Abstract
We prove the tight multi-user (mu) security of the (tweakable) key alternating cipher (KAC) for any round r with a single permutation and r-wise independent subkeys, providing a more realistic provable-security foundation for block ciphers. After Chen and Steinberger proved the single-user (su) tight security bound of r-round KAC in 2014, its extension under more realistic conditions has become a new research challenge. The state-of-the-art includes (i) single permutation by Yu et al., (ii) the mu security by Hoang and Tessaro, and (iii) correlated subkeys by Tessaro and Zhang. However, the previous works considered these conditions independently, and the tight security bound of r-round KACs with all of these conditions is an open research problem. We address it by giving the new mu-bound with an n-bit message space, approximately \(q \cdot \left( \frac{p + r q}{2^n} \right) ^r\), wherein p and q are the number of primitive and construction queries, respectively. The bound ensures the security up to the \(O(2^\frac{rn}{r+1})\) query complexity and is tight, matching the conventional attack bound. Moreover, our result easily extends to the r-round tweakable KAC when the subkeys generated by its tweak function are r-wise independent. The proof is based on the re-sampling method originally proposed for the mu-security analysis of triple encryption. Its extension to any number of rounds is the core technique enabling the new bound.
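The construction the abstract analyses, as an added example that is not code from the paper: an r-round KAC built from one public permutation \(\pi\) with r+1 subkeys, its inverse (the relation note 4 below relies on), and the stated mu-bound \(q \cdot ((p + rq)/2^n)^r\) with its \(2^{rn/(r+1)}\) threshold. The 8-bit toy permutation, the subkeys and the query counts are constructed here for illustration.

```python
import random
from fractions import Fraction


def make_permutation(n_bits: int, seed: int = 1) -> list[int]:
    """Constructed toy public permutation pi on n-bit blocks (table form)."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table


def invert(perm: list[int]) -> list[int]:
    """Table of pi^{-1}, needed for KAC_r^{-1}."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def kac_encrypt(subkeys: list[int], perm: list[int], m: int) -> int:
    """KAC_r[K, pi](M) = K_r ^ pi(K_{r-1} ^ pi(... pi(K_0 ^ M))).

    subkeys holds K_0..K_r (r+1 entries); the same permutation pi is
    reused in every round, the single-permutation setting of the paper.
    """
    x = m
    for k in subkeys[:-1]:
        x = perm[x ^ k]
    return x ^ subkeys[-1]


def kac_decrypt(subkeys: list[int], inv_perm: list[int], c: int) -> int:
    """KAC_r^{-1}[K, pi^{-1}](C): peel the rounds off in reverse order."""
    x = c
    for k in reversed(subkeys[1:]):
        x = inv_perm[x ^ k]
    return x ^ subkeys[0]


def mu_bound(n: int, r: int, p: int, q: int) -> Fraction:
    """The abstract's mu-bound q * ((p + r q) / 2^n)^r, exactly (no constant)."""
    return Fraction(q) * Fraction(p + r * q, 2 ** n) ** r


def security_threshold(n: int, r: int) -> float:
    """Query complexity 2^(rn/(r+1)) up to which the bound remains meaningful."""
    return 2 ** (r * n / (r + 1))
```

With n = 128 and r = 2, `mu_bound` stays far below one at 2^40 queries of each kind, while `security_threshold` gives the 2^(256/3) point beyond which the bound no longer guarantees anything.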
Notes
1. Yu et al. recently simplified the proof technique, and derived the tight su-bound for \(\textsf {KAC}\). The proof is limited to the su-setting, and proving the mu-security is still open.
2. This is because in the ideal world, a random permutation and the underlying ideal cipher are independently defined.
3. Note that if first some internal values have been defined by previous queries, the forward sampling starts from the round at which the internal value is not defined.
4. For a pair \((M^{(\nu ,\alpha )},C^{(\nu ,\alpha )})\) of plaintext and ciphertext defined by \(\textsf {KAC}^{-1}_{r}[K^{(\nu )}, \pi ^{-1}](C^{(\nu ,\alpha )})\), the input-output pairs of \(\pi ^{-1}\) can be written by the definition with \(\textsf {KAC}_{r}[K^{(\nu )}, \pi ](M^{(\nu ,\alpha )})\) since \(\textsf {KAC}^{-1}_{r}[K^{(\nu )}, \pi ^{-1}](C^{(\nu ,\alpha )})\) is the inverse of \(\textsf {KAC}_{r}[K^{(\nu )}, \pi ](M^{(\nu ,\alpha )})\).
5. In the ideal world, the pairs are freshly defined at the \(\alpha \)-th construction query by our algorithm defined in Sect. 5.3.
6. In the forward (resp. inverse) sampling, the internal value after the 4th (before the 5th) round connects with the 2-chain (resp. 4-chain) with the user's subkeys that influence the 7th (resp. 1st) round. Since the pair at the 7th (resp. 1st) round is fixed by some previous query, the duplication of the internal value cannot be fixed.
7. Note that in a loop of Algorithm 2, each fresh value is sampled from a set including values defined in the same loop. Hence, the sampling method probabilistically yields a collision within the same loop. The collision event is handled in the bad transcript analysis. On the other hand, the sampling method contributes to obtaining a nice ratio for a good transcript.
8. The bound comes from the fact that if \(\textsf{bad}\) occurs, then one of \(\textbf{E}\) occurs before the other bad events occur.
References
Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10
Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)
Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_5
Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, pp. 39–56. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_3
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
Cogliati, B., et al.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I, pp. 722–753. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_24
Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I, pp. 189–208. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_9
Cogliati, B., Seurin, Y.: Beyond-birthday-bound security for tweakable Even-Mansour ciphers with linear tweak and key mixing. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II, pp. 134–158. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_6
Degabriele, J.P., Govinden, J., Günther, F., Paterson, K.G.: The security of ChaCha20-Poly1305 in the multi-user setting. In: CCS 2021, pp. 1981–2003. ACM (2021)
Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012, pp. 336–354. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_21
Dutta, A.: Minimizing the two-round tweakable Even-Mansour cipher. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I, pp. 601–629. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_20
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
Guo, C., Wang, L.: Revisiting key-alternating Feistel ciphers for shorter keys and multi-user security. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I, pp. 213–243. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_8
Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I, pp. 3–32. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_1
Hoang, V.T., Tessaro, S., Thiruvengadam, A.: The multi-user security of GCM, revisited: tight bounds for nonce randomization. In: CCS 2018, pp. 1429–1440. ACM (2018)
Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012, pp. 278–295. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_18
Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–151. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_8
Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_20
Mouha, N., Luykx, A.: Multi-key security: the Even-Mansour construction revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I, pp. 209–223. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_10
Naito, Y., Sasaki, Y., Sugawara, T., Yasuda, K.: The multi-user security of triple encryption, revisited: exact security, strengthening, and application to TDES. In: CCS 2022. ACM (2022)
Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Rescorla, E.: RFC 8446: The Transport Layer Security (TLS) protocol version 1.3 (2018). https://doi.org/10.17487/RFC8446
Rescorla, E., Tschofenig, H., Modadugu, N.: The Datagram Transport Layer Security (DTLS) protocol version 1.3, draft-ietf-tls-dtls13-43 (2021). https://tools.ietf.org/html/draft-ietf-tls-dtls13-43
Steinberger, J.P.: Improved security bounds for key-alternating ciphers via Hellinger distance. IACR Cryptol. ePrint Arch., Report 2012/481 (2012). http://eprint.iacr.org/2012/481
Tessaro, S., Zhang, X.: Tight security for key-alternating ciphers with correlated sub-keys. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part III, pp. 435–464. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_15
Thomson, M., Turner, S.: Using TLS to secure QUIC. RFC 9001, 1–52 (2021). https://doi.org/10.17487/RFC9001
Wu, Y., Yu, L., Cao, Z., Dong, X.: Tight security analysis of 3-round key-alternating cipher with a single permutation. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I, pp. 662–693. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_22
Yu, L., Wu, Y., Yu, Y., Cao, Z., Dong, X.: Security proofs for key-alternating ciphers with non-independent round permutations. In: Rothblum, G., Wee, H. (eds.) TCC 2023, Part I, pp. 238–267. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-48615-9_9
Acknowledgement
We thank anonymous reviewers for useful comments.
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Naito, Y., Sasaki, Y., Sugawara, T. (2024). The Exact Multi-user Security of (Tweakable) Key Alternating Ciphers with a Single Permutation. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_4
DOI: https://doi.org/10.1007/978-3-031-58716-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58715-3
Online ISBN: 978-3-031-58716-0
eBook Packages: Computer Science, Computer Science (R0)