
Multi-user Security of the Elephant v2 Authenticated Encryption Mode

Conference paper in Selected Areas in Cryptography (SAC 2021), part of the book series Lecture Notes in Computer Science (LNCS, volume 13203).

Abstract

One of the finalists in the NIST Lightweight Cryptography competition is \(\mathsf {Elephant}\) v2, a parallelizable, permutation-based authenticated encryption scheme. The original first/second-round submission \(\mathsf {Elephant}\) v1/v1.1 was proven secure against nonce-respecting adversaries in the single-user setting. For the final round, the mode has undergone certain subtle modifications, the most important one being a change in the authentication portion of the mode. These changes require a new dedicated security proof.

In this work, we prove the security of the \(\mathsf {Elephant}\) v2 mode. First of all, our proof shows that \(\mathsf {Elephant}\) v2 is indeed a secure authenticated encryption scheme and that its security against nonce-respecting adversaries is on par with that of \(\mathsf {Elephant}\) v1/v1.1. In addition, our security analysis is in the multi-user setting and demonstrates that \(\mathsf {Elephant}\) v2 fares well if multiple devices use \(\mathsf {Elephant}\) v2 with independent keys. Moreover, our proof shows that \(\mathsf {Elephant}\) v2 even ensures authenticity under nonce misuse.


Notes

  1. In our application, the tweak space is of a specific form and cannot be conveniently expressed as a set of binary strings.

  2. As a matter of fact, in \(\mathsf {Elephant}\) v2, the nonce is smaller than the state size of the permutation and is appended with associated data bits. This does not change the overall argument.

  3. In the original analysis of \(\mathsf {MEM} \) [20] (that was about single-user security only), the mask involves a computation \(\mathsf {P}(K\Vert N)\) for nonce N. This not only complicates the values that have to be revealed; it also results in a larger view and hence a higher collision probability among tuples in the view.

References

  1. Banik, S., et al.: GIFT-COFB v1.1. Submission to NIST Lightweight Cryptography (2021)

  2. Beierle, C., et al.: Schwaemm and Esch: lightweight authenticated encryption and hashing using the Sparkle permutation family. Submission to NIST Lightweight Cryptography (2021)

  3. Beierle, C., et al.: Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symmetric Cryptol. 2020(S1), 208–261 (2020)

  4. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18

  5. Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10

  6. Bernstein, D.J.: How to stretch random functions: the security of protected counter sums. J. Cryptol. 12(3), 185–192 (1999)

  7. Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_10

  8. Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Elephant v1.1. Submission to NIST Lightweight Cryptography (2019)

  9. Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Dumbo, Jumbo, and Delirium: parallel authenticated encryption for the lightweight circus. IACR Trans. Symmetric Cryptol. 2020(S1), 5–30 (2020)

  10. Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Status update on Elephant. Note at NIST Lightweight Cryptography (2020)

  11. Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B.: Elephant v2. Submission to NIST Lightweight Cryptography (2021)

  12. Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)

  13. Chen, S., Steinberger, J.P.: Tight security bounds for key-alternating ciphers. In: Nguyen and Oswald [25], pp. 327–350

  14. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. IACR Trans. Symmetric Cryptol. 2020(S1), 60–87 (2020)

  15. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R., Mella, S.: Xoodyak, a lightweight cryptographic scheme. Submission to NIST Lightweight Cryptography (2021)

  16. Daemen, J., Mennink, B., Van Assche, G.: Full-state keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_21

  17. Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020)

  18. Dobraunig, C., et al.: ISAP v2. Submission to NIST Lightweight Cryptography (2021)

  19. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to NIST Lightweight Cryptography (2021)

  20. Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 263–293. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_11

  21. Khairallah, M.: Weak keys in the rekeying paradigm: application to COMET and mixFeed. IACR Trans. Symmetric Cryptol. 2019(4), 272–289 (2019)

  22. Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_20

  23. Luykx, A., Preneel, B., Tischhauser, E., Yasuda, K.: A MAC mode for lightweight block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 43–59. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_3

  24. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen and Oswald [25], pp. 257–274 (2014). https://doi.org/10.1007/978-3-642-55220-5_15

  25. Nguyen, P.Q., Oswald, E. (eds.): EUROCRYPT 2014. LNCS, vol. 8441. Springer, Heidelberg (2014)

  26. NIST: Lightweight Cryptography, February 2019. https://csrc.nist.gov/Projects/Lightweight-Cryptography

  27. Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

  28. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_24

  29. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)

Acknowledgments

This work was supported in part by the Research Council KU Leuven: GOA TENSE (C16/15/058). Tim Beyne and Yu Long Chen are supported by a Ph.D. Fellowship from the Research Foundation - Flanders (FWO). Christoph Dobraunig is supported by the Austrian Science Fund (FWF): J 4277-N38. Bart Mennink is supported by the Netherlands Organisation for Scientific Research (NWO) under grant VI.Vidi.203.099.

Corresponding author: Bart Mennink.
A  Proof of Theorem 1 (on SiM)

The proof closely follows Granger et al. [20], just like that of Beyne et al. [9] did, and is performed using the H-coefficient technique [13, 27]. The main difference is that we consider multi-user security, where the adversary can query \(\mu \ge 1\) construction oracles.

Let \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\), \(\mathsf {P}\xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(n)\), and \(\widetilde{\pi }_1,\ldots ,\widetilde{\pi }_\mu \xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(\mathcal {T},n)\), where \(\mathcal {T}\) is \(2^{-\alpha }\)-proper with respect to LFSRs \((\varphi _1,\ldots ,\varphi _z)\). Consider a computationally unbounded adversary \(\mathcal {A}\) that tries to distinguish \(\mathcal {O} := ((\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu ,\mathsf {P}^{\pm })\) from \(\mathcal {P} := ((\widetilde{\pi }_j)_{j=1}^\mu ,\mathsf {P}^{\pm })\). Without loss of generality, we can consider it to be deterministic: for any probabilistic adversary there exists a deterministic one that has at least the same success probability. The interaction of \(\mathcal {A}\) with its oracle (\(\mathcal {O}\) or \(\mathcal {P}\)) is gathered in a view \(\nu \). Denote by \(D_{\mathcal {O}}\) (resp., \(D_{\mathcal {P}}\)) the probability distribution of views in interaction with \(\mathcal {O}\) (resp., \(\mathcal {P}\)). Denote by \(\mathcal {V}\) the set of “attainable views”, i.e., views \(\nu \) such that \(\mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) >0\).

Lemma 1 (H-coefficient technique)

Consider a partition \(\mathcal {V}=\mathcal {V}_{\mathrm {good}}\cup \mathcal {V}_{\mathrm {bad}}\) of the set of views into “good” and “bad” views. Let \(\varepsilon \in [0,1]\) be such that \(\frac{\mathbf {Pr}\left( D_{\mathcal {O}}=\nu \right) }{\mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) } \ge 1-\varepsilon \) for all \(\nu \in \mathcal {V}_{\mathrm {good}}\). Then,

$$\begin{aligned} \varDelta _{\mathcal {A}}\left( \mathcal {O}\;;\;\mathcal {P}\right) \le \varepsilon + \mathbf {Pr}\left( D_{\mathcal {P}}\in \mathcal {V}_{\mathrm {bad}}\right) \,. \end{aligned}$$
(19)

For a view \(\nu = \{(x_1,y_1),\ldots ,(x_q,y_q)\}\) consisting of q input/output tuples, we denote by \(\mathcal {O}\vdash \nu \) the event that oracle \(\mathcal {O}\) satisfies \(\mathcal {O}(x_i)=y_i\) for all \(i\in \{1,\ldots ,q\}\).

The remainder of the proof is structured as follows. We specify the views of an adversary in Sect. A.1 and define the bad views in Sect. A.2. The probability of bad views is analyzed in Sect. A.3 and the probability ratio for good views is considered in Sect. A.4. Section A.5 concludes the proof.

A.1  Views

The adversary can make q construction queries to \((\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu \) or \((\widetilde{\pi }_j)_{j=1}^\mu \), all in the forward direction only. Each such query is made for a user index \(j_i\in \{1,\ldots ,\mu \}\), a tweak \(\bar{a}_i=(a_1,\ldots ,a_z)_i\), and a message input \(M_i\), and results in an output \(C_i\). The q queries are summarized in a view

$$\begin{aligned} \nu _c = \{(j_1,\bar{a}_1,M_1,C_1),\ldots ,(j_q,\bar{a}_q,M_q,C_q)\}\,. \end{aligned}$$

The adversary can make p primitive queries to \(\mathsf {P}^{\pm }\), and these are likewise summarized in a view

$$\begin{aligned} \nu _p = \{(X_1,Y_1),\ldots ,(X_p,Y_p)\}\,. \end{aligned}$$

After the conversation of \(\mathcal {A}\) with its oracle, but before it makes its final decision, we reveal the key material used in the interaction. This can be done without loss of generality; it only improves the adversarial success probability. The first values that are revealed are the values \(K_1,\ldots ,K_\mu \). In the real world, these are the keys \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) that are actually used by the construction oracle; in the ideal world, these are dummy keys \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\). The second values that are revealed are the values \(L_1,\ldots ,L_\mu \in \{0,1\}^{n}\). In the real world, these are the values \(L_j=\mathsf {P}(K_j\Vert 0^{n-k})\) for \(j=1,\ldots ,\mu \); in the ideal world, these are dummy keys \(L_1,\ldots ,L_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) (see Note 3). The revealed data is summarized in a view

$$\begin{aligned} \nu _k = \{(K_1,L_1),\ldots ,(K_\mu ,L_\mu )\}. \end{aligned}$$

(Note that in the single-user setting, where \(\mu =1\), \(\nu _k\) is a singleton.) The complete view is defined as \(\nu =(\nu _c,\nu _p,\nu _k)\). We assume that the adversary never makes any duplicate query, hence \(\nu _c\) and \(\nu _p\) contain no duplicate elements.

A.2  Definition of Good and Bad Views

In the real world, all tuples in \(\nu _p\) define exactly one input-output pair for \(\mathsf {P}\). Likewise, the tuples in \(\nu _k\) are input-output pairs for \(\mathsf {P}\). Using these tuples, one can observe that any tuple \((j_i,\bar{a}_i,M_i,C_i)\in \nu _c\) also defines an input-output pair for \(\mathsf {P}\), namely

$$\begin{aligned} \left( M_i \oplus \bar{\varphi }^{\bar{a}_i}(L_{j_i}), C_i \oplus \bar{\varphi }^{\bar{a}_i}(L_{j_i})\right) , \end{aligned}$$

see (7), where we define \(\bar{\varphi }^{\bar{a}_i}:=\varphi _z^{{a_z}_i}\circ \cdots \circ \varphi _1^{{a_1}_i}\) for brevity. If among all these \(q+p+\mu \) input-output pairs defined by \(\nu \), there are two that have colliding input or output values, we consider \(\nu \) to be a bad view. Formally, \(\nu \) is called “bad” if one of the following conditions is satisfied, where we recall that the user index j in a tuple in \(\nu _c\) determines which key tuple from \(\nu _k\) has to be used:

$$\begin{aligned} \mathrm {bad}_{c,c}:\;\;&\text {for some distinct } (j,\bar{a},M,C),(j',\bar{a}',M',C')\in \nu _c{:}\\&\bar{\varphi }^{\bar{a}}(L_j) \oplus \bar{\varphi }^{\bar{a}'}(L_{j'}) \in \{M \oplus M', C\oplus C' \},\\ \mathrm {bad}_{c,p}:\;\;&\text {for some } (j,\bar{a},M,C)\in \nu _c \text { and }(X,Y)\in \nu _p{:}\\&\bar{\varphi }^{\bar{a}}(L_j) \in \{M \oplus X, C\oplus Y\},\\ \mathrm {bad}_{c,k}:\;\;&\text {for some } (j,\bar{a},M,C)\in \nu _c \text { and } (K,L)\in \nu _k{:}\\&\bar{\varphi }^{\bar{a}}(L_j) \in \{M \oplus K\Vert 0^{n-k}, C\oplus L\},\\ \mathrm {bad}_{p,k}:\;\;&\text {for some }(X,Y)\in \nu _p \text { and }(K,L)\in \nu _k{:}\\&X=K\Vert 0^{n-k} \text { or } Y=L,\\ \mathrm {bad}_{k,k}:\;\;&\text {for some distinct }(K,L),(K',L')\in \nu _k{:}\\&K=K' \text { or } L=L'. \end{aligned}$$

We write \(\mathrm {bad}=\mathrm {bad}_{c,c}\vee \mathrm {bad}_{c,p}\vee \mathrm {bad}_{c,k}\vee \mathrm {bad}_{p,k}\vee \mathrm {bad}_{k,k}\).

The definition of bad events differs from the single-user analysis of Beyne et al. [9] in the adjustment of the bad events \(\mathrm {bad}_{c,k}\) and \(\mathrm {bad}_{p,k}\) and the addition of the bad event \(\mathrm {bad}_{k,k}\). The events \(\mathrm {bad}_{c,k}\) and \(\mathrm {bad}_{p,k}\) have been adjusted because construction or permutation queries may now collide with any of the \(\mu \) key tuples. The new bad event \(\mathrm {bad}_{k,k}\) comes from the fact that different key tuples might collide with each other.

A.3  Probability of Bad View in Ideal World

Our goal is to bound \(\mathbf {Pr}\left( D_{\mathcal {P}}\in \mathcal {V}_{\mathrm {bad}}\right) \), the probability of a bad view in the ideal world \(\mathcal {P}=((\widetilde{\pi }_j)_{j=1}^\mu ,\mathsf {P}^{\pm })\). For brevity, denote by \(D_{\mathcal {P}}\propto \mathrm {bad}\) the event that \(D_{\mathcal {P}}\) satisfies \(\mathrm {bad}\). By the union bound,

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}\right)&= \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,c}\vee \mathrm {bad}_{c,p}\vee \mathrm {bad}_{c,k}\vee \mathrm {bad}_{p,k}\vee \mathrm {bad}_{k,k}\right) \nonumber \\&\le \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,c}\right) + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,p}\right) + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,k}\right) \nonumber \\&+\, \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{p,k}\right) + \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{k,k}\right) . \end{aligned}$$
(20)

We will analyze the five probabilities separately, thereby noticing that (i) \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and \(L_1,\ldots ,L_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) are random variables in the ideal world, and (ii) as the adversary only makes forward construction queries, each tuple \((j,\bar{a},M,C)\in \nu _c\) satisfies that C is randomly drawn from a set of size at least \(2^n-q\).

Event \(\mathrm {bad}_{c,c}\). For \(\mathrm {bad}_{c,c}\), let \((j,\bar{a},M,C),(j',\bar{a}',M',C')\in \nu _c\) be any two distinct tuples. If \(j=j'\) and \(\bar{a}=\bar{a}'\), then necessarily \(M\ne M'\) and \(C\ne C'\), and \(\mathrm {bad}_{c,c}\) holds with probability 0. Otherwise, if \(j=j'\) but \(\bar{a}\ne \bar{a}'\), we can deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 2 of Definition 1, that event \(\mathrm {bad}_{c,c}\) holds with probability at most \(2/2^{\alpha }\). Finally, if \(j\ne j'\), the subkeys \(L_j,L_{j'}\) are independent and we can likewise deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 1 of Definition 1, that event \(\mathrm {bad}_{c,c}\) holds with probability at most \(2/2^{\alpha }\). Thus, summing over all \({q\atopwithdelims ()2}\) possible choices of queries,

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,c}\right) \le \frac{q(q-1)}{2^{\alpha }}. \end{aligned}$$

Event \(\mathrm {bad}_{c,p}\). For \(\mathrm {bad}_{c,p}\), let \((j,\bar{a},M,C)\in \nu _c\) and \((X,Y)\in \nu _p\) be any two tuples. We can deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 1 of Definition 1, that event \(\mathrm {bad}_{c,p}\) holds with probability at most \(2/2^{\alpha }\). Thus, summing over all qp possible choices of queries,

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,p}\right) \le \frac{2qp}{2^{\alpha }}. \end{aligned}$$

Event \(\mathrm {bad}_{c,k}\). For \(\mathrm {bad}_{c,k}\), let \((j,\bar{a},M,C)\in \nu _c\) and \((K,L)\in \nu _k\) be any two tuples. We consider the two equations of \(\mathrm {bad}_{c,k}\) separately. For the first equation,

$$\begin{aligned} \bar{\varphi }^{\bar{a}}(L_j) = M \oplus K\Vert 0^{n-k}, \end{aligned}$$

we will use that \(L_j\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) is a randomly generated value independent of K. We can deduce from \(2^{-\alpha }\)-properness of \(\mathcal {T}\), namely property 1 of Definition 1, that this equation holds with probability at most \(1/2^{\alpha }\).

For the second equation,

$$\begin{aligned} \bar{\varphi }^{\bar{a}}(L_j) = C\oplus L, \end{aligned}$$

it might be that \(L=L_j\), and we cannot rely on Definition 1. Instead, we will use that all construction queries are made in the forward direction, and that C is randomly drawn from a set of size at least \(2^n-q\) elements. The above equation thus holds with probability at most \(1/(2^n-q)\).

Thus, summing over all \(\mu q\) possible choices of queries,

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{c,k}\right) \le \frac{\mu q}{2^{\alpha }} + \frac{\mu q}{2^n-q}. \end{aligned}$$

Event \(\mathrm {bad}_{p,k}\). For \(\mathrm {bad}_{p,k}\), let \((X,Y)\in \nu _p\) and \((K,L)\in \nu _k\) be any two tuples. As \(K\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and \(L\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) are uniformly random, the two tuples satisfy \(\mathrm {bad}_{p,k}\) with probability at most \(1/2^k + 1/2^n\). Thus, summing over all \(\mu p\) possible choices of queries,

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{p,k}\right) \le \frac{\mu p}{2^k} + \frac{\mu p}{2^n}. \end{aligned}$$

Event \(\mathrm {bad}_{k,k}\). For \(\mathrm {bad}_{k,k}\), let \((K,L),(K',L')\in \nu _k\) be any two distinct tuples. As \(K,K'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\) and \(L,L'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) are uniformly random and independent, the two tuples satisfy \(\mathrm {bad}_{k,k}\) with probability at most \(1/2^k + 1/2^n\). Thus, summing over all \({\mu \atopwithdelims ()2}\) possible choices of key tuples,

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}_{k,k}\right) \le \frac{\mu (\mu -1)}{2^{k+1}} + \frac{\mu (\mu -1)}{2^{n+1}}. \end{aligned}$$

Conclusion. Combining the five bounds in (20), we obtain:

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}\right) \le \frac{q^2 + 2qp + (\mu -1)q}{2^{\alpha }} + \frac{\mu \cdot (2q + p + \frac{\mu -1}{2})}{2^n} + \frac{\mu \cdot (p + \frac{\mu -1}{2})}{2^k}, \end{aligned}$$
(21)

using that \(2^n-q\ge 2^{n-1}\).
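The arithmetic that turns the five individual bounds above into (21), written out as an added step that is not part of the original appendix; all symbols are the paper's own:

```latex
$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}\propto \mathrm {bad}\right) \le&\; \frac{q(q-1)}{2^{\alpha }} + \frac{2qp}{2^{\alpha }} + \frac{\mu q}{2^{\alpha }} + \frac{\mu q}{2^n-q} + \frac{\mu p}{2^k} + \frac{\mu p}{2^n} + \frac{\mu (\mu -1)}{2^{k+1}} + \frac{\mu (\mu -1)}{2^{n+1}}\\ \le&\; \frac{q^2 - q + 2qp + \mu q}{2^{\alpha }} + \frac{2\mu q + \mu p + \frac{\mu (\mu -1)}{2}}{2^n} + \frac{\mu p + \frac{\mu (\mu -1)}{2}}{2^k}\\ =&\; \frac{q^2 + 2qp + (\mu -1)q}{2^{\alpha }} + \frac{\mu \cdot (2q + p + \frac{\mu -1}{2})}{2^n} + \frac{\mu \cdot (p + \frac{\mu -1}{2})}{2^k}, \end{aligned}$$

% The first line is the sum of the five bounds for bad_{c,c}, bad_{c,p}, bad_{c,k}, bad_{p,k}, bad_{k,k}.
% The second inequality only replaces \(\frac{\mu q}{2^n-q}\) by \(\frac{2\mu q}{2^n}\), using \(2^n-q\ge 2^{n-1}\),
% and groups the terms by denominator; the last line is exactly (21).
```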

A.4  Probability Ratio for Good Views

Consider any good view \(\nu \in \mathcal {V}_{\mathrm {good}}\). We will prove the inequality \(\mathbf {Pr}\left( D_{\mathcal {O}}=\nu \right) \ge \mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) \). The proof is a direct generalization of that of Granger et al. [20], noting that in our case, we consider multi-user security. The proof is included for completeness.

Real World. In the real world \(\mathcal {O} = ((\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu ,\mathsf {P}^{\pm })\), goodness of the view means that \(\nu =(\nu _c,\nu _p,\nu _k)\) defines exactly \(q+p+\mu \) input-output pairs for \(\mathsf {P}\), and no two of them collide on the input or output, and \(\nu _k\) consists of random values \(K_1,\ldots ,K_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\). Therefore, we obtain:

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {O}}=\nu \right) =&\;\mathbf {Pr}\left( K'_1,\ldots ,K'_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k} \;:\; K'_1=K_1 \wedge \cdots \wedge K'_\mu =K_\mu \right) \cdot \nonumber \\&\;\mathbf {Pr}\left( \mathsf {P}\xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(n) \;:\; (\widetilde{\mathsf {E}}_{K_j}^{\mathsf {P}})_{j=1}^\mu \vdash \nu _c \wedge \mathsf {P}\vdash \nu _p \wedge \mathsf {P}\vdash \nu _k \right) \nonumber \\ =&\;\frac{1}{2^{k\mu }}\cdot \frac{(2^n-(q+p+\mu ))!}{2^n!}. \end{aligned}$$
(22)

Ideal World. In the ideal world \(\mathcal {P} = ((\widetilde{\pi }_j)_{j=1}^\mu ,\mathsf {P}^{\pm })\), the view \(\nu =(\nu _c,\nu _p,\nu _k)\) consists of three lists of independent tuples: \(\nu _c\) defines exactly q input-output pairs for \(\widetilde{\pi }_j\), \(\nu _p\) defines exactly p input-output pairs for \(\mathsf {P}\), and \(\nu _k\) consists of \(\mu \) random tuples \((K_1,L_1),\ldots ,(K_\mu ,L_\mu )\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k}\times \{0,1\}^{n}\). For counting, it is convenient to group the tuples in \(\nu _c\) depending on the user index j and tweak value \(\bar{a}\). For \(J\in \{1,\ldots ,\mu \}\) and \(T\in \mathcal {T}\), define

$$\begin{aligned} q_{J,T} = \left| \{ (j,\bar{a},M,C)\in \nu _c \mid j=J \wedge \bar{a}=T \}\right| , \end{aligned}$$

where \(\sum _{(J,T)\in \{1,\ldots ,\mu \}\times \mathcal {T}} q_{J,T} = q\). We obtain:

$$\begin{aligned} \mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) =&\;\mathbf {Pr}\left( K'_1,\ldots ,K'_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{k} \;:\; K'_1=K_1 \wedge \cdots \wedge K'_\mu =K_\mu \right) \cdot \nonumber \\&\;\mathbf {Pr}\left( L'_1,\ldots ,L'_\mu \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n} \;:\; L'_1=L_1 \wedge \cdots \wedge L'_\mu =L_\mu \right) \cdot \nonumber \\&\;\mathbf {Pr}\left( \widetilde{\pi }_1,\ldots ,\widetilde{\pi }_\mu \xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(\mathcal {T},n) \;:\; (\widetilde{\pi }_j)_{j=1}^\mu \vdash \nu _c\right) \cdot \nonumber \\&\;\mathbf {Pr}\left( \mathsf {P}\xleftarrow {{\scriptscriptstyle \$}}\mathrm {perm}(n) \;:\; \mathsf {P}\vdash \nu _p\right) \nonumber \\ =&\;\frac{1}{2^{(k+n)\mu }}\cdot \prod _{\begin{array}{c} J\in \{1,\ldots ,\mu \}\\ T\in \mathcal {T} \end{array}}\frac{(2^n-q_{J,T})!}{2^n!}\cdot \frac{(2^n-p)!}{2^n!}\nonumber \\ =&\;\frac{1}{2^{k\mu }}\cdot \left( \frac{(2^n-1)!}{2^n!}\right) ^\mu \cdot \prod _{\begin{array}{c} J\in \{1,\ldots ,\mu \}\\ T\in \mathcal {T} \end{array}}\frac{(2^n-q_{J,T})!}{2^n!}\cdot \frac{(2^n-p)!}{2^n!}\nonumber \\ \le&\;\frac{1}{2^{k\mu }}\cdot \frac{(2^n-(q+p+\mu ))!}{2^n!}, \end{aligned}$$
(23)

using that for any \(\sigma +\tau \le 2^n\) we have \(\frac{(2^n-\sigma )!}{2^n!}\cdot \frac{(2^n-\tau )!}{2^n!}\le \frac{(2^n-(\sigma +\tau ))!}{2^n!}\).
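A short proof of the inequality invoked in the last step of (23), followed by its application to the product in (23). This is an added worked step, not part of the original appendix; the abbreviation \(N:=2^n\) is introduced here for readability only.

```latex
Let \(N:=2^n\) and \(\sigma +\tau \le N\). Writing each factorial ratio as a falling product,
$$\begin{aligned} \frac{(N-\sigma )!}{N!}\cdot \frac{(N-\tau )!}{N!} =&\; \frac{1}{\prod _{i=0}^{\sigma -1}(N-i)}\cdot \frac{1}{\prod _{i=0}^{\tau -1}(N-i)}\\ \le&\; \frac{1}{\prod _{i=0}^{\sigma -1}(N-i)}\cdot \frac{1}{\prod _{i=0}^{\tau -1}(N-\sigma -i)} = \frac{(N-(\sigma +\tau ))!}{N!}, \end{aligned}$$
% The inequality holds termwise: \(N-i\ge N-\sigma -i\ge N-\sigma -\tau +1\ge 1\) for \(0\le i\le \tau -1\).

In (23) the factors are \(\frac{(N-1)!}{N!}\) (\(\mu \) times), \(\frac{(N-q_{J,T})!}{N!}\) for each \((J,T)\in \{1,\ldots ,\mu \}\times \mathcal {T}\), and \(\frac{(N-p)!}{N!}\). Their \(\sigma \)-values sum to \(\mu +\sum _{J,T}q_{J,T}+p=\mu +q+p\le N\), so applying the inequality one factor at a time (every partial sum stays below \(\mu +q+p\)) gives
$$\begin{aligned} \left( \frac{(N-1)!}{N!}\right) ^\mu \cdot \prod _{\begin{array}{c} J\in \{1,\ldots ,\mu \}\\ T\in \mathcal {T} \end{array}}\frac{(N-q_{J,T})!}{N!}\cdot \frac{(N-p)!}{N!} \le \frac{(N-(q+p+\mu ))!}{N!}, \end{aligned}$$
% Multiplying both sides by \(\frac{1}{2^{k\mu }}\) yields the last line of (23);
% the equality \(\frac{1}{2^{(k+n)\mu }}=\frac{1}{2^{k\mu }}\cdot \left( \frac{(N-1)!}{N!}\right) ^\mu \) used before it is just \(\frac{(N-1)!}{N!}=\frac{1}{N}\).
```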

Conclusion. Combining (22) and (23), we obtain that for any good view \(\nu \in \mathcal {V}_{\mathrm {good}}\):

$$\begin{aligned} \frac{\mathbf {Pr}\left( D_{\mathcal {O}}=\nu \right) }{\mathbf {Pr}\left( D_{\mathcal {P}}=\nu \right) } \ge 1. \end{aligned}$$
(24)

A.5  Conclusion

By the H-coefficient technique (Lemma 1), we directly obtain from (21) and (24):

$$\begin{aligned} \mathbf {Adv}_{\widetilde{\mathsf {E}}}^{\mathrm {\mu \text {-}tprp}}(\mathcal {A}) \le 0 + \frac{q^2 + 2qp + (\mu -1)q}{2^{\alpha }} + \frac{\mu \cdot (2q + p + \frac{\mu -1}{2})}{2^n} + \frac{\mu \cdot (p + \frac{\mu -1}{2})}{2^k}. \end{aligned}$$

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Beyne, T., Chen, Y.L., Dobraunig, C., Mennink, B. (2022). Multi-user Security of the Elephant v2 Authenticated Encryption Mode. In: AlTawy, R., Hülsing, A. (eds) Selected Areas in Cryptography. SAC 2021. Lecture Notes in Computer Science, vol 13203. Springer, Cham. https://doi.org/10.1007/978-3-030-99277-4_8

  • DOI: https://doi.org/10.1007/978-3-030-99277-4_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-99276-7

  • Online ISBN: 978-3-030-99277-4