Skip to content
BY-NC-ND 3.0 license Open Access Published by De Gruyter June 19, 2018

On the optimality of non-linear computations for symmetric key primitives

  • Avik Chakraborti , Nilanjan Datta EMAIL logo and Mridul Nandi

Abstract

A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate block outputs and show that at least (+-1) block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to blocks only. If =, in order to achieve SPRP security, the mode requires at least 2 many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least 2r-1 many and overall at least 2r-1 many block-functions for many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least 2r non-linear block-functions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least many block-function invocations to process an block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than or (ii) the number of extra non-linear block-functions required to generate the tag depends on .

MSC 2010: 94A40; 68P25; 94A62

1 Introduction

The common application of cryptography is to implement a secure communication between two parties Alice and Bob, who want to exchange information over an insecure channel. In the symmetric key setting, it is assumed that Alice and Bob have a secret shared key, either a one-time shared key or through some key-exchange protocols. They use this key to encrypt or authenticate a message using efficient symmetric-key algorithms such as encryption and message authentication codes or MAC. The encryption provides privacy or confidentiality (hiding the sensitive message) resulting in a ciphertext, whereas a MAC provides integrity or authenticity (authenticating the transmitted message M) by generating a tag.

For encryption, the sender takes a message m and the secret key κ, calls the encryption algorithm (κ,m) to produce a ciphertextc and sends it to the receiver. The receiver now executes the decryption algorithm 𝒟(κ,c) that takes as input the ciphertext c and the secret key κ to recover the plain-text m. Since κ is known only to the sender and the receiver, no one else can succeed in decrypting c with non-negligible probability.

In message authentication codes, the sender takes a plain-text m and the secret key κ and executes the message authentication code algorithm (κ,m) to generate a fixed length output called a tagt. The sender sends the pair (m,t) to the receiver. On receiving a message tag pair (m,t), the receiver uses the MAC algorithm (κ,m) to generate a tag t and verify whether t is same as the received tag t. If so, the receiver is convinced about the authenticity of the message m. Again, the secrecy of the key κ ensures that no one other than the sender or the receiver can succeed in generating a valid tag t, with non-negligible probability.

An authenticated encryption (AE) scheme combines the above two algorithms (encryption and MAC) and provides the privacy as well as the authenticity or data integrity of a plain-text m. Along with the plain-text it can also take associated data (e.g., size and header information) d and guarantees only the integrity of d. The authenticated encryption algorithm 𝒜.k(n*,d,m) takes as input a plain-text m, a nonce n* and an associated data d (optional) and returns a ciphertext c along with a tag t. Sometimes we use the notion tagged-ciphertext to refer to (c,t), the ciphertext-tag pair together. The decryption algorithm 𝒜.𝒟κ(n*,d,(c,t)) takes a nonce n*, an associated data d and the tagged-ciphertext (c,t). It returns the corresponding plain-text m if the tagged-ciphertext is valid or an abort symbol (meaning the tagged-ciphertext is not valid).

1.1 Affine mode of operation

An affine mode of operation is defined by an oracle algorithm which interacts with block-functions (usually keyed) as oracles such that all inputs to the block-functions are computed through some public affine functions (determined by the design) of the message and previous obtained responses of the block-functions. Finally, the output is also computed through another public affine function of the message and all the block-function outputs. This class covers a wide range of encryption, MAC and authenticated encryption algorithms.

Popular symmetric key enciphering schemes like Luby–Rackoff (LR) [17], Feistel type encryption schemes [3, 11], CMC [9], EME [10, 7] HCTR [24, 6], TET [8], HEH [23] etc. belong to affine modes of operation. Online constructions like HCBC [1], MHCBC [18], TC3 [22] etc. are also examples of affine modes of operation. Almost all the MAC functions (e.g., CBC-MAC [2], PMAC [4], TMAC [16], OMAC [12], DAG-based constructions [14], a sub-class of affine domain extension or ADE [19] etc.) are also covered by this approach. Moreover, most of the popular AE schemes like CCM, GCM, OCB or ELmD also use the affine modes. Thus, the affine modes of operation includes a wide class of symmetric key algorithms.

1.2 Our contribution

In Section 3, we begin with the affine mode encryption schemes and show that a PRF secure affine mode encryption requires at least +-1 many non-linear computations that process an block message and produces block () ciphertext. Moreover, if the construction is nonce based, then the number of block-functions required to achieve PRP comes down to only . If we consider length-preserving encryption (i.e. =) and we want SPRP security, then at least 2 many block-functions are necessary.

Then we consider r-block affine online modes in Section 4. A sequence of r consecutive blocks are called chunks. Informally, an r-block affine online mode has the chunk-wise online property, meaning if two messages are identical up to the i-th chunk, then their i-th ciphertext chunks will be identical. In this work, we show that an r-block online encryption mode can achieve online PRP security if for any message of chunks it uses at least 2r-1 many block-function invocations. Moreover, each chunk requires at least 2r-1 many block-functions and any two chunks with 2r-1 many block-functions must have at least one chunk with more than 2r many block-functions in between. We also show that in order to achieve the online SPRP security, each chunk requires at least 2r many non-linear computations, and hence to process a message of chunks, at least 2r many non-linear computations are necessary.

Next, in Section 5, we consider linear MAC modes and show that an integrity-secure linear MAC mode requires at least many non-linear computations to process a message of -blocks. For all these cases, we have shown tightness of the bound.

Finally, we consider authenticated encryption modes in Section 6 and show that in order to achieve INT-RUP security and integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than or (ii) the number of additional non-linear block-functions required to generate the tag depends on .

1.3 Published and new contents

In [20], Nandi proved that a length preserving PRF (PRP) secure linear mode encryption requires at least 2-1 many (respectively 2 many) non-linear computations to process an block message. We have extended the results from linear modes to affine modes and from length preserving encryptions to length preserving as well as extending encryptions.

Section 4 is dedicated to find the optimal number of non-linear computations to process an chunk (a chunk is a sequence of r-blocks) messages for r-online affine modes. Section 5 considers affine MAC modes and we find the optimal number of non-linear computations to process blocks of MAC modes. These results are fresh and not published.

In Section 6, we mainly focus on finding the optimal number of non-linear computations to process an block message for an affine mode authenticated encryption scheme. The main result of the chapter is the insecurity of rate-1 authenticated encryptions in INT-RUP as well as in a nonce-misuse scenario. This result was published in [5].

2 Preliminaries

2.1 Notations

Let n be a positive integer. A block is defined as an element of the set 𝔹:={0,1}n. Any element x𝔹 is an -tuple (x1,,x). The number of blocks in x is denoted by :=x. We represent a tuple of blocks (xa,,xb) by xab and (x1,,xa) by xa. For any two -tuples x=(x1,,x) and y=(y1,,y), we denote by xy the -tuple (x1y1,,xy).

Let 𝕄a×b be an a×b matrix with elements from 𝔹. Then we denote the element in the i-th block-row and the j-th block-column by M[i,j]. By M[i,*] and M[*,j], we denote the i-th row and j-th column, respectively. For 1ija, we also write M[ij;*] to mean the sub-matrix consisting of all rows between i and j. We simply write M[j;*] and M[i;*] to denote M[1j;*] and M[ia;*], respectively. We define similar notation for columns. Suppose 𝕄n(a,b) denotes the set of all partitioned matrices Ma×b (of size a×b as a block partitioned matrix and of size an×bn as a binary matrix), where M[i,j] is a block-matrix for all i{1a} and j{1b}. Let M and N be two matrices with the same number of rows. Then the concatenation of M and N is denoted by [M:N]. We use the notation xy to denote the concatenation of two bit strings x and y. For a set S, we let S+=i=1Si, Sn=i=1nSi and S*=S+{λ}, where λ is the empty string. The usual choice of S is {0,1}. Let vtr denote the transpose of a vector v.

2.2 Security definitions

In this section, we discuss various security notions of keyed functions. We call an oracle algorithm 𝒜 a (t,q)-algorithm if it makes at most q queries and runs in time t. For notational simplicity, we skip the time parameter t which is irrelevant in this paper. We also simply write Func(,) and Perm() to denote the set of all functions from 𝔹 to 𝔹 and permutations over 𝔹, respectively. Throughout this paper, we assume 𝒦 to be the key-space.

Definition 2.1 (PRF).

Let F:𝒦×𝔹𝔹 be a (keyed) function. We say that F is (qe,ϵ)-PRF if for any qe-algorithm 𝒜 the prf-distinguishing advantage

𝐀𝐝𝐯Fprf(𝒜):=|𝖯𝗋[𝒜Fκ=1;κ$𝒦]-𝖯𝗋[𝒜G=1;G$Func(,c)]|

is at most ϵ. We call a randomly chosen G to be the (uniform) random function.

Definition 2.2 ((S)PRP).

A keyed permutation F over 𝔹 is a function F:𝒦×𝔹𝔹 such that for all keys κ𝒦 one has Fκ:=F(κ,)Perm(). A keyed permutation F is called (qe,ϵ)-PRP if for any qe-algorithm 𝒜 the prp-distinguishing advantage

𝐀𝐝𝐯Fprp(𝒜):=|𝖯𝗋[𝒜Fκ=1;κ$𝒦]-𝖯𝗋[𝒜Π=1;Π$Perm()]|

is at most ϵ. We call a randomly chosen Π to be the (uniform) random permutation. Similarly, a keyed permutation F is called (qe,ϵ)-SPRP if for any qe-algorithm 𝒜 the sprp-distinguishing advantage

𝐀𝐝𝐯Fsprp(𝒜):=|𝖯𝗋[𝒜Fκ,Fκ-1=1;κ$𝒦]-𝖯𝗋[𝒜Π,Π-1=1;Π$Perm()]|

is at most ϵ.

Definition 2.3 (Integrity or authenticity).

A keyed function F is called (qe,qf,ϵ)-forgeable if for any (qe,qf)-algorithm 𝒜 (an algorithm that makes q many queries and qf many forging attempts) the integrity (INT) advantage

𝐀𝐝𝐯Fint(𝒜):=|𝖯𝗋[𝒜Fκ𝖿𝗈𝗋𝗀𝖾𝗌;κ$𝒦]|

is at most ϵ. We say that 𝒜𝖿𝗈𝗋𝗀𝖾𝗌 if 𝒜 can produce a valid message and tag pair (m*,fκ(m*)) without querying m* during the encryption queries.

Definition 2.4 (Integrity of ciphertext (INT-CTXT)).

A length extending keyed function F is called (qe,qf,ϵ)-forgeable if for any (qe,qf)-algorithm 𝒜 the integrity of ciphertext (INT-CTXT) advantage

𝐀𝐝𝐯Fint_ctxt(𝒜):=|𝖯𝗋[𝒜Fκ𝖿𝗈𝗋𝗀𝖾𝗌;κ$𝒦]|

is at most ϵ. We say that 𝒜𝖿𝗈𝗋𝗀𝖾𝗌 if 𝒜 can produce a valid ciphertext FK(m*) without querying m* during the encryption queries.

Definition 2.5 (Integrity of ciphertext under released unverified plaintext).

Let Dκ be the decryption algorithm without verification that outputs the plaintext without verification. A length extending keyed function F is called (qe,qd,qf,ϵ)-forgeable if for any (qe,qd,qf)-algorithm 𝒜 (an algorithm that makes qe many encryption, qd many unverified decryption and qf many forging queries) the integrity of ciphertext under release of unverified plaintext (INT-RUP) advantage

𝐀𝐝𝐯Fint_rup(𝒜):=|𝖯𝗋[𝒜Fκ,Dκ𝖿𝗈𝗋𝗀𝖾𝗌;κ$𝒦]|

is at most ϵ. The definition of forging is the same as used in INT-CTXT notion.

2.3 Useful properties of matrices

It is well known that the maximum numbers of linearly independent (binary) rows and columns of a matrix A𝕄n(s,t) are the same, and this number is called the rank of the matrix, denoted by rank(A). It is easy to see that rank(A)min{ns,nt}. Consider a system of solvable linear equations Ax=b or wA=b. One can solve the equation for some x or w, respectively, (not necessarily unique) using the Gaussian elimination method, denoted by solve and 𝗌𝗈𝗅𝗏𝖾*, respectively:

x=𝗌𝗈𝗅𝗏𝖾(A,b),w=𝗌𝗈𝗅𝗏𝖾*(A,b).

By convention, whenever a non-zero solution exists, it returns a non-zero solution. Note that if

wtr=𝗌𝗈𝗅𝗏𝖾(Atr,btr),

then wA=b (by applying the transpose). Now we state two important results.

Lemma 2.6.

Let AMn(s,t) and r:=rank(A).

  1. If r<ns (i.e. presence of row-dependency), then 𝘴𝘰𝘭𝘷𝘦(Atr,0) returns a non-zero solution.

  2. Similarly, for r<nt (i.e. presence of column-dependency), 𝘴𝘰𝘭𝘷𝘦(A,0) returns a non-zero solution.

  3. Finally, if r=nt (i.e. full column rank) and b:=Aw, then 𝘴𝘰𝘭𝘷𝘦(A,b) returns a unique solution.

Lemma 2.7.

Suppose AMn(s,s) is a non-singular matrix, i.e. rank(A) =ns. Let t<s and

B=(A[t,*]𝟎𝟎A[t,*]A[t+1,*]A[t+1,*]),

where 0 denotes the zero matrix of appropriate size. Then rank(B)=n(s+t) (i.e. full row-rank).

As the results are straightforward, we skip the proofs.

3 Optimality for PRF and SPRP in affine modes

In this section, we find the tight lower bound on the number of invocations of building blocks for achieving PRP and SPRP security as in Table 1.

To do so, we first provide the formal description of an affine mode encryption scheme.

3.1 Formal definition of affine mode encryption

An affine mode encryption scheme

,,q,Π~,κ:=(1,2),

parameterized by a family of q many permutations Π~=(π1,,πq), takes an -block message m and an optional nonce n* and returns an -block ciphertext c as follows:

ui=1(v1,,vi-1,m,κ,n*),i=1,,q,
vi=πi(ui),i=1,,q,
c=2(v1,,vq,m,κ,n*).

Here ui and vi’s are the i-th non-linear input and output, respectively, and

κ=(1κ),

where κ:=(κ1,,κk-1) is the set of masking keys used. The entry 1 ensures that the construction is affine. It is easy to see that the function ,,q,Π~,κ can alternatively represented by a (q+)×(q++k+1) encryption co-efficient matrix E (with E11 strictly lower triangular) such that

(uc)=((E11)q×q(E12)q×(E13)q×k(E14)q×1(E21)×q(E22)×(E23)×k(E24)×1)(vmκn*),

where πi(ui)=vi. The function needs to be decryptable, meaning there should exist a corresponding (q+)×(q++k+1) decryption matrix D, α:=(α1,,αq){1,-1}q and a permutation β on [1q] such that

(xm)=((D11)q×q(D12)q×(D13)q×k(D14)q×1(D21)×q(D22)×(D23)×k(D24)×1)(ycκn*),

where πβ(i)αi(xi)=yi with the property

(ui,vi)={(xβ(i),yβ(i))if αi=1,(yβ(i),xβ(i))if αi=-1.
Table 1

Optimal block-functions required for affine mode encryption with blocks input and c blocks output (where ).

NonceSecurityOptimal number of block-functionsExamples with tight bound
NoPRF(+-1)3 round LR
NoSPRP2CMC
YesPRFOCB

Now consider a length-preserving encryption scheme ,,q,Π~,K. Until and unless specified, we will assume the encryption scheme does not use any nonce, i.e. E14=E24=D14=D24=0. In the following two subsections, we will show PRF and SPRP distinguishing attacks on this scheme if q(+-2) and q(2-1), respectively. The tightness of the bound is achieved by 3-round Luby–Rackoff (which uses three block-functions to process two blocks and achieves PRP) and CMC (uses 2 block-functions to process an block message and achieves SPRP). Moreover, we will show that under distinct nonce the optimal number of block-functions required to make ,t,q,Π~,K secure drastically reduces to q=.

3.2 PRF distinguishing attack on ,,q,Π~,κ for q+-2

Here we provide the attack assuming q=(+-2). The attack can be trivially extended to all such constructions with q<(+-2).

Description of the PRF Distinguisher 𝒜𝗉𝗋𝖿.

  1. (Finding a suitable difference in a pair of plaintext queries): Find δ𝔹:

    δ=𝗌𝗈𝗅𝗏𝖾(E12[(-1);*],0-1).
  2. (Make the queries with the difference obtained in (step 1)): Now the distinguisher makes two block queries 0 and δ and obtains corresponding responses c=(0) and c=(δ). For simplicity, we ignore the parameter set of as it is clear from the context.

  3. (Find a nullifier of unknown intermediate values): Find δ𝔹:

    δ=𝗌𝗈𝗅𝗏𝖾*(E21[*;(+-2)],0-1).
  4. (The distinguisher event): If δΔc=δE22δ, then it returns 1 (decision for the keyed construction), else it returns 0 (decision for uniform random permutation).

Brief explanation.

In (step 1) and (step 3), we can find such a non-zero δ and δ, respectively, using Lemma 2.6. Now let u1,v1,,u+-2,v+-2 and u1,v1,, u+-2,v+-2 be the intermediate inputs-outputs for the two queries 0 and δ, respectively. From Lemma 2.7 we have 1i(-1), ui=ui and vi=vi, i.e. Δv1(-1)=0, and hence

δΔc=δE21[*;(+-2)]Δv(+-2)+δE22d=δE22d.

The distinguishing advantage of the above distinguisher 𝒜𝗉𝗋𝖿 is at least 12 since for a random permutation the event δΔc=δE22d holds with probability 12, whereas for the keyed construction it holds with probability 1.

A generalized distinguisher 𝒜𝗉𝗋𝖿gen on ,,q,Π~,κ.

Now we define a generalized distinguisher against this mode assuming there exists an integer * such that

rank(E12[*;*])<nandrank(E21[*;(*+1)q])<n.

Note that the above assumptions always hold for *=(-1) when q(+-2). However, if q(+-1), both conditions do not necessarily hold. Whenever the assumptions hold, we have the following similar distinguisher.

Distinguisher 𝒜𝗉𝗋𝖿gen against ,,q,Π~,κ.

  1. Due to our assumptions, we can find δ𝔹 and δ𝔹:

    δ=𝗌𝗈𝗅𝗏𝖾(E12[t;*],0-1),δ=𝗌𝗈𝗅𝗏𝖾*(E21[*;(t+1)q],0-1).
  2. Then we make two queries 0 and δ and obtain responses c and c.

  3. The distinguisher returns 1 if δΔc=δE22δ, else 0.

This distinguisher will be used later while describing SPRP distinguishers.

3.3 SPRP distinguishing attack on ,,q,Π~,κ with q2-1

Now we will show that if q=2-1, then we have an SPRP distinguisher. Again, the attack can be trivially extended to all such constructions with q2-1.

A Rough Sketch of the Distinguisher.

Here we provide a brief idea on how the distinguisher works. The distinguisher first makes two queries so that the first (-1) intermediate inputs and outputs are identical for two encryption queries. Using the invertible property, we can actually obtain all the differences in the intermediate values. As the computation of the decryption algorithm must use the same internal inputs and outputs of the building blocks, we also know the differences of intermediate inputs and outputs if we decrypt the first two encryption queries. Now we find another decryption query for which the first intermediate input and output differences with one of the first two queries are fixed. So we can nullify the unknown (-1) differences and obtain a distinguishing event. The formal attack details are described below: For this attack, we first assume the following:

E21[(2-1);*] and D11[;*] are invertible.

Observe that, if rank(E21[(2-1);*])<n or rank(D11[;*])<n, then the two assumptions mentioned in the generalized distinguisher 𝒜𝗉𝗋𝖿gen hold for t=-1 and we can run the PRF-distinguisher 𝒜𝗉𝗋𝖿gen. So, we assume that E21[(2-1);*] and D11[;*] are invertible. Now we provide the algorithmic description of the distinguisher.

Description of the SPRP-distinguisher 𝒜𝗌𝗉𝗋𝗉.

  1. (Find a suitable difference in a pair of plaintext queries): Find δ=𝗌𝗈𝗅𝗏𝖾(E12[(-1);*],0-1).

  2. (Make the queries with the difference obtained in (step 1)): Now the distinguisher makes two queries 0 and δ and obtains corresponding responses c=(0) and c=(δ), respectively. Let u1,v1,,u2-1,v2-1 and u1,v1,, u2-1,v2-1 respectively denote the intermediate block-cipher inputs and outputs of the two queries. It is easy to see that 1i(-1), ui=ui,vi=vi and

    Δc:=c+c=E21[(2-1);*]Δv+E22δ.
  3. (Solve Δu, Δv for the 2-queries): Using the invertible property of E21[(2-1);*], we can actually solve Δv and hence Δu. Thus, we know Δu and Δv.

  4. (Find Δx, Δy for the 2-queries): Suppose we make two (redundant) decryption queries c and c (whose responses must be 0 and d) and let x1,y1,, x2-1,y2-1 and x1,y1,,x2-1,y2-1 respectively denote the intermediate inputs and outputs for the two queries. Then by the definition of the decryption algorithm we also know Δx and Δy, which are nothing but a (β,π)-reordering of (Δu,Δv).

  5. (Find a difference for the final decryption query): Now we find a difference δ such that

    (D11[;*]D12[;*])(δΔy1)=(Δx10-1).

    We can solve the above equation for a non-zero δ, assuming that Δx10 (since otherwise we do not get a non-zero δ. Note that Δx1 can be written as a function of c and c. So for a random permutation, a function of c and c becoming zero has low probability). Moreover, we already have the assumption that D11[;*] is invertible.

  6. (Make the queries with the difference obtained in (step 5)): Now we make two decryption queries c¯ and c¯, where c¯=c¯+δ, with the first block-cipher input being x1 and x1, respectively. While we set two queries, we should ensure that none of these have been obtained in the first two encryption queries (these are also called non-pointless or non-trivial queries). Let x1,y1,x¯2,y¯2,,x¯2-1,y¯2-1 and x1,y1,x¯2,y¯2,,x¯2-1,y¯2-1 respectively denote the intermediate inputs and outputs for these two queries, and let M¯ and M¯ denote the corresponding responses. By the choice of δ, we know that Δy¯2=0-1.

  7. (Find a nullifier of unknown intermediate values, same as PRP distinguisher): Find

    δ*=𝗌𝗈𝗅𝗏𝖾*(D21[*,+1],0-1).
  8. (The distinguisher event): If δ*ΔM¯=δ*D22d, then it returns 1 (decision for the keyed construction), else it returns 0 (decision for uniform random permutation).

3.4 PRF distinguishing attack on nonce-based ,,q,Π~,κ with q-1

Here we provide the attack assuming q=-1. The attack can be trivially extended to all those constructions with q<-1.

Description of the PRF-distinguisher 𝒜n_prf.

  1. (Finding a suitable difference in a pair of plaintext queries): Let δ be an block non-zero vector. Find δ=𝗌𝗈𝗅𝗏𝖾(E12[;*],E14δ).

  2. (Make the queries with the difference obtained in (step 1)): Now the distinguisher makes two queries (n*,0) and (n*+δ,δ) and obtains corresponding responses c=(n*,0) and c=(n*+δ,δ).

  3. (The distinguisher event): If Δc=(E22δ+E24δ), then it returns 1 (decision for the keyed construction), else it returns 0 (decision for uniform random function).

3.5 Optimal number of block-functions for affine mode enciphering schemes

Here we provide the optimal number of block-functions required for PRF and SPRP security for length preserving encryption schemes and PRF security for length expanding encryption schemes.

Theorem 3.1.

An affine mode encryption that takes a message of length blocks (and outputs blocks), requires at least 2-1 many block-functions to achieve PRP security. If we consider a length-preserving encryption (i.e. =), then it requires at least 2 block-function calls to achieve SPRP security.

Proof.

The result follows from the description of 𝒜𝗉𝗋𝗉 and 𝒜𝗌𝗉𝗋𝗉. ∎

Theorem 3.2.

An affine mode encryption with nonce (non-repeating) that takes a message of length blocks (and outputs blocks) requires at least many block-functions to achieve PRF security.

Proof.

The result follows from the description of 𝒜n_prf. ∎

The optimality is achieved with a simple variant of 3-round Luby Rackoff (PRF with ==2), CMC (SPRP with any ) and OCB (nonce-based PRP with any and =+1).

4 Optimality for online PRF and online SPRP in affine modes

In this section, we concentrate on the affine mode online encryption. First, we provide the formal definition of it, then we find some important properties and use them show the results in Table 2.

Table 2

Optimal block-functions required for length-preserving r-online encryption. Here weconsider the length of a message to be many r-blocks.

SecurityOptimal number ofOptimal number ofExamples with tight bound
total block-functionsblock-functions per chunk
online PRF2r-12r-1A variant of HCBC-1
online SPRP2r2rTC3

4.1 r-block online encryption mode

Tweak-updatable chunk-wise encryption.

We call r-blocks a chunk. In this section, we describe tweak-updatable chunk-wise encryption, the basic building block of r-block online affine mode. Given r, the basic building block q,Π~:=(1,2,3) (parameterized by a family of q many permutations Π~=(π1,,πq)) takes an r-block message m and a tweak value w of t blocks and returns an r-block ciphertext c and an updated tweak w as follows:

ui=1(v1,,vi-1,m,w,κ),i=1,,q,
vi=πi(ui),i=1,,q,
c=2(v1,,vq,m,w,κ),
w=3(v1,,vq,m,w,κ).

It is easy to see that the function q,Π~ can alternatively be represented by a (q+r+t)×(q+r+t+k) encryption co-efficient matrix E (with E11 strictly lower triangular) such that

(ucw)=((E11)q×q(E12)q×r(E13)q×t(E14)q×k(E21)r×q(E22)r×r(E23)r×t(E24)r×k(E31)t×q(E32)t×r(E33)t×t(E34)t×k)(vmwκ),

where πi(ui)=vi. The function needs to be decryptable, meaning there should exist a corresponding (q+r+t)×(q+r+t+k) decryption matrix D, α:=(α1,,αq){1,-1}q and a permutation β on [1q] such that

(xmw)=((D11)q×q(D12)q×r(D13)q×t(D14)q×k(D21)r×q(D22)r×r(D23)r×t(D24)r×k(D31)t×q(D32)t×r(D33)t×t(D34)t×k)(ycwκ),

where πβ(i)αi(xi)=yi with the property

(ui,vi)={(xβ(i),yβ(i))if αi=1,(yβ(i),xβ(i))if αi=-1.

r-block online encryption mode.

The r-block online encryption takes a tweak τ and a message M of chunks (each containing r blocks), and computes the ciphertext C of length as follows:

w(0)=τ,
(c(i),w(i))=qi,Π~ii(m(i),w(i-1))for i=1,,.

Figure 1 r-block linear online encryption mode.
Figure 1

r-block linear online encryption mode.

It is easy to see that an r-block online encryption mode is defined by the sequence of qi,Π~ii matrices seen in Figure 1.

Examples.

HCBC [1], MHCBC [18] and TC3 [22] are some examples of linear online encryption modes with r=1.

4.2 Finding tweak difference Δwi for two messages

Let qi,Π~i be the i-th chunk-wise encryption. Suppose Δwi-1 (the state difference for two messages m1 and m2 of (i-1) chunks) is known. We will show that if Δwi-1=0, then qi2r-1, and if Δwi-1 is non-zero, then qi2r.

Lemma 4.1.

Consider a chunk-wise encryption E2r,Π~i. Given a non-zero Δwi-1 for two messages, one can find two messages for which Δwi is computable.

Proof.

Given a non-zero Δw, we find Δm and calculate the corresponding Δw as follows:

(i) Find Δm, a suitable difference in a pair of plaintext queries:

Δm=𝗌𝗈𝗅𝗏𝖾(E12i[r;*],E13iΔw).

We can find such a Δm given E13iΔw is non-zero. Now we set m1=0r and m1=Δm and make queries to 2r,Π~i. Let the i-th ciphertext chunks be c1 and c1.

(ii) Find a nullifier δ*𝔹r+1 of unknown intermediate values:

δ*=𝗌𝗈𝗅𝗏𝖾*(E*,0r),where E*=(E21i[r;(r+1)2r]E31i[1;(r+1)2r]).

(iii) Find the updated tweak difference Δw from the equation

(4.1)δ*(ΔcΔw)=δ*(E22iE32i)ΔM+δ*(E23iE33i)Δw.

Explanation. Let u1,v1,,u2r,v2r and u1,v1,,u2r,v2r respectively denote the intermediate inputs and outputs for the two queries 0r and Δm. Now we have 1ir, ui=ui,vi=vi and

(ΔcΔw)=(E21i[r;(r+1)2r]E31i[1;(r+1)2r])Δv(r+1)+(E22iE32i)Δm+(E23iE33i)Δw.

Multiplying both sides of the equation by δ*, we obtain equation (4.1). ∎

Corollary 4.2.

Consider a chunk-wise encryption E2r-1,Π~i. Given Δw=0, one can find Δm for which Δw is computable.

Proof.

The proof is similar to the one of the previous lemma. For completeness, we provide the sketch of the proof. First, we find

Δm=𝗌𝗈𝗅𝗏𝖾(E12i[(r-1);*],0r-1)

and make queries with m1=0r and m2=Δm. Let the corresponding responses be c1 and c2. Then we find the nullifier δ*𝔹r+1 similar to the previous proof:

δ*=𝗌𝗈𝗅𝗏𝖾*(E*,0r),where E*=(E21i[r;(r+1)2r]E31i[1;(r+1)2r]).

Now, one can find Δw from the equation

δ*(ΔcΔw)=δ*(E22iE32i)Δm.

4.3 Finding minimum number of block-functions for PRF security of the i-th tweak updatable chunk-wise encryption

Lemma 4.3.

Given a non-zero Δw, the chunk-wise encryption E2r-1,Π~i is not PRF.

Proof.

Here we describe an adversary 𝒜𝗉𝗋𝖿 that distinguishes 2r-1,Π~i from a random function, given a non-zero tweak value difference Δw.

Description of the PRF-distinguisher 𝒜𝗉𝗋𝖿.

  1. (Find the suitable difference in a pair of queries): Find Δm𝔹r:

    Δm=𝗌𝗈𝗅𝗏𝖾(E12i[r;*],E13iΔw).
  2. (Make queries with the difference obtained in (step 1)): Now the distinguisher makes two queries with m1 and (m1+Δm) and obtains corresponding responses c1 and c2.

  3. (Find the nullifier of the unknown intermediate values): By using Lemma 2.6, find δ*𝔹r:

    δ*=𝗌𝗈𝗅𝗏𝖾*(E21i[r;r(2r-1)],E23iΔw).
  4. (The distinguisher event): If δ*(c1+c2)=δ*E22iΔm+δ*E23iΔw, then it returns 1 (decision for the keyed construction), else it returns 0 (decision for uniform random permutation).∎

By using a similar idea, one can also show the following proposition.

Proposition 4.4.

Given Δw=0, the chunk-wise encryption E2r-2,Π~i is not PRF.

So, we observed that if a non-zero input tweak difference can be observed, then a tweak updatable chunk-wise encryption requires at least 2r many block-functions. Similarly, if only zero tweak difference is observed, then it requires at least 2r-1 many block-functions.

4.4 Finding the minimum number of block-functions for SPRP security of tweak updatable chunk-wise encryption

Lemma 4.5.

The chunk-wise encryption E2r-1,Π~i is not SPRP.

Proof.

Here we describe an SPRP distinguisher for an r-online mode having one chunk-wise encryption block 2r-1,Π~i. The idea is similar to the one used by Nandi in [20].

Description of the SPRP-distinguisher 𝒜𝗌𝗉𝗋𝗉.

  1. (Find a suitable difference in a pair of plaintext queries): Find δ𝔹r:

    δ=𝗌𝗈𝗅𝗏𝖾(E12i[r-1;*],0r-1).
  2. (Make the queries with the difference obtained in (step 1)): Now the distinguisher makes two queries mi-10r and mi-1δ and obtains corresponding responses

    ci-1c=(mi-10)andci-1c=(mi-1δ).

    Let u1,v1,,u2r-1,v2r-1 and u1,v1,, u2r-1,v2r-1 respectively denote the intermediate inputs and outputs for the i-th block of the two queries. It is easy to see that 1ir-1, ui=ui,vi=vi and

    Δc:=c+c=E21i[r(2r-1);*]Δvr+E22iδ.
  3. (Solve Δu, Δv for the 2-queries): Using the invertible property of E21i[r(2r-1);*], we can actually solve Δvr and hence Δur. Thus, we know Δu and Δv.

  4. (Find Δx, Δy for the 2-queries): Suppose we make two (redundant) decryption queries ci-1c and ci-1c (whose responses must be mi-10 and mi-1δ) and let x1,y1,,x2r-1,y2r-1 and x1,y1,,x2r-1,y2r-1 respectively denote the intermediate inputs and outputs for the two queries. Then by the definition of the decryption algorithm we also know Δx and Δy, which are nothing but a (β,π)-reordering of (Δu,Δv).

  5. (Find a difference for the final decryption query): Now we find a difference δ such that

    (D11i[r;*]D12i[r;*])(δΔy1)=(Δx10r-1).

    We can solve the above equation for a non-zero δ, assuming that Δx10 (see the remark below). Here we assume that the matrix D11i[r;*] is invertible.

  6. (Make the queries with the difference obtained in (step 5)): Now we make two decryption queries ci-1c¯ and ci-1c¯, where c¯=c¯+δ, with the first block-cipher input of the i-th chunk-wise encryption being x1 and x1. While we set two queries, we should ensure that none of these have been obtained in the first two encryption queries (these are also called non-pointless or non-trivial queries). Let x1,y1,x¯2,y¯2,,x¯2r-1,y¯2r-1 and x1,y1,x¯2,y¯2,, x¯2r-1,y¯2r-1 respectively denote the intermediate inputs and outputs for these two queries, and let m¯ and m¯ denote the corresponding responses. By the choice of δ, we know that Δy¯2r=0r-1.

  7. (Find a nullifier of unknown intermediate values, the same as the PRP distinguisher): Find a non-zero binary vector δ*𝔹r:

    δ*=𝗌𝗈𝗅𝗏𝖾*(D21i[*,r+1],0r-1).
  8. (The distinguisher event): If δ*Δm¯=δ*D22iδ, then it returns 1 (decision for the keyed construction), else it returns 0 (decision for uniform random permutation).∎

Remark.

In the above attack, we assume that Δx10 since otherwise we do not get a non-zero δ. Note that Δx1 can be written as a function of c and c, and for a random permutation the probability of the event Δx1=0 is low.

4.5 Optimal number of block-functions for online PRP and SPRP

Theorem 4.6.

An r-block online encryption mode of chunks requires (i) at least 2r-1 many block-functions with further restrictions that (ii) each chunk requires at least 2r-1 many block-functions and (iii) two chunks with 2r-1 many block-functions must have at least one chunk with more than 2r many block-functions in between.

Proof.

Condition (ii) follows directly from Proposition 4.4. Condition (iii) is obtained from the following arguments:

  1. Let i be the chunk with (2r-1) block-functions. From Proposition 4.2 we can query two messages m1 and m2, of i-chunks each (keeping the first (i-1) chunks identical) such that Δw(i) can be computed.

  2. Now using Lemma 4.3, we claim that i+1 requires at least 2r many block-functions.

  3. As Δw(i) is known, if i+1,,i+j use 2r many block-functions each, then, by applying Lemma 4.1 successively, one can compute Δw(i+j). Hence according to Lemma 4.3, i+j also requires at least 2r many block-functions. So, for any 2 chunks having (2r-1) block-functions there must be one chunk having more than 2r many block-functions.

It is easy to see that conditions (ii) and (iii) imply condition (i), and hence the theorem follows. ∎

Theorem 4.7.

An r-block online encryption mode of chunks requires at least 2r many block-functions with each chunk requiring at least 2r many block-functions.

Proof.

The proof follows from Lemma 4.5. ∎

The optimality is achieved with a simple variant of HCBC-1 (online PRP with r=1) and TC3 (online SPRP with r=1 and any ).

5 Optimality for message authentication codes in affine modes

In this section, we first formally define affine mode message authentication codes and then show that many block-function calls are required to process a message of length . A simple variant of PMAC is an example with the tight bound.

5.1 Affine MAC modes

Given a parameter q and a family of q many permutations Π~=(π1,,πq), an affine mode message authentication code ,q,Π~,κ:=(1,2) takes a message m and returns a b-block tag t as follows:

ui=1(v1,,vi-1,m,κ),i=1,,q,
vi=πi(ui),i=1,,q,
t=2(v1,,vq,m,κ).

It is easy to see that the function ,q,Π~,κ can alternatively be represented by a (q+b)×(q++k) MAC co-efficient matrix F (with F11 being strictly lower triangular) such that

(ut)=((F11)q×q(F12)q×(F13)q×k(F21)b×q(F22)b×(F23)b×k)(vmκ),

where πi(ui)=vi.

Examples.

CBC-MAC [2], PMAC [4], TMAC [16], OMAC [12], DAG-based constructions [14], a sub-class of affine domain extension or ADE [19] etc. are some examples of linear MAC modes.

5.2 Optimal number of block-functions for affine MAC mode

Theorem 5.1.

A secure affine mode MAC requires at least many block-functions to respectively process a message M of -blocks.

Proof.

Here we show an integrity attack on the affine MAC mode ,-1,Π~,K (i.e. an affine MAC mode that uses -1 many block-functions). Assume >b and mount the attack as described below.

Description of the forger 𝒜𝖿𝗈𝗋𝗀𝖾.

  1. (Find a suitable difference in a pair of plain-text queries): Find non-zero δ𝔹:

    δ=𝗌𝗈𝗅𝗏𝖾(F12,0-1).
  2. (Make an encryption query): Make a query m1 of blocks. Let the corresponding tag be t1.

  3. (Make the forging query with the difference obtained in (step 1)): Compute m2=m1+δ and t2=t1+F22δ. Forge with (m2,t2).

The theorem follows from the above attack. ∎

The optimality is achieved by the affine mode construction PMAC, assuming an independent masking key (not generated using block-function).

6 Optimality for authenticated encryption in affine modes

In this section, we consider affine mode authenticated encryption schemes based on four different types of settings, depending on whether we have to respect nonce (i.e. nonce-respecting) or we can repeat nonce (i.e. nonce-misuse) and whether we follow traditional AE settings or INT-RUP security settings. We recall that the rate of an AE scheme denotes the number of message blocks processed per block-function call. We call an AE scheme to be “rate-1” if the following holds: to process a message of blocks (i) exactly many block-function calls are used to generate the ciphertext and (ii) a constant number (denoted by z) of additional block-function calls are required to generate the tag. Instead of showing the exact number of block-functions required, we will find the result in terms of the rate of the mode; see Table 3.

6.1 Rate-1 affine mode authenticated encryption scheme

We represent a “rate-1” affine mode authenticated encryption as

E(κmy*=(yytag))=(x*=(xxtag)c*=(ct)),

where x=x*[1], xtag=x*[(+1)(+z)], y=y*[1] and ytag=y*[(+1)(+z)]. It is easy to see that a “rate-1” affine mode AE scheme has the following structure of E:

E=((E11)×k(E12)×(E13)×(E14)×z(E21)z×k(E22)z×(E23)z×(E24)z×z(E31)×k(E32)×(E33)×(E34)×z(E41)1×k(E42)1×(E43)1×(E44)1×z).

It is easy to check that E13 and E24 are strictly lower triangular matrices and E14=E34 are zero matrices.

Table 3

Optimal rate of affine mode AE to achieve security in different settings.

NonceSecurityOptimal rateExamples
RespectingTraditional1OCB
RespectingINT-RUP<1OCB-IC
MisuseTraditional<1ELmD
MisuseINT-RUP<1OCB-IC

For the decryption, we have identical representations as we replace E by D, x by u, y by v, m by c, and c by m:

D.(κcv*=(vvtag))=(u*=(uutag)(mt)),

where

u=u*[1],utag=u*[(+1)(+z)],v=v*[1],vtag=v*[(+1)(+z)].

It is easy to see that D has the following structure:

D=((D11)×k(D12)×(D13)×(D14)×z(D21)z×k(D22)z×(D23)z×(D24)z×z(D31)×k(D32)×(D33)×(D34)×z(D41)1×k(D42)1×(D43)1×(D44)1×z).

6.1.1 Important properties of the decryption matrix D

Lemma 6.1.

If rank(D33)<(-k)n, then the AE construction does not preserve privacy.

Proof.

We have the condition D31κ+D32c+D33v=m. As the combined rank of [D31:D32:D33] is full (otherwise the scheme is not decryptable), we can find a row vector δ such that δD320 but δD31=0 and δD33=0. This gives a linear equation in c and m:

δD32c=δm.

By using this equation, one can distinguish this scheme from a random function making a single query and checking whether the above equation holds or not. ∎

Lemma 6.2.

If rank(D12)<(-z)n, then the AE construction does not have integrity security.

Proof.

Let the decryption matrix for an AE Scheme be D, with rank(D12)<(-z)n. Now, we describe an integrity attacker (or forger) against the AE scheme as follows.

Description of the forger 𝒜𝗂𝗇𝗍.

  1. (Finding a suitable difference in a pair of queries): Find a non-zero Δc=(Δc1,,Δc) satisfying D12Δc=0 and D22Δc=0. The rank of D12 ensures that we will find such a Δc value for some .

  2. (Make an encryption query): Make an encryption query

    (n*,m=(m1,m2,,m)).

    Suppose c=(c1,c2,,c,t) to be the tagged ciphertext.

  3. (The forging event): Compute Δt=D42Δc, and forge with (n*,c+Δc,t+Δt).∎

6.1.2 Some examples

Here we provide some popular examples of authenticated encryption schemes which are “rate-1” block-cipher based, and for each of them we identify the underlying E matrix (considering complete block messages).

Example (iFeed [25]).

iFeed is an example of a “rate-1” authenticated mode authenticated encryption construction with z=1, key index (π,(κ0,κ1,κ2)), ρμ=(π,,π) and encryption matrix E given as follows:

E11=(𝟎𝟐2𝟏𝟎𝟎𝟐3𝟏𝟎𝟎𝟐+1𝟏𝟎),E12=((𝟎)𝟎𝐈-1(𝟎)),E13=E14=(𝟎),
E21=(𝟎𝟐𝟏𝟎),E22=(𝟎𝟎𝟎𝟏),E23=E24=(𝟎),
E31=(𝟎𝟐3𝟏𝟎𝟎𝟐4𝟏𝟎𝟎𝟐+2𝟏𝟎),E32=𝐈,E33=𝐈,E34=(𝟎),
E41=(𝟎𝟎𝟎𝟏),E42=E43=(𝟎),E44=𝟏.

Example (OCB [21]).

OCB is another example of a “rate-1” authenticated encryption mode (which is not a feedback-based construction) with z=1, key index (π,κ0), ρμ=(π,,π) and encryption matrix E given as follows:

E11=(𝟎γ1𝟏𝟎γ2𝟏𝟎γ-1𝟏<𝐧>(γ+𝟐-1)𝟏),E12=(𝐈-1(𝟎)(𝟎)𝟎),E13=E14=(𝟎),
E21=(𝟎γ𝟏),E22=(𝟏),E23=E24=(𝟎),
E31=(𝟎γ1𝟏𝟎γ2𝟏𝟎γ-1𝟏𝟎γ𝟏),E32=(𝟎-1(𝟎)(𝟎)𝟏),E33=𝐈,E34=(𝟎),
E41=E42=E43=(𝟎),E44=𝟏.

Here, 𝐈 and 𝟎 denote identity and all zero square matrices of dimension , respectively. We use (𝟎) to denote an all-zero sub-matrix of appropriate size. Furthermore, 𝐧 is used to denote the field element corresponding to the integer n (as we consider complete block messages).

6.2 INT-RUP attack on “rate-1” affine mode authenticated encryption

In this section, we prove the following theorem.

Theorem 6.3.

Any “rate-1” block-cipher-based affine mode authenticated encryption scheme is INT-RUP insecure.

Proof.

Here we describe an INT-RUP attacker on generic “rate-1” affine domain authenticated encryption schemes. The attack consists of one encryption and one unverified plaintext query. For any two vectors Aa and Ab, we use the notation ΔAab to denote the vector (Aa+Ab).

Description of the INT-RUP attacker 𝒜int_rup.

  1. (Make an encryption query): The adversary first makes an encryption query

    (n*,m0=(m10,m20,,m0)).

    Let c0=(c10,c20, ,c0,t0) be the tagged ciphertext.

  2. (Make an unverified plaintext query): Next, the adversary makes an unverified plaintext query (n*,c1=(c11,c21,,c1)). Let m1=(m11,m21,,m1) be the corresponding plaintext.

  3. (Find the v-difference of the two queries): Find Δv01 from

    Δv01=D33-1(Δm01+D32Δc01).
  4. (Represent Δc0f in terms of a non-zero vector δ): Given any non-zero binary vector δ=(δ1,,δ), represent Δc0f in terms of δ as follows:

    Δc0f=D12-1D*δ,

    where

    D*=(Δu101+D1311Δv101D1312Δv201D131Δv01D1321Δv101Δu201+D1322Δv201D132Δv01D131Δv101D132Δv201Δu01+D13Δv01).
  5. (Find a suitable δ that makes Δutag0f=0): Solve the following set of equations to find a δ that implies Δutag0f=0:

    D22Δc0f+D23Δv0f=0.

    As Δc0f and Δv0f can be represented as linear combinations of δ, the above equality can be written as (D22D12-1D*+D23v*)δ=0. It is easy to see that this equation has at least one solution as long as >(z-1)n. Let the solution be δ*.

  6. (Compute the ciphertext and tag difference): Find Δc0f and Δt0f as we put δ=δ* in the following equations:

    Δc0f=D12-1D*δ,
    Δt0f=D42Δc0f+D43Δv*δ.

  7. (Forging event): Forge with (n*,cf:=c0+c0f,tf:=t0+t0f).

Brief explanation. The adversarial goal is to construct a forging query (with the same nonce and associated data) (n*,cf=(c1f,c2f,,cf),tf), which realizes a δ=(δ1,,δ) sequence. The ciphertext Cf realizes a δ-sequence if, given a non-zero binary vector δ=(δ1,,δ), uif=uiδi for all i, and uif=ui0 for all i>. Note that, by definition, Δui0f=δiΔui01 and Δvi0f=δiΔvi01. So, one can write both Δu0f and v0f as a linear combination of δ, and hence represent Δc0f in terms of δ:

Δc0f=D12-1(Δu0f+D32Δv0f)=D12-1D*δ.

Now, the adversary chooses a δ (we term it as δ*) such that the second condition (i.e. uif=ui0 for all i>) gets satisfied. Finally, the adversary computes the ciphertext-difference Δc0f and the tag-difference Δt0f corresponding to δ* and mounts the attack.

Case when at least one of D𝟏𝟐 and D𝟑𝟑 does not have full rank. From Lemma 6.1 and 6.2 we already know that rank(D12) and rank(D33) should be high. This ensures that if we set appropriately to a high value, we will have an (n×n) sub-matrix which has full rank for both D12 and D33. More formally, from Lemmas 6.1 and 6.2 we know that rank(D12)>(-(k+1))n and rank(D33)>(-z)n. It is easy to check that we can find a value of such that both the sub-matrices D12[-n,-n] and D33[-n,-n] have full rank. As k and z are small constants, one can ensure that we will find such an . Now one can easily modify the previous attack and apply it here. ∎

Remarks (Extension of the attack for any number of keys).

In the definition of affine domain authenticated encryption, we have assumed k, the number of keys, to be constant. Some constructions like IACBC [15] and IAPM [13] use log many keys while encrypting block messages. It is easy to see that our INT-RUP attack will be valid for these constructions as well. In general, this attack will be applicable for any “rate-1” authenticated encryption scheme for which D11 and D22 are invertible, even if the number of masking keys it uses depends on the message length.

6.3 Integrity attack on “rate-1” affine mode authenticated encryption in nonce-misuse scenario

Theorem 6.4.

Any “rate-1” block-cipher-based AE scheme is not integrity secure against nonce-repeating adversaries.

In this section, we describe a generic INT-CTXT attack under a nonce-misuse scenario on “rate-1” affine AE schemes. The technique is similar to that for the previous attack, except we make two encryption queries with the same nonce instead of one encryption and one INT-RUP query.

Description of the INT-RUP attacker 𝒜int_rup.

  1. (Make first encryption query): Make an encryption query (n*,m0=(m10,m20,,m0)). Let

    c0=(c10,c20,,c0,t0)

    be the tagged ciphertext.

  2. (Make second encryption query): Make another encryption query: (n*,m1=(m11,m21,,m1)). Let c1=(c11,c21,,c1,t1) be the tagged ciphertext.

  3. (Make the forging): Forge with (cf=(c1f,c2f,,cf),tf), where cif=ci0+Δci0f and tf=t0+Δt0f with c0f and t0f being defined as in the previous attack.

Clearly, the main idea of the previously described attack is to find one valid plaintext-ciphertext-tag pair (n*,m0,(c0,t0)) and one plaintext-ciphertext pair (n*,m1,c1) for any choice of n*, m0 and c1. By two nonce-misusing queries we can get (n*,m0,(c0,t0)) and (n*,m1,(c1,t1)) for any choice of n*, m0 and m1. Thus we can follow the same procedure described in the last section and forge a valid ciphertext-tag pair.

6.4 On the optimality of “rate” for affine mode authenticated encryption

Theorem 6.5.

In a traditional nonce-respecting scenario, the optimum rate of a secure affine mode authenticated encryption is 1 (with z=1). But if we consider a nonce-misuse setting or an INT-RUP model, then any block-cipher-based affine mode authenticated encryption must have “rate <1”.

Proof.

From Theorem 3.2 we know that a block-cipher-based affine mode authenticated encryption (that takes blocks and outputs +1 many blocks) needs at least +1 many block-functions to achieve PRF security, assuming distinct nonce criteria. Now, the existing construction OCB (that uses +1 many block-functions) achieves that, and hence provides the optimal bound.

The second part of the theorem follows directly from Theorems 6.3 and 6.4. ∎

7 Conclusion

In this paper, we have considered symmetric key affine modes of operation and determined the optimal number of non-linear computations required to achieve (i) PRF security of encryption modes (with and without nonce), (ii) SPRP security of length-preserving encryption modes, (iii) online PRF and online SPRP security of r-online encryption modes and (iv) message authentication codes. The tightness of these bounds has been shown through some known constructions achieving these bounds. Moreover, we have considered authenticated encryption modes and determined the maximum rate of the construction to achieve security in different settings. These are important theoretical results, which could be used as a guideline while designing new symmetric key algorithms, minimizing the number of block-function invocations.


Communicated by Tor Helleseth


References

[1] M. Bellare, A. Boldyreva, L. Knudsen and C. Namprempre, On-line ciphers and the hash-cbc constructions, Advances in Cryptology—CRYPTO 2001, Lecture Notes in Comput. Sci. 2139, Springer, Berlin (2001), 292–309. 10.1007/s00145-011-9106-1Search in Google Scholar

[2] M. Bellare, J. Kilian and P. Rogaway, The security of cipher block chaining, Advances in Cryptology—CRYPTO 1994, Lecture Notes in Comput. Sci. 839, Springer, Berlin (1994), 341–358. 10.1007/3-540-48658-5_32Search in Google Scholar

[3] T. P. Berger, M. Minier and G. Thomas, Extended generalized feistel networks using matrix representation, Selected Areas in Cryptography—SAC 2013, Springer, Berlin (2014), 289–305. 10.1007/978-3-662-43414-7_15Search in Google Scholar

[4] J. Black and P. Rogaway, A block-cipher mode of operations for parallelizable message authentication, Advances in Cryptology—Eurocrypt 2002, Lecture Notes in Comput. Sci. 2332, Springer, Berlin (2002), 384–397. 10.1007/3-540-46035-7_25Search in Google Scholar

[5] A. Chakraborti, N. Datta and M. Nandi, INT-RUP analysis of block-cipher based authenticated encryption schemes, Topics in Cryptology—CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 39–54. 10.1007/978-3-319-29485-8_3Search in Google Scholar

[6] D. Chakraborty and M. Nandi, An improved security bound for HCTR, Fast Software Encryption—FSE 2008, Lecture Notes in Comput. Sci. 5086, Springer, Berlin (2008), 289–302. 10.1007/978-3-540-71039-4_18Search in Google Scholar

[7] S. Halevi, EME*: Extending EME to handle arbitrary-length messages with associated data, Progress in Cryptology—INDOCRYPT 2004, Lecture Notes in Comput. Sci. 3348, Springer, Berlin (2004), 315–327. 10.1007/978-3-540-30556-9_25Search in Google Scholar

[8] S. Halevi, Invertible universal hashing and the TET encryption mode, Advances in Cryptology—CRYPTO 2007, Lecture Notes in Comput. Sci. 4622, Springer, Berlin (2007), 412–429. 10.1007/978-3-540-74143-5_23Search in Google Scholar

[9] S. Halevi and P. Rogaway, A tweakable enciphering mode, Advances in Cryptology—CRYPTO 2003, Lecture Notes in Comput. Sci. 2729, Springer, Berlin (2003), 482–499. 10.1007/978-3-540-45146-4_28Search in Google Scholar

[10] S. Halevi and P. Rogaway, A parallelizable enciphering mode, Topics in Cryptology—CT-RSA 2004, Lecture Notes in Comput. Sci. 2964, Springer, Berlin (2004), 292–304. 10.1007/978-3-540-24660-2_23Search in Google Scholar

[11] V. T. Hoang and P. Rogaway, On generalized feistel networks, Advances in Cryptology—CRYPTO 2010, Springer, Berlin (2010), 613–630. 10.1007/978-3-642-14623-7_33Search in Google Scholar

[12] T. Iwata and K. Kurosawa, Omac: One-key cbc mac, Fast Software Encryption—FSE 2003, Lecture Notes in Comput. Sci. 2887, Springer, Berlin (2003), 129–153. 10.1007/978-3-540-39887-5_11Search in Google Scholar

[13] C. S. Jutla, Encryption modes with almost free message integrity, Advances in Cryptology—EUROCRYPT 2001, Lecture Notes in Comput. Sci. 2045, Springer, Berlin (2003), 529–544. 10.1007/3-540-44987-6_32Search in Google Scholar

[14] C. S. Jutla, Prf domain extension using dag, Theory of Cryptography—TCC 2006, Lecture Notes in Comput. Sci. 3876, Springer, Berlin (2006), 561–580. 10.1007/11681878_29Search in Google Scholar

[15] C. S. Jutla, Encryption modes with almost free message integrity, J. Cryptology 21 (2008), no. 4, 547–578. 10.1007/s00145-008-9024-zSearch in Google Scholar

[16] K. Kurosawa and T. Iwata, Tmac: Two-key cbc mac, Topics in Cryptology—CT-RSA 2003, Lecture Notes in Comput. Sci. 2612, Springer, Berlin (2003), 33–49. 10.1007/3-540-36563-X_3Search in Google Scholar

[17] M. Luby and C. Rackoff, How to construct pseudo-random permutations from pseudo-random functions, Advances in Cryptology—CRYPTO 1985, Lecture Notes in Comput. Sci. 218, Springer, New York (1984), 447–447. 10.1007/3-540-39799-X_34Search in Google Scholar

[18] M. Nandi, Two new efficient cca-secure online ciphers: Mhcbc and mcbc, Progress in Cryptology—INDOCRYPT 2008, Lecture Notes in Comput. Sci. 5365, Springer, Berlin (2008), 350–362. 10.1007/978-3-540-89754-5_27Search in Google Scholar

[19] M. Nandi, A unified method for improving PRF bounds for a class of blockcipher based macs, Fast Software Encryption—FSE 2010, Lecture Notes in Comput. Sci. 6147, Springer, Berlin (2010), 212–229. 10.1007/978-3-642-13858-4_12Search in Google Scholar

[20] M. Nandi, On the optimality of non-linear computations of length-preserving encryption schemes, Advances in Cryptology—ASIACRYPT 2015 Part II, Springer, Berlin (2015), 113–133. 10.1007/978-3-662-48800-3_5Search in Google Scholar

[21] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes ocb and pmac, Advances in Cryptology—ASIACRYPT 2004, Lecture Notes in Comput. Sci. 3329, Springer, Berlin (2004), 16–31. 10.1007/978-3-540-30539-2_2Search in Google Scholar

[22] P. Rogaway and H. Zhang, Online ciphers from tweakable blockciphers, Topics in Cryptology—CT-RSA 2011, Lecture Notes in Comput. Sci. 6558, Springer, Berlin (2011), 237–249. 10.1007/978-3-642-19074-2_16Search in Google Scholar

[23] P. Sarkar, Improving upon the tet mode of operation, Information Security and Cryptology—ICISC 2007, Lecture Notes in Computer Science 4817, Springer, Berlin (2007), 180–192. 10.1007/978-3-540-76788-6_15Search in Google Scholar

[24] P. Wang, D. Feng and W. Wu, HCTR: A variable-input-length enciphering mode, Information Security and Cryptology—CISC 2005, Lecture Notes in Comput. Sci. 3822, Springer, Berlin (2005), 175–188. 10.1007/11599548_15Search in Google Scholar

[25] L. Zhang, W. Wu, H. Sui and P. Wang, iFeed[AES] v1, 2014, https://competitions.cr.yp.to/round1/ifeedaesv1.pdf. Search in Google Scholar

Received: 2017-03-13
Revised: 2018-03-25
Accepted: 2018-05-20
Published Online: 2018-06-19
Published in Print: 2018-12-01

© 2018 Walter de Gruyter GmbH, Berlin/Boston

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Downloaded on 21.2.2024 from https://www.degruyter.com/document/doi/10.1515/jmc-2017-0011/html
Scroll to top button