Length-Doubling Ciphers and Tweakable Ciphers
Haibin Zhang
Computer Science Department, University of California, Davis

Our Contribution

- HEM: a VIL (variable-input-length) cipher on the domain of strings whose length lies in [n..2n-1]
- THEM: a VIL tweakable cipher on the same domain
- Both HEM and THEM use only two blockcipher calls

Symmetric-Key Encryption (Confidentiality Modes of Operation)

- Probabilistic/stateful encryption (length-expanding)
  IND-CPA: CBC, CTR, ...
  (IND-CCA) AE = IND-CPA + INT-CTXT: CCM, GCM, OCB, ...
- Deterministic encryption (length-preserving encryption; a cipher)
  PRP (CPA) security
  SPRP (CCA) security: CMC, EME2 (standardized by IEEE), ...
  SPRP ciphers are useful in disk-sector encryption, encipher-and-encode applications, hybrid encryption, ...

Blockciphers

A blockcipher is a map $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ such that $E_K = E(K,\cdot)$ is a permutation for every key $K$. Let $\pi$ be a random permutation over $\{0,1\}^n$. The adversary $A$ must tell $E_K$, under a random key, from $\pi$:

PRP (CPA) security: forward oracle only.
$\mathbf{Adv}^{\mathrm{prp}}_E(A) = \Pr[A^{E_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$

$\pm$PRP (CCA, "strong PRP") security: forward and inverse oracles.
$\mathbf{Adv}^{\pm\mathrm{prp}}_E(A) = \Pr[A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$

General Ciphers

A (general) cipher is a map $\mathcal{E} : \mathcal{K} \times \mathcal{X} \to \mathcal{X}$ such that $\mathcal{E}_K = \mathcal{E}(K,\cdot)$ is a length-preserving permutation of $\mathcal{X}$ for every key. The reference object is now a random length-preserving permutation $\pi$ over $\mathcal{X}$:

PRP (CPA) security:
$\mathbf{Adv}^{\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot)} \Rightarrow 1]$

$\pm$PRP (CCA) security:
$\mathbf{Adv}^{\pm\mathrm{prp}}_{\mathcal{E}}(A) = \Pr[A^{\mathcal{E}_K(\cdot),\,\mathcal{E}_K^{-1}(\cdot)} \Rightarrow 1] - \Pr[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1]$

In this talk the domain $\mathcal{X}$ is the set of strings whose length lies in $[n..2n-1]$.

Tweakable Blockcipher Security [Liskov, Rivest, Wagner 2002]

A tweakable blockcipher is a map $\widetilde{E} : \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ such that $\widetilde{E}_K(T,\cdot)$ is a permutation for every key $K$ and tweak $T \in \mathcal{T}$. Let $\widetilde{\pi}$ be drawn at random from $\mathrm{Perm}(\mathcal{T}, n)$, the set of tweak-indexed families of permutations over $\{0,1\}^n$ (an independent random permutation for every tweak). The adversary chooses the tweaks it queries:

PRP security:
$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$

$\pm$PRP security:
$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[A^{\widetilde{E}_K(\cdot,\cdot),\,\widetilde{E}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$

Tweakable Cipher Security [Liskov, Rivest, Wagner 2002]

A tweakable cipher is a map $\widetilde{\mathcal{E}} : \mathcal{K} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X}$ such that $\widetilde{\mathcal{E}}_K(T,\cdot)$ is a length-preserving permutation of $\mathcal{X}$ for every key and tweak. Let $\widetilde{\pi}$ be drawn at random from $\mathrm{Perm}(\mathcal{T}, \mathcal{X})$, the tweak-indexed families of length-preserving permutations over $\mathcal{X}$:

PRP security:
$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot)} \Rightarrow 1]$

$\pm$PRP security:
$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\mathcal{E}}}(A) = \Pr[A^{\widetilde{\mathcal{E}}_K(\cdot,\cdot),\,\widetilde{\mathcal{E}}_K^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\widetilde{\pi}(\cdot,\cdot),\,\widetilde{\pi}^{-1}(\cdot,\cdot)} \Rightarrow 1]$

A tweakable cipher for the domain of strings whose length lies in $[n..2n-1]$.

How is a Length-Doubling Cipher ([n..2n-1]) Useful?

- A historically and theoretically interesting problem: "doubling" the length of a cipher, i.e. building a FIL (fixed-input-length) cipher on 2n bits from an n-bit one [Luby and Rackoff, 1988].
- Our goal: "doubling" the length of a cipher in the VIL sense, i.e. a VIL cipher on strings of length in [n..2n-1] from an n-bit blockcipher.

How is a Length-Doubling Cipher ([n..2n-1]) Useful?

- A tweakable cipher of length [n..2n-1] underlies the TC3* online cipher [Rogaway and Zhang, 2011].

How is a Length-Doubling Cipher ([n..2n-1]) Useful?

- A tweakable cipher of length [n..2n-1] also fits XTS mode [IEEE, P1619], where the final partial block is handled by ciphertext stealing, which "did not seem to do a good job".

Previous constructions for [n..2n-1]

- EME2 [Halevi, 2004]
- Four-round Feistel
- XLS [Ristenpart, Rogaway, 2007]

Two-blockcipher-call solution?

Our algorithms use:
- two blockcipher calls
- two AXU hash calls
- one mixing-function call (inexpensive; a non-cryptographic tool)

AXU Hash Function [Krawczyk, 1994]

Almost-XOR-universal hash functions: $H : \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$ is $\varepsilon$-AXU if for all $X \neq X'$ in $\mathcal{X}$ and all $C \in \mathcal{Y}$,
$\Pr_K[H_K(X) \oplus H_K(X') = C] \le \varepsilon .$

For our constructions $\mathcal{X} = \mathcal{Y} = \{0,1\}^n$ and $H_K(X) = K \cdot X$, multiplication in the Galois field $\mathrm{GF}(2^n)$. The AXU hash is essential for both efficiency and security.
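The AXU bound above can be measured directly rather than taken on faith. The following is an added example, not code from the talk: it implements $H_K(X) = K \cdot X$ over $\mathrm{GF}(2^n)$ and computes $\varepsilon$ exactly by enumerating every key for every pair $X \neq X'$ at a toy width $n = 6$ (the talk's instantiation uses $n = 128$; the toy width, the field polynomials and the contrasting xor "hash" are this example's own choices). Because multiplication by a nonzero difference $X \oplus X'$ is a bijection on the field, $\varepsilon$ comes out at exactly $2^{-n}$; the key-xor hash, by contrast, leaks $X \oplus X'$ with probability 1.

```python
# Added example (not from the slides): measuring the AXU parameter epsilon of
# H_K(X) = K * X over GF(2^n) by exhausting keys at a toy width.  The talk uses
# n = 128; the toy width and field polynomials here are this example's choices.
from typing import Callable

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1: GF(2^8), the AES field (sanity check only)
TOY_POLY = 0x43    # x^6 + x + 1, irreducible over GF(2): GF(2^6) for the exhaustive check
TOY_N = 6

def gf_mul(a: int, b: int, n: int, poly: int) -> int:
    """Carry-less multiply of two n-bit field elements, reduced modulo poly."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:               # a degree-n term appeared: reduce it
            a ^= poly
    return r

def gf_hash(key: int, x: int) -> int:
    """The AXU hash on the slide: H_K(X) = K * X in GF(2^n), toy width n = 6."""
    return gf_mul(key, x, TOY_N, TOY_POLY)

def xor_hash(key: int, x: int) -> int:
    """Deliberately weak contrast: H_K(X) = K xor X.  Differences cancel the key."""
    return key ^ x

def max_xor_differential(h: Callable[[int, int], int], n: int = TOY_N) -> float:
    """epsilon = max over X != X' and C of Pr_K[ H_K(X) xor H_K(X') = C ],
    computed exactly by enumerating every key for every unordered pair (X, X')."""
    size = 1 << n
    worst = 0
    for x in range(size):
        for x2 in range(x + 1, size):
            counts = [0] * size
            for k in range(size):
                counts[h(k, x) ^ h(k, x2)] += 1
            worst = max(worst, max(counts))
    return worst / size

if __name__ == "__main__":
    print("GF(2^6) multiply hash: epsilon =", max_xor_differential(gf_hash))  # 1/64
    print("key-xor hash:          epsilon =", max_xor_differential(xor_hash))  # 1.0
```

The exhaustive loop is what makes the toy width necessary; at $n = 128$ one relies on the algebraic argument instead (the differential $K \cdot (X \oplus X')$ is uniform in $K$ whenever $X \neq X'$), which is exactly the argument the code confirms at small size.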

Mixing Function [Ristenpart and Rogaway, 2007]

A mixing function is a map $\mathrm{mix} : \mathcal{S} \times \mathcal{S} \to \mathcal{S} \times \mathcal{S}$. Let $\mathrm{mix}_L(\cdot,\cdot)$ and $\mathrm{mix}_R(\cdot,\cdot)$ be its left and right projections. Requirement: for any $A \in \mathcal{S}$, the four maps $\mathrm{mix}_L(A,\cdot)$, $\mathrm{mix}_L(\cdot,A)$, $\mathrm{mix}_R(A,\cdot)$ and $\mathrm{mix}_R(\cdot,A)$ are all permutations of $\mathcal{S}$. The construction by Ristenpart and Rogaway takes three xors and a single one-bit circular rotation.
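The four-permutation requirement is cheap to check exhaustively at a small width, and worth checking, because not every xor-and-rotate combination satisfies it: the linear map $A \mapsto A \oplus \mathrm{rol}_1(A)$ sends both $0^s$ and $1^s$ to $0^s$, so it is 2-to-1. The following is an added example, not code from the talk or from the Ristenpart-Rogaway paper: a checker for the definition on the slide (plus bijectivity of the whole map, which a cipher needs in order to decrypt), run on two candidates constructed here, neither of which is claimed to be the Ristenpart-Rogaway function. The first, a naive "three xors and one rotation" candidate, passes two of the four restrictions and fails the other two; the second, built from multiplication by $x$ in $\mathrm{GF}(2^s)$, passes all of them.

```python
# Added example (not from the slides): an exhaustive checker for the mixing-function
# property at a toy width s, run on two candidates constructed for this example.
# Neither candidate is claimed to be the Ristenpart-Rogaway function.
from typing import Callable, Dict, Tuple

S = 4                              # toy width: 16 values per half, 256 pairs in total
Mix = Callable[[int, int], Tuple[int, int]]

def rol1(x: int, s: int = S) -> int:
    """One-bit circular left rotation of an s-bit value."""
    return ((x << 1) | (x >> (s - 1))) & ((1 << s) - 1)

def xor_rol_mix(a: int, b: int) -> Tuple[int, int]:
    """Naive candidate: C = rol1(A xor B); output (A xor C, B xor C).
    Three xors and one rotation, but B -> B xor rol1(B) is 2-to-1 (kernel {0^s, 1^s}),
    so mix_L(., A) and mix_R(A, .) are not permutations even though mix is bijective."""
    c = rol1(a ^ b)
    return a ^ c, b ^ c

def xtime(x: int, s: int = S, poly: int = 0b10011) -> int:
    """Multiplication by x in GF(2^s); default field GF(2^4) with x^4 + x + 1."""
    x <<= 1
    if x >> s:
        x ^= poly
    return x

def gf_mix(a: int, b: int) -> Tuple[int, int]:
    """Candidate built from field arithmetic: (A xor B, A xor x*B).
    Each single-input restriction is an invertible affine map, and the whole map is
    invertible because U xor V = (x + 1) * B and (x + 1) is nonzero in GF(2^s)."""
    return a ^ b, a ^ xtime(b)

def is_mixing_function(mix: Mix, s: int = S) -> Dict[str, bool]:
    """Check the slide's definition exhaustively: for every fixed A, the four maps
    mix_L(A,.), mix_L(.,A), mix_R(A,.), mix_R(.,A) must be permutations of {0,1}^s.
    Also check that mix is a bijection on pairs, which a cipher needs to decrypt."""
    size = 1 << s
    result = {"L(A,.)": True, "L(.,A)": True, "R(A,.)": True, "R(.,A)": True}
    for a in range(size):
        images = {
            "L(A,.)": {mix(a, b)[0] for b in range(size)},
            "L(.,A)": {mix(b, a)[0] for b in range(size)},
            "R(A,.)": {mix(a, b)[1] for b in range(size)},
            "R(.,A)": {mix(b, a)[1] for b in range(size)},
        }
        for name, img in images.items():
            result[name] &= (len(img) == size)
    pairs = {mix(a, b) for a in range(size) for b in range(size)}
    result["bijective"] = len(pairs) == size * size
    return result

if __name__ == "__main__":
    for name, cand in (("gf_mix", gf_mix), ("xor_rol_mix", xor_rol_mix)):
        print(name, is_mixing_function(cand))
```

The checker enumerates $2^{2s}$ pairs, so it is a design-time tool for small $s$; the point it makes carries over to any width, since both candidates are $\mathrm{GF}(2)$-linear and the kernel argument does not depend on $s$.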

An inefficient two-blockcipher-call solution (diagram not reproduced), built from a variationally universal hash [Rogaway and Krovetz, 2006].

Feistel networks [Luby and Rackoff, 1988] [Naor and Reingold, 1997] [Patel, Ramzan and Sundaram, 1997]

Diagram labels (figure not reproduced):
- A FIL cipher of length 2n
- An improved FIL cipher of length 2n
- A FIL cipher of length >= 2n
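The classical way to "double the length of a cipher" in the FIL sense, referenced on this slide and on the earlier usefulness slide, is the Luby-Rackoff Feistel network: an n-bit PRF used as the round function gives a 2n-bit cipher, with three rounds sufficing for PRP (CPA) security and four for the $\pm$PRP (CCA) notion used throughout this talk. The following is an added example, not code from the talk: a generic r-round Feistel cipher on 256-bit blocks. The PRF instantiation (HMAC-SHA256 truncated to n = 128 bits) and the derivation of per-round keys from one master key are this example's own choices.

```python
# Added example (not from the slides): a length-doubling FIL cipher from an n-bit PRF
# by a Feistel network (the Luby-Rackoff construction referenced on the slide).
# The PRF (HMAC-SHA256 truncated to n bits) and the key schedule are this example's
# own choices; n = 128 bits, so the cipher acts on 2n = 256-bit blocks.
import hashlib
import hmac
from typing import List

N_BYTES = 16  # n = 128 bits per half; the Feistel block is 2n = 256 bits

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_round_keys(key: bytes, rounds: int) -> List[bytes]:
    """Per-round PRF keys derived from one master key (this example's choice;
    the Luby-Rackoff analysis simply assumes independent round functions)."""
    return [hmac.new(key, b"round-%d" % i, hashlib.sha256).digest() for i in range(rounds)]

def prf(round_key: bytes, x: bytes) -> bytes:
    """The n-bit-to-n-bit round function: HMAC-SHA256 truncated to n bits."""
    return hmac.new(round_key, x, hashlib.sha256).digest()[:N_BYTES]

def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """One round maps (L, R) -> (R, L xor F_i(R)).  Three rounds give a PRP;
    four rounds are needed for the +-PRP (CCA) notion, hence the default."""
    if len(block) != 2 * N_BYTES:
        raise ValueError("block must be exactly 2n bits")
    left, right = block[:N_BYTES], block[N_BYTES:]
    for rk in derive_round_keys(key, rounds):
        left, right = right, xor_bytes(left, prf(rk, right))
    return left + right

def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Undo the rounds in reverse order; the round function itself is never inverted,
    which is why any PRF (not a permutation) can serve as F_i."""
    if len(block) != 2 * N_BYTES:
        raise ValueError("block must be exactly 2n bits")
    left, right = block[:N_BYTES], block[N_BYTES:]
    for rk in reversed(derive_round_keys(key, rounds)):
        left, right = xor_bytes(right, prf(rk, left)), left
    return left + right

if __name__ == "__main__":
    key = hashlib.sha256(b"example master key").digest()   # constructed sample key
    msg = bytes(range(32))                                  # constructed sample block
    ct = feistel_encrypt(key, msg)
    assert feistel_decrypt(key, ct) == msg
    print(ct.hex())
```

Note what this construction does not give: it is a FIL cipher on exactly 2n bits. Extending it to the whole range [n..2n-1], with the two-call budget and the VIL security notion of this talk, is precisely the problem HEM addresses.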

FHEM: A FIL Cipher of length n+s

Diagram (not reproduced); its components, in order: AXU hash, blockcipher encryption, AXU hash, MIX function, blockcipher encryption. Annotations: 1. permutation; 2. SPRP.

FHEM of length n+s: security

Theorem. Let $\Pi = \mathrm{FHEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries, then
$\mathbf{Adv}^{\pm\mathrm{prp}}_{\Pi}(A) \le 3q^2/2^n .$

FHEM is not VIL secure

Distinguisher (diagram not reproduced): query the (n+1)-bit string $0^n \| 0$ and the (n+2)-bit string $0^n \| 00$, and let $C_1$ and $D_1$ be the first n-bit blocks of the two replies. If $D_1 = C_1$, output 1, else output 0.

HEM: A Length-Doubling Cipher

Diagram (not reproduced) contrasting FHEM with HEM; part of HEM's computation can be precomputed.

HEM security

Theorem. Let $\Pi = \mathrm{HEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries, then
$\mathbf{Adv}^{\pm\mathrm{prp}}_{\Pi}(A) \le 3q^2/2^n .$

THEM: A Length-Doubling Tweakable Cipher

Diagram (not reproduced) showing a way of adding tweaks to HEM.

THEM security

Theorem. Let $\widetilde{\Pi} = \mathrm{THEM}[H, \mathrm{Perm}(n), \mathrm{mix}]$. If $A$ asks at most $q$ queries, then
$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{\Pi}}(A) \le 3q^2/2^n .$

A More Compact Variant (Tweak Stealing)

Diagram not reproduced.

Open questions

- A more elegant cipher on $\mathcal{X} = \{0,1\}^{[n..2n)}$.
- How do we achieve an efficient VIL cipher with domain $\{0,1\}^{>n}$ using the fewest blockcipher calls?
- (Informally) Does there exist a lower bound on the number of blockcipher calls for an efficient SPRP-secure cipher with domain $\{0,1\}^{>n}$?

Thank you!