300 likes | 439 Views
Beyond-birthday-bound Security Based on Tweakable Block Ciphers. Kazuhiko Minematsu NEC Corporation. Fast Software Encryption 2009, Leuven, Belgium. Doubling the Block Length of a Cipher. Build 2n-bit block cipher using n-bit components Many solutions, e.g., using Feistel Permutation.
E N D
Beyond-birthday-bound Security Based on Tweakable Block Ciphers Kazuhiko Minematsu NEC Corporation Fast Software Encryption 2009, Leuven, Belgium
Doubling the Block Length of a Cipher • Build 2n-bit block cipher using n-bit components • Many solutions, e.g., using Feistel Permutation Plaintext Plaintext n n n E1 E Key E2 … Ciphertext Ciphertext
Security Reduction (the case of Feistel) • Luby-Rackoff [LR88]: 4-round is O(2n/2)-secure for Chosen-ciphertext attacks (CCAs) if E is a pseudorandom function • i.e. hard to distinguish from URP using q ¿ 2n/2 queries • Security is up to the Birthday Bound (for n) Uniform Random Permutation 4-round Feistel 2n/2 CCA queries
Goal: Beyond-birthday-bound Security • O(2+n/2)-security for some >0 (larger is better) • Very few known schemes (even for a small ) • Most known schemes are O(2n/2)-secure • Useful: it improves the security of block cipher modes w/ O(2block_length/2)-security • quite common (CBC, CTR, CBC-MAC, etc...)
Known Approaches • Direct extension of Luby-Rackoff • use n-bit block PRF & add more (balanced) Feistel rounds to LR results • Patarin [Pat04]: 6-round has O(2n)-sec. (for CCA) • Maurer-Pietrzak [MP03] : (r g1)-round has infinite-sec. • Unbalanced Feistel • use PRF w/ >n-bit input & <n-bit output • Naor-Reingold [NR97] : s-round has O(2n(1-1/s))-sec. (i.e. Adv. converges to 0 as r grows )
n n n n Our Approach • Use Tweakable (Block) Cipher • An extension of block cipher introduced by Liskov et al. [LRW02] • Tweak = public parameter for variability • A tweak determines single instance of a block cipher • Different tweaks should provide pseudo-independent instances of a block cipher P C TEK TDK T T m m C P
Problem Setting • Tweakable Cipher w/ n-bit block & m-bit tweak (we call it (n,m)-bit TC) • We assume 1 <= m <= n • We assume our (n,m)-bit TC is perfect (i.e., it is the set of 2m indep. n-bit URPs ) • goal: info-theoretic security proof; once obtained, computational counterpart is trivial Build a 2n-bit cipher w/ (n,m)-bit TCs. How?
Starting Point: NR Mode • Another proposal of Naor-Reingold for Large-block cipher (originally cn-bit for any c>=2, here c=2) • Mix-ECB-Mix, where Mix is a (weak form of) pairwise indep. permutation • O(2n/2)-sec. was obtained PR PL n n mix 1 E E mix 2 n n CL CR
e.g. butterfly trans. can not be used Tweaking ECB • Assume m = n for simplicity • Use tweak to introduce inter-block dependency • ...while keeping it invertible! • Then we get; PR PL tweak TE1 tweak TE2 CL CR note: this is two-key, but one-key version is also possible
distinct fixed distinct fixed Prob. ~ q2/2n no collision The Role of Mix Layers • Tweaked ECB itself is only O(2n/2)-secure • simultaneous collisions of tweak and output can be the source of attack! • Mix must prevent this (in particular a collision of tweaks) mix 1 mix 1 Adv. ~q2/2n TE1 URP
Result : Extended Naor-Reingold (ENR) • Mix is one-round Feistel using -AXU hash func. (i.e., Pr[ H(x)+H(x’) = ] < for all x x’, ) • The same key for the top and bottom PR PL H TE1 TE2 H CL CR
Theorem: if H is 2-n-AXU, we have (see paper for a general case (H=-AXU)) (Negl. if q ¿ 2n) Moreover, if our TC is not perfect, we have O(2n)-security is obtained !
Proof Idea • There are four Quasi-Random Functions having 2n-bit input and n-bit output (overlapping each other) • Each QRF has O(22n)-security if H is 2-n-AXU PR PR PL PL H H TE1 TD1 TE2 TD2 H H CL CR CL CR Encryption Decryption
How should we do if m<n ? • Same basic strategy: tweak ECB, then add Mix layers • Need to care more “bad events” • Mix can not be one-round Feistel
Mix 1 is a keyed permutation G G Mix 2 is a mirrored version of G (same key) Grev-1 ENR for m<n PR PL e.g., leftmost m-bit TE1 cut m cut TE2 m CL CR
Security Proof • Condition of G: • Security of ENR for m<n:
Concrete Example PR PL H1 • G is now two-round irregular Feistel • H is an AXU hash using field-multiplication • Security bound: m n-m H2 TE1 cut m TE2 cut m n-m m H2 O(2(n+m)/2)-security is obtained H1 CL CR
Summary so far • ENR • Security: O(2(n+m)/2)-security for any m < n+1 • Efficiency: 2 calls of TC + some UHs • optimal within this setting
Challenging Next Step • Our proof naturally requires a tweakable cipher w/ beyond-birthday-bound security. How to realize it? • From scratch (Mercy, HPC, Threefish etc) • increasing attention, but still less popular • Mode of operation, i.e. from n-bit block ciphers (In Skein hash function)
However… • Known modes have only up-to-birthday-bound security • LRW and (generalized) XEX [LRW02][Rog04][Min06] • no matter how tweak is short; 1-bit is enough to break using 2n/2 queries P T n m E H C LRW mode
Security proof n m A Naive Solution • Tweak-dependent rekeying (TDR) • Simple, but never seriously investigated (to our knowledge) T M E FMK PRF w/ m-bit in, |K|-bit out K = FMK(T) C
m Analysis • Basically, it is difficult to determine how large m is admissible (as AdvE. term would be non-negligible) • For the case of |K| = n; • When m is sufficiently smaller than n/2, seems fairly secure (well beyond the birthday bound) • When m = n/2, a simple birthday attack is possible • Search for a ciphertext collision due to the key collision T1 T2 T1 T2 0n 1n n E E FMK FMK Key collision (prob. 1/2n) Ciphertext collision Ciphertext collision
T P pad n n n m EMK E C TDR for E (w/ n-bit key) • Limit m < n/2 (say, m=n/3) • We can use EMK as FMK, the security bound is; • Of course, still problematic • short tweak • frequent rekeying via PRF-PRP switching
Combining ENR and TDR • Combining ENR and TDR is possible, but difficult to determine how large m is admissible (because of TDR’s security proof) • Bottom line: need to develop a better one. Note: based on a strong assumption on E, we can expect (ENR+TDR) to have O(22/3n)-security by the choice m=n/3
Summary • We built a 2n-bit cipher from (n,m)-bit tweakable ciphers • ENR achieves O(2(n+m)/2)-security for any m<= n, needs 2 TC calls & some UHs • TDR: a way to convert an n-bit cipher into an (n,m)-bit TC • Only a proof of concept: subject to heavy limitations (both theoretical and practical)
Future Directions • Better TC from n-bit cipher w/o rekeying • Extensions of ENR: • Large-block cipher (cn-bit for c>2) • Make ENR tweakable • Basic solution is to use some modes w/ ENR, search for a more efficient way
Memo: Security of TDR & (ENR + TDR) • Assume (maybe this means “the most efficient attack is the exhaustive key search” (by assuming ~ q)) • Then TDR’s bound implies Thus it is expected to have O(2n-m)-security. • Combining this to the ENR’s bound, we obtain Ignoring the constant, this is maximized by the choice m = n/3. In this case the bound of (ENR+TDR) is O(q2/24n/3), thus it has (based on the above assumption) O(22n/3)-security.