We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.
At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.
The Traditional Authenticated Encryption (AE) scheme is a single-user cryptographic mechanism which only enables one designated verifier to authenticate the ciphertext. Although several group-oriented AE variants have also been proposed to eliminate such a limitation, they require shared verification. This motivated us to think of a scenario of three-party communication environments where each party runs independent processes without cooperation. In this paper, we realize a novel three-party AE (abbreviated to TPAE) scheme in which two designated verifiers can solely decrypt the same ciphertext and then inspect the validity of embedded signature. Additionally, we also show that our TPAE construction is computationally secure using the well-defined IND-CCA2 and the EF-CMA adversary games in the proof model of random oracles. The comparison results will demonstrate the computational efficiency of our mechanism.
Efficient Length Doubling From Tweakable Block Ciphers
