Tweakable Blockciphers with Beyond Birthday-Bound Security

(1)

Tweakable Blockciphers with

Beyond Birthday-Bound Security

Will Landecker, Thomas Shrimpton, and R. Seth Terashima

Dept. of Computer Science, Portland State University {landeckw,teshrim,seth}@cs.pdx.edu

Abstract. Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO’02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and requires per-invocation blockcipher rekeying.

This paper gives the first TBC construction that simultaneously allows for arbitrarily “wide” tweaks, does not rekey, and delivers provable security beyond the birthday bound. Our construction is built from a blockcipher and an-AXU2hash function.

As an application of the TBC primitive, LRW suggest the TBC-MAC construction (similar to CBC-MAC but chaining through the tweak), but leave open the question of its security. We close this question, both for TBC-MAC as a PRF and a MAC. Along the way, we find a nonce-based variant of TBC-MAC that has a

tightreduction to the security of the underlying TBC, and also displays graceful security degradation when nonces are misused. This result is interesting on its own, but it also serves as an application of our new TBC construction, ultimately giving a variable input-length PRF with beyond birthday-bound security.

Keywords: tweakable blockcipher, beyond birthday bound, pseudorandom function, message authentication code, unforgeability.

sectionIntroduction A blockcipherE:{0,1}k_{× {}₀_,₁_}n _{→ {}₀_,₁_}n_{is typically viewed as a family of} permu-tationsEKover{0,1}n_{, where the index into the family is the key}_K_{∈ {}₀_,₁_}k_{. A}_{tweakable blockcipher}_(TBC) extends this viewpoint by adding a second “dimension” to the function family, called atweak. In particular, a TBC

e

E:{0,1}k_{× T × {}₀_,₁_}n _{→ {}₀_,₁_}n_{is a family of permutations indexed by a pair}₍_{K, T}₎_{∈ {}₀_,₁_}k_{× T}_{. There is,} however, a semantic asymmetry between the key and the tweak: the key is secret and gives rise to security, while the tweak may be public and gives rise to variability.

Liskov, Rivest and Wagner [21] formalized the TBC primitive. Their thesis was that primitives with inherent variability are a more natural starting point for building modes of operation, whereas classical constructions would use a blockcipher (deterministic once the key is fixed) and induce variability by using a per-message IV or nonce. Subsequent papers have delivered tweakable enciphering schemes (e.g. [14–16, 34, 8] and others), message authen-tication codes (e.g. [30]), and authenticated encryption (e.g. [29, 30, 20]) modes of operation. The Skein [32] hash function has a TBC at its core. TBC-based constructions have found widespread practical application for full-disk encryption.

BUILDING TBCS. There are few dedicated TBC designs: the Hasty Pudding [31] and Mercy [10] ciphers na-tively admit tweaks. The more common approach is to start from a blockcipher and build up a TBC, incorporat-ing support for a tweak without (one hopes) sacrificincorporat-ing whatever security the original blockcipher offered. The original LRW paper itself gave two constructions, which we callLRW1andLRW2. The former construction is

LRW1[E]K(T, X) =EK(T⊕EK(X))and it is a secure tweakable-PRP1if the underlyingn-bit blockcipherEis a secure PRP, although there is a birthday-type loss in the reduction. (That is, the security bound becomes vacuous around2n/2_{queries.) In addition to birthday-bound security, the tweakspace is limited to}_{T ⊆ {}₀_,₁_}n_{. The second} LRW constructionLRW2[H, E]h,K(T, X) =h(T)⊕EK(X⊕h(T))avoids this length restriction by hashing the tweak. LRW prove that this is a tweakable strong-PRP whenEis a secure strong-PRP andhis a random element of an-almost 2-xor-universal (-AXU2) hash function familyH. But here, too, one finds only birthday-bound

1

This notion is formally defined in Section 1. Informally, a TBCEeis a secure tweakable-PRP if, for a random and secret

keyK, the family of mappingsEeK(·,·)is computationally indistinguishable from a family of random permutations. The

(2)

security. Variations on the LRW constructions, for example Rogaway’s XE and XEX constructions [30], similarly offer provable security only to the birthday bound.

Tweakable blockciphers with beyond birthday-bound (BBB) security may be of particular interest for appli-cations such as large-scale data-at-rest protection, where key management and negotiation issues seem likely to drive up the amount of data protected by a single key. Also, when legacy restrictions require the use of Triple-DES (where n = 64), delivering BBB security has obvious benefits. We also note that OCB mode [30] would de-liver BBB authenticated-encryption security if constructed over a BBB tweakable blockcipher; other TBC-based constructions with (tight) security reductions to the security of the underlying TBC would similarly benefit.

Nonetheless, constructions of TBCs with BBB security are rare. One due to Minematsu [25] achieves BBB security, but only admits short tweaks (e.g.T ={0,1}n−m_for_m _≥_n/₂_{). It requires two blockcipher calls per} TBC invocation, and suffers an additional performance penalty by rescheduling one blockcipher key whenever the tweak changes. This last point also violates a TBC design goal, that changing a tweak should be more efficient than changing a key.

A NEWCONSTRUCTION WITHBBB SECURITY: CLRW2. Our main technical result is the first TBC construction that has tweakable strong-PRP security beyond the birthday bound, admits essentially arbitrary tweaks, and does not require per-invocation rekeying of any of the underlying objects.We call this theChainedLRW2(CLRW2) construction, since it can be written asLRW2[H, E]h2,K2(T,LRW2[H, E]h1,K1(T, X)); see Figure 1.

The bulk of the paper is dedicated to showing that whenEis a secure strong-PRP andH is an-AXU2hash function family with= 2−n_{, the CLRW2 TBC is a tweakable strong-PRP with security against adaptive attackers} makingO(22n/3₎_{queries. Figure 2 gives a graphical comparison of our security bound and the birthday bound.}

We also consider some variations of CLRW2, for example omitting internal xors, or keying the two blockci-phers with the same key.

Note that there are many efficient constructions of-AXU2families with≈2−nand, except perhaps for very long tweaks, the running time of CLRW2 is likely to be dominated by the two blockcipher calls.

X Y

h_ h_

T

E_K E_K

Fig. 1.The CLRW2 Construction.

ANALYZING THETBC-MACCONSTRUCTION AND VARIANTS. In addition to formalizing the TBC primitive, LRW suggested TBC-based constructions for (authenticated) encryption, hashing and message authentication. The last of these has yet to receive formal analysis, so we consider it. The basic TBC-MAC construction operates as follows. Fix k, n > 0 and let Ee: {0,1}k × {0,1}n × {0,1}n → {0,1}n be a tweakable blockcipher. Fix T0∈ {0,1}n_{. Then for any key}_K _{∈ {}₀_,₁_}k_{and a plaintext}_M ₌_{M1, . . . , Mb}_{consisting of}_{n-bit blocks, define}

TBCMAC[Ee]K(M) = Tb whereTi ←EKe (Ti−1, Mi)for alli ∈ [1..b]. This is the TBC-MAC (overE) of thee inputM.

(3)

the chaining value (the tweak) is separated from the plaintext input block. Moreover, it is easy to build TBCs with tweak inputs that are much larger thannbits (LRW already gave one way), and exploiting this may allow for simple twists on the basic TBC-MAC that give better security.

We first consider TBC-MAC as a variable-input-length pseudorandom function (VIL-PRF). We show that it is secure if the underlying TBC is a secure tweakable-PRP. Like CBC-MAC, however, TBC-MAC has only birthday-bound security. A small benefit is that this result is not restricted to prefix-free encoded inputs as it is for CBC-MAC. Actually, one can view TBC-MAC as an instance of the Merkle-Damg˚ard iteration [23, 11] over a compression function with a dedicated key input. In this setting Bellare and Ristenpart [3] have already shown that various versions of Merkle-Damg˚ard (plain, suffix-free encoded inputs, prefix-free encoded inputs) are PRF-preserving.

A more interesting result is found if the underlying TBC allows “wide” tweaks, i.e. tweaks that are wider than the blocksize. In this case, a simple nonce-based version of TBC-MAC (TBCMAC2) achieves much bet-ter PRF security bounds. In fact, if nonces are properly respected, the mode of operation impartsnoloss over the security of the underlying TBC. Thus,TBCMAC2instantiated with a beyond-birthday secure TBC yields a variable-input-length PRF with beyond-birthday security. What’s more, the security bound degrades quadratically in the maximum number of times any nonce is repeated, providing more graceful behavior than most nonce-based constructions, which fail catastrophically when a nonce-repeat occurs. Such nonce misuse-resistance can be quite useful in practice.

Lastly, we show that TBC-MAC is unforgeable assuming only that the underlying TBC is likewise unforgeable. This holds only for prefix-free encoded inputs. In fact, this follows from the work of Maurer and Sj¨odin [22], who give general results for the Merkle-Damg˚ard iteration. When the prefix-free encoding restriction is lifted, we exhibit a TBCEethat is unforgeable, yet TBC-MAC overEeis easily forged.

UNFORGEABILITY PRESERVATION OF TBCCONSTRUCTIONS. A final, small contribution of this work is to address the question: What if one wants only to assume access to cryptographic primitives that are unforgeable (i.e. unpredictable), rather than pseudorandom? No previous work addresses the provable security of TBC constructions starting from blockciphers with this weaker security assumption. We begin this effort by considering the two TBC constructions from LRW. We show thatLRW1isnotunforgeability preserving. That is, we build a blockcipherE that is unforgeable but for which is it easy to forgeLRW1[E]. (In fact, we useLRW1against itself in this result!) Likewise forLRW2, we show that there is an-AXU2hash function family and an unforgeable blockcipherEsuch thatLRW2[H, E]is easily forged. (Again, we useLRW1again to construct theE we need.) For space reasons, these results appear in Appendix E. At this time, we do not know if CLRW2 remains unforgeable given only unforgeable underlying blockciphers.

ADDITIONALRELATEDWORK. We have already mentioned the paper of Liskov et al. [21] as the starting point for our work. Goldenberg et al. [17] show how to build a TBC by directly tweaking the Luby-Rackoff construction. Usingn-bit random functions, the resulting2n-bit TBC has tweakable strong-PRP security to roughly2n_queries, and can accommodate a tweak of length`nusing`+ 6rounds.

Coron et al. [9] show that a three-round Feistel construction over ann-bit TBC with a wide tweak yields a

2n-bit TBC that has beyond birthday-bound security if the underlying TBC does. Our CLRW2 construction meets this requirement.

The PMAC1 construction by Rogaway [30] builds a (parallelizable) VIL-PRF from a TBC, achieving birthday-bound security. Recently, Yasuda [36] introduced the PMAC plus construction, which hasO(22n/3₎ _security like TBCMAC2 but is more efficient and parallelizable.PMAC pluscould be viewed as a construction over a tweakable blockcipher (which might be called the “XXE” construction, following Rogaway’s naming convention), but neither the construction nor the proof is cast this way. Separately, Yasuda [35] proves that Algorithm 6 from ISO 9797-1 and SUM-ECBC both have security againstO(22n/3₎_queries.

The WMAC construction of Black and Cochran [6] is a stateful hash-then-MAC construction that, like our TBCMAC2 construction, allows for graceful (quadratic) security degradation when nonces are repeated. There are various methods for using randomness to build VIL-PRFs with beyond birthday-bound security; for example MACRX [2], RMAC [19], randomized WMAC and enhanced hash-then-MAC [26]

(4)

unforge-ability; however, their counterexample does not apply to TBC-MAC because the compression function they con-struct is not a TBC.

Zhang et al. [37] study so-called rate-1 MACs constructed from variations of the PGV [27, 7] blockcipher-based compression functions. They show that certain of these compression functions, for examplef(T, X) =

EK⊕T(X), iterate (throughT) to unforgeable MACs under the assumption that the underlying blockcipher is related-key unpredictable for specific related-key functions. In the case of our example, the related-key functions are{K7→K⊕T |T ∈ {0,1}|K|_{}. But in this example and others, assuming that the blockcipher is related-key} unforgeable is equivalent to assuming that the compression function is an unforgeable TBC, and thus chaining through the tweak leads to TBC-MAC. Hence our results generalize some of those given by Zhang et al. [37]. We note that TBCs likeEK⊕T(X) are inefficient choices for iteration through the tweak, since they require rescheduling the blockcipher key each round.

We mention in passing that the basic three-key enciphered CBC construction due to Dodis et al. [12] can, in large, part be viewed as an instance of TBC-MAC over theLRW1TBC. (TheIV is no longer a fixed value, but depends on the first input block.)

NOTE ON ERROR IN PREVIOUS VERSION. This is a revised full version of a paper that appeared in CRYPTO ’12. Both the original full version (6 Aug. 2012) and the CRYPTO paper contain an error in the proof of Theorem 1.

Briefly, the error occurs in the transition from Game 4 to Game 5 when we tacitly assume the former is more likely than an ideal tweakable blockcipher to return certain values (specifically, values in the setS1). We would like to thank Gordon Procter for bringing the error to our attention. Procter also provided a suggested patch to the problem [28]; while we believe the patch is sound, we opted for a solution that simplifies the proof by using a coupling argument to abstract away the details of certain game transitions.

1 Preliminaries

NOTATION. WhenX is a set, we writex $

← X to mean that an element (namedx) is uniformly sampled fromX. We overload the notation for probabilistic algorithms, writingx $

←Mto mean that algorithmM runs and outputs a value namedx. WhenXandY are strings, we writeXkY for their concatenation. WhenX ∈ {0,1}∗_{we write}_|X_| for its length and, if1≤i < j≤ |X|we writeX[i..j]for the substring running from itsith_to_jth_{characters, or the} empty stringεotherwise. For a stringXof even lengthn, we defineXLandXRto beX[1..n

2]andX[( n

2+ 1)..n], respectively. For a tuple of strings(X1, X2, . . . , Xr)we define|(X1, X2, . . . , Xr)|=|X1kX2k · · · kXr|. The set {0,1}n_{is the set of all}_{n-bit strings,}₍_{₀_,₁_}n₎r_{is the set of all}_{nr-bit strings understood as}_r_{blocks of}_{n-bits each,} and({0,1}n₎+_{is the set of all strings that are a positive number of}_{n-bit blocks in length. When}_X _∈₍_{₀_,₁_}n₎+_, we writeX1, . . . , Xb n

←Xto mean thatX is parsed intobblocks ofn-bits each. For stringsX, Y ∈({0,1}n₎+ we define the predicateCommonPFi(X, Y)to be true if and only ifXandY agree on their firstiblocks ofn-bits, i.e.Xj =Yjfor all1 ≤j ≤iwhereXj, Yj ∈ {0,1}n_{. When}_{X ⊆} ₍_{₀_,₁_}n₎+_and_M _∈ ₍_{₀_,₁_}n₎+_{, we also} definePrefixX(M)to be the function that returns the blockwise longest common prefix thatMshares with strings inX. AnadversaryAis a probabilistic algorithm that takes zero or more oracles. We often use the notationA⇒x to denote the event (defined over some specified probability space) that some algorithmAoutputs valuex.

We make use of the code-based game-playing framework of Bellare and Rogaway [5]. WhenGis a game andA an adversary, we writePr

GA_⇒_y

for the probability that theFinalizeprocedure of gameGoutputsywhen executed with adversaryA. The probability is over the coins ofGandA. When theFinalizeprocedure is trivial, returning whateverA does, we omit the procedure from the game and writePr

AG_⇒_y

for the probability thatAoutputsywhen executed with gameG. In games, all boolean flags are initialized tofalseand all arrays are initially undefined at every point.

(5)

Ablockcipheris a function familyE:K × {0,1}n _{→ {}₀_,₁_}n_{such that for all}_K_{∈ K}_{the mapping}_EK₍_·₎_∈

Perm(n). We writeBC(K, n)to mean the set of all such blockciphers, shortening toBC(k, n)whenK={0,1}k_. Atweakable blockcipher(TBC) is a function familyEe:K ×(T × {0,1}n)→ {0,1}nsuch that for everyK∈ K andT ∈ T ⊆ {0,1}∗_{the mapping}

e

EK(T,·)is a permutation over{0,1}n_{. The set}_T _{is called the}_tweakspace_of the TBC, and the elementT ∈ T is thetweak.

SECURITY NOTIONS. LetF:K × D → Rbe a function family, and letAbe an adversary taking one oracle. Then we define

Advprf_F (A) = PrhK $

← K : AFK(·)_⇒₁

i

−Prhρ $

←Func(D,R) : Aρ(·)_⇒₁i

to be the PRF advantage ofAattackingF. Here, and throughout, the probability is over the random choices of the described experiment and those of the adversary. We define

Advuf-cma_F (A) = PrhK $

← K; (M, τ) $

←AFK(·) _: _FK₍_M_{) =}_τ_∧_new_-_msgi

to be the UF-CMA advantage (or “forging” advantage) ofA. Here the eventnew-msgholds iff the stringM was never asked byAto its oracle.

LetE:{0,1}k_{× {}₀_,₁_}n _{→ {}₀_,₁_}n_{be a blockcipher, and let} e

E :{0,1}k_×₍_{T × {}₀_,₁_}n₎_{→ {}₀_,₁_}n_{be a} tweakable blockcipher. LetK $

← {0,1}k,π $

←Perm(n), andΠ $

←BC(T, n). Then we define

Advprp_E (A) = PrhAEK(·)_⇒₁

i

−PrhAπ(·)⇒1i

Advsprp_E (A) = PrhAEK(·),E−_K1(·)_⇒₁i₋_Prh_Aπ(·),π−1(·)_⇒₁i

Advgprp e

E (A) = Pr h

AEeK(·,·)_⇒₁i₋_Prh_AΠ(·,·)_⇒₁i

Advsprpg e

E (A) = Pr h

AEeK(·,·),Ee

−1

K(·,·)⇒1

i

−PrhAΠ(·,·),Π−1₍_·_,_·₎ ⇒1i

to be (respectively) the PRP, strong PRP, tweakable-PRP, and tweakable strong-PRP advantages ofA, an adversary taking the indicated number of oracles. These probabilities are over the random coins ofAand the random choices ofK,π, andΠ, as appropriate.

A function familyF:K × D → Ris-almost 2-XOR-universal (-AXU2) if for all distinctX, X0 ∈ Dand Y ∈ R,PrhK $

← K : FK(X)⊕FK(X0_{) =}_Y i _≤ _.

RESOURSES AND CONVENTIONS. We consider the following adversarial resources: the running timet, the number of oracle queries askedq, and the total length of these queriesµ. For the PRP and strong PRP notions, we suppressµ since it is implicitly computable fromqand the blocksize. In the UF-CMA advantage,µincludes the length of the output forgery attempt(M, τ). It will often be the case that queries (and forgery attempts) are strings in({0,1}n₎+ for some blocksizen > 0, and here it will be convenient to speak of the total number of blocksσ =µ/n. The running time of an adversary is relative to some (implicit) fixed underlying model of computation. Running times will always be given with respect to some security experiment, and we define the running time to include the time to execute the entire experiment. We assume that adversaries do not make pointless queries: they do not repeat queries, nor do they ask queries that are outside of the domain of oracles they may access.

2 Tweakable SPRP-security of CLRW2

The centerpiece of this work is a TBC construction that provides BBB security, admits a large tweakspace, and does not require rekeying of any underlying object. Given a blockcipherE: {0,1}k_×{₀_,₁_}n_{→ {}₀_,₁_}n_{is blockcipher,} and a hash function family H:KH× D → {0,1}n_{, the CLRW2 construction}

e

E[H, E] : (KH)2_×₍_{₀_,₁_}k₎2_× D × {0,1}n_{→ {}₀_,₁_}n_{is given by}

e

(6)

Theorem 1. Fixk, n >0and letE:{0,1}k_{× {}₀_,₁_}n_{→ {}₀_,₁_}n_{be a blockcipher. Fix a non-empty set}_KH_{, and}

letD ⊆ {0,1}∗_{. Let}_H_: _KH _{× D → {}₀_,₁_}n _{be an}_-AXU

2 function family. LetEe = Ee[H, E]be the CLRW2

construction, defined above. LetAbe an adversary asking a total ofqqueries to its oracles, running in timet. Let ˆ

= max{,1/(2n₋₂_q₎_}_{. Then there exists an adversary}_B_{using the same resources, such that}

Advsprpg e

E (A)≤2Adv sprp E (B) +

4q3_ˆ2

1−q3_ˆ2.

0 1

Securit

y

b

ound

0 20 40 60 80 100

log2q CLRW2

Birthday-Bounded TBCs

Fig. 2. The maximum advantage of an adversary makingq queries agaisnt CLRW2 (solid line) and construc-tions limited by the birthday bound,q2_/₂n _{(dashed line). Here,}_n _{= 128}_, _{= 2}−n_{, and we have assumed the} Advsprp_E (B)term is negligible.

This bound deserves some interpretation. Consider = 2−n _{(since there are efficient constructions meeting} this), and assumeq ≤2n−2_{. Then}_ˆ _≤₁_/₂n−1 _≈₂−n _{for interesting values of}_{n. Now the additive term in the} bound is at mostpwhenq≤(p/(p+ 6))1/3_ˆ−2/3_{, so for any small constant}_p_{we have}_q₌_O₍₂2n/3₎_{. Thus when} Advsprp_E (B)is sufficiently small, CLRW2 is secure as a tweakable-SPRP up to about22n/3 _queries.2 _{Figure 2} gives a graphical comparison of our bound and the standard birthday bound.

PROOF OVERVIEW. The proof of Theorem 1 is quite long and involved, so we’ll start by giving a high-level overview of it. Proofs demonstrating birthday-bound security for TBC constructions typically “give up” if the adversary can cause a collision at a blockcipher input. In constructions like LRW1 and LRW2, the TBC output is no longer random, even when the blockcipher has been replaced by a random permutation. We overcome this problem by using two rounds of LRW2, and showing that it takes two independent collisionson the same queryto force non-random CLRW2 outputs.

The chief difficulty is ensuring that the second LRW2 round can withstand a collision so long as there was not also one on the first round. To this end, we argue that given a collision-free first round, the resulting distribution of CLRW2 output values — including those whichrequirea second-round collision to obtain — is extremely close to that of an ideal TBC.

The bulk of the proof is a sequence of games bounding the success probability of an adversary in the information-theoretic setting, where the blockciphers have been replaced by random permutations. The first three games address first-round collisions, and show that the distribution of CLRW2 outputs is consistent with that of an ideal cipher unless there is simultaneous a second-round collision. Our next three games address the case in which there is no first-round collision. By swapping the order in which dependent random variables are assigned values, we can choose the output early on in the game, and gain insight into the distribution by which it is governed. This distri-bution is shown to be very close to the ideal one. The final two games are used to derive an upper bound for the probability that the adversary can set a “bad flag”, which would force the game to exhibit non-ideal behavior. In

2

We note thatAdvsprp_E (B)will be at leastt/2k_≈_q/₂k

by exhaustive key search so,q= 22n/3

(7)

the end, we are able to assume that the adversary is non-adaptive by giving it explicit control over oracle return values. At that point, the-AXU2property can be applied.

Proof. For notational simplicity, we writeh1forHh1, andh2forHh2; this should cause no confusion. The majority of the proof will consider the constructionEewithEK₁ andEK₂ replaced with random permutationsπ1andπ2, which we write asEhe ₁,h2,πi,π2. At the end we can make a standard move to lift to the fully complexity theoretic setting.

LetAbe an adversary makingqqueries. If theith_{query is to the left (encryption) oracle, we denote the query}

with(Ti, Xi)and the response withYi; if the query is to the right (decryption) oracle, the roles ofXiandYiare reversed. We denote byYithe set of permissible (tweak-respecting) return values for an encryption oracle query, and similarly,Xiis the set of permissible return values for a decryption oracle query. That is,

Yi={0,1}n\ {Yj : j < i, Tj=Ti} Xi={0,1}n\ {Xj : j < i, Tj=Ti}.

Given a setS ⊆ {0,1}n and a stringx ∈ {0,1}n we defineS⊕x = {s⊕x : s∈S}. The permutationsπ1 andπ2are constructed lazily, whileh1andh2are already defined. Initially, boolean variables have the valuefalse, integers are zero, and all other variable types are undefined (equal to⊥).

GameG1(refer to Appendix A to see the games used in this proof) simulatesEeexactly by lazily sampling val-ues forπ1andπ2. Note that there is a certain symmetry between the encryption and decryption oracles. This sym-metry arises from the fact thatEeis the dual ofEe−1, in the sense thatEe_h−1

1,h2,π1,π2(Y, T) =Eeh2,h1,π−21,π

−1 1 (Y, T). The bulk of this proof concerns showing that a sequence of games are identical, or are identical until a specified event occurs (a boolean variable is set totrue). When arguing that transitions between games are correct in this sense, we will exploit the above symmetry by limiting our discussion to changes in the encryption oracle, and hence to queries made to that oracle; the arguments used to justify the corresponding changes in the decryption oracle are practically identical. Therefore fix some valuei∈[1..q], and assume theith_{query is to the encryption}

oracle.

In GameG2, we change what happens when there is a collision at the first block cipher: we sampleYifrom the ideal distribution, but raise a bad flag if we also encounter a collision at the input of second block cipher (bad1) or if Yi is already in the defined range (bad2). See Figure??. Game G3 is identical to Game G2, ex-ceptYi is not reassigned after abad flag is set. HencePr

AG1_⇒₁

= Pr

AG2_⇒₁ ≤ Pr

AG3_⇒₁

+ Pr

AG3 _: _bad

1∨bad2.

Next we modify the section of code in GameG3that is executed when no collision occurs atπ1; i.e., when Xi⊕h1(Ti)6=Xj⊕h1(Tj)for allj < i. Note that the random variablesZandYiare dependent. In GameG3, Z is chosen beforeYi, but as long as the joint distribution as preserved we may reverse this order. The resulting game will be equivalent to GameG3. As always, the decryption oracle will be modified in a similar manner.

To describe the correct distribution forYi, partition{0,1}ninto four sets,S1,S2,S3andS4. These sets are defined with respect to an oracle query(Ti, Xi)such that no collision occurs atπ1; that is, such thatXi⊕h1(Ti)6∈ Dom(π1). (When referring toDom(·)outside of pseudocode, we refer to the set of points at which the function is defined at the instant the adversary makes itsith_{oracle call [and similarly for}_Rng₍_·₎_{]; the game currently being}

used to define the oracle should be clear from context). Fory ∈ {0,1}n, we sayyispermissiblewheny ∈ Yi, andy ispossiblewhen Pr [Yi=y] > 0, given our assumption thatXi⊕h1(Ti) 6∈ Dom(π1)and the oracles’ execution histories for the firsti−1queries.

LetS4be the set of all non-permissible values. Note that ifyis not permissible (it has been returned on a query that used tweakTi), thenyis not possible (sinceEe(Ti,·)is a permutation and queries are distinct); henceS4is a subset of the impossible values. LetS3be the set of impossible values thatarepermissible.

(8)

In summary,

S1={y : y⊕h2(Ti)6∈Rng(π2)}

S2=ny : y⊕h2(Ti)∈Rng(π2), π₂−1(y⊕h2(Ti))⊕h2(Ti)⊕h1(Ti)∈Rng(π1)o

S3=Yi\(S1∪S2)

=

y : y⊕h2(Ti)∈Rng(π2), π−21(y⊕h2(Ti))⊕h2(Ti)⊕h1(Ti)∈Rng(π1) \ Yi

S4=Yi ={Yj : j < i, Tj =Ti}.

When these sets are used in pseudocode, it is understood that they are defined at the time the oracle call is made; althoughRng(π1)(for example) may change as code executes,S2does not change until the next query. When referred to by a decryption oracle, the definitions for these sets are the same up to the previously mentioned duality.

We will now compute the probability thatYi will be in each of these sets (again, under the assumption that there is no collision at the first block cipher; i.e, thatLi =Xi⊕h1(Ti)6∈ Dom(π1)). SinceS3 andS4contain only impossible values,Pr [Yi ∈S3∪S4|Li6∈Dom(π1) ] = 0. LetN =

Rng(π1)

. Giveny ∈ S2andLi 6∈ Dom(π1),Yi=yif and only ifZ =π2−1(y⊕h2(Ti))⊕h2(Ti)⊕h2(Ti). This value is inRng(π1)by definition ofS2, and so this event happens with probability1/N. Hence,

Pr [Yi∈S2|Li6∈Dom(π1) ] =|S2|/N and Pr [Yi∈S1|Li⊕ 6∈Dom(π1) ] = (N− |S2|)/N.

Fig. 3.When there is no collision atπ1, the distribution governingE’s outputs is very close to the distributione an ideal cipher would provide. Horizontal scaling suggests plausible relative sizes of each|Sk|: likely |S1| |S2∪S4| |S3|. This graph is accurate for the oracles in Games 1–5.

Ideally,Yiwould be distributed aspTBC(y) := PrhY $

← Yi;Y =yi= 1/(2n_{− |S4}_|₎_(for_y_6∈_S4_{) and zero} otherwise. However, we have shown that if there is no collision atπ1on theith_{query, then}_Yi_{is distributed as}

plazy(y) := Pr [Yi =y|Li6∈Dom(π1) ] =

   

  

N−|S2|

N|S1| ify∈S1 1

N ify∈S2

0 ify∈S3∪S4

(9)

Although this distribution is not quite what we want, we will show that it is close enough (even against birthday-type attacks). In particular, the statistical distance

δ(plazy, pTBC) := 1 2

X

y∈{0,1}n

|plazy(y)−pTBC(y)|= max

S⊆{0,1}n

X

y∈S

(plazy(y)−pTBC(y))

will be on the order ofq2_/₂2n_{. Geometrically, this quantity corresponds to half the shaded area in Figure 3. It can} also be viewed as the area abovepTBCbut belowplazy(or the other way around).

We integrate statistical distance into the game-playing proof by exploiting the existence of a optimalcoupling distributionΓ(plazy, pTBC)(see, e.g., Lemma 11.3 of [24]). This distribution samples points from{0,1}n×{0,1}n

and has the property that when(Y, Y0) $

←Γ(plazy, pTBC):

1. For ally∈ {0,1}n_,_{Pr [}_Y ₌_y_{] =}_p_lazy(_y₎_and_{Pr [}_Y0 ₌_y_{] =}_p_TBC(_y₎ 2. Except with probabilityδ(plazy, pTBC),Y =Y0.

So in GameG4, we sample(Y, Y0₎ $

←Γ(plazy, pTBC)and returnY. But we also need to lazily sample a point

Zforπ1that is consistent with our choice. IfY ∈S2, our decision is forced. On the other hand, ifY ∈S1, we can choose any value forZ∈S0 ₌_Rng₍_π1₎_{∩ {z} _: _z_⊕_h1₍_Ti₎_⊕_h2₍_Ti₎_6∈_Dom₍_π2₎_{}. Sampling}_Z $

←S0_uniformly satisfies the need for the joint distribution on(Z, Yi)to be identical in GamesG3andG4; e.g., in GameG4, for any fixedz∈S0_:

Pr [Z=z] = Pr [Z=z|Yi∈S1] Pr [Y ∈S1] = 1

|S0_|

_N_{− |S2}_|

N

= 1

N.

(By construction,|S0_|₌_N_{− |S2}_{|.) Hence:}

Pr

AG3_;_bad

1∨bad2= PrAG4;bad1∨bad2, and PrAG3⇒1= PrAG4⇒1.

Then in GameG5, we returnY0 _{instead of}_Y _{after sampling}₍_{Y, Y}0₎ $

←Γ(plazy, pTBC). SinceY 6= Y0 only

with probabilityδ(plazy, pTBC), most of the time these two games will behave identically. We setbad3when they do not:

Pr

AG4_;_bad

1∨bad2−PrAG5; bad1∨bad2≤PrAG5;bad3,

Pr

AG4_⇒₁ −Pr

AG5_⇒₁ ≤Pr

AG5_;_bad

3.

Now that we returnY0instead ofY, the random variableY serves no direct function. So in GameG6, we forgo assigningY. Instead, we sampleYi $

← Yi, and then setbad3with probabilityδ(plazy, pTBC). Values forπ1andπ2

are chosen as before. Thus, GamesG5andG6are equivalent.

At this point,Yiis always sampled fromYi, and once assigned, its value is never changed.

In GameG7, we give the adversary control over what value is assigned toYi(orXi, in the case of decryption queries), but insist that the value be inYiorXi, as appropriate. Because the adversary can computeYiandXi, he may simulate the oracles of GameG6if desired; hence, he can set thebadflags in GameG7with probability at least as high as any adversary can set the corresponding flags in GameG6. The oracle’s outputs are now deterministic, and may be (trivially) computed by the adversary in advance. Hence, we may assume without loss of generality that the adversary is non-adaptive.

For the rest of this proof, all probabilities will be with respect to the experimentAG7_{(unless the experiment is}

explicitly stated).

LetQbe the event that for there existi,j, andk(withj, k6=i) such thatXi⊕h1(Ti) =Xj⊕h1(Tj)and Yi⊕h2(Ti) = Yk⊕h2(Tk). That is,Qindicates the ith_{query is responsible for collisions at both}_π1 _and_π2_.

Our strategy is to show thatQis extremely unlikely, since it requires two independent collisions involving a single query. Barring such a query, we can show that the probability of a bad flag being set is very small.

By definition ofQand the-AXU2property ofH,

Pr [Q]≤ q X

i=1 X

j,k6=i

(10)

Defineβj = max_A_ePrhAeG7 : badj| ¬Q i

andβj(i) = max_A_ePrhAeG7 : badjon queryi| ¬Q i

. We consider the event in the latter definition to “trigger” even if it has also triggered on an earlier query. (This definition assumesqis not so large thatPr [¬Q] = 0, but since our bound becomes vacuous before this threshold, this is not an issue.) When boundingβj(i), we will assume theith_{query is made to the encryption oracle; as before, the}

other case is symmetric.

Becausebad2can only be set if the conditions forQare met, we immediately have thatβ2≤Pr [Q]≤q32.

Note thatbad1is set on queryiif and only if there existj, k < isuch that

Xi⊕h1(Ti) =Xj⊕h1(Tj) and π1(Li)⊕h1(Ti)⊕h2(Ti) =π1(Lk)⊕h1(Tk)⊕h2(Tk),

where we remind the reader thatLi=Xi⊕h1(Ti). Our goal now is to bound

β1(i) = Pr [∃k < i : π1(Li)⊕π1(Lk) =R(i, k)| ∃j < i : Li=Lj∧ ¬Q]·Pr [∃j < i : Li=Lj | ¬Q],

where for brevity we introduceR(i, k) =h1(Ti)⊕h2(Ti)⊕h1(Tk)⊕h2(Tk).

Because queries are unique andEe(Ti,·)is a permutation,Li =Lj is only possible ifTi 6=Tj, bringing the -AXU2property into scope. Hence

Pr [∃j < i : Li=Lj | ¬Q] = Pr [∃j < i : Li=Lj∧ ¬Q] Pr [¬Q]

≤Pr [∃j < i : Li=Lj]

1−q32 ≤

q

1−q32.

We now wish to boundPr [∃k < i : π1(Li)⊕π1(Lk) =R(i, k)| ∃j < i : Li=Lj∧ ¬Q](the other factor in our bound forβ1(i)), so assume that there is somej < isuch thatLi=Ljand that¬Q.

Fixk∈[1..i−1]. Consider the case thatLi=Lk. Thenπ1(Li) =R(i, k)is equivalent toh1(Ti)⊕h1(Tk) =

h2(Ti)⊕h2(Tk). Because queries must respect per-tweak permutivity,Ti 6=Tk; hence by the-AXU2 property ofH, in this caseβ1(i)≤.

On the other hand, ifLi 6=Lk, we will trace the execution history of the game backwards to when the values eventually assigned toπ1(Li)andπ1(Lk)become determined. Define root(x) = min{m : Lx=Lm}. Leti0 ₌ root(i), and letk0 ₌_root₍_k₎_{. Since}_Li ₌_Lj_{for some}_{j < i, it follows that}_i0 _{< i. Therefore, by our assumption} thatQdoes not occur, there is no` 6= i0 _{such that}_Y`_⊕_h2₍_T`_{) =} _Yi₀_⊕_h2₍_Ti₀₎_{. Hence on query}_i0_,_π1₍_Li₎_is sampled from a set of size at least2n₋₂_{q; this sampling occurs indirectly through the random variable}_{Z, itself} sampled either on Line 813 or 836, depending on which oracle receives queryi0.

Now we compute when the value of π1(Lk) = π1(Lk0) is determined. If there is no ` < k0 such that

Y`⊕h2(T`) =Yk0⊕h2(Tk0), thenπ1(Lk0)is likewise sampled indirectly from a set of size at least2n−2q.

How-ever, if such an`exists, thenπ1(Lk) =π−21(Yk0 ⊕h2(Tk0))⊕h2(Tk0)⊕h1(Tk0), and we are forced to backtrack

further to whenπ2−1(Y`⊕h2(T`)) =π2−1(Yk0⊕h2(Tk0))was defined. Fortunately, our assumption that the

condi-tions forQare not met saves us from having to backtrack far. Let`0 _{= min}_{m _: _Y`_⊕_h2₍_T`_{) =}_Ym_⊕_h2₍_Tm₎_}. Then¬Qimplies`0 ₌_root₍_`0₎_{. Hence on query}_`0_,_π−1

2 (Y`0 ⊕h2(T`0)) =π₂−1(Y`⊕h2(T`))is sampled, through

Z, from a set of size at least2n₋₂_{q. In the first of these two cases, let}_r ₌_k0_{; in the second, let}_r ₌_`0_{. After} queryrcompletes, the value which will be assigned toπ1(Lk)is deterministic.

Suppose without loss of generality thati0_{> r. Then}_π1₍_Li_{) =}_π1₍_Lk₎_⊕_R₍_{i, k}₎_{only if on query}_i0_,_π1₍_Li_{) =} π1(Li0)is assigned the unique value that makes the former equation true; this happens with probability at most

1/(2n₋₂_q₎_.

Letˆ= max(,1/(2n₋₂_q₎₎_{. Then}_{Pr [}_π1₍_Li₎_⊕_π1₍_Lk_{) =}_R₍_{i, k}₎_{| ∃j < i} _: _Li₌_Lj_{∧ ¬Q}_]_≤_ˆ_{. We have}

β1≤ q X

i=1

β1(i)≤ q X

i=1 i−1 X

k=1 qˆ2

1−q3_ˆ< q3_ˆ2

(11)

Our final task is to boundPr [bad3] =δ(plazy, pTBC). Forj= 1,2,3, define∆j=Py∈Sj(plazy(y)−pTBC(y)).

Since for anyy, y0 _∈_Sj,_p_lazy(_y_{) =}_p_lazy(_y0₎_(and_p

TBCis constant in these sets), we have:

β3(i) =δ(plazy, pTBC) = 1

2(|∆1|+|∆2|+|∆3|).

The law of total probability tells us that∆1+∆2+∆3 = 0, and by construction ofS3,∆3 ≤0. Further, since π₂−1(S4)⊕h2(Ti)⊕h1(Ti)⊆Rng(π1), we have that fory∈S2:plazy(y)−pTBC(y) = 1/N−1/(2n_−|S4_|₎_≥₀_. That is,∆2≥0.

We therefore are left with two possibilities: either∆1≤0(in which caseδ(plazy, pTBC) =∆2), or∆1>0(in

which caseδ(plazy, pTBC) =−∆3). Hence,δ(plazy, pTBC)≤max(∆2,−∆3).

The quantity∆2can be bounded as follows:

∆2=|S2| ₁

N −

1 2n_{− |S4|}

≤ q

N(2n_{− |S4|}₎(2

n_{− |S4}_{| −}_N₎

≤ q

N(2n₋_q₎(2

n₋_N₎_≤ q N(2n₋_q₎(2

n₋₍₂n₋_q₎₎

= q

2

(2n₋_q₎2.

It remains to bound−∆3= PrhY $

← Yi; Y ∈S3i. Note thatY ∈S3only if there existsj, k < isuch that Xj⊕h1(Tj) = Xi⊕h1(Ti)andYk⊕h2(Tk) = Y ⊕h1(Ti).We appeal to the-AXU2property as before to argue that the probability of suchjandkexisting is at most(q)2_.

In both cases, then,β3(i) =δ(plazy, pTBC)≤q2ˆ2. (Recall thatˆ= max{,1/(2n−2q)}.) Thereforeβ3 ≤

q3_ˆ2_{. By the fundamental lemma of game playing,}

PrhAEeh1,h2,π1,π2(·,·),Ee_h−1

1,h2,π1,π2(·,·)⇒1 i

= Pr

AG1_⇒₁

≤Pr

AG3_⇒₁

+ Pr

AG3 _: _bad

1∨bad2

≤Pr

AG6_⇒₁

+ Pr

AG6 _: _bad

1∨bad2+ 2 PrAG6 : bad3

≤Pr

AG6_⇒₁

+ Pr

AG7 _: _bad

1∨bad2+ 2 PrAG7 : bad3

≤Pr

AG6_⇒₁

+β1+ Pr [Q] + 2β3

≤PrhAΠ(·,·),Π−1₍_·_,_·₎

⇒1i+ 4q

3_ˆ2

1−q3_ˆ2.

Thus by a standard argument, there exists aBsuch that

Advsprpg e

E (A)≤2Adv sprp E (B) +

4q3_ˆ2

1−q3_ˆ2.

This completes the proof.

A NOTE ON AN ERROR IN A PREVIOUS VERSION. The original version of this paper attempted to, in effect, constructΓ(plazy, pTBC)explicitly — but failed to do so correctly: we erroneously made a tacit assumption that

∆1 ≥ 0. We thank Gordon Procter for bringing this mistake to our attention. Procter also helpfully provided a suggested patch [28], which uses anif/elseclause in the game-playing proof to address the two cases∆1≥0and ∆1<0separately. We believe Procter’s solution succeeds in fixing the problem. Ultimately, however, we decided to use a coupling distribution to abstract the details of transitioning fromplazytopTBC. This simplifies some of the

arguments, but admittedly sacrifices some of the explicitness present in Procter’s proof.

ATTACKS ON SIMPLER VARIANTS. Having seen our construction, one wonder if simpler variants work. For ex-ample, consider CLRW2 without the firstHh2(T)XOR operation, leaving

e

(12)

This variation permits birthday-bound attack. Namely, an adversary could submit queries in pairs,(Ti, X0₎_and

(Ti, X00₎_{, where}_X0_and_X00_{are fixed, and a new random tweak is used for each pair. By remembering the values}

e

E(Ti, X0)⊕Ee(Ti, X00), which are independent ofHh₂, it could detect collisions in Hh₁, say by using a hash table. That is, ifHh1(Ti) =Hh1(Tj), thenEe(Ti, X

0₎_⊕ e

E(Ti, X00_{) =} e

E(Tj, X0₎_⊕ e

E(Tj, X00₎_{. The converse is} false, but false positives could be weeded out by testing a small number ofX-values. Such an adversary would gain advantage close to one. Similar variations onEe permit analogous attacks, though we believe (but do not prove) that omitting the secondHh1(T)XOR operation yields a construction secure against adversaries constrained to chosen-plaintext attacks.

One might also wish to try settingK2 = K1. While we know of no attacks here, modifying our proof to accomodate this change would be non-trivial. In particular, boundingβ1required us to trace back through a game’s execution history to determine whenπ1became defined at particular points; this task would be messier and more difficult to verify ifπ2=π1. Still, this may merit future investigation.

3 PRF-security of TBC-MAC

THE TBC-MAC FUNCTION FAMILY. Fixk, n > 0 and let Ee: {0,1}k × {0,1}n × {0,1}n → {0,1}n be a tweakable blockcipher. We define the TBC-MAC function familyTBCMAC[Ee] :{0,1}k×({0,1}n)+→ {0,1}n as follows. On inputK ∈ {0,1}k _and_M _∈ ₍_{₀_,₁_}n₎+_{, let}_TBCMAC_[

e

E]K(T, M) = Tb where T0 = 0n; let M1,· · ·, Mb n

←M, andTi ← EKe (Ti−1, Mi)for i ∈ {1, . . . , b}. To extend the domain to {0,1}∗, one could introduce an explicit, unambiguous padding rule mapping{0,1}∗ _→ ₍_{₀_,₁_}n₎+_{, say mapping}_M _7→ _M _k₁₀r wherer is the smallest integer needed to reach a block boundary. But for simplicity we assume that all strings input toTBCMAC[Ee]are block-aligned. We extend this assumption by writingTBCMACpf for the TBC-MAC construction restricted to prefix-free encoded, block-aligned inputs.

BUILDING FROM A“NARROW”TWEAKSIZETBC. Our first result in this section is a natural one. We prove that TBC-MAC is a secure PRF if the underlying TBCE, withe n-bit tweaks and blocksize, is secure as a tweakable-PRP. One might hope that the security bound forTBCMAC[Ee]is better than for CBC-MAC over ann-bit blockci-pher, since the former is intuitively a “stronger” object than the latter. This is not the case. This is because theIV is fixed; thus an adversary can ask a series of distinct one-block messages and wait for a collision. Considering the information-theoretic setting, the fixedIV effectively reduces the ideal cipher to a random permutation in the first round, and so the standard PRP-PRF distinguishing attack forces us to accept birthday-bound security. The follow-ing theorem closely follows the code-based game-playfollow-ing proof of CBC-MAC due to Bellare and Rogaway [5]. We note that a tighter bound could be achieved (with more work) following the techniques of Bellare et al. [4]. The proof appears in Appendix B .

Theorem 2. (TBCMACis a PRF.)Fixn >0. LetEe:{0,1}n×({0,1}n× {0,1}n)→ {0,1}nbe a tweakable

blockcipher. LetAbe an adversary running in timet, askingqqueries, each of length at most`blocks ofn-bits. Then

Advprf

TBCMAC[E]e

(A)≤Advgprp e

E (B) +

(q`)2

2n

for an adversaryBthat runs in timet0 ₌_t₊_O₍_`q₎_{and asks at most}_q0 ₌_q`_queries.

BUILDING FROM A“WIDE”TWEAKSIZETBC. The LRW2 and CLRW2 constructions each give TBC that can handle tweaks that are potentially much larger than the blocksize. So we now consider the security of a nonce-based version of TBC-MAC based upon such a TBC. In particular, fixk, n, b >0and letEe: {0,1}k×({0,1}n+b+1× {0,1}n₎_{→ {}₀_,₁_}n_{be a tweakable blockcipher with tweaksize}_n₊_b_{+ 1}_{bits and blocksize}_n_{bits. For an}_`-block messageM1, . . . , M`where` >1, nonceN ∈ {0,1}b_{, and a fixed}_T0 ₌_IV_{, define}_TBCMAC2_[

e

E]K(N, M)as T`=EKe (T`−1k1kN, M`)where fori= 1to`−1,Ti=EKe (Ti−1k0k0b, Mi). We say that a PRF-adversaryA isnonce-respecting(forTBCMAC2) if it never repeats a nonce. Themultiplicityαof a nonceNis the number of times it is used in an attack, e.g.α= 1for every nonce if the attack is nonce-respecting.

Theorem 3. (TBCMAC2is a PRF.)Fixn >0andb≥0. LetEe:{0,1}n×({0,1}n+b+1× {0,1}n)→ {0,1}n

(13)

asksqqueries for the form(N, M)where the length ofM is at most`blocks. Assume that there arerdistinct values ofNamong these queries, and letα1, . . . , αrdenote the multiplicities of these. Then

Advprf

TBCMAC2[E]e

(A)≤Advprpg e

E (B) +

1 2n+1

r X

i=1

αi(αi−1)

!

+

r X

i=1 _αi

2

₍₂_`_{+ 1)(2}_`₎

2n

whereB runs in timet0 ₌ _t₊_O₍_q`₎_{and asks at most}_q0 ₌ _q`_{queries. Specifically, if}_A_{is nonce-respecting,} Advprf

TBCMAC2[E]e

(A)≤Advgprp e

E (B).

Proof. The second claim follows immediately from the first, sinceαi = 1for alliifAis nonce-respecting. So we prove the first claim.

We omit proof of the standard switch from the complexity-theoretic to the information-theoretic setting, wherein adversaryB simulates the PRF experiment forTBCMAC2overEKe orΠ, depending upon its own oracle. The remainder of the proof is the core technical piece, which proceeds by a sequence of code-based games.

For ease of notation, we writeTBCMAC2[Π]instead ofTBCMAC2[BC(n+b+1, n)]Πwith the understanding thatΠis a uniform element fromBC(n+b+1, n). Also, in the psuedocode we useDom(Π(T,·))to denote the set of domain points under the (lazily sampled) random permutationΠ(T,·)that have been assigned a corresponding range value. Likewise, the setRng(Π(T,·))denotes the set of stings in{0,1}n_{that have not yet been associated} to any domain point underΠ(T,·). Games are shown in Figure 4.

GameG0faithfully simulatesTBCMAC2[Π], using lazy sampling to establish the randomΠ. GameG1does likewise, but always returns a uniform random string. Lettingbad = bad1 ∨bad2, we see that these games are identical-until-bad, so Pr

AG0⇒1 −Pr

AG1⇒1

≤ Pr

AG1setsbad

. Since G1 returns a ran-dom string no matter what the value of bad, we drop unneccessary instructions and move to game G2 with

Pr

AG1_sets_bad

= Pr

AG2_sets_bad ≤ Pr

AG2_sets_bad

1+ PrAG2setsbad2. It is easy to see that the first summand is at most(1/2n+1₎Pr

i=1(αi)(αi−1)by a union bound. GameG3is the same asG2with the setting ofbad1removed. Thus we havePrAG1setsbad≤(1/2n+1)(Pri=1αi(αi−1))+Pr

AG3_sets_bad 2. The setting ofbad2is more complicated to analyze, because the adversary controlsMbsandNs. We see that

bad2is set only if for some1≤r < s≤qwe haveTbrr−1=T

s

bs−1andN

r₌_Ns_{. Notice that in terms of setting}

bad2the particular value assigned toΠ(Tbss−1kN

s_{, M}s

bs)is irrelevant. It only matters that the domain point has

been previously assigned a value. Moreover, these values are never used in the for-loop (becauseNs _{= 1}_k_N). So the adversary could itself have selected up front the valuesTs

bs to be returned and, also up front, picked theq

pairs(N,M)that optimize the chance ofbad2. So inG4we no longer sampleTs

bs, and no longer return any value;

we simply mark domain points asdefined. ThusPr

AG3_sets_bad

2 ≤ PrAG4setsbad2. Fix the optimal set of (N,M)for settingbad2 inG4. Finally in game G5 we delay the setting ofbad2 until the end, exchange the procedureF for a for-loop over the fixed nonce-message pairs, and sample the entire ideal cipher Π at the beginning instead of using lazy sampling. We note thatG5setsbad2at least as often as doesG4, since the latter only requires a tweak collision. HencePr

AG4_sets_bad

2≤Pr [G5setsbad2].

OnceΠ is fixed, the order in which the(Ni,Mi),i ∈[s], are put through the for-loop does not matter, so we assume that they are ordered lexicographically by their first component. Thus we can think of the messages as being processed in groups “named” by their common nonce value. By assumption, there arersuch groups with sizesα1, . . . , αr, respectively. LetColl1, . . . ,Collrbe the events thatbad2is set by members of the corresponding groups. Then we havePr [G5setsbad2]≤Pr_i=1Pr [ColliinG5 ]. Collecting up results we have

Pr

AG1_sets_bad

≤(2/2n₎ r X

i=1

αi(αi−1) +

r X

i=1

Pr [ColliinG5 ] .

(14)

such pairs of messages we obtain

Pr

AG1setsbad

≤(2/2n₎ r X

i=1

αi(αi−1) +

r X i=1 _αi 2

(2`+ 1)(2`)/2n

and our proof is complete.

Games G0, G1 procedureF(N, M): s←s+ 1

Ns←1kN Ms

1, . . . , Mbss

n

←Ms_←_M

T0s←IV

fori= 1tobs−1do

ifMis∈Dom(Π(Tis−1k0,·))then Tis←Π(Tis−1k0, Mis)

else Tis

$

←Rng(Π(Tis−1k0,·)) Π(Tis−1k0, M

s i)←T

s i

τs_←_Ts bs

$ ← {0,1}n

ifTs

bs∈Rng(Π(T s bs−1kN

s_,_·₎₎

then

bad1←true ;Tbss

$

←Rng(Π(Ts bs−1kN

s_,_·₎₎

ifMs

bs∈Dom(Π(T s bs−1kN

s_,_·₎₎_then

bad2←true ;Tbss ←Π(T s bs−1kN

s_{, M}s bs)

Π(Ts bs−1kN

s_{, M}s bs)←T

s bs

ifbad1∨bad2thenReturnTbss

Returnτs

Games G2,G3 procedureF(N, M): s←s+ 1

Ns←1kN Ms

1, . . . , Mbss

n

←Ms_←_M

T0s←IV

fori= 1tobs−1do

ifMis∈Dom(Π(Tis−1k0,·))then Tis←Π(Tis−1k0, Mis)

else Tis

$

←Rng(Π(Tis−1k0,·)) Π(Tis−1k0, M

s i)←T

s i

Ts bs

$ ← {0,1}n

ifTs

bs∈Rng(Π(T s bs−1kN

s_,_·₎₎_then_bad

1←true ifMs

bs∈Dom(Π(T s bs−1kN

s_,_·₎₎_then_bad

2 ←true Π(Ts

bs−1kN s_{, M}s

bs)←T s bs

ReturnTs bs

GameG4

procedureF(N,M): s←s+ 1

Ns←1kN Ms1, . . . ,M

s bs

n ←Ms

Ts

0 ←IV

fori= 1tobs−1do

ifMsi ∈Dom(Π(Tis−1k0,·))then Ts

i ←Π(Tis−1k0,Msi)

else Tis

$

←Rng(Π(Tis−1k0,·)) Π(Tis−1k0,Msi)←Tis

ifU[Tbss−1kN

s

,Msbs] =definedthenbad2←true U[Tbss−1kN

s

,Msbs]←defined

GameG5

Π←$ BC(n+b+ 1, n) fors= 1toqdo

Ns←1kN Ms1, . . . ,Msbs

n ←Ms

T0s←IV

fori= 1tobs−1do

Tis←Π(Tis−1k0,Msi)

if(∃r6=s)((Tbsr−1kN

r

) = (Tbss−1kN

s

)) thenbad2←true

(15)

4 Unforgeability-Preservation of TBC-MAC

TBC-MAC preserves the unforgeability of its underlying TBC when the TBC-MAC inputs are prefix-free. Since, qualitatively, this amounts to a new application of an existing result by Maurer and Sj¨odin [22], we defer our proof to Appendix D .

Theorem 4. (TBCMACpfpreserves UF-CMA.)Fixk, n >0, and letEe:{0,1}k× {0,1}n× {0,1}n→ {0,1}n

be a TBC. LetAbe an adversary forTBCMACpf[Ee]that runs in timet, asksqqueries, these totalingσblocks of n-bits in length. Then there exist adversariesBandCsuch that

Advuf_TBCMAC-cma pf_[_E]_e(A)≤

σ(σ−1)

2 Adv

uf-cma

e

E (B) +Adv uf-cma

e

E (C)

whereBruns in timetB ≤t, asksqB ≤σqueries totallingσB ≤2σblocks; and whereCruns in timetC =t, asksqC=σqueries totallingσC = 2σblocks.

However, if adversaries may mount an attack using non-prefix-free inputs, it is possible to forge TBC-MAC.3 The following lemma says that there exists a TBCFe,shown in Figure 12, that is unforgeable if some underlying TBCEeis. Liskov et al. [21] provide a TBCEewith the required signature.

Lemma 1. Let Ee : {0,1}k × {0,1}3n × {0,1}n → {0,1}n be a tweakable blockcipher. LetFe : {0,1}k × {0,1}2n_{× {}₀_,₁_}2n_{→ {}₀_,₁_}2n_{be a tweakable blockcipher defined by}

e

FK(TLkTR, XLkXR) =XL⊕TRkEKe (XLkTLkTR, XR).

ThenAdvuf-cma

e

F (A)≤Adv uf-cma

e

E (B)where the resources of adversariesAandBare the same.

Proof. Feis a tweakable blockcipher because, given the tweakT and keyK, one can invertFKe (T, X) = Y by evaluatingX=YL⊕TRkEe_K−1(YL⊕TRkTLkTR, YR). ThereforeFKe (T,·)is a permutation for every tweakT. Now, letBbe a forging adversary forEethat runs as follows. AdversaryB runsA, responding toA’s queries by using its own oracle forE. Whene Aoutputs its forgery((T∗, X∗), Y∗), letBoutput(X_L∗kT_L∗kT_R∗, X_R∗, Y_R∗) as its own forgery.

IfA’s forgery is valid, it must be the case that

Y∗₌ e

FK(T∗_{, X}∗₎

=X∗

L⊕TR∗kEKe (X_L∗kT_L∗kT_R∗, X_R∗)

henceYR∗=EKe (X_L∗kT_L∗kT_R∗, X_R∗)

It must also be the case thatA’s final query(T∗_{, X}∗₎_{be a new query. This implies that}₍_X∗

LkTL∗kTR∗, XR∗)is a new query as well, as we have only rearranged the forgery’sn-bit blocks. Clearly, then,Bsuccessfully forges whenever Adoes. Furthermore,B makes the same number of queries asAdoes. Therefore, ifAruns in timetmakingq queries totallingσblocks,Advuf-cma

e

F (A)≤Adv uf-cma

e

E (B), where the resources ofBaret

0 ₌_t,_q0 ₌_q_queries, these totallingσ0₌_σ_{blocks. This is due to the fact that each of}_A’s_q_{queries contain a}₂_{n-bit tweak and a}₂_n-bit message (a total of4nbits per query), and each ofB’sqqueries contain a3n-bit tweak and ann-bit message (also

totalling4nbits per query).

We now show that TBC-MAC instantiated withFeadmits efficient forging attacks if arbitrary inputs are allowed.

Theorem 5. (TBCMACis not UF-CMA preserving.) LetEebe a tweakable blockcipher and letFebe as defined in

Lemma 1. Then there exists an adversaryAthat asksq= 2queries totallingσ = 12blocks ofn-bits such that

Advuf_TBCMAC-cma

[F]e(A) = 1.

Proof. Consider the adversaryAthat queriesY1_←_TBCMAC_[ e

F]K(02nk02n), and then forges withX∗ = 02n andY∗_{= 0}n_k_Y1

L. The forgery is valid; we leave the confirmation of this fact to the interested reader.

3

We note that Bellare and Ristenpart [3] have already shown that the Merkle-Damg˚ard iteration is not unforgeability preserv-ing for arbitrary inputs. However, their counterexample does not suffice here, because the compression function they build is

(16)

References

1. J. An and M. Bellare. Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions.

Advances in Cryptology – CRYPTO 1999,LNCS vol. 1666, Springer, pp. 252–269, 1999.

2. M. Bellare, O. Goldreich and H. Krawczyk. Stateless evaluation of pseudorandom functions: Security beyond the birthday barrier.Advances in Cryptology – CRYPTO 1999, LNCS vol. 1666, Springer, pp. 270-287

3. M. Bellare and T. Ristenpart. Hash functions in the dedicated-key setting: Design choices and MPP transforms. Interna-tional Colloquium on Automata, Languages, and Programming – ICALP 2007, LNCS vol. 4596, Springer, pp. 399–410, 2007.

4. M. Bellare, K. Pietrzak, P. Rogaway. Improved security analyses for CBC MACs. Advances in Cryptology – CRYPTO 2005, LNCS vol. 3621, Spring, pp. 527–541, 2005.

5. M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs.

Advances in Cryptology – EUROCRYPT 2006, LNCS vol. 4004, Springer, pp. 409–426, 2006.

6. J. Black and M. Cochran. MAC Reforgability.Fast Software Encryption – FSE 2009, LNCS vol. 5665, Springer, pp. 345– 362, 2009.

7. J. Black, P. Rogaway, T. Shrimpton and M. Stam. An analysis of the blockcipher-based hash functions from PGV.Journal of Cryptology, vol. 23, no. 4, pp. 320–325, Springer, 2010.

8. D. Chakraborty and P. Sarkar. A new mode of encryption providing a tweakable strong pseudo-random permutation.Fast Software Encryption – FSE 2006, LNCS vol. 4047, Springer, pp. 293-309, 2006

9. J-S. Coron, Y. Dodis, A. Mandal and Y. Seurin. A Domain Extender for the Ideal Cipher.Theory of Cryptography – TCC 2010, LNCS vol. 5978, Springer, pp. 273-289, 2010.

10. P. Crowley. Mercy: A Fast Large Block Cipher for Disk Sector Encryption.Fast Software Encryption – FSE 2000, LNCS 19787, pp. 49-63, 2000.

11. I. Damg˚ard. A design principle for hash functions. Advances in Cryptology – CRYPTO 1989, LNCS vol. 435, Springer, pp. 416–427, 1989.

12. Y. Dodis, K. Pietrzak and P. Puniya. A new mode of operation for block ciphers and length-preserving MACs. Advances in Cryptology – EUROCRYPT 2008, LNCS vol. 4965, Springer, pp. 198–219, 2008.

13. Y. Dodis and J. Steinberger. Message authentication codes from unpredictable block ciphers. Advances in Cryptology – CRYPTO 2009, LNCS vol. 5677, Springer, pp. 267–285, 2009.

14. S. Halevi and P. Rogaway. A tweakable cnciphering mode. Advances in Cryptology – CRYPTO 2003, LNCS vol. 2729, Springer, pp. 482–499, 2003.

15. S. Halevi and P. Rogaway. A parallelizable enciphering mode. Topics in Cryptology – CT-RSA 2004, LNCS vol. 2964, Springer, pp. 292–304, 2004.

16. S. Halevi. Invertible Universal Hashing and the TET Encryption Mode.Advances in Cryptology – CRYPTO 2007, LNCS vol. 4622, Springer, pp. 412-429, 2007.

17. D. Goldenberg, S. Hohenberger, M. Liskov, E.C. Schwartz and H. Seyalioglu. On Tweaking Luby-Rackoff Blockciphers.

Advances in Cryptologoy – ASIACRYPT 2007, LNCS vol. 4833, Springer, pp. 342–356, 2007

18. J. Garay, V. Kolesnikov and R. McLellan. MAC precomputation with applications to secure memory. 12th Information Security Conference – ISC 2009, LNCS vol. 5735, Springer, pp. 427–442, 2009.

19. E. Jaulmes, A. Joux and F. Valette. On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction.Fast Software Encryption –FSE 2002, LNCS vol. 2365, Springer, pp. 237–251, 2002.

20. T. Krovetz and P. Rogaway. The Software Performance of Authenticated-Encryption Modes. Fast Software Encryption – FSE 2011, LNCS vol. 6733, Springer, pp. 306–327, 2011.

21. M. Liskov, R. Rivest and D. Wagner, Tweakable block ciphers.Advances in Cryptology – CRYPTO 2002, LNCS vol. 2442, Springer, pp. 31–46, 2002.

22. U. Maurer and J. Sj¨odin. Single-key AIL-MACs from any FIL-MAC.International Colloquium on Automata, Languages, and Programming – ICALP 2005,LNCS vol. 3580, Springer, pp. 472–484, 2005.

23. R. Merkle. One way hash functions and DES.Advances in Cryptology – CRYPTO ’89, LNCS vol. 435, Springer, pp. 428– 446, 1989.

24. M. Mitzenmacher and E. Upfal. Probability and Computing: Randomized Algorithms and Probablistic Analysis. Cam-bridge University Press, 2005.

25. K. Minematsu. Beyond-birthday-bound security based on tweakable block cipher.Fast Software Encryption – FSE 2009, LNCS vol. 5665, Springer, pp. 308–326, 2009.

26. K. Minematsu. How to Thwart Birthday Attacks against MACs via Small Randomness. Fast Software Encryption – FSE 2010, LNCS vol. 6147, Springer, pp. 230–249, 2010.

27. B. Preneel, R. Govaerts and J. Vandewalle. Hash functions based on block ciphers: A synthetic approach. Advances in Cryptology – CRYPTO 1993, LNCS vol. 773, Springer, pp. 368–378, 1993.

(17)

29. P. Rogaway, M. Bellare, J. Black and T. Krovetz. OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption.ACM Conference on Computer and Communication Security – CCS 2001, ACM Press, pp. 196-205, 2001. 30. P. Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC Advances in

Cryptology – ASIACRYPT 2004, LNCS vol. 3329, Springer, pp. 13–31, 2004.

31. R. Schroeppel. The hasty pudding cipher. NIST AES proposal, available at http://www.cs.arizona.edu/∼rcs/hpc, 1998.

32. M. Bellare, T. Kohno, S. Lucks, N. Ferguson, B. Schneier, D. Whiting, J. Callas and J. Walker. Provable Security Support for the Skein Hash Family.http://www.skein-hash.info/sites/default/files/skein-proofs.pdf 33. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. Internet RFC 4346, 2006.

34. P. Wang, D. Feng and W. Wu. HCTS: A varible-input-length enciphering mode. Information Security an Cryptology – CISC 2005, LNCS vol. 3822, Springer, pp. 175-188, 2005.

35. K. Yasuda. The Sum of CBC MACs Is a Secure PRFTopics in Cryptology – CT-RSA 2010, LNCS vol. 5985, pp. 366–381, 2010.

36. K. Yasuda. A New Variant of PMAC: Beyond the Birthday Bound Advances in Cryptology – CRYPTO 2011, LNCS vol. 6841, pp. 596–607, 2011.

37. L. Zhang, W. Wu, P. Wang, L. Zhang, S. Wu and B. Liang. Constructing rate-1 MACs from related-key unpredictable block ciphers: PGV model revisted.Fast Software Encryption – FSE 2010, LNCS vol. 6147, Springer, pp. 250–269, 2010.

A

Games for Theorem 1

This appendix contains the games used in the proof of Theorem 1.

GAMEG1

100 ProcedureEe(T, X):

101 i←i+ 1;Xi←X;Ti←T

102 Li←Xi⊕h1(Ti)

103 ifLi∈Dom(π1)then

104 Mi←π1(Li)⊕h1(Ti)⊕h2(Ti)

105 ifMi∈Dom(π2)then

106 Yi←π2(Mi)⊕h2(Ti)

107 else

108 Yi←$ Rng(π2)⊕h2(Ti)

109 π2(Mi)←Yi⊕h2(Ti)

110 else

111 Z←$ Rng(π1);π1(Li)←Z

115 else

116 Yi←$ Rng(π2)⊕h2(Ti)

118 returnYi

119 ProcedureEe−1(T, Y):

120 i←i+ 1;Yi←Y;Ti←T

121 Ni←Yi⊕h2(Ti)

122 ifNi∈Rng(π2)then

123 Mi←π−21(Ni)⊕h2(Ti)⊕h1(Ti)

124 ifMi∈Rng(π1)then

125 Xi←π−11(Mi)⊕h1(Ti)

126 else

127 Xi←$ Dom(π1)⊕h1(Ti)

128 π1−1(Mi)←Xi⊕h1(Ti)

129 else

130 Z←$ Dom(π2);π−21(Ni)←Z

131 Mi←π−21(Ni)⊕h2(Ti)⊕h1(Ti)

133 Xi←π−11(Mi)⊕h1(Ti)

134 else

135 Xi←$ Dom(π1)⊕h1(Ti)

136 π−1

1 (Mi)←Xi⊕h1(Ti)

137 returnXi

(18)

GAMES G2 ,G3

305 Yi← Y$ i

307 bad1←true

309 else

310 ifYi⊕h2(Ti)∈Rng(π2)then

311 bad2 ←true

312 Yi

$

←Rng(π2)⊕h2(Ti)

314 else

315 Z $

←Rng(π1);π1(Li)←Z

319 else

320 Yi←$ Rng(π2)⊕h2(Ti)

322 returnYi

323 ProcedureEe−1(T, Y):

324 i←i+ 1;Yi←Y;Ti←T

327 Mi←π−21(Ni)⊕h2(Ti)⊕h1(Ti)

328 Xi← X$ i

330 bad1←true

331 Xi←π−11(Mi)⊕h1(Ti)

332 else

333 ifXi⊕h1(Ti)∈Dom(π1)then

334 bad2←true

335 Xi←$ Dom(π1)⊕h1(Ti)

336 π−1

1 (Mi)←Xi⊕h1(Ti)

337 else

338 Z←$ Dom(π2);π−21(Ni)←Z

339 Mi←π−21(Ni)⊕h2(Ti)⊕h1(Ti)

340 ifMi∈Rng(π1) then

341 Xi←π−11(Mi)⊕h1(Ti)

342 else

343 Xi

$

←Dom(π1)⊕h1(Ti)

344 π₁−1(Mi)←Xi⊕h1(Ti)

345 returnXi

GAMES G4 ,G5

505 Yi← Y$ i

507 bad1←true 508 else

509 ifYi⊕h2(Ti)∈Rng(π2)thenbad2←true 510 π2(Mi)←Yi⊕h2(Ti)

511 else 512 (Y, Y0) $

←Γ(plazy, pTBC)

513 ifY 6=Y0then 514 bad3←true 515 Yi←Y0; Yi←Y

516 ifYi∈S2then

517 Z←π−21(Yi⊕h2(Ti))⊕h2(Ti)⊕h1(Ti)

518 else ifYi∈S1

519 Z←$ Rng(π1)\(Dom(π2)⊕h2(Ti)⊕h1(Ti))

520 π2(Z⊕h1(Ti)⊕h2(Ti))←Yi⊕h2(Ti)

521 π1(Li)←Z

523 returnYi

524 ProcedureEe

−1₍_{T, Y}₎ : 525 i←i+ 1;Yi←Y;Ti←T

528 Mi←π−21(Ni)⊕h2(Ti)⊕h1(Ti)

529 Xi← X$ i

531 bad1←true 532 else

533 ifXi⊕h1(Ti)∈Dom(π1)thenbad2←true 534 π₁−1(Mi)←Xi⊕h1(Ti)

535 else 536 (X, X0) $

←Γ(plazy, pTBC)

537 ifX6=X0then 538 bad3←true

539 Xi←X0; Xi←X

540 ifXi∈S2then

541 Z←π1(Xi⊕h1(Ti))⊕h1(Ti)⊕h2(Ti)

542 else ifXi∈S1

543 Z←$ Dom(π2)\(Rng(π1)⊕h1(Ti)⊕h2(Ti))

544 π₁−1(Z⊕h2(Ti)⊕h1(Ti))←Xi⊕h1(Ti)

545 π₂−1(Ni)←Z

546 Mi←π−21(Ni)⊕h2(Ti)⊕h1(Ti)

547 returnXi

Fig. 6.In GameG4, we use a couplingΓ to sample random variables from the distribution of GameG3(plazy) and the