Constructing Tweakable Block Ciphers in the Random Permutation Model (slides hosted by SPMS, NTU)
Tweakable BC | Tweakable EM | Birthday Security | BBB Security | Conclusion

Constructing Tweakable Block Ciphers in the Random Permutation Model

Yannick Seurin (ANSSI, France)

September 30, 2015 — ASK 2015

Based on joint work with Benoît Cogliati and Rodolphe Lampe

Yannick Seurin · Constructing TBCs in the RPM · ASK 2015 · slide 1 / 36

Outline

• Background: Tweakable Block Ciphers
• Tweakable Even-Mansour Constructions
• Birthday-Bound Secure Constructions
• Beyond-Birthday-Bound Secure Constructions
• Conclusion and Perspectives

Tweakable Block Ciphers (TBCs)

[Figure: a TBC Ẽ takes the key k, the tweak t and the plaintext x, and outputs the ciphertext y.]

• tweak t: brings variability to the block cipher
• t assumed public or even adversarially controlled
• each tweak should give an "independent" permutation
• few "natively tweakable" BCs:
  • Hasty Pudding Cipher [Sch98]
  • Mercy [Cro00]
  • Threefish [FLS+10]
  • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher

Generic Constructions of TBCs: LRW

• A generic TBC construction turns a conventional block cipher E into a TBC Ẽ
• example: LRW construction by Liskov et al. [LRW02]

[Figure: Ẽ(k, k', t, x) = E_k(x ⊕ h_{k'}(t)) ⊕ h_{k'}(t); the same mask h_{k'}(t) is XORed before and after E_k.]

• h is XOR-universal, e.g. h_{k'}(t) = k' ⊗ t (field mult.)
• secure up to ∼ 2^{n/2} queries
• related construction XEX [Rog04] uses E_k(t) instead of h_{k'}(t) (used e.g. in the XTS disk encryption mode)

Other Generic Constructions

Constructions achieving beyond-birthday-bound security:
• Minematsu [Min09] (drawback: tweak length < n/2)
• Cascaded LRW [LST12, LS13] (drawback: larger key length and more block cipher calls)
• Mennink [Men15] (drawback: security proof needs the ideal cipher model)

Only LRW (or rather XEX) is used in practice (e.g. in the XTS disk encryption mode)


TBCs: Dedicated Designs

Our Goal: provide provable security guidelines to design TBCs "from scratch" (rather than from an existing conventional block cipher).
• "from scratch" → from some lower-level primitive
• from a PRF: Feistel schemes [GHL+07, MI08]
• this talk: SPN ciphers (more generally, key-alternating ciphers)

Key-Alternating Ciphers

[Figure: x ⊕ k_0 → P_1 → ⊕ k_1 → P_2 → ... → P_r → ⊕ k_r = y, where the round keys k_i = f_i(k) are derived from the master key k and all wires are n-bit.]

An r-round key-alternating cipher:
• the P_i's are public permutations on {0,1}^n
• the f_i's map k to n-bit "round keys"
• examples: most SPNs (AES, SERPENT, PRESENT, LED...)
• a.k.a. (iterated) Even-Mansour construction

Tweakable Even-Mansour Constructions

[Figure: the key-alternating cipher of the previous slide, but each round key is now f_i(k, t), a function of both the key k and the tweak t.]

• let the round keys depend on the key and the tweak t
• ⇒ "tweakable" Even-Mansour (TEM) construction(s)
• f_i's = "tweak and key schedule" (TKS)
• high-level abstraction of the TWEAKEY constructions [JNP14]
• analysis in the Random Permutation Model

The Random Permutation Model (RPM)

[Figure: the adversary makes q_c queries to the TEM construction (round keys f_i(k, t)) and q_p queries to each public permutation oracle P_1, ..., P_r.]

• the P_i's are modeled as public random permutation oracles (adversary can only make black-box queries)
• adversary cannot exploit any weakness of the P_i's ⇒ generic attacks
• complexity measure of the adversary:
  • q_c = # construction queries = pt/ct pairs (data D)
  • q_p = # queries to each internal permutation oracle (time T)
• but otherwise computationally unbounded
• ⇒ information-theoretic proof of security

Formalization of the Security Experiment

[Figure: real world: the distinguisher D makes q_c queries to the TEM construction and q_p queries to each of P_1, ..., P_r. Ideal world: D makes q_c queries to a random tweakable permutation P̃_0 and q_p queries to each of P_1, ..., P_r. In both worlds D outputs a bit 0/1.]

• real world: TEM construction with random master key k
• ideal world: random tweakable permutation P̃_0 independent from P_1, ..., P_r
• RPM: D has oracle access to P_1, ..., P_r in both worlds


First Try: One Round, Linear TKS

[Figure: 1-round TEM with linear TKS, y = P_1(x ⊕ k ⊕ t) ⊕ k ⊕ t.]

Attack: choose (t_1, x_1) and (t_2, x_2) with x_1 ⊕ x_2 = t_1 ⊕ t_2. Both queries enter P_1 at the same point u = x_1 ⊕ k ⊕ t_1 = x_2 ⊕ k ⊕ t_2, so with v = P_1(u):
  y_1 = v ⊕ k ⊕ t_1
  y_2 = v ⊕ k ⊕ t_2
Check that y_1 ⊕ y_2 = t_1 ⊕ t_2   (∗)

• 2 queries to the encryption oracle, 0 queries to P_1
• (∗) holds with proba. 1 for the TEM construction
• (∗) holds with proba. 2^{-n} for a random tweakable permutation
• works for any linear TKS

Second Try: Two Rounds, Linear TKS

[Figure: 2-round TEM with linear TKS, y = P_2(P_1(x ⊕ k ⊕ t) ⊕ k ⊕ t) ⊕ k ⊕ t. In the labels, u_1, v_1 are the input/output of P_1 and u_2, v_2 those of P_2 for the first query; primed values belong to the other queries.]

Attack:
  1. query y_1 = Ẽ(t_1, x_1) and y_2 = Ẽ(t_2, x_2) with x_1 ⊕ x_2 = t_1 ⊕ t_2: both reach P_1 at the same input u_1, so they share v_1 = P_1(u_1), and enter P_2 at u_2 = v_1 ⊕ k ⊕ t_1 and u'_2 = v_1 ⊕ k ⊕ t_2
  2. choose t_3, t_4 with t_1 ⊕ t_2 ⊕ t_3 ⊕ t_4 = 0 and query the decryption oracle on (t_3, y_3) with y_3 = y_1 ⊕ t_1 ⊕ t_3 and on (t_4, y_4) with y_4 = y_2 ⊕ t_2 ⊕ t_4: the masks cancel, so P_2^{-1} is evaluated at v_2 and v'_2 again, and both queries reach P_1^{-1} at the same point v'_1 = v_1 ⊕ t_1 ⊕ t_3 = v_1 ⊕ t_2 ⊕ t_4
  3. Check that x_3 ⊕ x_4 = t_3 ⊕ t_4   (∗)

• 4 queries to the enc/dec oracle, 0 queries to P_1, P_2
• (∗) holds with proba. 1 for the TEM construction
• (∗) holds with proba. 2^{-n} for a random tweakable permutation
• works for any linear TKS

Security for Three Rounds

[Figure: 3-round TEM with linear TKS: k ⊕ t is XORed before P_1, between P_1 and P_2, between P_2 and P_3, and after P_3.]

Theorem ([CS15, FP15]) The 3-round TEM with linear TKS is a strong tweakable PRP:
  Adv(q_c, q_p) ≤ 6 q_c q_p / 2^n + 4 q_c^2 / 2^n.

Proof sketch:
• adversary can create collisions at input of P_1 or output of P_3
• but proba. to create a collision at P_2 is ≲ q_c^2 / 2^n
• no collision at P_2 ⇒ ∼ single-key security of 1-round EM ≲ q_c q_p / 2^n

Tightness of the Bound

[Figure: the same 3-round TEM with linear TKS.]

• can be written Ẽ(k, t, x) = E(k ⊕ t, x) where E is the conventional 3-round EM cipher with trivial key-schedule
• ⇒ secure up to 2^{n/2} queries at best by a simple collision attack:
  1. query c_i = Ẽ_{k*}(t_i, 0) = E(k* ⊕ t_i, 0) for 2^{n/2} tweaks t_i
  2. compute c'_j = Ẽ_{k_j}(0, 0) = E(k_j, 0) for 2^{n/2} keys k_j
  3. look for a collision c_i = c'_j
  4. w.h.p., the real key is k* = t_i ⊕ k_j
• ⇒ increasing the number of rounds does not improve security

Question: construction with fewer permutations?

Back to LRW

• instantiate E with the 1-round Even-Mansour construction

[Figure: LRW with E replaced by 1-round EM: x ⊕ (k ⊗ t) ⊕ k' → P → ⊕ k' ⊕ (k ⊗ t) → y; the two xors on each side of P merge into a single mask (k ⊗ t) ⊕ k', and dropping k' gives the Non-Linear Tweakable Even-Mansour (NL-TEM) construction: x ⊕ (k ⊗ t) → P → ⊕ (k ⊗ t) → y]

• provably secure in the RPM up to ∼ $2^{n/2}$ queries [FP15, CLS15]:

  $\mathrm{Adv}(q_c, q_p) \le \frac{q_c^2}{2^n} + \frac{2\, q_c q_p}{2^n}.$

• t ≠ 0 ⇒ k' is superfluous (k ⊗ t is uniformly random for any t ≠ 0)

Birthday-Bound Security: Wrap-up

Two constructions provably secure up to the birthday bound:

1. linear TKS: [Figure: x ⊕ (k ⊕ t) → P1 → ⊕ (k ⊕ t) → P2 → ⊕ (k ⊕ t) → P3 → ⊕ (k ⊕ t) → y]
2. nonlinear TKS: [Figure: x ⊕ (k ⊗ t) → P → ⊕ (k ⊗ t) → y]

Question: Constructions secure beyond the birthday bound?

Outline

• Background: Tweakable Block Ciphers
• Tweakable Even-Mansour Constructions
• Birthday-Bound Secure Constructions
• Beyond-Birthday-Bound Secure Constructions (this section)
• Conclusion and Perspectives

Cascading the LRW Construction

[Figure: cascade of r LRW rounds from x to y; round i masks with k'_i ⊗ t around the block cipher E_{k_i}, for i = 1, …, r]

• k_1, …, k_r and k'_1, …, k'_r independent keys ⇒ total key-length = r(κ + n)
• 2 rounds: provably secure up to ∼ $2^{2n/3}$ queries [LST12]
• r rounds, r even: provably secure up to ∼ $2^{\frac{rn}{r+2}}$ queries [LS13]
• NB: only assuming E is a PRP (standard security notion, no ideal model)

Cascading the NL-TEM Construction

• k_1, k_2 independent n-bit keys

[Figure: 2-round NL-TEM from x to y: masks k_1 ⊗ t around P1, then k_2 ⊗ t around P2]

Theorem ([CLS15]). The 2-round NL-TEM construction is secure up to ∼ $2^{2n/3}$ queries in the RPM:

  $\mathrm{Adv}(q_c, q_p) \le \frac{34\, q_c^{3/2}}{2^n} + \frac{30\sqrt{q_c}\, q_p}{2^n}.$

Proof Technique: H-coefficients

[Figure: Real world: the distinguisher D makes q_c queries to the r-round NL-TEM construction (masks k_1 ⊗ t, …, k_r ⊗ t around P1, …, Pr, from x to y) and q_p queries to the public permutations P1, …, Pr. Ideal world: q_c queries to a random tweakable permutation $\widetilde{P}_0$ and q_p queries to P1, …, Pr.]

1. consider the transcript of all queries of D to the construction and to the inner permutations
2. define bad transcripts and show that their probability is small (in the ideal world)
3. show that good transcripts are almost as probable in the real and the ideal world

Bad Transcripts

• one needs to avoid "two-fold" collisions:

[Figure: 2-round NL-TEM with masks k_1 ⊗ t and k_2 ⊗ t; a construction query (t, x) → y passes through the P1 query (u1, v1) and the P2 query (u2, v2). A construction query (t, x) colliding with a permutation query at P1 and one at P2: probability ≤ $\frac{q_c\, q_p^2}{2^{2n}}$. A two-fold collision between construction queries (t, x) and (t', x'): probability ≤ $\frac{q_c^2}{2^{2n}}$.]

The Ten "Bad Collision" Cases

[Figure: the ten bad collision cases, drawn as collisions between construction queries (t, x) → (t, y), (t', x') → (t', y'), (t'', y'') and permutation queries (u1, v1), (u1', v1') at P1 and (u2, v2), (u2', v2') at P2]

Distribution of Good Transcripts

[Figure: partition of the transcript into the query sets Q_{U1}, Q_{V2}, Q_X, Q_Y and Q_0 for P1 and P2, with the inner values U1, V1, U2, V2 and their primed and tilde variants]

• assuming there are no bad collisions, show that the answers of the TEM construction are close to answers of a random tweakable permutation
• for each query, there is a "fresh" value of P1 or P2 which randomizes the output

Longer Cascades of the NL-TEM Construction

[Figure: r-round NL-TEM from x to y: masks k_1 ⊗ t around P1, k_2 ⊗ t around P2, …, k_r ⊗ t around Pr]

• r rounds, r even, with independent keys k_1, …, k_r: secure up to ∼ $2^{\frac{rn}{r+2}} = 2^{\frac{(r/2)\,n}{(r/2)+1}}$ queries
• proof:
  1. non-adaptive security for r/2 rounds (coupling technique)
  2. adaptive security for r rounds ("two weak make one strong" composition theorem)
• conjecture: secure up to ∼ $2^{\frac{rn}{r+1}}$ queries

BBB Security with a Linear TKS

• k_1, k_2 independent n-bit keys

[Figure: 4-round TEM with alternating linear TKS: x ⊕ (k_1 ⊕ t) → P1 → ⊕ (k_2 ⊕ t) → P2 → ⊕ (k_1 ⊕ t) → P3 → ⊕ (k_2 ⊕ t) → P4 → ⊕ (k_1 ⊕ t) → y]

Theorem (B. Cogliati, Y.S., AC 2015). The 4-round TEM with "alternating" linear TKS is secure up to ∼ $2^{2n/3}$ queries in the RPM.

Proof idea:
• exclude bad events related to P1 and P4
• "reduction" to 2-round NL-TEM security based on (P2, P3)
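An added Python example (mine, not the paper's or the authors' code) covering the constructions of slides 18, 22, 27 and 28: a generic TEM evaluator that takes the list of masks, the NL-TEM masks for a cascade of one-round instances (my reading of the diagrams, so the two masks between consecutive permutations merge), the alternating linear TKS of slide 28, and the field check behind the remark on slide 18 that k' is superfluous. The block size n = 8 with the AES polynomial and the random permutations are constructed choices; the LRW cascade of slide 21 is the same evaluator with E_{k_i} in place of P_i.

```python
import random

N = 8            # toy block size n; the constructions are defined for any n
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2) (the AES field)

def gf_mul(a, b):
    """Multiplication in GF(2^N) modulo POLY: the nonlinear TKS k ⊗ t."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

class RandomPermutation:
    """Constructed stand-in for a public random permutation (the RPM), with inverse."""
    def __init__(self, rng):
        self.fwd = list(range(1 << N))
        rng.shuffle(self.fwd)
        self.inv = [0] * (1 << N)
        for x, y in enumerate(self.fwd):
            self.inv[y] = x

def tem_encrypt(perms, masks, x):
    """Generic r-round TEM: y = m_r ⊕ P_r(… ⊕ m_1 ⊕ P_1(x ⊕ m_0) …), r + 1 masks."""
    assert len(masks) == len(perms) + 1
    s = x ^ masks[0]
    for p, m in zip(perms, masks[1:]):
        s = p.fwd[s] ^ m
    return s

def tem_decrypt(perms, masks, y):
    """Inverse of tem_encrypt: peel the masks and permutations off in reverse order."""
    s = y ^ masks[-1]
    for p, m in zip(reversed(perms), reversed(masks[:-1])):
        s = p.inv[s] ^ m
    return s

def nltem_masks(keys, t):
    """Cascade of r one-round NL-TEMs (slides 18, 22, 27): round i xors k_i ⊗ t before
    and after P_i, so the two masks between P_i and P_{i+1} merge into one."""
    outer = [gf_mul(k, t) for k in keys]
    inner = [outer[i] ^ outer[i + 1] for i in range(len(keys) - 1)]
    return [outer[0]] + inner + [outer[-1]]

def linear4_masks(k1, k2, t):
    """4-round TEM with alternating linear TKS (slide 28): the tweak stays in every mask
    (a plain cascade of one-round linear TEMs would cancel it in the inner masks)."""
    return [k1 ^ t, k2 ^ t, k1 ^ t, k2 ^ t, k1 ^ t]

def mask_is_uniform(t):
    """Slide 18: for fixed t ≠ 0, k ↦ k ⊗ t is a bijection of GF(2^N), so a uniform key
    gives a uniform mask and the extra LRW key k' adds nothing."""
    return len({gf_mul(k, t) for k in range(1 << N)}) == (1 << N)

def check_roundtrip(seed=2015):
    """Encrypt and decrypt every (t, x) under both constructions; True if all invert."""
    rng = random.Random(seed)
    P = [RandomPermutation(rng) for _ in range(4)]
    k1, k2 = rng.getrandbits(N), rng.getrandbits(N)
    for t in range(1 << N):
        nl, lin = nltem_masks([k1, k2], t), linear4_masks(k1, k2, t)
        for x in range(1 << N):
            if tem_decrypt(P[:2], nl, tem_encrypt(P[:2], nl, x)) != x:
                return False
            if tem_decrypt(P, lin, tem_encrypt(P, lin, x)) != x:
                return False
    return True

if __name__ == "__main__":
    print("round trips ok:", check_roundtrip())
    print("k ⊗ t uniform for t = 0x53:", mask_is_uniform(0x53), "for t = 0:", mask_is_uniform(0))
```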

Outline

• Background: Tweakable Block Ciphers
• Tweakable Even-Mansour Constructions
• Birthday-Bound Secure Constructions
• Beyond-Birthday-Bound Secure Constructions
• Conclusion and Perspectives (this section)

Conclusion

$2^{2n/3}$-secure constructions:

1. linear TKS: [Figure: x ⊕ (k_1 ⊕ t) → P1 → ⊕ (k_2 ⊕ t) → P2 → ⊕ (k_1 ⊕ t) → P3 → ⊕ (k_2 ⊕ t) → P4 → ⊕ (k_1 ⊕ t) → y]
2. nonlinear TKS: [Figure: x → masks k_1 ⊗ t around P1 → masks k_2 ⊗ t around P2 → y]

Open problems:
1. prove tight $2^{\frac{rn}{r+1}}$-security for r-round NL-TEM, r ≥ 3
2. propose a construction with linear TKS and security > $2^{2n/3}$
3. reduce key length for BBB-security

Link with the TWEAKEY Framework

• proposed by Jean, Nikolić, and Peyrin [JNP14]
• Superposition TWEAKEY (STK) constructions:

[Figure: STK construction from x to y: the tweakey (t, k) is processed by the functions f and g to derive the round masks xored into the state between the permutations P1, P2, …, Pr]

• sufficient conditions on f and g to have provable beyond-birthday-bound security in the RPM?
• NB: f = g linear does not work since $\widetilde{E}(k, t, x) = E(k \oplus t, x)$

The end...

Thanks for your attention! Comments or questions?

References

[CLS15] Benoît Cogliati, Rodolphe Lampe, and Yannick Seurin. Tweaking Even-Mansour Ciphers. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology - CRYPTO 2015 - Proceedings, Part I, volume 9215 of LNCS, pages 189–208. Springer, 2015. Full version available at http://eprint.iacr.org/2015/539.
[Cro00] Paul Crowley. Mercy: A Fast Large Block Cipher for Disk Sector Encryption. In Bruce Schneier, editor, Fast Software Encryption - FSE 2000, volume 1978 of LNCS, pages 49–63. Springer, 2000.
[CS15] Benoît Cogliati and Yannick Seurin. On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 - Proceedings, Part I, volume 9056 of LNCS, pages 584–613. Springer, 2015. Full version available at http://eprint.iacr.org/2015/069.
[FLS+10] Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash Function Family. SHA3 Submission to NIST (Round 3), 2010.
[FP15] Pooya Farshim and Gordon Procter. The Related-Key Security of Iterated Even-Mansour Ciphers. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of LNCS, pages 342–363. Springer, 2015. Full version available at http://eprint.iacr.org/2014/953.
[GHL+07] David Goldenberg, Susan Hohenberger, Moses Liskov, Elizabeth Crump Schwartz, and Hakan Seyalioglu. On Tweaking Luby-Rackoff Blockciphers. In Kaoru Kurosawa, editor, Advances in Cryptology - ASIACRYPT 2007, volume 4833 of LNCS, pages 342–356. Springer, 2007.
[JNP14] Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and Keys for Block Ciphers: The TWEAKEY Framework. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology - ASIACRYPT 2014 - Proceedings, Part II, volume 8874 of LNCS, pages 274–288. Springer, 2014.
[LRW02] Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable Block Ciphers. In Moti Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of LNCS, pages 31–46. Springer, 2002.
[LS13] Rodolphe Lampe and Yannick Seurin. Tweakable Blockciphers with Asymptotically Optimal Security. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of LNCS, pages 133–151. Springer, 2013.
[LST12] Will Landecker, Thomas Shrimpton, and R. Seth Terashima. Tweakable Blockciphers with Beyond Birthday-Bound Security. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012, volume 7417 of LNCS, pages 14–30. Springer, 2012. Full version available at http://eprint.iacr.org/2012/450.
[Men15] Bart Mennink. Optimally Secure Tweakable Blockciphers. In Gregor Leander, editor, Fast Software Encryption - FSE 2015, volume 9054 of LNCS, pages 428–448. Springer, 2015. Full version available at http://eprint.iacr.org/2015/363.
[MI08] Atsushi Mitsuda and Tetsu Iwata. Tweakable Pseudorandom Permutation from Generalized Feistel Structure. In Joonsang Baek, Feng Bao, Kefei Chen, and Xuejia Lai, editors, ProvSec 2008, volume 5324 of LNCS, pages 22–37. Springer, 2008.
[Min09] Kazuhiko Minematsu. Beyond-Birthday-Bound Security Based on Tweakable Block Cipher. In Orr Dunkelman, editor, Fast Software Encryption - FSE 2009, volume 5665 of LNCS, pages 308–326. Springer, 2009.
[Rog04] Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of LNCS, pages 16–31. Springer, 2004.
[Sch98] Richard Schroeppel. The Hasty Pudding Cipher. AES submission to NIST, 1998.