Constructing Tweakable Block Ciphers in the Random Permutation Model (PowerPoint presentation)



SLIDE 1

Tweakable BC | Tweakable EM | Birthday Security | BBB Security | Conclusion (section navigation bar shown on every slide)

Constructing Tweakable Block Ciphers in the Random Permutation Model

Yannick Seurin

ANSSI, France

September 30, 2015, ASK 2015

Based on joint work with Benoît Cogliati and Rodolphe Lampe

Yannick Seurin, Constructing TBCs in the RPM, ASK 2015, slide 1 / 36

SLIDE 2

Outline

  • Background: Tweakable Block Ciphers
  • Tweakable Even-Mansour Constructions
  • Birthday-Bound Secure Constructions
  • Beyond-Birthday-Bound Secure Constructions
  • Conclusion and Perspectives


SLIDE 4

Tweakable Block Ciphers (TBCs)

Figure: a TBC Ẽ takes a key k, a tweak t and an input block x and returns an output block y.

  • tweak t: brings variability to the block cipher
  • t assumed public or even adversarially controlled
  • each tweak should give an “independent” permutation
  • few “natively tweakable” BCs:
    • Hasty Pudding Cipher [Sch98]
    • Mercy [Cro00]
    • Threefish [FLS+10]
    • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher

SLIDE 9

Generic Constructions of TBCs: LRW

  • A generic TBC construction turns a conventional block cipher E into a TBC Ẽ
  • example: LRW construction by Liskov et al. [LRW02]

Figure (LRW): Ẽ(k, k′, t, x) = E_k(x ⊕ h_{k′}(t)) ⊕ h_{k′}(t), i.e. the same mask h_{k′}(t) is XORed before and after the call to E_k.

  • h is XOR-universal, e.g. h_{k′}(t) = k′ ⊗ t (field multiplication)
  • secure up to ∼ 2^{n/2} queries
  • related construction XEX [Rog04] uses E_k(t) instead of h_{k′}(t) (used e.g. in the XTS disk encryption mode)

SLIDE 14

Other Generic Constructions

Constructions achieving beyond-birthday-bound security:

  • Minematsu [Min09]: tweak length < n/2
  • Cascaded LRW [LST12, LS13]: larger key length and more block cipher calls
  • Mennink [Men15]: security proof needs the ideal cipher model

Only LRW (or rather XEX) is used in practice (e.g. in the XTS disk encryption mode)


SLIDE 20

TBCs: Dedicated Designs

Our Goal

Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher).

  • “from scratch” → from some lower-level primitive
  • from a PRF: Feistel schemes [GHL+07, MI08]
  • this talk: SPN ciphers (more generally, key-alternating ciphers)

SLIDE 24

Key-Alternating Ciphers

Figure: x → ⊕ k_0 → P_1 → ⊕ k_1 → P_2 → … → P_r → ⊕ k_r → y, on n-bit blocks, with round keys k_i = f_i(k).

An r-round key-alternating cipher:

  • the P_i’s are public permutations on {0, 1}^n
  • the f_i’s map k to n-bit “round keys”
  • examples: most SPNs (AES, SERPENT, PRESENT, LED, …)
  • a.k.a. (iterated) Even-Mansour construction

SLIDE 27

Tweakable Even-Mansour Constructions

Figure: same as the key-alternating cipher, but each round key is now derived from the key and the tweak: x → ⊕ f_0(k, t) → P_1 → ⊕ f_1(k, t) → P_2 → … → P_r → ⊕ f_r(k, t) → y.

  • let the round keys depend on the key and the tweak t
  • ⇒ “tweakable” Even-Mansour (TEM) construction(s)
  • f_i’s = “tweak and key schedule” (TKS)
  • high-level abstraction of the TWEAKEY constructions [JNP14]
  • analysis in the Random Permutation Model

SLIDE 32

The Random Permutation Model (RPM)

Figure: the adversary makes q_c queries to the TEM construction (keyed with (k, t)) and q_p queries to each of the public permutations P_1, …, P_r.

  • the P_i’s are modeled as public random permutation oracles (adversary can only make black-box queries)
  • adversary cannot exploit any weakness of the P_i’s ⇒ generic attacks
  • complexity measure of the adversary:
    • q_c = # construction queries = pt/ct pairs (data D)
    • q_p = # queries to each internal permutation oracle (time T)
  • but otherwise computationally unbounded ⇒ information-theoretic proof of security

SLIDE 36

Formalization of the Security Experiment

Figure: the distinguisher D outputs a bit 0/1. Real world: D queries the TEM construction (q_c queries) and P_1, …, P_r (q_p queries each). Ideal world: D queries a random tweakable permutation P_0 (q_c queries) and P_1, …, P_r (q_p queries each).

  • real world: TEM construction with random master key k
  • ideal world: random tweakable permutation P_0 independent from P_1, …, P_r
  • RPM: D has oracle access to P_1, …, P_r in both worlds


SLIDE 39

First Try: One Round, Linear TKS

Figure: one-round TEM with linear TKS, y = P_1(x ⊕ k ⊕ t) ⊕ k ⊕ t. The distinguisher:
  • queries (t_1, x_1): u = x_1 ⊕ k ⊕ t_1, v = P_1(u), y_1 = v ⊕ k ⊕ t_1
  • queries (t_2, x_2) with x_1 ⊕ x_2 = t_1 ⊕ t_2: P_1 receives the same u, so y_2 = v ⊕ k ⊕ t_2
  • checks that y_1 ⊕ y_2 = t_1 ⊕ t_2 (∗)

  • 2 queries to the encryption oracle, 0 queries to P_1
  • (∗) holds with probability 1 for the TEM construction
  • (∗) holds with probability 2^{−n} for a random tweakable permutation
  • works for any linear TKS

SLIDE 47

Second Try: Two Rounds, Linear TKS

Figure: two-round TEM with linear TKS, y = P_2(P_1(x ⊕ k ⊕ t) ⊕ k ⊕ t) ⊕ k ⊕ t. The distinguisher:
  • encryption query (t_1, x_1) → y_1, with internal values u_1, v_1 = P_1(u_1), u_2, v_2 = P_2(u_2)
  • encryption query (t_2, x_2) with x_1 ⊕ x_2 = t_1 ⊕ t_2 → y_2, with the same u_1, v_1 and new internal values u′_2, v′_2
  • decryption query (t_3, y_3) → x_3, with internal values u′_1, v′_1
  • decryption query (t_4, y_4) → x_4, where t_1 ⊕ t_2 ⊕ t_3 ⊕ t_4 = 0
  • checks that x_3 ⊕ x_4 = t_3 ⊕ t_4 (∗)

  • 4 queries to the enc/dec oracle, 0 queries to P_1, P_2
  • (∗) holds with probability 1 for the TEM construction
  • (∗) holds with probability 2^{−n} for a random tweakable permutation
  • works for any linear TKS

SLIDE 58

Security for Three Rounds

Figure: three-round TEM with linear TKS, y = P_3(P_2(P_1(x ⊕ k ⊕ t) ⊕ k ⊕ t) ⊕ k ⊕ t) ⊕ k ⊕ t.

Theorem ([CS15, FP15])

The 3-round TEM with linear TKS is a strong tweakable PRP:

  Adv(q_c, q_p) ≤ 6 q_c q_p / 2^n + 4 q_c² / 2^n.

Proof sketch:

  • adversary can create collisions at the input of P_1 or at the output of P_3
  • but the probability to create a collision at P_2 is q_c² / 2^n
  • no collision at P_2 ⇒ ∼ single-key security of 1-round EM, q_c q_p / 2^n
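As an added example (not code from the talk or the paper), the Python below models an r-round TEM with the linear TKS f_i(k, t) = k ⊕ t on 8-bit blocks, drawing the public permutations P_i as seeded random permutations (a miniature Random Permutation Model), and measures how often the relations (∗) of the one-round and two-round slides hold for 1, 2 and 3 rounds and for a random tweakable permutation. The block size n = 8 and the decryption queries y_3 = y_1 ⊕ t_1 ⊕ t_3, y_4 = y_2 ⊕ t_2 ⊕ t_4 are my choices; the two-round slide only states the tweak condition.

```python
import random
from typing import List, Tuple

# Added example, not code from the talk: r-round tweakable Even-Mansour with
# the linear TKS f_i(k, t) = k ^ t on 8-bit blocks.  The public permutations
# P_i are seeded random permutations; n is tiny only so that runs are cheap.
N_BITS = 8
DOMAIN = 1 << N_BITS


def random_permutation(seed: int) -> Tuple[List[int], List[int]]:
    """A public random permutation on {0,1}^n (one P_i) and its inverse."""
    table = list(range(DOMAIN))
    random.Random(seed).shuffle(table)
    inverse = [0] * DOMAIN
    for u, v in enumerate(table):
        inverse[v] = u
    return table, inverse


class LinearTEM:
    """Real world: y = P_r(... P_1(x ^ k ^ t) ^ k ^ t ...) ^ k ^ t."""

    def __init__(self, rounds: int, key: int, seed: int = 0) -> None:
        self.key = key % DOMAIN
        self.perms = [random_permutation(seed + i) for i in range(rounds)]

    def encrypt(self, t: int, x: int) -> int:
        rk = self.key ^ t            # linear TKS: every round key is k ^ t
        u = x ^ rk
        for fwd, _ in self.perms:
            u = fwd[u] ^ rk
        return u

    def decrypt(self, t: int, y: int) -> int:
        rk = self.key ^ t
        v = y ^ rk
        for _, inv in reversed(self.perms):
            v = inv[v] ^ rk
        return v


class RandomTweakablePermutation:
    """Ideal world: an independent random permutation for every tweak."""

    def __init__(self, seed: int = 1000) -> None:
        self.seed, self.tables = seed, {}

    def _perm(self, t: int) -> Tuple[List[int], List[int]]:
        if t not in self.tables:
            self.tables[t] = random_permutation(self.seed + t)
        return self.tables[t]

    def encrypt(self, t: int, x: int) -> int: return self._perm(t)[0][x]
    def decrypt(self, t: int, y: int) -> int: return self._perm(t)[1][y]


def one_round_relation(oracle, t1: int, x1: int, t2: int) -> bool:
    """One-round slide's (*): with x1 ^ x2 = t1 ^ t2 both queries feed the
    same value into P_1, so y1 ^ y2 = t1 ^ t2 whenever there is one round."""
    y1 = oracle.encrypt(t1, x1)
    y2 = oracle.encrypt(t2, x1 ^ t1 ^ t2)
    return y1 ^ y2 == t1 ^ t2


def two_round_relation(oracle, t1: int, x1: int, t2: int, t3: int) -> bool:
    """Two-round slide's (*): two encryption and two decryption queries with
    t1 ^ t2 ^ t3 ^ t4 = 0, then check x3 ^ x4 = t3 ^ t4.  Choosing y3, y4 so
    that they reuse the P_2 outputs of queries 1 and 2 is my reading of the
    figure (assumption); the slide only states the tweak condition."""
    t4 = t1 ^ t2 ^ t3
    y1 = oracle.encrypt(t1, x1)
    y2 = oracle.encrypt(t2, x1 ^ t1 ^ t2)
    x3 = oracle.decrypt(t3, y1 ^ t1 ^ t3)
    x4 = oracle.decrypt(t4, y2 ^ t2 ^ t4)
    return x3 ^ x4 == t3 ^ t4


def relation_rate(oracle, relation: str, trials: int = 2000, seed: int = 7) -> float:
    """Fraction of random query sets (pairwise distinct tweaks, so the relation
    is never trivially true) for which it holds: 1.0 for the round count the
    relation was built for, about 2^-n for more rounds or the ideal world."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        t1, t2, t3 = rng.sample(range(DOMAIN), 3)
        x1 = rng.randrange(DOMAIN)
        if relation == "one-round":
            hits += one_round_relation(oracle, t1, x1, t2)
        else:
            hits += two_round_relation(oracle, t1, x1, t2, t3)
    return hits / trials


if __name__ == "__main__":
    for r in (1, 2, 3):
        tem = LinearTEM(r, key=0x5A)
        print(r, relation_rate(tem, "one-round"), relation_rate(tem, "two-round"))
```

With one round the first relation holds every time, with two rounds the second one does, and with three rounds (or the ideal world) both drop to roughly 2^{-n}, which is the picture behind the three-round theorem.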

slide-62
SLIDE 62

Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion

Tightness of the Bound

x P1 k ⊕ t P2 k ⊕ t P3 k ⊕ t y k ⊕ t

  • can be written

E(k, t, x) = E(k⊕t, x) where E is the conventional 3-round EM cipher with trivial key-schedule

  • ⇒ secure up to 2n/2 queries at best by a simple collision attack:
  • 1. query ci =

Ek∗(ti, 0) = E(k∗ ⊕ ti, 0) for 2n/2 tweaks ti

  • 2. compute c′

j =

Ekj(0, 0) = E(kj, 0) for 2n/2 keys kj

  • 3. look for a collision ci = c′

j

  • 4. w.h.p., the real key is k∗ = ti ⊕ kj
  • ⇒ increasing the number of rounds does not improve security

Yannick Seurin Constructing TBCs in the RPM ASK 2015 17 / 36

Question

Construction with fewer permutations?


SLIDE 66

Back to LRW

  • instantiate E with the 1-round Even-Mansour construction $E_{k'}(x) = P(x \oplus k') \oplus k'$, so that LRW becomes
    $\tilde{E}(k, k', t, x) = P(x \oplus (k \otimes t) \oplus k') \oplus (k \otimes t) \oplus k'$
  • provably secure in the RPM up to ∼ $2^{n/2}$ queries [FP15, CLS15]:
    $\mathrm{Adv}(q_c, q_p) \le \frac{q_c^2}{2^n} + \frac{2 q_c q_p}{2^n}.$
  • $t \ne 0$ ⇒ $k'$ is superfluous ($k \otimes t$ is uniformly random for any $t \ne 0$)

SLIDE 71

Back to LRW

  • dropping $k'$ gives the Non-Linear Tweakable Even-Mansour (NL-TEM) construction: $\tilde{E}(k, t, x) = P(x \oplus (k \otimes t)) \oplus (k \otimes t)$
  • provably secure in the RPM up to ∼ $2^{n/2}$ queries [FP15, CLS15]:
    $\mathrm{Adv}(q_c, q_p) \le \frac{q_c^2}{2^n} + \frac{2 q_c q_p}{2^n}.$
  • $t \ne 0$ ⇒ $k'$ is superfluous ($k \otimes t$ is uniformly random for any $t \ne 0$)

SLIDE 72

Birthday-Bound Security: Wrap-up

Two constructions provably secure up to the birthday bound:

  • 1. linear TKS: 3-round TEM, $y = P_3(P_2(P_1(x \oplus k \oplus t) \oplus k \oplus t) \oplus k \oplus t) \oplus k \oplus t$
  • 2. nonlinear TKS: 1-round NL-TEM, $y = P(x \oplus (k \otimes t)) \oplus (k \otimes t)$

Question

Constructions secure beyond the birthday bound?


SLIDE 76

Outline

  • Background: Tweakable Block Ciphers
  • Tweakable Even-Mansour Constructions
  • Birthday-Bound Secure Constructions
  • Beyond-Birthday-Bound Secure Constructions
  • Conclusion and Perspectives

SLIDE 77

Cascading the LRW Construction

[Figure: r-round cascade of LRW from $x$ to $y$, round $i$ mapping $x \mapsto E_{k_i}(x \oplus (k'_i \otimes t)) \oplus (k'_i \otimes t)$]

  • $k_1, \ldots, k_r$ and $k'_1, \ldots, k'_r$ independent keys ⇒ total key-length = $r(\kappa + n)$
  • 2 rounds: provably secure up to ∼ $2^{2n/3}$ queries [LST12]
  • r rounds, r even: provably secure up to ∼ $2^{rn/(r+2)}$ queries [LS13]
  • NB: only assuming E is a PRP (standard security notion, no ideal model)


SLIDE 82

Cascading the NL-TEM Construction

  • $k_1, k_2$ independent n-bit keys

[Figure: 2-round NL-TEM, the cascade of two 1-round NL-TEM constructions built on $P_1$ and $P_2$ with masks $k_1 \otimes t$ and $k_2 \otimes t$]

Theorem ([CLS15])

The 2-round NL-TEM construction is secure up to ∼ $2^{2n/3}$ queries in the RPM:
$\mathrm{Adv}(q_c, q_p) \le \frac{34\, q_c^{3/2}}{2^n} + \frac{30 \sqrt{q_c}\, q_p}{2^n}.$
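As an added example (not code from the talk or from the CLS15 paper), a toy NL-TEM in Python covering both the 1-round construction of the "Back to LRW" slides and the 2-round cascade above: GF(2^n) multiplication for ⊗, a public random permutation standing in for each RPM oracle, encryption and decryption, and a check that k ⊗ t is uniformly distributed exactly when t ≠ 0, which is why k′ is superfluous and why the tweak t = 0 leaves the construction keyless. Assumptions: n = 8, the AES polynomial to define GF(2^8), and the 2-round construction modelled as the cascade of two 1-round NL-TEM instances.

```python
import random

N = 8            # toy block size in bits (constructed; the talk's n would be e.g. 128)
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, the AES field polynomial (assumption: any
                 # irreducible polynomial of degree N would do)

def gf_mul(a, b):
    """Multiply a and b in GF(2^N): the ⊗ of the nonlinear tweak-key schedule k ⊗ t."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: reduce modulo POLY
            a ^= POLY
    return r

def random_permutation(rng):
    """A public random permutation of {0,1}^N and its inverse (stand-in for an RPM oracle P_i)."""
    perm = list(range(1 << N))
    rng.shuffle(perm)
    inv = [0] * (1 << N)
    for u, v in enumerate(perm):
        inv[v] = u
    return perm, inv

def nltem_encrypt(perms, keys, t, x):
    """r-round NL-TEM as the cascade of 1-round constructions: round i computes
    x <- P_i(x ⊕ k_i⊗t) ⊕ k_i⊗t, so consecutive masks merge into (k_i ⊕ k_{i+1})⊗t."""
    for (p, _), k in zip(perms, keys):
        m = gf_mul(k, t)
        x = p[x ^ m] ^ m
    return x

def nltem_decrypt(perms, keys, t, y):
    """Inverse of nltem_encrypt: undo the rounds in reverse order with P_i^{-1}."""
    for (_, pinv), k in reversed(list(zip(perms, keys))):
        m = gf_mul(k, t)
        y = pinv[y ^ m] ^ m
    return y

def mask_is_uniform(t):
    """True iff k -> k⊗t is a bijection of {0,1}^N, i.e. the mask k⊗t is uniformly
    random for a uniform key k. Holds for every t != 0 and fails for t = 0."""
    return len({gf_mul(k, t) for k in range(1 << N)}) == (1 << N)

def demo(seed=2015):
    """Return (round_trips_ok, t0_is_keyless) for a 1-round and a 2-round instance."""
    rng = random.Random(seed)
    perms = [random_permutation(rng) for _ in range(2)]     # P1, P2
    keys = [rng.randrange(1, 1 << N) for _ in range(2)]      # k1, k2 independent n-bit keys
    # decryption inverts encryption for the 1-round construction and the 2-round cascade
    ok = all(nltem_decrypt(perms[:r], keys[:r], t,
                           nltem_encrypt(perms[:r], keys[:r], t, x)) == x
             for r in (1, 2) for t in (1, 0x53, 0xFF) for x in range(1 << N))
    # with t = 0 the mask k⊗0 vanishes: the 1-round construction is just the public P1
    keyless = all(nltem_encrypt(perms[:1], keys[:1], 0, x) == perms[0][0][x]
                  for x in range(1 << N))
    return ok, keyless

if __name__ == "__main__":
    print(demo(), all(mask_is_uniform(t) for t in range(1, 1 << N)), mask_is_uniform(0))
```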


SLIDE 84

Proof Technique: H-coefficients

[Figure: real world, the distinguisher D makes $q_c$ queries to the r-round NL-TEM construction $x \mapsto y$ built on $P_1, \ldots, P_r$ with masks $k_1 \otimes t, \ldots, k_r \otimes t$, and $q_p$ queries to $P_1, \ldots, P_r$; ideal world, D makes $q_c$ queries to a random tweakable permutation $\tilde{P}_0$ and $q_p$ queries to $P_1, \ldots, P_r$]

  • 1. consider the transcript of all queries of D to the construction and to the inner permutations
  • 2. define bad transcripts and show that their probability is small (in the ideal world)
  • 3. show that good transcripts are almost as probable in the real and the ideal world



SLIDE 96

Bad Transcripts

  • one needs to avoid “two-fold” collisions:

[Figure: 2-round NL-TEM with a construction query $(t, x)$ whose inner $P_1$ values $(u_1, v_1)$ and $P_2$ values $(u_2, v_2)$ both collide with permutation queries: probability $\le \frac{q_c q_p^2}{2^{2n}}$; and two construction queries $(t, x)$, $(t', x')$ colliding at both $P_1$ and $P_2$: probability $\le \frac{q_c^2}{2^{2n}}$]

SLIDE 97

The Ten “Bad Collision” Cases

[Figure: the ten two-fold collision patterns, each pairing a collision at $P_1$ (values $u_1, v_1$ and $u'_1, v'_1$) with a collision at $P_2$ (values $u_2, v_2$ and $u'_2, v'_2$) among construction queries $(t, x)$, $(t', x')$, $(t, y)$, $(t', y')$, $(t'', y'')$ and permutation queries]

SLIDE 98

Distribution of Good Transcripts

[Figure: the construction queries are partitioned into classes $Q_{U_1}$, $Q_{V_2}$, $Q_X$, $Q_Y$ and $Q_0$ according to which of their inner $P_1$/$P_2$ values ($U_1, V_1, U_2, V_2$ and their primed variants) are already determined by other queries]

  • assuming there are no bad collisions, show that the answers of the TEM construction are close to answers of a random tweakable permutation
  • for each query, there is a “fresh” value of P1 or P2 which randomizes the output


SLIDE 100

Longer Cascades of the NL-TEM Construction

[Figure: r-round NL-TEM from $x$ to $y$, built on $P_1, \ldots, P_r$ with masks $k_1 \otimes t, \ldots, k_r \otimes t$]

  • r rounds, r even, with independent keys $k_1, \ldots, k_r$: secure up to ∼ $2^{rn/(r+2)} = 2^{(r/2)n/((r/2)+1)}$ queries
  • proof:
  • 1. non-adaptive security for r/2 rounds (coupling technique)
  • 2. adaptive security for r rounds (“two weak make one strong” composition theorem)
  • conjecture: secure up to ∼ $2^{rn/(r+1)}$ queries


SLIDE 104

BBB Security with a Linear TKS

  • $k_1, k_2$ independent n-bit keys

[Figure: 4-round TEM with alternating linear TKS, $y = P_4(P_3(P_2(P_1(x \oplus k_1 \oplus t) \oplus k_2 \oplus t) \oplus k_1 \oplus t) \oplus k_2 \oplus t) \oplus k_1 \oplus t$]

Theorem (B. Cogliati, Y.S., AC 2015)

The 4-round TEM with “alternating” linear TKS is secure up to ∼ $2^{2n/3}$ queries in the RPM.

Proof idea:

  • exclude bad events related to P1 and P4
  • “reduction” to 2-round NL-TEM security based on (P2, P3)


SLIDE 107

Outline

  • Background: Tweakable Block Ciphers
  • Tweakable Even-Mansour Constructions
  • Birthday-Bound Secure Constructions
  • Beyond-Birthday-Bound Secure Constructions
  • Conclusion and Perspectives

SLIDE 108

Conclusion

$2^{2n/3}$-secure constructions:

  • 1. linear TKS: 4-round TEM with the alternating masks $k_1 \oplus t, k_2 \oplus t, k_1 \oplus t, k_2 \oplus t, k_1 \oplus t$ around $P_1, \ldots, P_4$
  • 2. nonlinear TKS: 2-round NL-TEM with masks $k_1 \otimes t$ and $k_2 \otimes t$ around $P_1, P_2$

Open problems:

  • 1. prove tight $2^{rn/(r+1)}$-security for r-round NL-TEM, $r \ge 3$
  • 2. propose a construction with linear TKS and security $> 2^{2n/3}$
  • 3. reduce key length for BBB-security


SLIDE 112

Link with the TWEAKEY Framework

  • proposed by Jean, Nikolić, and Peyrin [JNP14]
  • Superposition TWEAKEY (STK) constructions:

[Figure: STK construction $x \to P_1 \to P_2 \to \cdots \to P_r \to y$, where each round mask XORs a value derived from the key $k$ through $f$ with a value derived from the tweak $t$ through $g$]

  • sufficient conditions on f and g to have provable beyond-birthday-bound security in the RPM?
  • NB: f = g linear does not work since $\tilde{E}(k, t, x) = E(k \oplus t, x)$


SLIDE 116

The end...

Thanks for your attention! Comments or questions?

SLIDES 117–120

References

[CLS15] Benoît Cogliati, Rodolphe Lampe, and Yannick Seurin. Tweaking Even-Mansour Ciphers. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology - CRYPTO 2015 - Proceedings, Part I, volume 9215 of LNCS, pages 189–208. Springer, 2015. Full version available at http://eprint.iacr.org/2015/539.

[Cro00] Paul Crowley. Mercy: A Fast Large Block Cipher for Disk Sector Encryption. In Bruce Schneier, editor, Fast Software Encryption - FSE 2000, volume 1978 of LNCS, pages 49–63. Springer, 2000.

[CS15] Benoît Cogliati and Yannick Seurin. On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 - Proceedings, Part I, volume 9056 of LNCS, pages 584–613. Springer, 2015. Full version available at http://eprint.iacr.org/2015/069.

[FLS+10] Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash Function Family. SHA3 Submission to NIST (Round 3), 2010.

[FP15] Pooya Farshim and Gordon Procter. The Related-Key Security of Iterated Even-Mansour Ciphers. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of LNCS, pages 342–363. Springer, 2015. Full version available at http://eprint.iacr.org/2014/953.

[GHL+07] David Goldenberg, Susan Hohenberger, Moses Liskov, Elizabeth Crump Schwartz, and Hakan Seyalioglu. On Tweaking Luby-Rackoff Blockciphers. In Kaoru Kurosawa, editor, Advances in Cryptology - ASIACRYPT 2007, volume 4833 of LNCS, pages 342–356. Springer, 2007.

[JNP14] Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and Keys for Block Ciphers: The TWEAKEY Framework. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology - ASIACRYPT 2014 - Proceedings, Part II, volume 8874 of LNCS, pages 274–288. Springer, 2014.

[LRW02] Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable Block Ciphers. In Moti Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of LNCS, pages 31–46. Springer, 2002.

[LS13] Rodolphe Lampe and Yannick Seurin. Tweakable Blockciphers with Asymptotically Optimal Security. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of LNCS, pages 133–151. Springer, 2013.

[LST12] Will Landecker, Thomas Shrimpton, and R. Seth Terashima. Tweakable Blockciphers with Beyond Birthday-Bound Security. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012, volume 7417 of LNCS, pages 14–30. Springer, 2012. Full version available at http://eprint.iacr.org/2012/450.

[Men15] Bart Mennink. Optimally Secure Tweakable Blockciphers. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of LNCS, pages 428–448. Springer, 2015. Full version available at http://eprint.iacr.org/2015/363.

[MI08] Atsushi Mitsuda and Tetsu Iwata. Tweakable Pseudorandom Permutation from Generalized Feistel Structure. In Joonsang Baek, Feng Bao, Kefei Chen, and Xuejia Lai, editors, ProvSec 2008, volume 5324 of LNCS, pages 22–37. Springer, 2008.

[Min09] Kazuhiko Minematsu. Beyond-Birthday-Bound Security Based on Tweakable Block Cipher. In Orr Dunkelman, editor, Fast Software Encryption - FSE 2009, volume 5665 of LNCS, pages 308–326. Springer, 2009.

[Rog04] Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of LNCS, pages 16–31. Springer, 2004.

[Sch98] Richard Schroeppel. The Hasty Pudding Cipher. AES submission to NIST, 1998.