2 are π -bit π -almost uniform and universal hash functions, and β 1 and β 2 are π -bit πβ² -almost uniform and xor-universal hash functions, one has πππ° ππΌπ2 π, π 3 ππ β² + 256 8π 3 + 2ππ 2 1 1 1 + 160 16π 3 + 8ππ 2 + π 2 π 2 π β² 2 π β² 2 π 2 2 β€ 64π 3 π π 2 π 2 2 + 256 16π 3 + 8ππ 2 + 2π 2 + 3π 2 π π 2 (π β² ) 2 + 131072π 2 π 2 π β² , 2 2π 1 1 where π β 2 π , πβ² β 2 π
Comparison
(Efficiency columns: E = block cipher calls, ⊗/H = multiplications or hash calls)

Construction   Key size   Security                   E   ⊗/H   Ref.
LRW            2n         n/2                        1   1     [LRW02]
LRW[2]         4n         2n/3                       2   2     [LST12]
LRW[s]         2sn        sn/(s + 2)                 s   s     [LS13]
F[1]           n          2n/3                       1   1     [Men15]
F[2]           n          n                          2   0     [Men15]
E1, …, E32     n          n                          2   0     [Lei+16]
XHX            n + m      (n + m)/2                  1   1     [Jha+17]
XHX2           2n + 2m    min(2(n + m)/3, n + m/2)   2   2     Our work

Security of the 2-round XTX
- XTX is a tweak-length extension scheme (Minematsu and Iwata, IMACC 2015)
[Figure: XTX diagram with g(t), h(t), x, y, E]
- Without allowing block cipher queries (p = 0), we can prove beyond-birthday-bound security for the cascade of two independent XTX constructions.
[Figure: cascade diagram with h_1(t), g_1(t), g_2(t), h_2(t), x, y, E_1, E_2]

XHX2 from a Practical Viewpoint
- In the ideal cipher model, each key should define an independent random permutation
- The BBB bound might be useful when the underlying block cipher is relatively small (lightweight)
- Such a small block cipher might be vulnerable to related-key attacks (i.e., does not fit the ideal cipher model)
- XHX2 is suitable for a block cipher with a small block size (with a strong key schedule):
  - when n = 64 and m = 128, XHX2 provides 128-bit security

Transcripts
[Figure: "Real? or Ideal?" Real world: the construction (g_1(t), h_1(t), g_2(t), h_2(t), x, y, E_1, E_2) and E_1/E_2. Ideal world: P and E_1/E_2.]
- Adversary tries to distinguish two worlds by making oracle queries
- All the information obtained during the attack is represented by a transcript:
  τ = (…, g_1, g_2, h_1, h_2)
  Q_C = (t_1, x_1, y_1), …, (t_q, x_q, y_q)
  Q_{E_j} = (j, k_1, u_1, v_1), …, (j, k_p, u_p, v_p)

Upper Bounding the Distinguishing Advantage
1) T_id: probability distribution of τ in the ideal world
2) T_re: probability distribution of τ in the real world
Adv_E(𝒟) ≤ ‖T_id − T_re‖
[Figure: probability of appearance (0 to 1) of each transcript in the real and ideal worlds]

H-Coefficient Lemma
We can use the following lemma to upper bound the statistical distance.
Let Θ = Θ_good ⊔ Θ_bad be a partition of the set of transcripts. Assume that there exist ϵ_1, ϵ_2 > 0 such that
  Pr[T_id ∈ Θ_bad] ≤ ϵ_2,
and for any τ ∈ Θ_good,
  Pr[T_re = τ] / Pr[T_id = τ] ≥ 1 − ϵ_1.
Then one has
  ‖T_id − T_re‖ ≤ ϵ_1 + ϵ_2.

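An added worked example of the lemma, not taken from the slides: the two worlds here are a toy pair (a random function as the ideal world, a random permutation as the real world, queried at q fixed points), chosen because every transcript probability can be enumerated exactly. All names and parameters are assumptions.

```python
from fractions import Fraction
from itertools import permutations, product

def worlds(n_points=4, q=3):
    """Exact transcript distributions for q fixed distinct queries.
    A transcript is the tuple of q answers.
    Ideal world (constructed toy): uniformly random function.
    Real world (constructed toy): uniformly random permutation."""
    transcripts = list(product(range(n_points), repeat=q))
    t_id = {t: Fraction(1, n_points ** q) for t in transcripts}
    perms = list(permutations(range(n_points)))
    t_re = dict.fromkeys(transcripts, Fraction(0))
    for pi in perms:
        t_re[pi[:q]] += Fraction(1, len(perms))
    return t_id, t_re

def h_coefficient_bound(t_id, t_re, is_bad):
    """Return (eps1, eps2) for the partition induced by is_bad."""
    good = [t for t in t_id if not is_bad(t)]
    # eps2: probability that the ideal world produces a bad transcript
    eps2 = sum(p for t, p in t_id.items() if is_bad(t))
    # eps1: worst shortfall of the real/ideal ratio over good transcripts
    eps1 = max(Fraction(0), max(1 - t_re[t] / t_id[t] for t in good))
    return eps1, eps2

def statistical_distance(t_id, t_re):
    """Half the L1 distance between the two transcript distributions."""
    return sum(abs(t_id[t] - t_re[t]) for t in t_id) / 2

if __name__ == "__main__":
    t_id, t_re = worlds()
    eps1, eps2 = h_coefficient_bound(t_id, t_re, lambda t: len(set(t)) < len(t))
    print("eps1 =", eps1, "eps2 =", eps2,
          "distance =", statistical_distance(t_id, t_re))
```

With repeated answers declared bad, the lemma gives ϵ_1 = 0 and ϵ_2 = 5/8, which equals the exact distance; with an empty bad set the bound degrades to the trivial value 1.
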
Security Proof of XHX2 (Sketch)
1) Define bad transcripts
2) Lower bound the ratio of probabilities of obtaining a good transcript in the real world and in the ideal world
   - Pr[T_id = τ] is easy to compute, while Pr[T_re = τ] is challenging
3) Apply the H-coefficient lemma

Representation of Construction Queries
[Figure: XHX2 diagram with h_1(t), g_1(t), g_2(t), h_2(t), x, y, E_1, E_2]
- Reduced query: combine keys and construction queries
  (t, x, y) ↦ (h_1(t), h_2(t), x ⊕ g_1(t), y ⊕ g_2(t), g_1(t) ⊕ g_2(t))
- Black dots represent values fixed by block cipher queries, while white dots are "free"