Published by Erika Maher. Modified about 1 year ago.

1
Length-Doubling Ciphers and Tweakable Ciphers
Haibin Zhang
Computer Science Department, University of California, Davis
hbzhang@cs.ucdavis.edu
http://csiflabs.cs.ucdavis.edu/~hbzhang/

2
Our Contribution
HEM: a VIL cipher on [n..2n-1]
THEM: a VIL tweakable cipher on [n..2n-1]
Both HEM and THEM use two blockcipher calls

3
Symmetric-Key Encryption (Confidentiality Modes of Operation)
Probabilistic/stateful encryption (length-expanding):
  IND-CPA: CBC, CTR, …
  (IND-CCA) AE: IND-CPA + INT-CTXT: CCM, GCM, OCB, …
Deterministic encryption (length-preserving encryption; cipher):
  PRP (CPA) security:
  SPRP (CCA) security: CMC, EME2, …
SPRP ciphers are useful in disk sector encryption, encipher-and-encode applications, hybrid encryption, …
IEEE P1619.2 (EME2)

4
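Blockciphers
$E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$
PRP (CPA) security: $\mathbf{Adv}^{\mathrm{prp}}_{E}(A) = \Pr[A^{E_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$
PRP (CCA) security: $\mathbf{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$
where $\pi$ is a random permutation over $\{0,1\}^n$.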

5
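General Ciphers
$\mathcal{E} : \mathcal{K} \times \mathcal{X} \to \mathcal{X}$
PRP (CPA) security: $\mathbf{Adv}^{\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$
PRP (CCA) security: $\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot),\,\mathcal{E}_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$
where $\pi$ is a random length-preserving permutation over $\mathcal{X}$.
A cipher for $|\mathcal{X}| = [n..2n-1]$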

6
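Tweakable Blockcipher Security [Liskov, Rivest, Wagner 2002]
$\widetilde{E} : \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$
PRP security:
$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot,\cdot)} \Rightarrow 1]$
$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot),\,\widetilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot,\cdot),\,\pi^{-1}(\cdot,\cdot)} \Rightarrow 1]$
where $\pi$ is a random permutation over $\mathrm{Perm}(\mathcal{T}, n)$.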

7
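Tweakable Cipher Security [Liskov, Rivest, Wagner 2002]
$\widetilde{\mathcal{E}} : \mathcal{K} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X}$
PRP security:
$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot,\cdot)} \Rightarrow 1]$
$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot),\,\widetilde{\mathcal{E}}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot,\cdot),\,\pi^{-1}(\cdot,\cdot)} \Rightarrow 1]$
where $\pi$ is a random permutation over $\mathrm{Perm}(\mathcal{T}, \mathcal{X})$.
A tweakable cipher for $|\mathcal{X}| = [n..2n-1]$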

8
How is Length-Doubling Cipher ([n..2n-1]) USEFUL?
A historically and theoretically interesting problem
A FIL cipher from n to 2n: “Doubling” the length of a cipher [Luby and Rackoff, 1988]
Our Goal: A VIL cipher from n to [n..2n-1]: “Doubling” the length of a cipher in the VIL sense

9
How is Length-Doubling Cipher ([n..2n-1]) USEFUL?
A tweakable cipher of length [n..2n-1]
TC3* Online Cipher [Rogaway and Zhang, 2011]

10
How is Length-Doubling Cipher ([n..2n-1]) USEFUL?
XTS Mode [IEEE, P1619]
Ciphertext Stealing did not seem to do a good job.
A tweakable cipher of length [n..2n-1]

11
Previous constructions for [n..2n-1]
EME2 [Halevi, 2004]
Four-round Feistel
XLS [Ristenpart, Rogaway, 2007]

12
Two-blockcipher-call solution?
Our algorithms:
  Two blockcipher calls
  Two AXU hash calls
  One mixing function call (inexpensive; non-cryptographic tool)

13
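AXU Hash Function
Almost XOR Universal hash functions: $H : \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$
For all $X \neq X'$ in $\mathcal{X}$ and all $C \in \mathcal{Y}$, $\Pr[H_K(X) \oplus H_K(X') = C] \le \epsilon$ [Krawczyk, 1994]
For our constructions, $\mathcal{X} = \mathcal{Y} = \{0,1\}^n$, so $H : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$
$H_K(X) = K \cdot X$ (Galois field multiplication)
Essential for efficiency and security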
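An added example, not part of the original slides: the multiplication hash H_K(X) = K · X checked exhaustively against the AXU definition. It assumes a toy block size n = 8 and the modulus x^8 + x^4 + x^3 + x + 1; the function names are hypothetical.

```python
# Added example (not from the slides): toy n = 8 so every key can be enumerated.
N = 8
POLY = 0x11B  # assumed modulus: x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiply a and b in GF(2^N): carry-less product reduced modulo POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: subtract (xor) the modulus
            a ^= POLY
    return result


def axu_hash(key: int, x: int) -> int:
    """H_K(X) = K * X, the Galois-field multiplication hash from the slide."""
    return gf_mul(key, x)


def collision_probability(x1: int, x2: int, c: int) -> float:
    """Pr over a uniform key K of H_K(x1) xor H_K(x2) == c, by exhaustive count."""
    hits = sum(1 for k in range(1 << N) if axu_hash(k, x1) ^ axu_hash(k, x2) == c)
    return hits / (1 << N)


def worst_case_epsilon() -> float:
    """Max of that probability over all x1 != x2 and all c.

    Multiplication distributes over xor, so H_K(x1) ^ H_K(x2) = K * (x1 ^ x2);
    it is enough to enumerate the non-zero difference d = x1 ^ x2.
    """
    size = 1 << N
    worst = 0
    for d in range(1, size):
        counts = [0] * size
        for k in range(size):
            counts[gf_mul(k, d)] += 1
        worst = max(worst, max(counts))
    return worst / size


if __name__ == "__main__":
    print("epsilon =", worst_case_epsilon())                  # 2^-8
    print("x1 == x2:", collision_probability(0x35, 0x35, 0))  # degenerate case
```

With equal inputs the xor difference is always zero, which is why the definition only quantifies over X ≠ X'.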

14
Mixing Function
Mixing function: $\mathrm{mix} : S \times S \to S \times S$ [Rogaway and Ristenpart, 2007]
Let $\mathrm{mix}_L(\cdot,\cdot)$ and $\mathrm{mix}_R(\cdot,\cdot)$ be the left and right projection of mix respectively.
For any $A \in S$, $\mathrm{mix}_L(A,\cdot)$, $\mathrm{mix}_L(\cdot,A)$, $\mathrm{mix}_R(A,\cdot)$, and $\mathrm{mix}_R(\cdot,A)$ are all permutations.
A construction by Ristenpart and Rogaway takes three xors and a single one-bit circular rotation.

15
An inefficient 2-blockcipher-call solution Variationally universal hash [Rogaway and Krovetz, 2006]

16
Feistel networks
A FIL cipher of length 2n [Luby and Rackoff, 1988]
An improved FIL cipher of length 2n [Naor and Reingold, 1997]
A FIL cipher of length ≥ 2n [Patel, Ramzan and Sundaram, 1997]

17
FHEM: A FIL Cipher of length n+s
[Figure labels: AXU Hash, Blockcipher Encryption, AXU Hash, MIX function, Blockcipher Encryption]
1. permutation
2. SPRP

18
FHEM of length n+s security
Theorem: Let FHEM[H, Perm(n), mix]. If A asks at most q queries then $\mathbf{Adv}^{\pm\mathrm{prp}}(A) \le 3q^2/2^n$

19
FHEM is not VIL secure
[Figure: inputs labelled 0^n 0 and 0^n 00]
If D_1 = C_1 output 1 else 0

21
HEM: A Length-Doubling Cipher
Can be precomputed!
[Figure labels: FHEM, HEM]

22
HEM security
Theorem: Let HEM[H, Perm(n), mix]. If A asks at most q queries then $\mathbf{Adv}^{\pm\mathrm{prp}}(A) \le 3q^2/2^n$

23
THEM: A Length-Doubling Tweakable Cipher
A way of adding tweaks

24
THEM security
Theorem: Let THEM[H, Perm(n), mix]. If A asks at most q queries then $\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}(A) \le 3q^2/2^n$

25
A More Compact Variant (Tweak Stealing)

26
Open questions
A more elegant cipher on $\mathcal{X} = \{0,1\}^{[n..2n)}$
How do we achieve an efficient VIL cipher with the domain $\{0,1\}^{>n}$ using the least blockcipher calls?
(Informally) Does there exist a lower bound for the number of blockcipher calls for an efficient SPRP secure cipher with the domain $\{0,1\}^{>n}$?

27
Thank you!
