
Block Cipher in the Ideal Cipher Model: A Dedicated Permutation Modeled as a Black-Box Public Random Permutation

by * and *
Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
* Authors to whom correspondence should be addressed.
Symmetry 2019, 11(12), 1485; https://doi.org/10.3390/sym11121485
Received: 3 November 2019 / Revised: 26 November 2019 / Accepted: 2 December 2019 / Published: 5 December 2019
(This article belongs to the Special Issue Interactions between Group Theory, Symmetry and Cryptology)

Abstract

Designing a secure construction has always been a fascinating area for researchers in symmetric key cryptography. This research aims to contribute to the design of a secure block cipher in the ideal cipher model whose underlying primitive is a family of $n$-bit to $n$-bit random permutations indexed by a secret key. Our target construction of a secure block cipher, denoted $E[s]$, is built on a simple XOR operation and two block cipher invocations, under the assumption that the block cipher in use is a pseudorandom permutation. One of these two block cipher invocations produces a subkey derived from the secret key. It is accepted that at least two block cipher invocations with XOR operations are required to achieve beyond birthday bound security. In this paper, we investigate the $E[s]$ instances with an advanced proof technique and obtain efficient block cipher constructions that bypass the birthday bound, achieving $2^n$ provable security. Our study provides new insights into block ciphers with beyond birthday bound security.
Keywords: pseudorandom permutation; block cipher; ideal cipher model; beyond birthday bound; provable security

1. Introduction

A block cipher encryption design is called beyond birthday bound (BBB) secure if the proven upper bound on the adversarial advantage remains meaningful even when an adversary can process more than $2^{n/2}$ data blocks, where $n$ is the block size of the block cipher. Iwata was the first to propose a BBB encryption mode, cipher-based encryption (CENC) [1]. This nonce based construction provides a solution through the invocation of more than one block cipher and a simple XOR operation, and achieves $2^{2n/3}$ security against all nonce respecting adversaries. Later on, Iwata proved CENC secure based on the mirror theory technique [2], achieving optimal security [3]. Bhattacharya and Nandi also gave the BBB security of CENC by analyzing the security bound of variable output length using the chi-squared method.

1.1. Pseudorandom Permutation and Pseudorandom Function with BBB

The conventional approach for designing cryptographic primitives based on a symmetric cipher is to make them behave as a perfectly random function. The vast majority of encryption schemes [4], MAC schemes [5,6], and authenticated encryption schemes [7] follow this paradigm via pseudorandom functions (PRFs). Patarin suggested the sum-of-permutations construction and proved that a variant with a single permutation is indistinguishable from a random function up to BBB [8]. In 2003, Patarin gave the result of $2^{2n/3}$ security [9], and in 2005 this security bound was achieved again [10,11]. The PRF provides a solution for the growing use of cryptography in real-world applications. However, the pseudorandom permutation (PRP), rather than the PRF, is the leading building block of cryptographic design [12,13,14,15]. If a block cipher is directly used as a PRF, its provable security is limited to the birthday bound; with a large block size this is often acceptable, but it is not acceptable in practice with a lightweight block cipher, which has a relatively small block size. A PRF can be replaced by a PRP up to birthday bound queries [16,17,18,19], and if the block size is large enough, the security loss is sometimes acceptable. Nevertheless, there are many scenarios, such as lightweight applications, whose numbers have grown tremendously in recent years, that require a higher security bound [20,21,22,23,24,25,26]. In recent years, various constructions have been proposed that achieve BBB security against more than $2^{n/2}$ queries. We can categorize these constructions into XOR-of-permutations based and truncation based. The XOR of permutations is a popular BBB construction, taking the XOR of two or more independent PRPs [20].
$$\mathrm{XOR}_{E_{k_1}, E_{k_2}}(x) = E_{k_1}(x) \oplus E_{k_2}(x)$$
This construction was analyzed by Lucks [21]. The single key variant of this construction provides security up to $2^{2n/3}$ queries [27]. After that, Patarin revisited this construction and improved the security bound up to $2^n/67$ [28]. Later on, the results were generalized to more than two independent PRPs combined with XOR [29]. Dai et al. [30] verified the $n$-bit security of the XOR construction using the chi-squared method, but the original proof was provided by Bhattacharya and Nandi [31]. The XOR construction is acceptable for encryption, but it is not usable for authentication, because the domain size must be extended. This can be solved by hashing the message, but the XOR construction then needs a precise combination with a double block hash function [32,33,34]. The truncation based solution was presented by Hall et al. [17]. Later on, it was proved that truncating an $n$-bit permutation has a security bound of up to $2^{2n/3}$ queries [35]. Stam also derived these results in a non-cryptographic context [27]. Recently, another construction was proposed, known as Encrypted Davies-Meyer (EDM), introduced by Cogliati and Seurin [36].
$$\mathrm{EDM}_{E_{k_1}, E_{k_2}}(x) = E_{k_2}\big(E_{k_1}(x) \oplus x\big)$$
It uses two independent permutations and behaves like a random function up to $q^3/2^{2n}$ [36]. Afterward, Dai et al. [30] achieved $q^4/2^{3n}$ using the chi-squared method. A novel construction, EDMD, improved the security up to $2^n/(67n)$ by using the mirror theory technique, which is almost optimal security [37].
$$\mathrm{EDMD}_{E_{k_1}, E_{k_2}}(x) = E_{k_2}\big(E_{k_1}(x)\big) \oplus E_{k_1}(x)$$
Two independent keys are required for EDMD. The single key setting is significant for a higher security bound and an efficient construction, which is also what our construction achieves. In any case, this construction is secure up to $q/2^{2n/3}$. Cogliati and Seurin also extended the EDMD construction to encrypted Wegman-Carter with Davies-Meyer (EWCDM), which is nonce based and BBB secure.
$$\mathrm{EWCDM}_{E_{k_1}, E_{k_2}, H_{k_h}}(N, M) = E_{k_2}\big(E_{k_1}(N) \oplus N \oplus H_K(M)\big)$$
where $H_K$ is a universal hash function, $N$ denotes the nonce, and $M$ denotes the message, which has arbitrary length. EWCDM achieves BBB security up to $2^{2n/3}$ MAC queries in the nonce respecting setting. The use of internal state values of the EWCDM construction makes their security analysis formally inapplicable [37]. Mennink presented the rationale relying on the EWCDM function, and simplified versions of the conversion method applied to the Advanced Encryption Standard (AES) [38]. The main proposal, AES-PRF, the AES with a feed-forward of the middle state, achieves almost optimal security. This construction was applied to GCM and GCM-SIV, and the significant security improvements it entails were discussed. More recently, Mennink presented a heuristic study of building BBB security from a public random permutation, showing that a single permutation call cannot be BBB secure [39].
The above discussion shows what has to be tackled for BBB security of PRFs, where the goal is to build a PRF that is indistinguishable from a truly random function. Our study, however, aims to build a block cipher in the ideal cipher model, under the assumption that the block cipher is a PRP rather than a PRF, achieving full security. Moreover, the sum of Even-Mansour (SoEM) construction achieves BBB security up to $2^{2n/3}$; it is built from two randomly drawn keys and two independent permutations, and if either the keys or the permutations are identical, there is a birthday bound attack.

1.2. Our Construction

In this paper, we focus on a block cipher design based on a single key that achieves BBB security up to $2^n$. The main motivation comes from scenarios where the block cipher only has a block size of 32-bit, 48-bit, or 64-bit [40]. The target construction, depicted in Figure 1 and defined as $E[s]: \mathcal{K} \times \mathcal{P} \to \mathcal{P}$, consists of two block cipher invocations and an additional simple XOR operation. Furthermore, a heuristic approach is carried out to examine the instances of $E[s]$, and in the end the efficient constructions $E_1, \ldots, E_{32}$ are found. In detail, the first block cipher invocation produces a subkey $y$ from the secret key $k$, such that $y = E(k, 0)$, $y = E(0, k)$, or $y = E(k, k)$. The second block cipher invocation encrypts the plaintext $p$ and decrypts the ciphertext $c$, respectively, with the key $k$ or $k \oplus y$. We stress that the first block cipher invocation can be precomputed and the subkey $y$ stored. Thus, our design requires only one block cipher invocation for encryption and decryption once the subkey $y$ is precomputed and stored. We have designed this construction in the ideal cipher model, which has the main advantage of provable security up to $2^n$; previously available block ciphers have maximum provable security up to $2^{2n/3}$. From the efficiency point of view, previous constructions required more than one key, $s > 2$ block cipher invocations [20,36], and universal hash function invocations, all of which cost efficiency. A minimal number of block cipher invocations with a single key is good for efficiency. Our design requires just a single secret key and one block cipher invocation for encryption and decryption when the subkey is precomputed and stored.

2. Preliminaries

2.1. Notations

$\{0,1\}^n$ denotes the set of bit strings of length $n$. We denote bitwise addition by $a \oplus b$, where $a, b \in \{0,1\}^n$. $Y \leftarrow Z$ is the assignment of $Z$ to the variable $Y$. $x \xleftarrow{\$} X$ denotes the uniform random selection of $x$ from $X$. $|X|$ denotes the number of elements in $X$. Let $a \in \{0,1\}$ and $b \in \{0,1\}^n$; $a.b$ denotes the multiplication of $a$ and $b$: if $a = 1$, it is equal to $b$, and if $a = 0$, then $a.b$ equals $0$. A block cipher is denoted $E: \mathcal{K} \times \mathcal{P} \to \mathcal{P}$, where $\mathcal{P}$ is the plaintext/message space and $\mathcal{K}$ is the key space. Throughout the paper, we fix $\mathcal{K} = \mathcal{P} = \{0,1\}^n$. Let $E(k, \cdot)$ and $E^{-1}(k, \cdot)$ denote encryption and decryption, respectively, with a secret key $k \in \mathcal{K}$, and let $E^{\pm}(k, \cdot)$ stand for both $E(k, \cdot)$ and $E^{-1}(k, \cdot)$. Sometimes we write $E_k(\cdot)$ for $E(k, \cdot)$, $E_k^{-1}(\cdot)$ for $E^{-1}(k, \cdot)$, and $E_k^{\pm}(\cdot)$ for $E^{\pm}(k, \cdot)$. $(u, w)$ is an input-output tuple of $E$ such that $w = E(u)$, and the input-output tuple of $E_k$ is denoted $(p, c)$ such that $E_k(p) = c$. Let $\mathrm{Perm}(n)$ denote the set of all permutations on $\{0,1\}^n$. A permutation $\pi$ is said to be an ideal cipher if it is selected uniformly at random, that is, $\pi \xleftarrow{R} \mathrm{Perm}(n)$. Similarly, we define the notations $\pi(\cdot, \cdot)$, $\pi^{-1}(\cdot, \cdot)$, and $\pi^{\pm}(\cdot, \cdot)$.

2.2. Security Definition

A computationally unbounded distinguisher $D$ is an algorithm that has adaptive access to an oracle and outputs a bit $0$ or $1$. Let the two oracles $O_1$ and $O_2$ have the same interface; the distinguishing advantage of $D$ is then
$$\mathrm{Adv}(D) = \left| \Pr\big[D^{O_1} \Rightarrow 1\big] - \Pr\big[D^{O_2} \Rightarrow 1\big] \right|$$
A block cipher with key space $\mathcal{K}$ and message space $\mathcal{P}$ is a mapping $E: \mathcal{K} \times \mathcal{P} \to \mathcal{P}$ such that for every key $k \in \mathcal{K}$, $E(k, \cdot)$ is a permutation over $\mathcal{P}$. We write $E_k(P)$ for $E(k, P)$. The distinguisher $D$ has query access to $(O_1, E^{\pm})$: $O_1$ is either $E_k^{\pm}(\cdot, \cdot)$ with $k \xleftarrow{\$} \mathcal{K}$ or $\pi^{\pm}$ with $\pi \xleftarrow{\$} \mathrm{Perm}(n)$, and $E^{\pm}$ is the underlying block cipher. The advantage of $D$ in distinguishing $E$ from $\pi$ is defined as
$$\mathrm{Adv}^{\mathrm{prp}}_E(D) = \left| \Pr\big[D^{E_k^{\pm}(\cdot,\cdot),\, E^{\pm}(\cdot,\cdot)} \Rightarrow 1\big] - \Pr\big[D^{\pi^{\pm}(\cdot,\cdot),\, E^{\pm}(\cdot,\cdot)} \Rightarrow 1\big] \right|$$
Throughout this paper, we consider the information-theoretic setting, with computationally unbounded distinguishers $D$ limited solely by the number of queries to their oracles. The maximum is taken over all distinguishers $D$ that make at most $q$ queries to their oracles:
$$\mathrm{Adv}^{\mathrm{prp}}_E(q) = \max_{D} \left\{ \mathrm{Adv}^{\mathrm{prp}}_E(D) \right\}$$

2.3. H-Coefficient Technique

Central to our proof is the H-Coefficient technique presented by Patarin [8,41]. As mentioned above, we consider the information-theoretic setting, with a computationally unbounded distinguisher $D$. Thus, without loss of generality, we always assume that $D$ is deterministic. Let $D$ interact with $O_1$ and $O_2$. The interaction of $D$ with its oracles is recorded in a view $v$. $X_{O_2}$ is the probability distribution of $v$ when $D$ interacts with $O_2$. $\mathcal{V}$ is the set of all attainable views $v$ when $D$ interacts with $O_2$, that is, $\mathcal{V} = \{ v \mid \Pr[X_{O_2} = v] > 0 \}$. The H-Coefficient technique states the following:
Let $0 \le \varepsilon \le 1$. Consider a partition $\mathcal{V} = \mathcal{V}_{good} \cup \mathcal{V}_{bad}$ of the set of attainable views such that:
  • the probability $\Pr[X_{O_2} \in \mathcal{V}_{bad}]$ of a bad view is small;
  • for all $v \in \mathcal{V}_{good}$, $\dfrac{\Pr[X_{O_1} = v]}{\Pr[X_{O_2} = v]} \ge 1 - \varepsilon$.
Then, the distinguishing advantage satisfies
$$\mathrm{Adv}(D) \le \Pr[X_{O_2} \in \mathcal{V}_{bad}] + \varepsilon$$
The core idea of the H-Coefficient technique is that a large number of views are almost equally likely under both oracles (the real world and the ideal world), and the odd ones occur with small probability. Note that the partitioning of $\mathcal{V}$ into bad and good views is directly reflected in the terms $\Pr[X_{O_2} \in \mathcal{V}_{bad}]$ and $\varepsilon$ in the bound: if $\mathcal{V}_{good}$ is too large, $\varepsilon$ becomes large, whereas if $\mathcal{V}_{bad}$ is too large, $\Pr[X_{O_2} \in \mathcal{V}_{bad}]$ becomes large.

3. Construction Limitations

In this section, we discuss the limitations on constructing a secure block cipher in the ideal cipher model from dedicated block cipher invocations and a simple XOR operation; the XOR operation has efficiency benefits. The target construction is denoted $E[s]$ and is built on $s$ block cipher invocations. Let $E$ denote the underlying block cipher with $n$-bit block size and $n$-bit key size. Let $p$, $c$, and $k$ denote the plaintext, ciphertext, and key, respectively, all of $n$ bits. Let $a_{i,j}$ and $b_{i,j}$ be one-bit variables taking the value $0$ or $1$, where $1 \le i \le s+1$ and $1 \le j \le i+2$. The encryption of $E[s]$ is shown in Algorithm 1, and the target construction $E[s]$ is depicted in Figure 1; this graphical view is the one from which we derive the resulting block cipher construction. All $s$ block cipher invocations are involved in the computation of the ciphertext $c$. The ciphertext $c$ must be invertible and efficiently decryptable to the plaintext $p$ given the key $k$. There are some limitations on $E[s]$ for achieving our goal:
  • The plaintext $p$ should be involved in exactly one XOR operation. The XOR involving $p$ gives $x_i$ and the corresponding $y_i$, so both outputs ($x_i$ and $y_i$) are called plaintext dependent variables. Furthermore, if a variable $y_i$ is used to compute another variable $x_j$, then $x_j$ and the corresponding $y_j$ are also plaintext dependent variables. We cannot use a plaintext dependent variable to produce any key or subkey; otherwise, the construction will not be efficient.
  • At most one plaintext dependent variable should be produced from the XOR operation. Otherwise, the decryption process cannot decrypt efficiently, because there is more than one such variable.
If the above limitations are satisfied, then $E[s]$ can be an efficient block cipher construction. Moreover, an additional condition is also necessary for efficiency and security. Our first goal is to achieve full ($2^n$) provable security, and the target construction is key to achieving it. Nowadays, the AES and SIMON block ciphers are utilized in various applications with different block sizes, such as 128-bit and 64-bit. In some environments, the block size of a lightweight block cipher can be even shorter. Thus, a block cipher construction with only birthday bound security may not be suitable for various applications, and another construction providing higher security is definitely necessary. Particularly for application design, a block cipher with full security is surely an interesting research topic. Our second goal is efficiency: we invoke only two block ciphers, because a minimal number of block cipher invocations is what drives high efficiency. It is well known that block cipher invocations are much more time consuming than XOR operations, so efficiency drops with the number of block cipher invocations. Beyond this, we aim to achieve perfect efficiency without sacrificing security, i.e., by eliminating unnecessary input variables. In fact, this is also why our target construction has a simple XOR operation and only the necessary input variables. Algorithm 1 is shown as follows:
Algorithm 1 $E[s](\cdot, \cdot)$
Input: $k$, $p$, $E(\cdot, \cdot)$, variables $a_{i,j}$ and $b_{i,j}$
Output: ciphertext $c$
  • $(k_1, x_1) = \big(a_{1,1}.k,\;\; b_{1,1}.k \oplus b_{1,2}.p\big)$
  • for $i = 1$ to $s-1$ do
  •   $y_i = E(k_i, x_i)$
  •   $(k_{i+1}, x_{i+1}) = \Big(a_{i+1,1}.k \oplus \bigoplus_{j=2}^{i+1} a_{i+1,j}.y_{j-1},\;\; b_{i+1,1}.k \oplus b_{i+1,2}.p \oplus \bigoplus_{j=3}^{i+2} b_{i+1,j}.y_{j-2}\Big)$
  • end for
  • $y_s = E(k_s, x_s)$
  • $c = b_{s+1,1}.k \oplus b_{s+1,2}.p \oplus \bigoplus_{j=3}^{s+2} b_{s+1,j}.y_{j-2}$
  • return ciphertext $c$
In order to achieve the above goals among the instances of the target construction, we adopt a heuristic approach. For the instances of $E[s]$, we invoke only two block ciphers to achieve $2^n$ provable security, because instances of $E[s]$ with $s = 1$ have at most $2^{n/2}$ security. Thus, at least two block cipher invocations are required to bypass the birthday bound barrier.
We continue to examine the instances of $E[2]$ and do not analyze the $E[s > 2]$ instances unless all instances of $E[2]$ have been investigated and none of them achieves $2^n$ security. In fact, if some instance of $E[2]$ achieves $2^n$ security, there is no need to examine the other instances of $E[2]$. Following this strategy, we analyzed the target construction $E[s]$ and found 32 instances with $2^n$ provable security.

3.1. $E[2]$ Instances

According to the previous discussion, the plaintext $p$ should be involved in exactly one XOR operation, and at most one plaintext dependent variable should be produced from that XOR operation; otherwise, the decryption process cannot decrypt efficiently, because more than one such variable exists. A plaintext dependent variable cannot be used to produce any key value; otherwise, the construction will not be efficient. Following this strategy, we divide the $E[2]$ instances into three types, based on whether the plaintext $p$ is XORed to compute $x_1$, $x_2$, or $c$:
  • Type 1 instances: $p$ is XORed to compute $x_1$
  • Type 2 instances: $p$ is XORed to compute $x_2$
  • Type 3 instances: $p$ is XORed to compute $c$

3.1.1. Type 1 Instances

According to the above limitation, plaintext dependent variables cannot be used to produce a key value, so $a_{2,2} = 0$. The plaintext $p$ should be involved in exactly one XOR operation, so $b_{2,2} = 0$ and $b_{3,2} = 0$. We set $b_{2,3} = 1$, which is the first block cipher invocation, and $b_{3,4} = 1$, which is the second block cipher invocation. If $b_{2,3} = 0$, the two block cipher invocations are parallel, and such instances belong to type 2. It also follows that $x_2$ and $y_2$ are plaintext dependent variables. We then set $b_{3,3} = 0$, because $y_2$ is already used as a plaintext dependent variable. All of these simplified type 1 constructions are shown in Figure 2. We examined the type 1 instances, whose ciphertext is computed as follows.
$$c = E(a_{2,1}.k,\; x_2) \oplus b_{3,1}.k$$
Instances of type 1 with one block cipher invocation.
We show that any type 1 instance that makes only one block cipher invocation cannot achieve BBB security. Let $E: \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher, as shown in Figure 3. We show that there exists a distinguisher $D$ that can distinguish any such block cipher from a random permutation using at most $2^{n/2}$ queries.
● When $a_{1,1} = 0$ and $b_{1,1} = 1$.
In this case, the input and output of $E$ are not related to $p$ or $c$. When $b_{1,2} = 0$, the distinguisher $D$ selects arbitrary $p$ and $p'$ and obtains $c$ and $c'$. If the event $c = c'$ occurs, it outputs 1; otherwise, it outputs 0. The success probability of $D$ is 1 when it interacts with the real construction and $1/2^n$ when it interacts with the ideal permutation. The results are similar for $b_{2,3} = 0$.
● When $a_{1,1} = 0$ and $b_{1,1} = 0$.
In this case, the input and output of $E$ are independent of the key. When $b_{1,2} = 1$, the distinguisher $D$ selects arbitrary $x_1$ and $x_1'$ to get $y_1$ and $y_1'$; then it sets $p = b_{1,2}^{-1}.x_1$ and $p' = b_{1,2}^{-1}.x_1'$ to get $c$ and $c'$. If the following event occurs, it outputs 1, otherwise 0.
$$\mathrm{Event} = \begin{cases} c \oplus c' = b_{2,3}.y_1 \oplus b_{2,3}.y_1' & \text{if } b_{2,2}.x_1 = 0 \\ c \oplus c' = b_{2,3}.y_1 \oplus b_{2,3}.y_1' \oplus x_1 \oplus x_1' & \text{if } b_{2,2}.x_1 \neq 0 \end{cases}$$
The success probability of $D$ is 1 when it interacts with the real construction and $1/2^n$ when it interacts with the ideal permutation. The case $b_{2,1} = 0$ is similar.
● When $b_{2,2} = 0$.
In this case, there exists a distinguisher $D$ distinguishing the real world oracle $(E_k^{\pm}, E^{\pm})$ from the ideal world oracle $(\pi^{\pm}, E^{\pm})$ with some probability. The distinguisher $D$ makes $2^{n/2}$ queries and operates as follows. For $j = 1, \ldots, 2^{n/2}$, $D$ selects an arbitrary $p^{(j)}$ and obtains $c^{(j)}$. If $c^{(j)} \neq c^{(j')}$ for all query indices $j \neq j'$, it outputs 1; otherwise, it outputs 0.
To conclude the type 1 instances: the plaintext is added in the first XOR operation, and the output value of the first block cipher invocation enters the second block cipher invocation as a key, which is a plaintext dependent variable, so the advantage of the adversary is at most around the birthday bound.

3.1.2. Type 2 Instances

Following the construction limitations, we set $b_{3,5} = 1$. The plaintext $p$ should be involved in exactly one XOR operation, so $b_{1,2} = 0$ and $b_{3,2} = 0$. We set $b_{2,3} = 1$, that is, the first block cipher invocation, and thus $b_{3,4} = 1$, that is, the second block cipher invocation. It also follows that $x_1$ and $y_1$ are not plaintext dependent variables. All of these simplified type 2 constructions are depicted in Figure 4. Here, we examine the type 2 instances, for which the ciphertext is computed as follows.
$$c = E(a_{2,1}.k \oplus a_{2,2}.y_1,\; x_2) \oplus b_{3,1}.k \oplus b_{3,3}.y_1$$
The first block cipher invocation is $y_1 = E(a_{1,1}.k, b_{1,1}.k)$. Throughout the type 2 instances, we call $y_1$ a subkey obtained from the secret key $k$ for those instances with $(a_{1,1}, b_{1,1}) \neq (0,0)$. The computation from $p$ to $x_2$ is $x_2 = p \oplus b_{2,1}.k \oplus b_{2,3}.y_1$, so $\Delta x_2 = \Delta p$ always holds, and likewise $\Delta y_2 = \Delta c$. Hence, for any plaintext-ciphertext pairs $(p, c)$ and $(p', c')$, the adversary knows the internal variable differences $\Delta x_2$ and $\Delta y_2$. Therefore, according to the above constraint, we can derive the following conditions for type 2 instances to achieve BBB security.
● When $(a_{1,1}, b_{1,1}) \neq (0,0)$.
If $(a_{1,1}, b_{1,1}) = (0,0)$, then $y_1 = E(0,0)$. The adversary makes a single query $(0,0)$ to $E(\cdot, \cdot)$ to get $y_1$, and the first block cipher invocation drops out. The instance is then based on only a single block cipher invocation from the adversary's point of view, and as discussed in the previous sections, with $s < 2$ the construction achieves security only up to the birthday bound.
● When $(a_{2,1}, a_{2,2}) \neq (0,0)$.
If $(a_{2,1}, a_{2,2}) = (0,0)$, the adversary regards $b_{2,1}.k \oplus b_{2,3}.y_1$ and $b_{3,1}.k \oplus b_{3,3}.y_1$ as the keys, so the instance is essentially one step of [42].
● When $(b_{2,1}, b_{2,3}) \neq (0,0)$.
If $(b_{2,1}, b_{2,3}) = (0,0)$, then $p = x_2$, i.e., the adversary knows and can control the value of $x_2$. A distinguisher $D$ fixes two distinct plaintexts $p$ and $p'$, queries $E[2]_k(\cdot, \cdot)$ to get the ciphertexts $c$ and $c'$, and stores $c \oplus c'$. $D$ then queries $E(\cdot, \cdot)$, receives $\omega$ and $\omega'$, and matches $\omega \oplus \omega'$ against the stored $c \oplus c'$; in this way $D$ recovers $a_{2,1}.k \oplus a_{2,2}.y_1$. For any plaintext-ciphertext pairs $(p, c)$ and $(p', c')$, $D$ can compute $z$ (such that $a_{2,1}.k \oplus a_{2,2}.y_1 = z$) and query $(z, p)$ and $(z, p')$ to $E(\cdot, \cdot)$, recovering $y_2$ and $y_2'$, respectively. $D$ outputs 1 if $c \oplus c' = y_2 \oplus y_2'$ and 0 otherwise. When interacting with $E[2]$, $D$ outputs 1 once it has recovered $a_{2,1}.k \oplus a_{2,2}.y_1$. Thus, the success probability is $1 - (1 - 1/2^n)^{2^n}$.
● When $(b_{3,1}, b_{3,3}) \neq (0,0)$.
This has an analysis similar to the one above, where the adversary knows and controls the value of $y_2$: it fixes the ciphertexts $c$ and $c'$ and queries $E[2]_k^{-1}(\cdot, \cdot)$.
● When $(b_{2,1}, b_{2,3}) \neq (a_{2,1}, a_{2,2})$.
If $(b_{2,1}, b_{2,3}) = (a_{2,1}, a_{2,2})$, then $b_{2,1}.k \oplus b_{2,3}.y_1 = a_{2,1}.k \oplus a_{2,2}.y_1$; denote this value by $g$, so that $x_2 \oplus z = g \oplus p \oplus g = p$. Thus, the adversary knows and can control $x_2 \oplus z$. A distinguisher $D$ queries $E[2]_k(\cdot, \cdot)$, receives $c$ and $c'$, and stores $c \oplus c'$. Moreover, $D$ sends distinct queries to $E(\cdot, \cdot)$, receives $\omega$ and $\omega'$, and stores $\omega \oplus \omega'$. It then matches $\omega \oplus \omega'$ against $c \oplus c'$. $D$ can compute $x_2$ and $z$ for any plaintext-ciphertext pair and obtain $y_2$ from $E(\cdot, \cdot)$. The distinguisher $D$ just needs to make some extra queries. Thus, the success probability is again $1 - (1 - 1/2^n)^{2^n}$.
● When $(b_{3,1}, b_{3,3}) \neq (a_{2,1}, a_{2,2})$.
This case also has an analysis similar to the one above.
Putting all the above properties of the type 2 instances together, we obtain 32 instances, denoted $E_1, E_2, \ldots, E_{32}$ and depicted in Figure 5. We investigated these constructions and proved $2^n$ security for them, using the H-Coefficient technique as discussed in Section 4.

3.1.3. Type 3 Instances

When $p$ is XORed to compute $c$, then $b_{3,2} = 1$, $b_{1,2} = 0$, and $b_{2,2} = 0$. The type 3 constructions are depicted in Figure 6. In this construction, $p$ and $c$ are linearly related, and a distinguisher $D$ can distinguish with only two queries to $E[2]_k(\cdot, \cdot)$ with distinct plaintexts $p$ and $p \oplus \Delta$, verifying that $\Delta c = \Delta$. Hence, the discussion of type 3 instances is omitted here.
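The following is an added example, not code from the paper, that models Algorithm 1 for $s = 2$ in the ideal cipher model and exercises two of the cases above: a type 2 instance that meets every condition of Section 3.1.2, together with its decryption, and a type 3 instance whose ciphertext difference equals the plaintext difference (Section 3.1.3). Assumptions: the ideal cipher is emulated by a seeded random permutation per key value, $n$ is shrunk to 8 bits, and the bit assignments TYPE2_A/TYPE2_B and TYPE3_A/TYPE3_B are constructed for illustration and are not claimed to be the paper's numbered $E_1$.

```python
"""Toy model of the E[s] target construction (Algorithm 1) with s = 2.

The ideal cipher E is emulated by an independent, lazily sampled random
permutation of {0,1}^n for every key value (n shrunk to 8 bits so the tables fit
in memory). The bit parameters a[(i, j)] and b[(i, j)] follow Algorithm 1's
indexing; entries that are absent count as 0.
"""
import random
from typing import Dict, List, Tuple

N_BITS = 8                    # toy n; the paper's n is the real block/key size
Bits = Dict[Tuple[int, int], int]


class IdealCipher:
    """E(key, .) is an independent uniformly random permutation for every key."""

    def __init__(self, seed: int = 2019) -> None:
        self.seed = seed
        self._fwd: Dict[int, List[int]] = {}
        self._inv: Dict[int, List[int]] = {}

    def _table(self, key: int) -> None:
        if key in self._fwd:
            return
        rng = random.Random((self.seed << N_BITS) | key)   # one permutation per key
        perm = list(range(1 << N_BITS))
        rng.shuffle(perm)
        inv = [0] * (1 << N_BITS)
        for u, w in enumerate(perm):
            inv[w] = u
        self._fwd[key], self._inv[key] = perm, inv

    def enc(self, key: int, u: int) -> int:           # E(key, u)
        self._table(key)
        return self._fwd[key][u]

    def dec(self, key: int, w: int) -> int:           # E^{-1}(key, w)
        self._table(key)
        return self._inv[key][w]


def encrypt(E: IdealCipher, a: Bits, b: Bits, k: int, p: int, s: int = 2) -> int:
    """Algorithm 1: (k_1, x_1), then y_i = E(k_i, x_i) and the next (k_{i+1}, x_{i+1})."""
    y: List[int] = []                                  # y_1 .. y_s
    key_i = a.get((1, 1), 0) * k
    x_i = (b.get((1, 1), 0) * k) ^ (b.get((1, 2), 0) * p)
    for i in range(1, s):
        y.append(E.enc(key_i, x_i))                    # y_i
        # k_{i+1} = a_{i+1,1}.k XOR a_{i+1,j}.y_{j-1} for j = 2 .. i+1
        key_i = a.get((i + 1, 1), 0) * k
        for j in range(2, i + 2):
            key_i ^= a.get((i + 1, j), 0) * y[j - 2]
        # x_{i+1} = b_{i+1,1}.k XOR b_{i+1,2}.p XOR b_{i+1,j}.y_{j-2} for j = 3 .. i+2
        x_i = (b.get((i + 1, 1), 0) * k) ^ (b.get((i + 1, 2), 0) * p)
        for j in range(3, i + 3):
            x_i ^= b.get((i + 1, j), 0) * y[j - 3]
    y.append(E.enc(key_i, x_i))                        # y_s
    # c = b_{s+1,1}.k XOR b_{s+1,2}.p XOR b_{s+1,j}.y_{j-2} for j = 3 .. s+2
    c = (b.get((s + 1, 1), 0) * k) ^ (b.get((s + 1, 2), 0) * p)
    for j in range(3, s + 3):
        c ^= b.get((s + 1, j), 0) * y[j - 3]
    return c


def decrypt_type2(E: IdealCipher, a: Bits, b: Bits, k: int, c: int) -> int:
    """Inverse of a type 2 instance: p enters only x_2 (b_{2,2} = 1, b_{3,4} = 1)."""
    y1 = E.enc(a.get((1, 1), 0) * k, b.get((1, 1), 0) * k)     # subkey, key-only input
    k2 = (a.get((2, 1), 0) * k) ^ (a.get((2, 2), 0) * y1)
    y2 = c ^ (b.get((3, 1), 0) * k) ^ (b.get((3, 3), 0) * y1)  # peel off the final XOR
    x2 = E.dec(k2, y2)
    return x2 ^ (b.get((2, 1), 0) * k) ^ (b.get((2, 3), 0) * y1)


# Constructed type 2 instance satisfying every condition of Section 3.1.2
# (not claimed to be the paper's E_1): y_1 = E(k, 0), x_2 = p ^ y_1, c = E(k, x_2) ^ k ^ y_1
TYPE2_A: Bits = {(1, 1): 1, (2, 1): 1}
TYPE2_B: Bits = {(2, 2): 1, (2, 3): 1, (3, 1): 1, (3, 3): 1, (3, 4): 1}

# Constructed type 3 instance (p enters only the final XOR): y_1 = E(k, k), c = p ^ E(k, y_1)
TYPE3_A: Bits = {(1, 1): 1, (2, 1): 1}
TYPE3_B: Bits = {(1, 1): 1, (2, 3): 1, (3, 2): 1, (3, 4): 1}


def roundtrip_ok(E: IdealCipher, k: int) -> bool:
    """decrypt_type2 inverts encrypt for every plaintext under key k."""
    return all(decrypt_type2(E, TYPE2_A, TYPE2_B, k,
                             encrypt(E, TYPE2_A, TYPE2_B, k, p)) == p
               for p in range(1 << N_BITS))


def type3_difference_leaks(E: IdealCipher, k: int, p: int, delta: int) -> bool:
    """Section 3.1.3 check: for a type 3 instance, c ^ c' == delta whenever p' = p ^ delta.
    A random permutation would satisfy this only with probability about 2^-n."""
    c = encrypt(E, TYPE3_A, TYPE3_B, k, p)
    c_prime = encrypt(E, TYPE3_A, TYPE3_B, k, p ^ delta)
    return (c ^ c_prime) == delta


if __name__ == "__main__":
    E = IdealCipher()
    print("type 2 round trip:", roundtrip_ok(E, 0x5A))
    print("type 3 leaks plaintext difference:", type3_difference_leaks(E, 0x5A, 0x13, 0x80))
```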

4. Security Proof

Let $E_i \in \{E_1, E_2, \ldots, E_{32}\}$ be any instance, and let $E$ be the underlying block cipher. Let $D$ be any distinguisher that has access to the oracles $(O_1, O_2)$, which are either $(E_k^{\pm}(\cdot, \cdot), E^{\pm}(\cdot, \cdot))$ with $k \xleftarrow{\$} \mathcal{K}$ or $(\pi^{\pm}(\cdot, \cdot), E^{\pm}(\cdot, \cdot))$. The distinguisher $D$ is computationally unbounded and deterministic and makes $q$ queries in total when interacting with $O_1$ and $O_2$. We denote the numbers of queries to $O_1$ and $O_2$ by $q_1$ and $q_2$, respectively, so that $q = q_1 + q_2$, and $D$ makes no duplicate queries. The query responses of $O_1$ and $O_2$ are $v_1 = \{(p_1, c_1), \ldots, (p_{q_1}, c_{q_1})\}$ and $v_2 = \{(u_1, w_1), \ldots, (u_{q_2}, w_{q_2})\}$, respectively. The view $v$ denotes the transcript; at the end of the interaction, $D$ obtains the view $v = (v_1, v_2)$ and computes its decision bit from $v$. Accordingly, the probability distribution of the decision bit of $D$ depends on the probability distribution of $v$. $X$ and $Y$ are the probability distributions of $v$ when $D$ interacts with $(E_k^{\pm}(\cdot, \cdot), E^{\pm}(\cdot, \cdot))$ and $(\pi^{\pm}(\cdot, \cdot), E^{\pm}(\cdot, \cdot))$, respectively. $\mathcal{V}$ is the set of attainable views when $D$ interacts with $O_1$, $\mathcal{V} = \{ v \mid \Pr[Y = v] > 0 \}$, and $\mathcal{V} = \mathcal{V}_{good} \cup \mathcal{V}_{bad}$. The main step of the proof is to disclose the subkey $y$ and the secret key $k$ after the interaction with $O_1$ and $O_2$. With $(\pi^{\pm}(\cdot, \cdot), E^{\pm}(\cdot, \cdot))$ as $(O_1, O_2)$, we choose $k \xleftarrow{\$} \mathcal{K}$ and obtain the corresponding subkey $y$ by querying $E^{\pm}$. The distinguisher $D$ can then derive the query response $(u, w)$ of the $E^{\pm}(\cdot, \cdot)$ invocation for each query response $(p_i, c_i)$ in the view $v_1$. The query responses of the block cipher $E$ for each view $v = (v_1, v_2) \in \mathcal{V}$ are divided into three tables. The first one consists of the single query response of $E$ that yields the subkey: $T_1 = \{(u_1^1, w_1^1 = y)\}$.
The second table consists of the other query responses of $E$ derived from $v_1$: $T_2 = \{(u_1^2, w_1^2), \ldots, (u_{q_2}^2, w_{q_2}^2)\}$. The last table consists of all query responses from $v_2$: $T_3 = \{(u_1^3, w_1^3), \ldots, (u_{q_2}^3, w_{q_2}^3)\}$.

4.1. Bad Events

$v \in \mathcal{V}_{bad}$ if, for the tables $T_1 = \{(u_1^1, w_1^1 = y)\}$, $T_2 = \{(u_1^2, w_1^2), \ldots, (u_{q_2}^2, w_{q_2}^2)\}$, and $T_3 = \{(u_1^3, w_1^3), \ldots, (u_{q_2}^3, w_{q_2}^3)\}$, the following condition holds: there exist $(u_j^i, w_j^i)$ in table $T_i$ and $(u_{j'}^{i'}, w_{j'}^{i'})$ in table $T_{i'}$ with $i \neq i'$ such that $(u_j^i, w_j^i) = (u_{j'}^{i'}, w_{j'}^{i'})$. Such a $v$ causes a bad event.

4.2. $\Pr[Y \in \mathcal{V}_{bad}]$

According to our construction, we give here the exact definition of $\mathcal{V}_{bad}$, which also determines $\mathcal{V}_{good}$: a view in $\mathcal{V}_{good}$ causes no bad event. Due to limited space, we define $\mathcal{V}_{bad}$ for $E_1$ only. A view is in $\mathcal{V}_{bad}$ if at least one of the following events occurs:
(a) $(p_i, c_i) \in v_1$ such that $p_i = y$;
(b) $(p_i, c_i) \in v_1$ such that $c_i = k$;
(c) $(p_i, c_i) \in v_1$ and $(u_j, w_j) \in v_2$ such that $u_j = p_i \oplus y$;
(d) $(p_i, c_i) \in v_1$ and $(u_j, w_j) \in v_2$ such that $w_j = c_i \oplus y \oplus k$.
The subkey $y$ and the secret key $k$ are uniformly selected at random from a set of size at least $2^n - q_1$. We get
$\Pr[(a)] \le q/(2^n - q_1)$;
$\Pr[(b)] \le q/(2^n - q_1)$;
$\Pr[(c)] \le q/(2^n - q_1)$;
$\Pr[(d)] \le q/(2^n - q_1)$.
Thus, we get
$$\Pr[Y \in \mathcal{V}_{bad}] \le \Pr[(a)] + \Pr[(b)] + \Pr[(c)] + \Pr[(d)]$$
Let $q < 2^{n-1}$; using the above values, we get
$$\Pr[Y \in \mathcal{V}_{bad}] \le \frac{4q}{2^{n-1}}$$

4.3. Ratio for $\mathcal{V}_{good}$

First of all, Pr [ X = v ] . The X is a random variable that is defined on the probability space of all possible underlying block cipher E and all possible secret key k . The probability space of X is denoted as a l l X . Correspondingly, the | a l l X | is equal to 2 n   ( 2 n ! )   2 n . In a l l X , an element π getting along with v is taken, if π gives exactly the same responses for all queries. The c o m p X ( v ) is defined as all the elements in a l l X compatible with v .
Pr [ X = v ] = | c o m p X ( v ) | a l l X
Similarly, Y is defined on the probability space of E 1 , underlying block cipher E , and key k . On defining c o m p X ( v ) and a l l Y , respectively, we have
Pr [ Y = v ] = | c o m p Y ( v ) | a l l Y
a l l Y is 2 n   ( 2 n ! )   2 n   ( 2 n ! )   2 n , that is the number of keys times, the number of block ciphers. We next computed | c o m p X ( v ) | and | c o m p Y ( v ) | . We knew that the view v contains the key k value, that is, at the end of the interaction, it is disclosed to distinguisher D . A set of input outputs of underlying block cipher E are derived and separately stored in tables   T 1 ,   T 2 , and T 3 . The number of input-output of E with the key value i is denoted as α i and β i in   T 2 and   T 3 , respectively, where 0 i   2 n 1 . The γ   i denotes the number of queries to O 1 with key value. There is no collision between any two tables, so v is good. Secondly, the distinguisher D never makes duplicate queries. Therefore, all the inputs and outputs of E in T 1 , T 2 , and T 3 are distinct, showing that   γ   i = α i . The query response ( u 1 1 , w 1 1 ) of E in T 1 has u 1 1 = k or u 1 1 = 0 ( E 1   t o   E 20 have u 1 1 = k and others u 1 1 = 0 ). On assuming u 1 1 = k , we got
$|\mathrm{comp}_X(v)| = (2^n - \alpha_k - \beta_k - 1)! \prod_{i=0}^{k-1} (2^n - \alpha_i - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \alpha_i - \beta_i)!$
$|\mathrm{comp}_Y(v)| = \prod_{i=0}^{2^n-1} (2^n - \gamma_i)! \cdot \Big( (2^n - \beta_k - 1)! \prod_{i=0}^{k-1} (2^n - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \beta_i)! \Big)$
$= \prod_{i=0}^{2^n-1} (2^n - \alpha_i)! \cdot \Big( (2^n - \beta_k - 1)! \prod_{i=0}^{k-1} (2^n - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \beta_i)! \Big)$
$= (2^n - \alpha_k)!\,(2^n - \beta_k - 1)! \prod_{i=0}^{k-1} (2^n - \alpha_i)!\,(2^n - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \alpha_i)!\,(2^n - \beta_i)!$
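The counting step behind these formulas (each key index contributes a $(2^n - \alpha_i - \beta_i)!$ factor, one more pair being fixed under key $k$) and the factorial inequality used next to bound $|\mathrm{comp}_Y(v)|$ can be sanity-checked by brute force at a toy block size. The following is an added example, not code from the paper: the block size $N = 4$ (i.e., $n = 2$) and the query profiles $(\alpha, \beta, k)$ in it are constructed values, and the function names are ours.

```python
"""Toy sanity check of the counting argument in Section 4.3.

Added example, not code from the paper.  N = 2^n is set to a tiny constructed
value so that all permutations can be enumerated; the query profiles used in
the checks are constructed as well.
"""
from fractions import Fraction
from itertools import permutations
from math import factorial, prod

N = 4  # constructed: 2^n with n = 2 (the paper's 2^n is far too large to enumerate)


def count_compatible(table, n=N):
    """Brute-force number of permutations of range(n) that agree with every
    (u, w) pair in `table`.  Returns 0 if the table is not injective, which is
    exactly the collision case a good view excludes."""
    return sum(all(pi[u] == w for u, w in table) for pi in permutations(range(n)))


def completions(t, n=N):
    """Closed form used in the proof: t distinct, consistent input/output
    pairs pin down t points, leaving (n - t)! permutations."""
    return factorial(n - t)


def _extra(i, k):
    # the subkey query (u_1^1 = k) adds one fixed pair under key k only
    return 1 if i == k else 0


def comp_x_size(alpha, beta, k, n=N):
    """|comp_X(v)|: every key i carries alpha_i + beta_i pairs from T2 and T3,
    key k carries one more."""
    return prod(factorial(n - alpha[i] - beta[i] - _extra(i, k)) for i in range(n))


def comp_y_size(alpha, beta, k, n=N):
    """|comp_Y(v)| after substituting gamma_i = alpha_i: the O_1 family and
    the underlying E are counted independently."""
    o1_part = prod(factorial(n - alpha[i]) for i in range(n))
    e_part = prod(factorial(n - beta[i] - _extra(i, k)) for i in range(n))
    return o1_part * e_part


def comp_y_upper_bound(alpha, beta, k, n=N):
    """Bound obtained by applying (n-a)!(n-b)! <= (n-a-b)! n! to each key."""
    return factorial(n) ** n * prod(
        factorial(n - alpha[i] - beta[i] - _extra(i, k)) for i in range(n))


def factorial_inequality_holds(n, a, b):
    """(n-a)! (n-b)! <= (n-a-b)! n!  for a + b <= n."""
    return factorial(n - a) * factorial(n - b) <= factorial(n - a - b) * factorial(n)


def all_inequalities_hold(n=N):
    """Exhaustive check of the inequality over all a + b <= n."""
    return all(factorial_inequality_holds(n, a, b)
               for a in range(n + 1) for b in range(n + 1 - a))


def probability_ratio(alpha, beta, k, n=N):
    """Pr[X = v] / Pr[Y = v] = (|comp_X| / |comp_Y|) * (|all_Y| / |all_X|),
    computed exactly; the proof shows it is at least 1 for every good view."""
    all_x = n * factorial(n) ** n
    all_y = all_x * factorial(n) ** n
    return (Fraction(comp_x_size(alpha, beta, k, n), comp_y_size(alpha, beta, k, n))
            * Fraction(all_y, all_x))


if __name__ == "__main__":
    alpha, beta, k = [1, 0, 0, 0], [1, 0, 0, 0], 0   # constructed query profile
    print(count_compatible([(0, 1), (2, 3)]), completions(2))
    print(comp_y_size(alpha, beta, k) <= comp_y_upper_bound(alpha, beta, k))
    print(all_inequalities_hold())
    print(probability_ratio(alpha, beta, k))
```

The brute-force count confirms the $(2^n - t)!$ closed form only when the fixed pairs are pairwise distinct and consistent, which is why the proof first restricts to good views (no collisions across $T_1$, $T_2$, $T_3$, no duplicate queries) before counting.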
From $(2^n - \alpha)!\,(2^n - \beta)! \le (2^n - \alpha - \beta)!\,(2^n)!$, which holds because $(2^n)!/(2^n - \alpha)! = \prod_{j=0}^{\alpha-1}(2^n - j) \ge \prod_{j=0}^{\alpha-1}(2^n - \beta - j) = (2^n - \beta)!/(2^n - \alpha - \beta)!$, applied to every key index $i$ (with $\beta_k + 1$ in place of $\beta$ for $i = k$), we have
$|\mathrm{comp}_Y(v)| \le (2^n - \alpha_k - \beta_k - 1)! \prod_{i=0}^{k-1} (2^n - \alpha_i - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \alpha_i - \beta_i)! \cdot (2^n!)^{2^n}$
We can compute
$\dfrac{|\mathrm{comp}_X(v)|}{|\mathrm{comp}_Y(v)|} \ge \dfrac{(2^n - \alpha_k - \beta_k - 1)! \prod_{i=0}^{k-1} (2^n - \alpha_i - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \alpha_i - \beta_i)!}{(2^n - \alpha_k - \beta_k - 1)!\,(2^n!)^{2^n} \prod_{i=0}^{k-1} (2^n - \alpha_i - \beta_i)! \prod_{i=k+1}^{2^n-1} (2^n - \alpha_i - \beta_i)!} = \dfrac{1}{(2^n!)^{2^n}}$
Finally, we can compute
$\dfrac{\Pr[X = v]}{\Pr[Y = v]} = \dfrac{|\mathrm{comp}_X(v)|}{|\mathrm{comp}_Y(v)|} \times \dfrac{|\mathrm{all}_Y|}{|\mathrm{all}_X|}$
$\ge \dfrac{1}{(2^n!)^{2^n}} \times \dfrac{2^n \, (2^n!)^{2^n} \, (2^n!)^{2^n}}{2^n \, (2^n!)^{2^n}} = 1$
Thus, for every good view the ratio is at least $1$, so the $V_{good}$ term contributes $0$ to the bound.
Combining Sections 4.2 and 4.3,
$\mathrm{Adv}^{prp}_{E_1}(q) \le \dfrac{4q}{2^{n-1}}$

Author Contributions

L.W. conceptualized the idea, Y.N. performed the analysis, and both authors wrote the manuscript in coordination with each other.

Funding

National Natural Science Foundation of China, Youth Project.

Conflicts of Interest

The authors declare no conflict of interest.

Figure 1. $E[s]$: Target Construction.
Figure 2. $E[2]$: Type 1 Construction.
Figure 3. Type 1: One block cipher invocation.
Figure 4. $E[2]$: Type 2 Construction.
Figure 5. The $E_1, E_2, \ldots, E_{32}$ efficient constructions: the internal variable $y$ is referred to as a subkey for these constructions.
Figure 6. $E[2]$: Type 3 Construction.