Tweaks and Keys for Block Ciphers: the TWEAKEY Framework
Cited by 8 (1 self)
Abstract. We propose the TWEAKEY framework with goal to unify the design of tweakable block ciphers and of block ciphers resistant to related-key attacks. Our framework is simple, extends the key-alternating construction, and allows to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult and thus we identify a subclass of TWEAKEY, that we name STK, which solves the size issue by the use of finite field multiplications on low Hamming weight constants. We give very efficient instances of STK, in particular, a 128-bit tweak/key/state block cipher Deoxys-BC that is the first AES-based ad-hoc tweakable block cipher. At the same time, Deoxys-BC could be seen as a secure alternative to AES-256, which is known to be insecure in the related-key model. As another member of the TWEAKEY framework, we describe Kiasu-BC, which is a very simple and even more efficient tweakable variation of AES-128 when the tweak size is limited to 64 bits. In addition to being efficient, our proposals, compared to the previous schemes that use AES as a black box, offer security beyond the birthday bound. Deoxys-BC and Kiasu-BC represent interesting pluggable primitives for authenticated encryption schemes, for instance, ΘCB3 instantiated with Kiasu-BC runs at about 0.75 c/B on Intel Haswell. Our work can also be seen as advances on the topic of secure key schedule design for AES-like ciphers, describing several proposals in this direction.
Optimally Secure Tweakable Blockciphers
Software Encryption - FSE 2015, volume 9054 of LNCS, 2015
Cited by 4 (1 self)
Abstract. We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and postprocessing functions can be distinguished from an ideal one with an attack complexity of about $2^{n/2}$. Next, we introduce the tweakable blockcipher $\tilde{F}[1]$. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves $2^{2n/3}$ security. Finally, we introduce $\tilde{F}[2]$, which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal $2^n$ security. Both schemes are more efficient than all existing beyond-birthday-bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.
A Modular Framework for Building Variable-Input-Length Tweakable Ciphers
Cited by 4 (0 self)
Abstract. We present the Protected-IV construction (PIV), a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, an obvious pathway to building beyond-birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design space exploration, we give two fully instantiated PIV constructions, TCT1 and TCT2; the latter is fast and has beyond-birthday-bound security, the former is faster and has birthday-bound security. Finally, we consider a generic method for turning a VIL tweakable cipher (like PIV) into an authenticated encryption scheme that admits associated data, can withstand nonce-misuse, and allows for multiple decryption error messages. Thus, the method offers robustness even in the face of certain side-channels, and common implementation mistakes.
XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. Cryptology ePrint Archive
Cited by 2 (1 self)
Abstract. We present XPX, a tweakable blockcipher based on a single permutation P. On input of a tweak $(t_{11}, t_{12}, t_{21}, t_{22}) \in T$ and a message m, it outputs ciphertext $c = P(m \oplus \Delta_1) \oplus \Delta_2$, where $\Delta_1 = t_{11} k \oplus t_{12} P(k)$ and $\Delta_2 = t_{21} k \oplus t_{22} P(k)$. Here, the tweak space T is required to satisfy a certain set of trivial conditions (such as $(0, 0, 0, 0) \notin T$). We prove that XPX with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of XPX under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that XPX achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of T. For instance, if $t_{12}, t_{22} \neq 0$ and $(t_{21}, t_{22}) \neq (0, 1)$ for all tweaks, XPX is XOR-related-key secure. XPX generalizes Even-Mansour (EM), but also Rogaway's XEX based on EM, and tweakable EM used in Minalpher. As such, XPX finds a wide range of applications. We show how our results on XPX directly imply related-key security of the authenticated encryption schemes Prøst-COPA and Minalpher, and how a straightforward adjustment to the MAC function Chaskey and to keyed Sponges makes them provably related-key secure.
Tweakable Blockciphers with Asymptotically Optimal Security?
Cited by 2 (0 self)
Abstract. We consider tweakable blockciphers with beyond the birthday bound security. Landecker, Shrimpton, and Terashima (CRYPTO 2012) gave the first construction with security up to $O(2^{2n/3})$ adversarial queries (n denotes the block size in bits of the underlying blockcipher), and for which changing the tweak does not require changing the keys for blockcipher calls. In this paper, we extend this construction, which consists of two rounds of a previous proposal by Liskov, Rivest, and Wagner (CRYPTO 2002), by considering larger numbers of rounds $r > 2$. We show that asymptotically, as r increases, the resulting tweakable blockcipher approaches security up to the information bound, namely $O(2^n)$ queries. Our analysis makes use of a coupling argument, and carries some similarities with the analysis of the iterated Even-Mansour cipher by Lampe, Patarin, and Seurin (ASIACRYPT 2012).
Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing?
2015
Cited by 1 (0 self)
Abstract. The iterated Even-Mansour construction defines a block cipher from a tuple of public n-bit permutations $(P_1, \ldots, P_r)$ by alternatively xoring some n-bit round key $k_i$, $i = 0, \ldots, r$, and applying permutation $P_i$ to the state. The tweakable Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the n-bit round keys by n-bit strings derived from a master key and a tweak, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a nonlinear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a 2n-bit master key and an n-bit tweak which is provably secure in the Random Permutation Model up to roughly $2^{2n/3}$ adversarial queries.
unknown title
2015
Abstract. We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterated Even-Mansour construction (which turns a tuple of public permutations into a traditional block cipher) that has received considerable attention since the work of Bogdanov et al. (EUROCRYPT 2012). More concretely, we introduce the (one-round) tweakable Even-Mansour (TEM) cipher, constructed from a single n-bit permutation P and a uniform and almost XOR-universal family of hash functions $(H_k)$ from some tweak space to $\{0, 1\}^n$, and defined as $(k, t, x) \mapsto H_k(t) \oplus P(H_k(t) \oplus x)$, where k is the key, t is the tweak, and x is the n-bit message, as well as its generalization obtained by cascading r independently keyed rounds of this construction. Our main result is a security bound up to approximately $2^{2n/3}$ adversarial queries against adaptive chosen-plaintext and ciphertext distinguishers for the two-round TEM construction, using Patarin's H-coefficients technique. We also provide an analysis based on the coupling technique showing that asymptotically, as the number of rounds r grows, the security provided by the r-round TEM construction approaches the information-theoretic bound of $2^n$ adversarial queries.
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers
2015
Abstract. We propose the Synthetic Counter-in-Tweak (SCT) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme (with associated data). The SCT mode combines in a SIV-like manner a Wegman-Carter MAC inspired from PMAC for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many previous authenticated encryption modes, SCT enjoys provable security beyond the birthday bound (and even up to roughly $2^n$ tweakable block cipher calls, where n is the block length, when the tweak length is sufficiently large) in the nonce-respecting scenario where nonces are never repeated. In addition, SCT ensures security up to the birthday bound even when nonces are reused, in the strong nonce-misuse resistance sense (MRAE) of Rogaway and Shrimpton (EUROCRYPT 2006). To the best of our knowledge, this is the first authenticated encryption mode that provides at the same time close-to-optimal security in the nonce-respecting scenario and birthday-bound security for the nonce-misuse scenario. While two passes are necessary to achieve MRAE-security, our mode enjoys a number of desirable features: it is simple, parallelizable, it requires the encryption direction only, it is particularly efficient for small messages (no precomputation is required) and it allows incremental update of associated data.
One-key Double-Sum MAC with Beyond-Birthday Security
Abstract. MACs (Message Authentication Codes) are widely adopted in communication systems to ensure data integrity and data origin authentication, e.g. CBC-MACs in the ISO standard 9797-1. However, all the current designs either suffer from birthday attacks or require long key sizes. In this paper, we focus on designing beyond-birthday-bound MAC modes with a single key, and investigate their design principles. First, we review the current proposals, e.g. 3kf9 and PMAC Plus, and identify that the security primarily comes from the construction of a cover-free function and the advantage of the sum of PRPs. The main challenge in reducing their key size is to find a mechanism to carefully separate the block cipher inputs to the cover-free construction and the sum of PRPs that work in cascade with such a construction. Secondly, we develop several tools on sampling distributions that are quite useful in analysis of the MAC mode of operations and by which we unify the proofs for three/two-key beyond-birthday-bound MACs. Thirdly, we establish our main theorem that upper-bounds the PRF security of the one-key constructions by extended-cover-free, pseudo-cover-free, blockwise universal and the normal PRP assumption on block ciphers. Finally, we apply our main theorem to 3kf9 and PMAC Plus, and successfully reduce their key sizes to the minimum possible. Thus, we solve a long-standing open problem in designing beyond-birthday-bound MAC with a single key.
Faster Binary-Field Multiplication and Faster Binary-Field MACs
Abstract. This paper shows how to securely authenticate messages using just 29 bit operations per authenticated bit, plus a constant overhead per message. The authenticator is a standard type of “universal” hash function providing information-theoretic security; what is new is computing this type of hash function at very high speed. At a lower level, this paper shows how to multiply two elements of a field of size $2^{128}$ using just $9062 \approx 71 \cdot 128$ bit operations, and how to multiply two elements of a field of size $2^{256}$ using just $22164 \approx 87 \cdot 256$ bit operations. This performance relies on a new representation of field elements and new FFT-based multiplication techniques. This paper's constant-time software uses just 1.89 Core 2 cycles per byte to authenticate very long messages. On a Sandy Bridge it takes 1.43 cycles per byte, without using Intel's PCLMULQDQ polynomial-multiplication hardware. This is much faster than the speed records for constant-time implementations of GHASH without PCLMULQDQ (over 10 cycles/byte), even faster than Intel's best Sandy Bridge implementation of GHASH with PCLMULQDQ (1.79 cycles/byte), and almost as fast as state-of-the-art 128-bit prime-field MACs using Intel's integer-multiplication hardware (around 1 cycle/byte).