1 / 27

Length-Doubling Ciphers and Tweakable Ciphers

Length-Doubling Ciphers and Tweakable Ciphers. Haibin Zhang Computer Science Department University of California, Davis hbzhang@cs.ucdavis.edu http://csiflabs.cs.ucdavis.edu/~hbzhang/. Our Contribution. HEM: a VIL cipher on [n..2n-1] THEM: a VIL tweakable cipher on [n..2n-1]

eric-barber
Download Presentation

Length-Doubling Ciphers and Tweakable Ciphers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Length-Doubling Ciphers and Tweakable Ciphers Haibin Zhang Computer Science Department University of California, Davis hbzhang@cs.ucdavis.edu http://csiflabs.cs.ucdavis.edu/~hbzhang/

  2. Our Contribution • HEM: a VIL cipher on [n..2n-1] • THEM: a VIL tweakable cipher on [n..2n-1] • Both HEM and THEM usestwo blockcipher calls

  3. Symmetric-Key Encryption(Confidentiality Modes of Operation) • Probabilistic/stateful encryption (length-expanding) • IND-CPA: CBC, CTR, … • (IND-CCA) • AE :IND-CPA+INT-CTXT: CCM, GCM, OCB, … • Deterministic encryption (length-preserving encryption; cipher) • PRP (CPA) security: • SPRP (CCA) security: CMC, EME2, … SPRP ciphers are useful in disk sector encryption, encipher and encode applications, hybrid encryption, … IEEE P1619.2 (EME2)

  4. E: K{0,1}n {0,1}n Blockciphers p() EK() random permutation over {0,1}n A -1 -1 p() EK() PRP (CPA) security prp EK() Adv(A) = Pr[A  1] – Pr[A p 1] E + PRP (CCA) security - -1 + -1 prp - EK(), EK() Adv(A) = Pr[A  1] – Pr[Ap, p  1] E

  5. ε : K XX General Ciphers A cipher for |X|=[n..2n-1] p() εK() random length-preserving permutation over X A εK () -1 p() -1 PRP (CPA) security εK() prp Adv(A) = Pr[A  1] – Pr[A p 1] ε + PRP (CCA) security - -1 -1 εK() ,εK() + prp - Adv(A) = Pr[A  1] – Pr[Ap, p  1] ε

  6. ~ [Liskov, Rivest, Wagner 2002] E: KT{0,1}n {0,1}n Tweakable Blockcipher Security p(, ) ~ EK(,) random permutation over Perm(T, n) A EK(,) -1 ~ p(, ) -1 PRP security ~ prp EK() Adv(A) = Pr[A  1] – Pr[Ap 1] ~ Ε + PRP security - ~ ~ -1 + -1 prp - EK(), EK() Adv(A) = Pr[A  1] – Pr[A p , p  1] ~ E

  7. ~ [Liskov, Rivest, Wagner 2002] E: KTXX Tweakable Cipher Security p(, ) ~ EK(,) random permutation over Perm(T, X) A A tweakable cipher for |X|=[n..2n-1] EK(,) -1 ~ p(, ) -1 PRP security ~ prp EK() Adv(A) = Pr[A  1] – Pr[Ap 1] ~ Ε + PRP security - ~ ~ -1 + -1 prp - EK(), EK() Adv(A) = Pr[A  1] – Pr[A p , p  1] ~ E

  8. How is Length-Doubling Cipher ([n..2n-1]) USEFUL? • A historicallyand theoretically interesting problem [Luby and Rackoff, 1988] A FIL cipher from n to 2n “Doubling” the length of a cipher Our Goal: A VIL cipher from n to [n..2n-1] “Doubling” the length of a cipher in the VIL sense

  9. How is Length-Doubling Cipher ([n..2n-1]) USEFUL? [Rogaway and Zhang, 2011] TC3* Online Cipher A tweakable cipher of length [n..2n-1]

  10. How is Length-Doubling Cipher ([n..2n-1]) USEFUL? [IEEE, P1619] XTS Mode Ciphertext Stealing did not seem to do a good job. A tweakable cipher of length [n..2n-1]

  11. Previous constructions for [n..2n-1] EME2 [Halevi, 2004] Four-round Feistel XLS[Ristenpart,Rogaway,2007]

  12. Two-blockcipher-call solution? Our algorithms • Two blockcipher calls  Two AXU hash calls  One mixing function call (inexpensive; non-cryptographic tool)

  13. H: KXY [Krawczyk, 1994] AXU Hash Function • Almost XOR Universal hash functions: • For our constructions, X = Y = {0,1}n H: KXYH: K{0,1}n{0,1}n Essential for efficiency and security For all X¹X ’and all CY, Pr[Hk(x) ÅHk(X ’) = C] ≤ ε HK(x) =KX Galois Field Multiplication

  14. [Rogaway and Ristenpart, 2007] Mixing Function • Mixing Function: mix: SSS S Let mixL(,) and mixR(,) be the left and right projection of mix respectively. For any A  S, mixL(A,), mixL(,A), mixR(A,), and mixR(,A) are all permutations. A construction by Ristenpart and Rogaway takes three xorsand a single one-bit circular rotation.

  15. An inefficient 2-blockcipher-call solution Variationally universal hash [Rogaway and Krovetz, 2006] Variationally universal hash

  16. Feistel networks [Luby and Rackoff, 1988] [Naor and Reingold, 1997] [Patel, Ramzan and Sundaram,1997] A FIL cipher of length 2n An improved FIL cipher of length 2n A FIL cipher of length ≥2n

  17. FHEM: A FIL Cipher of length n+s AXU Hash Blockcipher Encryption 1.permutation 2. SPRP MIX function Blockcipher Encryption AXU Hash

  18. FHEM of length n+s security Theorem: Let e = FHEM[H, Perm(n),mix]. If A asks at most q queries then + prp - Adv(A)  3 q2/2n e

  19. FHEM is not VIL secure 0n 0 0n 00 If D1=C1output 1 else 0

  20. FHEM is not VIL secure 0n 0 0n 00 If D1=C1output 1 else 0

  21. HEM: A Length-Doubling Cipher FHEM HEM Can be Precomputed !

  22. HEM security Theorem: Let e = HEM[H, Perm(n),mix]. If A asks at most q queries then + prp - Adv(A)  3 q2/2n e

  23. THEM: A Length-DoublingTweakable Cipher A way of adding tweaks

  24. THEM security ~ Theorem: Let e = THEM[H, Perm(n),mix]. If A asks at most q queries then + prp - Adv(A)  3 q2/2n ~ e

  25. A More Compact Variant (Tweak Stealing)

  26. Open questions • A more elegant cipher on X= {0,1}[n..2n) • How do we achieve an efficient VIL cipher with the domain {0,1}>n using the least blockcipher calls? • (Informally) Does there exist a lower bound for the number of blockcipher calls for an efficient SPRP secure cipher with the domain{0,1}>n ?

  27. Thank you!

More Related