ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Similar documents
Characterization of EME with Linear Mixing

CPA-Security. Definition: A private-key encryption scheme

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication

Block Ciphers/Pseudorandom Permutations

Provable Security in Symmetric Key Cryptography

A Domain Extender for the Ideal Cipher

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Modes of Operations for Wide-Block Encryption

Notes for Lecture 9. 1 Combining Encryption and Authentication

III. Pseudorandom functions & encryption

Solution of Exercise Sheet 7

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation

Tweakable Block Ciphers

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

On the Security of Hash Functions Employing Blockcipher Post-processing

Tweakable Blockciphers with Beyond Birthday-Bound Security

Tweakable Enciphering Schemes From Stream Ciphers With IV

Improved Security Analysis for OMAC as a Pseudo Random Function

Improving Upon the TET Mode of Operation

CTR mode of operation

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

EME : extending EME to handle arbitrary-length messages with associated data

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

The Security of Abreast-DM in the Ideal Cipher Model

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Block ciphers And modes of operation. Table of contents

Avoiding collisions Cryptographic hash functions. Table of contents

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

XHX A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing

ECS 189A Final Cryptography Spring 2011

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Foundations of Network and Computer Security

Symmetric Encryption

Foundations of Network and Computer Security

A Modular Framework for Building Variable-Input-Length Tweakable Ciphers

Computational security & Private key encryption

Quantum-secure symmetric-key cryptography based on Hidden Shifts

1 Cryptographic hash functions

Known and Chosen Key Differential Distinguishers for Block Ciphers

On High-Rate Cryptographic Compression Functions

Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

1 Cryptographic hash functions

non-trivial black-box combiners for collision-resistant hash-functions don t exist

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

2 Message authentication codes (MACs)

Tight Security Analysis of EHtM MAC

CS 6260 Applied Cryptography

Efficient Message Authentication Codes with Combinatorial Group Testing

1 Number Theory Basics

A survey on quantum-secure cryptographic systems

Security of Permutation-based Compression Function lp231

Tweak-Length Extension for Tweakable Blockciphers

Stronger Security Variants of GCM-SIV

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

An Introduction to Authenticated Encryption. Palash Sarkar

Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC

Design Paradigms for Building Multi-Property Hash Functions

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Benes and Butterfly schemes revisited

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles

Lecture 10 - MAC s continued, hash & MAC

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing

Another Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India

5199/IOC5063 Theory of Cryptology, 2014 Fall

An introduction to Hash functions

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

The Random Oracle Model and the Ideal Cipher Model are Equivalent

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Stronger Security Variants of GCM-SIV

Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers

Security of Random Feistel Schemes with 5 or more Rounds

Foundations of Network and Computer Security

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

Lecture 13: Private Key Encryption

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing

Fast and Secure CBC-Type MAC Algorithms

How to Build a Hash Function from any Collision-Resistant Function

Transcription:

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi, Indian Statistical Institute, Kolkata ASIACRYPT 2018 Brisbane, Australia 3 December 2018

Introduction

Optimising SPRPs SPRP: Strong Pseudorandom Permutations (indistinguishable under chosen-ciphertext attacks) Common optimisation goals for SPRPs: Low implementation costs High provable-security guarantees High performance

Provable security of SPRPs Adversary A making queries with at most σ blocks in all in CCA setting Birthday Bound: ( ) Distinguishing advantage O σ 2 2 n (n: width of underlying primitive in bits, e.g., 128) Here A needs O ( 2 n/2) query-blocks to attack Beyond Birthday Bound: Number of query-blocks required of a higher order than 2 n/2

Tweakable Block Ciphers Blockcipher with additional public input Dedicated Designs: Deoxys-BC, Joltik-BC, Skinny TBC-based MAC: ZMAC [CRYPTO 17] Parallelisable Single-keyed Based on an internal hash function ZHash

Our Contributions Theoretical: Proof that 1.5 primitive calls per message block is close to optimal Practical: New TBC-based SPRP construction ZCZ: 1.5 TBC calls per message block Full n-bit provable security ZCZ*: Extended version of ZCZ that can handle partial blocks

Preliminaries

Simple Random Sampling Sample space: S = {0,..., N 1} Sample: (X 1,..., X q ) With replacement (SRSWR): X 1,..., X q independent For any x 1,..., x q S, Pr [X 1 = x 1,..., X q = x q ] = 1/N q. Without replacement (SRSWOR): X 1,..., X q distinct, this is the only dependence For any x 1,..., x q S, Pr [X 1 = x 1,..., X q = x q ] = (N q)!/n! when x 1,..., x q are distinct and 0 otherwise.

Collision Probabilities Assume X 1,..., X q is an SRSWR-sample from {0,..., N 1} Single collision: α 0 + α 1 X 1 +... + α q X q = 0 If α i 0 for any i {1,..., q}, the probability is 1/N. Double collision: α 0 + α 1 X 1 +... + α q X q = 0, β 0 + β 1 X 1 +... + β q X q = 0. If α i β j β i α j for any i, j {1,..., k}, the probability is 1/N 2.

Tweakable Blockciphers X T Ẽ K Y Ẽ : K T B B K: Key space, T : Tweak space, B: Block space For fixed K and T, Ẽ K (T, ) is injective

Constraints X 1 X 2 T 1 T 2 Ẽ K Ẽ K Y 1 Y 2 (X 1, T 1 ) = (X 2, T 2 ) = Y 1 = Y 2 (Y 1, T 1 ) = (Y 2, T 2 ) = X 1 = X 2 [No constraints when T 1 T 2 ]

Ideal Tweakable Blockciphers For random K K: For fixed T T, for distinct X 1,..., X q B, (Y 1,..., Y q ) should form an SRSWOR-sample from B. For distinct T 1,..., T q T, for any X 1,..., X q B, (Y 1,..., Y q ) should form an SRSWR-sample from B. T T i X i Ẽ K Y i X i Ẽ K Y i

Construction

The ZCZ Encryption Scheme (a) The first l 1 diblocks (Z i,j, S i mixing variables):

The ZCZ Encryption Scheme (b) The final diblock and the mixing layer:

The ZCZ* Encryption Scheme Version of ZCZ that can handle partial blocks:

Breaking it down L i {(X i, R i ) 1 i l 1}, (L l, R l ) Y i Ẽ t,i K R i Mixing Layer L i Ẽ b,i K X i Top Layer {(L i, Y i) 1 i l 1}, (L l, R l ) R i Bottom Layer (The different tweakable blockciphers used are obtained from a single key using standard domain separation techniques)

Proof Approach

Main Tool Coefficient H Technique: For real oracle O 1 and ideal oracle O 0, consider the conditions below: Condition 1: The probability of certain bad events occurring under the ideal oracle is bounded above by ɛ; Condition 2: When a bad event has not occurred, a transcript is at least as probable under O 1 as under O 0. When these conditions hold, the advantage of an adversary distinguishing between O 0 and O 1 is bounded above by ɛ.

Oracles Real Oracle: Uses ZCZ to answer queries; At the end reveals all internal inputs and outputs to Ẽ K. Ideal Oracle: Uses an ideal random wide permutation to answer queries; At the end samples all internal inputs and outputs to Ẽ K ; Sampling is first done over a basis; This sample is then extended to the other inputs and outputs.

Bad Events: Main Idea Broad strategy: Ban (tweak, input) collisions; Ban (tweak, output) collisions. We need to ensure that each bad event is a double collision.

Bounding Bad Probabilities Approach: Fix all parameters; Identify underlying double collision; Check conditions for 1/N 2 bound (where N = 2 n ). Count over parameter choices; Bound using union bound. Final bound obtained on distinguishing advantage: 21σ2 2 2n

Thank you for your attention The authors regret not being able to attend the conference, and are grateful to Aleksei Udovenko of the University of Luxembourg for agreeing to present the paper on their behalf. Questions on the work are welcome to be addressed to the authors on their listed email addresses.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback