
Tweaking Even-Mansour Ciphers
Benoît Cogliati (Versailles University, France), Rodolphe Lampe (Versailles University, France), Yannick Seurin (ANSSI, France)
August 17, 2015 — CRYPTO 2015
Cogliati, Lampe, Seurin, Tweaking Even-Mansour Ciphers, CRYPTO 2015, slide 1 / 26

Outline (slide 2 / 26)
Background: Tweakable Block Ciphers
Our Contribution
Overview of the Proof for Two Rounds
Longer Cascades
Conclusion and Perspectives

Background: Tweakable Block Ciphers

Tweakable Block Ciphers (TBCs) (slide 3 / 26)
[figure: a TBC $\tilde{E}$ takes a key $k$, a tweak $t$ and a block $x$ and outputs $y = \tilde{E}_k(t, x)$]
• tweak t: brings variability to the block cipher
• t assumed public or even adversarially controlled
• each tweak should give an “independent” permutation
• few “natively tweakable” BCs:
  • Hasty Pudding Cipher [Sch98]
  • Mercy [Cro00]
  • Threefish [FLS+10]
  • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher

Generic Constructions of TBCs (slide 4 / 26)
[figure: LRW, $x \oplus h_{k'}(t)$ is fed to $E_k$ and the output is XORed with $h_{k'}(t)$ again to give $y$]
• A generic TBC construction turns a conventional block cipher E into a TBC $\tilde{E}$
• example: LRW construction by Liskov et al. [LRW02]: $\tilde{E}_{k,k'}(t, x) = E_k(x \oplus h_{k'}(t)) \oplus h_{k'}(t)$
• h is XOR-universal, e.g. $h_{k'}(t) = k' \otimes t$ (field mult.)
• secure up to $\sim 2^{n/2}$ queries
• related construction XEX [Rog04] uses $E_k(t)$ instead of $h_{k'}(t)$ (used e.g. in the XTS disk encryption mode)

Cascading the LRW Construction (slide 5 / 26)
[figure: r LRW rounds in series, round i using $E_{k_i}$ with mask $k'_i \otimes t$: $x \to E_{k_1} \to E_{k_2} \to \cdots \to E_{k_r} \to y$]
• $k_1, \ldots, k_r$ and $k'_1, \ldots, k'_r$ independent keys ⇒ total key-length = $r(\kappa + n)$
• 2 rounds: provably secure up to $\sim 2^{2n/3}$ queries [LST12]
• r rounds, r even: provably secure up to $\sim 2^{rn/(r+2)}$ queries [LS13]
• NB: only assuming E is a PRP (standard security notion, no ideal model)

Our Contribution

Tweakable Even-Mansour Constructions (slide 7 / 26)
Our Goal: provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher).
• “from scratch” → from some lower level primitive
• from a PRF: Feistel schemes [GHL+07, MI08]
• this work: SPN ciphers (more gen. key-alternating ciphers)
[figure: key-alternating cipher $x \oplus f_0(k,t) \to P_1 \to \oplus f_1(k,t) \to P_2 \to \cdots \to P_r \to \oplus f_r(k,t) \to y$, where each round key $f_i(k, t)$ is derived from the key $k$ and the tweak $t$ and the $P_i$ are public permutations]
• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)
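The three diagrams above (LRW on slide 4, the cascaded LRW on slide 5 and the tweakable Even-Mansour cascade on slide 7) as runnable code. This is an added example, not code from the slides or from the authors. Everything not on the slides is an assumption: the conventional block cipher $E_k$ and the public permutations $P_i$ are toy 4-round SHA-256 Feistel networks so that the file runs offline (a real instance would use AES for $E_k$ and AES-round-based permutations for $P_i$); the TEM round-key functions are instantiated as $f_i(k, t) = k_i \otimes t$, a natural choice that the slides do not fix; the keys and plaintext are constructed values.

```python
"""Added example (not from the slides/authors): LRW, cascaded LRW and a
tweakable Even-Mansour (TEM) cascade on 128-bit blocks.
Assumptions: E_k and P_i are toy SHA-256 Feistel permutations (stand-ins for
AES / AES-based permutations), and f_i(k, t) = k_i ⊗ t for TEM."""
import hashlib
from typing import Sequence, Tuple

N = 128
MASK = (1 << N) - 1
POLY = 0x87  # x^128 + x^7 + x^2 + x + 1, the XTS/XEX reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^128), used for the XOR-universal hash h_k'(t) = k' ⊗ t."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> (N - 1)
        a = (a << 1) & MASK
        if carry:
            a ^= POLY
    return r


def _round(label: bytes, i: int, half: int) -> int:
    d = hashlib.sha256(label + bytes([i]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big")


def perm(label: bytes, x: int, inverse: bool = False) -> int:
    """Toy 128-bit permutation: 4-round Feistel driven by `label`.
    A secret label plays E_k; a public label (b"P1", b"P2", ...) plays P_i."""
    l, r = x >> 64, x & ((1 << 64) - 1)
    if not inverse:
        for i in range(4):
            l, r = r, l ^ _round(label, i, r)
    else:
        for i in reversed(range(4)):
            l, r = r ^ _round(label, i, l), l
    return (l << 64) | r


def lrw(k: bytes, kp: int, t: int, x: int, inverse: bool = False) -> int:
    """LRW [LRW02]: E~_{k,k'}(t, x) = E_k(x ⊕ h(t)) ⊕ h(t) with h(t) = k' ⊗ t."""
    h = gf_mul(kp, t)
    return perm(k, x ^ h, inverse) ^ h


def clrw(keys: Sequence[Tuple[bytes, int]], t: int, x: int,
         inverse: bool = False) -> int:
    """r chained LRW rounds with independent (k_i, k'_i); key length r(kappa + n)."""
    for k, kp in (reversed(keys) if inverse else keys):
        x = lrw(k, kp, t, x, inverse)
    return x


def tem(ks: Sequence[int], t: int, x: int, inverse: bool = False) -> int:
    """Tweakable Even-Mansour with r = len(ks) - 1 public permutations:
    x ⊕ f_0(k,t) -> P_1 -> ⊕ f_1(k,t) -> ... -> P_r -> ⊕ f_r(k,t) -> y,
    with the assumed instantiation f_i(k, t) = k_i ⊗ t."""
    r = len(ks) - 1
    rk = [gf_mul(ki, t) for ki in ks]
    if not inverse:
        x ^= rk[0]
        for i in range(1, r + 1):
            x = perm(b"P%d" % i, x) ^ rk[i]
    else:
        x ^= rk[r]
        for i in range(r, 0, -1):
            x = perm(b"P%d" % i, x, inverse=True) ^ rk[i - 1]
    return x


def xor_universal_identity(kp: int, t1: int, t2: int) -> bool:
    """h(t1) ⊕ h(t2) = k' ⊗ (t1 ⊕ t2): for t1 != t2 the difference is a bijective
    function of k', which is exactly what XOR-universality of h needs."""
    return gf_mul(kp, t1) ^ gf_mul(kp, t2) == gf_mul(kp, t1 ^ t2)


def tem_zero_tweak_is_keyless(ks: Sequence[int], x: int) -> bool:
    """Caveat of the assumed f_i: k_i ⊗ 0 = 0, so tweak t = 0 zeroes every round
    key and TEM collapses to the public, key-independent P_r o ... o P_1.
    A multiplication-based f_i needs t = 0 excluded (or a hash that is also
    uniform); LRW is unaffected since E_k stays keyed when h(0) = 0."""
    return tem(ks, 0, x) == tem([0] * len(ks), 0, x)


if __name__ == "__main__":  # constructed keys and plaintext
    K1, K2 = b"key-1 (constructed)", b"key-2 (constructed)"
    KP1 = 0x0123456789ABCDEF0123456789ABCDEF
    KP2 = 0xFEDCBA9876543210FEDCBA9876543210
    X, T = (0xDEADBEEF << 64) | 0xCAFEBABE, 42
    y = clrw([(K1, KP1), (K2, KP2)], T, X)
    assert clrw([(K1, KP1), (K2, KP2)], T, y, inverse=True) == X
    assert y != clrw([(K1, KP1), (K2, KP2)], T + 1, X)  # tweak changes the permutation
    z = tem([KP1, KP2, KP1 ^ KP2], T, X)
    assert tem([KP1, KP2, KP1 ^ KP2], T, z, inverse=True) == X
    assert xor_universal_identity(KP1, 3, 5)
    assert tem_zero_tweak_is_keyless([KP1, KP2, KP1 ^ KP2], X)
    print("ok")
```

Two things worth noticing when running it. The cascade `clrw` with two rounds is the [LST12] construction whose bound is $\sim 2^{2n/3}$ queries, and it costs two block-cipher calls plus two field multiplications per block, against one of each for plain LRW at $\sim 2^{n/2}$. The `tem_zero_tweak_is_keyless` check shows why the choice of $f_i$ is not cosmetic in the Even-Mansour setting: the key enters only through the round keys, so an $f_i$ that is XOR-universal but not uniform (such as $k_i \otimes t$ at $t = 0$) leaves a tweak for which the whole construction is a fixed public permutation.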