Beyond-birthday-bound Security Based on Tweakable Block Ciphers - PowerPoint PPT Presentation

1
Beyond-birthday-bound Security Based on Tweakable Block Ciphers
  • Kazuhiko Minematsu
  • NEC Corporation

Fast Software Encryption 2009, Leuven, Belgium
2
Doubling the Block Length of a Cipher
  • Build 2n-bit block cipher using n-bit components
  • Many solutions, e.g., using Feistel Permutation

[Figure: a 2n-bit plaintext split into n-bit halves, processed by keyed n-bit components E1 and E2, giving a 2n-bit ciphertext]
3
Security Reduction (the case of Feistel)
  • Luby-Rackoff [LR88]: 4-round is O(2^{n/2})-secure
    for chosen-ciphertext attacks (CCAs) if E is a
    pseudorandom function
  • i.e., hard to distinguish from a URP using q ≪ 2^{n/2}
    queries
  • Security is up to the birthday bound (for n)

[Figure: 4-round Feistel vs. uniform random permutation, distinguishable with 2^{n/2} CCA queries]
4
Goal: Beyond-birthday-bound Security
  • O(2^{(1+ε)n/2})-security for some ε > 0 (larger ε is
    better)
  • Very few known schemes (even for a small ε)
  • Most known schemes are O(2^{n/2})-secure
  • Useful: it improves the security of block cipher
    modes w/ O(2^{block_length/2})-security
  • such modes are quite common (CBC, CTR, CBC-MAC, etc.)

5
Known Approaches
  • Direct extension of Luby-Rackoff
  • use n-bit block PRF, add more (balanced) Feistel
    rounds to LR's result
  • Patarin [Pat04]: 6-round has O(2^n)-sec. (for CCA)
  • Maurer-Pietrzak [MP03]: (r ≫ 1)-round has
    infinite sec. (i.e., Adv. converges to 0 as r grows)
  • Unbalanced Feistel
  • use PRF w/ >n-bit input, <n-bit output
  • Naor-Reingold [NR97]: s-round has
    O(2^{n(1-1/s)})-sec.
6
Our Approach
  • Use a Tweakable (Block) Cipher
  • An extension of block cipher introduced by Liskov
    et al. [LRW02]
  • Tweak: a public parameter for variability
  • A tweak determines a single instance of a block
    cipher
  • Different tweaks should provide
    pseudo-independent instances of a block cipher

[Figure: tweakable encryption TE_K with m-bit tweak T maps P to C; tweakable decryption TD_K with the same T maps C back to P]
7
Problem Setting
  • Tweakable Cipher w/ n-bit block, m-bit tweak (we
    call it an (n,m)-bit TC)
  • We assume 1 < m < n
  • We assume our (n,m)-bit TC is perfect (i.e., it
    is the set of 2^m indep. n-bit URPs)
  • goal: info-theoretic security proof; once
    obtained, the computational counterpart is trivial

Build a 2n-bit cipher w/ (n,m)-bit TCs. How?
8
Starting Point: NR Mode
  • Another proposal of Naor-Reingold for large-block
    cipher (originally cn-bit for any c > 2; here c = 2)
  • Mix-ECB-Mix, where Mix is a (weak form of)
    pairwise indep. permutation
  • O(2^{n/2})-sec. was obtained

[Figure: NR mode: (PL, PR) → mix 1 → E ‖ E (ECB) → mix 2 → (CL, CR)]
9
Tweaking ECB
  • Assume m = n for simplicity
  • Use the tweak to introduce inter-block dependency
  • ...while keeping it invertible!
  • Then we get

[Figure: tweaked ECB of (PL, PR): TE1 and TE2, each tweaked by a value derived from the other block, give (CL, CR)]
Note: this is two-key, but a one-key version is
also possible
10
The Role of Mix Layers
  • Tweaked ECB itself is only O(2^{n/2})-secure
  • simultaneous collisions of tweak and output can
    be the source of an attack!
  • Mix must prevent this (in particular a collision
    of tweaks)

[Figure: mix 1 followed by TE1 vs. a URP; Adv. ≈ q^2/2^n]
11
Result: Extended Naor-Reingold (ENR)
  • Mix is a one-round Feistel using an ε-AXU hash func.
    (i.e., Pr[H(x) ⊕ H(x') = δ] ≤ ε for all x ≠ x', δ)
  • The same key for the top and bottom

[Figure: ENR: (PL, PR) → Feistel round with H → TE1, TE2 (tweaked ECB) → Feistel round with H → (CL, CR)]
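As an added illustration (not code from the slides or the paper), the m = n case of ENR in the "perfect" TC model the slides assume: one independent n-bit random permutation per tweak, sampled lazily, with H_K(x) = K·x in GF(2^8) as the 2^{-n}-AXU hash and a one-round Feistel mix on top and bottom sharing one hash key. The choice of which half serves as the tweak of each TC call is my assumption, fixed so that decryption inverts encryption; n = 8 is a toy size.

```python
import random

def gf_mul(a, b, n=8, poly=0x11B):  # multiply in GF(2^n), default GF(2^8) mod x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> n:
            a ^= poly
    return r

class IdealTweakableCipher:
    """The slides' 'perfect' TC: one independent n-bit URP per tweak, sampled lazily."""
    def __init__(self, n, rng):
        self.n, self.rng = n, rng
        self.fwd, self.inv = {}, {}  # tweak -> {x: y} and tweak -> {y: x}
    def _map(self, fwd, bwd, x):  # image of x under one tweak, sampled lazily without collisions
        while x not in fwd:
            y = self.rng.randrange(1 << self.n)
            if y not in bwd:
                fwd[x], bwd[y] = y, x
        return fwd[x]
    def enc(self, tweak, x):
        return self._map(self.fwd.setdefault(tweak, {}), self.inv.setdefault(tweak, {}), x)
    def dec(self, tweak, y):
        return self._map(self.inv.setdefault(tweak, {}), self.fwd.setdefault(tweak, {}), y)

def enr_encrypt(te1, te2, hkey, pl, pr):
    s = pr ^ gf_mul(hkey, pl)      # top mix: one-round Feistel with the AXU hash H(x) = hkey * x
    u = te1.enc(s, pl)             # tweaked ECB: the mixed half tweaks the first call,
    v = te2.enc(u, s)              # its output tweaks the second call (assumed wiring)
    return u ^ gf_mul(hkey, v), v  # bottom mix with the same hash key

def enr_decrypt(te1, te2, hkey, cl, cr):
    u = cl ^ gf_mul(hkey, cr)
    s = te2.dec(u, cr)
    pl = te1.dec(s, u)
    return pl, s ^ gf_mul(hkey, pl)

def roundtrip_ok(seed, trials=200, n=8):  # True if decryption inverts encryption on random blocks
    rng = random.Random(seed)
    te1, te2 = IdealTweakableCipher(n, rng), IdealTweakableCipher(n, rng)
    hkey = rng.randrange(1 << n)   # constructed key; any hkey gives a 2^-n-AXU H over GF(2^n)
    for _ in range(trials):
        pl, pr = rng.randrange(1 << n), rng.randrange(1 << n)
        if enr_decrypt(te1, te2, hkey, *enr_encrypt(te1, te2, hkey, pl, pr)) != (pl, pr):
            return False
    return True
```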
12
Theorem: if H is 2^{-n}-AXU, we have
(see paper for the general case, H being ε-AXU)
(negligible if q ≪ 2^n)
Moreover, if our TC is not perfect, we have
O(2^n)-security is obtained!
13
Proof Idea
  • There are four quasi-random functions having
    2n-bit input and n-bit output (overlapping each
    other)
  • Each QRF has O(2^{2n})-security if H is 2^{-n}-AXU

[Figure: ENR encryption (H, TE1, TE2, H) and decryption (H, TD1, TD2, H) side by side]
14
What should we do if m < n?
  • Same basic strategy: tweak ECB, then add Mix
    layers
  • Need to take care of more bad events
  • Mix cannot be a one-round Feistel

15
ENR for m < n
[Figure: ENR for m < n: the tweak of TE1 and TE2 is cut from the other block (e.g., its leftmost m bits)]
16
Security Proof
  • Condition of G
  • Security of ENR for m < n

17
Concrete Example
  • G is now a two-round irregular Feistel
  • H is an AXU hash using field multiplication
  • Security bound: O(2^{(n+m)/2})-security is obtained

[Figure: concrete ENR for m < n: H1 and H2 act on the m-bit and (n-m)-bit parts, TE1 and TE2 take m-bit tweaks cut from the other block, H2 and H1 again at the bottom]
18
Summary so far
  • ENR
  • Security: O(2^{(n+m)/2})-security for any m < n+1
  • Efficiency: 2 calls of TC + some UHs
  • optimal within this setting

19
Challenging Next Step
  • Our proof naturally requires a tweakable cipher
    w/ beyond-birthday-bound security. How to realize
    it?
  • From scratch (Mercy, HPC, Threefish (in the Skein
    hash function), etc.)
  • increasing attention, but still less popular
  • Mode of operation, i.e., from n-bit block ciphers
20
However
  • Known modes have only up-to-birthday-bound
    security
  • LRW and (generalized) XEX [LRW02, Rog04, Min06]
  • no matter how short the tweak is: 1 bit is enough to
    break using 2^{n/2} queries

[Figure: LRW mode with n-bit input P, m-bit tweak T, block cipher E and hash H producing C]
21
A Naive Solution
  • Tweak-dependent rekeying (TDR)
  • Simple, but never seriously investigated (to our
    knowledge)

[Figure: TDR: K = F_MK(T), where F_MK is a PRF w/ m-bit input and K-bit output; C = E_K(M)]
22
Analysis
  • Basically, it is difficult to determine how large
    m is admissible (as the term involving Adv_E would be
    non-negligible)
  • For the case of key length K = n:
  • When m is sufficiently smaller than n/2, it seems
    fairly secure (well beyond the birthday bound)
  • When m = n/2, a simple birthday attack is
    possible
  • Search for a ciphertext collision due to a key
    collision

[Figure: for tweaks T1 ≠ T2, a key collision F_MK(T1) = F_MK(T2) (prob. 1/2^n) yields ciphertext collisions on the inputs 0^n and 1^n under E]
23
TDR for E (w/ n-bit key)
  • Limit m < n/2 (say, m = n/3)
  • We can use E_MK as F_MK; the security bound is
    (via PRF-PRP switching)
  • Of course, still problematic:
  • short tweak
  • frequent rekeying
24
Combining ENR and TDR
  • Combining ENR and TDR is possible, but it is difficult
    to determine how large m is admissible (because
    of TDR's security proof)
  • Bottom line: need to develop a better one.

Note: based on a strong assumption on E, we can
expect (ENR+TDR) to have O(2^{2n/3})-security by the
choice m = n/3
25
Summary
  • We built a 2n-bit cipher from (n,m)-bit tweakable
    ciphers
  • ENR achieves O(2^{(n+m)/2})-security for any m < n,
    needs 2 TC calls + some UHs
  • TDR: a way to convert an n-bit cipher into an
    (n,m)-bit TC
  • Only a proof of concept; subject to heavy
    limitations (both theoretical and practical)

26
Future Directions
  • Better TC from n-bit cipher w/o rekeying
  • Extensions of ENR
  • Large-block cipher (cn-bit for c > 2)
  • Make ENR tweakable
  • Basic solution is to use some modes w/ ENR;
    search for a more efficient way

27
Thank you!
28
Memo: Security of TDR (ENR+TDR)
  • Assume

(maybe this means the most efficient attack is
the exhaustive key search (by assuming ? q))
  • Then TDR's bound implies

Thus it is expected to have O(2^{n-m})-security.
  • Combining this with ENR's bound, we obtain

Ignoring the constant, this is maximized by the
choice m = n/3. In this case the bound of
(ENR+TDR) is O(q^2/2^{4n/3}), thus it has (based on
the above assumption) O(2^{2n/3})-security.