Tweakable blockciphers with beyond-birthday-bound security Will - PowerPoint PPT Presentation

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and Seth Terashima Portland State University 1

Tweakable blockciphers (TBCs) Tweak T Input block X (τ bits) ( n bits) ◮ Add an extra input, a τ -bit tweak , to a blockcipher: Ē K E K : { 0 , 1 } τ × { 0 , 1 } n → { 0 , 1 } n � ◮ Each tweak gives new permutation Output block Y ( n bits) Tweak provides variability, giving a more natural starting point for designing symmetric-key constructions. 2

What are TBCs used for? TBCs are used in algorithms for ◮ Authenticated encryption (OCB) ◮ MACs/PRFs (PMAC, PMAC Plus) ◮ Hash functions (Skein) ◮ Blockcipher domain extenstion (LargeBlock1/2) Other constructions can be viewed as TBC-based, even if this is not explicit (e.g., CBC, EME, EME ∗ ) 3

STPRP experiment for a TBC � E World 1 (T,X) F ( T , X ) = � E K ( T , X ) F F(T,X) For a random key K (T,Y) World 0 F -1 F ( T , X ) = Π T ( X ) F -1 (T,Y) Where Π is a random blockcipher Adversary tries to guess if his oracle is the TBC � E with a random key, or a random blockcipher (an ideal cipher) that uses T as its key. 4

Building a TBC Tweak T Input block X (τ bits) ( n bits) CBC block operation is a TBC Problem: E K E ( T , X ⊕ C ) = � � E ( T ⊕ C , X ) Output block Y ( n bits) 5

Building a TBC Tweak T Input block X (τ bits) ( n bits) Adding another XOR doesn’t accomplish much. . . E K E ( T , X ⊕ C ) = � � E ( T ⊕ C , X ) ⊕ C Output block Y ( n bits) 6

The LRW2 tweakable blockcipher [LRW’02] Tweak T Input block X (τ bits) ( n bits) H K1 ◮ Birthday-bound secure STPRP (Assuming E is a SPRP and H is ǫ -AXU 2 ) E K2 ◮ Matching attacks exist Output block Y ( n bits) 7

Minematsu’s Tweak-Dependent-Rekeying TBC [Min’09] Provides beyond-birthday-bound Input block X 0 n-m Tweak T Tweak security! ( n bits) But. . . E K ◮ Tweak length must be significantly shorter than E n / 2 bits K' ◮ Need to change E ’s key with each tweak Output block Y ( n bits) 8

Our design goals Build a TBC that ◮ Provides beyond-birthday-bound-security ◮ Uses standard primitives (such as blockciphers) ◮ Does not rekey underlying components ◮ Permits arbitrarily-sized tweaks 9

Our construction: Chained LRW2 (CLRW2) Tweak H K1 H K3 E K2 E K4 X Y ◮ Provides beyond-birthday-bound-security ◮ Uses standard primitives (such as blockciphers) ◮ Does not rekey underlying components ◮ Permits arbitrarily-sized tweaks 10

Main result Theorem Let CLRW2 be defined as above, using a blockcipher E and an ǫ -AXU 2 hash function family, H. Then 6 q 3 ˆ ǫ 2 Adv � sprp CLRW2 ( q , t ) ≤ 2 Adv sprp ( q , t ′ ) + E 1 − q 3 ˆ ǫ 2 ǫ = max { ǫ, 1 / (2 n − 2 q ) } and t ′ ≈ t. where ˆ 11

Main result Theorem Let CLRW2 be defined as above, using a blockcipher E and an ǫ -AXU 2 hash function family, H. Then 6 q 3 ˆ ǫ 2 Adv � sprp CLRW2 ( q , t ) ≤ 2 Adv sprp ( q , t ′ ) + E 1 − q 3 ˆ ǫ 2 ǫ = max { ǫ, 1 / (2 n − 2 q ) } and t ′ ≈ t. where ˆ With practical ˆ ǫ , q 3 ˆ ǫ 2 ǫ 2 ≈ q 3 2 2 n . 1 − q 3 ˆ 12

Concrete security bounds 1 CLRW2 Birthday-Bounded TBCs Security bound 0 0 20 40 60 80 100 log 2 q Security bound after q queries (assuming a secure 128-bit blockcipher). 13

Proof intuition Tweak H K1 π 1 X Y "Collision point" Behaves very similarly to an ideal cipher unless there is a collision. 14

Proof intuition Tweak H K1 H K3 π 1 π 2 X Y "Collision points" Behaves very similarly to an ideal cipher unless there are two independent collisions on the same query. 14

Key proof trick CLRW2 distribution Ideal distribution If there’s no first-round collision, the CLRW2 output space { 0 , 1 } n can be partitioned into four sets, with outputs uniformly distributed within each set. Statistical distance between this distribution and ideal distribution proportional to | S 3 | . 15

Some natural questions Tweak H K1 H K3 E K2 E K4 X Y Can we reduce the number of keys? Possibly secure, would require substantive proof changes Would more rounds give even better security? Conjecture: r rounds secure against q ≪ 2 rn / ( r +1) queries Can this be simplified? Removing any ⊕ operation permits attacks with O (2 n / 2 ) queries 16

CLRW2 is our main new result. But let’s look at another. . . 17

TBC-MAC ◮ Proposed (but not analyzed) in LRW paper ◮ Similar to CBC-MAC, but chains through the tweak M 1 M 2 M L Ē K Ē K Ē K 0 n ... Tag E ( B ) + ( q ℓ ) 2 TBCMAC[ E ] ( A ) ≤ Adv � Adv prf prp 2 n Seems like we should be able to do better. . . 18

TBC-MAC2 Nonce-based PRF resistant to nonce-misuse. M 1 M 2 M 3 M L Ē K Ē K Ē K Ē K 0 n | 0 | 0 b • | 0 | 0 b • | 0 | 0 b • | 1 N ... Tag � Adv � prp E ( B ) if nonces are distinct, Adv prf TBCMAC2[ E ] ( A ) ≤ E ( B ) + q 2 ( ℓ +1) 2 Adv � prp constant “nonce” 2 n − 1 In general, the second term is quadratic in the maximum number of times a given nonce is repeated. 19

Thank you! Tweak H K1 H K3 E K2 E K4 X Y 1 CLRW2 Birthday-Bounded TBCs Security bound 0 0 20 40 60 80 100 log 2 q 20