scholarly journals CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation

Author(s):  
Benoît Cogliati ◽  
Jordan Ethan ◽  
Virginie Lallemand ◽  
Byeonghak Lee ◽  
Jooyoung Lee ◽  
...  

In this work, we propose a construction of 2-round tweakable substitutionpermutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with ωn-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωκ-bit messages for any integer ω ≥ 2 using 5n + κ-bit keys and n-bit tweaks, providing 2n/3-bit security.Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced round AES block cipher as the underlying secret S-box. Extensivecryptanalysis of this algorithm allows us to claim 127 bits of security.Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.

Symmetry ◽  
2019 ◽  
Vol 11 (12) ◽  
pp. 1485
Author(s):  
Yasir Nawaz ◽  
Lei Wang

Designing a secure construction has always been a fascinating area for the researchers in the field of symmetric key cryptography. This research aimed to make contributions to the design of secure block cipher in the ideal cipher model whose underlying primitive is a family of n − b i t to n − b i t random permutations indexed by secret key. Our target construction of a secure block ciphers denoted as E [ s ] is built on a simple XOR operation and two block cipher invocations, under the assumptions that the block cipher in use is a pseudorandom permutation. One out of these two block cipher invocations produce a subkey that is derived from the secret key. It has been accepted that at least two block cipher invocations with XOR operations are required to achieve beyond birthday bound security. In this paper, we investigated the E [ s ] instances with the advanced proof technique and efficient block cipher constructions that bypass the birthday-bound up to 2 n provable security was achieved. Our study provided new insights to the block cipher that is beyond birthday bound security.


Author(s):  
Bart Mennink ◽  
Samuel Neves

AbstractSymmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. We first formalize the use of invariant cryptographic permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge construction. The security analyses exactly pinpoint how the presence of linear invariances affects the bounds compared with analyses in the random permutation model. As such, they give an exact indication how invariances can be exploited. From a practical side, we apply the derived security bounds to the case where the Even-Mansour construction is instantiated with the 512-bit ChaCha permutation, and derive a distinguishing attack against Even-Mansour-ChaCha in $$2^{128}$$ 2 128 queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in $$2^{50}$$ 2 50 queries), the 1024-bit CubeHash permutation (attack in $$2^{256}$$ 2 256 queries), and the 384-bit Gimli permutation without round constants (attack in $$2^{96}$$ 2 96 queries). The attacks do not invalidate the security of the permutations themselves, but rather they demonstrate the tightness of our bounds and confirm that care should be taken when employing a cryptographic primitive that has nontrivial linear invariances.


2018 ◽  
Vol 12 (4) ◽  
pp. 241-259
Author(s):  
Avik Chakraborti ◽  
Nilanjan Datta ◽  
Mridul Nandi

Abstract A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with {\ell} block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate {\ell^{\prime}} block outputs and show that at least {(\ell+\ell^{\prime}-1)} block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to {\ell^{\prime}} blocks only. If {\ell=\ell^{\prime}} , in order to achieve SPRP security, the mode requires at least {2\ell} many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least {2r-1} many and overall at least {2r\ell-1} many block-functions for {\ell} many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least {2r} non-linear block-functions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least {\ell} many block-function invocations to process an {\ell} block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than {\ell} or (ii) the number of extra non-linear block-functions required to generate the tag depends on {\ell} .


2005 ◽  
Vol 40 (5) ◽  
pp. 463-476 ◽  
Author(s):  
M Ciavarella ◽  
G Demelio ◽  
C Murolo

In this paper, a numerical algorithm is developed to solve the elastic contact problem accurately for two-dimensional rough surfaces. A first version of the method gives a full numerical solution for the discrete problem with all the details of the profile included, and the second version simulates approximately the roughness on a smaller scale with the presence of a non-linear elastic layer (as in the classical Winkler foundation model). In the literature, usually the solution of line contact is given by assuming displacements relative to a datum point, to overcome the difficulty that in two dimensions the displacements are undefined to an arbitrary constant. In the present work, the compliance matrix of the elastic half-plane is calculated starting from a self-equilibrated load distribution with periodic boundary conditions. Some examples are shown to validate the methods. Finally, the method is applied to discuss previous results by the present authors on rough contact problems defined by Weierstrass series profiles, and a discussion follows. In particular, it is found that the Winkler non-linear layer model is surprisingly useful for evaluating the electrical conductance, since (at least in the limited case of two superposed sinusoids) it does not require the wavelength and amplitude of the microscopic component of roughness to be much smaller than the macroscopic component. Some aspects of the mutual role of various components of roughness in the compliance and conductance are elucidated by means of example cases.


Author(s):  
Kamel Mohammed Faraoun

This paper proposes a semantically secure construction of pseudo-random permutations using second-order reversible cellular automata. We show that the proposed construction is equivalent to the Luby-Rackoff model if it is built using non-uniform transition rules, and we prove that the construction is strongly secure if an adequate number of iterations is performed. Moreover, a corresponding symmetric block cipher is constructed and analysed experimentally in comparison with popular ciphers. Obtained results approve robustness and efficacy of the construction, while achieved performances overcome those of some existing block ciphers.


Author(s):  
Yusuke Naito

PMAC is a rate-1, parallelizable, block-cipher-based message authentication code (MAC), proposed by Black and Rogaway (EUROCRYPT 2002). Improving the security bound is a main research topic for PMAC. In particular, showing a tight bound is the primary goal of the research, since Luykx et al.’s paper (EUROCRYPT 2016). Regarding the pseudo-random-function (PRF) security of PMAC, a collision of the hash function, or the difference between a random permutation and a random function offers the lower bound Ω(q2/2n) for q queries and the block cipher size n. Regarding the MAC security (unforgeability), a hash collision for MAC queries, or guessing a tag offers the lower bound Ω(q2m /2n + qv/2n) for qm MAC queries and qv verification queries (forgery attempts). The tight upper bound of the PRF-security O(q2/2n) of PMAC was given by Gaži et el. (ToSC 2017, Issue 1), but their proof requires a 4-wise independent masking scheme that uses 4 n-bit random values. Open problems from their work are: (1) find a masking scheme with three or less random values with which PMAC has the tight upper bound for PRF-security; (2) find a masking scheme with which PMAC has the tight upper bound for MAC-security.In this paper, we consider PMAC with two powering-up masks that uses two random values for the masking scheme. Using the structure of the powering-up masking scheme, we show that the PMAC has the tight upper bound O(q2/2n) for PRF-security, which answers the open problem (1), and the tight upper bound O(q2m /2n + qv/2n) for MAC-security, which answers the open problem (2). Note that these results deal with two-key PMACs, thus showing tight upper bounds of PMACs with single-key and/or with one powering-up mask are open problems.


Sign in / Sign up

Export Citation Format

Share Document