Connecting tweakable and multi-key blockcipher security

The significance of understanding blockcipher security in the multi-key setting is highlighted by the extensive literature on attacks, and how effective key size can be significantly reduced. Nevertheless, little attention has been paid in formally understanding the design of multi-key secure blockciphers. In this work, we formalize the multi-key security of tweakable blockciphers in case of general key derivation functions. We show an equivalence between blockcipher multi-key security and tweakable blockcipher security. Our equivalence connects two objects of study, the iterated Even–Mansour (EUROCRYPT 2012) and the iterated Tweakable Even–Mansour (CRYPTO 2015), which establishes that results in both areas are, to a certain extent, transferable. Using our novel equivalence relation, we derive new bounds for both constructions, pave the path towards the solution of two well-studied conjectures, and show that, contrary to common knowledge, key derivation functions need not necessarily be pseudorandom functions in order to provide security: for the iterated Even–Mansour universal hash functions suffice.

[1]  David A. Wagner,et al.  Tweakable Block Ciphers , 2002, CRYPTO.

[2]  Silvio Micali,et al.  Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements , 2000, EUROCRYPT.

[3]  Kazuhiko Minematsu,et al.  Improved Security Analysis of XEX and LRW Modes , 2006, Selected Areas in Cryptography.

[4]  John P. Steinberger,et al.  Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations , 2012, IACR Cryptol. ePrint Arch..

[5]  John P. Steinberger,et al.  Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance , 2012, IACR Cryptol. ePrint Arch..

[6]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[7]  Tetsu Iwata,et al.  Tweakable Pseudorandom Permutation from Generalized Feistel Structure , 2008, ProvSec.

[8]  F. Frances Yao,et al.  Design and analysis of password-based key derivation functions , 2005, IEEE Transactions on Information Theory.

[9]  Richard Taylor,et al.  An Integrity Check Value Algorithm for Stream Ciphers , 1993, CRYPTO.

[10]  John P. Steinberger,et al.  On the Indifferentiability of Key-Alternating Ciphers , 2013, IACR Cryptol. ePrint Arch..

[11]  John P. Steinberger,et al.  Minimizing the Two-Round Even–Mansour Cipher , 2014, Journal of Cryptology.

[12]  Kazuhiko Minematsu,et al.  Beyond-Birthday-Bound Security Based on Tweakable Block Cipher , 2009, FSE.

[13]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[14]  David Pointcheval,et al.  Advances in Cryptology – EUROCRYPT 2012 , 2012, Lecture Notes in Computer Science.

[15]  Yannick Seurin,et al.  An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher , 2012, ASIACRYPT.

[16]  Colin Boyd,et al.  Cryptography and Coding , 1995, Lecture Notes in Computer Science.

[17]  Dongdai Lin,et al.  A Synthetic Indifferentiability Analysis of Interleaved Double-Key Even-Mansour Ciphers , 2015, ASIACRYPT.

[18]  Yishay Mansour,et al.  A construction of a cipher from a single pseudorandom permutation , 1997, Journal of Cryptology.

[19]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[20]  Bart Mennink,et al.  Optimally Secure Tweakable Blockciphers , 2015, FSE.

[21]  Gordon Procter A Note on the CLRW2 Tweakable Block Cipher Construction , 2014, IACR Cryptol. ePrint Arch..

[22]  F. Frances Yao,et al.  Design and Analysis of Password-Based Key Derivation Functions , 2005, IEEE Trans. Inf. Theory.

[23]  Adi Shamir,et al.  Minimalism in Cryptography: The Even-Mansour Scheme Revisited , 2012, EUROCRYPT.

[24]  Bert den Boer A Simple and Key-Economical Unconditional Authentication Scheme , 1993, J. Comput. Secur..

[25]  Stefano Tessaro,et al.  Optimally Secure Block Ciphers from Ideal Primitives , 2015, ASIACRYPT.

[26]  Mihir Bellare,et al.  Hash-Function Based PRFs: AMAC and Its Multi-User Security , 2016, EUROCRYPT.

[27]  Benoit Cogliati,et al.  On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks , 2015, EUROCRYPT.

[28]  Hugo Krawczyk,et al.  MMH: Software Message Authentication in the Gbit/Second Rates , 1997, FSE.

[29]  Moses D. Liskov,et al.  On Tweaking Luby-Rackoff Blockciphers , 2007, ASIACRYPT.

[30]  Hideki Imai,et al.  Advances in Cryptology — ASIACRYPT '91 , 1991, Lecture Notes in Computer Science.

[31]  Hugo Krawczyk,et al.  Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[32]  Bart Mennink,et al.  Security of Keyed Sponge Constructions Using a Modular Proof Approach , 2015, FSE.

[33]  Palash Sarkar,et al.  A General Construction of Tweakable Block Ciphers and Different Modes of Operations , 2008, IEEE Transactions on Information Theory.

[34]  Hugo Krawczyk,et al.  HMAC-based Extract-and-Expand Key Derivation Function (HKDF) , 2010, RFC.

[35]  Ted Krovetz,et al.  Message Authentication on 64-Bit Architectures , 2006, Selected Areas in Cryptography.

[36]  Alex Biryukov,et al.  Improved Time-Memory Trade-Offs with Multiple Data , 2005, Selected Areas in Cryptography.

[37]  Tetsu Iwata,et al.  Tweak-Length Extension for Tweakable Blockciphers , 2015, IMACC.

[38]  Palash Sarkar,et al.  New Applications of Time Memory Data Tradeoffs , 2005, ASIACRYPT.

[39]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[40]  Yannick Seurin,et al.  Tweakable Blockciphers with Asymptotically Optimal Security , 2013, FSE.

[41]  Eli Biham,et al.  How to decrypt or even substitute DES-encrypted messages in 228 steps , 2002, Inf. Process. Lett..

[42]  Pooya Farshim,et al.  The Related-Key Security of Iterated Even-Mansour Ciphers , 2015, FSE.

[43]  Yannick Seurin,et al.  How to Construct an Ideal Cipher from a Small Set of Public Permutations , 2013, ASIACRYPT.

[44]  Thomas Peyrin,et al.  Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers , 2016, CRYPTO.

[45]  Benoit Cogliati,et al.  Tweaking Even-Mansour Ciphers , 2015, CRYPTO.

[46]  Kenneth G. Paterson,et al.  On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model , 2011, IACR Cryptol. ePrint Arch..

[47]  Bart Mennink,et al.  XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees , 2016, CRYPTO.

[48]  John P. Steinberger,et al.  Tight Security Bounds for Key-Alternating Ciphers , 2014, EUROCRYPT.

[49]  Thomas Shrimpton,et al.  Tweakable Blockciphers with Beyond Birthday-Bound Security , 2012, IACR Cryptol. ePrint Arch..

[50]  Alan Siegel,et al.  On Universal Classes of Extremely Random Constant-Time Hash Functions , 1995, SIAM J. Comput..

[51]  Antoine Joux,et al.  Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE , 2014, ASIACRYPT.

[52]  Stefano Tessaro,et al.  Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security , 2016, CRYPTO.

[53]  Mihir Bellare,et al.  A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications , 2003, EUROCRYPT.

[54]  Thomas Peyrin,et al.  Tweaks and Keys for Block Ciphers: The TWEAKEY Framework , 2014, ASIACRYPT.

[55]  Nilanjan Datta,et al.  ELmE: A Misuse Resistant Parallel Authenticated Encryption , 2014, ACISP.

[56]  Vincent Rijmen,et al.  The Wide Trail Design Strategy , 2001, IMACC.

[57]  Tetsu Iwata,et al.  New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms , 2004, FSE.

[58]  Sanjit Chatterjee,et al.  Another Look at Tightness , 2011, IACR Cryptol. ePrint Arch..

[59]  Andrey Bogdanov,et al.  Parallelizable and Authenticated Online Ciphers , 2013, IACR Cryptol. ePrint Arch..

[60]  Benoit Cogliati,et al.  Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing , 2015, ASIACRYPT.

[61]  Atul Luykx,et al.  Multi-key Security: The Even-Mansour Construction Revisited , 2015, CRYPTO.

[62]  Daniel J. Bernstein,et al.  The Poly1305-AES Message-Authentication Code , 2005, FSE.

[63]  Yishay Mansour,et al.  A Construction of a Cioher From a Single Pseudorandom Permutation , 1991, ASIACRYPT.

[64]  Bart Mennink,et al.  Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption , 2016, IACR Cryptol. ePrint Arch..

[65]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[66]  Joan Daemen,et al.  Limitations of the Even-Mansour Construction , 1991, ASIACRYPT.

[67]  Thomas Johansson,et al.  On Families of Hash Functions via Geometric Codes and Concatenation , 1993, CRYPTO.

[68]  Albert L. Zobrist,et al.  A New Hashing Method with Application for Game Playing , 1990 .

[69]  Alfred Menezes,et al.  Security of Signature Schemes in a Multi-User Setting , 2004, Des. Codes Cryptogr..

[70]  Vincent Rijmen,et al.  ON THE RELATED-KEY ATTACKS AGAINST AES * , 2012 .

[71]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[72]  Stefan Lucks Ciphers Secure against Related-Key Attacks , 2004, FSE.