Beyond-birthday-bound Security Based on Tweakable Block Ciphers
Transcript of Beyond-birthday-bound Security Based on Tweakable Block Ciphers
![Page 1: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/1.jpg)
Beyond-birthday-bound Security Based on Tweakable Block Ciphers
Kazuhiko Minematsu
NEC Corporation
Fast Software Encryption 2009, Leuven, Belgium
![Page 2: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/2.jpg)
Doubling the Block Length of a Cipher
Build a 2n-bit block cipher using n-bit components. Many solutions, e.g., using a Feistel permutation.
[Figure: an n-bit block cipher E with its key, mapping plaintext to ciphertext, next to a 2n-bit Feistel construction built from n-bit components E1, E2, ...]
![Page 3: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/3.jpg)
Security Reduction (the case of Feistel)
Luby-Rackoff [LR88]: 4-round Feistel is O(2^{n/2})-secure against chosen-ciphertext attacks (CCAs) if E is a pseudorandom function, i.e., hard to distinguish from a URP using q ≪ 2^{n/2} queries.
Security is up to the birthday bound (for n).
[Figure: 4-round Feistel vs. uniform random permutation, indistinguishable up to 2^{n/2} CCA queries]
![Page 4: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/4.jpg)
Goal: Beyond-birthday-bound Security
O(2^{+n/2})-security for some >0 (larger is better)
Very few known schemes (even for a small )
Most known schemes are O(2^{n/2})-secure
Useful: it improves the security of block cipher modes with O(2^{block_length/2})-security, which are quite common (CBC, CTR, CBC-MAC, etc.)
![Page 5: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/5.jpg)
Known Approaches
Direct extension of Luby-Rackoff: use an n-bit block PRF and add more (balanced) Feistel rounds to the LR results
Patarin [Pat04]: 6-round has O(2^n)-sec. (for CCA)
Maurer-Pietrzak [MP03]: (r 1)-round has infinite-sec. (i.e., Adv. converges to 0 as r grows)
Unbalanced Feistel: use a PRF with >n-bit input and <n-bit output
Naor-Reingold [NR97]: s-round has O(2^{n(1-1/s)})-sec.
![Page 6: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/6.jpg)
Our Approach
Use a Tweakable (Block) Cipher: an extension of the block cipher introduced by Liskov et al. [LRW02]
Tweak = public parameter for variability. A tweak determines a single instance of a block cipher; different tweaks should provide pseudo-independent instances of a block cipher.
[Figure: tweakable encryption TE_K(P, T) = C and decryption TD_K(C, T) = P, with n-bit block P/C and m-bit tweak T]
![Page 7: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/7.jpg)
Problem Setting
Tweakable Cipher with n-bit block and m-bit tweak (we call it an (n,m)-bit TC)
We assume 1 <= m <= n
We assume our (n,m)-bit TC is perfect (i.e., it is the set of 2^m indep. n-bit URPs)
Goal: info-theoretic security proof; once obtained, the computational counterpart is trivial
Build a 2n-bit cipher with (n,m)-bit TCs. How?
![Page 8: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/8.jpg)
Starting Point: NR Mode
Another proposal of Naor-Reingold for large-block ciphers (originally cn-bit for any c >= 2, here c = 2)
Mix-ECB-Mix, where Mix is a (weak form of) pairwise indep. permutation
O(2^{n/2})-sec. was obtained
[Figure: NR mode, (PL, PR) -> mix 1 -> E || E -> mix 2 -> (CL, CR), all wires n-bit]
![Page 9: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/9.jpg)
Tweaking ECB
Assume m = n for simplicity
Use the tweak to introduce inter-block dependency... while keeping it invertible! (e.g., the butterfly transform cannot be used). Then we get:
[Figure: tweaked ECB, (PL, PR) -> TE1, TE2 -> (CL, CR), with the tweak inputs wired between the two branches]
note: this is two-key, but a one-key version is also possible
![Page 10: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/10.jpg)
The Role of Mix Layers
Tweaked ECB itself is only O(2^{n/2})-secure: simultaneous collisions of tweak and output can be the source of an attack! Mix must prevent this (in particular a collision of tweaks).
[Figure: URP vs. TE1, with and without mix 1, on queries whose left halves are distinct and right halves fixed; labels: "no collision", "Adv. ~ q^2/2^n", "Prob. ~ q^2/2^n"]
![Page 11: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/11.jpg)
Result: Extended Naor-Reingold (ENR)
Mix is a one-round Feistel using an -AXU hash func. (i.e., Pr[H(x)+H(x') = ] < for all x x', )
The same key for the top and bottom
[Figure: ENR, (PL, PR) -> H -> TE1, TE2 -> H -> (CL, CR)]
![Page 12: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/12.jpg)
(see the paper for the general case, H = -AXU)
Theorem: if H is 2^{-n}-AXU, we have
O(2^n)-security is obtained!
(Negl. if q ≪ 2^n)
Moreover, if our TC is not perfect, we have
![Page 13: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/13.jpg)
Proof Idea
There are four Quasi-Random Functions having 2n-bit input and n-bit output (overlapping each other). Each QRF has O(2^{2n})-security if H is 2^{-n}-AXU.
[Figure: the ENR encryption circuit (H, TE1, TE2, H) and the decryption circuit (H, TD1, TD2, H) side by side]
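The following Python toy, added here and not taken from the paper or the talk, walks through the m = n construction of slides 9 to 13 with n = 8: Feistel mix with an AXU hash, tweaked ECB with chained tweaks, mirrored mix, plus a counter for the slide-10 bad event (two queries reaching TE1 under the same tweak). Assumptions: the perfect (n,n)-bit TC of slide 7 is simulated by lazily sampled random permutations, H_K(x) = K·x in GF(2^8) is the 2^{-n}-AXU hash, and the exact wiring of the mix layers and tweak chaining is my reading of the ENR figure rather than the paper's specification.

```python
import random
N = 8                  # toy block size n in bits (a real instance would use n = 64 or 128)
POLY = 0x11B           # irreducible polynomial of GF(2^8): H_K(x) = K*x is 2^-N-AXU

def gf_mul(a, b):
    """GF(2^N) product; for x != x' exactly one K maps x ^ x' to a given d, so Pr_K[K*x ^ K*x' = d] = 2^-N."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a >> (N - 1) else 0)
        b >>= 1
    return r

class PerfectTC:
    """Idealised (n,n)-bit tweakable cipher of slide 7: an independent URP per tweak, sampled lazily."""
    def __init__(self, seed):
        self.rng, self.perms = random.Random(seed), {}
    def perm(self, tweak):
        if tweak not in self.perms:
            p = list(range(1 << N))
            self.rng.shuffle(p)
            self.perms[tweak] = p
        return self.perms[tweak]
    def enc(self, tweak, x):
        return self.perm(tweak)[x]
    def dec(self, tweak, y):
        return self.perm(tweak).index(y)

class ENR:
    """2n-bit cipher: one-round Feistel mix with H, tweaked ECB, mirrored mix (same H key)."""
    def __init__(self, hkey, seed=1):
        self.k = hkey                                   # single AXU key for top and bottom (slide 11)
        self.te1, self.te2 = PerfectTC(seed), PerfectTC(seed + 1)   # two-key variant (slide 9)
    def h(self, x):
        return gf_mul(self.k, x)
    def encrypt(self, pl, pr):
        t = pr ^ self.h(pl)          # mix 1: the tweak for TE1 now depends on both halves
        s = self.te1.enc(t, pl)
        r = self.te2.enc(s, t)       # TE2 tweaked by TE1's output: inter-block dependency, still invertible
        return s ^ self.h(r), r      # mix 2: mirror image of mix 1 (assumed wiring)
    def decrypt(self, cl, cr):
        s = cl ^ self.h(cr)
        t = self.te2.dec(s, cr)
        pl = self.te1.dec(t, s)
        return pl, t ^ self.h(pl)

def te1_tweak_collisions(cipher, queries, mixed=True):
    """Query pairs reaching TE1 under the same tweak (slide 10); mixed=False is tweaked ECB alone (tweak = PR)."""
    tweaks = [pr ^ cipher.h(pl) if mixed else pr for pl, pr in queries]
    return sum(tweaks.count(t) - 1 for t in tweaks) // 2
```

With a fixed right half, tweaked ECB alone sends every query to TE1 under one tweak, while mix 1 with a non-zero key K makes all tweaks distinct.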
![Page 14: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/14.jpg)
How should we do it if m < n?
Same basic strategy: tweak ECB, then add Mix layers
Need to care about more "bad events": Mix cannot be a one-round Feistel
![Page 15: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/15.jpg)
ENR for m<n
Mix 1 is a keyed permutation G; Mix 2 is a mirrored version of G (same key), Grev^{-1} in the figure
The m-bit tweak is cut from the n-bit branch, e.g., the leftmost m bits
[Figure: ENR for m<n, (PL, PR) -> G -> TE1, TE2 (m-bit tweaks cut from the n-bit branches) -> Grev^{-1} -> (CL, CR)]
![Page 16: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/16.jpg)
Security Proof
Condition of G:
Security of ENR for m<n:
![Page 17: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/17.jpg)
Concrete Example
G is now a two-round irregular Feistel
H is an AXU hash using field multiplication
Security bound:
O(2^{(n+m)/2})-security is obtained
[Figure: concrete ENR for m<n: (PL, PR) -> H1, H2 -> cut -> TE1, TE2 -> H1, H2 -> (CL, CR), with m-bit and (n-m)-bit wires]
![Page 18: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/18.jpg)
Summary so far
ENR
Security: O(2^{(n+m)/2})-security for any m < n+1
Efficiency: 2 calls of TC + some UHs
optimal within this setting
![Page 19: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/19.jpg)
Challenging Next Step
Our proof naturally requires a tweakable cipher with beyond-birthday-bound security. How to realize it?
1. From scratch (Mercy, HPC, Threefish (in the Skein hash function), etc.): increasing attention, but still less popular
2. Mode of operation, i.e., from n-bit block ciphers
![Page 20: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/20.jpg)
However…
Known modes have only up-to-birthday-bound security: LRW and (generalized) XEX [LRW02][Rog04][Min06]
no matter how short the tweak is; 1 bit is enough to break using 2^{n/2} queries
[Figure: LRW mode with block cipher E, hash H of the m-bit tweak T, n-bit P and C]
![Page 21: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/21.jpg)
A Naive Solution
Tweak-dependent rekeying (TDR): simple, but never seriously investigated (to our knowledge)
K = F_MK(T), where F_MK is a PRF with m-bit input and |K|-bit output
[Figure: TDR, the key K = F_MK(T) derived from the m-bit tweak T feeds E, which encrypts the n-bit message M to C]
Security proof:
![Page 22: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/22.jpg)
Analysis
Basically, it is difficult to determine how large m is admissible (as the Adv_E term would be non-negligible). For the case |K| = n:
When m is sufficiently smaller than n/2, it seems fairly secure (well beyond the birthday bound)
When m = n/2, a simple birthday attack is possible: search for a ciphertext collision due to a key collision
[Figure: two TDR instances with tweaks T1 and T2 and keys F_MK(T1), F_MK(T2); a key collision (prob. 1/2^n) yields a ciphertext collision; labels 0^n, 1^n]
![Page 23: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/23.jpg)
TDR for E (with n-bit key)
Limit m < n/2 (say, m = n/3). We can use E_MK as F_MK; the security bound is:
(via PRF-PRP switching)
Of course, still problematic: short tweak, frequent rekeying
[Figure: TDR instantiated with E_MK: the m-bit tweak T is padded to n bits, K = E_MK(pad(T)), and E_K encrypts P to C]
![Page 24: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/24.jpg)
Combining ENR and TDR
Combining ENR and TDR is possible, but it is difficult to determine how large m is admissible (because of TDR's security proof)
Bottom line: need to develop a better one.
Note: based on a strong assumption on E, we can expect (ENR+TDR) to have O(2^{2n/3})-security by the choice m = n/3
![Page 25: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/25.jpg)
Summary
We built a 2n-bit cipher from (n,m)-bit tweakable ciphers
ENR achieves O(2^{(n+m)/2})-security for any m <= n, needs 2 TC calls & some UHs
TDR: a way to convert an n-bit cipher into an (n,m)-bit TC. Only a proof of concept: subject to heavy limitations (both theoretical and practical)
![Page 26: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/26.jpg)
Future Directions
Better TC from an n-bit cipher w/o rekeying
Extensions of ENR:
Large-block cipher (cn-bit for c > 2)
Make ENR tweakable: the basic solution is to use some modes with ENR; search for a more efficient way
![Page 27: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/27.jpg)
Thank you!
![Page 28: Beyond-birthday-bound Security Based on Tweakable Block Ciphers](https://reader036.fdocuments.in/reader036/viewer/2022062321/56813ce7550346895da692c6/html5/thumbnails/28.jpg)
Memo: Security of TDR & (ENR + TDR)
Assume
(maybe this means "the most efficient attack is the exhaustive key search" (by assuming ~ q))
Then TDR's bound implies
Thus it is expected to have O(2^{n-m})-security.
Combining this with ENR's bound, we obtain
Ignoring the constant, this is maximized by the choice m = n/3. In this case the bound of (ENR+TDR) is O(q^2/2^{4n/3}), thus it has (based on the above assumption) O(2^{2n/3})-security.