Abstract
When keys are small or parts of them leak, key-recovery attacks on symmetric-key primitives remain a plausible threat. Key stretching is one well-known means of throttling potential adversaries: stretching a key by s bits means that a key-recovery attack has to perform \(\min \{2^{k-1}, 2^{k-\lambda +s-1}\}\) operations on average for a k-bit key with \(\lambda \) bits of information leakage. However, explicit key stretching typically requires the defender to pay for the stretch operations as well.
The usual assumption is that a surrounding encryption scheme does not increase the key-recovery security of its internal primitives. This work challenges this assumption by considering the structure of popular encryption schemes. In particular, message lengths may be non-negligible in settings such as full-disk encryption or archiving, where the adversary can obtain only long messages. Surprisingly, the question of whether a surrounding encryption scheme has only a negligible impact on key recovery seems to have remained uninvestigated. Therefore, it is interesting to study whether “implicit” key stretching may come for free as an inherent property of popular schemes.
We define an encryption scheme as “fully key-stretching-secure” if an adversary that sees plaintext-ciphertext pairs of at least m blocks each must perform at least m primitive calls to test a key candidate. Using a definition of affine modes similar to that of Chakraborti et al. in JMC 2018, we systematically explore common encryption schemes with respect to their key-stretching security. In total, we consider five classes of (1) online, (2) SIV-like, (3) parallelizable two-pass (EME-like), (4) sequential two-pass (CMC-like), and (5) three-pass (HCTR-like) encryption schemes. By modeling them as affine modes, we can identify all considered encryption schemes as key-stretching-insecure, i.e., one needs only O(1) primitive calls to test a key candidate. However, for the insecure schemes of types (3) to (5), namely the EME-, CMC-, and HCTR-like schemes, we propose minor tweaks that ensure full key-stretching security.
References
Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: RIV for robust authenticated encryption. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 23–42. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_2
Andreeva, E., Barwell, G., Bhaumik, R., Nandi, M., Page, D., Stam, M.: Turning online ciphers off. IACR Trans. Symmetric Cryptol. 2017(2), 105–142 (2017)
Bellare, M., Boldyreva, A., Knudsen, L., Namprempre, C.: Online ciphers and the Hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_18
Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
Chakraborti, A., Datta, N., Nandi, M.: On the optimality of non-linear computations for symmetric key primitives. J. Math. Cryptol. 12(4), 241–259 (2018)
Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 621–630. ACM (2009)
Halevi, S.: EME*: extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_25
Halevi, S.: EME*: extending EME to handle arbitrary-length messages with associated data. IACR Cryptol. ePrint Arch. 2004, 125 (2004)
Halevi, S., Rogaway, P.: A parallelizable enciphering mode. IACR Cryptol. ePrint Arch. 2003, 147 (2003)
Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_28
Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_23
Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_2
Hoang, V.T., Reyhanitabar, R., Rogaway, P., Vizár, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 493–517. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_24
Jean, J., Nikolić, I., Peyrin, T.: Deoxys v1.41. Third-round submission to the CAESAR competition, 12 Oct 2016 (Deoxys-II later became a finalist)
Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_18
McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_27
Mennink, B., Neves, S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017)
Minematsu, K.: Parallelizable rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_16
Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_15
Nandi, M.: On the minimum number of multiplications necessary for universal hash functions. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 489–508. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_25
Peyrin, T., Seurin, Y.: Counter-in-Tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_2
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23
Rogaway, P., Zhang, H.: Online ciphers from tweakable blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_16
Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_21
International Telecommunication Union: ITU-T Recommendation G.709/Y.1331 (06/20). Technical report, International Telecommunication Union (2020)
Wang, P., Feng, D., Wu, W.: HCTR: a variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005). https://doi.org/10.1007/11599548_15
Acknowledgements
We are highly thankful to the reviewers of CT-RSA 2022 and ICISC 2022 for their fruitful comments. This research was funded by DFG Grant LU 608/9-1.
Appendices
A Encryption-Model Visualization
B Decryption Representations
For single-pass modes, we define the decryption model as
For two-pass schemes, the decryption can be represented as
For three passes, the decryption is represented as
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bossert, J., List, E., Lucks, S. (2023). Implicit Key-Stretching Security of Encryption Schemes. In: Seo, SH., Seo, H. (eds) Information Security and Cryptology – ICISC 2022. ICISC 2022. Lecture Notes in Computer Science, vol 13849. Springer, Cham. https://doi.org/10.1007/978-3-031-29371-9_2
DOI: https://doi.org/10.1007/978-3-031-29371-9_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29370-2
Online ISBN: 978-3-031-29371-9