Transcript Slide 1

Length-Doubling Ciphers and Tweakable Ciphers
Haibin Zhang
Computer Science Department
University of California, Davis
[email protected]
http://csiflabs.cs.ucdavis.edu/~hbzhang/
Our Contribution
 HEM: a VIL cipher on [n..2n-1]
 THEM: a VIL tweakable cipher on [n..2n-1]
 Both HEM and THEM use two blockcipher calls
Symmetric-Key Encryption
(Confidentiality Modes of Operation)
 Probabilistic/stateful encryption (length-expanding)
IND-CPA: CBC, CTR, …
(IND-CCA)
AE: IND-CPA + INT-CTXT: CCM, GCM, OCB, …
 Deterministic encryption (length-preserving encryption; cipher)
PRP (CPA) security:
SPRP (CCA) security: CMC, EME2, …
SPRP ciphers are useful in disk sector encryption, encipher and encode applications, hybrid encryption, …
IEEE P1619.2 (EME2)
Blockciphers

A blockcipher is a map $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ such that $E_K = E(K, \cdot)$ is a permutation of $\{0,1\}^n$ for every key $K$. The adversary $A$ gets oracle access either to $E_K$ (and, in the CCA setting, to $E_K^{-1}$) or to a random permutation $\pi$ over $\{0,1\}^n$ (and $\pi^{-1}$), and must tell the two worlds apart.

PRP (CPA) security:
$$\mathbf{Adv}^{\mathrm{prp}}_{E}(A) = \Pr\big[A^{E_K(\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\pi(\cdot)} \Rightarrow 1\big]$$

$\pm$PRP (CCA) security:
$$\mathbf{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr\big[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\big]$$

where $K$ is drawn uniformly from $\mathcal{K}$ and $\pi$ uniformly from $\mathrm{Perm}(n)$, the set of all permutations over $\{0,1\}^n$.
General Ciphers

A cipher is a map $\mathcal{E}: \mathcal{K} \times \mathcal{X} \to \mathcal{X}$ such that $\mathcal{E}_K = \mathcal{E}(K, \cdot)$ is a length-preserving permutation of the message space $\mathcal{X}$ for every key $K$. Here we are interested in ciphers for $|X| \in [n..2n-1]$, i.e. $\mathcal{X} = \{0,1\}^{[n..2n-1]}$. The ideal object is a random length-preserving permutation $\pi$ over $\mathcal{X}$.

PRP (CPA) security:
$$\mathbf{Adv}^{\mathrm{prp}}_{\mathcal{E}}(A) = \Pr\big[A^{\mathcal{E}_K(\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\pi(\cdot)} \Rightarrow 1\big]$$

$\pm$PRP (CCA) security:
$$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) = \Pr\big[A^{\mathcal{E}_K(\cdot),\,\mathcal{E}_K^{-1}(\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\big]$$
Tweakable Blockcipher Security
[Liskov, Rivest, Wagner 2002]

A tweakable blockcipher is a map $\widetilde{E}: \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ such that $\widetilde{E}_K(T, \cdot)$ is a permutation of $\{0,1\}^n$ for every key $K$ and tweak $T$. The ideal object is $\widetilde{\pi}$ drawn uniformly from $\mathrm{Perm}(\mathcal{T}, n)$, the set of all maps $\mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ that are permutations of $\{0,1\}^n$ for each fixed tweak.

PRP security:
$$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr\big[A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1\big]$$

$\pm$PRP security:
$$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr\big[A^{\widetilde{E}_K(\cdot,\cdot),\,\widetilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1\big]$$
Tweakable Cipher Security
[Liskov, Rivest, Wagner 2002]

A tweakable cipher is a map $\widetilde{\mathcal{E}}: \mathcal{K} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X}$ such that $\widetilde{\mathcal{E}}_K(T, \cdot)$ is a length-preserving permutation of $\mathcal{X}$ for every key $K$ and tweak $T$; we consider $|X| \in [n..2n-1]$. The ideal object is $\widetilde{\pi}$ drawn uniformly from $\mathrm{Perm}(\mathcal{T}, \mathcal{X})$, the set of all maps $\mathcal{T} \times \mathcal{X} \to \mathcal{X}$ that are length-preserving permutations of $\mathcal{X}$ for each fixed tweak.

PRP security:
$$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr\big[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1\big]$$

$\pm$PRP security:
$$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr\big[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot),\,\widetilde{\mathcal{E}}_K^{-1}(\cdot,\cdot)} \Rightarrow 1\big] - \Pr\big[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1\big]$$
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
 A historically and theoretically interesting problem [Luby and Rackoff, 1988]: a FIL cipher from n to 2n bits, "doubling" the length of a cipher.
 Our goal: a VIL cipher from n to [n..2n-1] bits, "doubling" the length of a cipher in the VIL sense.
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
 The TC3* online cipher [Rogaway and Zhang, 2011] uses a tweakable cipher of length [n..2n-1] as a component.
How is a Length-Doubling Cipher ([n..2n-1]) USEFUL?
 XTS mode [IEEE, P1619] handles a trailing partial block with ciphertext stealing, which did not seem to do a good job; what is wanted there is a tweakable cipher of length [n..2n-1].
Previous constructions for [n..2n-1]
 EME2 [Halevi, 2004]
 Four-round Feistel
 XLS [Ristenpart, Rogaway, 2007]
Two-blockcipher-call solution? Our algorithms
 Two blockcipher calls
 Two AXU hash calls
 One mixing function call (inexpensive; non-cryptographic tool)
AXU Hash Function
[Krawczyk, 1994]
 Almost XOR universal (AXU) hash functions: $H: \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$ is $\varepsilon$-AXU if for all $X \neq X'$ in $\mathcal{X}$ and all $C \in \mathcal{Y}$,
$$\Pr_K\big[H_K(X) \oplus H_K(X') = C\big] \le \varepsilon$$
 For our constructions, $\mathcal{X} = \mathcal{Y} = \{0,1\}^n$, i.e. $H: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$. The choice of $H$ is essential for efficiency and security: we use $H_K(X) = K \cdot X$, multiplication in the Galois field $GF(2^n)$.
Mixing Function
[Rogaway and Ristenpart, 2007]
 Mixing function: $\mathrm{mix}: S \times S \to S \times S$. Let $\mathrm{mix}_L(\cdot,\cdot)$ and $\mathrm{mix}_R(\cdot,\cdot)$ be the left and right projections of $\mathrm{mix}$, respectively. For any $A \in S$, the maps $\mathrm{mix}_L(A,\cdot)$, $\mathrm{mix}_L(\cdot,A)$, $\mathrm{mix}_R(A,\cdot)$ and $\mathrm{mix}_R(\cdot,A)$ are all permutations of $S$.
 A construction by Ristenpart and Rogaway takes three xors and a single one-bit circular rotation.
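Both the AXU bound of the previous slide and the four projection conditions of a mixing function can be checked mechanically on small parameters. The following Python is an added example for this transcript, not code from the slides or from the HEM/THEM paper. It implements $H_K(X) = K \cdot X$ in $GF(2^n)$ with assumed reduction polynomials (the AES polynomial for $GF(2^8)$, the GCM polynomial for $GF(2^{128})$, $x^4 + x + 1$ for $GF(2^4)$), counts the keys for which $H_K(X) \oplus H_K(X') = C$ exhaustively for small $n$ and solves for the unique such key at $n = 128$, and brute-forces the mixing-function definition over $S = \{0,1\}^n$. The mixing function checked, $\mathrm{mix}(A,B) = (A \oplus B,\ A \oplus 2B)$ with $2B$ computed in $GF(2^n)$, is my own illustrative choice and is not the Ristenpart-Rogaway three-xor/one-rotation construction.

```python
"""Added example: the AXU property of H_K(X) = K*X over GF(2^n), and a
brute-force check of the mixing-function definition. Illustrative code,
not from the slides or the HEM/THEM paper."""
from functools import lru_cache

# Assumed reduction polynomials, bit i <-> x^i:
#   GF(2^4):   x^4 + x + 1                  (0x13)
#   GF(2^8):   x^8 + x^4 + x^3 + x + 1      (0x11B, the AES polynomial)
#   GF(2^128): x^128 + x^7 + x^2 + x + 1    (the GCM polynomial)
POLY = {4: 0x13, 8: 0x11B, 128: (1 << 128) | 0x87}


def gf_mul(a: int, b: int, n: int) -> int:
    """Carry-less multiply a*b and reduce modulo POLY[n]; inputs are < 2^n."""
    poly = POLY[n]
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: subtract (xor) the modulus
            a ^= poly
    return r


@lru_cache(maxsize=None)
def gf_inv(a: int, n: int) -> int:
    """Inverse of a nonzero element as a^(2^n - 2), square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^n)")
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, n)
        base = gf_mul(base, base, n)
        e >>= 1
    return result


def axu_hash(key: int, x: int, n: int) -> int:
    """H_K(X) = K * X in GF(2^n), the AXU hash used on the slide."""
    return gf_mul(key, x, n)


def count_colliding_keys(x: int, x2: int, c: int, n: int) -> int:
    """Exhaustively count keys K with H_K(x) xor H_K(x2) == c (small n only).
    For x != x2 this is exactly 1, so the hash is 2^-n-AXU."""
    return sum(1 for k in range(1 << n)
               if axu_hash(k, x, n) ^ axu_hash(k, x2, n) == c)


def solve_colliding_key(x: int, x2: int, c: int, n: int) -> int:
    """The unique K with K*(x xor x2) = c when x != x2: K = c * (x xor x2)^-1.
    Works at n = 128, where exhaustive counting is impossible."""
    return gf_mul(c, gf_inv(x ^ x2, n), n)


def axu_epsilon(n: int) -> float:
    """epsilon for H_K(X) = K*X: one colliding key out of 2^n."""
    return 1.0 / (1 << n)


def mix(a: int, b: int, n: int) -> tuple:
    """Assumed illustrative mixing function on S = {0,1}^n (my own choice, not
    the Ristenpart-Rogaway construction): mix(A, B) = (A xor B, A xor 2B),
    with 2B computed in GF(2^n)."""
    return a ^ b, a ^ gf_mul(2, b, n)


def mix_inv(left: int, right: int, n: int) -> tuple:
    """Inverse of mix: L xor R = B xor 2B = 3B, so B = 3^-1 (L xor R), A = L xor B."""
    b = gf_mul(gf_inv(3, n), left ^ right, n)
    return left ^ b, b


def is_mixing_function(mixfn, n: int) -> bool:
    """Brute-force the definition: for every fixed A, mix_L(A,.), mix_L(.,A),
    mix_R(A,.) and mix_R(.,A) must all be permutations of S."""
    size = 1 << n
    for fixed in range(size):
        rows = [mixfn(fixed, v, n) for v in range(size)]   # vary the right input
        cols = [mixfn(v, fixed, n) for v in range(size)]   # vary the left input
        for side in (0, 1):
            if len({t[side] for t in rows}) != size:
                return False
            if len({t[side] for t in cols}) != size:
                return False
    return True


def mix_roundtrip_ok(n: int) -> bool:
    """mix_inv(mix(A, B)) == (A, B) for every pair: mix is invertible as a whole,
    which a cipher needs for decryption even though the definition does not ask for it."""
    size = 1 << n
    return all(mix_inv(*mix(a, b, n), n) == (a, b)
               for a in range(size) for b in range(size))


if __name__ == "__main__":
    print("keys with H_K(0x53) ^ H_K(0xCA) = 0x01 in GF(2^8):",
          count_colliding_keys(0x53, 0xCA, 0x01, 8))
    print("AXU epsilon for n = 128:", axu_epsilon(128))
    print("mix is a mixing function on {0,1}^8:", is_mixing_function(mix, 8))
    print("identity map is a mixing function:",
          is_mixing_function(lambda a, b, n: (a, b), 4))
```

The exhaustive count shows why the AXU definition insists on $X \neq X'$: for $X = X'$ every key collides at $C = 0$, while for $X \neq X'$ the equation $K \cdot (X \oplus X') = C$ has exactly one solution, which is what gives $\varepsilon = 2^{-n}$. The identity map fails the mixing-function check because $\mathrm{mix}_L(A, \cdot)$ is constant, which is the kind of degenerate "mix" the definition rules out.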
An inefficient 2-blockcipher-call solution
Diagram of prior building blocks:
 Variationally universal hash [Rogaway and Krovetz, 2006]
 Feistel networks [Luby and Rackoff, 1988]: a FIL cipher of length 2n
 [Naor and Reingold, 1997]: an improved FIL cipher of length 2n
 [Patel, Ramzan and Sundaram, 1997]: a FIL cipher of length ≥ 2n
FHEM: A FIL Cipher of length n+s
Diagram of FHEM; its layers, in order: AXU hash; blockcipher encryption; mix function; blockcipher encryption; AXU hash.
Two properties: 1. FHEM is a permutation. 2. FHEM is SPRP.
FHEM of length n+s security
Theorem: Let $\mathcal{E} = \mathrm{FHEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then
$$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) \le 3q^2/2^n.$$
FHEM is not VIL secure
Diagram of the distinguisher: query the two messages $0^n \,\|\, 0$ and $0^n \,\|\, 00$ (the same leading block $0^n$ with tails "0" and "00"), obtaining ciphertexts $C$ and $D$; if the first blocks agree ($D_1 = C_1$) output 1, else output 0.
HEM: A Length-Doubling Cipher
Diagram comparing FHEM with HEM; one component of HEM is marked "Can be precomputed!".
HEM security
Theorem: Let $\mathcal{E} = \mathrm{HEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then
$$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) \le 3q^2/2^n.$$
THEM: A Length-Doubling Tweakable Cipher
A way of adding tweaks
THEM security
Theorem: Let $\widetilde{\mathcal{E}} = \mathrm{THEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries then
$$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) \le 3q^2/2^n.$$
A More Compact Variant (Tweak Stealing)
Open questions
 A more elegant cipher on $\mathcal{X} = \{0,1\}^{[n..2n)}$
 How do we achieve an efficient VIL cipher with the domain $\{0,1\}^{>n}$ using the fewest blockcipher calls?
 (Informally) Does there exist a lower bound on the number of blockcipher calls for an efficient SPRP-secure cipher with the domain $\{0,1\}^{>n}$?
Thank you!