Short Variable Length Domain Extenders With Beyond Birthday Bound Security



SLIDE 1

Short Variable Length Domain Extenders With Beyond Birthday Bound Security

Yu Long Chen (1), Bart Mennink (2), Mridul Nandi (3)

(1) imec-COSIC, KU Leuven; (2) Digital Security Group, Radboud University, Nijmegen; (3) Indian Statistical Institute, Kolkata

December 3, 2018

SLIDES 2-3

Modes of Operation

◮ Block cipher: fixed-input-length (FIL)
◮ Apply block cipher iteratively

[Figure: CBC mode. Message blocks M1, M2, ..., Ml−1, Ml; each block is XORed with the previous ciphertext block (the IV for the first block) and enciphered with EK, giving C1, C2, ..., Cl−1, Cl.]

SLIDES 4-7

Modes of Operation

Fractional data ⇒ padding

[Figure: CBC+padding. Full blocks M1, M2, ..., Ml−1 and a fractional last block M*l, which is padded with 10* to a full block; the chain is XORed with the IV / the previous ciphertext block and enciphered with EK, giving C1, C2, ..., Cl−1, Cl.]

Ciphertext expansion: |C| > |M|

SLIDES 8-15

Avoiding Ciphertext Expansion

1. CTR: turns block cipher into stream cipher
   ⇒ not suitable for some applications
2. Non-generic methods: EME, TET, HEH, HCTR, HCH, XCB
3. Ciphertext stealing:

[Figure: CBC with ciphertext stealing. Full blocks M1, M2, ..., Ml−1 and a fractional last block M*l padded with 10*; CBC encryption with the IV and EK yields C1, C2, ..., Cl−1, Cl. The full last block Cl is output and the penultimate block is truncated to C*l−1, so the ciphertext is as long as the message.]

◮ Condition: Ci's need to be decrypted independently

SLIDE 16

Length Doublers

[Figure: (M1, M2) → length doubler [n-bit enciphering scheme] → (C1, C2)]

◮ |M1| = |C1| = n = block size
◮ |M2| = |C2| ∈ [0, n − 1]

SLIDES 17-19

Beyond Birthday Bound Length Doubler

◮ Format-preserving encryption
◮ Electronic product code tag encryption

[Figure: an 80-bit M is enciphered to an 80-bit C by a doubler built from a 64-bit block cipher. With a 2^{n/2} doubler: 32-bit security. With a 2^{3n/4} doubler: 48-bit security.]

SLIDES 20-21

Security Definition

[Figure: adversary A interacts either with the real world, the keyed scheme under key K in forward and inverse direction, or with the ideal world, a random permutation ρ±.]

◮ Adversary A makes q queries to oracle (EK or ρ)
◮ Strong length-preserving pseudorandom permutation ⇔ A cannot determine which world it is interacting with

SLIDE 22

Round Function F[ẼK]

[Figure: inputs M1 (n bits) and M2 (s bits). M2 padded with 10* forms the tweak T1 of ẼK1, which enciphers M1 into Y; Y is split into leftn−s(Y) (n − s bits) and rights(Y) (s bits). Outputs C1 (n bits) and C2 (s bits).]

SLIDES 23-24

2-LDT

Security upper bound:
◮ 2^{n−(s/2)}

Security lower bound:
◮ 2^{n/2} (ToSC 2017(3))
◮ "New bound"

SLIDE 25

3-LDT

Security lower bound:
◮ "New bound"
◮ Better bound than 2-LDT
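As an added worked example (not code from the paper or the talk), the r-call length doubler sketched in the round-function and 2-LDT/3-LDT slides, instantiated with a 64-bit toy tweakable block cipher built from a keyed Feistel network (a stand-in for ẼK, not a secure cipher). The tweak T = M2 ‖ 10* and the leftn−s/rights split follow the slide labels; the wiring between calls (the s rightmost output bits are swapped with the side value) and the choice that the last call's output is (C1, C2) are my assumptions.

```python
import hashlib

N = 64  # block size n in bits (toy choice; the talk's EPC example also uses a 64-bit block cipher)

def _f(key: bytes, tweak: int, rnd: int, half: int) -> int:
    """Keyed Feistel round function: SHA-256 over (key, tweak, round, half), cut to n/2 bits.
    Constructed for this example only; NOT a secure cipher."""
    data = key + tweak.to_bytes(N // 8, "big") + bytes([rnd]) + half.to_bytes(N // 16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: N // 16], "big")

def tbc_enc(key: bytes, tweak: int, x: int) -> int:
    """4-round Feistel tweakable permutation on n-bit ints: stand-in for E~_K(T, X)."""
    h, mask = N // 2, (1 << (N // 2)) - 1
    l, r = x >> h, x & mask
    for rnd in range(4):
        l, r = r, l ^ _f(key, tweak, rnd, r)
    return (l << h) | r

def tbc_dec(key: bytes, tweak: int, y: int) -> int:
    """Inverse of tbc_enc: the same rounds undone in reverse order."""
    h, mask = N // 2, (1 << (N // 2)) - 1
    l, r = y >> h, y & mask
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, tweak, rnd, l), l
    return (l << h) | r

def pad10(m2: int, s: int) -> int:
    """10* padding used as the tweak: the s-bit M2, a 1 bit, then zeros up to n bits.
    Injective over 0 <= s <= n-1, so M2 values of different lengths never share a tweak."""
    assert 0 <= s < N and m2 >> s == 0
    return (m2 << (N - s)) | (1 << (N - s - 1))

def ldt_enc(keys, m1: int, m2: int, s: int):
    """r-LDT encryption (r = len(keys)): |M1| = n, |M2| = s. Between two calls the s rightmost
    bits of the output are swapped with the s-bit side value (assumed wiring)."""
    x, side = m1, m2
    for i, k in enumerate(keys):
        y = tbc_enc(k, pad10(side, s), x)
        if i == len(keys) - 1:
            return y, side                      # C1 is n bits, C2 is s bits: no expansion
        x, side = ((y >> s) << s) | side, y & ((1 << s) - 1)

def ldt_dec(keys, c1: int, c2: int, s: int):
    """r-LDT decryption: undo the last call, then each (swap, call) pair in reverse."""
    y, side = c1, c2
    x = tbc_dec(keys[-1], pad10(side, s), y)
    for k in reversed(keys[:-1]):
        y, side = ((x >> s) << s) | side, x & ((1 << s) - 1)   # undo the swap
        x = tbc_dec(k, pad10(side, s), y)
    return x, side
```

Two keys give 2-LDT and three give 3-LDT; the round trip for any s in [0, n − 1] shows the length preservation the talk needs, including the edge cases s = 0 (empty M2) and s = n − 1.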

SLIDE 26

Security Analysis of 3-LDT

[Plot: security (y-axis ticks n/2, 5n/8, 2n/3, 3n/4, 5n/6, 7n/8, 11n/12, n) against smin (x-axis ticks const, n/4, n/2, 3n/4, n − 2 log2(n)), with two curves: smax ≈ smin and smax ≈ (n + smin)/2.]

smin ≤ smax ≤ (n + smin)/2

SLIDE 27

Security Bound of 2-LDT and 3-LDT

[Plot: security (y-axis ticks n/2, 7n/12, 2n/3, 3n/4, 5n/6, 11n/12, n) against input size (x-axis ticks n, 5n/4, 3n/2, 7n/4, 2n − 1); • = 2-LDT, ⋆ = 3-LDT.]

SLIDES 28-31

Harmonic Permutation Primitives

(Tweakable) pseudorandom permutation Ga,b and Ha,b
◮ a, b ∈ {0, 1}
◮ a = forward, b = inverse
◮ 0 = random permutation, 1 = special

[Figure: the four cases (a, b) = (0, 0), (0, 1), (1, 0), (1, 1); the case a = 0, b = 0 is the ideal primitive.]

SLIDES 32-35

Harmonic Permutation Primitives

If a = 1 or b = 1, then part of permutation random

[Figure: the n-bit value is split into an s-bit part, on which the primitive is random, and an (n − s)-bit part, on which it is a permutation.]

SLIDE 36

Proof Idea

[Figure: 3-LDT with three tweakable block cipher calls ẼK1, ẼK2, ẼK3 under 10*-padded tweaks T1, T2, T3. Inputs M1 (n bits) and M2 (s bits); after the first and second call the output Yi is split into leftn−s(Yi) and rights(Yi); outputs C1 (n bits) and C2 (s bits). Compared against the ideal world (M1, M2) → ρ → (C1, C2).]

SLIDE 37

Proof Idea

π̃1, π̃2, π̃3 ←$ Perm(n, n)

[Figure: the same 3-LDT diagram with ẼK1, ẼK2, ẼK3 replaced by the random tweakable permutations π̃1, π̃2, π̃3, compared against ρ.]

SLIDE 38

Proof Idea

[Figure: the 3-LDT diagram with all three calls instantiated by G0,0, compared against H0,0 on (M1, M2) → (C1, C2).]

SLIDE 39

Proof Idea [Reduction]

SLIDE 40

Proof Idea [Step 1]

[Figure: 3-LDT with calls (G0,0, G0,0, G0,0) versus 3-LDT with calls (G0,1, G1,1, G1,0).]

SLIDE 41

Proof Idea [Step 1]

[Figure: the primitives G0,1, G1,1, G1,0 and G0,0, each drawn as a box with input M, output C and tweak T.]

SLIDES 42-43

Proof Idea [Step 2]

[Figure: 3-LDT with calls (G0,1, G1,1, G1,0) versus H1,1 on (M1, M2) → (C1, C2).]

Indistinguishable

SLIDE 44

Proof Idea [Step 3]

[Figure: H1,1 versus H0,0 on (M1, M2) → (C1, C2).]

SLIDES 45-47

Conclusion

New results
◮ Harmonic primitives
◮ 2-LDT: beyond birthday bound
◮ 3-LDT: better bound

Further research
◮ 2-LDT and 3-LDT: tight bound?
◮ 3-LDT: optimal security?
◮ Harmonic primitives: tight bound and use for other constructions?

Thank you for your attention!