Journal of Computer Science and Technology, Volume 33, Issue 6, pp. 1261–1277

Generalized Tweakable Even-Mansour Cipher and Its Applications

  • Ping Zhang
  • Hong-Gang Hu (corresponding author)
Regular Paper

Abstract

This paper describes a generalized tweakable blockcipher HPH (Hash-Permutation-Hash), which is built from a public random permutation P and a family of almost-XOR-universal (AXU) hash functions \( \mathcal{H}={\left\{ H_K\right\}}_{K\in \mathcal{K}} \) serving as the tweak and key schedule. It is defined as \( y = \mathrm{HPH}_K((t_1, t_2), x) = P\bigl(x \oplus H_K(t_1)\bigr) \oplus H_K(t_2) \), where K is a key randomly chosen from the key space \( \mathcal{K} \), \( (t_1, t_2) \) is a tweak chosen from a valid tweak space \( \mathcal{T} \), x is a plaintext block, and y is the corresponding ciphertext block. We prove that HPH is a secure strong tweakable pseudorandom permutation (STPRP) using the H-coefficients technique. We then study the security of HPH against multi-key and related-key attacks, and prove that HPH achieves both multi-key STPRP security and related-key STPRP security. HPH has wide applications: it can be applied directly to authentication and authenticated encryption modes. We apply HPH to PMAC1 and OPP, obtaining an improved authentication mode HPMAC and a new authenticated encryption mode OPH, and prove that both modes achieve single-key security, multi-key security, and related-key security.
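The construction in the abstract, as an added worked example (this is not code from the paper): a toy HPH instance on 16-bit blocks. Every concrete choice below is an assumption of the example rather than the paper's instantiation. The public permutation \( P \) is a fixed Fisher-Yates shuffle of the 16-bit block space from a hard-coded seed, standing in for a public random permutation; the AXU family is \( H_K(t) = K \cdot t \) in \( \mathrm{GF}(2^{16}) \) with modulus 0x1100B, which is \( 2^{-16} \)-AXU because \( K \cdot (t \oplus t') = \delta \) has exactly one solution \( K \) whenever \( t \neq t' \); and the valid tweak space is assumed to exclude \( (0, 0) \), because with a linear hash that tweak gives \( y = P(x) \) with no key involved at all. The block verifies the AXU count exhaustively and shows that decryption requires \( P^{-1} \), which is why the strong (inverse-query) TPRP notion is the relevant one.

```python
"""Toy HPH: y = P(x XOR H_K(t1)) XOR H_K(t2) on 16-bit blocks.

Added example, not code from the paper.  Assumptions (not from the page):
  * P is a fixed Fisher-Yates shuffle of {0..2^16-1} from a hard-coded seed,
    a stand-in for the paper's public random permutation;
  * H_K(t) = K * t in GF(2^16) with modulus 0x1100B, a 2^-16-AXU family;
  * the valid tweak space excludes (0, 0), since with this linear hash
    that tweak reduces HPH to the keyless public permutation P.
"""
import random

N_BITS = 16
MASK = (1 << N_BITS) - 1
POLY = 0x1100B            # x^16 + x^12 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^16) modulo POLY (shift-and-add, reducing after each shift)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:        # degree reached 16: subtract the modulus
            a ^= POLY
    return r & MASK


def hash_axu(key: int, tweak: int) -> int:
    """H_K(t) = K * t: the almost-XOR-universal hash used as tweak/key schedule."""
    return gf_mul(key & MASK, tweak & MASK)


def make_public_permutation(seed: int = 2018):
    """Fixed, publicly known permutation P and its inverse P^-1 (assumed model of P)."""
    rng = random.Random(seed)
    perm = list(range(1 << N_BITS))
    rng.shuffle(perm)
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv


P, P_INV = make_public_permutation()


def _check_tweak(t1: int, t2: int) -> None:
    # Assumed restriction on the valid tweak space (see module docstring).
    if (t1 & MASK) == 0 and (t2 & MASK) == 0:
        raise ValueError("tweak (0, 0) reduces HPH to the public permutation P")


def hph_encrypt(key: int, tweak: tuple, x: int) -> int:
    """y = P(x XOR H_K(t1)) XOR H_K(t2)."""
    t1, t2 = tweak
    _check_tweak(t1, t2)
    return P[(x & MASK) ^ hash_axu(key, t1)] ^ hash_axu(key, t2)


def hph_decrypt(key: int, tweak: tuple, y: int) -> int:
    """x = P^-1(y XOR H_K(t2)) XOR H_K(t1): the inverse direction needs P^-1."""
    t1, t2 = tweak
    _check_tweak(t1, t2)
    return P_INV[(y & MASK) ^ hash_axu(key, t2)] ^ hash_axu(key, t1)


def axu_collision_count(t1: int, t2: int, delta: int) -> int:
    """Number of keys K with H_K(t1) XOR H_K(t2) == delta, by exhaustion over GF(2^16).

    For t1 != t2 this is exactly 1 for every delta, i.e. H is 2^-16-AXU.
    """
    return sum(1 for k in range(1 << N_BITS)
               if hash_axu(k, t1) ^ hash_axu(k, t2) == delta)


def roundtrip_ok(key: int, trials: int = 1000, seed: int = 7) -> bool:
    """Encrypt then decrypt random (tweak, plaintext) pairs; True if all invert."""
    rng = random.Random(seed)
    for _ in range(trials):
        tweak = (rng.randrange(1, 1 << N_BITS), rng.randrange(1 << N_BITS))
        x = rng.randrange(1 << N_BITS)
        if hph_decrypt(key, tweak, hph_encrypt(key, tweak, x)) != x:
            return False
    return True


def key_independent_tweak_rejected(key: int) -> bool:
    """True if the degenerate tweak (0, 0) is refused."""
    try:
        hph_encrypt(key, (0, 0), 0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = 0xBEEF
    y = hph_encrypt(k, (0x0102, 0x0304), 0x1234)
    print(f"y = {y:#06x}, decrypts to {hph_decrypt(k, (0x0102, 0x0304), y):#06x}")
    print("roundtrip ok:", roundtrip_ok(k))
    print("keys with H_K(1) ^ H_K(2) == 5:", axu_collision_count(1, 2, 5))
    print("(0, 0) tweak rejected:", key_independent_tweak_rejected(k))
```

Run it directly to see one encryption, its decryption, the exhaustive AXU count and the tweak check. A seeded shuffle of 16-bit blocks is only a model of the public random permutation in the paper's proof, not a cipher anyone should deploy; the point is that the whole key and tweak dependence sits in the two masks \( H_K(t_1) \) and \( H_K(t_2) \) around a keyless \( P \), so the hash family's AXU quality and the exclusion of degenerate tweaks carry the security.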

Keywords

tweakable blockcipher; H-coefficients technique; authentication; authenticated encryption; provable security


Supplementary material

ESM 1 (PDF, 119 kb): 11390_2018_1886_MOESM1_ESM.pdf


Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. Key Laboratory of Electromagnetic Space Information, Chinese Academy of Sciences, Hefei, China
  2. School of Information Science and Technology, University of Science and Technology of China, Hefei, China