
Beyond-birthday-bound Security Based on Tweakable Block Ciphers

Kazuhiko Minematsu, NEC Corporation. Fast Software Encryption 2009, Leuven, Belgium. Doubling the block length of a cipher: build a 2n-bit block cipher using n-bit components; many solutions exist, e.g., using a Feistel permutation.


Presentation Transcript


  1. Beyond-birthday-bound Security Based on Tweakable Block Ciphers
     Kazuhiko Minematsu, NEC Corporation
     Fast Software Encryption 2009, Leuven, Belgium

  2. Doubling the Block Length of a Cipher
     • Build a 2n-bit block cipher using n-bit components
     • Many solutions, e.g., using a Feistel permutation
     [Figure: a 2n-bit plaintext split into n-bit halves passes through Feistel rounds built from n-bit components E1, E2, ... under a key, giving the 2n-bit ciphertext]

  3. Security Reduction (the case of Feistel)
     • Luby-Rackoff [LR88]: the 4-round Feistel is O(2^{n/2})-secure against chosen-ciphertext attacks (CCAs) if E is a pseudorandom function
     • i.e., it is hard to distinguish from a URP (uniform random permutation) using q ≪ 2^{n/2} queries
     • Security is up to the birthday bound (for n)
     [Figure: 4-round Feistel vs. uniform random permutation, indistinguishable up to 2^{n/2} CCA queries]

  4. Goal: Beyond-birthday-bound Security
     • Security of the order O(2^{n/2 + ...}) with a positive margin in the exponent (the larger the margin, the better)
     • Very few known schemes (even for a small margin)
     • Most known schemes are O(2^{n/2})-secure
     • Useful: it improves the security of block cipher modes with O(2^{block_length/2})-security, which are quite common (CBC, CTR, CBC-MAC, etc.)

  5. Known Approaches
     • Direct extension of Luby-Rackoff: use an n-bit block PRF and add more (balanced) Feistel rounds to the LR results
       • Patarin [Pat04]: 6-round has O(2^n)-security (for CCA)
       • Maurer-Pietrzak [MP03]: r-round has "infinite" security as r → ∞ (i.e., the advantage converges to 0 as r grows)
     • Unbalanced Feistel: use a PRF with >n-bit input and <n-bit output
       • Naor-Reingold [NR97]: s-round has O(2^{n(1-1/s)})-security

  6. Our Approach
     • Use a tweakable (block) cipher, an extension of the block cipher introduced by Liskov et al. [LRW02]
     • Tweak = public parameter for variability
     • A tweak determines a single instance of a block cipher
     • Different tweaks should provide pseudo-independent instances of a block cipher
     [Figure: tweakable encryption TE_K and decryption TD_K, with n-bit plaintext P, n-bit ciphertext C and m-bit tweak T]

  7. Problem Setting
     • Tweakable cipher with n-bit block and m-bit tweak (we call it an (n,m)-bit TC)
     • We assume 1 <= m <= n
     • We assume our (n,m)-bit TC is perfect (i.e., it is a set of 2^m independent n-bit URPs)
     • Goal: an information-theoretic security proof; once obtained, the computational counterpart is trivial
     Build a 2n-bit cipher with (n,m)-bit TCs. How?

  8. Starting Point: NR Mode
     • Another proposal of Naor-Reingold for a large-block cipher (originally cn-bit for any c >= 2; here c = 2)
     • Mix-ECB-Mix, where Mix is a (weak form of) pairwise independent permutation
     • O(2^{n/2})-security was obtained
     [Figure: (PL, PR) -> mix 1 -> E || E (ECB on the two n-bit halves) -> mix 2 -> (CL, CR)]

  9. Tweaking ECB
     • Assume m = n for simplicity
     • Use the tweak to introduce inter-block dependency...
     • ...while keeping it invertible! (e.g., the butterfly transform cannot be used)
     • Then we get:
     [Figure: tweaked ECB on (PL, PR): TE1 and TE2 with their tweak inputs taken from the data path, giving (CL, CR)]
     Note: this is two-key, but a one-key version is also possible

  10. The Role of Mix Layers
     • Tweaked ECB itself is only O(2^{n/2})-secure
     • Simultaneous collisions of tweak and output can be the source of an attack!
     • Mix must prevent this (in particular a collision of tweaks)
     [Figure: mix 1 followed by TE1 vs. mix 1 followed by a URP; with distinct inputs under a fixed tweak, a collision occurs with probability ~ q^2/2^n where the URP gives none, so the advantage is ~ q^2/2^n]

  11. Result: Extended Naor-Reingold (ENR)
     • Mix is a one-round Feistel using an AXU hash function (i.e., for all x ≠ x' and any fixed difference, Pr[H(x) + H(x') equals that difference] is below the AXU bound)
     • The same key for the top and bottom
     [Figure: ENR: (PL, PR) -> Feistel round with H -> TE1, TE2 -> Feistel round with H -> (CL, CR)]

  12. Theorem
     • If H is 2^{-n}-AXU, we have the bound given on the slide (see the paper for the general case of an AXU H with an arbitrary bound), which is negligible if q ≪ 2^n
     • Moreover, if our TC is not perfect, we have the corresponding computational bound given on the slide
     • O(2^n)-security is obtained!

  13. Proof Idea
     • There are four quasi-random functions (QRFs) having 2n-bit input and n-bit output (overlapping each other)
     • Each QRF has O(2^{2n})-security if H is 2^{-n}-AXU
     [Figure: ENR encryption (H, TE1, TE2, H) and decryption (H, TD2, TD1, H) on (PL, PR) and (CL, CR)]

  14. What should we do if m < n?
     • Same basic strategy: tweak ECB, then add Mix layers
     • Need to take care of more "bad events"
     • Mix cannot be a one-round Feistel

  15. ENR for m < n
     • Mix 1 is a keyed permutation G
     • Mix 2 is a mirrored version of G (same key), G_rev^{-1}
     [Figure: (PL, PR) -> G -> TE1, TE2 with m-bit tweaks cut from the data path (e.g., the leftmost m bits) -> mirrored G -> (CL, CR)]

  16. Security Proof
     • Condition of G: (given on the slide)
     • Security of ENR for m < n: (bound given on the slide)

  17. Concrete Example
     • G is now a two-round irregular Feistel
     • H is an AXU hash using field multiplication
     • Security bound: O(2^{(n+m)/2})-security is obtained
     [Figure: (PL, PR) -> Feistel rounds H1, H2 acting on m-bit and (n-m)-bit parts -> TE1, TE2 with m-bit tweaks cut from the data path -> H2, H1 -> (CL, CR)]

  18. Summary So Far
     • ENR
       • Security: O(2^{(n+m)/2})-security for any m < n+1
       • Efficiency: 2 calls of the TC + some UHs (universal hash evaluations)
       • Optimal within this setting

  19. Challenging Next Step
     • Our proof naturally requires a tweakable cipher with beyond-birthday-bound security. How to realize it?
       • From scratch (Mercy, HPC, Threefish (in the Skein hash function), etc.): increasing attention, but still less popular
       • Mode of operation, i.e., from n-bit block ciphers

  20. However...
     • Known modes have only up-to-birthday-bound security
       • LRW and (generalized) XEX [LRW02][Rog04][Min06]
       • No matter how short the tweak is: 1 bit is enough to break them using 2^{n/2} queries
     [Figure: LRW mode: an n-bit block cipher E masked on input and output with H(T), for the m-bit tweak T]

  21. A Naive Solution
     • Tweak-dependent rekeying (TDR)
     • Simple, but never seriously investigated (to our knowledge)
     [Figure: TDR: K = F_MK(T), where F_MK is a PRF with m-bit input and |K|-bit output; C = E_K(M)]
     Security proof: (bound given on the slide)

  22. Analysis
     • Basically, it is difficult to determine how large an m is admissible (as the Adv_E term would be non-negligible)
     • For the case |K| = n:
       • When m is sufficiently smaller than n/2, it seems fairly secure (well beyond the birthday bound)
       • When m = n/2, a simple birthday attack is possible: search for a ciphertext collision caused by a key collision
     [Figure: two instances with tweaks T1 and T2 and inputs 0^n and 1^n: a key collision F_MK(T1) = F_MK(T2) (prob. 1/2^n) yields a ciphertext collision]

  23. TDR for E (with n-bit key)
     • Limit m < n/2 (say, m = n/3)
     • We can use E_MK as F_MK; the security bound is: (given on the slide)
     • Of course, still problematic: a short tweak, and frequent rekeying via PRF-PRP switching
     [Figure: the m-bit tweak T is padded to n bits and encrypted under E_MK to derive the key for E, which encrypts P to C]
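The following is an added, self-contained example (not code from the talk or from NEC) that instantiates slides 9 to 11 (ENR for m = n) and slides 21 and 23 (TDR) in the idealised model of slide 7: the tweakable cipher is a family of 2^m independent random permutations, built lazily from a seeded PRNG, and the AXU hash is field multiplication as on slide 17. The block size n = 8 and all keys are constructed toy values; the exact ENR wiring (which half feeds which tweak, and the mirrored second Feistel round) is my reading of the figure on slide 11 and is an assumption, as is the zero-extension used for pad(T) in TDR.

```python
import random

N = 8                # toy block size n in bits (constructed; the talk's n would be 64 or 128)
AES_POLY = 0x11B     # reduction polynomial of GF(2^8); any irreducible degree-n polynomial works


def gf_mul(a, b):
    """Multiplication in GF(2^8). H_K(x) = K*x is the field-multiplication AXU hash of
    slide 17: for x != x', H_K(x) ^ H_K(x') = K*(x ^ x') equals a given difference for
    exactly one key K out of 2^n, i.e. with probability 2^-n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= AES_POLY
    return r


def axu_collision_count(x, x2, delta):
    """Number of keys K with H_K(x) ^ H_K(x2) == delta, over all 2^n keys. It is 1
    whenever x != x2 (the 2^-n-AXU property); for x == x2 the difference is always 0,
    which is why the definition on slide 11 requires x != x'."""
    return sum(1 for k in range(1 << N) if gf_mul(k, x) ^ gf_mul(k, x2) == delta)


class IdealPermFamily:
    """Independent uniformly random n-bit permutations indexed by an integer.
    Indexed by the tweak this is the perfect (n,m)-bit TC of slide 7 (2^m independent
    URPs); indexed by the key it is an ideal n-bit block cipher E. Tables come from a
    seeded PRNG so enc and dec agree; it is a proof-model stand-in, not a real cipher."""

    def __init__(self, label):
        self.label = label        # distinguishes independent instances (TE1, TE2, E)
        self.perms = {}

    def _perm(self, idx):
        if idx not in self.perms:
            table = list(range(1 << N))
            random.Random((self.label << 32) | idx).shuffle(table)   # deterministic seed
            self.perms[idx] = (table, {c: p for p, c in enumerate(table)})
        return self.perms[idx]

    def enc(self, idx, x):
        return self._perm(idx)[0][x]

    def dec(self, idx, y):
        return self._perm(idx)[1][y]


class ENR:
    """Extended Naor-Reingold for m = n. Wiring (assumed from the slide 11 figure):
    Mix 1 is one Feistel round with H_K, the middle is tweaked ECB where each TC call is
    tweaked by the other data path, Mix 2 is the mirrored Feistel round with the same H key."""

    def __init__(self, hkey, tc1, tc2):
        self.hkey, self.tc1, self.tc2 = hkey, tc1, tc2

    def encrypt(self, pl, pr):
        x = pr ^ gf_mul(self.hkey, pl)   # Mix 1: the tweak below now depends on both halves
        y = self.tc1.enc(x, pl)          # TE1 with tweak x
        z = self.tc2.enc(y, x)           # TE2 with tweak y
        cl = y ^ gf_mul(self.hkey, z)    # Mix 2, same H key as the top
        return cl, z

    def decrypt(self, cl, cr):
        z = cr
        y = cl ^ gf_mul(self.hkey, z)
        x = self.tc2.dec(y, z)
        pl = self.tc1.dec(x, y)
        pr = x ^ gf_mul(self.hkey, pl)
        return pl, pr


class TDR:
    """Tweak-dependent rekeying (slides 21 and 23): K = E_MK(pad(T)), then C = E_K(P).
    E is reused as the PRF F_MK; pad() zero-extends the m tweak bits to n bits (assumed).
    Exposes the same (n,m)-bit TC interface as IdealPermFamily."""

    def __init__(self, E, master_key, m):
        if 2 * m >= N:
            raise ValueError("slide 23 limits the tweak length to m < n/2")
        self.E, self.mk, self.m = E, master_key, m

    def _subkey(self, tweak):
        if not 0 <= tweak < (1 << self.m):
            raise ValueError("tweak must be an m-bit value")
        return self.E.enc(self.mk, tweak)

    def enc(self, tweak, x):
        return self.E.enc(self._subkey(tweak), x)

    def dec(self, tweak, y):
        return self.E.dec(self._subkey(tweak), y)


def enr_roundtrip_ok(hkey=0x53):
    """decrypt(encrypt(P)) == P for every 2n-bit block, so ENR is a 2n-bit permutation."""
    enr = ENR(hkey, IdealPermFamily(1), IdealPermFamily(2))
    return all(enr.decrypt(*enr.encrypt(pl, pr)) == (pl, pr)
               for pl in range(1 << N) for pr in range(1 << N))


def tdr_roundtrip_ok(master_key=0xA5, m=2):
    """TDR inverts correctly for every m-bit tweak and every block."""
    tdr = TDR(IdealPermFamily(3), master_key, m)
    return all(tdr.dec(t, tdr.enc(t, x)) == x
               for t in range(1 << m) for x in range(1 << N))
```

Setting hkey to 0 turns both Mix layers into the identity and leaves exactly the tweaked ECB of slide 9, whose tweak then equals the plaintext half it came from; that is the tweak-collision situation slide 10 says the Mix layers exist to prevent. The TDR class is kept separate from ENR because the m < n case needs the permutation G of slide 15 rather than a one-round Feistel.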

  24. Combining ENR and TDR
     • Combining ENR and TDR is possible, but it is difficult to determine how large an m is admissible (because of TDR's security proof)
     • Bottom line: we need to develop a better one
     Note: based on a strong assumption on E, we can expect (ENR+TDR) to have O(2^{2n/3})-security by the choice m = n/3

  25. Summary
     • We built a 2n-bit cipher from (n,m)-bit tweakable ciphers
     • ENR achieves O(2^{(n+m)/2})-security for any m <= n, and needs 2 TC calls & some UHs
     • TDR: a way to convert an n-bit cipher into an (n,m)-bit TC
       • Only a proof of concept: subject to heavy limitations (both theoretical and practical)

  26. Future Directions
     • A better TC from an n-bit cipher without rekeying
     • Extensions of ENR:
       • Large-block cipher (cn-bit for c > 2)
       • Make ENR tweakable: the basic solution is to use some mode with ENR; search for a more efficient way

  27. Thank you!

  28. Memo: Security of TDR & (ENR + TDR)
     • Assume the condition given on the slide (maybe this means "the most efficient attack is the exhaustive key search", by assuming  ~ q)
     • Then TDR's bound implies the bound given on the slide; thus it is expected to have O(2^{n-m})-security
     • Combining this with ENR's bound, we obtain the bound given on the slide. Ignoring the constant, this is maximized by the choice m = n/3. In this case the bound of (ENR+TDR) is O(q^2/2^{4n/3}), thus it has (based on the above assumption) O(2^{2n/3})-security.
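Where m = n/3 comes from, as an added worked step that is not on the slide: the memo credits TDR with O(2^{n-m})-security and ENR with O(2^{(n+m)/2})-security, so the combined security exponent is the smaller of the two and the best tweak length balances them:

$$\max_{m}\ \min\Bigl\{\,n-m,\ \tfrac{n+m}{2}\Bigr\}, \qquad n-m=\tfrac{n+m}{2}\iff 2n-2m=n+m\iff m=\tfrac{n}{3},$$

at which both terms equal $2n/3$, matching the O(2^{2n/3}) stated above. Equivalently, ENR's O(2^{(n+m)/2})-security corresponds to an advantage term of order $q^2/2^{n+m}$, and with $m=n/3$ this is $q^2/2^{4n/3}$, negligible for $q \ll 2^{2n/3}$, which is the (ENR+TDR) bound the memo gives.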
