Abstract
Recent work of Bao et al. (in: Canteaut and Ishai (eds) EUROCRYPT 2020, Part II. LNCS. Springer, Heidelberg 2020) repopularized tweakable blockciphers minimizing the overhead due to changing the tweak. Essentially, they considered cascading two (independently keyed) \(\textsf {LRW1}\) constructions \(\textsf {LRW1} _k(x) = E_k \big ( t \oplus E_k ( x ) \big ) \) of Liskov et al. (JoC 2011), and proved security up to \(2^{2n/3}\) adversarial queries. This paper considers the natural extension of r cascades, i.e., \(\textsf {CLRW1} _{k_1,\ldots ,k_r}^{r,E} ( t,x ) = E_{k_r} \big ( t \oplus ... E_{k_2} \big ( t \oplus E_{k_1} ( x ) \big ) ... \big )\), and proves asymptotically optimal security. Concretely, we show that \(\textsf {CLRW1} ^{r,E}\) ensures NCPA security up to \(2^{(r-1)n/r}\) adversarial queries and CCA security up to \(2^{(r-2)n/r}\) adversarial queries. Our analysis makes use of a coupling argument, and in particular gains inspiration from Patarin’s analysis of Feistel networks (Nachef et al. in Feistel ciphers–security proofs and cryptanalysis, Springer, Berlin, Chapter 13, 2017. https://doi.org/10.1007/978-3-319-49530-9).
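The construction in the abstract, as an added worked example that is not code from the paper or its authors. The underlying blockcipher E is modelled the way the analysis does, as an ideal cipher (one independent random permutation per key), here a toy 16-bit table seeded deterministically; the class and function names are the editor's own. Besides the r-round cascade and its inverse, the block checks the bound at its edge: for r = 2 the stated CCA bound is \(2^{(r-2)n/r} = 1\) query, and the four-query relation below, which holds by construction for r = 2 and only with probability about \(2^{-n}\) for an ideal tweakable permutation, is why that bound cannot be improved; for r = 3 the same relation is checked empirically.

```python
import random


N_BITS = 16                    # toy block size n (a real E would have n = 128)
MASK = (1 << N_BITS) - 1


class ToyIdealCipher:
    """Stand-in for the blockcipher E in the ideal-cipher model: every key
    selects an independent, uniformly random permutation of {0,1}^n.  The
    permutations are derived from a fixed seed so runs are reproducible.
    This is a modelling device for the example, not a real cipher."""

    def __init__(self, n_bits: int = N_BITS):
        self.n = n_bits
        self._tables = {}

    def _table(self, key: int):
        if key not in self._tables:
            rng = random.Random(f"toy-ideal-cipher:n={self.n}:k={key}")
            fwd = list(range(1 << self.n))
            rng.shuffle(fwd)                      # random permutation of {0,1}^n
            inv = [0] * len(fwd)
            for x, y in enumerate(fwd):
                inv[y] = x
            self._tables[key] = (fwd, inv)
        return self._tables[key]

    def enc(self, key: int, x: int) -> int:
        return self._table(key)[0][x]

    def dec(self, key: int, y: int) -> int:
        return self._table(key)[1][y]


class CLRW1:
    """CLRW1^{r,E}_{k_1,...,k_r}(t, x) = E_{k_r}(t ^ ... E_{k_2}(t ^ E_{k_1}(x)) ...).
    r = len(keys); the tweak is XORed in before every call except the first."""

    def __init__(self, cipher: ToyIdealCipher, keys):
        keys = list(keys)
        if not keys:
            raise ValueError("need at least one key (r >= 1)")
        self.E = cipher
        self.keys = keys

    def enc(self, t: int, x: int) -> int:
        v = self.E.enc(self.keys[0], x)
        for k in self.keys[1:]:
            v = self.E.enc(k, (t ^ v) & MASK)
        return v

    def dec(self, t: int, y: int) -> int:
        v = y
        for k in reversed(self.keys[1:]):          # undo rounds r, ..., 2
            v = (self.E.dec(k, v) ^ t) & MASK
        return self.E.dec(self.keys[0], v)         # undo round 1 (no tweak)


def cca_relation_holds(tbc: CLRW1, t: int, t_prime: int, x: int) -> bool:
    """Four-query CCA check.  Let y = E(t, x) and x' = D(t', y).
    For r = 2, E_{k_1}(x') = t ^ t' ^ E_{k_1}(x), hence
    E(t, x') = E_{k_2}(t' ^ E_{k_1}(x)) = E(t', x) for every input.
    For an ideal tweakable permutation the equality has probability ~2^-n."""
    if t == t_prime:
        raise ValueError("use two distinct tweaks")
    y = tbc.enc(t, x)
    x_prime = tbc.dec(t_prime, y)
    return tbc.enc(t, x_prime) == tbc.enc(t_prime, x)


def count_relation_hits(tbc: CLRW1, trials: int, seed: int = 0) -> int:
    """Number of random (t, t', x) triples on which the relation holds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        t = rng.randrange(1 << N_BITS)
        t_prime = rng.randrange(1 << N_BITS)
        if t_prime == t:
            t_prime ^= 1
        x = rng.randrange(1 << N_BITS)
        hits += cca_relation_holds(tbc, t, t_prime, x)
    return hits


if __name__ == "__main__":
    E = ToyIdealCipher()
    for r in (2, 3, 4):
        tbc = CLRW1(E, keys=range(1, r + 1))       # r independent keys k_1..k_r
        assert all(tbc.dec(t, tbc.enc(t, x)) == x
                   for t in (0, 0xBEEF) for x in range(0, 1 << N_BITS, 911))
        print(f"r={r}: E(t, D(t', E(t, x))) == E(t', x) held in "
              f"{count_relation_hits(tbc, 64)}/64 random trials")
```

With r = 2 every trial hits, which matches a CCA bound of one query; from r = 3 on the hit count is essentially zero, consistent with the bound becoming non-trivial only once there is a tweaked round on each side of the "middle".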
Data availability
No datasets have been used.
References
Aldous D.: Random walks on finite groups and rapidly mixing Markov chains. In: Séminaire de Probabilités XVII 1981/82, pp. 243–297. Springer (1983).
Bao Z., Guo C., Guo J., Song L.: TNT: how to tweak a block cipher. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, Part II, vol. 12106, pp. 641–673. LNCS. Springer, Heidelberg (2020).
Beierle C., Jean J., Kölbl S., Leander G., Moradi A., Peyrin T., Sasaki Y., Sasdrich P., Sim S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part II, vol. 9815, pp. 123–153. LNCS. Springer, Heidelberg (2016).
Black J., Rogaway P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen L.R. (ed.) EUROCRYPT 2002, vol. 2332, pp. 384–397. LNCS. Springer, Heidelberg (2002).
Chakraborti A., Datta N., Jha A., Lopez C.M., Nandi M., Sasaki Y.: LOTUS-AEAD and LOCUS-AEAD. Submission to the NIST Lightweight Cryptography Standardization process (round 2) (2020).
Cogliati B.: Tweaking a block cipher: multi-user beyond-birthday-bound security in the standard model. Des. Codes Cryptogr. 86(12), 2747–2763 (2018). https://doi.org/10.1007/s10623-018-0471-8.
Cogliati B., Dodis Y., Katz J., Lee J., Steinberger J.P., Thiruvengadam A., Zhang Z.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2018, Part I, vol. 10991, pp. 722–753. LNCS. Springer, Heidelberg (2018).
Cogliati B., Lampe R., Seurin Y.: Tweaking Even-Mansour ciphers. In: Gennaro R., Robshaw M.J.B. (eds.) CRYPTO 2015, Part I, vol. 9215, pp. 189–208. LNCS. Springer, Heidelberg (2015).
Cogliati B., Patarin J., Seurin Y.: Security amplification for the composition of block ciphers: simpler proofs and new results. In: Joux A., Youssef A.M. (eds.) SAC 2014, vol. 8781, pp. 129–146. LNCS. Springer, Heidelberg (2014).
Cogliati B., Seurin Y.: Beyond-birthday-bound security for tweakable Even-Mansour ciphers with linear tweak and key mixing. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015, Part II, vol. 9453, pp. 134–158. LNCS. Springer, Heidelberg (2015).
Crowley P.: Mercy: a fast large block cipher for disk sector encryption. In: Schneier B. (ed.) FSE 2000, vol. 1978, pp. 49–63. LNCS. Springer, Heidelberg (2001).
Dai W., Hoang V.T., Tessaro S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III, vol. 10403, pp. 497–523. LNCS. Springer, Heidelberg (2017).
Dai Y., Seurin Y., Steinberger J.P., Thiruvengadam A.: Indifferentiability of iterated Even-Mansour ciphers with non-idealized key-schedules: five rounds are necessary and sufficient. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III, vol. 10403, pp. 524–555. LNCS. Springer, Heidelberg (2017).
Dutta A.: Minimizing the two-round tweakable Even-Mansour cipher. In: ASIACRYPT 2020, Part I, pp. 601–629. LNCS. Springer, Heidelberg (2020).
Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997).
Ferguson N., Lucks S., Schneier B., Whiting D., Bellare M., Kohno T., Callas J., Walker J.: The Skein hash function family. Submission to NIST (round 3) (2010).
Goldenberg D., Hohenberger S., Liskov M., Schwartz E.C., Seyalioglu H.: On tweaking Luby-Rackoff blockciphers. In: Kurosawa K. (ed.) ASIACRYPT 2007, vol. 4833, pp. 342–356. LNCS. Springer, Heidelberg (2007).
Guo C.: Understanding the related-key security of Feistel Ciphers from a provable perspective. IEEE Trans. Inf. Theory 65(8), 5260–5280 (2019). https://doi.org/10.1109/TIT.2019.2903796.
Guo C., Lin D.: A synthetic indifferentiability analysis of interleaved double-key Even-Mansour ciphers. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015, Part II, vol. 9453, pp. 389–410. LNCS. Springer, Heidelberg (2015).
Hoang V.T., Krovetz T., Rogaway P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part I, vol. 9056, pp. 15–44. LNCS. Springer, Heidelberg (2015).
Hoang V.T., Rogaway P.: On generalized Feistel networks. In: Rabin T. (ed.) CRYPTO 2010, vol. 6223, pp. 613–630. LNCS. Springer, Heidelberg (2010).
Jean J., Nikolic I., Peyrin T.: Kiasu v1. Submitted to the CAESAR competition (2014).
Jean J., Nikolic I., Peyrin T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar P., Iwata T. (eds.) ASIACRYPT 2014, Part II, vol. 8874, pp. 274–288. LNCS. Springer, Heidelberg (2014).
Jean J., Nikolić I., Peyrin T., Seurin Y.: The Deoxys AEAD family. J. Cryptol. 34(3), 1–51 (2021).
Jha A., List E., Minematsu K., Mishra S., Nandi M.: XHX—A framework for optimally secure tweakable block ciphers from classical block ciphers and universal hashing. Cryptology ePrint Archive, Report 2017/1075 (2017). https://eprint.iacr.org/2017/1075.
Jha A., Nandi M.: Tight security of cascaded LRW2. J. Cryptol. 33(3), 1272–1317 (2020).
Krovetz T., Rogaway P.: The design and evolution of OCB. J. Cryptol. 34(4), 1–32 (2021).
Lampe R., Patarin J., Seurin Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang X., Sako K. (eds.) ASIACRYPT 2012, vol. 7658, pp. 278–295. LNCS. Springer, Heidelberg (2012).
Lampe R., Seurin Y.: How to construct an ideal cipher from a small set of public permutations. In: Sako K., Sarkar P. (eds.) ASIACRYPT 2013, Part I, vol. 8269, pp. 444–463. LNCS. Springer, Heidelberg (2013).
Lampe R., Seurin Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai S. (ed.) FSE 2013, vol. 8424, pp. 133–151. LNCS. Springer, Heidelberg (2014).
Lampe R., Seurin Y.: Security analysis of key-alternating Feistel ciphers. In: Cid C., Rechberger C. (eds.) FSE 2014, vol. 8540, pp. 243–264. LNCS. Springer, Heidelberg (2015).
Landecker W., Shrimpton T., Terashima R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini R., Canetti R. (eds.) CRYPTO 2012, vol. 7417, pp. 14–30. LNCS. Springer, Heidelberg (2012).
Lee B., Lee J.: Tweakable block ciphers secure beyond the birthday bound in the ideal cipher model. In: Peyrin T., Galbraith S. (eds.) ASIACRYPT 2018, Part I, vol. 11272, pp. 305–335. LNCS. Springer, Heidelberg (2018).
Liskov M., Rivest R.L., Wagner D.: Tweakable block ciphers. In: Yung M. (ed.) CRYPTO 2002, vol. 2442, pp. 31–46. LNCS. Springer, Heidelberg (2002).
Liskov M., Rivest R.L., Wagner D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011).
Maurer U.M., Renner R., Holenstein C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor M. (ed.) TCC 2004, vol. 2951, pp. 21–39. LNCS. Springer, Heidelberg (2004).
Mennink B.: Optimally secure tweakable blockciphers. Cryptology ePrint Archive, Report 2015/363 (2015). https://eprint.iacr.org/2015/363.
Mennink B.: XPX: generalized tweakable Even-Mansour with improved security guarantees. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, vol. 9814, pp. 64–94. LNCS. Springer, Heidelberg (2016).
Mennink B.: Insuperability of the standard versus ideal model gap for tweakable blockcipher security. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part II, vol. 10402, pp. 708–732. LNCS. Springer, Heidelberg (2017).
Mennink B.: Towards tight security of cascaded LRW2. In: Beimel A., Dziembowski S. (eds.) TCC 2018, Part II, vol. 11240, pp. 192–222. LNCS. Springer, Heidelberg (2018).
Minematsu K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman O. (ed.) FSE 2009, vol. 5665, pp. 308–326. LNCS. Springer, Heidelberg (2009).
Mironov I.: (Not so) random shuffles of RC4. In: Yung M. (ed.) CRYPTO 2002, vol. 2442, pp. 304–319. LNCS. Springer, Heidelberg (2002).
Mitsuda A., Iwata T.: Tweakable pseudorandom permutation from generalized Feistel structure. In: Baek J., Bao F., Chen K., Lai X. (eds.) ProvSec 2008, vol. 5324, pp. 22–37. LNCS. Springer, Heidelberg (2008).
Morris B., Rogaway P., Stegers T.: How to encipher messages on a small domain. In: Halevi S. (ed.) CRYPTO 2009, vol. 5677, pp. 286–302. LNCS. Springer, Heidelberg (2009).
Nachef V., Patarin J., Volte E.: Feistel Ciphers. Springer, Cham (2017).
Nachef V., Patarin J., Volte E.: Feistel Ciphers–Security Proofs and Cryptanalysis. Springer, Berlin (2017).
Patarin J.: The “coefficients H’’ technique (invited talk). In: Avanzi R.M., Keliher L., Sica F. (eds.) SAC 2008, vol. 5381, pp. 328–345. LNCS. Springer, Heidelberg (2009).
Rogaway P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee P.J. (ed.) ASIACRYPT 2004, vol. 3329, pp. 16–31. LNCS. Springer, Heidelberg (2004).
Sakamoto K., Minematsu K., Shibata N., Shigeri M., Kubo H., Funabiki Y., Bogdanov A., Morioka S., Isobe T.: Tweakable TWINE: building a tweakable block cipher on generalized Feistel structure. In: Attrapadung N., Yagi T. (eds.) IWSEC 2019, vol. 11689, pp. 129–145. LNCS. Springer, Heidelberg (2019).
Schroeppel R.: The Hasty Pudding Cipher. NIST AES proposal (1998). http://www.cs.arizona.edu/~rcs/hpc.
Shen Y., Guo C., Wang L.: Improved security bounds for generalized Feistel networks. IACR Trans. Symmetric Cryptol. 2020(1), 425–457 (2020).
Wang L., Guo J., Zhang G., Zhao J., Gu D.: How to build fully secure tweakable blockciphers from classical blockciphers. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT 2016, Part I, vol. 10031, pp. 455–483. LNCS. Springer, Heidelberg (2016).
Acknowledgements
We thank the reviewers of Designs, Codes and Cryptography for their insightful feedback that greatly helped us improve the paper. Chun Guo was partly supported by the National Natural Science Foundation of China (Grant No. 62002202), the National Key Research and Development Project under Grant No. 2018YFA0704702, and the Shandong Nature Science Foundation of China (Grant No. ZR2020MF053).
Ethics declarations
Conflict of interest
All authors declare that they have no conflict of interest.
Additional information
Communicated by T. Iwata.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Proof of Lemma 1
The original statement and proof of the Coupling Lemma is due to Aldous [1]. The proof reproduced in this appendix follows Lampe and Seurin [30]. In detail, let \(\lambda \) be a coupling of \(\mu \) and \(\nu \), and \((X,Y) \sim \lambda \). By definition, we have that for any \(z\in \omega \), \(\lambda (z,z)\le \min \{\mu (z),\nu (z)\}\). Moreover, \(\Pr [X=Y]=\sum _{z\in \omega }\lambda (z,z)\). Hence we have:
Thus,
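The two displays of this proof are not reproduced on this page. As an added worked derivation (not part of the original text), using the same symbols and assuming the standard definition of statistical distance, \(\|\mu -\nu \| = \tfrac{1}{2}\sum _{z\in \omega }|\mu (z)-\nu (z)|\), the chain from the two facts above is:

\[
\Pr [X\ne Y] \;=\; 1-\sum _{z\in \omega }\lambda (z,z)
\;\ge \; 1-\sum _{z\in \omega }\min \{\mu (z),\nu (z)\}
\;=\; \sum _{z\in \omega }\big (\mu (z)-\min \{\mu (z),\nu (z)\}\big )
\;=\; \sum _{z\in \omega :\,\mu (z)>\nu (z)}\big (\mu (z)-\nu (z)\big )
\;=\; \|\mu -\nu \|,
\]

where the first equality uses \(\sum _{z}\mu (z)=1\), and the last one uses \(\sum _{z}(\mu (z)-\nu (z))=0\), so the positive part of the difference equals half of the absolute sum. Since \(\lambda \) was an arbitrary coupling, \(\|\mu -\nu \|\le \Pr [X\ne Y]\) for every coupling, which is the Coupling Lemma.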
Proof of Theorem 1
1.1 Proof setup
Fix some message space \({\mathcal {D}}\) and tweak space \({\mathcal {T}}\), and denote \(D = |{\mathcal {D}} |\). We denote by \(({\mathcal {D}})_q\) the set of all q-tuples of pairwise distinct elements of \({\mathcal {D}}\). Let \({\widetilde{E}}\) be a tweakable blockcipher with message space \({\mathcal {D}} \), key space \({\mathcal {K}},\) and tweak space \({\mathcal {T}} \). Let \(q_t\) be the number of queries with tweak t. Given an integer \(q \ge 1\) and three q-tuples \({\textbf{t}}= (t_1,\ldots ,t_q) \in {\mathcal {T}} ^q\), \({\textbf{x}}= (x_1,\ldots ,x_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), and \({\textbf{y}}= (y_1,\ldots ,y_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), we denote
where the notation \({\widetilde{E}}_K({\textbf{t}},{\textbf{x}})={\textbf{y}}\) is a shorthand meaning that \({\widetilde{E}}_K(t_i,x_i)=y_i\) for all \(1\le i\le q\) (to wit, the tuples \(({\textbf{t}},{\textbf{x}},{\textbf{y}})\) constitute a transcript that records q adversarial queries to \({\widetilde{E}}_K\) and their responses). We also denote
When \({\textbf{t}}\) and \({\textbf{x}}\) are fixed,
is the probability distribution (over the choice of a uniformly random key \(K \xleftarrow {\$}{\mathcal {K}} \)) of the q-tuple of ciphertexts when \({\widetilde{E}}\) receives the q-tuple of plaintexts \({\textbf{x}}\) and the q-tuple of tweaks \({\textbf{t}}\). Similarly, when \({\textbf{t}}\) and \({\textbf{y}}\) are fixed,
is the probability distribution of the q-tuples of plaintexts when \({\widetilde{E}}^{-1}\) receives the q-tuple of ciphertexts \({\textbf{y}}\) and the q-tuple of tweaks \({\textbf{t}}\). Overloading the notation, \(\textsf {p}^{*}\) will also denote the uniform probability distribution over \(({\mathcal {D}})_q\). Note that for any \({\textbf{x}}= (x_1,\ldots ,x_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}{}\), any \({\textbf{y}}= (y_1,\ldots ,y_q) \in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), and any \({\textbf{t}}= (t_1,\ldots ,t_q) \in {\mathcal {T}} ^q\),
Our analysis will rely on Patarin’s H-coefficient method [47]. To this end, we recall the two fundamental results of the H-coefficient method regarding NCPA and CCA security of TBCs. They may be viewed as trivial generalizations of Lemmas 1 and 2 of [9], and their proofs can be found in many works, e.g. [9, 46, 47].
Lemma 3
[NCPA security] Let \({\widetilde{E}}\) be a tweakable blockcipher with message space \({\mathcal {D}}\) and tweak space \({\mathcal {T}}\). Then
Lemma 4
[CCA security] Let \({\widetilde{E}}\) be a tweakable blockcipher with message space \({\mathcal {D}}\) and tweak space \({\mathcal {T}}\). Assume that there exists \(\varepsilon \) such that for any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q\) and \({\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), one has
Then it holds
1.2 Main arguments for composition
By Lemma 4, the CCA advantage on \({\widetilde{F}}\circ {\widetilde{E}}\) is related to \(\textsf {p}_{{\widetilde{F}}\circ {\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{y}})\), the probability of observing an arbitrary tuple. The first step is to “cut” the tuples \(({\textbf{t}},{\textbf{x}},{\textbf{y}})\) “in the middle”, such that it can be related to \(\textsf {p}_{{\widetilde{E}}}({\textbf{t}},{\textbf{x}},{\textbf{z}})\) and \(\textsf {p}_{{\widetilde{F}}}({\textbf{t}},{\textbf{z}},{\textbf{y}})\).
Lemma 5
Let \({\widetilde{E}}\in \text {TBC} ({\mathcal {K}} _1,{\mathcal {T}},{\mathcal {D}} \)) and \({\widetilde{F}}\in \text {TBC} ({\mathcal {K}} _2,{\mathcal {T}},{\mathcal {D}} \)) be two TBCs. Then, for any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q\) and \({\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), it holds
Proof
One has
from which the result follows. \(\square \)
We now relate the right hand side of Eq. (13) to NCPA attacks.
Lemma 6
Let \({\widetilde{E}}\in \text {TBC} ({\mathcal {K}} _1,{\mathcal {T}},{\mathcal {D}} \)) and \({\widetilde{F}}\in \text {TBC} ({\mathcal {K}} _2,{\mathcal {T}},{\mathcal {D}} \)) be two TBCs. Then, for any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q\) and \({\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\), it holds
Proof
Let
To simplify notation, we rename the probability distributions as \(\mu := \textsf {p}_{{\widetilde{E}},{\textbf{t}},{\textbf{x}}}\) and \(\nu :=\textsf {p}_{{\widetilde{F}}^{-1},{\textbf{t}},{\textbf{y}}}\). Then, keeping only the negative terms in the sum, we have
where for the last inequality we used that
(and the analogue equality for \(\nu \)). This proves the result. \(\square \)
Gathering the above, we are able to prove Theorem 1.
Proof
Fix any q-tuples \({\textbf{t}}\in {\mathcal {T}} ^q,{\textbf{x}},{\textbf{y}}\in ({\mathcal {D}})_{q_1}\times \cdots \times ({\mathcal {D}})_{q_t}\). Then
The result follows by Lemma 4. \(\square \)
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Zhang, Z., Qin, Z. & Guo, C. Just tweak! Asymptotically optimal security for the cascaded LRW1 tweakable blockcipher. Des. Codes Cryptogr. 91, 1035–1052 (2023). https://doi.org/10.1007/s10623-022-01137-w
DOI: https://doi.org/10.1007/s10623-022-01137-w