HCTR: A Variable-Input-Length Enciphering Mode
Peng Wang$^1$, Dengguo Feng$^{1,2}$, and Wenling Wu$^2$
$^1$ State Key Laboratory of Information Security, Graduate School of Chinese Academy of Sciences, Beijing 100049, China. w.rocking@gmail.com
$^2$ State Key Laboratory of Information Security, Institution of Software of Chinese Academy of Sciences, Beijing 100080, China. {feng, wwl}@is.iscas.ac.cn
Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a length-preserving encryption mode. HCTR turns an $n$-bit blockcipher into a tweakable blockcipher that supports arbitrary variable input length of no less than $n$ bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweakable pseudorandom permutation ($\widetilde{\mathrm{sprp}}$) when the underlying blockcipher is a strong pseudorandom permutation (sprp). HCTR is a very efficient mode of operation once some pre-computation is taken into consideration. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption and other length-preserving encryption, especially for messages whose length is not a multiple of $n$ bits.
Keywords: Blockcipher, tweakable blockcipher, disk sector encryption, modes of operation, symmetric encryption.
1 Introduction
Basic encryption modes, such as CBC [27], increase the message length. But in many scenarios we need a length-preserving encryption (enciphering). For example, in networking applications some packet formats were not defined for cryptographic purposes and cannot be altered, so when we want to add privacy features we cannot lengthen the packet by even one bit. The other example is disk sector encryption. A disk is partitioned into fixed-length sectors. Sector-level encryption is a low-level encryption: the encryption device knows nothing about files or directories, and simply encrypts or decrypts sectors as they arrive. Suppose the plaintext at sector location $T$ is $M$ and the encryption algorithm is $\tilde{E}$; then the ciphertext stored in this sector is $C=\tilde{E}^T_K(M)$, where $K$ is the secret key. Of course we cannot expand the message length, so $|M|=|\tilde{E}^T_K(M)|$. That is why we need the concept of a tweakable blockcipher in disk sector encryption. The sector location $T$ is called the tweak, which is also called associated data in [15, 13].
D. Feng, D. Lin, and M. Yung (Eds.): CISC 2005, LNCS 3822, pp. 175–188, 2005. © Springer-Verlag Berlin Heidelberg 2005
In the above example the message length is not always fixed, and is not the same as, but usually much longer than, the block length of well-known blockciphers such as DES (64 bits) or AES (128 bits) [6]. For example, the sector length is typically 512 bytes. So we need wide-block-length enciphering modes based on blockciphers. Once we have a wide-block-length enciphering mode, we can easily put the tweak into it using the method in [11] or [8] to get a tweakable enciphering mode.
This paper proposes a tweakable enciphering mode, or an arbitrary-variable-input-length tweakable blockcipher. We name it HCTR, for it makes use of a special universal hash function and the CTR mode. If the underlying blockcipher is $E:\{0,1\}^k\times\{0,1\}^n\to\{0,1\}^n$, then our mode supports arbitrary variable lengths of at least $n$ bits, using a $(k+n)$-bit key and $m$ blockcipher calls to encipher $m$ blocks of plaintext. The tweak length in HCTR is fixed and can be zero. When it is zero, HCTR becomes an enciphering mode, or an arbitrary-variable-input-length blockcipher.
Our HCTR mode is a hash-encipher-hash construction in which part of the middle layer uses the CTR encryption mode. HCTR is similar to the XCB mode [13], and can also be viewed as a generalization of the basic construction of an $\widetilde{\mathrm{sprp}}$ in [11]. The ABL mode [15] and the XCB mode [13] are unbalanced Feistel constructions using universal hash functions as their components. They also support variable input length, but the secret key is very long (4 keys in ABL and 5 keys in XCB) and has to be generated from a main key. The CMC mode [8] and the EME mode [9] are modes that do not use any universal hash function, but they only support messages whose length is a multiple of the block length. HCTR has great advantages among these modes.
The attack model is an adaptive chosen plaintext/ciphertext attack: an adversary can choose a tweak $T$ and a plaintext $P$ and get the ciphertext $C=\tilde{E}^T_K(P)$, or choose a tweak $T$ and a ciphertext $C$ and get the plaintext $P=(\tilde{E}^T_K)^{-1}(C)$. The current query can depend on previous answers. We prove that HCTR is a strong secure tweakable blockcipher ($\widetilde{\mathrm{sprp}}$), which is defined as one indistinguishable from a family of independent random permutations indexed by the tweak $T$. If HCTR is used in disk sector encryption, the effect is that each sector is encrypted with a different, independent random permutation. This kind of tweakable blockcipher is under standardization [19] by the IEEE Security in Storage Working Group. Our proof method adopts the game-playing technique [2, 26], which was first used in [10].
We give basic definitions in Section 2. The specification of HCTR is in Section 3. Section 4 discusses some insecure modifications and compares HCTR with other modes. The concrete security bound is given in Section 5.
1.1 Related Work
Constructions of large-block-size blockciphers from small-block-size blockciphers date back to the pioneering work of Luby and Rackoff [12]. They showed that three rounds of the Feistel structure turn $n$-bit to $n$-bit random functions into a $2n$-bit secure blockcipher, and four rounds into a strong secure one. Naor and Reingold [18] showed that a two-round Feistel construction with initial and final strong universal invertible hash functions is enough to construct a strong secure blockcipher. In [17], they further used this hash-encipher-hash construction to get a mode of operation, but the hash function is quite complex. Patel et al. further discussed the role of universal hash functions in the Feistel construction [20]. Bellare and Rogaway [1] used a special pseudorandom function and a special encryption mode to construct a variable-input-length cipher. Patel et al. [21] made some efficiency improvements to this scheme and to the other unbalanced Feistel construction by using universal hash functions.
The constructions of tweakable blockciphers from scratch include HPC [24] and Mercy [5] (although the latter has been broken by Fluhrer [7]).
A tweakable blockcipher is not only a suitable model for disk sector encryption and useful in length-preserving encryption, but also a good starting point for solving design problems [11]. Following this thought, Rogaway [22] refined the modes OCB [23] and PMAC [3] using tweakable blockciphers.
2 Basic Definitions
BLOCKCIPHERS AND TWEAKABLE BLOCKCIPHERS. A blockcipher is a function $E:\mathcal{K}\times\mathcal{M}\to\mathcal{M}$ where $E_K(\cdot)=E(K,\cdot)$ is a length-preserving permutation for all $K\in\mathcal{K}$. $\mathcal{K}\neq\emptyset$ is a key space and $\mathcal{M}\neq\emptyset$ is a message space. A tweakable blockcipher is a function $\tilde{E}:\mathcal{K}\times\mathcal{T}\times\mathcal{M}\to\mathcal{M}$ where $\tilde{E}^T_K(\cdot)=\tilde{E}_K(T,\cdot)=\tilde{E}(K,T,\cdot)$ is a length-preserving permutation for all $K\in\mathcal{K}$ and $T\in\mathcal{T}$. $\mathcal{T}$ is a tweak space.
We write $s\xleftarrow{R}S$ to denote choosing a random element $s$ from a set $S$ under the uniform distribution. Let $\mathrm{Perm}(\mathcal{M})$ be the set of all length-preserving permutations on $\mathcal{M}$. When $\mathcal{M}=\{0,1\}^n$, we denote it as $\mathrm{Perm}(n)$. Let $\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$ be the set of all mappings from $\mathcal{T}$ to $\mathrm{Perm}(\mathcal{M})$. $\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$ can also be viewed as the set of all blockciphers $E:\mathcal{T}\times\mathcal{M}\to\mathcal{M}$. If $\pi\xleftarrow{R}\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$, then for every $T\in\mathcal{T}$, $\pi^T(\cdot)=\pi(T,\cdot)$ is a random permutation. When $\mathcal{M}=\{0,1\}^n$, we denote it as $\mathrm{Perm}^{\mathcal{T}}(n)$.
An adversary is a (randomized) algorithm with access to one or more oracles, which are written as superscripts. Without loss of generality, we assume that adversaries never ask trivial queries whose answers are already known. For example, an adversary never repeats a query and never asks $(\tilde{E}_K)^{-1}(T,C)$ after receiving $C$ as an answer to $\tilde{E}_K(T,M)$, and so forth. Let $A^\rho\Rightarrow 1$ be the event that adversary $A$ with oracle $\rho$ outputs the bit 1.
$\widetilde{\mathrm{prp}}$ AND $\widetilde{\mathrm{sprp}}$. A tweakable blockcipher $\tilde{E}:\mathcal{K}\times\mathcal{T}\times\mathcal{M}\to\mathcal{M}$ is a (strong) pseudorandom tweakable permutation ($\widetilde{\mathrm{prp}}$ or $\widetilde{\mathrm{sprp}}$) if it is indistinguishable from a random tweakable permutation $\pi\xleftarrow{R}\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$. More specifically, if the advantage function
$$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\tilde{E}}(A)=\Pr[K\xleftarrow{R}\mathcal{K}:A^{\tilde{E}_K(\cdot,\cdot)}\Rightarrow 1]-\Pr[\pi\xleftarrow{R}\mathrm{Perm}^{\mathcal{T}}(\mathcal{M}):A^{\pi(\cdot,\cdot)}\Rightarrow 1]$$
is sufficiently small for any $A$ with reasonable resources, then $\tilde{E}$ is said to be a pseudorandom tweakable permutation ($\widetilde{\mathrm{prp}}$), or a secure tweakable blockcipher, or secure against chosen plaintext attack. If the advantage function
$$\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\tilde{E}}(A)=\Pr[K\xleftarrow{R}\mathcal{K}:A^{\tilde{E}_K(\cdot,\cdot),\tilde{E}^{-1}_K(\cdot,\cdot)}\Rightarrow 1]-\Pr[\pi\xleftarrow{R}\mathrm{Perm}^{\mathcal{T}}(\mathcal{M}):A^{\pi(\cdot,\cdot),\pi^{-1}(\cdot,\cdot)}\Rightarrow 1]$$
is sufficiently small for any $A$ with reasonable resources, then $\tilde{E}$ is said to be a strong pseudorandom tweakable permutation ($\widetilde{\mathrm{sprp}}$), or a strong secure tweakable blockcipher, or secure against chosen ciphertext attack.
prp AND sprp. When the tweak space $\mathcal{T}=\emptyset$, the tweakable blockcipher becomes a blockcipher. A blockcipher $E:\mathcal{K}\times\mathcal{M}\to\mathcal{M}$ is a (strong) pseudorandom permutation (prp or sprp) if it is indistinguishable from a random permutation $\pi\xleftarrow{R}\mathrm{Perm}(\mathcal{M})$. prp and sprp correspond to $\widetilde{\mathrm{prp}}$ and $\widetilde{\mathrm{sprp}}$ respectively.
3 Specification of HCTR
3.1 Notations
A string is a finite sequence of symbols, each symbol being 0 or 1. A block is a string of fixed length. The blockcipher and the multiplication of the finite field are operations over blocks. Let $\{0,1\}^*$ be the set of all strings. If $X,Y\in\{0,1\}^*$, then $X\|Y$ is their concatenation. If $X\in\{0,1\}^*$, then the bit-length of $X$, denoted $|X|$, is the number of bits in $X$; $|X|=0$ if and only if $X$ is the empty string $\varepsilon$. If one block is $n$ bits, we can parse $X$ into $m=\lceil|X|/n\rceil$ blocks: $X=X_1,\cdots,X_m$, where $|X_m|\le n$ and $|X_1|=\cdots=|X_{m-1}|=n$. Let $|X|_n=\lceil|X|/n\rceil$. We say that $X$ has $|X|_n$ blocks. $X[s]$ denotes the $s$th bit of $X$ from left to right. $X[s,t]$ denotes the substring from the $s$th bit to the $t$th bit of $X$ from left to right. For example, if $X=110011$, then $X[2,4]=100$. If $X,Y\in\{0,1\}^*$, then the truncating xor $X\,\bar\oplus\,Y$ is slightly different from $X\oplus Y$: if $|X|<|Y|$ then $X\,\bar\oplus\,Y=X\oplus Y[1,|X|]$; if $|X|=|Y|$ then $X\,\bar\oplus\,Y=X\oplus Y$; if $|X|>|Y|$ then $X\,\bar\oplus\,Y=X\oplus Y0^*$, where $Y0^*$ is $Y$ padded with zeros to $|X|$ bits.
3.2 Multiplication in $GF(2^n)$
We interchangeably think of a block $L=(L_1,\cdots,L_n)$ as an abstract point in the finite field $GF(2^n)$ and as a polynomial $L(x)=L_1+L_2x+\cdots+L_nx^{n-1}$ in $GF(2)[x]/(p(x))$, where $p(x)$ is an irreducible polynomial of degree $n$ in $GF(2)[x]$. The addition in $GF(2^n)$ is bitwise xor. The multiplication of $A,B\in GF(2^n)$ is denoted $A\cdot B$, which can be calculated as $A(x)B(x)$ in $GF(2)[x]/(p(x))$. If we choose the blockcipher as AES [6], then the bit-length of a block is 128 bits. The corresponding irreducible polynomial can be chosen as $p(x)=1+x+x^2+x^7+x^{128}$.
3.3 Universal Hash Function
$H$ is a function family: $H=\{H_h:\{0,1\}^*\to\{0,1\}^n\mid h\in\{0,1\}^n\}$. For any $X\in\{0,1\}^*$, $X$ is padded into complete blocks and then polynomial evaluation [4] is used. Suppose $|X|_n=m$ and we parse $X$ into $X=X_1,\cdots,X_m$. We append 0s, possibly none, at the end of $X$ to complete the last block, and append $|X|$, written as an $n$-bit string, as the final block. Then we use the polynomial evaluation hash function in $h$ on the padding result. More specifically, $H_h$ is defined as
$$H_h(X)=X_1\cdot h^{m+1}\oplus\cdots\oplus X_m0^*\cdot h^2\oplus|X|\cdot h,$$
which can be calculated as follows:
Algorithm $H_h(X)$
  parse $X$ as $X_1,\cdots,X_m$
  $Y_0\leftarrow 0^n$
  for $i\leftarrow 1$ to $m$ do
    $Y_i\leftarrow(Y_{i-1}\oplus X_i)\cdot h$
  $Y_{m+1}\leftarrow(Y_m\oplus|X|)\cdot h$
  return $Y_{m+1}$
When $X$ is the empty string, we define $H_h(X)=h$. $H$ is a special AXU (Almost Xor Universal) hash function. It has the following properties, which will be used in the security proof of HCTR.
1. For any $X_1,X_2\in\{0,1\}^*$ with $X_1\neq X_2$ and any $Y\in\{0,1\}^n$, $H_h(X_1)\oplus H_h(X_2)$ is a nonzero polynomial in $h$ without constant term. So $\Pr[h\xleftarrow{R}\{0,1\}^n:H_h(X_1)\oplus H_h(X_2)=Y]\le l/2^n$, where $l=\max\{|X_1|_n,|X_2|_n\}+1$. In other words, $H$ is an $l/2^n$-AXU hash function.
2. For any $X,Y,Z\in\{0,1\}^*$ with $|X|=|Y|$, $H_h(X)\oplus H_h(Y)\oplus H_h(Z)$ is a nonzero polynomial in $h$ without constant term.
3.4 The CTR Mode
In HCTR we use a special form of the CTR mode:
Algorithm $\mathrm{CTR}^S_K(N)$
  $Y\leftarrow E_K(S\oplus 1)\|\cdots\|E_K(S\oplus(m-1))$
  $D\leftarrow N\,\bar\oplus\,Y$
  return $D$
where $|N|_n=m-1$, $K$ is the key and $S$ is the counter.
3.5 The HCTR Mode
The HCTR mode makes use of a blockcipher $E$ and the special universal hash function $H$. Assume that the blockcipher is $E:\{0,1\}^k\times\{0,1\}^n\to\{0,1\}^n$. Then HCTR[$E,H$] is
$$\mathrm{HCTR}[E,H]:\{0,1\}^{k+n}\times\{0,1\}^t\times\{0,1\}^{\ge n}\to\{0,1\}^{\ge n}$$
where $\{0,1\}^{\ge n}=\bigcup_{m\ge n}\{0,1\}^m$ and $t\ge 0$.
[Fig. 1. The HCTR Mode. The figure is not reproduced here; its labels are $H_h$, $E_K$, $\mathrm{CTR}_K$, the plaintext halves $M$, $N$, the ciphertext halves $C$, $D$, and the tweak $T$.]
HCTR[$E,H$] is illustrated in Figure 1. We split the plaintext/ciphertext into two strings: one is the left $n$ bits and the other is the rest. We assume that the plaintext/ciphertext has $m$ blocks. More specifically, HCTR is the following algorithm.
Algorithm $\mathrm{HCTR}^T_{K,h}(M,N)$
  $MM\leftarrow M\oplus H_h(N\|T)$
  $CC\leftarrow E_K(MM)$
  $S\leftarrow MM\oplus CC$
  $D\leftarrow\mathrm{CTR}^S_K(N)$
  $C\leftarrow CC\oplus H_h(D\|T)$
  return $(C,D)$
Algorithm $(\mathrm{HCTR}^T_{K,h})^{-1}(C,D)$
  $CC\leftarrow C\oplus H_h(D\|T)$
  $MM\leftarrow E^{-1}_K(CC)$
  $S\leftarrow MM\oplus CC$
  $N\leftarrow\mathrm{CTR}^S_K(D)$
  $M\leftarrow MM\oplus H_h(N\|T)$
  return $(M,N)$
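As an added, runnable illustration of Sections 3.2 to 3.5 (example code written for this page, not the authors' code), the following Python implements the $GF(2^{128})$ multiplication with $p(x)=1+x+x^2+x^7+x^{128}$ in the paper's bit order (the first bit of a block is the $x^0$ coefficient), the polynomial hash $H_h$ including the $H_h(\varepsilon)=h$ special case, the special CTR mode with its truncating xor, and the HCTR enciphering and deciphering algorithms, and then checks the round trip on plaintexts of several lengths, including a 512-byte sector. Assumptions not fixed by the paper: inputs are byte strings (bit-lengths are multiples of 8), the counter offset $i$ in $S\oplus i$ is encoded as a big-endian $n$-bit integer, and $|X|$ in the final hash block is likewise big-endian. The $n$-bit blockcipher $E_K$ is the paper's abstract primitive; because the Python standard library has no AES, the example substitutes a 4-round Feistel network with a SHA-256 round function (the Luby-Rackoff shape mentioned in Section 1.1) purely to keep the example self-contained. That stand-in is not a secure cipher and is labelled as such in the code; in practice $E_K$ is AES, as the paper suggests.

```python
import hashlib

N_BYTES = 16                          # n = 128 bits (the AES block size)
REDUCTION = (1 << 128) | 0x87         # p(x) = 1 + x + x^2 + x^7 + x^128 (Sect. 3.2)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _blk_to_poly(b: bytes) -> int:
    # The paper reads block (L_1,...,L_n) as L_1 + L_2 x + ... + L_n x^(n-1):
    # the leftmost bit is the x^0 coefficient, hence the reversed bit string.
    bits = "".join(f"{byte:08b}" for byte in b)
    return int(bits[::-1], 2)

def _poly_to_blk(p: int) -> bytes:
    return int(f"{p:0128b}"[::-1], 2).to_bytes(N_BYTES, "big")

def gf_mul(a: bytes, b: bytes) -> bytes:
    """A . B in GF(2^128) = GF(2)[x]/(p(x)): shift-and-add with reduction."""
    x, y, r = _blk_to_poly(a), _blk_to_poly(b), 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> 128:                  # degree 128 reached: subtract p(x)
            x ^= REDUCTION
    return _poly_to_blk(r)

def poly_hash(h: bytes, x: bytes) -> bytes:
    """H_h(X) of Sect. 3.3: zero-pad the last block, append |X| as an n-bit
    block, then Horner-evaluate X_1 h^(m+1) + ... + X_m0* h^2 + |X| h."""
    if not x:                         # the paper defines H_h(empty string) = h
        return h
    y = bytes(N_BYTES)
    for i in range(0, len(x), N_BYTES):
        y = gf_mul(xor(y, x[i:i + N_BYTES].ljust(N_BYTES, b"\0")), h)
    length_blk = (8 * len(x)).to_bytes(N_BYTES, "big")   # assumption: big-endian |X|
    return gf_mul(xor(y, length_blk), h)

# Stand-in for the abstract n-bit blockcipher E_K: a 4-round Feistel network
# with a SHA-256 round function. Demo-only placeholder, NOT a secure cipher.
def _f(k: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:8]

def E(k: bytes, x: bytes) -> bytes:
    left, right = x[:8], x[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(k, rnd, right))
    return left + right

def E_inv(k: bytes, y: bytes) -> bytes:
    left, right = y[:8], y[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(k, rnd, left)), left
    return left + right

def ctr(k: bytes, s: bytes, n: bytes) -> bytes:
    """CTR^S_K(N) of Sect. 3.4: E_K(S+1)||...||E_K(S+(m-1)) truncated to |N|."""
    blocks = (len(n) + N_BYTES - 1) // N_BYTES            # |N|_n = m - 1
    stream = b"".join(E(k, xor(s, i.to_bytes(N_BYTES, "big")))  # S xor i (big-endian i: assumption)
                      for i in range(1, blocks + 1))
    return xor(n, stream[:len(n)])                         # the truncating xor

def hctr_encrypt(k: bytes, h: bytes, t: bytes, p: bytes) -> bytes:
    """HCTR^T_{K,h}(M, N) of Sect. 3.5, M = leftmost n bits, N = the rest."""
    assert len(p) >= N_BYTES, "HCTR needs at least n bits of plaintext"
    m, n = p[:N_BYTES], p[N_BYTES:]
    mm = xor(m, poly_hash(h, n + t))
    cc = E(k, mm)
    s = xor(mm, cc)
    d = ctr(k, s, n)
    c = xor(cc, poly_hash(h, d + t))
    return c + d

def hctr_decrypt(k: bytes, h: bytes, t: bytes, ct: bytes) -> bytes:
    """(HCTR^T_{K,h})^-1(C, D): the mirror image of the enciphering algorithm."""
    c, d = ct[:N_BYTES], ct[N_BYTES:]
    cc = xor(c, poly_hash(h, d + t))
    mm = E_inv(k, cc)
    s = xor(mm, cc)
    n = ctr(k, s, d)
    m = xor(mm, poly_hash(h, n + t))
    return m + n

def round_trip_ok(length: int) -> bool:
    """Encipher a constructed `length`-byte plaintext under two tweaks, check the
    ciphertext is length-preserving and tweak-dependent, and decipher it back."""
    k, h = b"K" * 16, b"h" * 16                            # constructed demo keys
    p = bytes(i & 0xFF for i in range(length))
    ct1 = hctr_encrypt(k, h, b"sector-0001", p)
    ct2 = hctr_encrypt(k, h, b"sector-0002", p)
    return (len(ct1) == length and ct1 != ct2
            and hctr_decrypt(k, h, b"sector-0001", ct1) == p)

if __name__ == "__main__":
    for L in (16, 17, 31, 100, 512):   # 512 bytes: a typical disk sector
        print(L, round_trip_ok(L))
```

The multiplication is the straightforward bit-serial loop the paper calls a "simple implementation"; the table-driven speed-ups it refers to in Section 4 would replace `gf_mul` without changing anything else, since $h$ is fixed for the whole enciphering. Note that the code only handles whole bytes: the $n-1$-bit $N$ of Section 4 cannot be represented here.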
4 Discussions
UNIVERSAL HASH FUNCTION. $H$ in HCTR is a special AXU hash function. We cannot substitute a general AXU hash function for $H$. We define a different universal hash function $H'_h(X)$ based on which HCTR is not secure. The main difference is the padding rule. In the HCTR mode the padding rule is to append 0s and then the bit-length of $X$, as in $H$. Now we first append a 1 and then 0s to turn the bit-length of $X$ into a multiple of $n$, and then use the polynomial evaluation hash function. Suppose $X=X_1,\cdots,X_m$ where $|X|_n=m$ and $|X_1|=\cdots=|X_{m-1}|=n$. If $|X_m|=n$, then $H'_h(X)=X_1\cdot h^{m+1}\oplus\cdots\oplus X_m\cdot h^2\oplus 10^{n-1}\cdot h$. If $|X_m|<n$, then $H'_h(X)=X_1\cdot h^m\oplus\cdots\oplus X_m10^*\cdot h$. We can prove that $\Pr[h\xleftarrow{R}\{0,1\}^n:H'_h(X)\oplus H'_h(Y)=Z]\le\varepsilon$ for all $X,Y\in\{0,1\}^*$, $Z\in\{0,1\}^n$, $X\neq Y$. Here $\varepsilon=l/2^n$ where $l=\max\{|X|_n,|Y|_n\}+1$.
We now choose the tweak length as 0: $\mathcal{T}=\emptyset$. In this situation we can show that HCTR[$E,H'$] is not even a prp. We first make an arbitrary enciphering query $(M_1,N_1)$ such that $|N_1|=n-1$ and get an answer $(C_1,D_1)$. If $D_1[n-1]=N_1[n-1]$, then we repeat this until $D_1[n-1]\neq N_1[n-1]$. Now we make another enciphering query $(M_2,N_2)$ such that $M_2=M_1\oplus C_1$ and $N_2=(N_1\oplus D_1)[1,n-2]$. We get the answer $(C_2,D_2)$. Then the input to the second blockcipher call in the last-but-one query is the same as the input to the first blockcipher call in the last query. Therefore we have that $(N_1\oplus D_1)[1,n-2]=(C_2\oplus H'_h(D_2))[1,n-2]$, or $(N_1\oplus D_1)[1,n-2]=(C_2\oplus h\cdot D_210)[1,n-2]$. So we can recover $h$ with success probability $1/4$ and get rid of the hash function layers. Without the hash function layers, we can easily distinguish HCTR from a random permutation.
LENGTH OF TWEAK. The length of the tweak is fixed, because in most application environments there is no need for a variable-length tweak. We can choose the tweak length according to the practical application environment. If we really need a variable-length tweak, we can choose GHASH from [16, 14, 13], which is similar to $H$ and takes two inputs.
MULTIPLICATION. The multiplication in the finite field dominates the efficiency of the hash function layers. A simple implementation of multiplication is much slower than one AES call. But notice that the key $h$ is a constant during enciphering, therefore we can do some pre-computation before enciphering. This time-memory tradeoff greatly speeds up the hash function, though a bit more storage is needed. See [16, 25] for specific discussions.
                       CMC     EME                 ABL        XCB        HCTR
  Keys                 2       1                   4          5          2
  Blockciphers         2m+1    2m+1                2m         2m+1       m
  Universal hash       0       0                   2          2          2
  Variable input       ×       multiple of n bits  √          √          √
  length
  Parallelizable       ×       almost              partially  partially  partially
COMPARISONS. We compare HCTR with other enciphering modes, namely CMC, EME, ABL and XCB, from several aspects. Suppose that we encrypt a message of $m$ blocks. The comparisons are listed in the above table. The first row is the number of keys. The second and third are the numbers of invocations of the blockcipher and of the universal hash function. The next is whether variable input length is supported, and the last is whether the mode is parallelizable. In a blockcipher, every input bit must affect every output bit, so there is no full parallelization. Even in the EME mode, the last layer must begin after the first layer is completely finished. In the HCTR mode, the CTR encryption can be parallelized.
5 Security of HCTR
We prove that HCTR is an $\widetilde{\mathrm{sprp}}$. A concrete security bound for HCTR is given in Theorem 1. Lemma 1 shows that a random tweakable permutation and its inverse are indistinguishable from oracles that return random bits. This lemma greatly facilitates the proof of Lemma 2, which shows the security of HCTR when $E_K$ is replaced by a random permutation.
Lemma 1 (Lemma 6 in [8]). Let $\pi\xleftarrow{R}\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$. Then for any adversary $A$ that makes $q$ queries,
$$\Pr[A^{\pi(\cdot,\cdot),\pi^{-1}(\cdot,\cdot)}\Rightarrow 1]-\Pr[A^{\$(\cdot,\cdot),\$(\cdot,\cdot)}\Rightarrow 1]\le q^2/2^{N+1}$$
where $\$(T,M)$ returns $|M|$ random bits and $N$ is the bit-length of a shortest string in $\mathcal{M}$.
Let HCTR[Perm($n$),$H$] be a variant of HCTR that uses a random permutation on $n$ bits instead of $E_K$. Specifically, the key generation algorithm returns a random permutation $\pi\xleftarrow{R}\mathrm{Perm}(n)$ and a random string $h\xleftarrow{R}\{0,1\}^n$. We first give a concrete security bound for HCTR[Perm($n$),$H$].
Lemma 2. Let $\mathcal{E}=\mathrm{HCTR}[\mathrm{Perm}(n),H]$. Then for any adversary $A$ that asks enciphering/deciphering queries totalling $\sigma$ blocks,
$$\Pr[A^{\mathcal{E}(\cdot,\cdot),\mathcal{E}^{-1}(\cdot,\cdot)}\Rightarrow 1]-\Pr[A^{\$(\cdot,\cdot),\$(\cdot,\cdot)}\Rightarrow 1]\le((2+t_0)\sigma^2+\sigma^3)/2^n$$
where $\$(T,M)$ returns $|M|$ random bits and $t_0=|T|_n$.
A proof is given in Appendix B.
We now present our result for HCTR[$E,H$]. Our theorem shows that if $E$ is an sprp, then HCTR[$E,H$] is an $\widetilde{\mathrm{sprp}}$. More specifically, our theorem states that if there is an adversary $A$ attacking the strong pseudorandomness of HCTR[$E,H$] asking queries of at most $\sigma$ blocks in total, then there is an adversary $B$ attacking the strong pseudorandomness of $E$ such that
$$\mathbf{Adv}^{\mathrm{sprp}}_E(B)\ge\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A)-q^2/2^{n+1}-((2+t_0)\sigma^2+\sigma^3)/2^n.$$
So when $\mathbf{Adv}^{\mathrm{sprp}}_E(B)$ is small for any $B$ with reasonable resources, $\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A)$ must be small. This means that the strong security of $E$ implies the strong security of HCTR[$E,H$]. The theorem for HCTR[$E,H$] is given below.
Theorem 1. For any adversary $A$ that makes $q$ queries totalling $\sigma$ plaintext/ciphertext blocks, there is an adversary $B$ that makes $\sigma$ queries, such that
$$\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A)\le\mathbf{Adv}^{\mathrm{sprp}}_E(B)+q^2/2^{n+1}+((2+t_0)\sigma^2+\sigma^3)/2^n$$
where $t_0=|T|_n$. Furthermore, $B$ runs in approximately the same time as $A$.
Proof (of Theorem 1). Let $\mathcal{E}_1=\mathrm{HCTR}[E,H]$ and $\mathcal{E}_2=\mathrm{HCTR}[\mathrm{Perm}(n),H]$, and let $\pi\xleftarrow{R}\mathrm{Perm}^{\mathcal{T}}(n)$ where $\mathcal{T}=\{0,1\}^t$. Consider the following probabilities:
$$p_1=\Pr[A^{\mathcal{E}_1,\mathcal{E}_1^{-1}}\Rightarrow 1]-\Pr[A^{\mathcal{E}_2,\mathcal{E}_2^{-1}}\Rightarrow 1],$$
$$p_2=\Pr[A^{\mathcal{E}_2,\mathcal{E}_2^{-1}}\Rightarrow 1]-\Pr[A^{\$,\$}\Rightarrow 1],$$
$$p_3=\Pr[A^{\$,\$}\Rightarrow 1]-\Pr[A^{\pi,\pi^{-1}}\Rightarrow 1].$$
Adversary $B$ simulates $A$ and returns whatever $A$ returns. Then $p_1=\mathbf{Adv}^{\mathrm{sprp}}_E(B)$. By Lemma 1 we have $p_3\le q^2/2^{n+1}$. By Lemma 2 we have $p_2\le((2+t_0)\sigma^2+\sigma^3)/2^n$. Since $\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A)=p_1+p_2+p_3$, the bound of the theorem follows.
Acknowledgment
We thank the anonymous referees for their many helpful comments. This research is supported by the National Natural Science Foundation of China (No. 60273027, 60373047, 60025205) and the National Grand Fundamental Research 973 Program of China (No. G1999035802, 2004CB318004).
References
1. M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers. In L. Knudsen, editor, Fast Software Encryption 1999, volume 1636 of LNCS, pages 231–244. Springer-Verlag, 1999.
2. M. Bellare and P. Rogaway. The game-playing technique. Cryptology ePrint Archive, Report 2004/331, 2004. http://eprint.iacr.org/.
3. J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. In L. R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of LNCS, pages 384–397. Springer-Verlag, 2002.
4. J. L. Carter and M. N. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, 18(2):143–154, 1979.
5. P. Crowley. Mercy: A fast large block cipher for disk sector encryption. In B. Schneier, editor, Fast Software Encryption 2000, volume 1978 of LNCS, pages 49–63. Springer-Verlag, 2001.
6. FIPS-197. Federal information processing standards publication (FIPS 197). Advanced Encryption Standard (AES), 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
7. S. R. Fluhrer. Cryptanalysis of the Mercy block cipher. In M. Matsui, editor, Fast Software Encryption 2001, volume 2355 of LNCS, pages 28–36. Springer-Verlag, 2002.
8. S. Halevi and P. Rogaway. A tweakable enciphering mode. In D. Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of LNCS, pages 482–499. Springer-Verlag, 2003.
9. S. Halevi and P. Rogaway. A parallelizable enciphering mode. In T. Okamoto, editor, The Cryptographers' Track at RSA Conference – CT-RSA 2004, volume 2964 of LNCS. Springer-Verlag, 2004.
10. J. Kilian and P. Rogaway. How to protect DES against exhaustive key search. In N. Koblitz, editor, Advances in Cryptology – CRYPTO 1996, volume 1109 of LNCS, pages 252–267. Springer-Verlag, 1996.
11. M. Liskov, R. L. Rivest, and D. Wagner. Tweakable block ciphers. In M. Yung, editor, Advances in Cryptology – CRYPTO 2002, volume 2442 of LNCS, pages 31–46. Springer-Verlag, 2002.
12. M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing, 17(2):373–386, 1988. Special issue on cryptography.
13. D. A. McGrew and S. R. Fluhrer. The extended codebook (XCB) mode of operation. Cryptology ePrint Archive, Report 2004/278, 2004. http://eprint.iacr.org/.
14. D. A. McGrew and J. Viega. The security and performance of the Galois/Counter Mode (GCM) of operation. In A. Canteaut and K. Viswanathan, editors, Advances in Cryptology – INDOCRYPT 2004, volume 3348 of LNCS, pages 343–355. Springer-Verlag, 2002.
15. D. A. McGrew and J. Viega. The ABL mode of operation, 2004. http://grouper.ieee.org/groups/1619/email/pdf00004.pdf.
16. D. A. McGrew and J. Viega. The Galois/Counter Mode of operation (GCM), 2004. http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes.
17. M. Naor and O. Reingold. A pseudo-random encryption mode. http://wisdom.weizmann.ac.il/~naor/.
18. M. Naor and O. Reingold. On the construction of pseudo-random permutations: Luby-Rackoff revisited. In Proceedings of the 29th Annual ACM Symposium on the Theory of Computing (STOC '97), pages 189–199, New York, 1997. Association for Computing Machinery.
19. P1619. IEEE Security in Storage Working Group. http://www.siswg.org/.
20. S. Patel, Z. Ramzan, and G. S. Sundaram. Towards making Luby-Rackoff ciphers optimal and practical. In L. Knudsen, editor, Fast Software Encryption 1999, volume 1636 of LNCS, pages 171–185. Springer-Verlag, 1999.
21. S. Patel, Z. Ramzan, and G. S. Sundaram. Efficient constructions of variable-input-length block ciphers. In H. Handschuh and M. A. Hasan, editors, Selected Areas in Cryptography 2004, volume 3357 of LNCS, pages 326–340. Springer-Verlag, 2005.
22. P. Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In P. J. Lee, editor, Advances in Cryptology – ASIACRYPT 2004, volume 3329 of LNCS, pages 16–31. Springer-Verlag, 2004.
23. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: a block-cipher mode of operation for efficient authenticated encryption. In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 196–205, 2001.
24. R. Schroeppel. The Hasty Pudding Cipher. http://www.cs.arizona.edu/rcs/hpc/.
25. V. Shoup. On fast and provably secure message authentication based on universal hashing. In N. Koblitz, editor, Advances in Cryptology – CRYPTO 1996, volume 1109 of LNCS, pages 313–328. Springer-Verlag, 1996.
26. V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://eprint.iacr.org/.
27. SP-800-38A. Recommendation for block cipher modes of operation – methods and techniques. NIST Special Publication 800-38A, 2001. http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.
A Intellectual Property Statement
The authors explicitly release any intellectual property rights to the HCTR mode into the public domain. Further, the authors are not aware of any patent or patent application anywhere in the world that covers this mode.
B Proof of Lemma 2
Proof (of Lemma 2). Suppose $A$ makes $q$ queries. Assume that the $r$th query is $(T^r,U^r,V^r)$, where $T^r$ is the tweak and $(U^r,V^r)$ is the plaintext (ciphertext). Suppose that $m_r=|(U^r,V^r)|_n$; then $\sigma=m_1+\cdots+m_q$ is the total number of plaintext/ciphertext blocks. Furthermore, we split $V^r$ into blocks: $V^r=V^r_1,\cdots,V^r_{m_r-1}$. We describe the attacking procedure of $A$ as the interaction with games.
Game 1 and Game 2. The following Game 1 illustrates how HCTR[Perm($n$),$H$] and its inverse answer $A$'s queries (statements marked [boxed] are the boxed statements of the original typesetting):
$\mathcal{D}\leftarrow\mathcal{R}\leftarrow\emptyset$; $bad\leftarrow false$
If the $r$th query $(T^r,U^r,V^r)$ is an enciphering query:
  $UU^r\leftarrow U^r\oplus H_h(V^r\|T^r)$
  $XX^r\xleftarrow{R}\{0,1\}^n$
  if $UU^r\in\mathcal{D}$ then $bad\leftarrow true$, [boxed] $XX^r\leftarrow\pi(UU^r)$
  if $XX^r\in\mathcal{R}$ then $bad\leftarrow true$, [boxed] $XX^r\xleftarrow{R}\overline{\mathcal{R}}$
  $\mathcal{D}\leftarrow\mathcal{D}\cup\{UU^r\}$
  $\mathcal{R}\leftarrow\mathcal{R}\cup\{XX^r\}$
  $S^r\leftarrow UU^r\oplus XX^r$
  for $i\leftarrow 1$ to $m_r-1$ do
    $YY^r_i\xleftarrow{R}\{0,1\}^n$
    if $S^r\oplus i\in\mathcal{D}$ then $bad\leftarrow true$, [boxed] $YY^r_i\leftarrow\pi(S^r\oplus i)$
    if $YY^r_i\in\mathcal{R}$ then $bad\leftarrow true$, [boxed] $YY^r_i\xleftarrow{R}\overline{\mathcal{R}}$
    $\mathcal{D}\leftarrow\mathcal{D}\cup\{S^r\oplus i\}$
    $\mathcal{R}\leftarrow\mathcal{R}\cup\{YY^r_i\}$
  $YY^r\leftarrow YY^r_1\|\cdots\|YY^r_{m_r-1}$
  $D^r\leftarrow V^r\,\bar\oplus\,YY^r$
  $C^r\leftarrow XX^r\oplus H_h(D^r\|T^r)$
  return $(C^r,D^r)$
If the $r$th query $(T^r,U^r,V^r)$ is a deciphering query:
  $UU^r\leftarrow U^r\oplus H_h(V^r\|T^r)$
  $XX^r\xleftarrow{R}\{0,1\}^n$
  if $UU^r\in\mathcal{R}$ then $bad\leftarrow true$, [boxed] $XX^r\leftarrow\pi^{-1}(UU^r)$
  if $XX^r\in\mathcal{D}$ then $bad\leftarrow true$, [boxed] $XX^r\xleftarrow{R}\overline{\mathcal{D}}$
  $\mathcal{D}\leftarrow\mathcal{D}\cup\{XX^r\}$
  $\mathcal{R}\leftarrow\mathcal{R}\cup\{UU^r\}$
  $S^r\leftarrow UU^r\oplus XX^r$
  for $i\leftarrow 1$ to $m_r-1$ do
    $YY^r_i\xleftarrow{R}\{0,1\}^n$
    if $S^r\oplus i\in\mathcal{D}$ then $bad\leftarrow true$, [boxed] $YY^r_i\leftarrow\pi(S^r\oplus i)$
    if $YY^r_i\in\mathcal{R}$ then $bad\leftarrow true$, [boxed] $YY^r_i\xleftarrow{R}\overline{\mathcal{R}}$
    $\mathcal{D}\leftarrow\mathcal{D}\cup\{S^r\oplus i\}$
    $\mathcal{R}\leftarrow\mathcal{R}\cup\{YY^r_i\}$
  $YY^r\leftarrow YY^r_1\|\cdots\|YY^r_{m_r-1}$
  $N^r\leftarrow V^r\,\bar\oplus\,YY^r$
  $M^r\leftarrow XX^r\oplus H_h(N^r\|T^r)$
  return $(M^r,N^r)$
Notice that the permutation $\pi$ is not chosen before the attack but "on the fly", as needed to answer the queries during the attack. The sets $\mathcal{D}$ and $\mathcal{R}$, which are multisets in which an element may repeat, keep track of the domain and the range of $\pi$ respectively. Game 2 is obtained by omitting the boxed statements. Because $XX^r,YY^r$ ($r=1,\cdots,q$) are independent random strings, the answers $A$ gets when interacting with Game 2 are also independent random strings. So $A^{\mathrm{Game\,2}}$ is the same as $A^{\$,\$}$. In Game 1, each boxed statement is executed only if the flag $bad$ is set to true. Therefore we have
$$\Pr[A^{\mathcal{E},\mathcal{E}^{-1}}\Rightarrow 1]-\Pr[A^{\$,\$}\Rightarrow 1]=\Pr[A^{\mathrm{Game\,1}}\Rightarrow 1]-\Pr[A^{\mathrm{Game\,2}}\Rightarrow 1]\le\Pr[A^{\mathrm{Game\,2}}\text{ sets }bad].\quad(1)$$
Game 3. We make some modifications to Game 2. The answer to each query is directly chosen as a random string, and the state of $bad$ is set at the end of all queries. Game 3 is the following:
Initialization:
  $\mathcal{D}\leftarrow\mathcal{R}\leftarrow\emptyset$
On the $r$th query $(T^r,U^r,V^r)$:
  $(X^r,Y^r)\xleftarrow{R}\{0,1\}^{m_r\cdot n}$
  return $(X^r,Y^r)[1,|(U^r,V^r)|]$
Finalization:
  for $r\leftarrow 1$ to $q$ do:
    If the $r$th query $(T^r,U^r,V^r)$ is an enciphering query:
      $UU^r\leftarrow U^r\oplus H_h(V^r\|T^r)$
      $XX^r\leftarrow X^r\oplus H_h(Y^r[1,|V^r|]\|T^r)$
      $\mathcal{D}\leftarrow\mathcal{D}\cup\{UU^r\}$
      $\mathcal{R}\leftarrow\mathcal{R}\cup\{XX^r\}$
      $S^r\leftarrow UU^r\oplus XX^r$
      for $i\leftarrow 1$ to $m_r-1$ do
        $\mathcal{D}\leftarrow\mathcal{D}\cup\{S^r\oplus i\}$
        $\mathcal{R}\leftarrow\mathcal{R}\cup\{Y^r_i\oplus V^r_i\}$
    If the $r$th query $(T^r,U^r,V^r)$ is a deciphering query:
      $UU^r\leftarrow U^r\oplus H_h(V^r\|T^r)$
      $XX^r\leftarrow X^r\oplus H_h(Y^r[1,|V^r|]\|T^r)$
      $\mathcal{D}\leftarrow\mathcal{D}\cup\{XX^r\}$
      $\mathcal{R}\leftarrow\mathcal{R}\cup\{UU^r\}$
      $S^r\leftarrow UU^r\oplus XX^r$
      for $i\leftarrow 1$ to $m_r-1$ do
        $\mathcal{D}\leftarrow\mathcal{D}\cup\{S^r\oplus i\}$
        $\mathcal{R}\leftarrow\mathcal{R}\cup\{Y^r_i\oplus V^r_i\}$
  $bad\leftarrow$ (there is a repetition in $\mathcal{D}$) or (there is a repetition in $\mathcal{R}$)
We have
$$\Pr[A^{\mathrm{Game\,2}}\text{ sets }bad]=\Pr[A^{\mathrm{Game\,3}}\text{ sets }bad].\quad(2)$$
Without loss of generality, suppose that $A$ is a deterministic algorithm. We want to prove that for any fixed $X^r,Y^r$ ($r=1,\cdots,q$) the above probability is negligible. But that is not true: for example, when $Y^1_1\oplus V^1_1=Y^2_1\oplus V^2_1$, $bad$ is set to true. We first make some restrictions on the choices of these random strings.
Restrictions on the choices of $(X^r,Y^r)$:
1. $X^r,Y^r_i$ are all distinct.
2. $X^r\neq U^r\oplus X^s\oplus U^s\oplus i\oplus j$ for all $s<r$, $1\le i\le m_r-1$, $1\le j\le m_s-1$.
3. $X^r\neq U^s$ for all $s<r$.
4. $Y^r_i\neq Y^s_j\oplus V^s_j\oplus V^r_i$ for all $s<r$, and for $s=r$ and all $j<i$.
It is easy to calculate that each restriction above decreases the choices of $(X^r,Y^r)$ by at most $\sigma^2/2^{n+1}$. In total, the choices of $(X^r,Y^r)$ are decreased by at most $2\sigma^2/2^n$.
Game 4. With these restrictions, we fix queries and answers. Suppose that $\{T^r,U^r,V^r,X^r,Y^r\mid r=1,\cdots,q\}$ maximizes the probability of setting $bad$. Now consider the following non-interactive and non-adaptive Game 4:
for $r\leftarrow 1$ to $q$ do:
  If the $r$th query $(T^r,U^r,V^r)$ is an enciphering query:
    $UU^r\leftarrow U^r\oplus H_h(V^r\|T^r)$
    $XX^r\leftarrow X^r\oplus H_h(Y^r[1,|V^r|]\|T^r)$
    $\mathcal{D}\leftarrow\mathcal{D}\cup\{UU^r\}$
    $\mathcal{R}\leftarrow\mathcal{R}\cup\{XX^r\}$
    $S^r\leftarrow UU^r\oplus XX^r$
    for $i\leftarrow 1$ to $m_r-1$ do
      $\mathcal{D}\leftarrow\mathcal{D}\cup\{S^r\oplus i\}$
      $\mathcal{R}\leftarrow\mathcal{R}\cup\{Y^r_i\oplus V^r_i\}$
  If the $r$th query $(T^r,U^r,V^r)$ is a deciphering query:
    $UU^r\leftarrow U^r\oplus H_h(V^r\|T^r)$
    $XX^r\leftarrow X^r\oplus H_h(Y^r[1,|V^r|]\|T^r)$
    $\mathcal{D}\leftarrow\mathcal{D}\cup\{XX^r\}$
    $\mathcal{R}\leftarrow\mathcal{R}\cup\{UU^r\}$
    $S^r\leftarrow UU^r\oplus XX^r$
    for $i\leftarrow 1$ to $m_r-1$ do
      $\mathcal{D}\leftarrow\mathcal{D}\cup\{S^r\oplus i\}$
      $\mathcal{R}\leftarrow\mathcal{R}\cup\{Y^r_i\oplus V^r_i\}$
$bad\leftarrow$ (there is a repetition in $\mathcal{D}$) or (there is a repetition in $\mathcal{R}$)
From the above discussion, we have that
$$\Pr[A^{\mathrm{Game\,3}}\text{ sets }bad]\le\Pr[\mathrm{Game\,4}\text{ sets }bad]+2\sigma^2/2^n.\quad(3)$$
Let $I=\{1,\cdots,q\}$ and $I=I_1\cup I_2$, where $I_1=\{s\in I\mid(T^s,U^s,V^s)\text{ is an enciphering query}\}$ and $I_2=\{t\in I\mid(T^t,U^t,V^t)\text{ is a deciphering query}\}$. Let $l=\max\{m_1,\cdots,m_q\}$. We can see that $\mathcal{D}=\mathcal{D}_1\cup\mathcal{D}_2\cup\mathcal{D}_3$, where $\mathcal{D}_1=\{UU^s\mid s\in I_1\}$, $\mathcal{D}_2=\{XX^t\mid t\in I_2\}$ and $\mathcal{D}_3=\{S^r\oplus i\mid r\in I,1\le i\le m_r-1\}$; and $\mathcal{R}=\mathcal{R}_1\cup\mathcal{R}_2\cup\mathcal{R}_3$, where $\mathcal{R}_1=\{XX^s\mid s\in I_1\}$, $\mathcal{R}_2=\{UU^t\mid t\in I_2\}$ and $\mathcal{R}_3=\{Y^r_i\oplus V^r_i\mid r\in I,1\le i\le m_r-1\}$.
Any element in $\mathcal{D}$ or $\mathcal{R}$ is a polynomial in $h$ whose degree is at most $l+t_0$. We want to prove that for any $X_1,X_2\in\mathcal{D}$ or $X_1,X_2\in\mathcal{R}$, the repetition probability is $\Pr[X_1=X_2]\le(l+t_0)/2^n$. Because a polynomial of degree $l+t_0$ has at most $l+t_0$ roots in the finite field, we only need to prove that $X_1\oplus X_2$ is a nonzero polynomial in $h$.
We consider the following situations:
- $X_1,X_2\in\mathcal{D}_1$: $(T^s,U^s,V^s)$, $s\in I_1$, are all distinct, because $A$ never asks a trivial query. By property 1 of $H$, $X_1\oplus X_2$ is a nonzero polynomial.
- $X_1,X_2\in\mathcal{D}_2$: by restriction 1, the constant term of $X_1\oplus X_2$ is nonzero.
- $X_1,X_2\in\mathcal{D}_3$: by restriction 2, the constant term of $X_1\oplus X_2$ is nonzero.
- $X_1\in\mathcal{D}_1$ and $X_2\in\mathcal{D}_2$: suppose $X_1=UU^s$ and $X_2=XX^t$. If $s<t$, then by restriction 3 the constant term of $X_1\oplus X_2$ is nonzero. If $s>t$, then $(T^s,U^s,V^s)\neq(T^t,X^t,Y^t[1,|V^t|])$, because $A$ never makes a trivial query. By property 1 of $H$, $X_1\oplus X_2$ is a nonzero polynomial.
- $X_1\in\mathcal{D}_2$ and $X_2\in\mathcal{D}_3$: by property 2 of $H$, $X_1\oplus X_2$ is a nonzero polynomial.
- $X_1\in\mathcal{D}_1$ and $X_2\in\mathcal{D}_3$: the same reason as above.
- $X_1,X_2\in\mathcal{R}_1$: by restriction 1, the constant term of $X_1\oplus X_2$ is nonzero.
- $X_1,X_2\in\mathcal{R}_2$: $(T^t,U^t,V^t)$, $t\in I_2$, are all distinct, because $A$ never makes a trivial query. By property 1 of $H$, $X_1\oplus X_2$ is a nonzero polynomial.
- $X_1,X_2\in\mathcal{R}_3$: by restriction 4, $X_1\oplus X_2$ is a nonzero constant.
- $X_1\in\mathcal{R}_1$ and $X_2\in\mathcal{R}_2$: suppose $X_1=XX^s$ and $X_2=UU^t$. If $s>t$, then by restriction 3 the constant term of $X_1\oplus X_2$ is nonzero. If $s<t$, then $(T^t,U^t,V^t)\neq(T^s,X^s,Y^s[1,|V^s|])$, because $A$ never makes a trivial query. By property 1 of $H$, $X_1\oplus X_2$ is a nonzero polynomial.
- $X_1\in\mathcal{R}_2$ and $X_2\in\mathcal{R}_3$: by property 2 of $H$, $X_1\oplus X_2$ is a nonzero polynomial.
- $X_1\in\mathcal{R}_1$ and $X_2\in\mathcal{R}_3$: the same reason as above.
There are in total $\sigma(\sigma-1)/2$ pairs of elements in $\mathcal{D}$ and $\sigma(\sigma-1)/2$ pairs of elements in $\mathcal{R}$. So the probability of a repetition in $\mathcal{D}$ or $\mathcal{R}$ is at most $(l+t_0)\sigma^2/2^n$:
$$\Pr[\mathrm{Game\,4}\text{ sets }bad]\le(l+t_0)\sigma^2/2^n\le(t_0\sigma^2+\sigma^3)/2^n.\quad(4)$$
Combining (1), (2), (3) and (4), we complete the proof.
... In the last two decades there has been some intense work in designing and proving the security of TES. Some of the existing constructions are PEP [5], HCTR [20], HCH [4], TET [6], HEH [18], CMC [7], XCB [11,12] and EME [8]. TES has been standardised because of its practical application in disk encryption. ...
... To hash M using a polynomial hash with a key n bit key H, the polynomial h H (M ) = i M i H i is computed. Variants of this polynomial evaluation hash has been widely used to construct message authentication codes (MAC) [1,13,21], authenticated encryption (AE), TES [11,4,20] and other cryptographic schemes. CTR mode uses the block cipher to generate the key stream used in the message encryption: E K (S i ), i = 1, 2, · · ·, where K is the key of block cipher and S i is the number generated by a counter. ...
... It was proposed by Wang, Feng and Wu in 2005. It is a mode of operation which provides a tweakable strong pseudorandom permutation [20]. We show how the hash function is insecure. ...
Preprint
Tweakable Enciphering Scheme (TES) is a length preserving scheme which provides confidentiality and admissible integrity. XCB (Extended Code Book) is a TES which was introduced in 2004. In 2007, it was modified and security bound was provided. Later, these two versions were referred to as XCBv1 and XCBv2 respectively. XCBv2 was proposed as the IEEE-std 1619.2 2010 for encryption of sector oriented storage media. In 2013, first time Security bound of XCBv1 was given and XCBv2's security bound was enhanced. A constant of $2^{22}$ appears in the security bounds of the XCBv1 and XCBv2. We showed that this constant of $2^{22}$ can be reduced to $2^{5}$. Further, we modified the XCB (MXCB) scheme such that it gives better security bound compared to the present XCB scheme. We also analyzed some weak keys attack on XCB and a type of TES known as HCTR (proposed in 2005). We performed distinguishing attack and the hash key recovery attack on HCTR. Next, we analyzed the dependency of the two different keys in HCTR.
... Provable security results in symmetric-key can be broadly classified according to the proof techniques used. Different constructions may warrant different proof techniques:
• (Tweakable) (S)PRPs such as three and four rounds of Feistel [2], CLRW2 [12], etc.;
• PRFs and MACs such as CBC-MAC [13,14], ECBC, FCBC and XCBC [15], PMAC+ [16], sum of ECBC [17], etc.;
• (Tweakable) enciphering schemes such as CMC [18], EME [19], TET [20], HCH [21], HCTR [22], XLS [23], HEH [24,25], etc.;
• Online ciphers such as HCBC1 and HCBC2 [26], TC1, TC2 and TC3 [27], POEx [28], XTC [29], etc.;
• AE schemes such as SIV [30], OCB [31][32][33], COPA [34], POET [35], etc. ...
... SPRP enciphering schemes: HCTR [22] and TET [20]. ...
... HCTR is an encryption scheme developed by Wang, Feng and Wu [22], based on the hash-CTR-hash paradigm, which uses a sandwich consisting of the CTR mode in between two executions of an AXU hash function. The CTR mode can be replaced by a pseudorandom function (PRF), which takes n-bit inputs and returns an arbitrarily long bit-stream. ...
Article
The Coefficients H technique (also called the H-technique), developed by Patarin circa 1991, is a tool used to obtain the upper bounds on distinguishing advantages. This tool is known to provide relatively simple and (in some cases) tight bound proofs in comparison to some other well-known tools, such as the game-playing technique and random systems methodology. In this systematization of knowledge (SoK) paper, we aim to provide a brief survey on the H-technique. The SoK is presented in four parts. First, we redevelop the necessary nomenclature and tools required to study the security of any symmetric-key design, especially in the H-technique setting. Second, we provide a full description of the H-technique and some related tools. Third, we present (simple) H-technique-based proofs for some popular symmetric-key designs, across different paradigms. Finally, we show that the H-technique can actually provide optimal bounds on distinguishing advantages.
... When starting counter-mode encryption from a random value and incrementing by modular addition, one has to either consider potential carry bits or reduce the security by fixing a maximal message length. Wang et al. [WFW05] proposed to replace modular addition by XOR, which avoids the need to be concerned with carry bits. Let $E : \{0,1\}^k \times \{0,1\}^n \rightarrow \{0,1\}^n$ be a block cipher. ...
... Moreover, since the generic RIV construction is based only on PRF assumptions, this leaves open the possibility for proofs in the indifferentiability setting [MRH04]. RIV is slightly less efficient than earlier STPRP constructions, i.e., it employs three additional calls to an n-bit PRP, compared to a single call in HCTR-based [WFW05] constructions. Since the use of a nonce-based encryption scheme $(\mathcal{E}, \mathcal{D})$ poses only the requirement on the IV to be a nonce, it might look to be sufficient to have two calls to universal hash functions instead of two calls to a PRF F. ...
... Thus, one could theoretically adapt any existing BBB-secure TES scheme for DAE [Min09,Min15,ST13]. Though, for the popular approaches Hash-Encrypt-Hash [Sar07], Hash-Counter-Hash [WFW05], and Protected IV [ST13], this strategy would also imply more operations than necessary for DAE, i.e., three passes over the plaintext. While Encrypt- ...
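The polynomial hash $h_H(M) = \sum_i M_i H^i$ and the counter-mode keystream $E_K(S_i)$ quoted above, together with the XOR-counter variant attributed to Wang et al., are concrete enough to run. The block below is an added example, not code from the HCTR paper or from any of the citing works. The things the quoted text does not fix are assumptions made here: the field is GF(2^128) in plain polynomial basis with reduction polynomial x^128+x^7+x^2+x+1 (bit i of an int is the coefficient of x^i, not GCM's reflected convention); the block index i starts at 1; the final block is zero-padded; and, as the hash-CTR-hash excerpt permits, the block cipher $E_K$ is replaced by a PRF stand-in (HMAC-SHA256 truncated to 16 bytes) so the code runs offline without AES. It shows three things a practitioner wants to see: the hash is GF(2)-linear in the message, the key H = 0 maps every message to 0 (the simplest weak key), and an XOR counter never carries out of its low bits while modular addition can wrap mod 2^n.

```python
"""Polynomial hash over GF(2^128) and a CTR keystream with an XOR counter.

Added example; not code from the HCTR paper or from any citing work.
Assumptions the cited text does not fix: plain polynomial basis for
GF(2^128) with modulus x^128+x^7+x^2+x+1, block index i from 1, the last
block zero-padded, and E_K replaced by a PRF stand-in (HMAC-SHA256).
"""
import hashlib
import hmac

N = 128                    # block size n in bits
MASK = (1 << N) - 1
R = 0x87                   # x^7 + x^2 + x + 1: what x^128 reduces to


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two GF(2^128) elements, reduced mod x^128+x^7+x^2+x+1."""
    res = 0
    a &= MASK
    b &= MASK
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):               # degree reached 128: subtract the modulus
            a = (a & MASK) ^ R
    return res


def blocks_of(message: bytes) -> list[int]:
    """Split M into n-bit blocks M_1..M_m (assumption: zero-pad the final block)."""
    return [int.from_bytes(message[j:j + 16].ljust(16, b"\x00"), "big")
            for j in range(0, len(message), 16)]


def poly_hash(h_key: int, message: bytes) -> int:
    """h_H(M) = sum_i M_i * H^i over GF(2^128), i = 1..m.

    Caveat: this bare polynomial does not bind the message length, so
    M and M||0^n collide; a deployed scheme must also hash a length block."""
    acc, h_pow = 0, h_key & MASK
    for m_i in blocks_of(message):
        acc ^= gf_mul(m_i, h_pow)
        h_pow = gf_mul(h_pow, h_key)
    return acc


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K on one n-bit block (assumption: HMAC-SHA256 truncated to n bits)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def counter_values(s: int, nblocks: int, mode: str) -> list[int]:
    """S_1..S_nblocks from a start value S: modular addition mod 2^n, or XOR."""
    if mode == "add":
        return [(s + i) & MASK for i in range(1, nblocks + 1)]
    if mode == "xor":
        return [s ^ i for i in range(1, nblocks + 1)]
    raise ValueError(mode)


def stays_in_window(s: int, nblocks: int, mode: str) -> bool:
    """True iff every S_i keeps the bits of S above the counter width.

    XOR never carries out of the low bits, so this always holds for
    mode='xor'; modular addition can carry upward and wrap mod 2^n."""
    k = nblocks.bit_length()
    return all(v >> k == s >> k for v in counter_values(s, nblocks, mode))


def ctr_keystream(key: bytes, s: int, nbytes: int, mode: str = "xor") -> bytes:
    """Keystream E_K(S_1) || E_K(S_2) || ... truncated to nbytes."""
    nblocks = (nbytes + 15) // 16
    out = b"".join(prf(key, v.to_bytes(16, "big"))
                   for v in counter_values(s, nblocks, mode))
    return out[:nbytes]


def hash_is_linear_in_message(h_key: int, m1: bytes, m2: bytes) -> bool:
    """For equal-length M, M': h_H(M xor M') == h_H(M) xor h_H(M')."""
    m_xor = bytes(x ^ y for x, y in zip(m1, m2))
    return poly_hash(h_key, m_xor) == poly_hash(h_key, m1) ^ poly_hash(h_key, m2)


if __name__ == "__main__":
    h = 0x1234_5678_9ABC_DEF0_0FED_CBA9_8765_4321          # constructed hash key
    key = bytes(range(16))                                   # constructed cipher key
    near_top = MASK - 1                                      # start value 2^128 - 2
    print("hash linear in message:", hash_is_linear_in_message(h, b"A" * 40, b"B" * 40))
    print("weak key H=0 hashes everything to 0:", poly_hash(0, b"any message") == 0)
    print("add counter carries out of window:", stays_in_window(near_top, 3, "add"))
    print("xor counter stays in window:", stays_in_window(near_top, 3, "xor"))
    print("keystream:", ctr_keystream(key, near_top, 40).hex())
```

The `stays_in_window` check is the whole point of the XOR proposal: with XOR, $S_i = S_j$ forces $i = j$ and two streams collide only if $S \oplus S' = i \oplus j$, a relation that can be bounded without reasoning about carries, whereas with modular addition a start value near $2^n$ wraps to small counters and the collision analysis has to account for it.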
Thesis
Modern cryptography has become an often ubiquitous but essential part of our daily lives. Protocols for secure authentication and encryption protect our communication with various digital services, from private messaging, online shopping, to bank transactions or exchanging sensitive information. Those high-level protocols can naturally be only as secure as the authentication or encryption schemes underneath. Moreover, on a more detailed level, those schemes can also at best inherit the security of their underlying primitives. While widespread standards in modern symmetric-key cryptography, such as the Advanced Encryption Standard (AES), have been shown to resist analysis until now, closer analysis and design of related primitives can deepen our understanding. The present thesis consists of two parts that portray six contributions: The first part considers block-cipher cryptanalysis of the round-reduced AES, the AES-based tweakable block cipher Kiasu-BC, and TNT. The second part studies the design, analysis, and implementation of provably secure authenticated encryption schemes. In general, cryptanalysis aims at finding distinguishable properties in the output distribution. Block ciphers are a core primitive of symmetric-key cryptography which are useful for the construction of various higher-level schemes, ranging from authentication, encryption, authenticated encryption up to integrity protection. Therefore, their analysis is crucial to secure cryptographic schemes at their lowest level. With rare exceptions, block-cipher cryptanalysis employs a systematic strategy of investigating known attack techniques. Modern proposals are expected to be evaluated against these techniques. The considerable effort for evaluation, however, demands efforts not only from the designers but also from external sources. The Advanced Encryption Standard (AES) is one of the most widespread block ciphers nowadays. Therefore, it is naturally an interesting target for further analysis.
Tweakable block ciphers augment the usual inputs of a secret key and a public plaintext by an additional public input called tweak. Among various proposals through the previous decade, this thesis identifies Kiasu-BC as a noteworthy attempt to construct a tweakable block cipher that is very close to the AES. Hence, its analysis intertwines closely with that of the AES and illustrates the impact of the tweak on its security best. Moreover, it revisits a generic tweakable block cipher Tweak-and-Tweak (TNT) and its instantiation based on the round-reduced AES. The first part investigates the security of the AES against several forms of differential cryptanalysis, developing distinguishers on four to six (out of ten) rounds of AES. For Kiasu-BC, it exploits the additional freedom in the tweak to develop two forms of differential-based attacks: rectangles and impossible differentials. The results on Kiasu-BC consider an additional round compared to attacks on the (untweaked) AES. The authors of TNT had provided an initial security analysis that still left a gap between provable guarantees and attacks. Our analysis conducts a considerable step towards closing this gap. For TNT-AES, an instantiation of TNT built upon the AES round function, this thesis further shows how to transform our distinguisher into a key-recovery attack. Many applications require the simultaneous authentication and encryption of transmitted data. Authenticated encryption (AE) schemes provide both properties. Modern AE schemes usually demand a unique public input called nonce that must not repeat. However, this requirement cannot always be guaranteed in practice. As part of a remedy, misuse-resistant and robust AE tries to reduce the impact of occasional misuses. However, robust AE considers not only the potential reuse of nonces. Common authenticated encryption also demanded that the entire ciphertext would have to be buffered until the authentication tag has been successfully verified.
In practice, this approach is difficult to ensure since the setting may lack the resources for buffering the messages. Moreover, robustness guarantees in the case of misuse are valuable features. The second part of this thesis proposes three authenticated encryption schemes: RIV, SIV-x, and DCT. RIV is robust against nonce misuse and the release of unverified plaintexts. Both SIV-x and DCT provide high security independent from nonce repetitions. As the core under SIV-x, this thesis revisits the proof of a highly secure parallel MAC, PMAC-x, revises its details, and proposes SIV-x as a highly secure authenticated encryption scheme. Finally, DCT is a generic approach to have n-bit secure deterministic AE without the need to expand the ciphertext-tag string by more than n bits beyond the plaintext. From its first part, this thesis aims to extend the understanding of the (1) cryptanalysis of round-reduced AES, as well as the understanding of (2) AES-like tweakable block ciphers. From its second part, it demonstrates how to simply extend known approaches for (3) robust nonce-based as well as (4) highly secure deterministic authenticated encryption.
... Over the years, there have been several proposals of TES constructions and most of them are built on top of block ciphers. Constructions like CMC [38], EME [39], EME* [37], FMix [11], AEZ [40] are built only using block ciphers, whereas XCB [44,17], HCTR [51], HCH [20] use both block ciphers and universal hash functions. There are a few constructions of TES using stream ciphers [18,50]. ...
... HCTR is one of the popular tweakable enciphering modes, proposed by Wang et al. [51], that turns an n-bit strong pseudorandom permutation into a variable length tweakable strong pseudorandom permutation. The encryption and decryption algorithm of HCTR is shown in Fig. 3.1 and its pictorial representation is shown in Fig. 3 ...
... Wang et al. [51] have shown that HCTR is a secure TES against all adaptive chosen plaintext and chosen ciphertext adversaries that make roughly $2^{n/3}$ encryption and decryption queries. Later Chakraborty and Nandi [19] improved its security bound to $O(\sigma^2/2^n)$, where $\sigma$ is the total number of message blocks among all q queries. ...
... HCTR2 [4] is an extension of HCTR [36]. From the likes of the Adiantum, HCTR2's primary focus is also on low powered devices and disk encryption scenarios. ...
Article
Committing security of authenticated encryption schemes is an emerging area and an active field of research and is highly motivated by real-world scenarios. CMT-4 security of an authenticated encryption scheme is a security notion where an adversary must create two distinct tuples, each containing a key, a nonce, an associated data and a message for the encryption sub-routine of the authenticated encryption scheme, such that the outputs produced by the encryption sub-routine for the two tuples are the same. In this paper, we analyze CMT-4 security of four tweakable wide block cipher schemes HBSH, HCTR2, double-decker and docked-double-decker under the encode-then-encipher paradigm by prepending zeros, and present CMT-4 attacks with $O(1)$ time complexity for all four schemes. We introduce the notion of tweakable stream cipher (tS in short) with the property of partial collision resistance, and use it to create four new tweakable wide block cipher schemes: HBtSH, HtS, tS-double-decker and tS-docked-double-decker. These four proposed schemes can be used to create a CMT-4 secure authenticated encryption scheme with the property of partial collision under the encode-then-encipher paradigm. Further, we provide a security proof with partial collision resistance for the four proposed schemes against a CMT-4 adversary.
... The same authors only later formally proved its security in [MF07]. Halevi extended EME into EME* [Hal04], achieving a fully VIL tweakable LPE scheme; Wang et al. [WFW05] proposed HCTR, based on the counter (CTR) mode of encryption, and later Chakraborty and Nandi [CN08] improved its security bound. A series of schemes based on ECB followed, PEP by Chakraborty and Sarkar [CS06], TET by Halevi [Hal07], and HEH by Sarkar [Sar07]. ...
Article
To achieve semantic security, symmetric encryption schemes classically require ciphertext expansion. In this paper we provide a means to achieve semantic security while preserving the length of messages at the cost of mildly sacrificing correctness. Concretely, we propose a new scheme that can be interpreted as a secure alternative to (or wrapper around) plain Electronic Codebook (ECB) mode of encryption, and for this reason we name it Secure Codebook (SCB). Our scheme is the first length-preserving encryption scheme to effectively achieve semantic security.
Chapter
A Rugged Pseudorandom Permutation (RPRP) is a variable-input-length tweakable cipher satisfying a security notion that is intermediate between tweakable PRP and tweakable SPRP. It was introduced at CRYPTO 2022 by Degabriele and Karadžić, who additionally showed how to generically convert such a primitive into nonce-based and nonce-hiding AEAD schemes satisfying either misuse-resistance or release-of-unverified-plaintext security as well as Nonce-Set AEAD which has applications in protocols like QUIC and DTLS. Their work shows that RPRPs are powerful and versatile cryptographic primitives. However, the RPRP security notion itself can seem rather contrived, and the motivation behind it is not immediately clear. Moreover, they only provided a single RPRP construction, called UIV, which puts into question the generality of their modular approach and whether other instantiations are even possible. In this work, we address this question positively by presenting new RPRP constructions, thereby validating their modular approach and providing further justification in support of the RPRP security definition. Furthermore, we present a more refined view of their results by showing that strictly weaker RPRP variants, which we introduce, suffice for many of their transformations. From a theoretical perspective, our results show that the well-known three-round Feistel structure achieves stronger security as a permutation than a mere pseudorandom permutation—as was established in the seminal result by Luby and Rackoff. We conclude on a more practical note by showing how to extend the left domain of one RPRP construction for applications that require larger values in order to meet the desired level of security.
Chapter
When keys are small or parts thereof leak, key-recovery attacks on symmetric-key primitives still pose a plausible threat. Key stretching is one well-known means to throttle potential adversaries, where stretching a key by s bits means that a key-recovery attack has to perform \(\min \{2^{k-1}, 2^{k-\lambda +s-1}\}\) operations on average for \(\lambda \) bits of information leakage. However, typical explicit key stretching requires the defender to also pay for the stretch operations. The usual assumption is that a surrounding encryption scheme does not increase the key-recovery security of its internal primitives. This work challenges this assumption by considering the structure of popular encryption schemes. In particular, message lengths may be non-negligible in settings such as full-disk encryption or archiving, where the adversary can obtain only long messages. Surprisingly, the question of whether a surrounding encryption scheme has only a negligible impact on key recovery seems to have remained uninvestigated. Therefore, it is interesting to study if "implicit" key stretching may come for free as an inherent property of popular schemes. We define an encryption scheme as "fully key-stretching-secure" if an adversary that sees plaintext-ciphertext pairs of at least m blocks each must perform at least m primitive calls for testing a key candidate. Using a similar definition of affine modes as Chakraborti et al. in JMC 2018, we systematically explore common encryption schemes with respect to their key-stretching security. In total, we consider five classes of (1) online, (2) SIV-like, (3) parallelizable two-pass (EME-like), (4) sequential two-pass (CMC-like), and (5) three-pass (HCTR-like) encryption schemes. By modeling them as affine modes, we can identify all considered encryption schemes as key-stretching-insecure, i.e., one needs only O(1) primitive calls for testing a key candidate. However, for the insecure schemes from types (4) and (5), namely for EME-, CMC-, and HCTR-like schemes, we propose minor tweaks to ensure full key-stretching security.
Keywords: Symmetric-key cryptography, Provable security, Encryption
Chapter
The BRW-polynomial function is suggested as a preferred alternative to the polynomial function, owing to its high efficiency and seemingly non-existent weak keys. In this paper we investigate the weak-key issue of the BRW-polynomial function as well as BRW-instantiated cryptographic schemes. Though, in BRW-polynomial evaluation, the relationship between coefficients and input blocks is indistinct, we give a recursive algorithm to compute another $(2^{v+1}-1)$-block message, for any given $(2^{v+1}-1)$-block message, such that their output differential through BRW-polynomial evaluation equals any given s-degree polynomial, where $v \ge \lfloor \log_2(s+1) \rfloor$. With such an algorithm, we illustrate that any non-empty key subset is a weak-key class in the BRW-polynomial function. Moreover, any key subset of the BRW-polynomial function consisting of at least 2 keys is a weak-key class in BRW-instantiated cryptographic schemes like the Wegman-Carter scheme, the UHF-then-PRF scheme, DCT, etc. Especially in the AE scheme DCT, its confidentiality, as well as its integrity, collapses totally when using weak keys of the BRW-polynomial function, which are ubiquitous.
Chapter
We systematically study the security of twelve Beyond-Birthday-Bound Message Authentication Codes (BBB MACs) in the Q2 model where attackers have quantum-query access to MACs. Assuming the block size of the underlying (tweakable) block cipher is n bits, the security proofs show that they are secure at least up to $O(2^{2n/3})$ queries in the classical setting. The best classical attacks need $O(2^{3n/4})$ queries. We consider secret state recovery against SUM-ECBC-like and PMAC_Plus-like MACs and key recovery against PMAC_Plus-like MACs. Both attacks lead to successful forgeries. The first attack costs $O(2^{n/2} n)$ quantum queries by applying the Grover-meets-Simon algorithm. The second attack costs $O(2^{m/2})$ quantum queries by applying Grover's algorithm, assuming the key size of the (tweakable) block cipher is m bits. As far as we know, these are the first quantum attacks against BBB MACs. It is remarkable that our attacks are suitable even for some optimally secure MACs, such as mPMAC+-f, mPMAC+-p1, and mPMAC+-p2.
Article
This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.
Article
In the game-playing technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pseudocode—a chain of games. The approach was first used by Kilian and Rogaway (1996) and has been used repeatedly since, but it has never received a systematic treatment. In this paper we provide one. We develop the foundations for game-playing, formalizing a general framework for doing game-playing proofs and providing general and useful lemmas that justify various kinds of game-refinement steps. We use this to provide simpler and more easily verifiable proofs of some classic existing results, including the security of the basic CBC MAC. We then extend this to prove a significant new result, namely an improved security bound for the basic CBC MAC.
Conference Paper
Whereas a block cipher enciphers messages of some one particular length (the blocklength), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. This paper introduces the problem of constructing such objects, and provides a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.
Conference Paper
The block cipher DESX is defined by $\mathrm{DESX}_{k.k_1.k_2}(x) = k_2 \oplus \mathrm{DES}_k(k_1 \oplus x)$, where $\oplus$ denotes bitwise exclusive-or. This construction was first suggested by Ron Rivest as a computationally-cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, $\mathrm{FX}_{k.k_1.k_2}(x) = k_2 \oplus F_k(k_1 \oplus x)$ is substantially more resistant to key search than is F. In fact, our analysis says that FX has an effective key length of at least $k + n - 1 - \lg m$ bits, where k is the key length of F, n is the block length, and m bounds the number of $\langle x, \mathrm{FX}_K(x) \rangle$ pairs the adversary can obtain.
Conference Paper
We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of $mn$ bits, where $m \in [1..n]$. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a "lightweight mixing" in between. We prove EME secure, in the reduction-based sense of modern cryptography. We motivate some of the design choices in EME by showing that a few simple modifications of this mode are insecure.
Conference Paper
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
Article
This paper gives an input independent average linear time algorithm for storage and retrieval on keys. The algorithm makes a random choice of hash function from a suitable class of hash functions. Given any sequence of inputs the expected time (averaging over all functions in the class) to store and retrieve elements is linear in the length of the sequence. The number of references to the data base required by the algorithm for any input is extremely close to the theoretical minimum for any possible hash function with randomly distributed inputs. We present three suitable classes of hash functions which also can be evaluated rapidly. The ability to analyze the cost of storage and retrieval without worrying about the distribution of the input allows as corollaries improvements on the bounds of several algorithms.
Conference Paper
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string $M \in \{0,1\}^*$ using $\lceil |M|/n \rceil + 2$ block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.