Length-Doubling Ciphers and Tweakable Ciphers
Haibin Zhang
Computer Science Department, University of California, Davis
[email protected]
http://csiflabs.cs.ucdavis.edu/~hbzhang/
Our Contribution
HEM: a VIL cipher on $\{0,1\}^{[n..2n-1]}$, i.e. on messages of n to 2n-1 bits
THEM: a VIL tweakable cipher on $\{0,1\}^{[n..2n-1]}$
Both HEM and THEM use two blockcipher calls
Symmetric-Key Encryption (Confidentiality Modes of Operation)
Probabilistic/stateful encryption (length-expanding):
IND-CPA: CBC, CTR, ... (IND-CCA)
AE = IND-CPA + INT-CTXT: CCM, GCM, OCB, ...
Deterministic encryption (length-preserving encryption; a cipher):
PRP (CPA) security
SPRP (CCA) security: CMC, EME2, ...
SPRP ciphers are useful in disk-sector encryption, encipher-and-encode applications, hybrid encryption, ...; see IEEE P1619.2 (EME2).
Blockciphers
A blockcipher is a map $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ such that $E_K = E(K,\cdot)$ is a permutation for every key $K$. Let $\pi$ be a random permutation over $\{0,1\}^n$.
PRP (CPA) security: the adversary $A$ gets an oracle for $E_K(\cdot)$ or for $\pi(\cdot)$ and must tell which:
$\mathrm{Adv}^{\mathrm{prp}}_E(A) = \Pr[A^{E_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$
SPRP (CCA) security: the adversary also gets the inverse oracle:
$\mathrm{Adv}^{\pm\mathrm{prp}}_E(A) = \Pr[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$
General Ciphers
A (general) cipher is a map $\varepsilon: \mathcal{K} \times X \to X$ that is length-preserving and, for every key $K$, a permutation $\varepsilon_K$ of $X$. Let $\pi$ now be a random length-preserving permutation over $X$.
PRP (CPA) security:
$\mathrm{Adv}^{\mathrm{prp}}_\varepsilon(A) = \Pr[A^{\varepsilon_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$
SPRP (CCA) security:
$\mathrm{Adv}^{\pm\mathrm{prp}}_\varepsilon(A) = \Pr[A^{\varepsilon_K(\cdot),\,\varepsilon_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$
Our target: a cipher for $X = \{0,1\}^{[n..2n-1]}$, i.e. for messages of $n$ to $2n-1$ bits.
Tweakable Blockcipher Security [Liskov, Rivest, Wagner 2002]
A tweakable blockcipher is a map $\widetilde{E}: \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ such that $\widetilde{E}_K(T,\cdot)$ is a permutation for every key $K$ and tweak $T$. Let $\mathrm{Perm}(\mathcal{T}, n)$ be the set of all tweak-indexed families of permutations over $\{0,1\}^n$, and let $\widetilde{\pi}$ be chosen at random from it.
$\widetilde{\mathrm{prp}}$ security (oracle for $\widetilde{E}_K(\cdot,\cdot)$ or for $\widetilde{\pi}(\cdot,\cdot)$):
$\mathrm{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$
$\pm\widetilde{\mathrm{prp}}$ security (inverse oracles added):
$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot),\,\widetilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$
Tweakable Cipher Security [Liskov, Rivest, Wagner 2002]
A tweakable cipher is a map $\widetilde{E}: \mathcal{K} \times \mathcal{T} \times X \to X$ that is length-preserving in its last argument and, for every key $K$ and tweak $T$, a permutation $\widetilde{E}_K(T,\cdot)$ of $X$. Let $\mathrm{Perm}(\mathcal{T}, X)$ be the set of all tweak-indexed families of length-preserving permutations over $X$, and let $\widetilde{\pi}$ be chosen at random from it.
$\widetilde{\mathrm{prp}}$ security:
$\mathrm{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$
$\pm\widetilde{\mathrm{prp}}$ security:
$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot),\,\widetilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$
Our target: a tweakable cipher for $X = \{0,1\}^{[n..2n-1]}$.
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
1. A historically and theoretically interesting problem. Luby and Rackoff [1988] built a FIL cipher from n to 2n bits, "doubling" the length of a cipher. Our goal is the VIL analogue: a cipher from n bits to [n..2n-1] bits, "doubling" the length of a cipher in the VIL sense.
2. The TC3* online cipher [Rogaway and Zhang, 2011] is built on a tweakable cipher of length [n..2n-1].
3. XTS mode [IEEE P1619] handles a partial final block with ciphertext stealing, which did not seem to do a good job; a tweakable cipher of length [n..2n-1] covers the same situation.
Previous constructions for [n..2n-1]
EME2 [Halevi, 2004]
Four-round Feistel
XLS [Ristenpart, Rogaway, 2007]
A two-blockcipher-call solution? Our algorithms use:
two blockcipher calls
two AXU hash calls
one mixing-function call (inexpensive; a non-cryptographic tool)
AXU Hash Function
Almost-XOR-universal hash functions [Krawczyk, 1994]: $H: \mathcal{K} \times X \to Y$ is $\varepsilon$-AXU if for all $X \neq X'$ and all $C \in Y$, $\Pr_K[H_K(X) \oplus H_K(X') = C] \le \varepsilon$.
For our constructions $X = Y = \{0,1\}^n$, i.e. $H: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, instantiated as $H_K(X) = K \cdot X$, a Galois-field multiplication in $\mathrm{GF}(2^n)$ (for a uniform key this gives $\varepsilon = 2^{-n}$, since $K \cdot (X \oplus X') = C$ has exactly one solution $K$ when $X \neq X'$).
Essential for efficiency and security.
Mixing Function
$\mathrm{mix}: S \times S \to S \times S$
Let $\mathrm{mix}_L(\cdot,\cdot)$ and $\mathrm{mix}_R(\cdot,\cdot)$ be the left and right projections of $\mathrm{mix}$, respectively. The requirement: for any $A \in S$, the four maps $\mathrm{mix}_L(A,\cdot)$, $\mathrm{mix}_L(\cdot,A)$, $\mathrm{mix}_R(A,\cdot)$ and $\mathrm{mix}_R(\cdot,A)$ are all permutations of $S$; $\mathrm{mix}$ must also be invertible as a map on $S \times S$, since deciphering runs it backwards.
A construction by Ristenpart and Rogaway [2007] takes three xors and a single one-bit circular rotation.
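The AXU hash of the previous slide and the mixing-function requirement above, as an added example that is not code from the talk or from the HEM/THEM paper: the hash $H_K(X) = K \cdot X$ is implemented over $\mathrm{GF}(2^n)$ and the AXU bound $\varepsilon = 2^{-n}$ is checked exhaustively for a toy $n = 4$; the mixing function is my own $\mathrm{GF}(2^n)$-doubling variant, $\mathrm{mix}(A,B) = (A \oplus x\cdot(A \oplus B),\ B \oplus x\cdot(A \oplus B))$, not the rotation-based mix of Ristenpart and Rogaway, and the four-projection property is verified by enumeration. The reduction polynomials, the toy sizes and the sample key are assumptions made for the demonstration.

```python
# Added example (not from the talk): AXU hash by GF(2^n) multiplication and a
# "good" mixing function, both checked exhaustively at a toy size n = 4.
# The mix below is a GF(2^n)-doubling variant chosen for this demo, NOT the
# three-xor/one-rotation construction of Ristenpart and Rogaway.

# Reduction polynomials with the leading x^n term dropped; bit i is the x^i coefficient.
POLY = {
    4: 0b0011,       # x^4 + x + 1              (toy size, exhaustively checkable)
    8: 0b00011011,   # x^8 + x^4 + x^3 + x + 1  (the AES field, for known test vectors)
    128: 0x87,       # x^128 + x^7 + x^2 + x + 1 (the GCM/GHASH field, real key size)
}

def gf_mul(a, b, n):
    """Multiply a*b in GF(2^n) by shift-and-add (right-to-left); not constant-time."""
    mask, top, r = (1 << n) - 1, 1 << (n - 1), 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & top
        a = (a << 1) & mask
        if carry:
            a ^= POLY[n]
    return r

def axu_hash(key, x, n):
    """H_K(X) = K * X over GF(2^n): a 2^-n-AXU hash with an n-bit key."""
    return gf_mul(key, x, n)

def axu_epsilon(n):
    """Brute-force the AXU bound: max over X != X' and C of Pr_K[H_K(X) ^ H_K(X') = C].
    Comes out as 2^-n because K*(X^X') = C has exactly one solution K when X != X'."""
    size, worst = 1 << n, 0
    for x1 in range(size):
        for x2 in range(x1 + 1, size):
            counts = [0] * size
            for k in range(size):
                counts[axu_hash(k, x1, n) ^ axu_hash(k, x2, n)] += 1
            worst = max(worst, max(counts))
    return worst / size

def mulx(a, n):
    """Multiply by x in GF(2^n) (the 'doubling' familiar from GCM/XTS code)."""
    mask = (1 << n) - 1
    return ((a << 1) & mask) ^ (POLY[n] if a >> (n - 1) else 0)

def mix(a, b, n):
    """mix(A, B) = (A ^ x*(A^B), B ^ x*(A^B)). As a matrix over GF(2^n) this is
    (A', B') = [[1+x, x], [x, 1+x]] * (A, B); its determinant (1+x)^2 + x^2 = 1, so mix
    is a permutation of S x S, and each projection is affine in either input with a
    nonzero coefficient (x or 1+x), so all four partial maps are permutations too."""
    t = mulx(a ^ b, n)
    return a ^ t, b ^ t

def unmix(a2, b2, n):
    """Inverse of mix: A' ^ B' = A ^ B, so the same t is recomputed; mix is an involution."""
    return mix(a2, b2, n)

def is_good_mixing(n):
    """Exhaustively check the mixing-function requirement for every A in S = {0,1}^n."""
    size, s = 1 << n, range(1 << n)
    for a in s:
        for proj in (0, 1):                                       # 0 = mix_L, 1 = mix_R
            if len({mix(a, b, n)[proj] for b in s}) != size:      # mix_*(A, .)
                return False
            if len({mix(b, a, n)[proj] for b in s}) != size:      # mix_*(., A)
                return False
    # mix must also be a permutation of S x S so that deciphering can invert it
    return len({mix(a, b, n) for a in s for b in s}) == size * size

if __name__ == "__main__":
    print("AXU epsilon for n=4:", axu_epsilon(4))                  # 1/16
    print("good mixing function for n=4:", is_good_mixing(4))      # True
    k = 0x0123456789abcdef0123456789abcdef                         # constructed 128-bit key
    print("H_K(0xdeadbeef) in GF(2^128):", hex(axu_hash(k, 0xdeadbeef, 128)))
```

The GF(2^8) entry is there only so the multiplier can be checked against published AES field values; the GF(2^128) entry shows the hash at the key size a real instantiation would use. Note that the AXU bound is a statement about a uniformly random key: the enumeration counts, for each fixed pair of distinct inputs and each target difference, how many keys produce that difference, and the worst case is a single key.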
An inefficient 2-blockcipher-call solution: variationally universal hash [Rogaway and Krovetz, 2006]
Feistel networks [Luby and Rackoff, 1988], [Naor and Reingold, 1997], [Patel, Ramzan and Sundaram, 1997]: a FIL cipher of length 2n; an improved FIL cipher of length 2n; a FIL cipher of length ≥ 2n
FHEM: A FIL Cipher of length n+s
Figure: FHEM, composed of an AXU hash, a blockcipher encryption, an AXU hash, the MIX function (annotated: 1. permutation, 2. SPRP), and a second blockcipher encryption.
FHEM of length n+s security
Theorem: Let $\varepsilon = \mathrm{FHEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$, the blockcipher being idealized as a random permutation of $\{0,1\}^n$. If $A$ asks at most $q$ queries then
$\mathrm{Adv}^{\pm\mathrm{prp}}_\varepsilon(A) \le 3q^2/2^n$
FHEM is not VIL secure
Distinguisher: ask for the enciphering of $0^n0$ (n+1 bits) and of $0^n00$ (n+2 bits), and call the answers $C$ and $D$. If $D_1 = C_1$ (the first n-bit blocks agree) output 1, else 0. FHEM run at the two lengths under one key answers with $D_1 = C_1$, whereas a random length-preserving permutation agrees on the first block with probability only $2^{-n}$, so the distinguisher succeeds.
HEM: A Length-Doubling Cipher
Figure: HEM, obtained from FHEM (FHEM → HEM); one part of the computation can be precomputed.
HEM security
Theorem: Let $\varepsilon = \mathrm{HEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then
$\mathrm{Adv}^{\pm\mathrm{prp}}_\varepsilon(A) \le 3q^2/2^n$
THEM: A Length-Doubling Tweakable Cipher
Figure: THEM, HEM with a way of adding tweaks.
THEM security
Theorem: Let $\widetilde{\varepsilon} = \mathrm{THEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then
$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\varepsilon}}(A) \le 3q^2/2^n$
A More Compact Variant (Tweak Stealing)
Open questions
A more elegant cipher on $X = \{0,1\}^{[n..2n)}$
How do we achieve an efficient VIL cipher with domain $\{0,1\}^{>n}$ using the fewest blockcipher calls?
(Informally) Is there a lower bound on the number of blockcipher calls for an efficient SPRP-secure cipher with domain $\{0,1\}^{>n}$?
Thank you!