CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation

Authors

  • Benoît Cogliati CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
  • Jordan Ethan CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
  • Virginie Lallemand Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
  • Byeonghak Lee Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Korea
  • Jooyoung Lee Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Korea
  • Marine Minier Université de Lorraine, CNRS, Inria, LORIA, Nancy, France

DOI:

https://doi.org/10.46586/tosc.v2021.i4.1-35

Keywords:

tweakable enciphering mode, SPN, beyond-birthday-bound security

Abstract

In this work, we propose a construction of 2-round tweakable substitutionpermutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with ωn-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωκ-bit messages for any integer ω ≥ 2 using 5n + κ-bit keys and n-bit tweaks, providing 2n/3-bit security.
Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced round AES block cipher as the underlying secret S-box. Extensive
cryptanalysis of this algorithm allows us to claim 127 bits of security.
Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.

Downloads

Published

2021-12-03

Issue

Section

Articles

How to Cite

CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation. (2021). IACR Transactions on Symmetric Cryptology, 2021(4), 1-35. https://doi.org/10.46586/tosc.v2021.i4.1-35