Turning Online Ciphers Off

CAESAR has caused a heated discussion regarding the merits of one-pass encryption and online ciphers. The latter is a keyed, length-preserving function which outputs ciphertext blocks as soon as the respective plaintext block is available as input. The immediacy of an online cipher affords a clear performance advantage, but it comes at a price: ciphertext blocks cannot depend on later plaintext blocks, limiting diffusion and hence security. We show how one can attain the best of both worlds by providing provably secure constructions, achieving full cipher security, based on applications of an online cipher around blockwise reordering layers. Explicitly, we show that with just two calls to the online cipher, prp security up to the birthday bound is both attainable and maximal. Moreover, we demonstrate that three calls to the online cipher suffice to obtain beyond-birthday-bound security. We provide a full proof of this for a prp construction, and, in the ±prp setting, security against adversaries who make queries of any single length. As part of our investigation, we extend an observation by Rogaway and Zhang by further highlighting the close relationship between online ciphers and tweakable blockciphers with variable-length tweaks.
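As an added illustration (not code from the paper), the toy Python below builds an online cipher as CBC with a fixed IV over a small Feistel PRP and wraps two calls to it around a block-reordering layer. The CBC-based online cipher, the HMAC-based Feistel PRP and the choice of block-order reversal as the reordering layer are assumptions made for illustration, not the paper's exact construction, and carry no security proof of their own; the point shown is that a single online cipher leaks common plaintext prefixes through common ciphertext prefixes, while the two-call construction makes every ciphertext block depend on every plaintext block.

```python
import hashlib, hmac

BLOCK = 16  # block size in bytes; the Feistel halves are 8 bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, i, half):
    # Toy round function: HMAC-SHA256 of (round index, half) truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def prp(key, block, decrypt=False):
    # 4-round Feistel network (Luby-Rackoff style) standing in for a 128-bit blockcipher.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _round(key, i, l)), l) if decrypt else (r, _xor(l, _round(key, i, r)))
    return l + r

def oc_enc(key, msg):
    # Online cipher: CBC with a fixed zero IV. Ciphertext block i depends only on
    # plaintext blocks 0..i, so it can be emitted as soon as block i arrives.
    prev, out = bytes(BLOCK), []
    for i in range(0, len(msg), BLOCK):
        prev = prp(key, _xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def oc_dec(key, ct):
    prev, out = bytes(BLOCK), []
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(prp(key, ct[i:i + BLOCK], decrypt=True), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def reverse_blocks(data):
    # Blockwise reordering layer, assumed here to be block-order reversal.
    return b"".join(data[i:i + BLOCK] for i in range(len(data) - BLOCK, -1, -BLOCK))

def two_call_enc(k1, k2, msg):
    # Two online-cipher calls around the reordering layer: OC_k2(reverse(OC_k1(M))).
    return oc_enc(k2, reverse_blocks(oc_enc(k1, msg)))
def two_call_dec(k1, k2, ct):
    return oc_dec(k1, reverse_blocks(oc_dec(k2, ct)))

def shared_prefix_blocks(c1, c2):
    # Number of leading ciphertext blocks two ciphertexts have in common.
    n = 0
    while (n + 1) * BLOCK <= min(len(c1), len(c2)) and c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

K1, K2 = b"constructed-key-1", b"constructed-key-2"  # constructed sample keys
M1 = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK  # constructed: M1 and M2 share two blocks
M2 = b"A" * BLOCK + b"B" * BLOCK + b"D" * BLOCK
```

With the single online cipher, `shared_prefix_blocks(oc_enc(K1, M1), oc_enc(K1, M2))` is 2, exposing the two-block common prefix; with `two_call_enc` it is 0, because the differing block is moved to the front by the reversal and the second CBC pass then chains that difference into every block.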
