Abstract
Message franking is a cryptographic scheme introduced in the Facebook end-to-end encrypted messaging system. It enables users to report abusive messages to Facebook in a verifiable manner. Grubbs, Lu and Ristenpart initiated the theoretical study of message franking in 2017: they formalized the notion, introduced a new primitive called compactly committing authenticated encryption with associated data (ccAEAD), and presented provably secure ccAEAD schemes. In 2018, Dodis, Grubbs, Ristenpart and Woodage introduced a further primitive called encryptment as a core building block of ccAEAD. They presented a provably secure encryptment scheme using a Merkle-Damgård hash function, together with transformations from encryptment to ccAEAD.
In this paper, we present a provably secure encryptment scheme using a tweakable block cipher (TBC). We then obtain a ccAEAD scheme using a TBC by giving a transformation from TBC-based encryptment. Like the previous schemes, ours requires a collision-resistant pseudorandom function, for which we adopt a double-block-length construction using a TBC.
References
Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_31
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_20
Berti, F., Guo, C., Pereira, O., Peters, T., Standaert, F.X.: TEDT, a leakage-resilient AEAD mode for high (physical) security applications. Cryptology ePrint Archive, Report 2019/137 (2019). https://eprint.iacr.org/2019/137
Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_21
Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptol. 23(4), 519–545 (2010)
Chen, L., Tang, Q.: People who live in glass houses should not throw stones: targeted opening message franking schemes. Cryptology ePrint Archive, Report 2018/994 (2018). https://eprint.iacr.org/2018/994
Dodis, Y., Grubbs, P., Ristenpart, T., Woodage, J.: Fast message franking: from invisible salamanders to encryptment. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 155–186. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_6
Facebook: Facebook messenger. https://www.messenger.com. Accessed 16 Apr 2020
Facebook: Messenger secret conversations. Technical Whitepaper (2016)
FIPS PUB 198-1: The keyed-hash message authentication code (HMAC) (2008)
Grubbs, P., Lu, J., Ristenpart, T.: Message franking via committing authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 66–97. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_3
Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_14
Huguenin-Dumittan, L., Leontiadis, I.: A message franking channel. Cryptology ePrint Archive, Report 2018/920 (2018). https://eprint.iacr.org/2018/920
Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_13
Jean, J., Nikolić, I., Peyrin, T., Seurin, Y.: Deoxys v1.41 (2016)
Katz, J., Yung, M.: Complete characterization of security notions for probabilistic private-key encryption. In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, pp. 245–254 (2000)
Leontiadis, I., Vaudenay, S.: Private message franking with after opening privacy. Cryptology ePrint Archive, Report 2018/938 (2018). https://eprint.iacr.org/2018/938
Signal Foundation: Signal. https://signal.org/. Accessed 16 Apr 2020
Tyagi, N., Grubbs, P., Len, J., Miers, I., Ristenpart, T.: Asymmetric message franking: content moderation for metadata-private end-to-end encryption. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 222–250. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_8
WhatsApp: WhatsApp Messenger. https://www.whatsapp.com. Accessed 16 Apr 2020
Acknowledgements
The author was supported in part by JSPS KAKENHI Grant Number JP18H05289.
Appendices
A Proof of Lemma 2
From the definition of confidentiality,
where . For a query (A, M), \(\$\) returns an element chosen uniformly at random from , where \((C,B)\leftarrow \mathsf {ENtbc}_{K}(A,M)\). Notice that \(\mathsf {ENtbc}_{K}\) is described with \(\mathsf {I}^{E}\) and \(\mathsf {J}^{E}\) as shown in Fig. 4. Let \(\mathsf {FJ}_{\rho }\) be the function shown in Fig. 5. It is obtained by replacing \(\mathsf {I}^{E}_{K}\) of \(\mathsf {ENtbc}_{K}\) in Fig. 4 with \(\rho \). If , then
and there exists an adversary \(\mathbf {B}\) against \(\mathsf {I}^{E}\) such that
\(\mathbf {B}\) runs \(\mathbf {A}\) and simulates the oracle of \(\mathbf {A}\). If the oracle of \(\mathbf {B}\) is \(\mathsf {I}^{E}_{K}\), then \(\mathbf {A}\) is given access to \(\mathsf {ENtbc}_{K}\). If the oracle of \(\mathbf {B}\) is \(\rho \), then \(\mathbf {A}\) is given access to \(\mathsf {FJ}_{\rho }\). \(\mathbf {B}\) makes a single query to its oracle. \(\mathrm {T}_{\mathbf {B}}\) is at most about \(\mathrm {T}_{\mathbf {A}}+O(\ell _{\mathrm {m}}\mathrm {T}_{E})\).
Let \(\mathsf {F}_{\psi }\) be the function shown in Fig. 6, where . Then, since \(\mathbf {A}\) makes just a single query, \(\mathsf {FJ}_{\rho }\) is equivalent to \(\mathsf {F}_{\mathsf {J}^{E}_{(R,S)}}\) if and . Thus, if , then
There exists an adversary \(\mathbf {C}\) against \(\mathsf {J}^{E}\) such that
\(\mathbf {C}\) runs \(\mathbf {A}\) and simulates the oracle of \(\mathbf {A}\) using its oracle which is either \(\mathsf {J}^{E}_{(R,S)}\) or \(\psi \). \(\mathbf {C}\) makes a single query to its oracle. \(\mathrm {T}_{\mathbf {C}}\) is at most about \(\mathrm {T}_{\mathbf {A}}+O(\mathrm {T}_{E})\).
There also exists an adversary \(\mathbf {D}\) against \(F\) such that
\(\mathbf {D}\) runs \(\mathbf {A}\) and simulates the oracle of \(\mathbf {A}\) using its oracle, which is either \(F_{V}\) or \(\nu \), where and \(\nu \leftarrow \!\!\!\!\!\leftarrow \mathcal {F}_{\mathcal {W}\times \mathcal {X},\mathcal {V}\times \mathcal {W}}\). If the oracle of \(\mathbf {D}\) is \(F_{V}\), then \(\mathbf {A}\) is given access to \(\mathsf {F}_{\psi }\). If the oracle of \(\mathbf {D}\) is \(\nu \), then \(\mathbf {A}\) is given access to \(\$\). \(\mathbf {D}\) makes a single query to its oracle. \(\mathrm {T}_{\mathbf {D}}\) is at most about \(\mathrm {T}_{\mathbf {A}}\).
B Proof of Theorem 5
Suppose that . Let \(Q^{*}\triangleq (A^{*},(N^{*},C^{*},T^{*}),B^{*})\) be the query to \(\mathbf {ChalDec}\) by \(\mathbf {A}\) which causes \( win \leftarrow \mathtt {true}\). Let \( (M^{*},L^{*})\leftarrow \mathsf {DECtbc}(K,A^{*},(N^{*},C^{*},T^{*}),B^{*}) \).
First, suppose that \(\mathbf {A}\) already obtains a tuple (A, (N, C, T), B) by a query (A, M) to \(\mathbf {Enc}\) such that \(B=B^{*}\) before asking \(Q^{*}\). Then, since \(B=B^{*}\), \(T=T^{*}\) and \((A,N,C)\ne (A^{*},N^{*}, C^{*})\). Let \(L\leftarrow E_{K}^{\varvec{0}}(N)\). Then, \(L=L^{*}\) if and only if \(N=N^{*}\). Thus, \((A,L,C)\ne (A^{*},L^{*},C^{*})\). If \((A,L,C)\ne (A^{*},L^{*},C^{*})\) and \((A,L)=(A^{*},L^{*})\), then \(C\not =C^{*}\) and \(M\not =M^{*}\). Thus, \((A,L,C)\ne (A^{*},L^{*},C^{*})\) implies \((A,L,M)\ne (A^{*},L^{*},M^{*})\), which contradicts the strong receiver binding property of \(\mathsf {ECtbc}\).
Let \(\mathbf {B}\) be an adversary against \(\mathsf {ECtbc}\) concerning the strong receiver binding. \(\mathbf {B}\) simulates . If a query \((A^{*},(N^{*},C^{*},T^{*}),B^{*})\) to \(\mathbf {ChalDec}\) by \(\mathbf {A}\) causes \( win \leftarrow \mathtt {true}\) and \(\mathbf {A}\) obtains \((A,(N,C,T),B^{*})\) by a query (A, M) to \(\mathbf {Enc}\) before the query \((A^{*},(N^{*},C^{*},T^{*}),B^{*})\), then \(\mathbf {B}\) outputs a pair of (L, A, M) and \((L^{*},A^{*},M^{*})\), where \( (M^{*},L^{*})\leftarrow \mathsf {DECtbc}(K,A^{*},(N^{*},C^{*},T^{*}),B^{*})\) and \(L\leftarrow E_{K}^{\varvec{0}}(N)\). \(\mathbf {B}\) aborts otherwise. \(\mathbf {B}\) makes at most \(\sigma \) queries to \(E\).
Second, suppose that \(B^{*}\) is new. Namely, \(\mathbf {A}\) does not obtain a tuple (A, (N, C, T), B) by a query (A, M) to \(\mathbf {Enc}\) such that \(B=B^{*}\) before asking \(Q^{*}\). If \(B_{\mathrm {f}}^{*}=\varvec{0}\), then \(\mathbf {A}\) finds (V, W, X) satisfying \(E_{V}^{W}(X)\oplus X=\varvec{0}\), which contradicts the everywhere preimage resistance of \(\mathsf {f}^{E}\). If \(B^{*}_{0}\ne \varvec{0}\), then \(\mathbf {A}\) finds \((B^{*},T^{*})\) satisfying \(T^{*}=E_{K}^{B^{*}_{0}}(B^{*}_{1})\) with probability at most \(\sigma /2^{n}+1/(2^{n}-(q_{\mathrm {e}}+q_{\mathrm {d}}+q_{\mathrm {c}}))\).
Let \(\mathbf {C}\) be an adversary against \(\mathsf {f}^{E}\) concerning everywhere preimage resistance. \(\mathbf {C}\) simulates . If a query \((A^{*},(N^{*},C^{*},T^{*}),B^{*})\) to \(\mathbf {ChalDec}\) by \(\mathbf {A}\) causes \( win \leftarrow \mathtt {true}\), \(B^{*}\) is new and \(B^{*}_{\mathrm {f}}=\varvec{0}\), then \(\mathbf {C}\) outputs the input to the last invocation of \(F\) in \(\mathsf {ENtbc}(L^{*},A^{*},M^{*})\), where \((M^{*},L^{*})\leftarrow \mathsf {DEtbc}(K,A^{*},(N^{*}, C^{*},T^{*}),B^{*}).\)
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Hirose, S. (2020). Compactly Committing Authenticated Encryption Using Tweakable Block Cipher. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science(), vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_11
DOI: https://doi.org/10.1007/978-3-030-65745-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65744-4
Online ISBN: 978-3-030-65745-1
eBook Packages: Computer Science, Computer Science (R0)