Compactly Committing Authenticated Encryption Using Tweakable Block Cipher

Abstract

Message franking is a cryptographic scheme introduced in the Facebook end-to-end encrypted messaging system. It enables users to report abusive messages to Facebook in a verifiable manner. Grubbs, Lu and Ristenpart initiated theoretical study of message franking. They formalized the notion and introduced a new primitive called compactly committing authenticated encryption with associated data (ccAEAD) in 2017. They also presented provably secure ccAEAD schemes. Dodis, Grubbs, Ristenpart and Woodage introduced a new primitive called encryptment as a core building block of ccAEAD in 2018. They presented a provably secure encryptment scheme using a Merkle-Damgård hash function and transformations to ccAEAD from it.

In this paper, we present a provably secure encryptment scheme using a tweakable block cipher (TBC). Then, we present a ccAEAD scheme using a TBC by showing a transformation from encryptment using a TBC. Similar to the previous schemes, our scheme requires a collision-resistant pseudorandom function. We adopt a double-block-length construction using TBC for it.

Appendices

A Proof of Lemma 2

From the definition of confidentiality,

where . For a query (A, M), \(\$\) returns an element chosen uniformly at random from , where \((C,B)\leftarrow \mathsf {ENtbc}_{K}(A,M)\). Notice that \(\mathsf {ENtbc}_{K}\) is described with \(\mathsf {I}^{E}\) and \(\mathsf {J}^{E}\) as shown in Fig. 4. Let \(\mathsf {FJ}_{\rho }\) be the function shown in Fig. 5. It is obtained by replacing \(\mathsf {I}^{E}_{K}\) of \(\mathsf {ENtbc}_{K}\) in Fig. 4 with \(\rho \). If , then

and there exists an adversary \(\mathbf {B}\) against \(\mathsf {I}^{E}\) such that

$$ \bigl |\Pr [\mathbf {A}^{\mathsf {ENtbc}_{K}}=1]-\Pr [\mathbf {A}^{\mathsf {FJ}_{\rho }}=1]\bigr |= \mathrm {Adv}_{\mathsf {I}^{E}}^{\mathrm {prf}}(\mathbf {B}) . $$

\(\mathbf {B}\) runs \(\mathbf {A}\) and simulates the oracle of \(\mathbf {A}\). If the oracle of \(\mathbf {B}\) is \(\mathsf {I}^{E}_{K}\), then \(\mathbf {A}\) is given access to \(\mathsf {ENtbc}_{K}\). If the oracle of \(\mathbf {B}\) is \(\rho \), then \(\mathbf {A}\) is given access to \(\mathsf {FJ}_{\rho }\). \(\mathbf {B}\) makes a single query to its oracle. \(\mathrm {T}_{\mathbf {B}}\) is at most about \(\mathrm {T}_{\mathbf {A}}+O(\ell _{\mathrm {m}}\mathrm {T}_{E})\).

Let \(\mathsf {F}_{\psi }\) be the function shown in Fig. 6, where . Then, since \(\mathbf {A}\) makes just a single query, \(\mathsf {FJ}_{\rho }\) is equivalent to \(\mathsf {F}_{\mathsf {J}^{E}_{(R,S)}}\) if and . Thus, if , then

$$\begin{aligned}&\bigl |\Pr [\mathbf {A}^{\mathsf {FJ}_{\rho }}=1]-\Pr [\mathbf {A}^{\$}=1]\bigr |\\&\qquad \le \bigl |\Pr [\mathbf {A}^{\mathsf {F}_{\mathsf {J}^{E}_{(R,S)}}}=1] -\Pr [\mathbf {A}^{\mathsf {F}_{\psi }}=1]\bigr |+ \bigl |\Pr [\mathbf {A}^{\mathsf {F}_{\psi }}=1]\bigr |-\Pr [\mathbf {A}^{\$}=1]\bigr | . \end{aligned}$$

There exists an adversary \(\mathbf {C}\) against \(\mathsf {J}^{E}\) such that

$$ \bigl |\Pr [\mathbf {A}^{\mathsf {F}_{\mathsf {J}^{E}_{(R,S)}}}=1]- \Pr [\mathbf {A}^{\mathsf {F}_{\psi }}=1]\bigr |= \mathrm {Adv}_{\mathsf {J}^{E}}^{\mathrm {prf}}(\mathbf {C}) . $$

\(\mathbf {C}\) runs \(\mathbf {A}\) and simulates the oracle of \(\mathbf {A}\) using its oracle which is either \(\mathsf {J}^{E}_{(R,S)}\) or \(\psi \). \(\mathbf {C}\) makes a single query to its oracle. \(\mathrm {T}_{\mathbf {C}}\) is at most about \(\mathrm {T}_{\mathbf {A}}+O(\mathrm {T}_{E})\).

There also exists an adversary \(\mathbf {D}\) against \(F\) such that

$$ \bigl |\Pr [\mathbf {A}^{\mathsf {F}_{\psi }}=1]-\Pr [\mathbf {A}^{\$}=1]\bigr |= \mathrm {Adv}_{F}^{\mathrm {prf}}(\mathbf {D}) . $$

\(\mathbf {D}\) runs \(\mathbf {A}\) and simulates the oracle of \(\mathbf {A}\) using its oracle, which is either \(F_{V}\) or \(\nu \), where and \(\nu \leftarrow \!\!\!\!\!\leftarrow \mathcal {F}_{\mathcal {W}\times \mathcal {X},\mathcal {V}\times \mathcal {W}}\). If the oracle of \(\mathbf {D}\) is \(F_{V}\), then \(\mathbf {A}\) is given access to \(\mathsf {F}_{\psi }\). If the oracle of \(\mathbf {D}\) is \(\nu \), then \(\mathbf {A}\) is given access to \(\$\). \(\mathbf {D}\) makes a single query to its oracle. \(\mathrm {T}_{\mathbf {D}}\) is at most about \(\mathrm {T}_{\mathbf {A}}\).

Fig. 4.

Description of \(\mathsf {ENtbc}\) using \(\mathsf {I}^{E}\) and \(\mathsf {J}^{E}\)

Fig. 5.

\(\mathsf {FJ}_{\rho }\)

Fig. 6.

\(\mathsf {F}_{\psi }\)

B Proof of Theorem 5

Suppose that . Let \(Q^{*}\triangleq (A^{*},(N^{*},C^{*},T^{*}),B^{*})\) be the query to \(\mathbf {ChalDec}\) by \(\mathbf {A}\) which causes \( win \leftarrow \mathtt {true}\). Let \( (M^{*},L^{*})\leftarrow \mathsf {DECtbc}(K,A^{*},(N^{*},C^{*},T^{*}),B^{*}) \).

First, suppose that \(\mathbf {A}\) already obtains a tuple (A, (N, C, T), B) by a query (A, M) to \(\mathbf {Enc}\) such that \(B=B^{*}\) before asking \(Q^{*}\). Then, since \(B=B^{*}\), \(T=T^{*}\) and \((A,N,C)\ne (A^{*},N^{*}, C^{*})\). Let \(L\leftarrow E_{K}^{\varvec{0}}(N)\). Then, \(L=L^{*}\) if and only if \(N=N^{*}\). Thus, \((A,L,C)\ne (A^{*},L^{*},C^{*})\). If \((A,L,C)\ne (A^{*},L^{*},C^{*})\) and \((A,L)=(A^{*},L^{*})\), then \(C\not =C^{*}\) and \(M\not =M^{*}\). Thus, \((A,L,C)\ne (A^{*},L^{*},C^{*})\) implies \((A,L,M)\ne (A^{*},L^{*},M^{*})\), which contradicts the strong receiver binding property of \(\mathsf {ECtbc}\).

Let \(\mathbf {B}\) be an adversary against \(\mathsf {ECtbc}\) concerning the strong receiver binding. \(\mathbf {B}\) simulates . If a query \((A^{*},(N^{*},C^{*},T^{*}),B^{*})\) to \(\mathbf {ChalDec}\) by \(\mathbf {A}\) causes \( win \leftarrow \mathtt {true}\) and \(\mathbf {A}\) obtains \((A,(N,C,T),B^{*})\) by a query (A, M) to \(\mathbf {Enc}\) before the query \((A^{*},(N^{*},C^{*},T^{*}),B^{*})\), then \(\mathbf {B}\) outputs a pair of (L, A, M) and \((L^{*},A^{*},M^{*})\), where \( (M^{*},L^{*})\leftarrow \mathsf {DECtbc}(K,A^{*},(N^{*},C^{*},T^{*}),B^{*})\) and \(L\leftarrow E_{K}^{\varvec{0}}(N)\). \(\mathbf {B}\) aborts otherwise. \(\mathbf {B}\) makes at most \(\sigma \) queries to \(E\).

Second, suppose that \(B^{*}\) is new. Namely, \(\mathbf {A}\) does not obtain a tuple (A, (N, C, T), B) by a query (A, M) to \(\mathbf {Enc}\) such that \(B=B^{*}\) before asking \(Q^{*}\). If \(B_{\mathrm {f}}^{*}=\varvec{0}\), then \(\mathbf {A}\) finds (V, W, X) satisfying \(E_{V}^{W}(X)\oplus X=\varvec{0}\), which contradicts the everywhere preimage resistance of \(\mathsf {f}^{E}\). If \(B^{*}_{0}\ne \varvec{0}\), then \(\mathbf {A}\) finds \((B^{*},T^{*})\) satisfying \(T^{*}=E_{K}^{B^{*}_{0}}(B^{*}_{1})\) with probability at most \(\sigma /2^{n}+1/(2^{n}-(q_{\mathrm {e}}+q_{\mathrm {d}}+q_{\mathrm {c}}))\).

Let \(\mathbf {C}\) be an adversary against \(\mathsf {f}^{E}\) concerning everywhere preimage resistance. \(\mathbf {C}\) simulates . If a query \((A^{*},(N^{*},C^{*},T^{*}),B^{*})\) to \(\mathbf {ChalDec}\) by \(\mathbf {A}\) causes \( win \leftarrow \mathtt {true}\), \(B^{*}\) is new and \(B^{*}_{\mathrm {f}}=\varvec{0}\), then \(\mathbf {C}\) outputs the input to the last invocation of \(F\) in \(\mathsf {ENtbc}(L^{*},A^{*},M^{*})\), where \((M^{*},L^{*})\leftarrow \mathsf {DEtbc}(K,A^{*},(N^{*}, C^{*},T^{*}),B^{*}).\)