TY - JOUR
AU - Cogliati, Benoît
AU - Ethan, Jordan
AU - Lallemand, Virginie
AU - Lee, Byeonghak
AU - Lee, Jooyoung
AU - Minier, Marine
PY - 2021/12/03
Y2 - 2023/05/28
TI - CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation
JF - IACR Transactions on Symmetric Cryptology
JA - ToSC
VL - 2021
IS - 4
SE - Articles
DO - 10.46586/tosc.v2021.i4.1-35
UR - https://tosc.iacr.org/index.php/ToSC/article/view/9327
SP - 1-35
AB - In this work, we propose a construction of 2-round tweakable substitution-permutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with κ-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωn-bit messages for any integer ω ≥ 2 using (5n + κ)-bit keys and n-bit tweaks, providing 2n/3-bit security. Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency remains comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced-round (six-round) AES block cipher as the underlying secret S-box. Extensive cryptanalysis of this algorithm allows us to claim 127 bits of security. Such tweakable enciphering schemes with huge block sizes are desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.
ER -
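The abstract's closing argument is that AES-XTS enciphers each 16-byte block of a sector independently, so an attacker (or a disk error) can alter one block without disturbing the rest, whereas a wide-block scheme such as CTET+ treats the whole sector as one block. The following Go program is an added example written for this page, not code from the paper or its authors: it implements AES-XTS over the standard library's AES (block-aligned data units only, no ciphertext stealing), checks itself against IEEE 1619 test vector 1, then flips one ciphertext bit in a constructed 512-byte sector and counts how many plaintext blocks change on decryption. CTET+ itself is not implemented, since the abstract does not specify its internals; the key and sector contents are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// XTS is a minimal AES-XTS (IEEE 1619) for block-aligned data units such as disk sectors (no ciphertext stealing).
type XTS struct {
	data  cipher.Block // K1: encrypts the data blocks
	tweak cipher.Block // K2: turns the sector number into the initial tweak
}

// NewXTS takes K1 || K2, two AES keys of equal length (32 or 64 bytes in total).
func NewXTS(key []byte) (*XTS, error) {
	half := len(key) / 2
	k1, err1 := aes.NewCipher(key[:half])
	k2, err2 := aes.NewCipher(key[half:])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("xts: bad key halves: %v / %v", err1, err2)
	}
	return &XTS{data: k1, tweak: k2}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128), IEEE 1619 little-endian bit order, polynomial x^128+x^7+x^2+x+1.
func mulAlpha(t *[aes.BlockSize]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// Transform encrypts (encrypt=true) or decrypts one data unit. Block j is masked with T*alpha^j, sent through
// AES under K1 and masked again; no block ever depends on its neighbours, which is the granularity issue above.
func (x *XTS) Transform(dst, src []byte, sector uint64, encrypt bool) error {
	if len(src)%aes.BlockSize != 0 || len(dst) < len(src) {
		return errors.New("xts: src must be a multiple of 16 bytes and fit in dst")
	}
	var t, tmp [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	x.tweak.Encrypt(t[:], t[:])
	for off := 0; off < len(src); off += aes.BlockSize {
		for i := range tmp {
			tmp[i] = src[off+i] ^ t[i]
		}
		if encrypt {
			x.data.Encrypt(tmp[:], tmp[:])
		} else {
			x.data.Decrypt(tmp[:], tmp[:])
		}
		for i := range tmp {
			dst[off+i] = tmp[i] ^ t[i]
		}
		mulAlpha(&t)
	}
	return nil
}

// KnownAnswerOK checks IEEE 1619 vector 1: all-zero keys, sector 0, 32 zero bytes of plaintext.
func KnownAnswerOK() bool {
	want, _ := hex.DecodeString("917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e")
	x, _ := NewXTS(make([]byte, 32))
	got := make([]byte, 32)
	return x.Transform(got, make([]byte, 32), 0, true) == nil && bytes.Equal(got, want)
}

// CorruptedBlocks encrypts a sector, flips one bit in ciphertext block idx (caller keeps idx in range),
// decrypts, and returns how many 16-byte plaintext blocks no longer match the original.
func CorruptedBlocks(x *XTS, sector uint64, plain []byte, idx int) (int, error) {
	ct, pt := make([]byte, len(plain)), make([]byte, len(plain))
	if err := x.Transform(ct, plain, sector, true); err != nil {
		return 0, err
	}
	ct[idx*aes.BlockSize] ^= 0x01 // one flipped bit: a disk error or an attacker's edit
	_ = x.Transform(pt, ct, sector, false) // same lengths as the encrypt call, so it cannot fail
	n := 0
	for off := 0; off < len(plain); off += aes.BlockSize {
		if !bytes.Equal(pt[off:off+aes.BlockSize], plain[off:off+aes.BlockSize]) {
			n++
		}
	}
	return n, nil
}

func main() {
	x, _ := NewXTS(bytes.Repeat([]byte{0x5a}, 32))                  // constructed key, not from the paper
	sector := bytes.Repeat([]byte("sample sector data "), 27)[:512] // constructed 512-byte sector
	n, err := CorruptedBlocks(x, 42, sector, 5)
	fmt.Println("KAT ok:", KnownAnswerOK(), "| corrupted blocks:", n, "of", len(sector)/aes.BlockSize, "| err:", err)
}
```

Under XTS the flipped bit corrupts exactly one of the 32 plaintext blocks and leaves the other 31 intact, so an attacker who can write to the disk gets 16-byte granularity (and, because XTS is not authenticated, nothing detects the edit). A wide-block enciphering scheme of the kind the abstract describes is a single permutation over the whole sector, so the same one-bit change would turn all 512 bytes into pseudorandom garbage on decryption; that is the coarser granularity the paper argues for. Note that neither construction provides integrity by itself.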