Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model
Jooyoung Lee, Byeonghak Lee KAIST
Tweakable Block Cipher

- A tweakable block cipher accepts an additional input, the "tweak"
- Tweaks are publicly used
- Provide variability to the block cipher
- Can be used to construct various cryptographic schemes
- Tweakable Authenticated Encryption (Liskov, Rivest, Wagner)
- OCB modes of operation
- Dedicated construction
- Block cipher-based construction
- Permutation-based construction

- Using fixed keys (independent of tweaks)
  ... random permutation (up to the security of TBC)
- Using tweak-dependent keys
  ... primitive
- How should we model secure tweakable block ciphers?
  ... make the keyed block cipher behave like an independent random permutation
  ... allowed oracle access to the underlying tweakable block cipher
- A tweakable block cipher on $\{0,1\}^n$ with key space $\mathcal{K}$ and tweak space $\mathcal{T}$ is a function $E: \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ such that $E(K, T, \cdot)$ (also denoted $E_K(T, \cdot)$) is a permutation on $\{0,1\}^n$ for each pair of key and tweak $(K, T)$.
- A tweakable permutation on $\{0,1\}^n$ with tweak space $\mathcal{T}$ is a function $\tilde{P}: \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ such that $\tilde{P}(T, \cdot)$ is a permutation on $\{0,1\}^n$ for each tweak $T$.
- An ideal tweakable permutation is a tweakable permutation chosen uniformly at random from the set of all tweakable permutations.
- No distinguisher should be able to tell apart a tweakable block cipher with a secret random key from an ideal tweakable permutation by making a certain number of oracle queries.
[Figure: $E_K(T, \cdot)$ in the real world vs. an ideal tweakable permutation in the ideal world; the distinguisher must decide "Real? or Ideal?"]
- An (information-theoretic) adversary is allowed oracle access to both the construction and the ideal cipher
[Figure: the construction built from the ideal cipher $E$ with tweak-dependent values $h(t)$ and $g(t)$, mapping $x$ to $y$, next to oracle access to $E$ (real world) vs. an ideal tweakable permutation $\tilde{P}$ next to $E$ (ideal world); "Real? or Ideal?"]
- For a distinguisher $D$, its distinguishing advantage is defined by
  $$\mathbf{Adv}_{E}(D) = \left| \Pr\left[D^{\tilde{P}, E} = 1\right] - \Pr\left[D^{E_K, E} = 1\right] \right|,$$
  where $\tilde{P}$ is an ideal random tweakable permutation, $E$ is an ideal cipher and the key $K$ is uniformly random, all sampled independently.
- For positive integers $p$ and $q$,
  $$\mathbf{Adv}_{E}(p, q) = \max_{D} \mathbf{Adv}_{E}(D),$$
  where the maximum is taken over all distinguishers making $p$ block cipher queries and $q$ construction queries.
- $\tilde{F}[1]$ and $\tilde{F}[2]$ [Men15]: when based on an $n$-bit block cipher using $n$-bit keys, $\tilde{F}[1]$ is secure up to $2^{2n/3}$ queries and $\tilde{F}[2]$ is secure up to $2^n$ queries
- $E_1, \ldots, E_{32}$ [Lei+16]: when based on an $n$-bit block cipher using $n$-bit keys, each $E_i$ is secure up to $2^n$ queries (... block cipher call by precomputation)
- XHX [Jha+17] uses two types of hash functions; when based on an $n$-bit block cipher using $k$-bit keys, XHX is secure up to $2^{(n+k)/2}$ queries
[Figure: XHX built from $E$ with tweak-dependent key $h(t)$ and mask $g(t)$, mapping $x$ to $y$]
For (small) $\epsilon > 0$,
- A keyed function $h$ is $\epsilon$-almost uniform if for any $x$ and $z$, $\Pr[h(x) = z] \le \epsilon$.
- A keyed function $h$ is $\epsilon$-almost universal if for any $x \ne x'$, $\Pr[h(x) = h(x')] \le \epsilon$.
- A keyed function $h$ is $\epsilon$-almost xor-universal if for any $x \ne x'$ and any $z$, $\Pr[h(x) \oplus h(x') = z] \le \epsilon$.
Cryptology Laboratory @ GSIS, KAIST 15
- The input size of an $n$-bit block cipher using a $k$-bit key is $n + k$ bits.
- In the ideal cipher model, its information-theoretic security cannot go beyond $n + k$ bits (due to exhaustive key search).
- With respect to this size, the birthday bound should be $2^{(n+k)/2}$.
- Can we go beyond the birthday bound?
- XHX2: cascade of two independent copies of XHX

[Figure: XHX2, two XHX stages in cascade, the first built from $E_1$ with key $h_1(t)$ and mask $g_1(t)$, the second from $E_2$ with $h_2(t)$ and $g_2(t)$, mapping $x$ to $y$]

When $g_1$ and $g_2$ are $n$-bit $\delta$-almost uniform and universal hash functions, and $h_1$ and $h_2$ are $k$-bit $\delta'$-almost uniform and xor-universal hash functions,
$$\mathbf{Adv}_{\mathrm{XHX2}}(p, q) \le \text{(bound in } p, q, \delta, \delta', 2^n \text{ and } 2^k\text{; the expression is garbled in this extraction)},$$
where $\delta \approx 1/2^n$ and $\delta' \approx 1/2^k$. The bound yields the $\min(2(n+k)/3,\ n + k/2)$-bit security listed in the comparison table.
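As an added example (not from the slides or the authors' paper), the following Python models XHX and the XHX2 cascade over simulated ideal ciphers: each key gets its own independent random permutation, which is the ideal cipher model used above, and the two stages use independent ciphers $E_1$, $E_2$ as in the diagram. Assumptions: block and key size are both 8 bits so the almost-xor-universal property from the hash-function definitions can be checked exhaustively, and $g_i$, $h_i$ are instantiated as affine maps over GF(2^8), one valid choice that the slides do not specify.

```python
import random

N = 8           # toy block size n; the key size k is also 8 bits here
MOD = 0x11B     # AES polynomial x^8+x^4+x^3+x+1 defining GF(2^8)

def gf_mul(a, b):  # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (MOD if a & 0x80 else 0), b >> 1
    return r

def affine_hash(key, t):
    """Assumed hash h(t) = a*t + b over GF(2^8): 2^-n-almost uniform, universal, xor-universal."""
    return gf_mul(key[0], t) ^ key[1]

class IdealCipher:
    """Ideal cipher model: an independent random permutation per key, sampled on first use."""
    def __init__(self, seed=1):
        self.rng, self.perms = random.Random(seed), {}
    def _perm(self, k):
        if k not in self.perms:
            p = list(range(1 << N))
            self.rng.shuffle(p)
            self.perms[k] = (p, {v: u for u, v in enumerate(p)})
        return self.perms[k]
    def enc(self, k, u): return self._perm(k)[0][u]
    def dec(self, k, v): return self._perm(k)[1][v]

def xhx(stage, t, x, inverse=False):
    """XHX: y = E_{h(t)}(x xor g(t)) xor g(t); h derives the cipher key, g the mask."""
    E, hk, gk = stage
    m, k = affine_hash(gk, t), affine_hash(hk, t)
    return (E.dec if inverse else E.enc)(k, x ^ m) ^ m

def xhx2(stages, t, x, inverse=False):
    """XHX2: two independent XHX stages (E1, h1, g1), (E2, h2, g2) in cascade."""
    a, b = stages[::-1] if inverse else stages
    return xhx(b, t, xhx(a, t, x, inverse), inverse)

def axu_epsilon():
    """Exhaustive max over t != t', z of Pr_a[h(t) xor h(t') = z]; the difference is a*(t xor t')."""
    worst = 0
    for d in range(1, 1 << N):
        hits = [0] * (1 << N)
        for a in range(1 << N):
            hits[gf_mul(a, d)] += 1
        worst = max(worst, max(hits))
    return worst / (1 << N)
```

Calling `axu_epsilon()` returns exactly $2^{-8}$, matching the $\epsilon$ in the definitions, and `xhx2(..., inverse=True)` undoes `xhx2(...)` for every tweak, so the cascade is a tweakable permutation in the sense defined above.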
| Construction | Key size | Security | Efficiency: E | Efficiency: ⊕/H | Ref. |
|---|---|---|---|---|---|
| LRW | 2n | n/2 | 1 | 1 | [LRW02] |
| LRW[2] | 4n | 2n/3 | 2 | 2 | [LST12] |
| LRW[s] | 2tn | tn/(t+2) | t | t | [LS13] |
| F̃[1] | n | 2n/3 | 1 | 1 | [Men15] |
| F̃[2] | n | n | 2 | | [Men15] |
| E1, ..., E32 | n | n | 2 | | [Lei+16] |
| XHX | n+k | (n+k)/2 | 1 | 1 | [Jha+17] |
| XHX2 | 2n+2k | min(2(n+k)/3, n+k/2) | 2 | 2 | Our work |
- XTX is a tweak-length extension scheme (Minematsu and Iwata, IMACC 2015)
- Without allowing block cipher queries ($p = 0$), we can prove beyond-birthday-bound security for the cascade of two independent XTX constructions

[Figure: the two-stage cascade with $E_1$, $g_1(t)$, $h_1(t)$ and $E_2$, $g_2(t)$, $h_2(t)$, next to a single stage with $E$, $g(t)$, $h(t)$, each mapping $x$ to $y$]
- In the ideal cipher model, each key should define an independent random permutation
- The BBB bound might be useful when the underlying block cipher is relatively small (lightweight)
- Such a small block cipher might be vulnerable to related-key attacks (i.e., it does not fit the ideal cipher model)
- XHX2 is suitable for a block cipher with a small block size (with a strong key schedule)

Transcript: $\tau = (\tau_D, \tau_E, g_1, g_2, h_1, h_2)$, where $\tau_D = ((t_1, x_1, y_1), \ldots, (t_q, x_q, y_q))$ records the construction queries and $\tau_E = ((k_1, u_1, v_1), \ldots, (k_p, u_p, v_p))$ records the block cipher queries
[Figure: real world, XHX2 with stages $E_1$, $g_1(t)$, $h_1(t)$ and $E_2$, $g_2(t)$, $h_2(t)$ mapping $x$ to $y$, plus oracle access to $E_1/E_2$; ideal world, $\tilde{P}$ plus $E_1/E_2$; "Real? or Ideal?"]
1) $T_{id}$: probability distribution of $\tau$ in the ideal world
2) $T_{re}$: probability distribution of $\tau$ in the real world
$$\mathbf{Adv}_E(D) \le \| T_{id} - T_{re} \|$$

[Figure: transcripts plotted against their probability to appear, in the real and in the ideal world]
We can use the following lemma to upper bound the statistical distance.

Let $\Gamma = \Gamma_{good} \sqcup \Gamma_{bad}$ be a partition of the set of transcripts. Assume that there exist $\epsilon_1, \epsilon_2 > 0$ such that $\Pr[T_{id} \in \Gamma_{bad}] \le \epsilon_2$, and for any $\tau \in \Gamma_{good}$, $\frac{\Pr[T_{re} = \tau]}{\Pr[T_{id} = \tau]} \ge 1 - \epsilon_1$. Then one has $\| T_{id} - T_{re} \| \le \epsilon_1 + \epsilon_2$.
1) Define bad transcripts
2) Lower bound the ratio of the probabilities of obtaining a good transcript in the real world and in the ideal world
3) Apply the H-coefficient lemma
- Reduced query: combine keys and construction queries, $(t, x, y) \mapsto (h_1(t), h_2(t), x \oplus g_1(t), y \oplus g_2(t), g_1(t) \oplus g_2(t))$
- Black dots represent values fixed by block cipher queries, while white dots are "free"
[Figure: XHX2 stages $E_1$, $g_1(t)$, $h_1(t)$ and $E_2$, $g_2(t)$, $h_2(t)$ from $x$ to $y$, annotated with the collision bound $\le q^2 / 2^{n+2k}$]

- Avoid revealing any colliding internal path
- Upper bound the number of colliding pairs
- Avoid a multi-collision with a large multiplicity
[Figure: good-transcript diagram]

- Classify good queries into 5 classes
- Estimate the probability of completing the queries in each class
- In this way, we can lower bound $\Pr[T_{re} = \tau]$
- XHX2 is a TBC based on an $n$-bit block cipher with $k$-bit keys, providing $\min\left(\frac{2(n+k)}{3},\ n + \frac{k}{2}\right)$-bit security in the ideal cipher model

Open problems:
- Can we improve our security bound using an alternative approach (e.g., the expectation method)?
- What is the security of the 3-round XHX?