Length-Doubling Ciphers and Tweakable Ciphers

Haibin Zhang

Computer Science Department

University of California, Davis

hbzhang@cs.ucdavis.edu

http://csiflabs.cs.ucdavis.edu/~hbzhang/

Our Contribution
  • HEM: a VIL cipher on [n..2n-1]
  • THEM: a VIL tweakable cipher on [n..2n-1]
  • Both HEM and THEM use two blockcipher calls
Symmetric-Key Encryption (Confidentiality Modes of Operation)
  • Probabilistic/stateful encryption (length-expanding)
    • IND-CPA: CBC, CTR, …
    • IND-CCA
      • AE: IND-CPA + INT-CTXT: CCM, GCM, OCB, …
  • Deterministic encryption (length-preserving encryption; cipher)
    • PRP (CPA) security:
    • SPRP (CCA) security: CMC, EME2, …

SPRP ciphers are useful in disk-sector encryption, encipher-and-encode applications, hybrid encryption, … IEEE P1619.2 (EME2)

Blockciphers

$E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$

PRP (CPA) security. The adversary $A$ is given oracle access either to the keyed blockcipher $E_K(\cdot)$ or to $\pi(\cdot)$, a random permutation over $\{0,1\}^n$, and must tell which:

$\mathbf{Adv}^{\mathrm{prp}}_{E}(A) = \Pr[A^{E_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$

PRP (CCA) security (SPRP). $A$ additionally gets the inverse oracle, $E_K^{-1}(\cdot)$ in the real world and $\pi^{-1}(\cdot)$ in the ideal world:

$\mathbf{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$
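The two advantage definitions above are easiest to understand as a game that can actually be run. The following Python is an added example written for this page (it is not code from the talk): it plays the ±prp game against a constructed, deliberately weak 8-bit "blockcipher" $E_K(x) = x \oplus K$, samples the ideal-world permutation $\pi$ lazily so that both $\pi$ and $\pi^{-1}$ can be answered, and estimates the advantage of one fixed chosen-ciphertext distinguisher by repeating the game. The 8-bit block width, the toy cipher and the distinguisher are all assumptions made for the example.

```python
"""Added example: the PRP / SPRP (+-prp) distinguishing game, run on a toy 8-bit
keyed permutation so that the advantage can be estimated by repetition."""
import random

N_BITS = 8
DOMAIN = 1 << N_BITS        # constructed toy block size: 256 points, not a real cipher


def toy_blockcipher(key: int, x: int) -> int:
    """Deliberately weak keyed permutation on {0,1}^8: E_K(x) = x XOR K.
    It is a permutation, so it is a syntactically valid blockcipher, but a poor PRP."""
    return x ^ key


def toy_blockcipher_inv(key: int, y: int) -> int:
    """E_K^{-1}(y) = y XOR K (XOR with the key is an involution)."""
    return y ^ key


class LazyRandomPermutation:
    """pi: a uniformly random permutation over {0,1}^n, sampled lazily so that only
    the points the adversary actually asks about are ever chosen.  Both pi(.) and
    pi^{-1}(.) are exposed, as the +-prp (CCA) game requires."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.fwd = {}   # x -> pi(x) for points fixed so far
        self.inv = {}   # y -> pi^{-1}(y) for points fixed so far

    def forward(self, x: int) -> int:
        if x not in self.fwd:
            unused = [y for y in range(DOMAIN) if y not in self.inv]
            y = self.rng.choice(unused)          # uniform among still-free outputs
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x]

    def inverse(self, y: int) -> int:
        if y not in self.inv:
            unused = [x for x in range(DOMAIN) if x not in self.fwd]
            x = self.rng.choice(unused)          # uniform among still-free inputs
            self.fwd[x], self.inv[y] = y, x
        return self.inv[y]


def xor_adversary(enc, dec) -> int:
    """A chosen-ciphertext distinguisher A with oracles (enc, dec).  It decrypts two
    ciphertexts and tests the relation that E_K(x) = x XOR K leaks:
    E_K^{-1}(c1) XOR E_K^{-1}(c2) == c1 XOR c2.  Outputs 1 ("real") if it holds."""
    c1, c2 = 0x00, 0xFF
    x1, x2 = dec(c1), dec(c2)
    return 1 if (x1 ^ x2) == (c1 ^ c2) else 0


def sprp_advantage(adversary, trials: int = 2000, seed: int = 1) -> float:
    """Estimate Adv^{+-prp}_E(A) = Pr[A^{E_K,E_K^{-1}} => 1] - Pr[A^{pi,pi^{-1}} => 1]
    by running the game `trials` times in each world with a fresh key / permutation."""
    rng = random.Random(seed)
    real_hits = 0
    for _ in range(trials):
        key = rng.randrange(DOMAIN)
        real_hits += adversary(lambda x: toy_blockcipher(key, x),
                               lambda y: toy_blockcipher_inv(key, y))
    ideal_hits = 0
    for _ in range(trials):
        pi = LazyRandomPermutation(rng)
        ideal_hits += adversary(pi.forward, pi.inverse)
    return real_hits / trials - ideal_hits / trials


if __name__ == "__main__":
    # The relation always holds for E_K and holds for a random pi with probability
    # about 1/255, so the estimated advantage is close to 1.
    print("estimated +-prp advantage:", sprp_advantage(xor_adversary))
```

For the CPA-only prp game, hand the adversary only the forward oracle; the estimator is otherwise unchanged. The lazily sampled $\pi$ is the standard way to implement the ideal world when $\{0,1\}^n$ is too large to sample a whole permutation table.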

General Ciphers

$\mathcal{E}: \mathcal{K} \times \mathcal{X} \to \mathcal{X}$

A cipher for $|\mathcal{X}| = [n..2n-1]$ (message lengths from $n$ to $2n-1$ bits).

PRP (CPA) security. The adversary $A$ is given oracle access either to $\mathcal{E}_K(\cdot)$ or to $\pi(\cdot)$, a random length-preserving permutation over $\mathcal{X}$:

$\mathbf{Adv}^{\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$

PRP (CCA) security (SPRP). $A$ additionally gets the inverse oracle, $\mathcal{E}_K^{-1}(\cdot)$ or $\pi^{-1}(\cdot)$:

$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot),\,\mathcal{E}_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$

Tweakable Blockcipher Security [Liskov, Rivest, Wagner 2002]

$\widetilde{E}: \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$

$\widetilde{\mathrm{prp}}$ security. The adversary $A$ is given oracle access either to $\widetilde{E}_K(\cdot,\cdot)$ (tweak and block) or to $\widetilde{\pi}(\cdot,\cdot)$, a random element of $\mathrm{Perm}(\mathcal{T}, n)$, the tweak-indexed permutations over $\{0,1\}^n$:

$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$

$\pm\widetilde{\mathrm{prp}}$ security. $A$ additionally gets the inverse oracle, $\widetilde{E}_K^{-1}(\cdot,\cdot)$ or $\widetilde{\pi}^{-1}(\cdot,\cdot)$:

$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot),\,\widetilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$

Tweakable Cipher Security [Liskov, Rivest, Wagner 2002]

$\widetilde{\mathcal{E}}: \mathcal{K} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X}$

A tweakable cipher for $|\mathcal{X}| = [n..2n-1]$.

$\widetilde{\mathrm{prp}}$ security. The adversary $A$ is given oracle access either to $\widetilde{\mathcal{E}}_K(\cdot,\cdot)$ or to $\widetilde{\pi}(\cdot,\cdot)$, a random element of $\mathrm{Perm}(\mathcal{T}, \mathcal{X})$, the tweak-indexed length-preserving permutations over $\mathcal{X}$:

$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$

$\pm\widetilde{\mathrm{prp}}$ security. $A$ additionally gets the inverse oracle, $\widetilde{\mathcal{E}}_K^{-1}(\cdot,\cdot)$ or $\widetilde{\pi}^{-1}(\cdot,\cdot)$:

$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot),\,\widetilde{\mathcal{E}}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$

How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?

  • A historically and theoretically interesting problem

[Luby and Rackoff, 1988]: a FIL cipher from n to 2n, "doubling" the length of a cipher

Our Goal: a VIL cipher from n to [n..2n-1], "doubling" the length of a cipher in the VIL sense

How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?

[Rogaway and Zhang, 2011]: TC3* Online Cipher, which uses a tweakable cipher of length [n..2n-1]

How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?

[IEEE, P1619]: XTS Mode

Ciphertext stealing did not seem to do a good job.

A tweakable cipher of length [n..2n-1]

Previous constructions for [n..2n-1]

  • EME2 [Halevi, 2004]
  • Four-round Feistel
  • XLS [Ristenpart, Rogaway, 2007]

Two-blockcipher-call solution? Our algorithms
  • Two blockcipher calls
  • Two AXU hash calls
  • One mixing function call (inexpensive; non-cryptographic tool)

AXU Hash Function [Krawczyk, 1994]

$H: \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$

  • Almost XOR Universal hash functions: for all $X \ne X'$ in $\mathcal{X}$ and all $C \in \mathcal{Y}$, $\Pr_K[H_K(X) \oplus H_K(X') = C] \le \varepsilon$
  • For our constructions, $\mathcal{X} = \mathcal{Y} = \{0,1\}^n$, so $H: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, and $H_K(X) = K \cdot X$ (Galois field multiplication)
  • Essential for efficiency and security

Mixing Function [Rogaway and Ristenpart, 2007]
  • Mixing function: $\mathrm{mix}: S \times S \to S \times S$
  • Let $\mathrm{mix}_L(\cdot,\cdot)$ and $\mathrm{mix}_R(\cdot,\cdot)$ be the left and right projections of mix respectively. For any $A \in S$, $\mathrm{mix}_L(A,\cdot)$, $\mathrm{mix}_L(\cdot,A)$, $\mathrm{mix}_R(A,\cdot)$ and $\mathrm{mix}_R(\cdot,A)$ are all permutations.
  • A construction by Ristenpart and Rogaway takes three xors and a single one-bit circular rotation.
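Both the AXU definition two slides up and the mixing-function requirement just stated are properties that can be checked exhaustively in a toy field. The Python below is an added example for this page, not code from the talk: it implements $H_K(X) = K \cdot X$ in GF(2^8) (8 bits instead of the blockcipher width $n$ only so that every key can be enumerated; the AES polynomial is an assumed choice of irreducible polynomial), measures the AXU bound $\varepsilon$ by counting keys, and then checks the four-projection property of a mixing function on two constructed candidates. Neither candidate is the xor-and-rotate construction the slide refers to; they are assumptions made for the example.

```python
"""Added example: (1) the AXU property of H_K(X) = K*X in GF(2^8), checked by enumeration;
(2) a checker for the projection property of a mixing function mix: S x S -> S x S."""

N = 8                 # toy width; the talk's constructions use the blockcipher width n
FIELD = 1 << N        # |S| = |{0,1}^8| = 256
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1 (AES polynomial; assumed choice)


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD:      # reduce when the degree reaches 8
            a ^= POLY
    return r


def axu_hash(key: int, x: int) -> int:
    """H_K(X) = K * X in GF(2^n): the AXU hash the slides use."""
    return gf_mul(key, x)


def axu_epsilon(x1: int, x2: int, c: int) -> float:
    """Pr over K of [H_K(x1) XOR H_K(x2) = c], by enumerating all 2^n keys."""
    hits = sum(1 for k in range(FIELD) if axu_hash(k, x1) ^ axu_hash(k, x2) == c)
    return hits / FIELD


def max_axu_epsilon() -> float:
    """The AXU bound epsilon = max over x1 != x2 and c of the probability above.
    Multiplication distributes over XOR, so H_K(x1) XOR H_K(x2) = K * (x1 XOR x2):
    only d = x1 XOR x2 != 0 matters, and K -> K*d is a bijection, giving epsilon = 2^-n."""
    worst = 0
    for d in range(1, FIELD):
        counts = {}
        for k in range(FIELD):
            v = gf_mul(k, d)
            counts[v] = counts.get(v, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst / FIELD


def is_permutation(f) -> bool:
    """True iff f: S -> S is a bijection on S = {0,1}^N."""
    return len({f(a) for a in range(FIELD)}) == FIELD


def is_good_mixing_function(mix) -> bool:
    """The slide's requirement: for every A in S, the one-sided projections
    mixL(A,.), mixL(.,A), mixR(A,.), mixR(.,A) are all permutations of S.
    Also checks that mix itself is a bijection on S x S (needed to decrypt)."""
    for a in range(FIELD):
        if not (is_permutation(lambda b: mix(a, b)[0]) and
                is_permutation(lambda b: mix(b, a)[0]) and
                is_permutation(lambda b: mix(a, b)[1]) and
                is_permutation(lambda b: mix(b, a)[1])):
            return False
    outputs = {mix(a, b) for a in range(FIELD) for b in range(FIELD)}
    return len(outputs) == FIELD * FIELD


def mix_field(a: int, b: int):
    """Constructed candidate: (A XOR B, A XOR 2*B) with 2*B in GF(2^8).
    Each projection is an affine bijection of S, and the matrix [[1,1],[1,2]]
    has determinant 1 XOR 2 = 3 != 0, so the map is invertible on S x S."""
    return (a ^ b, a ^ gf_mul(2, b))


def mix_bad(a: int, b: int):
    """Constructed non-example: (A XOR B, B).  mixR(., A) = A is constant."""
    return (a ^ b, b)


if __name__ == "__main__":
    print("AXU epsilon for K*X in GF(2^8):", max_axu_epsilon())   # 1/256
    print("mix_field is a good mixing function:", is_good_mixing_function(mix_field))
    print("mix_bad   is a good mixing function:", is_good_mixing_function(mix_bad))
```

The checker is brute force and only viable for small $S$; for the real width $n$ the properties have to be argued algebraically, as the distributivity argument in `max_axu_epsilon` does for the hash.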

An inefficient 2-blockcipher-call solution

Variationally universal hash [Rogaway and Krovetz, 2006]

Feistel networks

  • [Luby and Rackoff, 1988]
  • [Naor and Reingold, 1997]
  • [Patel, Ramzan and Sundaram, 1997]

A FIL cipher of length 2n; an improved FIL cipher of length 2n; a FIL cipher of length ≥ 2n

FHEM: A FIL Cipher of length n+s

[Figure: the structure of FHEM. Its labelled components, in the order they appear: AXU hash; blockcipher encryption; MIX function; blockcipher encryption; AXU hash. Annotations on the figure: 1. permutation; 2. SPRP.]

FHEM of length n+s security

Theorem: Let $\mathcal{E} = \mathrm{FHEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then

$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) \le 3q^2/2^n$

FHEM is not VIL secure

[Figure, shown in two animation steps: a VIL distinguisher against FHEM. It queries the two messages $0^n\|0$ and $0^n\|00$ and compares the first blocks $C_1$ and $D_1$ of the two ciphertexts: if $D_1 = C_1$ it outputs 1, else 0.]

HEM: A Length-Doubling Cipher

[Figure: FHEM beside HEM, with the annotation "Can be precomputed!"]

HEM security

Theorem: Let $\mathcal{E} = \mathrm{HEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then

$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) \le 3q^2/2^n$

THEM security

Theorem: Let $\widetilde{\mathcal{E}} = \mathrm{THEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then

$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) \le 3q^2/2^n$

Open questions
  • A more elegant cipher on $\mathcal{X} = \{0,1\}^{[n..2n)}$
  • How do we achieve an efficient VIL cipher with the domain $\{0,1\}^{>n}$ using the least blockcipher calls?
  • (Informally) Does there exist a lower bound for the number of blockcipher calls for an efficient SPRP-secure cipher with the domain $\{0,1\}^{>n}$?