Abstract
We propose the Synthetic Counter-in-Tweak (\(\mathsf {SCT}\)) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme (with associated data). The \(\mathsf {SCT}\) mode combines in a SIV-like manner a Wegman-Carter MAC inspired from \(\mathsf {PMAC}\) for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many previous authenticated encryption modes, \(\mathsf {SCT}\) enjoys provable security beyond the birthday bound (and even up to roughly \(2^n\) tweakable block cipher calls, where n is the block length, when the tweak length is sufficiently large) in the nonce-respecting scenario where nonces are never repeated. In addition, \(\mathsf {SCT}\) ensures security up to the birthday bound even when nonces are reused, in the strong nonce-misuse resistance sense (MRAE) of Rogaway and Shrimpton (EUROCRYPT 2006). To the best of our knowledge, this is the first authenticated encryption mode that provides at the same time close-to-optimal security in the nonce-respecting scenario and birthday-bound security for the nonce-misuse scenario. While two passes are necessary to achieve MRAE-security, our mode enjoys a number of desirable features: it is simple, parallelizable, it requires the encryption direction only, it is particularly efficient for small messages compared to other nonce-misuse resistant schemes (no precomputation is required) and it allows incremental update of associated data.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
- Authenticated encryption
- Tweakable block cipher
- Nonce-misuse resistance
- Beyond-birthday-bound security
- CAESAR competition
1 Introduction
Background on Authenticated Encryption. Confidentiality and authenticity of data are the two main security properties that one must ensure when communicating over an insecure channel. In the symmetric key setting, it has long been known how to ensure both of them independently, e.g., starting from a secure block cipher, by using a suitable encryption mode for confidentiality [7] and a block cipher-based MAC for authenticity [9]. However, how exactly to combine both tools has long been left to the practitioners, leading to major security breaches [3, 18, 37]. Sometimes, protocol designers even overlooked that authenticity was a necessary requirement besides confidentiality, as exemplified by padding oracle attacks [59]. Even when the combination of the encryption and the MAC schemes is properly done, it might not be the most efficient solution, especially when the two parts rely on two different primitives. For these reasons, interest has shifted towards designing “integrated” Authenticated Encryption (AE) schemes ensuring jointly authenticity and confidentiality of data, which are more efficient and less likely to be incorrectly used. Besides, it has become standard for an AE scheme to have the ability to handle so-called associated data (AD), which are authenticated but not encrypted [51] (such a scheme was for a time called an AEAD scheme, but since this feature is so important in practice, virtually all modern AE schemes provide it; we will only talk of AE in this paper, implicitly meaning AEAD). Even though ad-hoc AE schemes were already used since a long time, the formal treatment of these constructions only started around 2000 [10, 11, 36]. At about the same time, provably secure AE designs started to appear, such as \(\mathsf {IAPM}\) [34, 35], \(\mathsf {XCBC}\) [22], \(\mathsf {CCM}\) [61], \(\mathsf {OCB}\) [52, 54], or \(\mathsf {GCM}\) [43]. The CAESAR competition [1] for authenticated encryption, started in 2014, recently put this research topic in the limelight. Various AE schemes were proposed, from purely ad-hoc designs to (tweakable) block cipher operating modes.
Nonce-Misuse Resistance. Since most symmetric-key primitives (in particular block ciphers) from which AE schemes are built are deterministic, a random IV or a nonce (i.e., a value which must never be repeated for the same secret key) is a necessary ingredient for achieving strong security goals. Failing to ensure the corresponding requirement (high entropy for an IV, non-repetition for a nonce) can have dramatic consequences for security. For example, reusing a nonce just a single time for encrypting two messages in \(\mathsf {OCB}\) completely breaks confidentiality: an attacker can immediately detect repeated message blocks since the corresponding ciphertext blocks will be equal. The non-repeating requirement on the nonce can be challenging to fulfill in some contexts, for example when encryption is implemented in a stateless device.Footnote 1 It is likely (and it has happened before) that some implementations will, e.g., simply generate nonces at random, “hoping” that no collision will occur. For that reason, a recent trend in AE has been to design schemes achieving nonce-misuse resistance, which informally means that the impact on security of a nonce repetition should be as limited as possible. This goal was first put forward by Rogaway and Shrimpton [55], who formalized the notion of misuse-resistant AE (MRAE). For a scheme enjoying this property, authenticity is not harmed by nonce repetitions, while confidentiality is only damaged insofar as the adversary can detect whether the same triple of nonce, AD and message values is repeated. Example of schemes achieving this security notion are \(\mathsf {EAX}\) [12], \(\mathsf {SIV}\) [55], \(\mathsf {AEZ}\) [26], or \(\mathsf {GCM}\)-\(\mathsf {SIV}\) [25]. Because the MRAE notion cannot be achieved for an online scheme (since each bit of the ciphertext must depend on every bit of the plaintext), Fleischmann et al. [21] proposed a relaxation of the MRAE notion called online AE (OAE), which can be achieved with a single pass on the input. Examples of schemes ensuring this security property are \(\mathsf {McOE}\) [21], \(\mathsf {COPA}\) [5], or \(\mathsf {POET}\) [2]. However, the interest in the OAE notion has been recently reduced by some serious security concerns, notably the so-called chosen-prefix/secret-suffix (CPSS) generic attack [27], that shares some similarities with the BEAST attack [18].
Birthday and Beyond-Birthday Security. Another important shortcoming of most AE operating modes is that they provide only birthday-bound security with respect to the block length of the underlying primitive. Since virtually all existing block ciphers have block length at most 128 bits (in particular the current block cipher standard \(\mathsf {AES}\)), this means that security is lost at \(2^{64}\) block cipher calls at best, which is low given modern security requirements (for 64-bit block ciphers, the situation is even more problematic). Moreover, this is rarely a problem with the tightness of the security proof: attacks matching the bound are often known. For example, Ferguson [19] described a simple collision-based attack on \(\mathsf {OCB}\) that breaks authenticity with \(2^{64}\) blocks of messages. Recently, some AE schemes providing security beyond the birthday bound (BBB) were proposed [28, 29], but they usually come at an expensive performance price. One could argue that using a double-block-length block cipher would provide the expected security, but this solution comes with an important efficiency penalty (as can be seen in generic double-block-length block cipher constructions) and would be highly problematic for hardware implementations where internal state size is a major contribution to the total area cost.
AE from Tweakable Block Ciphers. Compared with a conventional block cipher, a tweakable block cipher (TBC) \(\widetilde{E}\) takes an additional input called a tweak bringing inherent variability to the primitive (equivalently, a TBC can be seen as a family of block ciphers indexed by the tweak). In the same paper that formalized the corresponding security notion [41], it was pointed out that a TBC was a very convenient starting point for building various schemes. In particular, for AE schemes, two prominent examples are the sibling modes \(\mathsf {TAE}\) [41] and \(\mathsf {\Theta CB}\) [38] (the TBC-based generalization of \(\mathsf {OCB}\)). They have “perfect” security in the sense that, when used with an ideal TBC, the advantage of any adversary is zero against confidentiality and close to \(2^{-\tau }\) against authenticity, where \(\tau \) is the tag length. However, as already pointed out, a weakness of both \(\mathsf {TAE}\) and \(\mathsf {\Theta CB}\) (even when used with an ideal TBC) is that their security completely collapses as soon as a nonce is repeated. As a matter of fact, existing AE schemes built from an ideal TBC either ensure perfect security in the nonce-respecting scenario only (like \(\mathsf {TAE}\) or \(\mathsf {\Theta CB}\)), or fulfill the weak OAE notion only (e.g. \(\mathsf {COPA}\), once recast to use an ideal TBC), or ensure MRAE-security but only up to the birthday bound, even if nonces are not repeated (like \(\mathsf {AEZ}\)). The \(\mathsf {PIV}\) construction by Shrimpton and Terashima [58] allows to construct a variable-input-length TBC with BBB-security, which in turn allows to construct (via the Encode-then-Encipher method) an AEAD scheme with BBB-security against nonce-respecting adversaries and birthday-bound security against nonce-misusing ones. However, \(\mathsf {PIV}\) requires as a building block a fixed-input-length TBC with variable tweak length (comparable to the maximal input length of the \(\mathsf {PIV}\) construction), which in turn requires to appeal to universal hash functions with key length comparable to the maximal tweak length. Hence, the resulting AEAD scheme must use very large keys to ensure BBB-security for large messages. As of today, there is no AEAD scheme based on a fixed-tweak-length TBC that ensures both BBB-security in the nonce-respecting scenario and (at least) birthday-bound security in the nonce-misuse scenario. Yet this seems a very desirable goal since such a scheme would at the same time yield very high (BBB) security guarantees in the nominal, nonce-respecting use case and retain acceptable (birthday-bound) security when inadvertently misused.
Our Contributions. In this paper, we propose the \(\mathsf {SCT}\) (Synthetic Counter-in-Tweak) nonce-based AE mode for tweakable block ciphers and prove that it ensures BBB-security in the nonce-respecting scenario, and birthday-bound security in the nonce-misuse scenario (in the strong MRAE sense [55]). More precisely, for the nonce-respecting case, when using a ideal TBC with block length n and “effective” tweak lengthFootnote 2 w, \(\mathsf {SCT}\) is secure up to roughly \(2^n\) TBC calls when \(w\ge n\), and up to roughly \(2^{(n+w)/2}\) TBC calls when \(w\le n\), which is always larger than \(2^{n/2}\). The \(\mathsf {SCT}\) mode requires two passes (as is inevitable for MRAE-security), but it is simple, parallelizable, it requires the encryption direction only, it is particularly efficient for small messages compared to other nonce-misuse resistant schemes (no precomputation is required) and it allows incremental update of associated data.
With respect to how authentication and encryption are combined, our design draws inspiration from the \(\mathsf {SIV}\) generic composition method [55]: the nonce N, the associated data A, and the message M are first input to a keyed function \(F_{K}\), yielding an pseudorandom initial value IV, which will serve as authentication tag. The message is then encrypted, using the generated IV and the nonce N (see Fig. 4). This “recycling” of the nonce in the encryption part of the mode is what makes our high-level construction (called \(\mathsf {NSIV}\)) crucially different from \(\mathsf {SIV}\) and allows to reach BBB-security in the nonce-respecting case.Footnote 3
It remains to instantiate the two components of the \(\mathsf {NSIV}\) construction, the keyed function \(F_K\) and the encryption scheme. Since we aim at BBB-security in the nonce-respecting case, a natural starting point for \(F_K\) is the Wegman-Carter paradigm [14, 56, 60]. Hence, we propose a nonce-based MAC mode called \(\mathsf {PWC}\) (Parallel Wegman-Carter) which combines a xor-universal hash function inspired from \(\mathsf {PMAC}\) [13, 52] applied to the AD and the message, and a simple pseudorandom function applied to the nonce. In order to achieve nonce-misuse resistance (which in general Wegman-Carter MACs do not provide), we add an additional encryption layer, which results in the \(\mathsf {EPWC}\) (Encrypted PWC) mode.
The real challenge lies in designing an encryption scheme which is BBB-secure in the nonce-respecting case. Since on one hand it seems hard to leverage on the non-repeating property of the nonce without actually giving the nonce as input to the encryption mode, and on the other hand we need to make use in some way of the pseudorandom IV computed from \(F_K\),Footnote 4 it appears that what we need to design is actually a combined nonce- and IV-based encryption scheme (nivE scheme for short). To the best of our knowledge, this notion has never appeared before, and we introduce it in this paper. The encryption mode that we propose, called \(\mathsf {CTRT}\) (CounTeR in Tweak), is a counter-like mode with the unusual property that the counter is applied on the tweak input of the underlying TBC rather than on the plaintext input, where the nonce comes in. The combination of \(\mathsf {EPWC}\) and \(\mathsf {CTRT}\) through the \(\mathsf {NSIV}\) construction (the IV generated by \(\mathsf {EPWC}\) being used as initial counter in \(\mathsf {CTRT}\)) yields the \(\mathsf {SCT}\) mode, illustrated in Fig. 1.
For completeness, we also describe in the full version of this paper [50] the \(\mathsf {CTPWC}\) (\(\mathsf {CTRT}\) -then- \(\mathsf {PWC}\)) mode, an online nonce-based AE scheme which combines in an “encrypt-then-MAC” manner a slight variant of the \(\mathsf {CTRT}\) encryption mode and the \(\mathsf {PWC}\) authentication mode. The security guarantees provided by \(\mathsf {CTPWC}\) are similar to those of \(\mathsf {\Theta CB}\), but it is roughly twice less efficient, so that we do not claim that it is of particularly high interest. One small advantage that we see for this mode compared with \(\mathsf {\Theta CB}\) is that the nonce length can be as large as the block length of the underlying TBC, whereas for \(\mathsf {\Theta CB}\) the sum of the nonce length and of the maximal length of encrypted messages must be less than the tweak length of the underlying tweakable block cipher, which might be restrictive in some settings (e.g., for \(\textsf {KIASU-BC}\) [32]). It might also escape the patent issues which hindered the adoption of \(\mathsf {OCB}\).
Instantiating the TBC. As just discussed, our new AE modes offer BBB-security (in the nonce-respecting case) when used with an ideal TBC. If one aims at leveraging this security level in the real world, one must instantiate the TBC with care. Most existing TBCs are built from conventional block ciphers in a generic way, the prominent example being the \(\mathsf {XE}\)/\(\mathsf {XEX}\) construction [52] which only ensures security up to the birthday bound. Hence, using \(\mathsf {XE}\)/\(\mathsf {XEX}\) in our schemes would in a sense waste their nice security promises.Footnote 5 To remedy this problem, one can use either generic TBC constructions with BBB-security [39, 40, 44, 45] (but they are often inefficient or provably secure in the ideal cipher model only), or ad-hoc TBC designs without known weaknesses. The second option was chosen for a number of CAESAR candidates [24, 30–32]. In fact, the \(\mathsf {SCT}\) mode was explicitly designed as a replacement to the \(\mathsf {COPA}\) mode used in versions 1.1 and 1.2 of CAESAR candidates \(\textsf {Deoxys}\) [30] (128-bit blocks, 128-bit tweaks) and \(\textsf {Joltik}\) [31] (64-bit blocks, 64-bit tweaks).Footnote 6 We refer to the submission documents of these two candidates for a detailed report on implementation results, which are quite competitive. Other potential candidates for instantiating the \(\mathsf {SCT}\) mode are \(\textsf {Scream}\) [24] and \(\textsf {Threefish}\), the TBC on which the hash function \(\textsf {Skein}\) [20] is based. There is currently a shift towards designing dedicated TBCs achieving higher security and efficiency than generic BC-based constructions, and we hope to see more and more TBC proposals that could be used with \(\mathsf {SCT}\).
Open Problems and Future Work. The \(\mathsf {CTRT}\) encryption scheme has the notable feature that its security degrades gracefully with the maximal number of repetitions of nonces: when the nonce repetitions are limited, security remains close to the security bound in the nonce-respecting case. In contrast, the security of the \(\mathsf {EPWC}\) authentication mode (and more generally of any encrypted Wegman-Carter MAC) falls back to birthday bound as soon as the adversary can repeat one single nonce twice (see Remark 2 in Sect. 5). It remains a pending question to modify \(\mathsf {EPWC}\) so that it provides graceful security degradation with the maximal number of nonce repetitions as well. This would make the resulting AE scheme a good candidate for high security in both nonce-respecting and nonce-misuse models for most practical scenarios. Another challenging open problem would be to construct an AE scheme which remains BBB-secure even when nonces are arbitrarily repeated. The main difficulty is to build a deterministic, stateless, BBB-secure MAC, which is known to be notably hard [17, 62]. Another possible direction for future work would be to design a mode similar to \(\mathsf {SCT}\) using only one pass and achieving online nonce-misuse resistance in the OAE sense [21]. Such a feature would allow users to smoothly choose the best security achievable, depending on whether two passes can be tolerated or not by the application. Finally, it would be interesting to analyze how to strengthen \(\mathsf {SCT}\) against other misuse scenarios such as release of unverified plaintext [4], and to study how its security is affected by tag truncation [26].
Organization. In Sect. 2 we provide a high-level description of the various possibilities that we considered for constructing a BBB-secure nivE scheme. After introducing the notation and standard security notions in Sect. 3, we describe the \(\mathsf {CTRT}\) encryption scheme and prove its security in Sect. 4, while we describe the \(\mathsf {PWC}\) and \(\mathsf {EPWC}\) nonce-based MAC schemes and prove their security in Sect. 5. Finally, we explain how to combine \(\mathsf {CTRT}\) and \(\mathsf {EPWC}\) using the \(\mathsf {NSIV}\) construction to build the nonce-based AE mode \(\mathsf {SCT}\) and prove its security in Sect. 6.
2 Counter-in-Tweak for Beyond-Birthday Security
As motivated in introduction, our goal is to design a simple TBC-based AE scheme that provides BBB-security in the nonce-respecting setting and (at least) birthday-bound MRAE-security. As already mentioned, an encrypted Wegman-Carter MAC solves the problem for the authentication part, so that we focus here on encryption. Hence, our problem is as follows: given a nonce and a synthetic IV generated pseudorandomly from the nonce, the AD and the message, how do we use them to encrypt the message with BBB-security? We give a quick overview of the various constructions that we considered and why, except the \(\mathsf {CTRT}\) encryption mode we propose, they fail or are unsatisfactory.
A natural direction to explore is to start from a scheme providing BBB-security for non-repeating nonces, such as \(\mathsf {TAE}\) [41] or \(\mathsf {\Theta CB}\) [38], which are similar with regard to encryption: it simply consists in a “tweakable” codebook mode, the tweak holding the nonce and a message block counter. This is obviously not nonce-misuse resistant: repeating the nonce a single time will lead to a complete break of confidentiality since a constant message block leads to a constant ciphertext block. One could incorporate the IV by simply concatenating it to the nonce and the counter to form the tweak. However, this would require a TBC with larger tweak, which is usually very costly to achieve.Footnote 7 Rather than concatenating the nonce and the IV, one could try to combine them into a single shorter string S, but this would presumably result in birthday security even in the nonce-respecting scenario (since a collision on S would directly break confidentiality). Hence, a codebook encryption mode does not seem to be a very convenient starting point.
For this reason, we preferred to consider a counter mode (note that this was the encryption mode favored by Rogaway and Shrimpton to instantiate the SIV composition method [55]). The question now is: how do we feed the nonce, the IV, and the i-th counter to the TBC in order to create the mask that will be xored to the i-th message block? We considered several possibilities (we do not claim this to be exhaustive):
-
(a)
One can put the nonce in the tweak input, and the sum of the IV and the counter in the plaintext input. The problem is that confidentiality caps at birthday bound even in the nonce-respecting scenario: the adversary can query the encryption of a single message with \(2^{n/2}\) equal blocks, and observe that no collision occurs in the corresponding ciphertext blocks (since the nonce is fixed and all TBC calls use the same tweak), which will distinguish the ciphertext from a random string (for which a collision would be expected).
-
(b)
One can concatenate the nonce and the counter in the tweak input, and use the IV for the plaintext input. Since the tweak is different for each message block position, this solves the issue of the previous solution. We conjecture that this mode meets our security objectives, but an important drawback is that a larger tweak length is required and, as mentioned before, this is very costly.
-
(c)
One can put the sum of the nonce and the counter in the tweak input (instead of concatenating them) and the IV in the plaintext input. This mode might meet our security objectives, however the adversary can very easily provoke collisions on tweak inputs even in the nonce-respecting scenario, which might complicate the proof of BBB-security. Another drawback is that in the nonce-misuse scenario, a collision on the IV immediately breaks confidentiality, which dashes any hope for BBB nonce-misuse resistance. Note that one could imagine variants where the nonce and the IV are first encrypted before being used, but it is not clear if this would prevent the issues just mentioned and this would presumably make the security proof quite complex.
-
(d)
Finally, one can put the sum of the IV and the counter in the tweak input and the nonce in the plaintext input, which is exactly the \(\mathsf {CTRT}\) mode. We will prove in Sect. 4 that it meets our security goal. The first idea is that the counter in the tweak input ensures that all the calls to the internal TBC will use different tweaks for one single message query, so that the ciphertext looks uniformly random in that case. Thus, the adversary has to query several messages with different nonce values and hope that many collisions will occur between tweak inputs in order to observe a divergence from uniformity in the ciphertexts. However, these collisions are hard to control since they depend on the pseudorandom IV (in contrast with other modes discussed above, where the tweak input can be easily controlled by the adversary). We will show in Sect. 4, using a “balls-into-bins" analysis, that the number of tweak collisions remains small, so that the distribution of the ciphertexts remains close to uniform. Moreover, the nonce-misuse scenario helps the adversary only if it can repeat the same nonce a very high number of times until a collision happens on the tweaks, so that the security of the \(\mathsf {CTRT}\) mode degrades gracefully with the maximal number of nonce repetitions.
3 Preliminaries
Notation. Given a string \(X\in \{0,1\}^*\), |X| denotes its length. If X and Y are respectively n-bit and m-bit strings, \(n<m\), then \(X\oplus Y\) denotes the n-bit string obtained by xoring X with the n leftmost bits of Y. Given some implicit length n and a bit-string X of length \(1\le |X| < n\), we denote \(X10^*\) the string obtained by appending a single 1 and \((n-|X|-1)\) 0’s to X. Given two sets \(\mathcal {X}\) and \(\mathcal {Y}\), the set of all functions from \(\mathcal {X}\) to \(\mathcal {Y}\) is denoted \(\mathsf {Func}(\mathcal {X},\mathcal {Y})\). A function \(F\in \mathsf {Func}(\mathcal {X},\mathcal {Y})\) is said regular if all \(Y\in \mathcal {Y}\) have the same number of preimages by F (this obviously requires \(|\mathcal {X}|\) to be a multiple of \(|\mathcal {Y}|\)).
Tweakable Block Ciphers. A tweakable block cipher (TBC) with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and domain \(\mathcal {X}\) is a mapping \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {X}\rightarrow \mathcal {X}\) such that for any key \(K\in \mathcal {K}\) and any tweak \(T\in \mathcal {T}\), \(X\mapsto \widetilde{E}(K,T,X)\) is a permutation of \(\mathcal {X}\). We often write \(\widetilde{E}_K(T,X)\) or \(\widetilde{E}_K^T(X)\) in place of \(\widetilde{E}(K,T,X)\). We denote \(\mathsf {TBC}(\mathcal {K},\mathcal {T},\mathcal {X})\) the set of all tweakable block ciphers with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and domain \(\mathcal {X}\). A tweakable permutation with tweak space \(\mathcal {T}\) and domain \(\mathcal {X}\) is a mapping \(\widetilde{P}: \mathcal {T}\times \mathcal {X}\rightarrow \mathcal {X}\) such that for any tweak \(T\in \mathcal {T}\), \(X\mapsto \widetilde{P}(T,X)\) is a permutation of \(\mathcal {X}\). We often write \(\widetilde{P}^T(X)\) in place of \(\widetilde{P}(T,X)\). We denote \(\mathsf {TP}(\mathcal {T},\mathcal {X})\) the set of all tweakable permutations with tweak space \(\mathcal {T}\) and domain \(\mathcal {X}\). The security of a TBC is defined as follows.
Definition 1
(TPRP Security). Let \(\widetilde{E}\in \mathsf {TBC}(\mathcal {K},\mathcal {T},\mathcal {X})\) and \(\mathsf {A}\) be an adversary with oracle access to a tweakable permutation with tweak space \(\mathcal {T}\) and domain \(\mathcal {X}\). The advantage of \(\mathsf {A}\) in breaking the TPRP-security of \(\widetilde{E}\) is defined as
Note that we do not need the strongest “two-sided” version of TPRP-security (where the adversary also has access to a decryption oracle) since all constructions considered in this paper only use the forward (encryption) direction of the underlying TBC.
Tweak Separation. Let \(\widetilde{E}\) be a TBC with tweak space of the form \(\mathcal {T}'=\mathcal {I}\times \mathcal {T}\) for some subset \(\mathcal {I}\subset \mathbb {N}\) and some set \(\mathcal {T}\). We call \(\mathcal {T}\) the effective tweak space of \(\widetilde{E}\). Then, for \(i\in \mathcal {I}\), we denote \(\widetilde{E}^i\) the tweakable block cipher with the same key and message spaces as \(\widetilde{E}\) and tweak space \(\mathcal {T}\) defined by
By the same convention as before, we write \(\widetilde{E}^i_K(T,X)\) or \(\widetilde{E}^{i,T}_K(X)\) for \(\widetilde{E}^i(K,T,X)\). Clearly, when \(\widetilde{E}\) is an ideal TBC drawn uniformly at random from \(\mathsf {TBC}(\mathcal {K},\mathcal {T}',\mathcal {M})\), then each \(\widetilde{E}^i\) is an independent ideal TBC drawn uniformly at random from \(\mathsf {TBC}(\mathcal {K},\mathcal {T},\mathcal {M})\). Given a bit-string X of length \(1\le |X|\le n\), we compactly write
to mean \(\widetilde{E}^i(K,T,X)\) when \(|X|=n\) and \(\widetilde{E}^j(K,T,X10^*)\) when \(|X|<n\).
Standard Security Notions. We give the security definitions of a nonce-based PRF, a nonce-based MAC, and a nonce-based Authenticated Encryption scheme. All these are standard, except maybe the nonce-based PRF notion which is a straightforward adaptation of the classical definition of a PRF to the nonce-based setting. Our definition of the security of a MAC is indistinguishability-based (which will be more convenient later), but it is easy to see that it is equivalent to the more conventional unforgeability-based definition. In the following, a nonce-based keyed function is a function \(F:\mathcal {K}\times \mathcal {N}\times \mathcal {D}\rightarrow \mathcal {Y}\), where \(\mathcal {K}\) is the key space, \(\mathcal {N}\) the nonce space, \(\mathcal {D}\) the domain and \(\mathcal {Y}\) the range.
Definition 2
(Nonce-Based PRF). Let \(F:\mathcal {K}\times \mathcal {N}\times \mathcal {D}\rightarrow \mathcal {Y}\) be a nonce-based keyed function, and let us write \(F_K(N,D)\) for F(K, N, D). Let \(\mathsf {A}\) be an adversary with oracle access to a function from \(\mathcal {N}\times \mathcal {D}\) to \(\mathcal {Y}\). The advantage of \(\mathsf {A}\) against the PRF-security of F is defined as
The adversary is said nonce-respecting if it never repeats a nonce \(N\in \mathcal {N}\) in its oracle queries. In that case, we denote its advantage \( \mathbf{Adv }^{\mathrm {nPRF}}_{F}(\mathsf {A})\).
Definition 3
(Nonce-Based MAC). Let F be as in Definition 2. Let \(\mathsf {B}\) be an adversary with oracle access to two oracles, the first oracle being a function from \(\mathcal {N}\times \mathcal {D}\) to \(\mathcal {Y}\), the second oracle with inputs in \(\mathcal {N}\times \mathcal {D}\times \mathcal {Y}\) and outputs in \(\{1,\bot \}\). The advantage of \(\mathsf {B}\) against the MAC-security of F is defined as
where \(\mathsf {Ver}_K\) is an oracle which takes as input a triple \((N,D,\mathsf {tag})\in \mathcal {N}\times \mathcal {D}\times \mathcal {Y}\) and returns 1 if \(F_K(N,D)=\mathsf {tag}\), and \(\bot \) otherwise, and \(\mathsf {Rej}\) is an oracle which always returns \(\bot \). The adversary is not allowed to ask a verification query \((N,D,\mathsf {tag})\) if a previous query (N, D) to \(F_K\) returned \(\mathsf {tag}\). The adversary is said nonce-respecting if it never repeats a nonce \(N\in \mathcal {N}\) in its queries to the first oracle \(F_K\). In that case, we denote its advantage \( \mathbf{Adv }^{\mathrm {nMAC}}_{F}(\mathsf {B})\).
Note that in the general case where the adversary is allowed to repeat nonces, F can be seen as a standard (i.e., not nonce-based) keyed function with domain \(\mathcal {N}\times \mathcal {D}\), in which case one recovers the standard definitions of a PRF and a MAC (hence our notation of the advantage when the adversary is unrestricted w.r.t. nonces). While it is a well-known fact that if F is a secure PRF, then it is a secure MAC [9, 23], we stress that this is not true for the nonce-based variants of the two notions, which are in fact incomparable.Footnote 8
We then give the definition of a nonce-based Authenticated Encryption (nAE) scheme (with associated data), for which we first recall the syntax. Let \(\mathcal {K}\), \(\mathcal {N}\), \(\mathcal {A}\), and \(\mathcal {M}\) be non-empty sets. A nAE scheme is a tuple \(\varPi =(\mathcal {K},\mathcal {N},\mathcal {A},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\), where \(\mathsf {Enc}\) and \(\mathsf {Dec}\) are deterministic algorithms. The encryption algorithm \(\mathsf {Enc}\) takes as input a key \(K\in \mathcal {K}\), a nonce \(N \in \mathcal {N}\), associated data \(A\in \mathcal {A}\), and a message \(M\in \mathcal {M}\), and outputs a binary string \(C\in \{0,1\}^*\) (we assume that \(\mathsf {Enc}\) returns \(\bot \) if one of the inputs is not in the intended set). The decryption algorithm \(\mathsf {Dec}\) takes as input a key \(K\in \mathcal {K}\), a nonce \(N\in \mathcal {N}\), associated data \(A\in \mathcal {A}\), and a binary string \(C\in \{0,1\}^*\), and outputs either a message \(M\in \mathcal {M}\), or a special symbol \(\bot \). We require that \(\mathsf {Dec}(K,N,A,\mathsf {Enc}(K,N,A,M))=M\) for all tuples \((K,N,A,M)\in \mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {M}\). We write \(\mathsf {Enc}_K(N,A,M)\) for \(\mathsf {Enc}(K,N,A,M)\) and \(\mathsf {Dec}_K(N,A,C)\) for \(\mathsf {Dec}(K,N,A,C)\).
Definition 4
(Nonce-Based AE). Let \(\varPi =(\mathcal {K},\mathcal {N},\mathcal {A},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\) be a nAE scheme. The advantage of an adversary \(\mathsf {A}\) in breaking \(\varPi \) is defined as
where \(\mathsf {Rand}\) is an oracle which on input \((N,A,M)\in \mathcal {N}\times \mathcal {A}\times \mathcal {M}\) outputs a randomFootnote 9 string of length \(|\varPi .\mathsf {Enc}_K(N,A,M)|\) and \(\mathsf {Rej}\) is an oracle which always outputs \(\bot \). The adversary is not allowed to make a decryption query (N, A, C) if a previous encryption query (N, A, M) returned C. The adversary is said nonce-respecting if it never repeats a nonce \(N\in \mathcal {N}\) in its encryption queries, in which case we denote its advantage \( \mathbf{Adv }^{\mathrm {nAE}}_\varPi (\mathsf {A})\).
Note that in the general case where the adversary is allowed to repeat nonces, \(\varPi \) can be seen as a deterministic AE scheme [55] with header space (in the terms of [55]) \(\mathcal {N}\times \mathcal {A}\), so that one exactly recovers the definition of the MRAE notion of Rogaway and Shrimpton [55] (which we simply abbreviate to AE here).
Adversary Characteristics. In all the paper, given some implicit parameter n, a \((q,m,\ell ,\sigma ,t)\)-adversary against a nonce-based scheme is an adversary:
-
which makes at most q oracle queries; when the adversary has access to two oracles (i.e., when attacking the MAC-security of a keyed function or a nAE scheme), this means q queries in total to both oracles;
-
which uses any nonce at most m times throughout its queries (\(m=1\) for a nonce-respecting adversary); when the adversary has access to two oracles, this only applies to queries to its first oracle (MAC or encryption oracle);
-
such that the length of any of its queries (nonce excluded) is at most \(\ell \) blocks of n bits; for a keyed function with domain \(\mathcal {D}=\mathcal {A}\times \mathcal {M}\) or a nAE scheme, this means that both the AD length and the message length of any query is at most \(\ell \) blocks of n bits;
-
such that the total length of all its queries (nonce excluded) is at most \(\sigma \) blocks of n bits; for a keyed function with domain \(\mathcal {D}=\mathcal {A}\times \mathcal {M}\) or a nAE scheme, this means the sum of the AD and the message length over all queries;
-
which runs in time at most t.
4 The CTRT Encryption Mode
4.1 Syntax and Security of nivE Schemes
Most existing encryption schemes are either nonce-based [53] or IV-based [7], i.e., they employ an externally provided value which either should not repeat (nonce), or should be selected uniformly at random (IV). (See also [46]). Here, we introduce the notion of combined nonce- and IV-based encryption scheme (nivE for short).
Syntactically, a nivE scheme is a tuple \(\varPi =(\mathcal {K},\mathcal {N},\mathcal {IV},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\) where \(\mathcal {K}\), \(\mathcal {N}\), \(\mathcal {IV}\) and \(\mathcal {M}\) are non-empty sets and \(\mathsf {Enc}\) and \(\mathsf {Dec}\) are deterministic algorithms. The encryption algorithm \(\mathsf {Enc}\) takes as input a key \(K\in \mathcal {K}\), a nonce \(N \in \mathcal {N}\), an initial value \(IV\in \mathcal {IV}\), and a message \(M\in \mathcal {M}\), and outputs a binary string \(C\in \{0,1\}^*\) (we assume that \(\mathsf {Enc}\) returns \(\bot \) if one of the inputs is not in the intended set). The decryption algorithm \(\mathsf {Dec}\) takes as input a key \(K\in \mathcal {K}\), a nonce \(N\in \mathcal {N}\), an initial value \(IV\in \mathcal {IV}\), and a binary string \(C\in \{0,1\}^*\), and outputs either a message \(M\in \mathcal {M}\), or a special symbol \(\bot \). We require that
for all tuples \((K,N,IV,M)\in \mathcal {K}\times \mathcal {N}\times \mathcal {IV}\times \mathcal {M}\).
We denote \(\mathsf {Enc}^{\$}\) the probabilistic algorithm which takes as input \((K,N,M)\in \mathcal {K}\times \mathcal {N}\times \mathcal {M}\), internally generates a uniformly random \(IV\leftarrow _{\$}\mathcal {IV}\), computes \(C=\mathsf {Enc}(K,N,IV,M)\), and outputs \((IV,C)\in \mathcal {IV}\times \{0,1\}^*\). We write \(\mathsf {Enc}_K(N,IV,M)\) for \(\mathsf {Enc}(K,N,IV,M)\) and \(\mathsf {Enc}^{\$}_K(N,M)\) for \(\mathsf {Enc}^{\$}(K,N,M)\). The security of a nivE scheme is defined as follows.
Definition 5
(Security of a nivE Scheme). Let \(\varPi =(\mathcal {K},\mathcal {N},\mathcal {IV},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\) be a nivE scheme. The advantage of an adversary \(\mathsf {A}\) in breaking \(\varPi \) is defined as
where \(\mathsf {Rand}\) is an oracle which on input \((N,M)\in \mathcal {N}\times \mathcal {M}\) outputs a random string of length \(|\varPi .\mathsf {Enc}^{\$}_K(N,M)|\). The adversary is said nonce-respecting if it never repeats a nonce \(N\in \mathcal {N}\) in its oracle queries, in which case we denote its advantage \( \mathbf{Adv }^{\mathrm {nivE}}_\varPi (\mathsf {A})\).
Note that when the adversary is allowed to repeat nonces, \(\varPi \) can be seen as a family of purely IV-based encryption (ivE) schemes [46] indexed by the nonce space \(\mathcal {N}\), hence our notation of the advantage in that case.
4.2 Definition and Analysis of the CTRT Mode
We now define the \(\mathsf {CTRT}\) (CounTeR in Tweak) mode, turning a tweakable block cipher into a nivE scheme. Let \(\mathcal {K}\) and \(\mathcal {T}\) be non-empty sets, and let \(\widetilde{E}\in \mathsf {TBC}(\mathcal {K},\mathcal {T}',\mathcal {X})\) be a tweakable block cipher with key space \(\mathcal {K}\), tweak spaceFootnote 10 \(\mathcal {T}'=\{1\}\times \mathcal {T}\), and domain \(\mathcal {X}=\{0,1\}^n\). Let \(\mathsf {Inc}\) be a cyclic permutation of \(\mathcal {T}\). We construct from \(\widetilde{E}\) a nivE scheme \(\mathsf {CTRT}[\widetilde{E}]\) with key space \(\mathcal {K}\), nonce space \(\mathcal {N}=\mathcal {X}=\{0,1\}^n\), IV space \(\mathcal {IV}=\mathcal {T}\), and message space \(\mathcal {M}=\{0,1\}^*\) as defined in Fig. 2 and illustrated on bottom of Fig. 1.
The security of \(\mathsf {CTRT}\) is captured by Theorem 1 below. Logarithms are in base 2 and \(t_{\mathsf {CTRT}}(\sigma )\) is an upper bound on the time needed for computing \(\mathsf {CTRT}[\widetilde{E}].\mathsf {Enc}_K\) on inputs of total message length at most \(\sigma \) blocks of n bits when calls to \(\widetilde{E}_K\) cost unit time.
Theorem 1
(Security of CTRT). Let \(\widetilde{E}\in \mathsf {TBC}(\mathcal {K},\mathcal {T}',\mathcal {X})\) with \(\mathcal {X}=\{0,1\}^n\), \(\mathcal {T}'=\{1\}\times \mathcal {T}\), and \(|\mathcal {T}|\ge 8\). Let \(\mathsf {A}\) be a \((q,m,\ell ,\sigma ,t)\)-adversary against \(\mathsf {CTRT}[\widetilde{E}]\) with \(\ell \le |\mathcal {T}|\). Then there exists an adversary \(\mathsf {A}'\) against the TPRP-security of \(\widetilde{E}\), making at most \(\sigma \) oracle queries and running in time at most \(t+t_{\mathsf {CTRT}}(\sigma )\), such that
where
In particular, if \(\mathsf {A}\) is nonce-respecting (\(m=1\)), one has
Before proceeding to the proof, we comment the security bound of this theorem. Consider first the case of a nonce-respecting adversary \(\mathsf {A}\). Assuming \(|\mathcal {T}|\ge |\mathcal {X}|\), then \(\mathsf {A}\) must makes queries of total message length \(\sigma \) blocks of n bits with \(\sigma \) close to \(|\mathcal {X}|=2^n\) (neglecting logarithmic factors) before being able to distinguish the outputs of \(\mathsf {CTRT}[\widetilde{E}]\) from random.Footnote 11 On the other hand, if \(|\mathcal {T}|=2^w<|\mathcal {X}|\), then \(\mathsf {CTRT}[\widetilde{E}]\) is secure up to roughly \(2^{(n+w)/2}\) TBC calls (again, neglecting logarithmic factors), which is always larger than \(2^{n/2}\). In particular, if \(w=n/2\) (as e.g. for \(\textsf {KIASU-BC}\) [32]), then security is ensured up to roughly \(2^{3n/4}\) TBC calls. In the nonce-misuse scenario, note that the additional term \(2(m-1)\sigma /|\mathcal {T}|\) remains small as long as nonces are not repeated too many times (e.g. \(m\le 100\)) and \(\sigma \ll |\mathcal {T}|\), and turns into a birthday-like term only in the extreme case where a few nonces are repeated close to \(\sigma \) times. This means that a few nonce repetitions will not hurt and that nonces must be “seriously” mishandled before security goes down to birthday bound.
Proof of Theorem 1. Fix a \((q',m,|\mathcal {T}|,\sigma ,t)\)-adversary \(\mathsf {A}\) against \(\mathsf {CTRT}[\widetilde{E}]\) (we denote \(q'\) the maximal number of adversarial queries and will later use q for the actual number of queries in a specific attack). The first part of the proof is standard, and consists in introducing an intermediate game where all calls to \(\widetilde{E}_K\) in the \(\mathsf {CTRT}\) construction are replaced by calls to a random tweakable permutation \(\widetilde{P}\). Consider the following adversary \(\mathsf {A}'\) against the TPRP-security of \(\widetilde{E}\). Let \(G\in \{\widetilde{E}_K,\widetilde{P}\}\) be the oracle to which \(\mathsf {A}'\) has access. Adversary \(\mathsf {A}'\) runs \(\mathsf {A}\), answers its encryption queries (N, M) by drawing a random IV and executing the code in Fig. 2 on input (N, IV, M), replacing calls to \(\widetilde{E}_K\) by oracle calls to G, and finally outputs the same bit as \(\mathsf {A}\). Clearly, \(\mathsf {A}'\) makes at most \(\sigma \) oracle queries and runs in time at most \(t+t_{\mathsf {CTRT}}(\sigma )\). Moreover, it is easy to see that
where
and \(\mathsf {CTRT}[\widetilde{P}]\) is a slight abuse of notation for the \(\mathsf {CTRT}\) construction based on an arbitrary tweakable permutation \(\widetilde{P}\).
Upper bounding \(\delta \) is now a purely information-theoretic problem, so that we allow \(\mathsf {A}\) to be computationally unbounded, and hence, wlog, deterministic. The adversary is now trying to distinguish between \(\mathsf {CTRT}[\widetilde{P}]\) for a random \(\widetilde{P}\) (thereafter called the “real world”) and \(\mathsf {Rand}\) (thereafter called the “ideal world”). We assume wlog that \(\mathsf {A}\) always makes queries of length a multiple of the block length n, and of total length \(\sigma \) blocks (if not, we pad all queries whose final block is incomplete with zeros for free, which can only increase the adversary’s advantage).
Following the H-coefficients method [15, 48], we summarize the interaction of \(\mathsf {A}\) with its oracle in the so-called transcript of the attack
where \((N_i,M_i)\) denotes the i-th query of the attacker and \((IV_i,C_i)\) the corresponding answer of the oracle. Furthermore, we denote \(M_i=M_{i,1}\Vert \cdots \Vert M_{i,\ell _i}\), \(C_i=C_{i,1}\Vert \cdots \Vert C_{i,\ell _i}\), where \(\ell _i\) is the number of blocks of the i-th message, and \(IV_{i,j}=\mathsf {Inc}^{j-1}(IV_i)\) the j-th counter for the i-th message, \(j=1,\ldots ,\ell _i\). Let \(\varTheta _\mathrm{re}\), resp. \(\varTheta _\mathrm{id}\), denote the distribution of the transcript in the real world, resp. ideal world. We say that a transcript \(\tau \) is \(\mathsf {A}\)-attainable (or simply attainable) if the probability to obtain \(\tau \) in the ideal world is non-zero. Note that the number of queries q and the lengths of the queries \(\ell _1,\ldots ,\ell _q\) are themselves random variables (they can vary for distinct \(\mathsf {A}\)-attainable transcripts), yet by the assumption that the attacker always asks the maximal number of allowed blocks throughout its queries, one always has \(\sum _{i=1}^q \ell _i=\sigma \).
From \(\tau \) we define for each possible tweak \(T\in \mathcal {T}\) the “load” of the tweak as
In words, L(T) is the number of times the tweak T appears as a counter when encrypting the queries of the adversary. Clearly, one has
The proof relies on the fundamental lemma of the H-coefficients technique (see e.g. [15] for the proof).
Lemma 1
Assume that the set of \(\mathsf {A}\)-attainable transcripts is partitioned into two disjoint sets \(\mathsf {GoodT}\) and \(\mathsf {BadT}\), and that there exists \(\varepsilon _1\) and \(\varepsilon _2\) such that for any \(\tau \in \mathsf {GoodT}\), one has
and \(\Pr \left[ \varTheta _\mathrm{id}\in \mathsf {BadT} \right] \le \varepsilon _2\). Then \(\delta \le \varepsilon _1+\varepsilon _2\), with \(\delta \) as defined by (2).
We say that an attainable transcript \(\tau \) is bad if one of the two following conditions are met:
-
(C-1) there exists \((i,j)\ne (i',j')\) such that \(IV_{i,j}=IV_{i',j'}\) and \(N_i = N_{i'}\);
-
(C-2) there exists \((i,j)\ne (i',j')\) such that \(IV_{i,j}=IV_{i',j'}\), \(N_i\ne N_{i'}\), and \(M_{i,j}\oplus C_{i,j}=M_{i',j'}\oplus C_{i',j'}\).
Note that condition (C-1) can only be satisfied for a nonce-misuse adversary, since (by the assumption that the length of each query is at most \(|\mathcal {T}|\) blocks of n bits so that counters do not loop) \(IV_{i,j}=IV_{i',j'}\) requires \(i\ne i'\), which implies that \(N_i\ne N_{i'}\) for a nonce-respecting adversary. Note also that the condition (C-2) can only be satisfied in the ideal world. Indeed, in the real world, \(M_{i,j}\oplus C_{i,j}=\widetilde{P}(IV_{i,j},N_i)\) and \(M_{i',j'}\oplus C_{i',j'}=\widetilde{P}(IV_{i',j'},N_{i'})\), so that if \(IV_{i,j}=IV_{i',j'}\) and \(N_i\ne N_{i'}\) one necessarily has \(M_{i,j}\oplus C_{i,j}\ne M_{i',j'}\oplus C_{i',j'}\).
We let \(\mathsf {BadT}\) be the set of bad transcripts, and \(\mathsf {GoodT}\) be the set of attainable transcripts which are not bad, henceforth called good transcripts. We first consider good transcripts.
Lemma 2
Let \(\tau \in \mathsf {GoodT}\) be a good transcript. Then
Proof
Note that a good transcript has the property that for each \((i,j)\ne (i',j')\) such that \(IV_{i,j}=IV_{i',j'}\), one has \(N_i\ne N_i'\) and \(M_{i,j}\oplus C_{i,j}\ne M_{i',j'}\oplus C_{i',j'}\). In other words, the transcript encodes a partial tweakable permutation, where for each tweak \(T\in \mathcal {T}\) there are exactly L(T) distinct values \(N_i\) mapped to some value \(M_{i,j}\oplus C_{i,j}\). The probability to obtain a good transcript \(\tau \) in the ideal and real worlds can now be easily computed. In the ideal world, since the \(IV_i\)’s and the \(C_i\)’s are uniformly random, one has
In the real world, the \(IV_i\)’s are random as well, but now the probability to obtain the \(C_i\)’s can easily be seen to be the probability that the random tweakable permutation \(\widetilde{P}\) is compatible with the partial tweakable permutation encoded by \(\tau \) [15]. Hence, one has
where \((a)_b\) denotes the falling factorial \(a(a-1)\cdots (a-b+1)\), with \((a)_0=1\) by convention. From this, we deduce that
\(\square \)
It remains to upper bound the probability to obtain a bad transcript in the ideal world. For \(i\in \{1,2\}\), let \(\mathsf {BadT}_i\) be the set of attainable transcripts satisfying condition (C-i). We first consider condition (C-1).
Lemma 3
One has
Proof
Consider two distinct queries \((N_i,M_i)\) and \((N_{i'},M_{i'})\). If the nonces are the same (\(N_i=N_{i'}\)), then the probability, over the random draw of \(IV_i\) and \(IV_{i'}\) in \(\mathcal {T}\), that there exists j and \(j'\) such that \(IV_{i,j}=IV_{i',j'}\), is \((\ell _i+\ell _{i'}-1)/|\mathcal {T}|\). If the nonces are distinct, then clearly condition (C-1) cannot be satisfied for i and \(i'\). Hence, summing over all possible nonces, we have
Fix some nonce N, and assume for notational simplicity that the first \(q'\) queries use nonce N, with \(q'\le m\) by assumption. Then the probability that condition (C-1) is met for nonce N is at most
where \(\ell (N)\) is the total length of queries using nonce N. The result follows by summing over all possible nonces, using \(\sum _{N\in \mathcal {N}}\ell (N)=\sigma \). \(\square \)
We handle condition (C-2) in the following lemma.
Lemma 4
One has
where \(L_{\max }=2\log \sigma \) when \(8\le \sigma \le |\mathcal {T}|\) and \(L_{\max }=\frac{2\sigma \log |\mathcal {T}|}{|\mathcal {T}|}\) when \(\sigma \ge |\mathcal {T}|\).
Proof
Let \(\mathsf {BadT}_3\) be the set of transcripts satisfying the following condition (\(L_{\max }\) being defined as in the statement of the lemma):
(C-3) there exists \(T\in \mathcal {T}\) such that \(L(T)\ge L_{\max }\).
Then
Note that in the ideal world, the values L(T) only depend on the random draw of the \(IV_i\)’s, and that once the L(T)’s are fixed, condition (C-2) only depends on the random draw of the \(C_{i,j}\)’s. In particular, since in the ideal world the \(C_{i,j}\)’s are uniformly random, one has
where for the third inequality we used that there are at most \(\min \{\sigma ,|\mathcal {T}|\}\) tweaks T such that \(L(T)\ge 1\).
It remains to upper bound the probability that condition (C-3) is satisfied, which can be recast as a “balls-into-bins” problem. Thinking of each tweak T as a bin, each random \(IV_i\) determines a sequence of \(\ell _i\) consecutiveFootnote 12 bins where a ball is thrown. If the attacker only made queries of length one block, then this would be a standard “balls-into-bins” problem, where each ball is thrown independently in a bin chosen uniformly at random, and we could use classical results about the maximal occupancy of any bin directly. However, the attacker can choose the length of each message at will and we need to take this into account.Footnote 13 Intuitively, for some fixed total number \(\sigma \) of balls, using messages of length \(\ell _i>1\) should lower the maximal occupancy since balls thrown in consecutive bins cannot end in the same bin. We formalize this intuition in a separate Lemma below, which implies that
The result follows. \(\square \)
The lemma below is a simple variant on the standard balls-into-bins problem. A similar result was proved in [6] (and potentially in many other papers).
Lemma 5
Consider a set of \(|\mathcal {T}|\ge 8\) bins and \(\sigma \ge 8\) balls. Fix an integer \(q\le \sigma \) and a sequence of integers \((\ell _1,\ldots ,\ell _q)\) with \(1\le \ell _i\le |\mathcal {T}|\) and \(\sum _{i=1}^q\ell _i=\sigma \). Consider the following random process: for \(i=1,\ldots ,q\), a chain of \(\ell _i\) balls is thrown in consecutive bins, the initial bin being chosen independently and uniformly at random. Then the probability that, at the end of the process, any bin contains \(L_{\max }\) balls or more, is less than \(1/|\mathcal {T}|\), where
-
(a) \(L_{\max }=2\log \sigma \) when \(\sigma \le |\mathcal {T}|\);
-
(b) \(L_{\max }=\frac{2\sigma \log |\mathcal {T}|}{|\mathcal {T}|}\) when \(\sigma \ge |\mathcal {T}|\).
Proof
See the full version of the paper [50].
Completing the Proof of Theorem 1. From Lemmas 3 and 4, we obtain by the union bound that
with \(f(\sigma )\) as in the statement of Theorem 1. Combining (4) with Lemmas 1 and 2 (taking \(\varepsilon _1=0\)), we obtain the same upper bound for \(\delta \) (defined by (2)) as for \(\Pr \left[ \varTheta _\mathrm{id}\in \mathsf {BadT} \right] \). Finally, Eq. (1) yields the result.
Variants. In the full version of the paper [50], we describe two variants of \(\mathsf {CTRT}\), a purely nonce-based one and a purely IV-based one.
5 The PWC and EPWC Message Authentication Codes
In this section, we describe two related modes for message authentication, \(\mathsf {PWC}\) (Parallel Wegman-Carter) and \(\mathsf {EPWC}\) (Encrypted PWC). Let \(\mathcal {K}\) and \(\mathcal {T}\) be two sets, and let \(\widetilde{E}\) be a tweakable block cipher with key space \(\mathcal {K}\), tweak spaceFootnote 14 \(\mathcal {T}'=\{2,\ldots ,5\}\times \mathcal {T}\), and domain \(\mathcal {X}=\{0,1\}^n\). Let \(\mathsf {Inc}\) be a cyclic permutation of \(\mathcal {T}\). From \(\widetilde{E}\), we construct two nonce-based keyed functions, \(\mathsf {PWC}[\widetilde{E}]\) and \(\mathsf {EPWC}[\widetilde{E}]\), both with key space \(\mathcal {K}\), nonce-space \(\mathcal {N}=\mathcal {X}=\{0,1\}^n\), domain \(\mathcal {D}=\mathcal {A}\times \mathcal {M}\), where \(\mathcal {A}=\mathcal {M}=\{0,1\}^*\),Footnote 15 and range \(\mathcal {Y}=\mathcal {X}=\{0,1\}^n\), as defined in Fig. 3 and illustrated on top of Fig. 1 (for \(\mathsf {PWC}\), just omit the final call to \(\widetilde{E}^{4,0}_K\)). We will prove that both \(\mathsf {PWC}[\widetilde{E}]\) and \(\mathsf {EPWC}[\widetilde{E}]\) are \(2^n\)-secure as nonce-based MAC and nonce-based PRF, and that \(\mathsf {EPWC}[\widetilde{E}]\) is moreover a birthday bound-secure PRF in the nonce-misuse scenario.
The \(\mathsf {PWC}\) construction follows the Wegman-Carter paradigm [14, 56, 60] by combining a xor-universal hash function H inspired from \(\mathsf {PMAC}\) [13, 52] applied to (A, M), and a pseudorandom function F applied to the nonce N. This pseudorandom function is constructed from \(\widetilde{E}\) by summing two independent pseudorandom permutations in order to obtain security beyond the birthday bound [42]. The \(\mathsf {EPWC}\) construction is simply \(\mathsf {PWC}\) with an additional layer of encryption to provide nonce-misuse resistance.
Before stating and proving the security results for \(\mathsf {(E)PWC}\), we focus on how to obtain the BBB-secure pseudorandom function F from \(\widetilde{E}\). A straightforward way would be to “put the nonce in the tweak”, e.g.,
This would result in a uniformly random value for each new nonce, but this is only possible when the intended nonce space is smaller than the effective tweak space \(\mathcal {T}\) of \(\widetilde{E}\). In order to allow the nonce length to be as large as the block length of \(\widetilde{E}\), we use instead the “sum-of-PRPs” construction by defining (the exact tweak prefixes are unimportant)
The pseudorandomness of this construction has been well studied. Assuming that \(\widetilde{E}^{2,0}_K\) and \(\widetilde{E}^{2,1}_K\) are perfectly random and independent permutations, Lucks [42, Theorem 5] showed that an information-theoretic adversary trying to distinguish \(F_K\) from a random function \(\rho :\{0,1\}^n\rightarrow \{0,1\}^n\) within q queries has an advantage upper bounded by \(q^3/2^{2n-1}\) (see also [16]). Better bounds were proposed in three different papers: Bellare and Impagliazzo [8] proved that the advantage is upper bounded by \(\mathcal {O}(n)(q/2^n)^{1.5}\), while Patarin proved in two different ways [47, 49] an upper bound \(\mathcal {O}(q/2^n)\). However, in all three cases the exact \(\mathcal {O}(\cdot )\) function was left unspecified and the upper bound was not explicitly worked out. For the sake of concreteness, we propose the following optimistic conjecture.
Conjecture 1
There is an absolute constant C such the advantage of any adversary trying to distinguish the sum of two independent random permutations of \(\mathcal {X}\) from a random function from \(\mathcal {X}\) to \(\mathcal {X}\) within q queries is at most \(Cq/|\mathcal {X}|\).
The security of \(\mathsf {PWC}\) and \(\mathsf {EPWC}\) is captured by Theorems 2 and 3 below. We denote by \(t_{\mathsf {PWC}}(\sigma )\), resp. \(t_{\mathsf {EPWC}}(\sigma )\), an upper bound on the time needed to compute \(\mathsf {PWC}[\widetilde{E}]\), resp. \(\mathsf {EPWC}[\widetilde{E}]\) on inputs of total (AD + message) length at most \(\sigma \) blocks of n bits when calls to \(\widetilde{E}_K\) cost unit time.
Theorem 2
(PRF-Security of \(\mathsf {PWC}\) and \(\mathsf {EPWC}\) ). Let \(\widetilde{E}\in \mathsf {TBC}(\mathcal {K},\mathcal {T}',\mathcal {X})\) with \(\mathcal {X}=\{0,1\}^n\) and \(\mathcal {T}'=\{2,\ldots ,5\}\times \mathcal {T}\), and assume Conjecture 1. Let \(\mathsf {A}\) be a \((q,m,\ell ,\sigma ,t)\)-adversary against the PRF-security of \(\mathsf {PWC}[\widetilde{E}]\), resp. \(\mathsf {EPWC}[\widetilde{E}]\), with \(\ell \le |\mathcal {T}|-2\). Then there exists an absolute constant C and an adversary \(\mathsf {A}'\), resp. \(\mathsf {A}''\), against the TPRP-security of \(\widetilde{E}\), making at most \(\sigma +2q\), resp. \(\sigma +3q\) oracle queries and running it time at most \(t+t_{\mathsf {PWC}}(\sigma )\), resp. \(t+t_{\mathsf {EPWC}}(\sigma )\), such that
-
(a) if \(\mathsf {A}\) is nonce-respecting (\(m=1\)), then
$$\begin{aligned} \mathbf{Adv }^{\mathrm {nPRF}}_{\mathsf {PWC}[\widetilde{E}]}(\mathsf {A})&\le \mathbf{Adv }^{\mathrm {TPRP}}_{\widetilde{E}}(\mathsf {A}')+ \frac{Cq}{|\mathcal {X}|} ;\\ \mathbf{Adv }^{\mathrm {nPRF}}_{\mathsf {EPWC}[\widetilde{E}]}(\mathsf {A})&\le \mathbf{Adv }^{\mathrm {TPRP}}_{\widetilde{E}}(\mathsf {A}'')+ \frac{Cq}{|\mathcal {X}|} ; \end{aligned}$$ -
(b) if \(\mathsf {A}\) is allowed to repeat nonces (\(m>1\)), then
$$ \mathbf{Adv }^{\mathrm {PRF}}_{\mathsf {EPWC}[\widetilde{E}]}(\mathsf {A})\le \mathbf{Adv }^{\mathrm {TPRP}}_{\widetilde{E}}(\mathsf {A}'')+\frac{q^2}{|\mathcal {X}|}. $$
Proof
Fix a \((q,m,|\mathcal {T}|-2,\sigma ,t)\)-adversary \(\mathsf {A}\) against the PRF-security of \(\mathsf {PWC}[\widetilde{E}]\) or \(\mathsf {EPWC}[\widetilde{E}]\), trying to distinguish the construction from a random function \(R\leftarrow _{\$}\mathsf {Func}(\mathcal {N}\times \mathcal {D},\mathcal {Y})\), where \(\mathcal {D}=\mathcal {A}\times \mathcal {M}\). We start by proving (a), assuming \(\mathsf {A}\) is nonce-respecting (\(m=1\)). First, slightly abusing the notation, let us see \(\mathsf {(E)PWC}\) as a construction based on an arbitrary tweakable permutation, identifying \(\mathsf {(E)PWC}[\widetilde{E}]_K\) with \(\mathsf {(E)PWC}[\widetilde{E}_K]\). We start by replacing \(\widetilde{E}_K\) in the security experiment by a uniformly random tweakable permutation \(\widetilde{P}\). One can see \(\mathsf {A}^{\mathsf {PWC}[\cdot ]}\), resp. \(\mathsf {A}^{\mathsf {EPWC}[\cdot ]}\), as an adversary \(\mathsf {A}'\), resp. \(\mathsf {A}''\) against the TPRP-security of \(\widetilde{E}\), making at most \(\sigma +2q\), resp. \(\sigma +3q\) queries to its oracle (since a query of \(\ell _i\) blocks to \(\mathsf {PWC}\), resp. \(\mathsf {EPWC}\), costs \(\ell _i+2\), resp. \(\ell _i+3\) calls to \(\widetilde{E}\)) and running in time at most \(t'=t+t_{\mathsf {PWC}}(\sigma )\), resp. \(t'=t+t_{\mathsf {EPWC}}(\sigma )\), so that
where
In order to upper bound \(\delta \), we abstract the high-level structure of \(\mathsf {(E)PWC}[\widetilde{P}]\) as follows. First, we see how A and M are handled as applying a keyed hash function (the key being \(\widetilde{P}\)) to the pair (A, M), viz.
We also define a pseudorandom function (again with key \(\widetilde{P}\)) as
Then, \(\mathsf {(E)PWC}[\widetilde{P}]\) can be written
which should make it clear that the \(\mathsf {PWC}\) construction follows the Wegman-Carter paradigm [60] with an additional layer of encryption for \(\mathsf {EPWC}\) (note that the three sets of tweaks used in F, H, and for the final encryption call are disjoint, so that these three building blocks are independent).
We start by showing that the hash function family \((H_{\widetilde{P}})\), with \(\widetilde{P}\in \mathsf {TP}(\mathcal {T}',\mathcal {X})\), is xor-universal, i.e., for any two distinct inputs (A, M), \((A',M')\), and any \(X\in \mathcal {X}=\{0,1\}^n\), the probability, over the random draw of \(\widetilde{P}\leftarrow _{\$}\mathsf {TP}(\mathcal {T}',\mathcal {X})\), that
is less than \(1/|\mathcal {X}|\). Assume that \(A\ne A'\) (the reasoning is similar if \(A=A'\) and \(M\ne M'\)), let \(\ell _a=|A|/n\) and \(\ell '_a=|A'|/n\), and assume wlog that \(\ell _a\ge \ell '_a\). Denote \(A=A_1\Vert \cdots \Vert A_{\ell _a}\) and \(A'=A'_1\Vert \cdots \Vert A'_{\ell '_a}\). Assume first that \(\ell _a>\ell _a'\). Then (13) is equivalent to
where Z is independent of permutations \(\widetilde{P}^{2,\ell _a+1}\) and \(\widetilde{P}^{3,\ell _a+1}\), hence the probability is exactly \(1/|\mathcal {X}|\). Assume now that \(\ell _a=\ell '_a\). There is necessarily an index \(i\le \ell _a\) such that \(A_i\ne A'_i\). If \(i<\ell _a\), then (13) is equivalent to
where Z is a value potentially depending on \(\widetilde{P}\) for tweaks different from \((2,i+1)\). Since the probability of this equality (over the random draw of \(\widetilde{P}^{2,i+1}\)) is either 0 when \(Z=0\) or exactly \(1/|\mathcal {X}|\) when \(Z\ne 0\), it follows that the condition is met with probability at most \(1/|\mathcal {X}|\) in that case. Similarly, if \(i=\ell _a\), then (13) is equivalent to
where Z is a value potentially depending on \(\widetilde{P}\) for tweaks different from \((2,i+1)\) and \((3,i+1)\). Again, the condition is met with probability at most \(1/|\mathcal {X}|\) in that case. This concludes the proof that H is xor-universal.
As a second step, we replace \(F_{\widetilde{P}}\) by a uniformly random function \(\rho \) from \(\mathcal {N}=\{0,1\}^n\) to \(\mathcal {X}=\{0,1\}^n\). Let \(\mathsf {PWC}'[\rho ,\widetilde{P}]\), resp. \(\mathsf {EPWC}'[\rho ,\widetilde{P}]\) be defined as in (11), resp. (12), except that \(F_{\widetilde{P}}\) is replaced by a call to \(\rho \). Since \(\mathsf {A}\) is nonce-respecting, then both \(\mathsf {PWC}'[\rho ,\widetilde{P}]\) and \(\mathsf {EPWC}'[\rho ,\widetilde{P}]\) are perfectly indistinguishable from \(\mathsf {Rand}\) (this is obvious for \(\mathsf {PWC}'\), while for \(\mathsf {EPWC}'\) this follows from the fact that applying any fixed permutation to uniformly random values yields uniformly random values). Hence, it remains to upper bound \(\mathsf {A}\)’s advantage in distinguishing \(\mathsf {(E)PWC}[\widetilde{P}]\) from \(\mathsf {(E)PWC}'[\rho ,\widetilde{P}]\). By a straightforward hybrid argument, this is exactly the advantage of an adversary \(\mathsf {A}'''\) simulating H (and \(\widetilde{P}^{4,0}\) for \(\mathsf {EPWC}\)) in distinguishing \(F_{\widetilde{P}}\) from \(\rho \) within at most q queries (since each query to the construction translates in exactly one query to the function applied to the nonce). Using Conjecture 1, this advantage is upper bounded by \(Cq/|\mathcal {X}|\). Combining this with (6), resp. (7), we obtain the result.
We then prove (b), assuming \(\mathsf {A}\) is allowed to repeat nonces (\(m>1\)). Exactly as before, one has
with \(\delta \) defined as in (8). We now see \(\mathsf {EPWC}[\widetilde{P}]\) as a construction based on a universal hash function applied to (N, A, M) followed by a PRF. More precisely, let
with H and F as defined in resp. (9) and (10). Then
It is easy to adapt the proof that H is xor-universal to show that \(H'\) is also xor-universal (hence, in particular, universal, which is all we need here). The remaining of the proof is now standard [57], and we only sketch it. We first replace \(\widetilde{P}^{4,0}\) in \(\mathsf {EPWC}[\widetilde{P}]\) by a uniformly random function \(\rho :\mathcal {X}\rightarrow \mathcal {X}\), and denote \(\mathsf {EPWC}''[\rho ,\widetilde{P}]\) the resulting construction. By the PRP-PRF switching lemma, \(\mathsf {A}\) can distinguish \(\mathsf {EPWC}[\widetilde{P}]\) from \(\mathsf {EPWC}''[\rho ,\widetilde{P}]\) with advantage at most \(q^2/(2|\mathcal {X}|)\), and because \(H'\) is universal, it can distinguish \(\mathsf {EPWC}''[\rho ,\widetilde{P}]\) from \(\mathsf {Rand}\) with advantage at most \(q^2/(2|\mathcal {X}|)\). The result follows. \(\square \)
Theorem 3
(MAC-Security of \(\mathsf {PWC}\) and \(\mathsf {EPWC}\) ). Let \(\widetilde{E}\in \mathsf {TBC}(\mathcal {K},\mathcal {T}',\mathcal {X})\) with \(\mathcal {X}=\{0,1\}^n\) and \(\mathcal {T}'=\{2,\ldots ,5\}\times \mathcal {T}\), and assume Conjecture 1. Let \(\mathsf {B}\) be a nonce-respecting \((q,1,\ell ,\sigma ,t)\)-adversary against the MAC-security of \(\mathsf {PWC}[\widetilde{E}]\), resp. \(\mathsf {EPWC}[\widetilde{E}]\), with \(\ell \le |\mathcal {T}|-2\). Then there exists an absolute constant C and an adversary \(\mathsf {B}'\), resp. \(\mathsf {B}''\), against the TPRP-security of \(\widetilde{E}\), making at most \(\sigma +2q\), resp. \(\sigma +3q\) oracle queries and running it time at most \(t+t_{\mathsf {PWC}}(\sigma )\), resp. \(t+t_{\mathsf {EPWC}}(\sigma )\), such that
Proof
The proof is standard and deferred to the full version of the paper [50]. \(\square \)
Remark 1
While it is in principle possible to save one encryption call in the \(\mathsf {EPWC}\) construction by keeping the final AD or message block unencrypted as in the standard \(\mathsf {PMAC}\) construction [13, 52], we avoid this to ensure that static AD always gets treated the same, independently of the message. Indeed, applying this optimization would result in a construction where the final block of AD should be treated differently depending on whether the message is empty or not. Handling the AD independently of the message allows to precompute
and to process the nonce and the message later (in particular, when the AD is static, \(\mathsf {auth}'\) need not be recomputed each time).
Remark 2
In the nonce-misuse scenario, there is a simple birthday attack against \(\mathsf {EPWC}[\widetilde{E}]\) as soon as the adversary can repeat a single nonce twice. The attack proceeds as follows: simply query \(\mathsf {EPWC}[\widetilde{E}]_K\) for roughly \(2^{n/2}\) pairs \((N_i,A,M)\) with distinct nonces and the same AD and message until a collision occurs on the outputs for two nonces \(N_1\) and \(N_2\). Clearly, a collision on the MACs implies that \(F_K(N_1)=F_K(N_2)\) (where \(F_K\) is given by (5)). Hence, the adversary can now query \(Y=\mathsf {EPWC}[\widetilde{E}]_K(N_1,A',M')\) for a new pair \((A',M')\ne (A,M)\). Then Y is a valid forgery for \((N_2,A',M')\). It remains an open problem to design a nonce-based MAC scheme ensuring graceful degradation of security with the maximal number of nonce repetitions.
6 The SCT Mode
6.1 The NSIV Construction
In this section, we present the nAE mode \(\mathsf {SCT}\) and analyze its security. We first describe a generic composition method named \(\mathsf {NSIV}\), which defines a nAE scheme from a nonce-based keyed function and an nivE scheme. The \(\mathsf {NSIV}\) construction results from a small (but important from a security viewpoint) modification to the (generic) \(\mathsf {SIV}\) construction [55]. While in \(\mathsf {SIV}\) the encryption part is purely IV-based, \(\mathsf {NSIV}\) relies on a combined nonce- and IV-based encryption (nivE) scheme, the nonce being used as input both to the keyed function and the nivE scheme. This is the only difference with \(\mathsf {SIV}\), where the nonce is only given as input to the keyed function.
More formally, let F be a nonce-based keyed function with key-space \(\mathcal {K}_1\), nonce space \(\mathcal {N}\), domain \(\mathcal {D}=\mathcal {A}\times \mathcal {M}\), and range \(\mathcal {Y}\), and \(\varPi =(\mathcal {K}_2,\mathcal {N},\mathcal {IV},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\) be a nivE scheme. Fix a regular function \(\mathsf {Conv}:\mathcal {Y}\rightarrow \mathcal {IV}\). We define the nAE schemeFootnote 16 \(\mathsf {NSIV}[F,\varPi ]=(\mathcal {K},\mathcal {N},\mathcal {A},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\) with key-space \(\mathcal {K}=\mathcal {K}_1\times \mathcal {K}_2\) as specified on Fig. 4.
The security of \(\mathsf {NSIV}[F,\varPi ]\) is given by Theorem 4 below. We assume that \(\mathcal {A}=\mathcal {M}=\{0,1\}^*\) for convenience, but this restriction can be lifted easily. We denote by \(t_{\varPi }(\sigma )\) an upper bound on the time needed for computing \(\varPi .\mathsf {Enc}\) or \(\varPi .\mathsf {Dec}\) on inputs of total message length at most \(\sigma \) blocks of n bits, and we assume that computing \(\mathsf {Conv}(\mathsf {tag})\) or sampling uniformly from \(\mathsf {Conv}^{-1}(IV)\) takes negligible time for any \(\mathsf {tag}\in \mathcal {Y}\) and \(IV\in \mathcal {IV}\). The proof of this theorem is similar to the security proof of \(\mathsf {SIV}\), and deferred to the full version of the paper [50].
Theorem 4
(Security of \(\mathsf {NSIV}\) ). Let \(F:\mathcal {K}_1\times \mathcal {N}\times \mathcal {D}\rightarrow \mathcal {Y}\), where \(\mathcal {D}=\mathcal {A}\times \mathcal {M}\), be a nonce-based keyed function, \(\varPi =(\mathcal {K}_2,\mathcal {N},\mathcal {IV},\mathcal {M},\mathsf {Enc},\mathsf {Dec})\) be a nivE scheme, and \(\mathsf {Conv}:\mathcal {Y}\rightarrow \mathcal {IV}\) be a regular function. Let \(\mathsf {A}\) be a \((q,m,\ell ,\sigma ,t)\)-adversary against \(\mathsf {NSIV}[F,\varPi ]\). Then, letting \(t'=t+t_{\varPi }(\sigma )\), the following holds:
-
(a) if \(\mathsf {A}\) is allowed to repeat nonces (\(m>1\)), then there exists a \((q,m,\ell ,\sigma ,t')\)-adversary \(\mathsf {A}'\) against \(\varPi \) and a \((q,q,\ell ,\sigma ,t')\)-adversary \(\mathsf {A}''\) against the PRF-security of F such that
$$ \mathbf{Adv }^{\mathrm {AE}}_{\mathsf {NSIV}[F,\varPi ]}(\mathsf {A}) \le \mathbf{Adv }^{\mathrm {ivE}}_{\varPi }(\mathsf {A}')+ \mathbf{Adv }^{\mathrm {PRF}}_{F}(\mathsf {A}'')+\frac{q}{|\mathcal {Y}|}; $$ -
(b) if \(\mathsf {A}\) is nonce-respecting (\(m=1\)), then there exists a \((q,1,\ell ,\sigma ,t')\)-adversary \(\mathsf {A}'\) against \(\varPi \) and \((q,1,\ell ,\sigma ,t')\)-adversaries \(\mathsf {A}''\) and \(\mathsf {A}'''\) against respectively the PRF- and the MAC-security of F, all nonce-respecting, such that
$$ \mathbf{Adv }^{\mathrm {nAE}}_{\mathsf {NSIV}[F,\varPi ]}(\mathsf {A}) \le \mathbf{Adv }^{\mathrm {nivE}}_{\varPi }(\mathsf {A}')+ \mathbf{Adv }^{\mathrm {nPRF}}_{F}(\mathsf {A}'')+ \mathbf{Adv }^{\mathrm {nMAC}}_{F}(\mathsf {A}'''). $$
6.2 From NSIV to SCT
The \(\mathsf {SCT}[\widetilde{E}]\) mode is simply \(\mathsf {NSIV}[F,\varPi ]\) where F is instantiated with \(\mathsf {EPWC}[\widetilde{E}]\) and \(\varPi \) is instantiated with \(\mathsf {CTRT}[\widetilde{E}]\). Additionally, in order to be able to use the same key for calls to \(\widetilde{E}\) both in \(\mathsf {EPWC}\) and in \(\mathsf {CTRT}\), we use tweak separation to ensure that all calls to \(\widetilde{E}\) in \(\mathsf {EPWC}\) and in \(\mathsf {CTRT}\) are independent. The resulting construction is illustrated in Fig. 1. Combining Theorem 4 with Theorems 1, 2 and 3, we finally obtain the following result for the security of \(\mathsf {SCT}\).Footnote 17 We denote by \(t_{\mathsf {SCT}}(\sigma )\) an upper bound on the time needed for computing \(\mathsf {SCT}[\widetilde{E}].\mathsf {Enc}_K\) or \(\mathsf {SCT}[\widetilde{E}].\mathsf {Dec}_K\) on inputs of total (AD + message) length at most \(\sigma \) blocks of n bits when calls to \(\widetilde{E}_K\) cost unit time.
Theorem 5
(Security of \(\mathsf {SCT}\) ). Let \(\widetilde{E}\in \mathsf {TBC}(\mathcal {K},\mathcal {T}',\mathcal {X})\) with \(\mathcal {X}=\{0,1\}^n\), \(\mathcal {T}=\{1,\ldots ,5\}\times \mathcal {T}\), and \(|\mathcal {T}|\ge 8\). Let \(\mathsf {Conv}\) be a regularFootnote 18 function from \(\mathcal {X}\) to \(\mathcal {T}\). Assume Conjecture 1 and let \(f(\sigma )\) be defined as in Theorem 1. Let \(\mathsf {A}\) be a \((q,m,\ell ,\sigma ,t)\)-adversary against \(\mathsf {SCT}[\widetilde{E}]\) with \(\ell \le |\mathcal {T}|-2\). Then there exists an absolute constant C and an adversary \(\mathsf {A}'\) against the TPRP-security of \(\widetilde{E}\), making at most \(\sigma +3q\) oracle queries and running in time at most \(t+t_{\mathsf {SCT}}(\sigma )\), such that
-
(a) if \(\mathsf {A}\) is allowed to repeat nonces in encryption queries (\(m>1\)), then
$$ \mathbf{Adv }^{\mathrm {AE}}_{\mathsf {SCT}[\widetilde{E}]}(\mathsf {A})\le \mathbf{Adv }^{\mathrm {TPRP}}_{\widetilde{E}}(\mathsf {A}')+\frac{2(m-1)\sigma +1}{|\mathcal {T}|}+f(\sigma )+\frac{q^2+q}{|\mathcal {X}|}; $$ -
(b) if \(\mathsf {A}\) is nonce-respecting \((m=1)\), then
$$ \mathbf{Adv }^{\mathrm {nAE}}_{\mathsf {SCT}[\widetilde{E}]}(\mathsf {A})\le \mathbf{Adv }^{\mathrm {TPRP}}_{\widetilde{E}}(\mathsf {A}')+\frac{1}{|\mathcal {T}|}+f(\sigma )+\frac{(2C+1)q}{|\mathcal {X}|}. $$
Notes
- 1.
Similarly, the high-entropy requirement on the IV is hard to meet when no good randomness source is available.
- 2.
The \(\mathsf {SCT}\) mode uses 5 tweak prefixes to separate the different usages of the TBC. The “effective” tweak length is what remains once 3 bits have been used to encode the prefix.
- 3.
While \(\mathsf {SIV}\) corresponds to generic composition method A4 in the nomenclature of Namprempre et al. [46], \(\mathsf {NSIV}\) does not fit any of the NRS schemes.
- 4.
This excludes for example a simple \(\mathsf {OCB}\)-like encryption mode since it is only nonce-based, not IV-based.
- 5.
Similarly, the only reason why \(\mathsf {OCB}\) is secure up to the birthday bound whereas \(\mathsf {\Theta CB}\) is “perfectly” secure is because it relies on \(\mathsf {XE}\)/\(\mathsf {XEX}\) for instantiating the TBC.
- 6.
The tweak prefixes used in this paper were chosen for ease of exposition and are slightly different from the ones used in \(\textsf {Deoxys}\) and \(\textsf {Joltik}\) v1.3, which were chosen mainly for efficiency reasons.
- 7.
- 8.
E.g., an nPRF-secure function F might depend only on the nonce, in which case it is trivial to forge and break nMAC-security, while an nMAC-secure function F might have all its outputs starting with a 0 bit, which allows to trivially break nPRF-security.
- 9.
We assume that \(\mathsf {Rand}\) returns the same output if a query is repeated.
- 10.
The \(\mathsf {CTRT}\) mode does not need tweak separation per se. We use a single 1 prefix in order to conveniently combine \(\mathsf {CTRT}\) with \(\mathsf {EPWC}\) later.
- 11.
Note that in that case the size of the tweak space \(\mathcal {T}\) only impacts the maximal message length \(\ell \), not the security bound.
- 12.
The successor of the tweak T is \(\mathsf {Inc}(T)\).
- 13.
Note that the adversary must commit to the length \(\ell _i\) of the chain before knowing the initial bin \(IV_i\) since it first makes the query \((N_i,M_i)\) and only then receives the answer \((IV_i,C_i)\).
- 14.
We use a set of prefixes which is disjoint from the set used for the \(\mathsf {CTRT}\) mode in order to later combine the two modes smoothly.
- 15.
When constructing an AE scheme, it is more convenient to directly define a vector-input MAC, rather than a string-input MAC that must later be transformed to handle vectors of strings, as required for an AE scheme.
- 16.
Our formalization of an nAE scheme in Definition 4 assumes that the ciphertext is a binary string, whereas in our description, \(\mathsf {NSIV}[F,\varPi ].\mathsf {Enc}\) returns a pair \((C,\mathsf {tag})\). We assume some implicit encoding of this pair into a single binary string.
- 17.
- 18.
Note that this regularity condition imposes \(|\mathcal {T}|\le |\mathcal {X}|\). However, when \(\mathcal {T}|>|\mathcal {X}|\), the security bounds of \(\mathsf {CTRT}\) and \(\mathsf {EPWC}\) do not depend on the tweak length (only the maximal message length does). Hence, one can always use a subset of tweaks of size \(|\mathcal {X}|\) in case \(|\mathcal {T}|>|\mathcal {X}|\).
References
CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html
Abed, F., Fluhrer, S., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: Pipelineable on-line encryption. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 205–223. Springer, Heidelberg (2015)
AlFardan, N.J., Paterson, K.G., Lucky thirteen: breaking the TLS and DTLS record protocols. In: Security and Privacy - SP 2013, pp. 526–540 (2013)
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014)
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
Asharov, G., Naor, M., Segev, G., Shahaf, I., Encryption, S.S.: Optimal locality in linear space via two-dimensional balanced allocations. IACR Cryptology ePrint Archive, Report 2016/251 (2016). To appear at STOC 2016
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: FOCS 1997, pp. 394–403 (1997)
Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptology ePrint Archive, Report 1999/024 (1999)
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004)
Black, J.A., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)
Brassard, G.: On computationally secure authentication tags requiring short secret shared keys. In: CRYPTO 1982, pp. 79–86 (1982)
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014)
Cogliati, B., Lampe, R., Patarin, J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 285–302. Springer, Heidelberg (2014)
Dodis, Y., Steinberger, J.: Domain extension for MACs beyond the birthday barrier. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 323–342. Springer, Heidelberg (2011)
Duong, T., Rizzo, J.: Here come the \(\oplus \) Ninjas. Unpublished manuscript (2011). https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=540839
Ferguson, N.: Collision attacks on OCB. Unpublished manuscript (2002). http://www.cs.ucdavis.edu/~rogaway/ocb/fe02.pdf
Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. SHA3 Submission to NIST (Round 3) (2010)
Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012)
Gligor, V.D., Donescu, P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, p. 92. Springer, Heidelberg (2002)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Grosso, V., Leurent, G., Standaert, F.-X., Varici, K., Durvaux, F., Gaspar, L., Kerckhof, S.: SCREAM and iSCREAM. Submitted to CAESAR (2014)
Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption atunder one cycle per byte. In: ACM CCS 2015, pp. 109–119 (2015)
Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015)
Hoang, V.T., Reyhanitabar, R., Rogaway, P., Vizár, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 493–517. Springer, Heidelberg (2015)
Iwata, T.: New blockcipher modes of operation with beyond the birthday bound security. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 310–327. Springer, Heidelberg (2006)
Iwata, T.: Authenticated encryption mode for beyond the birthday bound security. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 125–142. Springer, Heidelberg (2008)
Jean, J., Nikolic, I., Peyrin, T.: Deoxys v1. Submitted to the CAESAR competition (2014)
Jean, J., Nikolic, I., Peyrin, T.: Joltik v1. Submitted to the CAESAR competition (2014)
Jean, J., Nikolic, I., Peyrin, T.: KIASU v1. Submitted to the CAESAR competition (2014)
Jean, J., Nikolic, I., Peyrin, T.: Tweaks and keys for blockciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
Jutla, C.S.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, Heidelberg (2001)
Jutla, C.S.: Encryption modes with almost free message integrity. J. Cryptol. 21(4), 547–578 (2008). Earlier version at EUROCRYPT 2001
Katz, J., Yung, M.: Characterization of security notions for probabilistic private-key encryption. J. Cryptol. 19(1), 67–95 (2006)
Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011)
Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–152. Springer, Heidelberg (2014)
Landecker, W., Shrimpton, T., Terashima, R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012)
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000)
McGrew, D.A., Viega, J.: The security and performance of the Galois/counter mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)
Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015)
Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009)
Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014)
Patarin, J.: A proof of security in \(O(2^n)\) for the Xor of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008)
Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
Patarin, J.: Security in \(O(2^n)\) for the Xor of two random permutations: proof with the standard \(H\) technique. IACR Cryptology ePrint Archive, Report 2013/368 (2013)
Peyrin, T., Seurin, Y.: Counter-in-Tweak: authenticated encryption modes for tweakable block ciphers. Full version of this paper. http://eprint.iacr.org/2015/1049
Rogaway, P.: Authenticated-encryption with associated-data. In: ACM CCS 2002, pp. 98–107 (2002)
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–359. Springer, Heidelberg (2004)
Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003)
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)
Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive, Report 2004/332 (2004)
Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013)
Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS \(..\). In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–546. Springer, Heidelberg (2002)
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Submission to NIST (2002). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm.pdf
Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011)
Acknowledgements
The authors would like to thank Jérémy Jean and Ivica Nikolic for their remarks on early designs. The first author is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Peyrin, T., Seurin, Y. (2016). Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers. In: Robshaw, M., Katz, J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science(), vol 9814. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53018-4_2
Download citation
DOI: https://doi.org/10.1007/978-3-662-53018-4_2
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53017-7
Online ISBN: 978-3-662-53018-4
eBook Packages: Computer ScienceComputer Science (R0)