The Summation-Truncation Hybrid: Reusing Discarded Bits for Free

A well-established PRP-to-PRF conversion design is truncation: one evaluates an n-bit pseudorandom permutation on a certain input and truncates the result to a bits, with a < n. The construction is known to be a secure PRF up to roughly \(2^{n-a/2}\) queries, and this bound is tight. Truncation has gained popularity due to its appearance in the GCM-SIV key derivation function (ACM CCS 2015). This key derivation function makes four evaluations of AES, truncates each n-bit output to n/2 bits, and concatenates the four halves to obtain a 2n-bit subkey; the other half of every AES output is discarded.
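The following is an added worked example, not code from the paper: a generic truncation PRF built on a block cipher, and the four-call, n/2-bit-truncated key derivation described above as it is specified for AES-128 in RFC 8452 (Section 4: AES on LE32(counter) || nonce for counter 0..3, keeping the first 64 bits of each output). Treating the RFC 8452 derivation as the concrete instance of the CCS 2015 design is this example's assumption; the key and nonce in main() are the first AES-128-GCM-SIV vector of RFC 8452, Appendix C.1.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Trunc is the truncation PRP-to-PRF conversion: evaluate the block cipher
// (a PRP on n = 8*len(in) bits) on in and keep only the first a bits.
// a must be a multiple of 8 and at most n; the remaining n-a bits are dropped.
func Trunc(encrypt func(dst, src []byte), in []byte, a int) []byte {
	out := make([]byte, len(in))
	encrypt(out, in)
	return out[:a/8]
}

// GCMSIVKeys derives the 128-bit record-authentication key and the 128-bit
// record-encryption key of AES-128-GCM-SIV (RFC 8452, Section 4) from a
// key-generating key and a 96-bit nonce. It makes four AES-128 calls on
// LE32(ctr) || nonce, truncates each 128-bit output to 64 bits (n/2), and
// concatenates the four pieces into 256 bits (2n). Four times 64 bits of
// AES output are computed and thrown away in the process.
func GCMSIVKeys(keyGeneratingKey, nonce []byte) (authKey, encKey []byte, err error) {
	if len(keyGeneratingKey) != 16 || len(nonce) != 12 {
		return nil, nil, fmt.Errorf("need a 16-byte AES-128 key and a 12-byte nonce")
	}
	c, err := aes.NewCipher(keyGeneratingKey)
	if err != nil {
		return nil, nil, err
	}
	derived := make([]byte, 0, 32)
	for ctr := uint32(0); ctr < 4; ctr++ {
		in := make([]byte, 16)
		binary.LittleEndian.PutUint32(in[:4], ctr) // 32-bit little-endian counter
		copy(in[4:], nonce)                         // followed by the 96-bit nonce
		derived = append(derived, Trunc(c.Encrypt, in, 64)...)
	}
	return derived[:16], derived[16:32], nil
}

// DiscardedBits counts the PRP output bits that truncation throws away when
// `calls` n-bit evaluations are each truncated to a bits.
func DiscardedBits(n, a, calls int) int {
	return calls * (n - a)
}

func main() {
	// Key-generating key and nonce from RFC 8452, Appendix C.1 (first AES-128 vector).
	kgk, _ := hex.DecodeString("01000000000000000000000000000000")
	nonce, _ := hex.DecodeString("030000000000000000000000")
	ak, ek, err := GCMSIVKeys(kgk, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record authentication key = %x\n", ak)
	fmt.Printf("record encryption key     = %x\n", ek)
	fmt.Printf("AES output bits discarded = %d\n", DiscardedBits(128, 64, 4))
}
```

The derivation keeps 256 of the 512 bits that the four AES calls produce; those are the "discarded bits" the title refers to. Any block cipher exposing an Encrypt(dst, src) method can be plugged into Trunc the same way.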

[1] Karthikeyan Bhargavan et al. On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN, 2016, CCS.

[2] Jongsung Kim et al. HIGHT: A New Block Cipher Suitable for Low-Resource Device, 2006, CHES.

[3] Yehuda Lindell et al. AES-GCM-SIV: Specification and Analysis, 2017, IACR Cryptol. ePrint Arch.

[4] Yehuda Lindell et al. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte, 2015, CCS.

[5] Mridul Nandi et al. Revisiting Variable Output Length XOR Pseudorandom Function, 2018, IACR Trans. Symmetric Cryptol.

[6] A. J. Stam. Distance between sampling with and without replacement, 1978.

[7] Christophe De Cannière et al. KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers, 2009, CHES.

[8] David A. Freedman et al. A Remark on the Difference between Sampling with and without Replacement, 1977.

[9] Bart Mennink et al. Optimal PRFs from Blockcipher Designs, 2017, IACR Trans. Symmetric Cryptol.

[10] Daniel J. Bernstein et al. Stronger Security Bounds for Wegman-Carter-Shoup Authenticators, 2005, EUROCRYPT.

[11] Mihir Bellare et al. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible, 1998, EUROCRYPT.

[12] Chae Hoon Lim et al. mCrypton - A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors, 2005, WISA.

[13] Bart Preneel et al. Optimal Forgeries Against Polynomial-Based MACs and GCM, 2018, IACR Cryptol. ePrint Arch.

[14] Benoit Cogliati et al. EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC, 2016, CRYPTO.

[15] Tetsu Iwata et al. Breaking and Repairing GCM Security Proofs, 2012, IACR Cryptol. ePrint Arch.

[16] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract), 1986, CRYPTO.

[17] Kyoji Shibutani et al. Piccolo: An Ultra-Lightweight Blockcipher, 2011, CHES.

[18] Jason Smith et al. The SIMON and SPECK Families of Lightweight Block Ciphers, 2013, IACR Cryptol. ePrint Arch.

[19] A. J. Stam. A Note on Sampling with and without Replacement, 1986.

[20] Tetsu Iwata et al. New Blockcipher Modes of Operation with Beyond the Birthday Bound Security, 2006, FSE.

[21] Mihir Bellare et al. The Security of Cipher Block Chaining, 1994, CRYPTO.

[22] Mridul Nandi et al. A note on the chi-square method: A tool for proving cryptographic security, 2018, Cryptography and Communications.

[23] Jacques Patarin et al. Security in O(2^n) for the Xor of Two Random Permutations - Proof with the standard H technique, 2013, IACR Cryptol. ePrint Arch.

[24] Larry Carter et al. New Hash Functions and Their Use in Authentication and Set Equality, 1981, J. Comput. Syst. Sci.

[25] Victor Shoup et al. On Fast and Provably Secure Message Authentication Based on Universal Hashing, 1996, CRYPTO.

[26] Yannick Seurin et al. Reconsidering the Security Bound of AES-GCM-SIV, 2017, IACR Trans. Symmetric Cryptol.

[27] Vincent Rijmen et al. The Design of Rijndael: AES - The Advanced Encryption Standard, 2002.

[28] Bruce Schneier et al. Building PRFs from PRPs, 1998, CRYPTO.

[29] Daniel J. Bernstein et al. How to Stretch Random Functions: The Security of Protected Counter Sums, 1999, Journal of Cryptology.

[30] Mihir Bellare et al. A concrete security treatment of symmetric encryption, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[31] Stefano Tessaro et al. Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds, 2018, IACR Cryptol. ePrint Arch.

[32] Vincent Rijmen et al. The Design of Rijndael, 2002, Information Security and Cryptography.

[33] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[34] Bart Mennink et al. Linking Stam's Bounds with Generalized Truncation, 2019, CT-RSA.

[35] Yehuda Lindell et al. AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption, 2019, RFC.

[36] Donghoon Chang et al. A Short Proof of the PRP/PRF Switching Lemma, 2008, IACR Cryptol. ePrint Arch.

[37] Thomas Shrimpton et al. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem, 2006, IACR Cryptol. ePrint Arch.

[38] Russell Impagliazzo et al. Limits on the provable consequences of one-way permutations, 1988, STOC '89.

[39] Gilles Brassard et al. On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys, 1982, CRYPTO.

[40] Bart Mennink et al. CENC is Optimally Secure, 2016, IACR Cryptol. ePrint Arch.

[41] Andrey Bogdanov et al. PRESENT: An Ultra-Lightweight Block Cipher, 2007, CHES.

[42] John Viega et al. The Security and Performance of the Galois/Counter Mode (GCM) of Operation, 2004, INDOCRYPT.

[43] Jacques Patarin et al. Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography, 2010, IACR Cryptol. ePrint Arch.

[44] Yehuda Lindell et al. Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation, 2017, IACR Cryptol. ePrint Arch.

[45] Yee Wei Law et al. KLEIN: A New Family of Lightweight Block Ciphers, 2010, RFIDSec.

[46] Wenling Wu et al. LBlock: A Lightweight Block Cipher, 2011, ACNS.

[47] Shay Gueron et al. The Advantage of Truncated Permutations, 2016, CSCML.

[48] Jacques Patarin et al. A Proof of Security in O(2^n) for the Xor of Two Random Permutations, 2008, ICITS.

[49] Thomas Peyrin et al. The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS, 2016, IACR Cryptol. ePrint Arch.

[50] Stefan Lucks et al. The Sum of PRPs Is a Secure PRF, 2000, EUROCRYPT.

[51] Stefano Tessaro et al. Information-Theoretic Indistinguishability via the Chi-Squared Method, 2017, CRYPTO.

[52] Tetsu Iwata et al. Stronger Security Variants of GCM-SIV, 2016, IACR Trans. Symmetric Cryptol.

[53] Anne Canteaut et al. PRINCE - A Low-Latency Block Cipher for Pervasive Computing Applications - Extended Abstract, 2012, ASIACRYPT.

[54] Shay Gueron et al. How Many Queries are Needed to Distinguish a Truncated Random Permutation from a Random Function?, 2014, Journal of Cryptology.

[55] Mihir Bellare et al. A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion, 1999, IACR Cryptol. ePrint Arch.

[56] Bart Mennink et al. Encrypted Davies-Meyer and Its Dual: Towards Optimal Security Using Mirror Theory, 2017, CRYPTO.

[57] David A. McGrew et al. Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes, 2012, IACR Cryptol. ePrint Arch.

[58] Morris J. Dworkin et al. Recommendation for Block Cipher Modes of Operation: Methods and Techniques, 2001.

[59] Mihir Bellare et al. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions, 1995, CRYPTO.