A Note on the CLRW2 Tweakable Block Cipher Construction Gordon Procter Information Security Group, Royal Holloway, University of London [email protected] Abstract. In this note, we describe an error in the proof for CLRW2 given by Landecker et al. in their paper at CRYPTO 2012 on the beyond-birthday-bound security for tweakable block ciphers. We are able to resolve the issue, give a new bound for the security of CLRW2, and identify a potential limitation of this proof technique when looking to extend the scheme to provide asymptotic security. 1 Introduction Tweakable block ciphers were formalised by Liskov, Rivest, and Wagner at CRYPTO 2002 [18]. A tweakable block cipher is a block cipher that admits an additional input (the tweak) to introduce extra variability at the message-block level, in the same way that a nonce or IV introduces variability at the message level. The Hasty Pudding Cipher [23] and Mercy [7] are early examples of ciphers that natively support a tweak; in the case of the Hasty Pudding Cipher, this was called Spice. The tweak may be public and, informally, the security aim is that, for a single key, the permutations indexed by the tweaks are independent; appropriate security notions are defined more formally in Section 2.2. Liskov et al. [18] describe the syntax and security requirements for tweakable block ciphers and describe two methods for building a tweakable block cipher from a standard block cipher. They also give a method to construct a strong tweakable block cipher1 from a standard block cipher. Several tweakable block ciphers have been proposed including Goldenberg et al.'s work on tweaking Luby-Rackoff ciphers [9]; Rogaway's XE and XEX modes [22], which are closely related to the OCB mode of operation [14]; and Threefish [8], which forms part of the hash function Skein [8]. Many block-cipher-based encryption and authentication schemes are secure up to the birth- n day bound, i.e. provided that fewer than 2 2 queries are made, where n is the width of the block cipher (in bits). Beyond this point, one would expect a collision in the input to the block cipher to occur and for this to perhaps leak some information or simplify forgery attempts (as described in, for example, [1,3,4,20]). Several works have studied the security of schemes beyond the birthday bound (for examples, see [10,12]); one related question is how to acheive beyond-birthday-bound security for tweakable block ciphers. At FSE 2009, Minematsu [21] suggested a method to build a 2n-bit tweakable block cipher n+m that provides O(2 2 ) security from an n-bit block cipher (where m is the size of the tweak). This scheme has a Luby-Rackoff or Feistel structure, but has the disadvantage of only supporting short tweaks and requiring per-invocation block-cipher rekeying which makes changing the tweak computationally expensive. At CRYPTO 2012 Landecker, Shrimpton, and Terashima [16] continued the study of tweak- able block ciphers. Their paper has two main contributions: specifying CLRW2, a tweakable block cipher construction that remains secure beyond the birthday bound (up to approximately 1 Informally, a strong tweakable block cipher is one that remains secure when the adversary is given also access to a decryption oracle. 2n 2 3 queries); and giving a proof that TBC-MAC (the analogue of CBC-MAC defined in terms of tweakable block ciphers) is both a PRF and unforgeable. CLRW2 allows arbitrarily long tweaks and does not require excessive rekeying of the block cipher. The CLRW2 construction was extended by Lampe and Seurin at FSE 2013 [15] who consider longer chains of the LRW2 construction and are able to show (asymptotically in the number of rounds, using a coupling argument) that this provides greater security further beyond the birthday bound than the CLRW2 construction. Their bounds agree with Landecker et al.'s bound in the case of non-adaptive CPA adversaries and they prove a weaker bound for CCA adversaries; they conjecture that the bound proved for non-adaptive CPA adversaries also holds for CCA adversaries. Contributions This is an early draft in which we identify a flaw in the proof given by Landecker et al. for CLRW2 [16,17] and are able to resolve it. We describe modifications that correct the proof and give new bounds for the security of CLRW2. We also identify a potential issue which may prevent this proof technique being used to extend these results asymptotically, although this issue does not appear to affect Lampe and Seurin's results. Landecker et al. have independently identified and corrected the error in their proof [24]; they correct the proof using a neat coupling argument which results in a tighter bound. Structure This note is structured as follows: In Section 2, we introduce the notation, syntax, and security models used in this note; in Section 3, we give a brief summary of Landecker et al.'s scheme and corresponding proof; in Section 4, we describe and demonstrate the error that we have identified in the proof; in Section 5, we give one possible method to fix this error and derive new bounds for the security of CLRW2; and Section 6 contains a description of some issues that may prevent this proof technique being extended asymptotically. 2 Preliminaries 2.1 Notation For a set X , we write x $ X to represent an element x being uniformly sampled from X . For a bitstring x 2 f0; 1g∗ we use jxj to denote its length. We use ξ(p) to represent a Bernoulli random variable that is 1 with probability p and 0 with probability 1 − p. For a set S ⊆ f0; 1gn and an element x 2 f0; 1gn we define S ⊕ x = fs ⊕ x : s 2 Sg. We follow the code-based game paradigm of Bellare and Rogaway [5]. We will use Xi to denote plaintext input to a tweakable block cipher and Yi for ciphertext output. Queries made by an adversary and the value of random variables related to those queries are be indexed by a counter i. In games, all boolean flags are initialised to false and arrays are initially undefined at every point. 2.2 Block Cipher Syntax and Security A block cipher is a family of functions: E : K × f0; 1gn ! f0; 1gn, where K is the keyspace. We require that E(k; ·) is a permutation on f0; 1gn for every choice of key k. We will often denote −1 E(k; ·) by Ek(·) and the inverse of this permutation by Ek (·). We follow Bellare, Kilian, and Rogaway [2] and say that a block cipher is secure if it is a pseudo-random permutation family (PRP). A pseudo-random permutation family is a set of permutations fEkjk 2 Kg that is indistinguishable from a random permutation family Π also indexed by elements of K. A strong pseudo-random permutation family (SPRP) is a pseudo- random permutation family that remains indistinguishable from a random permutation family when an adversary is also given access to either a decryption oracle, or to the random permuta- tion's inverse. Consider an adversary A and define their SPRP advantage against E as sprp (E ;E−1) −1 k k (π,π ) AdvE (A) = Pr[1 A ] − Pr[1 A ] $ $ sprp where k K and π Π. Define AdvE (q; t) to be the maximum advantage that can be realised by an adversary asking no more than q queries and running in time at most t. We say sprp that E is a strong pseudo-random permutation if AdvE (q; t) is sufficiently small. A tweakable block cipher is a family of functions: Ee : K × T × f0; 1gn ! f0; 1gn, where K is the keyspace and T is the tweakspace. We require that, for every k 2 K and Ti 2 T , Ee k(Ti; ·) is a n −1 permutation on f0; 1g and we denote the inverse of this permutation by Ee k (Ti; ·). We remark that in the case of CLRW2, a tweakable block cipher key includes two keys for the underlying block cipher and two keys for the universal hash function family, i.e. k = (k1;H1; k2;H2). We use the definition of tweakable block cipher security given by Liskov et al. [18,19]. A secure tweakable block cipher is one that is indistinguishable from a tweaked random permutation family Πe, where Πe is a set of random permutations on f0; 1gn indexed by elements of K × T . A strong tweakable block cipher is one that is indistinguishable from a tweaked random permutation family when an adversary is given either access to encryption and decryption oracles for the tweakable block cipher or access to a family of tweaked random permutations and their inverses. In the definition of both tweakable block ciphers and strong tweakable block ciphers, the adversary is able to choose both the input and the tweak for each query. Consider an adversary A and define their tweakable-SPRP advantage against Ee as −1 sprp (E ;E ) (π;π−1) Adv g (A) = Pr[1 A e k e k ] − Pr[1 A e e ] Ee $ sprp where k K and π = fπ(k; Ti; ·) 2 Πe : Ti 2 T g. Define Adv g (q; t) to be the maximum e Ee advantage that can be realised by an adversary making no more than q queries and running in sprp time at most t. We say that Ee is a strong tweakable block cipher if Adv g (q; t) is sufficiently Ee small. 2.3 Universal Hash Functions ? n A family of hash functions will be denoted H = fhH : f0; 1g ! f0; 1g j H 2 KHg with each hash function hH indexed by a key H 2 KH.