Abstract
Block-cipher-based authenticated encryption has obtained considerable attention from the ongoing CAESAR competition. While the focus of CAESAR resides primarily on nonce-based authenticated encryption, Deterministic Authenticated Encryption (DAE) is used in domains such as key wrap, where the available message entropy motivates to omit the overhead for nonces. Since the highest possible security is desirable when protecting keys, beyond-birthday-bound (BBB) security is a valuable goal for DAE. In the past, significant efforts had to be invested into designing BBB-secure AE schemes from conventional block ciphers, with the consequences of losing efficiency and sophisticating security proofs.
This work proposes Deterministic Counter in Tweak (DCT), a BBB-secure DAE scheme inspired by the Counter-in-Tweak encryption scheme by Peyrin and Seurin. Our design combines a fast \(\epsilon \)-almost-XOR-universal family of hash functions, for \(\epsilon \) close to \(2^{-2n}\), with a single call to a 2n-bit SPRP, and a BBB-secure encryption scheme. First, we describe our construction generically with three independent keys, one for each component. Next, we present an efficient instantiation which (1) requires only a single key, (2) provides software efficiency by encrypting at less than two cycles per byte on current x64 processors, and (3) produces only the minimal \(\tau \)-bit stretch for \(\tau \) bit authenticity. We leave open two minor aspects for future work: our current generic construction is defined for messages of at least \(2n-\tau \) bits, and the verification algorithm requires the inverse of the used 2n-bit SPRP and the encryption scheme.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Note that encoding redundancy into \(M_R\) would require a chosen-ciphertext-secure encryption scheme \(\varPi \).
- 2.
\(F: \mathcal {X} \rightarrow \mathcal {Y} \) is called regular iff all outputs \(Y \in \mathcal {Y} \) are produced by an equal number of preimages \(X \in \mathcal {X} \).
References
Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015)
Badertscher, C., Matt, C., Maurer, U., Rogaway, P., Tackmann, B.: Robust authenticated encryption and the limits of symmetric cryptography. In: Groth, J., et al. (eds.) IMACC 2015. LNCS, vol. 9496, pp. 112–129. Springer, Heidelberg (2015). doi:10.1007/978-3-319-27239-9_7
Bellare, M., Anand Desai, E., Jokipii, P.R.: A Concrete Security Treatment of Symmetric Encryption. In: FOCS, pp. 394–403. Springer, 1997
Bellare, M., Rogaway, P.: Encode-Then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)
Bernstein, D.J.: Polynomial evaluation and message authentication (2007). http://cr.yp.to/papers, permanent ID:b1ef3f2d385a926123e1517392e20f8c, 2
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Using Keccak technology for AE: Ketje, Keyak and more. In: SHA-3 2014 Workshop, UC Santa Barbara, 22 August 2014
Boesgaard, M., Christensen, T., Zenner, E.: Badger – a fast and provably secure MAC. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 176–191. Springer, Heidelberg (2005)
Carter, L., Wegman, N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
Chakraborty, Debrup, Mancillas-López, Cuauhtemoc, Sarkar, Palash: Disk Encryption: Do We Need to Preserve Length? IACR Cryptology ePrint Archive 2015:594 (2015)
Chakraborty, D., Sarkar, P.: On modes of operations of a block cipher for authentication and authenticated encryption. Cryptography and Communications, pp. 1–57 (2015)
Coron, J.-S., Dodis, Y., Mandal, A., Seurin, Y.: A domain extender for the ideal cipher. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 273–289. Springer, Heidelberg (2010)
Dobraunig, Christoph, Eichlseder, Maria, Mendel, Florian: Cryptanalysis of Simpira. IACR Cryptology ePrint Archive 2016:244 (2016)
Forler, Christian, List, Eik, Lucks, Stefan, Wenzel, Jakob: Efficient Beyond-Birthday-Bound-Secure Deterministic Authenticated Encryption with Minimal Stretch. IACR Cryptology ePrint Archive 2016:395 (2016)
Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 263–293. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_11
Gueron, S., Lindell, Y.: GCM-SIV: Full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM Conference on Computer and Communications Security, pp. 109–119. ACM (2015)
Gueron, S., Mouha, N.: Simpira: A Family of Efficient Permutations Using the AES Round Function. IACR Cryptology ePrint Archive, 2016: 122 version 20160214:005409 (2016)
Gueron, S., Mouha, N.: Simpira v2: A Family of Efficient Permutations Using the AES Round Function. IACR Cryptology ePrint Archive 2016:122 (2016)
Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)
Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015)
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)
Iwata, T., Yasuda, K.: BTM: a single-key, inverse-cipher-free mode for deterministic authenticated encryption. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 313–330. Springer, Heidelberg (2009)
Iwata, T., Yasuda, K.: HBS: a single-key mode of operation for deterministic authenticated encryption. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 394–415. Springer, Heidelberg (2009)
Jean, J., Nikolic, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
Jean, J., Nikolić, I., Peyrin, T.: Deoxys v1.3, 2015. Second-round submission to the CAESAR competition, http://competitions.cr.yp.to/caesar-submissions.html
Jean, J., Nikolić, I., Peyrin, T.: Joltik v1.3 (2015). Second-round submission to the CAESAR competition, http://competitions.cr.yp.to/caesar-submissions.html
Ted Krovetz.:HS1-SIV (2014). http://competitions.cr.yp.to/caesar-submissions.html
Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009)
Minematsu, K.: Authenticated Encryption without Tag Expansion (or, How to Accelerate AERO). IACR Cryptology ePrint Archive, 2015:738 (2015)
Minematsu, K.: Building blockcipher from small-block tweakable blockcipher. Des. Code Crypt. 74(3), 645–663 (2015)
Peyrin, T., Seurin, Y.: Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers. Cryptology ePrint Archive, Report 2015/1049 (2015)
Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based mac schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014)
Reyhanitabar, R., Vaudenay, S., Vizár, D.: Misuse-resistant variants of the OMD authenticated encryption mode. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 55–70. Springer, Heidelberg (2014)
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–359. Springer, Heidelberg (2004)
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)
Rogaway, P., Shrimpton, T.: Deterministic authenticated-encryption: a provable-security treatment of the key-wrap problem. Cryptology ePrint Archive, Report 2006/221. (Full Version) (2006)
Rønjom, S.: Invariant subspaces in Simpira. IACR Cryptology ePrint Archive, 2016:248 (2016)
Sarkar, P.: Improving upon the TET mode of operation. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 180–192. Springer, Heidelberg (2007)
Sarkar, P.: Efficient tweakable enciphering schemes from (Block-Wise) universal hash functions. IEEE Trans. Inf. Theory 55(10), 4749–4760 (2009)
Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013)
Wang, P., Feng, D., Wu, W.: HCTR: a variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Forler, C., List, E., Lucks, S., Wenzel, J. (2016). Efficient Beyond-Birthday-Bound-Secure Deterministic Authenticated Encryption with Minimal Stretch. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_20
Download citation
DOI: https://doi.org/10.1007/978-3-319-40367-0_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40366-3
Online ISBN: 978-3-319-40367-0
eBook Packages: Computer ScienceComputer Science (R0)