Tweaking Even-Mansour Ciphers, Benoît Cogliati, Rodolphe Lampe, Yannick Seurin (PowerPoint presentation, CRYPTO 2015)



Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion

Tweaking Even-Mansour Ciphers

Benoît Cogliati1 Rodolphe Lampe1 Yannick Seurin2

1Versailles University, France 2ANSSI, France

August 17, 2015 — CRYPTO 2015

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 1 / 26

Outline

  • Background: Tweakable Block Ciphers
  • Our Contribution
  • Overview of the Proof for Two Rounds
  • Longer Cascades
  • Conclusion and Perspectives

Tweakable Block Ciphers (TBCs)

[Figure: block diagram of a TBC E with plaintext x, key k and tweak t as inputs and ciphertext y as output]

  • tweak t: brings variability to the block cipher
  • t assumed public or even adversarially controlled
  • each tweak should give an “independent” permutation
  • few “natively tweakable” BCs:
    • Hasty Pudding Cipher [Sch98]
    • Mercy [Cro00]
    • Threefish [FLS+10]
    • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher

Generic Constructions of TBCs

  • A generic TBC construction turns a conventional block cipher E into a TBC Ẽ
  • example: LRW construction by Liskov et al. [LRW02]

[Figure: LRW construction, y = E_k(x ⊕ h_{k′}(t)) ⊕ h_{k′}(t)]

  • h is XOR-universal, e.g. h_{k′}(t) = k′ ⊗ t (field mult.)
  • secure up to ∼ 2^{n/2} queries
  • related construction XEX [Rog04] uses E_k(t) instead of h_{k′}(t) (used e.g. in the XTS disk encryption mode)

Cascading the LRW Construction

[Figure: r-round cascade of LRW; round i applies E_{k_i} with the mask k′_i ⊗ t XORed before and after it, i = 1, …, r]

  • k_1, …, k_r and k′_1, …, k′_r independent keys ⇒ total key-length = r(κ + n)
  • 2 rounds: provably secure up to ∼ 2^{2n/3} queries [LST12]
  • r rounds, r even: provably secure up to ∼ 2^{rn/(r+2)} queries [LS13]
  • NB: only assuming E is a PRP (standard security notion, no ideal model)

Outline: Our Contribution

Tweakable Even-Mansour Constructions

Our Goal

Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher).

  • “from scratch” → from some lower level primitive
    • from a PRF: Feistel schemes [GHL+07, MI08]
    • this work: SPN ciphers (more gen. key-alternating ciphers)

[Figure: key-alternating cipher with public permutations P_1, …, P_r and round keys f_0(k, t), f_1(k, t), …, f_r(k, t) derived from the key k and the tweak t]

  • analysis in the Random Permutation Model
  ⇒ “tweakable” Even-Mansour construction(s)

The Random Permutation Model (RPM)

[Figure: the adversary makes q_c queries to the tweakable construction (fixed key k, chosen tweak t and input x) and q_p queries to each of the public permutations P_1, …, P_r]

  • the P_i’s are modeled as public random permutation oracles (adversary can only make black-box queries)
  • adversary cannot exploit any weakness of the P_i’s ⇒ generic attacks
  • complexity measure of the adversary:
    • q_c = # construction queries = pt/ct pairs (data D)
    • q_p = # queries to each internal permutation oracle (time T)
    • but otherwise computationally unbounded
    • ⇒ information-theoretic proof of security

Previous Result

[Figure: 3-round Even-Mansour cipher with public permutations P_1, P_2, P_3 and every round key equal to k ⊕ t]

  • provably secure in the RPM up to ∼ 2^{n/2} queries [CS15, FP15]
  • can be written Ẽ(k, t, x) = E(k ⊕ t, x), where E is the conventional 3-round EM cipher with trivial key-schedule
  • ⇒ secure up to 2^{n/2} queries at best by a simple collision attack

Question

How can we obtain a construction with security beyond the birthday-bound?

Back to LRW

  • instantiate E with the 1-round Even-Mansour construction E_{k′}(x) = P(x ⊕ k′) ⊕ k′

[Figure: LRW with E replaced by 1-round EM: the masks (k ⊗ t) ⊕ k′ are XORed before and after the public permutation P; dropping k′ gives the (1-round) Tweakable Even-Mansour (TEM) construction y = P(x ⊕ k ⊗ t) ⊕ k ⊗ t]

  • provably secure in the RPM up to ∼ 2^{n/2} queries:

    Adv(q_c, q_p) ≤ q_c^2 / 2^n + 2 q_c q_p / 2^n

  • t ≠ 0 ⇒ k′ is superfluous (k ⊗ t is uniformly random for any t ≠ 0)

Cascading the TEM Construction

  • k_1, k_2 independent n-bit keys

[Figure: 2-round TEM, y = P_2(P_1(x ⊕ k_1 ⊗ t) ⊕ k_1 ⊗ t ⊕ k_2 ⊗ t) ⊕ k_2 ⊗ t]

  • our main result: secure up to ∼ 2^{2n/3} queries in the RPM:

    Adv(q_c, q_p) ≤ 34 q_c^{3/2} / 2^n + 30 √(q_c) q_p / 2^n

    (for q_c = q_p = q both terms are of order q^{3/2} / 2^n, hence the bound is small as long as q ≪ 2^{2n/3})
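The following toy implementation is an added example, not the authors' code: it builds the 1-round TEM of the "Back to LRW" slide and cascades two of them as on this slide, over GF(2^8) with the AES reduction polynomial 0x11B (assumption: n = 8), with two seeded shuffles standing in for the public random permutation oracles P_1, P_2 and a query counter playing the role of q_p. It also exercises the t ≠ 0 caveat: with a zero tweak every mask k_i ⊗ t vanishes and the output no longer depends on the keys.

```python
import random

N = 8                    # toy block size in bits (assumption; the talk's n is generic)
MOD = 0x11B              # AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (assumption)
SIZE = 1 << N


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8): the XOR-universal hash h_k(t) = k (x) t of the slides."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:         # degree reached 8: reduce modulo MOD
            a ^= MOD
    return r


class PublicPermutation:
    """Stand-in for a public random permutation oracle P_i of the RPM.

    A seeded shuffle replaces the ideal oracle; every forward or inverse call is
    counted, which is the q_p complexity measure used in the slides.
    """

    def __init__(self, seed: int) -> None:
        rng = random.Random(seed)
        self.fwd = list(range(SIZE))
        rng.shuffle(self.fwd)
        self.inv = [0] * SIZE
        for u, v in enumerate(self.fwd):
            self.inv[v] = u
        self.queries = 0

    def __call__(self, u: int) -> int:
        self.queries += 1
        return self.fwd[u]

    def inverse(self, v: int) -> int:
        self.queries += 1
        return self.inv[v]


P1 = PublicPermutation(seed=1)
P2 = PublicPermutation(seed=2)


def tem_round(P: PublicPermutation, k: int, t: int, x: int) -> int:
    """One-round TEM: y = P(x ^ (k (x) t)) ^ (k (x) t); the EM key k' is dropped."""
    m = gf_mul(k, t)
    return P(x ^ m) ^ m


def tem_round_inv(P: PublicPermutation, k: int, t: int, y: int) -> int:
    m = gf_mul(k, t)
    return P.inverse(y ^ m) ^ m


def tem2_encrypt(k1: int, k2: int, t: int, x: int) -> int:
    """Two-round TEM: cascade of two one-round TEMs with independent keys k1, k2."""
    return tem_round(P2, k2, t, tem_round(P1, k1, t, x))


def tem2_decrypt(k1: int, k2: int, t: int, y: int) -> int:
    return tem_round_inv(P1, k1, t, tem_round_inv(P2, k2, t, y))


def roundtrip_ok(k1: int, k2: int, t: int) -> bool:
    """Decryption inverts encryption on the whole domain for this key and tweak."""
    return all(tem2_decrypt(k1, k2, t, tem2_encrypt(k1, k2, t, x)) == x for x in range(SIZE))


def codebooks_differ(keys_a, t_a, keys_b, t_b) -> bool:
    """True if (keys_a, t_a) and (keys_b, t_b) induce different permutations of {0,1}^n."""
    return any(tem2_encrypt(*keys_a, t_a, x) != tem2_encrypt(*keys_b, t_b, x) for x in range(SIZE))


def zero_tweak_is_keyless(keys_a, keys_b) -> bool:
    """The t != 0 caveat: for t = 0 every mask k (x) 0 is zero, so the cipher is just
    P2 o P1 whatever the keys; this is why the slides state the remark only for t != 0."""
    return not codebooks_differ(keys_a, 0, keys_b, 0)


if __name__ == "__main__":
    k1, k2, t = 0x3A, 0xC7, 0x5D          # constructed sample keys and tweak
    print("roundtrip:", roundtrip_ok(k1, k2, t))
    print("tweaks 0x5D and 0x5E give different permutations:",
          codebooks_differ((k1, k2), 0x5D, (k1, k2), 0x5E))
    print("zero tweak ignores the keys:", zero_tweak_is_keyless((k1, k2), (0x11, 0x22)))
    print("permutation queries so far (q_p):", P1.queries, P2.queries)
```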

Outline: Overview of the Proof for Two Rounds

Formalization of the Security Experiment

[Figure: real world: the distinguisher D makes q_c queries to the r-round TEM construction and q_p queries to each of P_1, …, P_r, then outputs 0/1; ideal world: D makes q_c queries to a random tweakable permutation P_0 and q_p queries to each of P_1, …, P_r, then outputs 0/1]

  • real world: TEM construction with random keys k_1, …, k_r
  • ideal world: random tweakable permutation P_0 independent from P_1, …, P_r
  • RPM: D has oracle access to P_1, …, P_r in both worlds

Proof Technique: H-coefficients

[Figure: the same real and ideal worlds as on the previous slide]

  1. consider the transcript of all queries of D to the construction and to the inner permutations
  2. define bad transcripts and show that their probability is small (in the ideal world)
  3. show that good transcripts are almost as probable in the real and the ideal world

Bad Transcripts

  • one needs to avoid “two-fold” collisions:

[Figure: 2-round TEM with inner values u_1 → P_1 → v_1 and u_2 → P_2 → v_2; a construction query (t, x) colliding with permutation queries at both P_1 and P_2: proba ≤ q_c q_p^2 / 2^{2n}; two construction queries (t, x) and (t′, x′) colliding at both P_1 and P_2: proba ≤ q_c^2 / 2^{2n}]

The Ten “Bad Collision” Cases

[Figure: the ten bad-collision patterns between construction queries (t, x), (t′, x′), (t′′, y′′), … and permutation queries (u_1, v_1), (u′_1, v′_1) to P_1 and (u_2, v_2), (u′_2, v′_2) to P_2]

Distribution of Good Transcripts

[Figure: partition of the construction queries according to which inner values (U_1, V_1 at P_1 and U_2, V_2 at P_2) are already fixed by permutation queries: the sets Q_{U_1}, Q_{V_2}, Q_X, Q_Y and Q_0]

  • assuming there are no bad collisions, show that the answers of the TEM construction are close to answers of a random tweakable permutation
  • for each query, there is a “fresh” value of P_1 or P_2 which randomizes the output

Outline: Longer Cascades

Longer Cascades of the TEM Construction

[Figure: r-round TEM with public permutations P_1, …, P_r and masks k_1 ⊗ t, …, k_r ⊗ t]

  • r rounds, r even, with independent keys k_1, …, k_r: secure up to ∼ 2^{rn/(r+2)} = 2^{(r/2)n/((r/2)+1)} queries
  • proof:
    1. non-adaptive security for r/2 rounds (coupling technique)
    2. adaptive security for r rounds (“two weak make one strong” composition theorem)
  • conjecture: secure up to ∼ 2^{rn/(r+1)} queries

slide-65
SLIDE 65

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion

Outline

Background: Tweakable Block Ciphers Our Contribution Overview of the Proof for Two Rounds Longer Cascades Conclusion and Perspectives


SLIDE 66

Conclusion

x P1 k1 ⊗ t P2 k2 ⊗ t … Pr kr ⊗ t y

  • we analyzed the “public permutation” variant of the LRW construction, and proved tight 2^{2n/3}-security for 2 rounds
  • similar security level to the 2-round LRW cascade [LST12], yet in an idealized model (the random permutation model)
  • open problem 1: prove tight security up to 2^{rn/(r+1)} queries for r ≥ 3
  • open problem 2: can we avoid non-linear mixing of the key and the tweak and still get beyond-birthday security?

SLIDE 70

The TWEAKEY Framework

  • proposed by Jean, Nikolić, and Peyrin [JNP14]
  • Superposition TWEAKEY (STK) constructions:

x k t P1 f g P2 f g … Pr f g y (at each round the key state is updated by f and the tweak state by g, and the XOR of the two is the round tweakey added to the state)

  • sufficient conditions on f and g to have provable beyond-birthday security in the RPM (random permutation model)?
  • NB: f = g linear does not work, since then E(k, t, x) = E(k ⊕ t, x): the tweak only shifts the key of the untweaked cipher
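The two constructions above, as an added worked example (not code from the slides or from Cogliati, Lampe and Seurin): a toy r-round TEM cascade with round keys ki ⊗ t, the ⊗ read as multiplication in GF(2^n), next to the linear-mixing variant ki ⊕ t that slide 70 rules out. Assumptions not in the deck: n = 8 with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1, seeded shuffles standing in for the public random permutations P1, …, Pr, and the usual iterated Even-Mansour key layout with r + 1 whitening positions (a key before each Pi and one after Pr; the extracted diagram does not fix where the ki ⊗ t are added). `linear_mixing_collapses` checks the identity E(k, t, x) = E(k ⊕ t, x) for any r, `one_round_linear_distinguisher` shows the two-query attack it yields when r = 1, and `multiplicative_mixing_key_difference` shows why the same shift is not available with ⊗: the effective round keys for tweaks t and t ⊕ Δ differ by ki ⊗ Δ, which depends on the secret key.

```python
"""Toy tweakable Even-Mansour (TEM) cascade over GF(2^8).

Added example; not code from the slides or from Cogliati, Lampe and Seurin.
Assumptions: n = 8; GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1;
seeded shuffles play the public random permutations P1..Pr of the RPM;
r + 1 whitening positions (keys k0..kr, one before each Pi and one after Pr).
"""
import random
from typing import Callable, List, Sequence

N = 8            # block size in bits (assumption: toy size, the slides use a generic n)
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1 (assumption: any irreducible degree-N polynomial would do)
Mix = Callable[[int, int], int]


def gf_mul(a: int, b: int) -> int:
    """Carry-less product of a and b reduced modulo POLY: the slides' k ⊗ t."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= POLY
    return r


def mix_mul(k: int, t: int) -> int:
    """Round key k ⊗ t. Since k ⊗ 0 = 0 for every k, tweak 0 would erase the key: reject it."""
    if t == 0:
        raise ValueError("tweak 0 is excluded for multiplicative mixing")
    return gf_mul(k, t)


def mix_xor(k: int, t: int) -> int:
    """Linear round key k ⊕ t: the f = g linear case that slide 70 rules out."""
    return k ^ t


def random_perms(r: int, seed: int) -> List[List[int]]:
    """r independent permutations of {0..2^N-1}, standing in for the public P1..Pr."""
    rng = random.Random(seed)
    perms = []
    for _ in range(r):
        p = list(range(1 << N))
        rng.shuffle(p)
        perms.append(p)
    return perms


def inverse(p: Sequence[int]) -> List[int]:
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return inv


def tem_encrypt(perms, keys, tweak, x, mix: Mix = mix_mul) -> int:
    """x -> ⊕mix(k0,t) -> P1 -> ⊕mix(k1,t) -> ... -> Pr -> ⊕mix(kr,t) -> y, r = len(perms)."""
    if len(keys) != len(perms) + 1:
        raise ValueError("need r + 1 round keys for r permutations")
    y = x ^ mix(keys[0], tweak)
    for p, k in zip(perms, keys[1:]):
        y = p[y] ^ mix(k, tweak)
    return y


def tem_decrypt(perms, keys, tweak, y, mix: Mix = mix_mul) -> int:
    """Inverse of tem_encrypt: strip the round keys and apply P_i^-1 in reverse order."""
    x = y
    for p, k in zip(reversed(perms), reversed(keys[1:])):
        x = inverse(p)[x ^ mix(k, tweak)]
    return x ^ mix(keys[0], tweak)


def linear_mixing_collapses(perms, keys, tweak, x) -> bool:
    """Slide 70's identity, checked for any r: with k ⊕ t mixing the tweaked cipher equals
    the untweaked cipher (tweak 0) run with the shifted keys ki ⊕ t."""
    shifted = [k ^ tweak for k in keys]
    return tem_encrypt(perms, keys, tweak, x, mix_xor) == tem_encrypt(perms, shifted, 0, x, mix_xor)


def one_round_linear_distinguisher(perm, keys, x, tweak, delta) -> int:
    """For r = 1 the key shift is exploitable without knowing the key:
    E(t, x ⊕ Δ) ⊕ E(t ⊕ Δ, x) = Δ, while an ideal tweakable permutation gives Δ with
    probability about 2^-N. Returns the observed XOR for comparison with delta."""
    def e(t, v):
        return tem_encrypt([perm], keys, t, v, mix_xor)
    return e(tweak, x ^ delta) ^ e(tweak ^ delta, x)


def multiplicative_mixing_key_difference(keys, tweak, delta) -> List[int]:
    """With k ⊗ t the effective round keys for tweaks t and t ⊕ Δ differ by ki ⊗ Δ
    (distributivity), which the adversary cannot compute without ki; with k ⊕ t the
    difference is the known Δ."""
    return [mix_mul(k, tweak) ^ mix_mul(k, tweak ^ delta) for k in keys]


if __name__ == "__main__":
    P = random_perms(2, seed=1)   # 2-round TEM, the case proven 2^{2n/3}-secure in the deck
    K = [0x11, 0x22, 0x33]        # constructed sample keys k0, k1, k2
    assert all(tem_decrypt(P, K, 0x5A, tem_encrypt(P, K, 0x5A, x)) == x for x in range(1 << N))
    print("linear mixing collapses to a key shift:", linear_mixing_collapses(P, K, 0x5A, 0x3C))
    print("1-round linear distinguisher returns Δ:",
          one_round_linear_distinguisher(P[0], K[:2], 0x3C, 0x5A, 0xA5) == 0xA5)
    print("⊗ mixing key difference ki ⊗ Δ:",
          [hex(d) for d in multiplicative_mixing_key_difference(K, 0x5A, 0xA5)])
```

One caveat the diagram hides: k ⊗ 0 = 0 for every k, so with multiplicative mixing the all-zero tweak would turn every round key into 0 and the cipher into the public composition Pr ∘ … ∘ P1; the ⊗ variant above therefore rejects t = 0, and a tweak space for this construction has to exclude it.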

SLIDE 74

The end. . .

Thanks for your attention! Comments or questions?


SLIDE 75

References

References I

[Cro00] Paul Crowley. Mercy: A Fast Large Block Cipher for Disk Sector Encryption. In Bruce Schneier, editor, Fast Software Encryption - FSE 2000, volume 1978 of LNCS, pages 49–63. Springer, 2000.

[CS15] Benoît Cogliati and Yannick Seurin. On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 - Proceedings, Part I, volume 9056 of LNCS, pages 584–613. Springer, 2015. Full version available at http://eprint.iacr.org/2015/069.

[FLS+10] Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash Function Family. SHA3 Submission to NIST (Round 3), 2010.

[FP15] Pooya Farshim and Gordon Procter. The Related-Key Security of Iterated Even-Mansour Ciphers. In Fast Software Encryption - FSE 2015, 2015. To appear. Full version available at http://eprint.iacr.org/2014/953.

SLIDE 76

References II

[GHL+07] David Goldenberg, Susan Hohenberger, Moses Liskov, Elizabeth Crump Schwartz, and Hakan Seyalioglu. On Tweaking Luby-Rackoff Blockciphers. In Kaoru Kurosawa, editor, Advances in Cryptology - ASIACRYPT 2007, volume 4833 of LNCS, pages 342–356. Springer, 2007.

[JNP14] Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and Keys for Block Ciphers: The TWEAKEY Framework. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology - ASIACRYPT 2014 - Proceedings, Part II, volume 8874 of LNCS, pages 274–288. Springer, 2014.

[LRW02] Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable Block Ciphers. In Moti Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of LNCS, pages 31–46. Springer, 2002.

[LS13] Rodolphe Lampe and Yannick Seurin. Tweakable Blockciphers with Asymptotically Optimal Security. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of LNCS, pages 133–151. Springer, 2013.

SLIDE 77

References III

[LST12] Will Landecker, Thomas Shrimpton, and R. Seth Terashima. Tweakable Blockciphers with Beyond Birthday-Bound Security. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012, volume 7417 of LNCS, pages 14–30. Springer, 2012. Full version available at http://eprint.iacr.org/2012/450.

[MI08] Atsushi Mitsuda and Tetsu Iwata. Tweakable Pseudorandom Permutation from Generalized Feistel Structure. In Joonsang Baek, Feng Bao, Kefei Chen, and Xuejia Lai, editors, ProvSec 2008, volume 5324 of LNCS, pages 22–37. Springer, 2008.

[Rog04] Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of LNCS, pages 16–31. Springer, 2004.

[Sch98] Richard Schroeppel. The Hasty Pudding Cipher. AES submission to NIST, 1998.