Length-Doubling Ciphers and Tweakable Ciphers. Haibin Zhang, Computer Science Department, University of California, Davis. [email protected], http://csiflabs.cs.ucdavis.edu/~hbzhang/ (PowerPoint presentation, 27 slides)

Page 1: Length-Doubling Ciphers and Tweakable Ciphers

Length-Doubling Ciphers and Tweakable Ciphers

Haibin Zhang

Computer Science Department, University of California, Davis

[email protected]

http://csiflabs.cs.ucdavis.edu/~hbzhang/

Page 2: Length-Doubling Ciphers and Tweakable Ciphers

Our Contribution

HEM: a VIL cipher on [n..2n-1]

THEM: a VIL tweakable cipher on [n..2n-1]

Both HEM and THEM use two blockcipher calls

Page 3: Length-Doubling Ciphers and Tweakable Ciphers

Symmetric-Key Encryption (Confidentiality Modes of Operation)

Probabilistic/stateful encryption (length-expanding): IND-CPA: CBC, CTR, … (IND-CCA)

AE: IND-CPA + INT-CTXT: CCM, GCM, OCB, …

Deterministic encryption (length-preserving encryption; cipher)

PRP (CPA) security; SPRP (CCA) security: CMC, EME2, …

SPRP ciphers are useful in disk-sector encryption, encipher-and-encode applications, hybrid encryption, … IEEE P1619.2 (EME2)

Page 4: Length-Doubling Ciphers and Tweakable Ciphers

Blockciphers

E: K × {0,1}^n → {0,1}^n

The adversary A is given oracle access either to E_K(·) (and, in the CCA game, E_K^{-1}(·)) or to π(·) (and π^{-1}(·)), where π is a random permutation over {0,1}^n.

PRP (CPA) security:

$$\mathrm{Adv}^{\mathrm{prp}}_{E}(A) = \Pr[A^{E_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$$

SPRP (CCA) security:

$$\mathrm{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$$

Page 5: Length-Doubling Ciphers and Tweakable Ciphers

General Ciphers

ε: K × X → X

The adversary A is given oracle access either to ε_K(·) (and, in the CCA game, ε_K^{-1}(·)) or to π(·) (and π^{-1}(·)), where π is a random length-preserving permutation over X.

PRP (CPA) security:

$$\mathrm{Adv}^{\mathrm{prp}}_{\varepsilon}(A) = \Pr[A^{\varepsilon_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$$

SPRP (CCA) security:

$$\mathrm{Adv}^{\pm\mathrm{prp}}_{\varepsilon}(A) = \Pr[A^{\varepsilon_K(\cdot),\,\varepsilon_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$$

A cipher for |X| = [n..2n-1]

Page 6: Length-Doubling Ciphers and Tweakable Ciphers

Tweakable Blockcipher Security [Liskov, Rivest, Wagner 2002]

Ẽ: K × T × {0,1}^n → {0,1}^n

The adversary A is given oracle access either to Ẽ_K(·,·) (and, in the CCA game, Ẽ_K^{-1}(·,·)) or to π̃(·,·) (and π̃^{-1}(·,·)), where π̃ is drawn at random from Perm(T, n).

PRP security:

$$\mathrm{Adv}^{\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$$

SPRP security:

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot),\,\tilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot),\,\tilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$$

Page 7: Length-Doubling Ciphers and Tweakable Ciphers

Tweakable Cipher Security [Liskov, Rivest, Wagner 2002]

Ẽ: K × T × X → X

The adversary A is given oracle access either to Ẽ_K(·,·) (and, in the CCA game, Ẽ_K^{-1}(·,·)) or to π̃(·,·) (and π̃^{-1}(·,·)), where π̃ is drawn at random from Perm(T, X).

PRP security:

$$\mathrm{Adv}^{\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$$

SPRP security:

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\tilde{E}}(A) = \Pr[A^{\tilde{E}_K(\cdot,\cdot),\,\tilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\tilde{\pi}(\cdot,\cdot),\,\tilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$$

A tweakable cipher for |X| = [n..2n-1]

Page 8: Length-Doubling Ciphers and Tweakable Ciphers

How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?

A historically and theoretically interesting problem

A FIL cipher from n to 2n: "doubling" the length of a cipher [Luby and Rackoff, 1988]

Our goal: a VIL cipher from n to [n..2n-1]: "doubling" the length of a cipher in the VIL sense

Page 9: Length-Doubling Ciphers and Tweakable Ciphers

How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?

TC3* Online Cipher [Rogaway and Zhang, 2011]: uses a tweakable cipher of length [n..2n-1]

Page 10: Length-Doubling Ciphers and Tweakable Ciphers

How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?

XTS Mode [IEEE, P1619]: a tweakable cipher of length [n..2n-1]. Ciphertext stealing did not seem to do a good job.

Page 11: Length-Doubling Ciphers and Tweakable Ciphers

Previous constructions for [n..2n-1]

EME2 [Halevi, 2004]

Four-round Feistel

XLS [Ristenpart, Rogaway, 2007]

Page 12: Length-Doubling Ciphers and Tweakable Ciphers

Two-blockcipher-call solution? Our algorithms:

Two blockcipher calls, two AXU hash calls, one mixing-function call (inexpensive; a non-cryptographic tool)

Page 13: Length-Doubling Ciphers and Tweakable Ciphers

AXU Hash Function

Almost-XOR-universal hash functions [Krawczyk, 1994]: H: K × X → Y

For all X ≠ X' and all C ∈ Y, Pr[H_K(X) ⊕ H_K(X') = C] ≤ ε

For our constructions, X = Y = {0,1}^n, i.e. H: K × {0,1}^n → {0,1}^n, with H_K(X) = K·X (Galois field multiplication)

Essential for efficiency and security

Page 14: Length-Doubling Ciphers and Tweakable Ciphers

Mixing Function

mix: S × S → S × S [Rogaway and Ristenpart, 2007]

Let mixL(·,·) and mixR(·,·) be the left and right projections of mix respectively. For any A ∈ S, mixL(A,·), mixL(·,A), mixR(A,·) and mixR(·,A) are all permutations.

A construction by Ristenpart and Rogaway takes three XORs and a single one-bit circular rotation.
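As an added worked example for the two preceding slides (my code, not code from the slides or from the HEM/THEM authors), the Python below checks both definitions exhaustively on a small field. It implements the AXU hash H_K(X) = K·X in GF(2^n) and measures the bound ε directly for n = 4, and it verifies the four-projection mixing-function requirement for a candidate mix over GF(2^n). The mix used here, mix(A,B) = (A ⊕ B, A ⊕ 2·B), is a stand-in I chose because its property is easy to verify; it is not the three-XOR one-rotation construction of Ristenpart and Rogaway. The reduction polynomials and the swap_xor counterexample are likewise assumptions made for the example.

```python
# Added example: AXU hashing by GF(2^n) multiplication and an exhaustive checker
# for the "mixing function" property stated on the slide.  Field sizes are kept
# tiny (n = 4 or 8) so that every check can be exhaustive.

# Irreducible polynomials chosen for this example (constructed, not from the slides):
# x^4 + x + 1 for GF(2^4) and x^8 + x^4 + x^3 + x + 1 (the AES polynomial) for GF(2^8).
REDUCTION = {4: 0b10011, 8: 0b100011011}


def gf_mul(a: int, b: int, n: int) -> int:
    """Multiply a and b in GF(2^n), reducing by the polynomial chosen for that n."""
    poly = REDUCTION[n]
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # degree reached n: reduce modulo the polynomial
            a ^= poly
    return result


def axu_hash(key: int, x: int, n: int) -> int:
    """H_K(X) = K * X over GF(2^n), the AXU hash family named on the slide."""
    return gf_mul(key, x, n)


def axu_epsilon(n: int) -> float:
    """Exhaustively compute max over X != X' and C of Pr_K[H_K(X) xor H_K(X') = C].

    Since H_K(X) xor H_K(X') = K * (X xor X') and X xor X' != 0, the map
    K -> K * (X xor X') is a bijection of the field, so every C is hit by
    exactly one key and the bound is epsilon = 2^-n.
    """
    size = 1 << n
    worst = 0.0
    for x in range(size):
        for x_prime in range(x + 1, size):
            hits = [0] * size
            for key in range(size):
                hits[axu_hash(key, x, n) ^ axu_hash(key, x_prime, n)] += 1
            worst = max(worst, max(hits) / size)
    return worst


def mix(a: int, b: int, n: int) -> tuple:
    """Constructed mixing function over S = GF(2^n): (A xor B, A xor 2*B).

    A stand-in for the slide's abstract mix: S x S -> S x S; NOT the
    Ristenpart-Rogaway three-XOR-plus-rotation construction.
    """
    return a ^ b, a ^ gf_mul(2, b, n)


def swap_xor(a: int, b: int, n: int) -> tuple:
    """Deliberately bad candidate: mixR(A, .) is constant, so it is not a mixing function."""
    return a ^ b, a


def is_mixing_function(f, n: int) -> bool:
    """Exhaustively check the slide's requirement for a candidate f over S = {0,1}^n.

    For every A in S, mixL(A,.), mixL(.,A), mixR(A,.) and mixR(.,A) must be
    permutations of S.  Also checks that f itself is a bijection on S x S,
    which any cipher built on it needs in order to decrypt.
    """
    size = 1 << n
    S = range(size)
    for a in S:
        projections = (
            {f(a, b, n)[0] for b in S},   # mixL(A, .)
            {f(b, a, n)[0] for b in S},   # mixL(., A)
            {f(a, b, n)[1] for b in S},   # mixR(A, .)
            {f(b, a, n)[1] for b in S},   # mixR(., A)
        )
        if any(len(image) != size for image in projections):
            return False
    return len({f(a, b, n) for a in S for b in S}) == size * size


if __name__ == "__main__":
    print("AXU epsilon for GF(2^4):", axu_epsilon(4))
    print("mix is a mixing function:", is_mixing_function(mix, 4))
    print("swap_xor is a mixing function:", is_mixing_function(swap_xor, 4))
```

The exhaustive AXU check is only practical for tiny n; for the n = 128 used in practice the bound follows from the same bijection argument given in the docstring, which is exactly why a single field multiplication per block suffices for the hash layers of the construction.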

Page 15: Length-Doubling Ciphers and Tweakable Ciphers

An inefficient 2-blockcipher-call solution

Variationally universal hash [Rogaway and Krovetz, 2006]

Page 16: Length-Doubling Ciphers and Tweakable Ciphers

Feistel networks

[Luby and Rackoff, 1988] [Naor and Reingold, 1997] [Patel, Ramzan and Sundaram, 1997]

A FIL cipher of length 2n

An improved FIL cipher of length 2n

A FIL cipher of length ≥2n
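As an added illustration of the Feistel length-doubling idea on this slide and slide 8 (my code, not the slides' construction and not HEM), the Python below builds a FIL cipher on {0,1}^{2n} from an n-bit round function using a 4-round balanced Feistel network. The round function is assumed to be HMAC-SHA256 truncated to n bits, a PRF standing in for a blockcipher-based one; the key and block values are constructed for the example. It shows what this baseline does and does not give: a permutation on exactly 2n bits, costing four round-function calls, as against the two blockcipher calls and the [n..2n-1] domain the talk is after.

```python
# Added example: a 4-round balanced Feistel network (Luby-Rackoff style) turning an
# n-bit PRF into a FIL cipher on 2n bits.  The round function is HMAC-SHA256 truncated
# to n bits (an assumption for this example); a real instance would derive it from a
# blockcipher.  Nothing here is the HEM/THEM construction from the slides.
import hashlib
import hmac


def _round_function(key: bytes, round_index: int, x: bytes) -> bytes:
    """F_i(x): PRF keyed by `key`, domain-separated by the round index, |x| bytes of output."""
    return hmac.new(key, bytes([round_index]) + x, hashlib.sha256).digest()[: len(x)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _split(block: bytes) -> tuple:
    """Split a 2n-bit block into halves; the domain is fixed-length, so odd sizes are rejected."""
    if len(block) == 0 or len(block) % 2 != 0:
        raise ValueError("Feistel block must be 2n bits for some n >= 1")
    half = len(block) // 2
    return block[:half], block[half:]


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Encrypt one 2n-bit block: (L, R) -> (R, L xor F_i(R)) in each round."""
    left, right = _split(block)
    for i in range(rounds):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Invert feistel_encrypt by running the rounds backwards; F_i itself is never inverted."""
    left, right = _split(block)
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def round_trip_ok(key: bytes, block: bytes, rounds: int = 4) -> bool:
    """True when decrypt(encrypt(block)) == block and the cipher actually changed the block."""
    ciphertext = feistel_encrypt(key, block, rounds)
    return feistel_decrypt(key, ciphertext, rounds) == block and ciphertext != block


if __name__ == "__main__":
    demo_key = bytes(range(32))                    # constructed demo key
    demo_block = b"\x00" * 16 + b"\x01" * 16       # 2n = 256 bits, constructed
    print(feistel_encrypt(demo_key, demo_block).hex())
    print("round trip:", round_trip_ok(demo_key, demo_block))
```

Because each half is n bits and every round consumes one n-bit PRF output, the construction only ever handles inputs of exactly 2n bits; handling every length in [n..2n-1] with a VIL-secure design is the gap the rest of the talk addresses.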

Page 17: Length-Doubling Ciphers and Tweakable Ciphers

FHEM: A FIL Cipher of length n+s

[Figure: data flow of FHEM: AXU hash → blockcipher encryption → mix function (1. permutation, 2. SPRP) → AXU hash → blockcipher encryption]

Page 18: Length-Doubling Ciphers and Tweakable Ciphers

FHEM of length n+s: security

Theorem: Let ε = FHEM[H, Perm(n), mix]. If A asks at most q queries then

$$\mathrm{Adv}^{\pm\mathrm{prp}}_{\varepsilon}(A) \le \frac{3q^2}{2^n}$$

Page 19: Length-Doubling Ciphers and Tweakable Ciphers

FHEM is not VIL secure

[Figure: distinguishing attack with the inputs 0^n 0 and 0^n 00; if D1 = C1 output 1 else 0]


Page 21: Length-Doubling Ciphers and Tweakable Ciphers

HEM: A Length-Doubling Cipher

[Figure: from FHEM to HEM; the marked part can be precomputed!]

Page 22: Length-Doubling Ciphers and Tweakable Ciphers

HEM security

Theorem: Let ε = HEM[H, Perm(n), mix]. If A asks at most q queries then

$$\mathrm{Adv}^{\pm\mathrm{prp}}_{\varepsilon}(A) \le \frac{3q^2}{2^n}$$

Page 23: Length-Doubling Ciphers and Tweakable Ciphers


THEM: A Length-Doubling Tweakable Cipher

A way of adding tweaks

Page 24: Length-Doubling Ciphers and Tweakable Ciphers

THEM security

Theorem: Let ε̃ = THEM[H, Perm(n), mix]. If A asks at most q queries then

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\tilde{\varepsilon}}(A) \le \frac{3q^2}{2^n}$$

Page 25: Length-Doubling Ciphers and Tweakable Ciphers


A More Compact Variant (Tweak Stealing)

Page 26: Length-Doubling Ciphers and Tweakable Ciphers

Open questions

A more elegant cipher on X = {0,1}^[n..2n)

How do we achieve an efficient VIL cipher with domain {0,1}^{>n} using the fewest blockcipher calls?

(Informally) Does there exist a lower bound on the number of blockcipher calls for an efficient SPRP-secure cipher with domain {0,1}^{>n}?

Page 27: Length-Doubling Ciphers and Tweakable Ciphers

Thank you!
