Just tweak! Asymptotically optimal security for the cascaded LRW1 tweakable blockcipher

Abstract

Recent work of Bao et al. (in: Canteaut and Ishai (eds) EUROCRYPT 2020, Part II. LNCS. Springer, Heidelberg 2020) repopularized tweakable blockciphers minimizing the overhead due to changing the tweak. Essentially, they considered cascading two (independently keyed) \(\textsf {LRW1}\) constructions \(\textsf {LRW1} _k(x) = E_k \big ( t \oplus E_k ( x ) \big ) \) of Liskov et al. (JoC 2011), and proved security up to \(2^{2n/3}\) adversarial queries. This paper considers the natural extension of r cascades, i.e., \(\textsf {CLRW1} _{k_1,\ldots ,k_r}^{r,E} ( t,x ) = E_{k_r} \big ( t \oplus ... E_{k_2} \big ( t \oplus E_{k_1} ( x ) \big ) ... \big )\), and proves asymptotically optimal security. Concretely, we show that \(\textsf {CLRW1} ^{r,E}\) ensures NCPA security up to \(2^{(r-1)n/r}\) adversarial queries and CCA security up to \(2^{(r-2)n/r}\) adversarial queries. Our analysis makes use of a coupling argument, and in particular gains inspiration from Patarin’s analysis of Feistel networks (Nachef et al. in Feistel ciphers–security proofs and cryptanalysis, Springer, Berlin, Chapter 13, 2017. https://doi.org/10.1007/978-3-319-49530-9).

Appendices

Proof of Lemma 1

The original statement and proof of the Coupling Lemma is due to Aldous [1]. Our proof in this appendix is due to Lampe and Seurin [30]. In detail, let \(\lambda \) be a coupling of \(\mu \) and \(\nu \), and \((X,Y) \sim \lambda \). By definition, we have that for any \(z\in \omega \), \(\lambda (z,z)\le \min \{\mu (z),\nu (z)\}\). Moreover, \(\Pr [X=Y]=\sum _{z\in \omega }\lambda (z,z)\). Hence we have:

$$\begin{aligned} \Pr [X=Y]\le \sum _{z\in \Omega }\min \{\mu (z),\nu (z)\}. \end{aligned}$$

Thus,

$$\begin{aligned} \Pr [X\ne Y]\ge ~&1-\sum _{z\in \Omega }\min \{\mu (z),\nu (z)\} \\ =~&\sum _{z\in \Omega } \big ( \mu (z)-\min \{\mu (z),\nu (z)\} \big ) \\ =~&\sum _{\begin{array}{c} z\in \Omega , \ \mu (z)\ge \nu (z) \end{array}} \big ( \mu (z)-\nu (z) \big ) \\ =~&\max _{S\subset \Omega }\{\mu (S)-\nu (S)\} \\ =~&\Vert \mu -\nu \Vert . \end{aligned}$$

Proof of Theorem 1

1.1 Proof setup

Fix some message space \({\mathcal {D}}\) and tweak space \({\mathcal {T}}\), denote \(D = |{\mathcal {D}} |\). We denote \(({\mathcal {D}})_q\) the set of all q-tuple of pairwise distinct elements of \({\mathcal {D}}\). Let \({\widetilde{E}}\) be a tweakable blockcipher with message space \({\mathcal {D}} \), key space \({\mathcal {K}},\) and tweak space \({\mathcal {T}} \).Let \(q_t\) be the number of queries with tweak t. Given an integer \(q \ge 1\) and three q-tuples \({\textbf{t}}= (t_1,\ldots ,t_q) \in {\mathcal {T}} ^q\), \({\textbf{x}}= (x_1,\ldots ,x_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), and \({\textbf{y}}= (y_1,\ldots ,y_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), we denote

$$\begin{aligned} \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{y}})=\Pr [K\xleftarrow {\$}{\mathcal {K}}:{\widetilde{E}}_K({\textbf{t}},{\textbf{x}})={\textbf{y}}]=\frac{|\{K\in {\mathcal {K}}:{\widetilde{E}}_K({\textbf{t}},{\textbf{x}})={\textbf{y}}\}|}{|{\mathcal {K}} |}, \end{aligned}$$

where the notation \({\widetilde{E}}_K({\textbf{t}},{\textbf{x}})={\textbf{y}}\) is a shorthand meaning that \({\widetilde{E}}_K(t_i,x_i)=y_i\) for all \(1\le i\le q\) (to wit, the tuples \(({\textbf{t}},{\textbf{x}},{\textbf{y}})\) constitute a transcript that records q adversarial queries to \({\widetilde{E}}_K\) and their responses). We also denote

$$\begin{aligned} {\textsf{p}}^*=\Pr [ {\widetilde{\pi }}\xleftarrow {\$} \text {BC} (\mathcal {T,D}) : {\widetilde{\pi }}({\textbf{t}},{\textbf{x}})={\textbf{y}}]=\prod _{t}\frac{1}{D(D-1)\cdots (D-q_t+1) }. \end{aligned}$$

When \({\textbf{t}}\) and \({\textbf{x}}\) is fixed,

$$\begin{aligned} \textsf {p}_{{\widetilde{E}},{\textbf{t}},{\textbf{x}}}:{\textbf{y}}\mapsto \textsf {p}_{{\widetilde{E}}} ({\textbf{t}},{\textbf{x}},{\textbf{y}}) \end{aligned}$$

is the probability distribution (over the choice of a uniformly random key \(K \xleftarrow {\$}{\mathcal {K}} \)) of the q-tuple of ciphertexts when \({\widetilde{E}}\) receives the q-tuple of plaintexts \({\textbf{x}}\) and the q-tuple of tweaks \({\textbf{t}}\). Similarly, when \({\textbf{t}}\) and \({\textbf{y}}\) is fixed,

$$\begin{aligned} \textsf {p}_{{\widetilde{E}}^{-1},{\textbf{t}},{\textbf{y}}}:{\textbf{x}}\mapsto \textsf {p}_{{\widetilde{E}}} ({\textbf{t}},{\textbf{x}},{\textbf{y}}) \end{aligned}$$

is the probability distribution of the q-tuples of plaintexts when \({\widetilde{E}}^{-1}\) receives the q-tuple of ciphertexts \({\textbf{y}}\) and the q-tuple of tweaks \({\textbf{t}}\). Overloading the notation, \(\textsf {p}^{*}\) will also denote the uniform probability distribution over \(({\mathcal {D}})_q\). Note that for any \({\textbf{x}}= (x_1,\ldots ,x_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}{}\), any \({\textbf{y}}= (y_1,\ldots ,y_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), and any \({\textbf{t}}= (t_1,\ldots ,t_q) \in {\mathcal {T}} ^q\),

$$\begin{aligned} \sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}}(\textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{z}})-\textsf {p}^*)=\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}}(\textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{z}},{\textbf{y}})-\textsf {p}^*)=0. \end{aligned}$$

(12)

Our analysis will rely on Patarin’s H-coefficient method [47]. To this end, we recall the two fundamental results of H-coefficient method regarding NCPA and CCA security of TBCs. They may be viewed trivial generalizations of Lemmas 1 and 2 of [9], and their proofs could be found in many [9, 46, 47].

Lemma 3

[NCPA security] Let \({\widetilde{E}}\) be a tweakable blockcipher with message space \({\mathcal {D}}\) and tweak space \({\mathcal {T}}\). Then

$$\begin{aligned} \textbf{Adv}^{\widetilde{\textrm{ncpa}}}_{{\widetilde{E}}}(q,+\infty )=\max _{{\textbf{t}}\in {\mathcal {T}} ^q,{\textbf{x}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}} \Vert \textsf {p}_{{\widetilde{E}},{\textbf{t}},{\textbf{x}}}-\textsf {p}^{*}\Vert \end{aligned}$$

Lemma 4

[CCA security] Let \({\widetilde{E}}\) be a tweakable blockcipher with message space \({\mathcal {D}}\) and tweak space \({\mathcal {T}}\). Assume that there exists \(\varepsilon \) such that for any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q\) and \({\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), one has

$$\begin{aligned} \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{y}})\ge (1-\varepsilon )\textsf {p}^{*}. \end{aligned}$$

Then it holds

$$\begin{aligned} \textbf{Adv}_{{\widetilde{E}}}^{\widetilde{\textrm{cca }}}(q,+\infty ) \le \varepsilon . \end{aligned}$$

1.2 Main arguments for composition

By Lemma 4, the CCA advantage on \({\widetilde{F}}\circ {\widetilde{E}}\) is related to \(\textsf {p}_{{\widetilde{F}}\circ {\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{y}})\), the probability of observing an arbitrary tuple. The first step is to “cut” the tuples \(({\textbf{t}},{\textbf{x}},{\textbf{y}})\) “in the middle”, such that it can be related to \(\textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{z}})\) and \(\textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}},{\textbf{y}})\).

Lemma 5

Let \({\widetilde{E}}\in \text {TBC} ({\mathcal {K}} _1,{\mathcal {T}},{\mathcal {D}} \)) and \({\widetilde{F}}\in \text {TBC} ({\mathcal {K}} _2,{\mathcal {T}},{\mathcal {D}} \)) be two TBCs. Then, for any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q\) and \({\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), it holds

$$\begin{aligned} \textsf {p}_{{\widetilde{F}}\circ {\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{y}})=\textsf {p}^*+\sum _{z\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}{}}(\textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{z}})-\textsf {p}^*)(\textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}},{\textbf{y}})-\textsf {p}^*). \end{aligned}$$

(13)

Proof

One has

$$\begin{aligned} \textsf {p}_{{\widetilde{F}}\circ {\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{y}})=&\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}} \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}}) \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}}) \\=&\sum _{{\textbf{z}}}\left( \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}})-\textsf {p}^{*}+\textsf {p}^{*}\right) \left( \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}})-\textsf {p}^{*}+\textsf {p}^{*}\right) \\=&\sum _{{\textbf{z}}}\left( \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}})-\textsf {p}^{*}\right) \left( \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}})-\textsf {p}^{*}\right) \\ {}&+\textsf {p}^{*} \underbrace{\sum _{{\textbf{z}}}\left( \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}})-\textsf {p}^{*}\right) }_{=0 \text { by } (12)}+\textsf {p}^{*} \underbrace{\sum _{{\textbf{z}}}\left( \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}})-\textsf {p}^{*}\right) }_{=0 \text { by } (12)}+\underbrace{\sum _{{\textbf{z}}}\left( \textsf {p}^{*}\right) ^{2}}_{=\textsf {p}^{*}} \\=&\textsf {p}^{*}+\sum _{{\textbf{z}}}\left( \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}})-\textsf {p}^{*}\right) \left( \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}})-\textsf {p}^{*}\right) , \end{aligned}$$

for which the result follows. \(\square \)

We now relate the right hand side of Eq. (13) to NCPA attacks.

Lemma 6

Let \({\widetilde{E}}\in \text {TBC} ({\mathcal {K}} _1,{\mathcal {T}},{\mathcal {D}} \)) and \({\widetilde{F}}\in \text {TBC} ({\mathcal {K}} _2,{\mathcal {T}},{\mathcal {D}} \)) be two TBCs. Then, for any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q\) and \({\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), it holds

$$\begin{aligned}&\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}}\left( \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}})-\textsf {p}^{*}\right) \left( \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}})-\textsf {p}^{*}\right) \\&\quad \ge -\textsf {p}^{*}\left( \left\| \textsf {p}_{{\widetilde{E}}, {\textbf{t}},{\textbf{x}}}-\textsf {p}^{*}\right\| +\left\| \textsf {p}_{{\widetilde{F}}^{-1},{\textbf{t}}, {\textbf{y}}}-\textsf {p}^{*}\right\| \right) \end{aligned}$$

Proof

Let

$$\begin{aligned} S {\mathop {=}\limits ^{ \text{ def } }}&\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}{}}\left( \textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}}, {\textbf{z}})-\textsf {p}^{*}\right) \left( \textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}}, {\textbf{y}})-\textsf {p}^{*}\right) \ \\ =&\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}}\left( \textsf {p}_{{\widetilde{E}},{\textbf{t}},{\textbf{x}}}({\textbf{z}})-\textsf {p}^{*}\right) \left( \textsf {p}_{{\widetilde{F}}^{-1},{\textbf{t}}, {\textbf{y}}}({\textbf{z}})-\textsf {p}^{*}\right) \end{aligned}$$

To simplify notation, we rename the probability distributions as \(\mu := \textsf {p}_{{\widetilde{E}},{\textbf{t}},{\textbf{x}}}\) and \(\nu :=\textsf {p}_{{\widetilde{F}}^{-1},{\textbf{t}},{\textbf{y}}}\). Then, keeping only the negative terms in the sum, we have

$$\begin{aligned} S&\ge \sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}:\left\{ \begin{array}{c} \mu ({\textbf{z}})>\textsf {p}^{*} \\ \nu ({\textbf{z}})<\textsf {p}^{*} \end{array}\right. }\left( \mu ({\textbf{z}})-\textsf {p}^{*}\right) \left( \nu ({\textbf{z}})-\textsf {p}^{*}\right) \\&\qquad \qquad +\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}:\left\{ \begin{array}{c} \mu ({\textbf{z}})<\textsf {p}^{*} \\ \nu ({\textbf{z}})>\textsf {p}^{*} \end{array}\right. }\left( \mu ({\textbf{z}})-\textsf {p}^{*}\right) \left( \nu ({\textbf{z}})-\textsf {p}^{*}\right) \\&\ge \sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}:\left\{ \begin{array}{c} \mu ({\textbf{z}})>\textsf {p}^{*} \\ \nu ({\textbf{z}})<\textsf {p}^{*} \end{array}\right. }\left( \mu ({\textbf{z}})-\textsf {p}^{*}\right) \left( -\textsf {p}^{*}\right) \\&\qquad \qquad +\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}:\left\{ \begin{array}{c} \mu ({\textbf{z}})<\textsf {p}^{*} \\ \nu ({\textbf{z}})>\textsf {p}^{*} \end{array}\right. }\left( -\textsf {p}^{*}\right) \left( \nu ({\textbf{z}})-\textsf {p}^{*}\right) \\&=-\textsf {p}^{*}\left( \sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}:\left\{ \begin{array}{c} \mu ({\textbf{z}})>\textsf {p}^{*} \\ \nu ({\textbf{z}})<\textsf {p}^{*} \end{array}\right. }\left( \mu ({\textbf{z}})-\textsf {p}^{*}\right) +\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}:\left\{ \begin{array}{c} \mu ({\textbf{z}})<\textsf {p}^{*} \\ \nu ({\textbf{z}})>\textsf {p}^{*} \end{array}\right. }\left( \nu (z)-\textsf {p}^{*}\right) \right) \\&\ge -\textsf {p}^{*}\left( \left\| \mu -\textsf {p}^{*}\right\| +\left\| \nu -\textsf {p}^{*}\right\| \right) \text{, } \end{aligned}$$

where for the last inequality we used that

$$\begin{aligned} \left\| \mu -\textsf {p}^{*}\right\| =\max _{S\subseteq ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}}\sum _{{\textbf{z}}\in S}(\mu ({\textbf{z}})-\textsf {p}^{*}) \end{aligned}$$

(and the analogue equality for \(\nu \)). This proves the result. \(\square \)

Gathering the above, we are able to prove Theorem 1.

Proof

Fix any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q,{\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\). Then

$$\begin{aligned} \textsf {p}_{{\widetilde{F}}\circ {\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{y}})&=\textsf {p}^{*}+\sum _{{\textbf{z}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}}(\textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{z}})-\textsf {p}^{*})(\textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}},{\textbf{y}})-\textsf {p}^{*})\qquad \qquad {(Lemma~5)} \\&\ge \textsf {p}^{*}-\textsf {p}^{*}\left( \left\| \mu -\textsf {p}^{*}\right\| +\left\| \nu -\textsf {p}^{*}\right\| \right) \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad {(Lemma~6)} \\&\ge \textsf {p}^{*}\big (1-\textbf{Adv}_{{\widetilde{E}}}^{\widetilde{\textrm{ncpa}}}(q,+\infty )-\textbf{Adv}_{{\widetilde{F}}^{-1}}^{\widetilde{\textrm{ncpa}}}(q,+\infty ) \big ) \qquad \qquad \qquad \qquad \qquad {(Lemma~3)} \end{aligned}$$

The result follows by Lemma 4. \(\square \)