International Association for Cryptologic Research

CryptoDB

CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation

Authors:
Benoît Cogliati , CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Jordan Ethan , CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Virginie Lallemand , Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
Byeonghak Lee , Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Korea
Jooyoung Lee , Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Korea
Marine Minier , Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
Download:
DOI: 10.46586/tosc.v2021.i4.1-35
URL: https://tosc.iacr.org/index.php/ToSC/article/view/9327
Abstract: In this work, we propose a construction of 2-round tweakable substitution-permutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with ωn-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωκ-bit messages for any integer ω ≥ 2 using 5n + κ-bit keys and n-bit tweaks, providing 2n/3-bit security.

Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced-round AES block cipher as the underlying secret S-box. Extensive cryptanalysis of this algorithm allows us to claim 127 bits of security.

Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.
Video from TOSC 2021
BibTeX
@article{tosc-2021-31666,
  title={CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2021, Issue 4},
  pages={1-35},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/9327},
  doi={10.46586/tosc.v2021.i4.1-35},
  author={Benoît Cogliati and Jordan Ethan and Virginie Lallemand and Byeonghak Lee and Jooyoung Lee and Marine Minier},
  year=2021
}