Beyond-birthday-bound Security Based on Tweakable Block Ciphers Kazuhiko Minematsu NEC Corporation Fast Software Encryption 2009, Leuven, Belgium



Slide 2: Doubling the Block Length of a Cipher

Build a 2n-bit block cipher using n-bit components. Many solutions, e.g., using a Feistel permutation.

[Diagram: an n-bit block cipher E (Key, Plaintext, Ciphertext), and a 2n-bit construction over two n-bit halves using components E1, E2]

Slide 3: Security Reduction (the case of Feistel)

Luby-Rackoff [LR88]: 4-round Feistel is O(2^{n/2})-secure against chosen-ciphertext attacks (CCAs) if E is a pseudorandom function, i.e., hard to distinguish from a URP using q ≪ 2^{n/2} queries.

Security is up to the birthday bound (for n).

[Diagram: 4-round Feistel vs. Uniform Random Permutation, distinguished with 2^{n/2} CCA queries]

Slide 4: Goal: Beyond-birthday-bound Security

O(2^{ε+n/2})-security for some ε > 0 (larger ε is better). Very few known schemes (even for a small ε).

Most known schemes are O(2^{n/2})-secure.

Useful: it improves the security of block cipher modes with O(2^{block_length/2})-security, which are quite common (CBC, CTR, CBC-MAC, etc.).

Slide 5: Known Approaches

Direct extension of Luby-Rackoff: use an n-bit block PRF and add more (balanced) Feistel rounds to the LR results.
Patarin [Pat04]: 6-round has O(2^n)-sec. (for CCA).
Maurer-Pietrzak [MP03]: (r 1)-round has infinite-sec. (i.e., Adv. converges to 0 as r grows).

Unbalanced Feistel: use a PRF with >n-bit input and <n-bit output.
Naor-Reingold [NR97]: s-round has O(2^{n(1-1/s)})-sec.

Slide 6: Our Approach

Use a Tweakable (Block) Cipher: an extension of the block cipher introduced by Liskov et al. [LRW02].

Tweak = public parameter for variability. A tweak determines a single instance of a block cipher. Different tweaks should provide pseudo-independent instances of a block cipher.

[Diagram: tweakable encryption TE_K: (T, P) -> C and decryption TD_K: (T, C) -> P, with n-bit P and C and an m-bit tweak T]

Slide 7: Problem Setting

Tweakable cipher with n-bit block and m-bit tweak (we call it an (n,m)-bit TC).

We assume 1 <= m <= n.
We assume our (n,m)-bit TC is perfect (i.e., it is the set of 2^m independent n-bit URPs).
Goal: information-theoretic security proof; once obtained, the computational counterpart is trivial.

Build a 2n-bit cipher with (n,m)-bit TCs. How?

Slide 8: Starting Point: NR Mode

Another proposal of Naor-Reingold for a large-block cipher (originally cn-bit for any c >= 2, here c = 2).

Mix-ECB-Mix, where Mix is a (weak form of) pairwise independent permutation.

O(2^{n/2})-sec. was obtained.

[Diagram: (PL, PR) -> mix 1 -> E, E (ECB over the two n-bit halves) -> mix 2 -> (CL, CR)]

Slide 9: Tweaking ECB

Assume m = n for simplicity. Use the tweak to introduce inter-block dependency... while keeping it invertible! Then we get:

Note: this is two-key, but a one-key version is also possible.

E.g., the butterfly transform can not be used.

[Diagram: tweaked ECB: (PL, PR) -> TE1, TE2, each with a tweak input -> (CL, CR)]

Slide 10: The Role of Mix Layers

Tweaked ECB itself is only O(2^{n/2})-secure: simultaneous collisions of tweak and output can be the source of an attack! Mix must prevent this (in particular a collision of tweaks).

[Diagram: TE1 with mix 1 in front, compared with a URP; labels: no collision, Adv. ~ q^2/2^n, Prob. ~ q^2/2^n, distinct / fixed]

Slide 11: Result: Extended Naor-Reingold (ENR)

Mix is a one-round Feistel using an ε-AXU hash function (i.e., Pr[H(x) + H(x') = δ] < ε for all x ≠ x' and all δ). The same key is used for the top and bottom H.

[Diagram: (PL, PR) -> H (one-round Feistel mix) -> TE1, TE2 -> H (one-round Feistel mix) -> (CL, CR)]

Slide 12

(see paper for the general case (H = ε-AXU))

Theorem: if H is 2^{-n}-AXU, we have

O(2^n)-security is obtained!

(Negl. if q ≪ 2^n)

Moreover, if our TC is not perfect, we have
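An added Python model of ENR for m = n, written for this page (it is not the author's implementation): the perfect (n,m)-bit TC of slide 7 is simulated by lazily sampled random permutations, H is the field-multiplication AXU hash of slide 17, and the exact wiring of the tweaks between TE1 and TE2 is my reconstruction of the slide diagram.

```python
import os

N = 64                      # block size n of the underlying TC; here the tweak size m = n (slide 9 setting)
MASK = (1 << N) - 1
POLY = 0x1B                 # x^64 + x^4 + x^3 + x + 1, irreducible (the 64-bit CMAC constant)

def gf_mul(a, b):
    """Multiply in GF(2^64). H_K(x) = K*x is 2^-n-AXU: H(x)+H(x') = K*(x+x') is uniform when x != x'."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) & MASK) ^ (POLY if a >> (N - 1) else 0)
        b >>= 1
    return r

class PerfectTC:
    """The slides' 'perfect (n,m)-bit TC': one independent n-bit URP per tweak, sampled lazily."""
    def __init__(self):
        self.fwd, self.inv = {}, {}          # tweak -> {x: y} and tweak -> {y: x}
    def _map(self, src, dst, k):
        if k not in src:                     # first query of k: sample a fresh image, keep it a bijection
            v = int.from_bytes(os.urandom(N // 8), "big")
            while v in dst:
                v = int.from_bytes(os.urandom(N // 8), "big")
            src[k], dst[v] = v, k
        return src[k]
    def enc(self, tweak, x):
        return self._map(self.fwd.setdefault(tweak, {}), self.inv.setdefault(tweak, {}), x)
    def dec(self, tweak, y):
        return self._map(self.inv.setdefault(tweak, {}), self.fwd.setdefault(tweak, {}), y)

class ENR:
    """Mix-ECB-Mix on a 2n-bit block: Mix = one-round Feistel with H_K (same key top and bottom),
    tweaked ECB in the middle. The exact wiring is this example's reconstruction of the slide."""
    def __init__(self, hash_key):
        self.K = hash_key & MASK
        self.te1, self.te2 = PerfectTC(), PerfectTC()   # two-key version: two independent TCs
    def encrypt(self, pl, pr):
        pr ^= gf_mul(self.K, pl)        # Mix 1: PR += H(PL)
        cl = self.te1.enc(pr, pl)       # TE1 tweaked by the (mixed) right block
        cr = self.te2.enc(cl, pr)       # TE2 tweaked by TE1's output, so decryption can unwind it
        cl ^= gf_mul(self.K, cr)        # Mix 2: mirrored Feistel, CL += H(CR)
        return cl, cr
    def decrypt(self, cl, cr):
        cl ^= gf_mul(self.K, cr)
        pr = self.te2.dec(cl, cr)
        pl = self.te1.dec(pr, cl)
        return pl, pr ^ gf_mul(self.K, pl)
```

Because each TE is a fresh random permutation per tweak, the model reproduces the information-theoretic setting of the proof rather than a concrete cipher.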

Slide 13: Proof Idea

There are four Quasi-Random Functions having 2n-bit input and n-bit output (overlapping each other). Each QRF has O(2^{2n})-security if H is 2^{-n}-AXU.

[Diagram: the ENR encryption circuit (TE1, TE2, H) and the decryption circuit (TD1, TD2, H) side by side, from which the four overlapping QRFs are read off]

Slide 14: What should we do if m < n?

Same basic strategy: tweak ECB, then add Mix layers.

Need to care about more "bad events"; Mix can not be a one-round Feistel.

Slide 15: ENR for m < n

[Diagram: (PL, PR) -> Mix 1 -> TE1, TE2, each tweaked by m bits "cut" from the other block -> Mix 2 -> (CL, CR)]

Mix 1 is a keyed permutation G. Mix 2 is a mirrored version of G (G_rev^{-1}, same key).

cut: truncation to m bits, e.g., the leftmost m bits.

Slide 16: Security Proof

Condition of G:

Security of ENR for m < n:

Slide 17: Concrete Example

G is now a two-round irregular Feistel.

H is an AXU hash using field multiplication.

Security bound:

[Diagram: (PL, PR) -> H1, H2 (two-round irregular Feistel acting on m-bit and (n-m)-bit parts) -> TE1, TE2 with m-bit tweaks via cut -> H1, H2 -> (CL, CR)]

O(2^{(n+m)/2})-security is obtained.

Slide 18: Summary so far

ENR
Security: O(2^{(n+m)/2})-security for any m < n+1.
Efficiency: 2 calls of TC + some UHs; optimal within this setting.

Slide 19: Challenging Next Step

Our proof naturally requires a tweakable cipher with beyond-birthday-bound security. How to realize it?

1. From scratch (Mercy, HPC, Threefish (in the Skein hash function), etc.): increasing attention, but still less popular.

2. Mode of operation, i.e., from n-bit block ciphers.

Slide 20: However...

Known modes have only up-to-birthday-bound security: LRW and (generalized) XEX [LRW02][Rog04][Min06].

No matter how short the tweak is; 1 bit is enough to break using 2^{n/2} queries.

[Diagram: LRW mode: n-bit E with a hash H of the m-bit tweak T masking plaintext P and ciphertext C]

Slide 21: A Naive Solution: Tweak-dependent Rekeying (TDR)

Simple, but never seriously investigated (to our knowledge).

[Diagram: TDR: K = F_MK(T) derived from the m-bit tweak T; C = E_K(M) for the n-bit message M. F is a PRF with m-bit input and |K|-bit output]

Security proof:

Slide 22: Analysis

Basically, it is difficult to determine how large m is admissible (as the Adv_E term would be non-negligible). For the case of |K| = n:

When m is sufficiently smaller than n/2, it seems fairly secure (well beyond the birthday bound).

When m = n/2, a simple birthday attack is possible: search for a ciphertext collision due to the key collision.

[Diagram: E keyed by F_MK(T1) and by F_MK(T2) on the fixed inputs 0^n and 1^n; a key collision (prob. 1/2^n) shows up as a ciphertext collision]

Slide 23: TDR for E (w/ n-bit key)

Limit m < n/2 (say, m = n/3). We can use E_MK as F_MK; the security bound is (via PRF-PRP switching):

Of course, still problematic: short tweak, frequent rekeying.

[Diagram: the m-bit tweak T is padded to n bits and encrypted under E_MK to give the n-bit key K; C = E_K(P)]

Slide 24: Combining ENR and TDR

Combining ENR and TDR is possible, but it is difficult to determine how large m is admissible (because of TDR's security proof).

Bottom line: need to develop a better one.

Note: based on a strong assumption on E, we can expect (ENR+TDR) to have O(2^{2n/3})-security by the choice m = n/3.

Slide 25: Summary

We built a 2n-bit cipher from (n,m)-bit tweakable ciphers.

ENR achieves O(2^{(n+m)/2})-security for any m <= n, and needs 2 TC calls & some UHs.

TDR: a way to convert an n-bit cipher into an (n,m)-bit TC. Only a proof of concept: subject to heavy limitations (both theoretical and practical).

Slide 26: Future Directions

Better TC from an n-bit cipher w/o rekeying.

Extensions of ENR:
Large-block cipher (cn-bit for c > 2).
Make ENR tweakable. The basic solution is to use some modes with ENR; search for a more efficient way.

Slide 27: Thank you!

Slide 28: Memo: Security of TDR & (ENR + TDR)

Assume

(maybe this means "the most efficient attack is the exhaustive key search" (by assuming ~ q))

Then TDR's bound implies

Thus it is expected to have O(2^{n-m})-security.

Combining this with the ENR's bound, we obtain

Ignoring the constant, this is maximized by the choice m = n/3. In this case the bound of (ENR+TDR) is O(q^2/2^{4n/3}), thus it has (based on the above assumption) O(2^{2n/3})-security.
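An added derivation of the m = n/3 choice (not from the slides). It assumes the ENR term is q^2/2^{n+m}, the bound behind O(2^{(n+m)/2})-security, and that the TDR term has the form q^2/2^{2(n-m)}, the O(2^{n-m})-security bound that reproduces the stated O(q^2/2^{4n/3}):

$$\mathrm{Adv}_{\mathrm{ENR+TDR}}(q) \lesssim \frac{q^2}{2^{n+m}} + \frac{q^2}{2^{2(n-m)}}.$$

The first term decreases and the second increases with m, so the sum is smallest when the two exponents agree:

$$n + m = 2(n - m) \iff m = \frac{n}{3}, \qquad \text{giving} \quad \frac{2q^2}{2^{4n/3}},$$

which stays negligible as long as $q \ll 2^{2n/3}$.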