
Published by Erika Maher. Modified over 2 years ago.

1
Length-Doubling Ciphers and Tweakable Ciphers
Haibin Zhang, Computer Science Department, University of California, Davis
hbzhang@cs.ucdavis.edu
http://csiflabs.cs.ucdavis.edu/~hbzhang/

2
Our Contribution
HEM: a VIL cipher on [n..2n-1]
THEM: a VIL tweakable cipher on [n..2n-1]
Both HEM and THEM use two blockcipher calls

3
Symmetric-Key Encryption (Confidentiality Modes of Operation)
Probabilistic/stateful encryption (length-expanding):
IND-CPA: CBC, CTR, ...
(IND-CCA) AE: IND-CPA + INT-CTXT: CCM, GCM, OCB, ...
Deterministic encryption (length-preserving encryption; cipher):
PRP (CPA) security
SPRP (CCA) security: CMC, EME2, ...
SPRP ciphers are useful in disk sector encryption, encipher-and-encode applications, hybrid encryption, ... IEEE P1619.2 (EME2)

4
Blockciphers
$E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$; $\pi$ is a random permutation over $\{0,1\}^n$
PRP (CPA) security: $\mathrm{Adv}^{\mathrm{prp}}_E(A) = \Pr[A^{E_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$
SPRP (CCA) security: $\mathrm{Adv}^{\pm\mathrm{prp}}_E(A) = \Pr[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$

5
General Ciphers
$\mathcal{E} : \mathcal{K} \times X \to X$; $\pi$ is a random length-preserving permutation over $X$
PRP (CPA) security: $\mathrm{Adv}^{\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$
SPRP (CCA) security: $\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot),\,\mathcal{E}_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$
A cipher for $|X| = [n..2n-1]$

6
Tweakable Blockcipher Security [Liskov, Rivest, Wagner 2002]
$\tilde{E} : \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$; $\tilde{\pi}$ is a random tweakable permutation from $\mathrm{Perm}(\mathcal{T}, n)$
PRP security: $\mathrm{Adv}^{\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$
SPRP security: $\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot),\,\tilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot),\,\tilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$

7
Tweakable Cipher Security [Liskov, Rivest, Wagner 2002]
$\tilde{E} : \mathcal{K} \times \mathcal{T} \times X \to X$; $\tilde{\pi}$ is a random tweakable length-preserving permutation from $\mathrm{Perm}(\mathcal{T}, X)$
PRP security: $\mathrm{Adv}^{\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$
SPRP security: $\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot),\,\tilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot),\,\tilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$
A tweakable cipher for $|X| = [n..2n-1]$

8
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
A historically and theoretically interesting problem.
A FIL cipher from n to 2n: "doubling" the length of a cipher [Luby and Rackoff, 1988].
Our Goal: a VIL cipher from n to [n..2n-1], "doubling" the length of a cipher in the VIL sense.

9
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
TC3* Online Cipher [Rogaway and Zhang, 2011] (figure: a tweakable cipher of length [n..2n-1] inside the online cipher)

10
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
XTS Mode [IEEE P1619]: Ciphertext Stealing did not seem to do a good job. (figure: a tweakable cipher of length [n..2n-1])

11
Previous constructions for [n..2n-1]
EME2 [Halevi, 2004]
Four-round Feistel
XLS [Ristenpart, Rogaway, 2007]

12
Two-blockcipher-call solution?
Our algorithms use:
Two blockcipher calls
Two AXU hash calls
One mixing function call (inexpensive; non-cryptographic tool)

13
AXU Hash Function
Almost XOR Universal hash functions [Krawczyk, 1994]: $H : \mathcal{K} \times X \to Y$ is $\varepsilon$-AXU if for all $X \neq X'$ and all $C \in Y$, $\Pr[H_K(X) \oplus H_K(X') = C] \le \varepsilon$.
For our constructions, $X = Y = \{0,1\}^n$, so $H : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ with $H_K(x) = K \cdot x$ (Galois Field Multiplication).
Essential for efficiency and security.
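An added example, not from the slides: the AXU hash $H_K(x) = K \cdot x$ as a Galois-field multiplication, together with an exhaustive check of the $\varepsilon = 2^{-n}$ bound in a toy field. The reduction polynomials are assumptions (GCM's $x^{128}+x^7+x^2+x+1$ for $n = 128$, the AES polynomial $x^8+x^4+x^3+x+1$ for the toy $n = 8$), and the representation is the plain polynomial basis.

```python
# Added example (not from the slides): H_K(x) = K * x over GF(2^n) and an
# exhaustive check of the AXU bound eps = 2^-n in a toy field. Reduction
# polynomials are assumptions; plain polynomial basis, not GCM's bit-reflected one.

GF128_POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1 (GCM's polynomial)
GF8_POLY = 0x11B                 # x^8 + x^4 + x^3 + x + 1 (AES's; toy field)


def gf_mul(a: int, b: int, n: int, poly: int) -> int:
    """Multiply a and b as binary polynomials, reduced modulo poly (degree n)."""
    mask = (1 << n) - 1
    low_poly = poly & mask       # poly with the x^n term dropped
    high_bit = 1 << (n - 1)
    r = 0
    for _ in range(n):           # shift-and-add multiplication, one bit of b per step
        if b & 1:
            r ^= a
        carry = a & high_bit
        a = (a << 1) & mask      # a := a * x
        if carry:
            a ^= low_poly        # reduce when the x^n term would appear
        b >>= 1
    return r


def axu_hash(key: int, x: int, n: int = 128, poly: int = GF128_POLY) -> int:
    """H_K(x) = K * x in GF(2^n): a single field multiplication, as on the slide."""
    return gf_mul(key, x, n, poly)


def max_collision_probability(n: int, poly: int) -> float:
    """Exhaustive max over x != x' and C of Pr_K[H_K(x) xor H_K(x') = C].

    H is GF(2)-linear, so H_K(x) ^ H_K(x') = K * (x ^ x'): it suffices to count,
    for every nonzero difference d, how many keys K send d to each output C.
    Feasible only for a toy n; in a field the answer is exactly 2^-n.
    """
    size = 1 << n
    worst = 0
    for d in range(1, size):
        counts = [0] * size
        for k in range(size):
            counts[gf_mul(k, d, n, poly)] += 1
        worst = max(worst, max(counts))
    return worst / size
```

The toy-field check returns 1/256, i.e. $\varepsilon = 2^{-n}$ for $n = 8$; the same argument gives $2^{-128}$ for the full-size hash.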

14
Mixing Function [Ristenpart and Rogaway, 2007]
$\mathrm{mix} : S \times S \to S \times S$. Let $\mathrm{mix}_L(\cdot,\cdot)$ and $\mathrm{mix}_R(\cdot,\cdot)$ be the left and right projections of mix respectively. For any $A \in S$, $\mathrm{mix}_L(A,\cdot)$, $\mathrm{mix}_L(\cdot,A)$, $\mathrm{mix}_R(A,\cdot)$ and $\mathrm{mix}_R(\cdot,A)$ are all permutations.
A construction by Ristenpart and Rogaway takes three xors and a single one-bit circular rotation.

15
An inefficient 2-blockcipher-call solution Variationally universal hash [Rogaway and Krovetz, 2006]

16
Feistel networks
[Luby and Rackoff, 1988]: a FIL cipher of length 2n
[Naor and Reingold, 1997]: an improved FIL cipher of length 2n
[Patel, Ramzan and Sundaram, 1997]: a FIL cipher of length ≥ 2n

17
FHEM: A FIL Cipher of length n+s
(figure: AXU Hash, Blockcipher Encryption, AXU Hash, MIX function, Blockcipher Encryption; annotations: 1. permutation, 2. SPRP)

18
FHEM of length n+s: security
Theorem: Let FHEM[H, Perm(n), mix]. If A asks at most q queries then $\mathrm{Adv}^{\pm\mathrm{prp}}(A) \le 3q^2/2^n$.

19
FHEM is not VIL secure
(distinguisher figure: inputs $0^n \| 0$ and $0^n \| 00$; if $D_1 = C_1$ output 1, else 0)


21
HEM: A Length-Doubling Cipher
(figure: FHEM beside HEM; can be precomputed!)

22
HEM security
Theorem: Let HEM[H, Perm(n), mix]. If A asks at most q queries then $\mathrm{Adv}^{\pm\mathrm{prp}}(A) \le 3q^2/2^n$.

23
THEM: A Length-Doubling Tweakable Cipher
(figure: a way of adding tweaks)

24
THEM security
Theorem: Let THEM[H, Perm(n), mix]. If A asks at most q queries then $\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}(A) \le 3q^2/2^n$.

25
A More Compact Variant (Tweak Stealing)

26
Open questions
A more elegant cipher on $X = \{0,1\}^{[n..2n)}$
How do we achieve an efficient VIL cipher with the domain $\{0,1\}^{>n}$ using the least blockcipher calls?
(Informally) Does there exist a lower bound for the number of blockcipher calls for an efficient SPRP-secure cipher with the domain $\{0,1\}^{>n}$?

27
Thank you!
