EME : extending EME to handle arbitrary-length messages with associated data

Similar documents
A Parallelizable Enciphering Mode

A Domain Extender for the Ideal Cipher

A Pseudo-Random Encryption Mode

Improving Upon the TET Mode of Operation

Modes of Operations for Wide-Block Encryption

Studies on Disk Encryption

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation

Characterization of EME with Linear Mixing

Tweakable Enciphering Schemes From Stream Ciphers With IV

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Solution of Exercise Sheet 7

A Tweakable Enciphering Mode

ECS 189A Final Cryptography Spring 2011

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Improved security analysis of OMAC

The Indistinguishability of the XOR of k permutations

Semantic Security of RSA. Semantic Security

On the Security of CTR + CBC-MAC

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

A block cipher enciphers each block with the same key.

CPSC 467: Cryptography and Computer Security

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

On High-Rate Cryptographic Compression Functions

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Improved Security Analysis for OMAC as a Pseudo Random Function

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

A Composition Theorem for Universal One-Way Hash Functions

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

EME : extending EME to handle arbitrary-length messages with associated data

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

5199/IOC5063 Theory of Cryptology, 2014 Fall

Symmetric Encryption

On the Round Security of Symmetric-Key Cryptographic Primitives

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

OMAC: One-Key CBC MAC

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Lecture 10 - MAC s continued, hash & MAC

Blockcipher-based MACs: Beyond the Birthday Bound without Message Length

Introduction to Cryptography Lecture 4

Tweakable Blockciphers with Beyond Birthday-Bound Security

Differential-Linear Cryptanalysis of Serpent

Fast and Secure CBC-Type MAC Algorithms

Block ciphers And modes of operation. Table of contents

Chosen Ciphertext Security with Optimal Ciphertext Overhead

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

CPA-Security. Definition: A private-key encryption scheme

Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

Another Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

The Random Oracle Model and the Ideal Cipher Model are Equivalent

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Boneh-Franklin Identity Based Encryption Revisited

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Online Ciphers and the Hash-CBC Construction

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

The HMAC brawl. Daniel J. Bernstein University of Illinois at Chicago

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

The Security of Abreast-DM in the Ideal Cipher Model

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Linear Cryptanalysis

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

How Fast can be Algebraic Attacks on Block Ciphers?

AES side channel attacks protection using random isomorphisms

New Preimage Attack on MDC-4

Modern Cryptography Lecture 4

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading

A New Paradigm of Hybrid Encryption Scheme

Evaluation of Security Level of Cryptography: The HIME(R) Encryption Scheme. Alfred Menezes University of Waterloo Contact:

Higher Order Universal One-Way Hash Functions

Introduction to Cryptology. Lecture 2

Linear Cryptanalysis of Reduced-Round Speck

Second Preimages for Iterated Hash Functions and their Implications on MACs

New Attacks against Standardized MACs

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

CTR mode of operation

On the Counter Collision Probability of GCM*

Invariant Subspace Attack Against Full Midori64

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

CS 6260 Applied Cryptography

Benes and Butterfly schemes revisited

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Public Key Cryptography

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

A Weak Cipher that Generates the Symmetric Group

Transcription:

EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher into a lengthpreserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher. In addition, it handles associated data of arbitrary bit-length. EME is a refinment of the EME mode of Halevi and Rogaway, and it inherits the efficency and parallelizm from the original mode. 1 Specification of EME Mode We construct from block cipher E: K {0, 1} n {0, 1} n a enciphering scheme with associated data that we denote by EME [E]: (K {0, 1} 2n ) T M M, where K is the same as the underlying cipher, T = {0, 1}, and M = {0, 1} n+. In words, the key for enciphering scheme EME [E] consists of one key K of the underlying block cipher and two n-bit blocks, L and R. EME [E] accepts messages of any bit length grater than or equal to n, and associated data of arbitrary bit-length. The scheme EME [E] follows the same general principles of the tweakable scheme EME from [3]. Roughly, it consists of two layers of masked ECB encryption, with a layer of lightweight mixing in between. A complete specification of the enciphering scheme EME [E] is given in Figure 1, and an illustration (for a message of less than n 2 bits) is provided in Figure 2. For those familiar with EME, the differences between EME and EME are as follows: More than one mask. The EME scheme uses (multiples of) a single mask value M in the lightweight masking layer. It was shown in [3], however, that this masking technique with just one mask cannot be used for messages longer than n 2 bits. To handle longer messages we adopt the approach that was proposed in the appendix of [3], breaking the message to chuncks of at most n 2 bits each, and computing a different mask value for every chunk. As we explain below, we use yet another mask to handle the last partial block (if needed). IBM T.J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, USA, shaih@watson.ibm.com http://www.research.ibm.com/people/s/shaih/ 1

function F K,R (T 1 T l 1, T l ) T 1 = = T l 1 = n, 0 < T l n 00 if T is empty return E K (R) R 10 for i [1..l 1] do 11 TT i 2 i R T i 12 TTT i E K (T T i ) 2 i R 20 if T l = n then 21 TT l 2 l R T l 22 TTT l E K (T T i ) 2 l R 23 else TT l (2 l + 1)R (T l 10..0) 24 TTT l E K (T T i ) (2 l + 1)R 30 return T T T 1 T T T l Algorithm E K,L,R (T ; P 1 P m ) P 1 = = P m 1 = n, 0 < P m n 101 H F K,R (T ) 102 if P m = n then lastfull m 103 else lastfull m 1 104 PPP m P m padded with 10..0 110 for i 1 to lastfull do 111 PP i 2 i 1 L P i ; PPP i E K (PP i ) 120 SP PPP 2 PPP m 121 MP 1 PPP 1 SP H 122 if P m = n then MC 1 E K (MP 1 ) 123 else MM E K (MP 1 ); MC 1 E K (MM ) 124 C m P m (MM truncated) 125 CCC m C m padded with 10..0 126 M 1 MP 1 MC 1 130 for i = 2 to lastfull do 131 j = i/n, k = (i 1) mod n 132 if k = 0 then 133 MP j PPP i M 1 ; MC j E K (MP j ) 134 M j MP j MC j 135 CCC i MC j M 1 136 else CCC i PPP i 2 k M j 140 SC CCC 2 CCC m 141 CCC 1 MC 1 SC H 142 for i 1 to lastfull do 143 CC i E K (CCC i ); C i CC i 2 i 1 L 150 return C 1... C m Figure 1: Enciphering under E = EME [E], where E: K {0, 1} n {0, 1} n is a block cipher. The associated data is T {0, 1}, the plaintext is P = P 1 P m and the ciphertext is C = C 1 C m. The deciphering procedure D T K can be obtained from ET K by replaceing E K( ) by E 1 K ( ) everywhere (but without modifying the function F K,R ). 2

Associated data P 1 P 2 P n P n+1 P n+2 P n+3 L 2L 2 n 1 L 2 n L 2 n+1 L F PP 1 PP 2... PP n PP n+1 PP n+2 pad H PPP 1 PPP 2 PPP n PPP n+1 PPP n+2 PPP n+3 SP H MP 1 M 1 MM 2M 1 2 n 1 M 1 MP 2 2M 2 MM MC 2 M 1 MC 1 SC H CCC 1 CCC 2... CCC n CCC n+1 CCC n+2 CCC n+3 pad L CC 1 2L CC 2 2 n 1 L CC n 2 n L CC n+1 2 n+1 L CC n+2 C 1 C 2 C n C n+1 C n+2 C n+3 Figure 2: Enciphering under EME a buffer with n + 2 full blocks and one partial block. The boxes represent E K. We set the masks as SP = PPP 2 PPP n+3, M i = MP i MC i, and SC = CCC 2 CCC n+3. 3

Hashing the tweak. The original EME scheme requires that the tweak value be an n-bit string, whereas here we allow associated data of any length. For this purpose, we hash the associated data to an n-bit string. The hash function that we use should only be xor-universal, yet we chose to implement it using the underlying block cipher in a PMAC-like mode [1]. The partial block. To handle the last partical block (if any), we compute yet another mask and add it into the last partial plaintext block, thus getting the last partial ciphertext block. Also, we add the partial plaintext block and the hashed tweak after the first masked-ecb layer and before computing the first mask, and then we add the partial ciphertext block and the hashed tweak again before the second masked-ecb layer. If needed, one could derive the blocks L, R from the key K, say by setting L = 2E K (0) and R = 3E K (0)). The only drawback is that this will add a few more pages to the proof of security. 2 Security of EME The following theorem relates the advantage an adversary can get in attacking EME [E] to the advantage an adversary can get in attacking the block cipher E. Theorem 1 [EME security] Any adversary that tries to distinguish EME [Perm(n)] from a truely random tweakable length-presenring permutation, using at most q queries totalling at most σ n blocks (some of which may be partial), has advantage at most (2q + (2 + 1 n )σ n) 2 /2 n+1. Namely, Adv ± prp EME [Perm(n)] (q, σ n) (2q + (2 + 1 n )σ n) 2 2 n+1 (1) Corollary 1 Fix n, t, q, σ n N and a block cipher E: K {0, 1} n {0, 1} n. Then Adv ± prp EME [E] (t, q, σ n) (2q + (2 + 1 n )σ n) 2 ( 2 n+1 + 2 Adv ±prp E t, 2q + (2 + 1 ) n σ n) where t = t + O(nσ n ). We note that the theorem and corollary do not restrict messages to one particular length: proven security is for a variable-input-length (VIL) cipher, not just fixed-input-length (FIL) one. The proof of Theorem 1 is given in Appendix A. Corollary 1 embodies the standard way to pass from the information-theoretic setting to the complexity-theoretic one. References [1] J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. In L. Knudsen, editor, Advances in Cryptology EUROCRYPT 02, volume 2332 of Lecture Notes in Computer Science, pages 384 397. Springer-Verlag, 2002. [2] S. Halevi and P. Rogaway. A tweakable enciphering mode. In D. Boneh, editor, Advances in Cryptology CRYPTO 03, volume 2729 of Lecture Notes in Computer Science, pages 482 499. Springer-Verlag, 2003. Full version available on the eprint archive, http://eprint.iacr.org/2003/148/. 4

[3] S. Halevi and P. Rogaway. A parallelizable enciphering mode. In The RSA conference Cryptographer s track, RSA-CT 04, volume 2964 of Lecture Notes in Computer Science, pages 292 304. Springer-Velrag, 2004. Full version available on the eprint archive, http://eprint.iacr.org/2003/147/. [4] J. Kilian and P. Rogaway. How to protect DES against exhaustive key search. Journal of Cryptology, 14(1):17 35, 2001. Earlier version in CRYPTO 96. www.cs.ucdavis.edu/ rogaway. A Proof of Theorem 1 Security of EME 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback