Beyond-birthday-bound Security Based on Tweakable Block Ciphers
Kazuhiko Minematsu, NEC Corporation
Fast Software Encryption 2009, Leuven, Belgium.

1 Doubling the Block Length of a Cipher
- Build a 2n-bit block cipher using n-bit components
- Many solutions, e.g., using a Feistel permutation
[Figure: an n-bit block cipher E (key, plaintext, ciphertext) next to a 2n-bit cipher built from n-bit components E1 and E2]

2 Security Reduction (the case of Feistel)
- Luby-Rackoff [LR88]: the 4-round Feistel is O(2^{n/2})-secure against chosen-ciphertext attacks (CCAs) if E is a pseudorandom function, i.e., it is hard to distinguish from a URP (uniform random permutation) using q ≪ 2^{n/2} queries
- Security is up to the birthday bound (for n)
[Figure: 4-round Feistel vs. uniform random permutation, distinguished with 2^{n/2} CCA queries]

3 Goal: Beyond-birthday-bound Security
- O(2^{ε+n/2})-security for some ε > 0 (larger ε is better)
- Very few known schemes (even for a small ε); most known schemes are O(2^{n/2})-secure
- Useful: it improves the security of block cipher modes with O(2^{block_length/2})-security, which are quite common (CBC, CTR, CBC-MAC, etc.)

4 Known Approaches
- Direct extension of Luby-Rackoff: use an n-bit block PRF and add more (balanced) Feistel rounds to the LR result
  - Patarin [Pat04]: 6-round has O(2^n)-sec. (for CCA)
  - Maurer-Pietrzak [MP03]: (r ≫ 1)-round has infinite sec.
- Unbalanced Feistel: use a PRF with >n-bit input and <n-bit output
  - Naor-Reingold [NR97]: s-round has O(2^{n(1-1/s)})-sec. (i.e., Adv. converges to 0 as the number of rounds s grows)

5 Our Approach
- Use a Tweakable (Block) Cipher, an extension of the block cipher introduced by Liskov et al. [LRW02]
- Tweak = public parameter for variability
  - A tweak determines a single instance of a block cipher
  - Different tweaks should provide pseudo-independent instances of a block cipher
[Figure: tweakable encryption TE_K(P, T) = C and decryption TD_K(C, T) = P, with an n-bit block and an m-bit tweak]

6 Problem Setting
- Tweakable cipher with an n-bit block and an m-bit tweak (we call it an (n,m)-bit TC)
- We assume 1 <= m <= n
- We assume our (n,m)-bit TC is perfect (i.e., it is a set of 2^m independent n-bit URPs)
  - Goal: an information-theoretic security proof; once obtained, the computational counterpart is trivial
- Build a 2n-bit cipher with (n,m)-bit TCs. How?

7 Starting Point: NR Mode
- Another proposal of Naor-Reingold for a large-block cipher (originally cn-bit for any c >= 2, here c = 2)
- Mix-ECB-Mix, where Mix is a (weak form of) pairwise independent permutation
- O(2^{n/2})-sec. was obtained
[Figure: (P_L, P_R) → mix 1 → E, E (one per n-bit half) → mix 2 → (C_L, C_R)]

8 Tweaking ECB
- Assume m = n for simplicity
- Use the tweak to introduce inter-block dependency ... while keeping it invertible! (e.g., the butterfly transform cannot be used)
- Then we get the construction in the figure
  - Note: this is two-key, but a one-key version is also possible
[Figure: (P_L, P_R) → TE1, TE2 chained through the tweak → (C_L, C_R)]

9 The Role of Mix Layers
- Tweaked ECB itself is only O(2^{n/2})-secure: simultaneous collisions of tweak and output can be the source of an attack!
- Mix must prevent this (in particular, a collision of tweaks)
[Figure: URP vs. TE1 with no tweak collision, Adv. ~ q^2/2^n; after mix 1, for (distinct, fixed) inputs the tweak-collision probability is ~ q^2/2^n]

10 Result: Extended Naor-Reingold (ENR)
- Mix is a one-round Feistel using an ε-AXU hash function (i.e., Pr[H(x) + H(x') = Δ] < ε for all x ≠ x' and all Δ)
- The same key for the top and bottom
[Figure: (P_L, P_R) → H → TE1, TE2 → H → (C_L, C_R)]

11 (see the paper for the general case, H = ε-AXU)
- Theorem: if H is 2^{-n}-AXU, we have [bound on slide]; O(2^n)-security is obtained! (Negligible if q ≪ 2^n)
- Moreover, if our TC is not perfect, we have [bound on slide]

12 Proof Idea
- There are four Quasi-Random Functions having 2n-bit input and n-bit output (overlapping each other)
- Each QRF has O(2^{2n})-security if H is 2^{-n}-AXU
[Figure: Encryption (H, TE1, TE2, H) and Decryption (H, TD1, TD2, H), with the four overlapping QRFs marked]
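The m = n construction of slides 8 to 12, as an added Python example (not code from the paper or its author): a perfect (n,n)-bit TC is simulated by lazily sampled random permutations, H_K(x) = K·x in GF(2^8) plays the ε-AXU hash, and the wiring (TE1 tweaked by the mixed left half and applied to the right half, TE2 tweaked by TE1's output, the bottom mix mirrored with the same key) is my reading of the figures, not a definition taken from the slides. n = 8 is a toy size chosen so that the 2^{-n}-AXU property can be checked exhaustively.

```python
import random

# Toy parameters (constructed for this example): n = 8, so the ENR block is 2n = 16 bits.
N_BITS = 8
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2); defines GF(2^8)


def gf_mul(a, b):
    """Carry-less multiplication a*b in GF(2^8) modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def h_axu(key, x):
    """H_K(x) = K * x in GF(2^n): a 2^-n-AXU hash (assumed instantiation, not from the slides)."""
    return gf_mul(key, x)


def axu_collision_probability(x1, x2, delta):
    """Pr over uniform K of H_K(x1) XOR H_K(x2) == delta, by exhaustive count (x1 != x2)."""
    assert x1 != x2
    hits = sum(1 for k in range(1 << N_BITS) if h_axu(k, x1) ^ h_axu(k, x2) == delta)
    return hits / (1 << N_BITS)


class IdealTweakableCipher:
    """Perfect (n,n)-bit TC: an independent URP for every tweak, sampled lazily."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.fwd = {}  # tweak -> {x: y}
        self.inv = {}  # tweak -> {y: x}

    def _tables(self, tweak):
        return self.fwd.setdefault(tweak, {}), self.inv.setdefault(tweak, {})

    def enc(self, tweak, x):
        fwd, inv = self._tables(tweak)
        if x not in fwd:
            y = self.rng.randrange(1 << N_BITS)
            while y in inv:  # reject used outputs so the table stays a permutation
                y = self.rng.randrange(1 << N_BITS)
            fwd[x], inv[y] = y, x
        return fwd[x]

    def dec(self, tweak, y):
        fwd, inv = self._tables(tweak)
        if y not in inv:
            x = self.rng.randrange(1 << N_BITS)
            while x in fwd:
                x = self.rng.randrange(1 << N_BITS)
            fwd[x], inv[y] = y, x
        return inv[y]


def enr_encrypt(te1, te2, hkey, p_left, p_right):
    x_left = p_left ^ h_axu(hkey, p_right)  # Mix 1: one-round Feistel with H
    y_left = te1.enc(x_left, p_right)       # TE1, tweaked by the mixed half (assumed wiring)
    y_right = te2.enc(y_left, x_left)       # TE2, tweaked by TE1's output (assumed wiring)
    c_left = y_left ^ h_axu(hkey, y_right)  # Mix 2: mirrored Feistel, same key
    return c_left, y_right


def enr_decrypt(te1, te2, hkey, c_left, c_right):
    y_left = c_left ^ h_axu(hkey, c_right)
    x_left = te2.dec(y_left, c_right)
    p_right = te1.dec(x_left, y_left)
    p_left = x_left ^ h_axu(hkey, p_right)
    return p_left, p_right


def roundtrip_ok(seed=2009, trials=200):
    """Encrypt/decrypt random 2n-bit blocks under lazily sampled TCs; True if all invert."""
    te1, te2 = IdealTweakableCipher(seed), IdealTweakableCipher(seed + 1)
    rng = random.Random(seed + 2)
    hkey = rng.randrange(1 << N_BITS)
    for _ in range(trials):
        p = (rng.randrange(1 << N_BITS), rng.randrange(1 << N_BITS))
        c = enr_encrypt(te1, te2, hkey, *p)
        if enr_decrypt(te1, te2, hkey, *c) != p:
            return False
    return True


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("Pr[H_K(x) + H_K(x') = delta] =", axu_collision_probability(0x53, 0xCA, 0x01))
```

Decryption runs the same three-layer structure in reverse order, with TD2 taking the place of TE1: that symmetry is what "mirrored" Mix layers with a shared key buy, and it is why the proof can treat encryption and decryption with the same four quasi-random functions. The exhaustive AXU check returns exactly 2^{-8} for any x ≠ x' and any Δ because x ⊕ x' is invertible in the field, so exactly one key K satisfies K·(x ⊕ x') = Δ.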

13 How should we do it if m < n?
- Same basic strategy: tweak ECB, then add Mix layers
- Need to care about more "bad events"
- Mix cannot be a one-round Feistel

14 ENR for m < n
- Mix 1 is a keyed permutation G
- Mix 2 is a mirrored version of G (same key)
- The m-bit tweak is cut from an n-bit value, e.g., the leftmost m bits
[Figure: (P_L, P_R) → G → TE1, TE2 with m-bit tweaks cut from the state → mirrored G^{-1} → (C_L, C_R)]

15 Security Proof
- Condition of G: [formula on slide]
- Security of ENR for m < n: [formula on slide]

16 Concrete Example
- G is now a two-round irregular Feistel
- H is an AXU hash using field multiplication
- Security bound: [formula on slide]; O(2^{(n+m)/2})-security is obtained
[Figure: (P_L, P_R) → H1, H2 → TE1, TE2 with m-bit tweaks cut from an n-bit value (m and n-m bits) → H1, H2 → (C_L, C_R)]

17 Summary so far
- ENR
  - Security: O(2^{(n+m)/2})-security for any m < n+1
  - Efficiency: 2 calls of TC + some UHs; optimal within this setting

18 Challenging Next Step
- Our proof naturally requires a tweakable cipher with beyond-birthday-bound security. How to realize it?
  1. From scratch (Mercy, HPC, Threefish (in the Skein hash function), etc.): increasing attention, but still less popular
  2. Mode of operation, i.e., from n-bit block ciphers

19 However...
- Known modes have only up-to-birthday-bound security: LRW and (generalized) XEX [LRW02][Rog04][Min06]
- No matter how short the tweak is; 1 bit is enough to break using 2^{n/2} queries
[Figure: the LRW mode, E with an m-bit tweak T processed by H, n-bit block]

20 A Naive Solution
- Tweak-dependent rekeying (TDR)
- Simple, but never seriously investigated (to our knowledge)
[Figure: K = F_MK(T), where F is a PRF with m-bit input and |K|-bit output; C = E_K(M); security proof: [formula on slide]]

21 Analysis
- Basically, it is difficult to determine how large m is admissible (as the Adv_E term would be non-negligible)
- For the case of |K| = n:
  - When m is sufficiently smaller than n/2, it seems fairly secure (well beyond the birthday bound)
  - When m = n/2, a simple birthday attack is possible: search for a ciphertext collision due to a key collision
[Figure: two tweaks T1 ≠ T2 whose keys F_MK(T1), F_MK(T2) collide (prob. 1/2^n) give a ciphertext collision for E on 0^n and again on 1^n]

22 TDR for E (with an n-bit key)
- Limit m < n/2 (say, m = n/3)
- We can use E_MK as F_MK (via PRF-PRP switching); the security bound is: [formula on slide]
- Of course, still problematic: short tweak, frequent rekeying
[Figure: E keyed by E_MK(pad(T)), where the m-bit tweak T is padded to n bits]
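TDR of slides 20 to 22, as an added Python example that is not the paper's code: a toy 16-bit Feistel stands in for E, the tweak-dependent key is either a PRF output (slide 20) or E_MK(pad(T)) with zero-padding (slide 22; the padding rule is my assumption), and the collision counter measures the key-collision event of slide 21 over all 2^m tweaks against the birthday estimate C(2^m, 2)/2^n. All parameters and keys below are constructed for the example.

```python
import hashlib

# Toy parameters (constructed for this example): n = 16-bit block and key, m-bit tweaks.
N_BITS = 16
HALF = N_BITS // 2   # Feistel half-block width in bits (8)
ROUNDS = 4


def _round_fn(key, i, x):
    """Keyed round function of the toy Feistel cipher (a stand-in, not a real block cipher)."""
    d = hashlib.blake2b(bytes([i, x]), key=key.to_bytes(2, "big"), digest_size=1)
    return d.digest()[0]


def toy_encrypt(key, block):
    """E_K: 4-round balanced Feistel on a 16-bit block under a 16-bit key (toy)."""
    left, right = block >> HALF, block & 0xFF
    for i in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, i, right)
    return (right << HALF) | left  # undo the final swap


def toy_decrypt(key, block):
    """Inverse of toy_encrypt: same rounds, reversed order."""
    left, right = block >> HALF, block & 0xFF
    for i in reversed(range(ROUNDS)):
        left, right = right, left ^ _round_fn(key, i, right)
    return (right << HALF) | left


def prf_key_derivation(master, tweak):
    """F_MK(T) as a PRF with m-bit input and n-bit output (keyed BLAKE2b, truncated to 16 bits)."""
    d = hashlib.blake2b(tweak.to_bytes(4, "big"), key=master.to_bytes(2, "big"), digest_size=2)
    return int.from_bytes(d.digest(), "big")


def prp_key_derivation(master, tweak):
    """Slide 22's choice F_MK(T) = E_MK(pad(T)); pad = zero-extend the m-bit tweak (assumed)."""
    return toy_encrypt(master, tweak)  # tweak < 2^m <= 2^n, so it is already an n-bit block


def tdr_encrypt(master, tweak, block, derive=prf_key_derivation):
    """TDR: rekey E with K = F_MK(T), then encrypt one block."""
    return toy_encrypt(derive(master, tweak), block)


def tdr_decrypt(master, tweak, block, derive=prf_key_derivation):
    return toy_decrypt(derive(master, tweak), block)


def count_key_collisions(master, m_bits, derive):
    """Number of tweak pairs T1 != T2 among all 2^m tweaks whose derived keys coincide."""
    buckets = {}
    for t in range(1 << m_bits):
        buckets.setdefault(derive(master, t), []).append(t)
    return sum(len(ts) * (len(ts) - 1) // 2 for ts in buckets.values())


def expected_key_collisions(n_bits, m_bits):
    """Birthday estimate for a PRF F: C(2^m, 2) / 2^n colliding tweak pairs."""
    q = 1 << m_bits
    return q * (q - 1) / 2 / (1 << n_bits)


if __name__ == "__main__":
    master = 0xBEEF  # constructed master key
    print("expected (PRF):", expected_key_collisions(N_BITS, 14))
    print("observed (PRF):", count_key_collisions(master, 14, prf_key_derivation))
    print("observed (E_MK as F):", count_key_collisions(master, 14, prp_key_derivation))
```

With m = 14 and n = 16 the PRF variant produces roughly 2^{2m-n-1} ≈ 2048 colliding tweak pairs, while the E_MK variant produces none because a permutation never repeats an output on distinct inputs; that difference is exactly what the PRF-PRP switching term in slide 22's bound accounts for, and the quadratic growth of the collision count in 2^m is why the admissible tweak length has to stay well below n/2.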

23 Combining ENR and TDR
- Combining ENR and TDR is possible, but it is difficult to determine how large m is admissible (because of TDR's security proof)
- Bottom line: we need to develop a better one
- Note: based on a strong assumption on E, we can expect (ENR+TDR) to have O(2^{2n/3})-security by the choice m = n/3

24 Summary
- We built a 2n-bit cipher from (n,m)-bit tweakable ciphers
- ENR achieves O(2^{(n+m)/2})-security for any m <= n, and needs 2 TC calls and some UHs
- TDR: a way to convert an n-bit cipher into an (n,m)-bit TC
  - Only a proof of concept: subject to heavy limitations (both theoretical and practical)

25 Future Directions
- Better TC from an n-bit cipher without rekeying
- Extensions of ENR:
  - Large-block cipher (cn-bit for c > 2)
  - Make ENR tweakable: the basic solution is to use some modes with ENR; search for a more efficient way

26 Thank you!

27 Memo: Security of TDR & (ENR + TDR)
- Assume [formula on slide] (maybe this means "the most efficient attack is the exhaustive key search" (by assuming τ ~ q))
- Then TDR's bound implies [formula on slide]. Thus it is expected to have O(2^{n-m})-security.
- Combining this with ENR's bound, we obtain [formula on slide]. Ignoring the constant, this is maximized by the choice m = n/3 (the TDR exponent n-m and the ENR exponent (n+m)/2 coincide there, both equal to 2n/3). In this case the bound of (ENR+TDR) is O(q^2/2^{4n/3}), thus it has (based on the above assumption) O(2^{2n/3})-security.