XHX - A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing

(1)

Tweakable Block Ciphers from Classical Block

Ciphers and Universal Hashing

Ashwin Jha1_{, Eik List}2_{, Kazuhiko Minematsu}3_, Sweta Mishra4_{, and Mridul Nandi}1

1 _{Indian Statistical Institute, Kolkata, India.}_{{ashwin_r, mridul}@isical.ac.in} 2 _{Bauhaus-Universität Weimar, Weimar, Germany.}_{[email protected]}

3 _{NEC Corporation, Tokyo, Japan.}_{[email protected]} 4 _{IIIT, Delhi, India.}_{[email protected]}

Abstract. Tweakable block ciphers are important primitives for design-ing cryptographic schemes with high security. In the absence of a stan-dardized tweakable block cipher, constructions built from classical block ciphers remain an interesting research topic in both theory and practice. Motivated by Mennink’s Fe[2] publication from 2015, Wang et al. pro-posed32optimally secure constructions at ASIACRYPT’16, all of which employ two calls to a classical block cipher each. Yet, those constructions were still limited ton-bit keys andn-bit tweaks. Thus, applications with more general key or tweak lengths still lack support. This work proposes theXHXfamily of tweakable block ciphers from a classical block cipher and a family of universal hash functions, which generalizes the construc-tions by Wang et al. First, we detail the genericXHXconstruction with three independently keyed calls to the hash function. Second, we show that we can derive the hash keys in efficient manner from the block ci-pher, where we generalize the constructions by Wang et al.; finally, we propose efficient instantiations for the used hash functions.

Keywords: Provable security·ideal-cipher model·tweakable block cipher

1 Introduction

Tweakable Block Ciphers. A tweakable block cipher (TBC for short), is a cryptographic transform that adds an additional public parameter calledtweak to the usual inputs key and plaintext of a classical block cipher. This means that a tweakable block cipher Ee : K × T × M → M is a permutation on the plaintext/ciphertext space M for every combination of some key K ∈ K and tweak T ∈ T, where K, T, and M are assumed to be non-empty sets. Tweakable block ciphers have been used first by Schroeppel and Orman in the Hasty Pudding Cipher, where the tweak still was calledSpice[18]. Liskov, Rivest, and Wagner [11] have formalized the concept then in 2002.

(2)

2 A. Jha, E. List, K. Minematsu, S. Mishra, and M. Nandi

dedicated constructions, such as those proposed alongside the TWEAKEY frame-work [7], or e.g., SKINNY [1]. However, in the absence of a standard, tweakable block ciphers based on classical ones remain a highly interesting topic.

Blockcipher-based Constructions. Liskov et al. [11] had described two con-structions, known as LRW1 and LRW2. Rogaway [17] proposed XE and XEX as refinements of LRW2 for updating tweaks efficiently and reducing the number of keys. These schemes are efficient in that they need one block cipher call plus one (computational) universal hash function. Both XE and XEX are provably secure under standard model, i.e., assuming the block cipher is a (strong) pseu-dorandom permutation, they are secure up to O(2n/2₎ _{queries, when using an} n-bit block cipher. Since this security bound results from the birthday paradox on collisions of inputs to the block cipher, their security is inherently limited by the birthday bound (BB-secure).

Constructions with Stronger Security. Beyond-birthday-bound (BBB) se-cure schemes that overcome this barrier have been an interesting research topic from both theory and practice. Minematsu [13] introduced a rekeying-based con-struction. Landecker, Shrimpton and Terashima [9] proposed a cascade of two independent LRW2 instances, called CLRW2. Both constructions are secure up to O(22n/3₎ _{queries, however, at the price of decreased efficiency of using two} block-cipher calls per block plus per-tweak rekeying or plus two calls to a uni-versal hash function, respectively.

For settings that require stronger security, Lampe and Seurin [8] proved that the chained cascade of more instances of LRW2 could asymptotically approach a security of up toO(2n₎_{queries, i.e. full}_{n-bit security. However, the downside is} drastically decreased performance. An alternative direction has been initiated by Mennink [12], who also proposed TBC constructions from classical block ciphers, but proved the security in the ideal-cipher model. Mennink’s constructions could achieve full n-bit security quite efficiently when both input and key aren bits. In particular, his second constructionFe[2]required only two block-cipher calls. Following Mennink’s work, Wang et al. [20] proposed 32constructions of opti-mally secure tweakable block ciphers from classical block ciphers. Their designs share ann-bit key,n-bit tweak andn-bit plaintext, and linearly mix tweak, key, and the result of a second offline call to the block cipher. Their constructions have the desirable property of allowing to cache the result of the first block-cipher call; moreover, given a-priori known tweaks, some of their constructions allow further to precompute the result of the key schedule.

(3)

lengths for which the constructions in [12,20] are inapplicable. In general, the tweak represents additional data accompanying the plaintext/ciphertext block, and no general reason exists why tweaks must be limited to the block length. Applications include but are not limited to, e.g., schemes for high-security AE or full-disk encryption. For example, Shrimpton and Terashima [19] proposed the AE scheme Protected IV, which required a TBC with variable-length tweak and BBB security. Moreover, disk-encryption schemes are typically based on TBCs, where the physical location on disk (e.g., the sector ID) is used as tweak, which can be arbitrarily long.

Before proving the security of a construction, we have to specify the employed model. The standard model is well-established in our community despite the fact that proofs base on few unproven assumptions, such as that a block cipher is a PRP, or ignore practical side-channel attacks. In the standard model, the adver-sary is given access only to either thereal constructionEeor anideal construction

e

π. In contrast, the ideal-cipher model differs in the sense that it assumes an ideal primitive—in our case the classical ideal block cipher E which is used in E—e which the adversary has also access to in both worlds. Although a proof in the ideal-cipher model is not an unexceptional guarantee that no attacks may exist when instantiated in practice [3], for us, it allows to capture away the details of the primitive for the sake of focus on the security of the construction, and is employed by a wide range of applications [4].

For schemes proven in the standard model, one can look at theXTX_construction

[14], which was proposed earlier by Minematsu and Iwata at IMACC’15.XTX

extended the tweak domain of a given tweakable block cipher Ee : {0,1}k_× {0,1}t_{× {}₀_,₁_}n_{→ {}₀_,₁_}n _{by hashing the arbitrary-length tweak to an}₍_n₊_t₎ -bit value. The firsttbits serve as tweak and the latternbits are XORed to both input and output of E. Given ane ǫ-AXU family of hash functions and an ideal tweakable cipher, XTX _{is secure for up to}_O₍₂(n+t)/2₎_{queries in the standard}

model. However, no alternative toXTX_{exists in the ideal-cipher model yet.}

Recently, Naito [15] proposed the XKX _{framework of beyond-birthday-secure}

tweakable block ciphers, which shares similarities to ours. He proposed two in-stances, the birthday-secure XKX(1) _{and the beyond-birthday-secure} XKX(2)_.

More detailed, the nonce is processed by a block-cipher-based PRF which yields the block-cipher key for the current message; the counter is hashed with a uni-versal hash function under a second, independent key to mask the input. As a contrast to other and to our proposal, Naito’s construction demands both a counter plus a nonce as parameters to overcome the birthday bound; as a stan-dalone construction, its security reduces to n/2 bits if an adversary could use the same “nonce” value for all queries. Hence, XKX(2) _{is tailored only to} cer-tain domains, e.g., modes of operation in nonce-based authenticated encryption schemes. Our proposal differs from XKX _{in four aspects: (1) we do not pose}

(4)

Table 1: Summary of Our Results. ICM(n, k)denotes the ideal-cipher model for a block cipher with n-bit block and k-bit key; BC(n, k) and TBC(n, t, k) denote the standard-model (tweakable) block cipher ofn-bit block, t-bit tweak, andk-bit key. #Enc. = #calls to the (tweakable) block cipher, and #Mult. = #multiplications over GF(2n₎_. _a₍_b_{) =} _b _{out of} _a _{calls can be precomputed with the secret key; we}

defines=⌈k/n⌉.

Scheme Model Tweak Key Security Efficiency Reference

length in bit in bit #Enc. #Mult.

e

F[2] ICM(n, n) n n n 2 [12]

f

E1, . . . ,Eg32 ICM(n, n) n n n 2(1) [20]

XTX _TBC₍_{n, t, k}₎ _any_{ℓ k}_{+ 2}_n ₍_n₊_t₎_/_{2 1} _2⌈_ℓ/n_⌉ _[14]

XKX(2) BC(n, k) –* _k₊_n _min{_{n, k/}_2} ₁ ₁ _[15]

XHX ICM(n, k) anyℓ k (n+k)/2 s+ 1(s) s⌈ℓ/n⌉ This work

XHX ICM(n, k) 2n k n s+ 1(s) s This work

*_XKX(2) _{employs a counter as tweak.}

Contribution. This work proposes theXHX_{family of tweakable block ciphers}

from a classical block cipher and a family of universal hash functions, which generalizes the constructions by Wang et al. [20]. Like them, the present work also uses the ideal-cipher model for our security analysis of XHX_{. As the major}

difference to their work, our proposal allows arbitrary tweak lengths, and works for any block cipher of n-bit block and k-bit key. The security is guaranteed up to O(2(n+k)/2)queries, hence is full n-bit secure whenk≥n. Our contribu-tions, are threefold: First, we detail the genericXHX _{construction with three}

independently keyed calls to the hash function. Second, we show that we can derive the hash keys in an efficient manner from the block cipher, generalizing the constructions by Wang et al.; finally, we propose efficient instantiations for the employed hash functions for concreteness.

The remainder is structured as follows: Section 2 briefly gives the preliminaries necessary for the rest of this work. Section 3 then defines the general construction, that we call GXHX _{for simplicity, which hashes the tweak to three outputs.}

Section 4 continues with the definition and analysis of XHX_{, which derives the}

hashing keys from the block cipher. Section 5 describes efficient instantiations for our hash functions depending on the tweak length. In particular, we propose instantiations for2n-bit and arbitrary-length tweaks.

2 Preliminaries

(5)

strings(X1, . . . , Xx),(Y1, . . . , Yx)of equal domain, we denote by(X1, . . . , Xx)⊕

(Y1, . . . , Yx)the element-wise XOR, i.e.,(X1⊕Y1, . . . , Xx⊕Yx). We indicate the length ofX in bits by|X|, and writeXi for thei-th block. Furthermore, we de-note byX ևX thatX is chosen uniformly at random from the setX. We define

three sets of particular interest:Func₍_X_,_Y₎_{be the set of all functions}_F _:_{X → Y,} Perm₍_X₎_{the set of all permutations}_π_:_{X → X, and}TPerm₍_T_,_X₎_{for the set of}

tweaked permutations overX with associated tweak spaceT.(X1, . . . , Xx)←n−X denotes thatXis split inton-bit blocks i.e.,X1k . . .kXx=X, and|Xi|=nfor

1≤i≤x−1, and |Xx| ≤n. Moreover, we definehXin to denote the encoding of a non-negative integerX into itsn-bit representation. Given a integerx∈N_,

we define the functiontrunc_x_:_{₀_,₁_}∗_{→ {}₀_,₁_}x_{to return the leftmost} _x_bits

of the input if its length is ≥x, and returns the input otherwise. For two sets X and Y, a uniform random function ρ: X → Y which maps inputs X ∈ X independently from other inputs and uniformly at random to outputs Y ∈ Y. For an eventE, we denote by Pr[E] the probability ofE. For positive integers nandk, we denote the falling factorial as (n)k :=n_k_!!.

Adversaries. An adversary A is an efficient Turing machine that interacts with a given set of oracles that appear as black boxes toA. We denote byAO the output ofAafter interacting with some oracleO. We write∆A O1;O2

:=

|Pr[AO1 ⇒ 1]−Pr[AO2 ⇒ 1]|for the advantage of A to distinguish between oracles O1 _and _O2_{. All probabilities are defined over the random coins of the} oracles and those of the adversary, if any. W.l.o.g., we assume thatAnever asks queries to which it already knows the answer.

A block cipherEwith associated key spaceKand message spaceMis a mapping E : K × M → M such that for every key K ∈ K, it holds thatE(K,·) is a permutation overM. We defineBlock₍_K,_M₎_{as the set of all block ciphers with}

key spaceK and message spaceM. A tweakable block cipherEe with associated key spaceK, tweak spaceT, and message spaceMis a mappingEe:K×T ×M → Msuch that for every key K∈ Kand tweak T ∈ T, it holds that Ee(K, T,·)is a permutation overM. We also writeEeT

K(·)as short form in the remainder. The STPRP security of Ee is defined via upper bounding the advantage of a distinguishing adversaryAin a game, where we consider the ideal-cipher model throughout this work. There,Ahas access to oracles(O, E±₎_{, where}_E± _{is the} usual notation for access to the encryption oracleEand to the decryption oracle E−1_._O_{is called construction oracle, and is either the real construction}_E_e±

K(·,·), or eπևTPerm(T,M).E± ևPerm(M)is an ideal block cipher underneath E.e

TheSTPRPadvantage ofAis defined as∆A(Ee_K±(·,·), E±(·,·);πe±(·,·), E±(·,·)),

where the probabilities are taken over random and independent choice ofK,E,

e

π, and the coins of A if any. For the remainder, we say that A is a (qC, qP) -distinguisher if it asks at mostqC queries to its construction oracle and at most qP queries to its primitive oracle.

(6)

Definition 2 (Almost-XOR-Universal Hash Function).LetH:K × X → Y be a family of keyed hash functions with Y ⊆ {0,1}∗_{. We say that} _H _is ǫ-almost-XOR-universal (ǫ-AXU) if, for K և K, and for all distinct X, X′ ∈ X

and any∆∈ Y, it holds thatPrKևK[H(K, X)⊕ H(K, X

′_{) =}_∆_]_≤_ǫ.

Minematsu and Iwata [14] defined partial-almost-XOR-universality to capture the probability of partial output collisions.

Definition 3 (Partial-AXU Hash Function). Let H:K × X → {0,1}n_× {0,1}k _{be a family of hash functions. We say that} _H _is ₍_{n, k, ǫ}₎_-partial-AXU ((n, k, ǫ)-pAXU) if, forKևK, and for all distinctX, X′∈ X and all∆∈ {0,1}n,

it holds that PrKևK

H(K, X)⊕ H(K, X′_{) = (}_∆,₀k₎_≤_ǫ.

The H-Coefficient Technique. The H-coefficients technique is a method due to Patarin [5,16]. It assumes the results of the interaction of an adversaryAwith its oracles are collected in a transcriptτ. The task ofAis to distinguish the real worldOreal from the ideal worldOideal. A transcriptτ is calledattainable if the

probability to obtainτin the ideal world is non-zero. One assumes thatAdoes not ask duplicate queries or queries prohibited by the game or to which it already knows the answer. Denote byΘreal andΘideal the distribution of transcripts in

the real and the ideal world, respectively. Then, the fundamental Lemma of the H-coefficients technique states:

Lemma 1 (Fundamental Lemma of the H-coefficient Technique [16]). Assume, the set of attainable transcripts is partitioned into two disjoint sets

GoodT _and BadT_{. Further assume, there exist} _{ǫ1, ǫ2} _≥ ₀ _{such that for any}

transcriptτ∈GoodT_{, it holds that}

Pr [Θreal =τ]

Pr [Θideal=τ]

≥1−ǫ1, and Pr [Θideal∈BadT]≤ǫ2.

Then, for all adversariesA, it holds that∆A(Oreal;Oideal)≤ǫ1+ǫ2.

The proof is given in [5,16].

3 The Generic

GXHX

Construction

Let n, k, ℓ≥1 be integers and K ={0,1}k_, _L ₌_{₀_,₁_}ℓ_{, and} _{T ⊆ {}₀_,₁_}∗_{. Let} E:K×{0,1}n_{→ {}₀_,₁_}n_{be a block cipher and}_H_:_{L×T → {}₀_,₁_}n_×K×{₀_,₁_}n be a family of hash functions. Then, we define by GXHX_[_E,_H_{] :} _{L × T ×}

{0,1}n _{→ {}₀_,₁_}n _{the tweakable block cipher instantiated with} _E _and _H_that, for given key L ∈ L, tweak T ∈ T, and message M ∈ {0,1}n_{, computes the} ciphertext C, as shown on the left side of Algorithm 1. Likewise, given key L∈ L, tweakT ∈ T, and ciphertextC∈ {0,1}n_{, the plaintext}_M _{is computed} by M ← GXHX_[_E,_H_]−1

(7)

M E C T

HL

X Y

H1 H2 H3

Fig. 1: Schematic illustration of the encryption process of a messageM and a tweak

T with the generalGXHX[E,H]tweakable block cipher.E:K × {0,1}n_{→ {0}_,_1}n _is

a keyed permutation and H:L × T → {0,1}n_{× K × {0}_,_1}n _{a keyed universal hash}

function.

Algorithm 1 Encryption and decryption algorithms of the general

GXHX_[_E,_H_]_{construction.}

11: functionGXHX[E,H]L(T, M)

12: (H1, H2, H3)← H(L, T)

13: C←EH₂(M⊕H1)⊕H3

14: returnC

21: functionGXHX[E,H]−1 L (T, C)

22: (H1, H2, H3)← H(L, T)

23: M←E−1

H₂(C⊕H3)⊕H1

24: returnM

keys L ∈ L, all tweak-plaintext inputs (T, M) ∈ T × {0,1}n_{, and all} tweak-ciphertext inputs(T, C)∈ T × {0,1}n_{, it holds that}

GXHX_[_E,_H_]−1

L (T,GXHX[E,H]L(T, M)) =M and

GXHX_[_E,_H_]_L₍_T,GXHX_[_E,_H_]−1

L (T, C)) =C.

Figure 1 illustrates the encryption process schematically.

4 XHX

_{: Deriving the Hash Keys from the Block Cipher}

In the following, we adapt the general GXHX _{construction to} XHX_{. which}

differs from the former in two aspects: first,XHX_{splits the hash function into}

three functions H1, H2, and H3; second, since we need at least n+k bit of key material for the hash functions, it derives the hash-function key from a key K using the block cipher E. We denote by s≥ 0 the number of derived hash-function keysLi and collect them together with the user-given keyK∈ {0,1}k into a vector L := (K, L1, . . . , Ls). Moreover, we define a set of variables Ii and Ki, for 1 ≤ i ≤ s, which denote input and key to the block cipherE for computing:Li:=EKi(Ii). We allow flexible, usecase-specific definitions for the

(8)

8 A. Jha, E. List, K. Minematsu, S. Mishra, and M. Nandi PSfrag

M E C Ii E

Ki

Li

H1(L, T)

H2(L, T)

H3(L, T)

X Y

Fig. 2: Schematic illustration of the XHX_[_E,_H] _{construction where we derive the}

hash-function keysLi from the block cipherE.

Algorithm 2 Encryption and decryption algorithms of XHX_{where the keys}

are derived from the block cipher. We define H:= (H1,H2,H3). Note that the exact definitions ofIi andKi are usecase-specific.

11: functionXHX[E,H].KeySetup(K) 12: fori←1tosdo

13: Li←EKi(Ii)

14: L←(K, L1, . . . , Ls)

15: returnL

21: functionH(L, T) 22: H1← H1(L, T)

23: H2← H2(L, T)

24: H3← H3(L, T)

25: return(H1, H2, H3)

31: functionXHX_[_E,_H]_K₍_{T, M}₎

32: L←XHX[E,H].KeySetup(K)

33: (H1, H2, H3)← H(L, T)

34: C←EH₂(M⊕H1)⊕H3

35: returnC

41: functionXHX[E,H]−1 K (T, C)

42: L←XHX_[_E,_H]_.KeySetup₍_K₎

43: (H1, H2, H3)← H(L, T)

44: M←EH−₂1(C⊕H3)⊕H1

45: returnM

({0,1}n₎s_{. Note, the values}_L

iare equal for all encryptions and decryptions and hence, can be precomputed and stored for all encryptions under the same key.

The Constructions by Wang et al. The32constructionsEe_[2] _{by Wang et}

al. are a special case of our construction with the parameterss= 1, key length k = n, with the inputs Ii, Ki ∈ {0n, K}, and the option (Ii, Ki) = (0n,0n) excluded. Their constructions compute exactly one valueL1 byL1:=EK1(I1). One can easily describe their constructions in the terms of theXHX_framework,

with three variablesX1, X2, X3∈ {K, L1, K⊕L1}for which holds thatX16=X2 andX36=X2, and which are used in XHX_{as follows:}

H1(L, T) :=X1, H2(L, T) :=X2⊕T, H3(L, T) :=X3.

4.1 Security Proof of XHX

This section concerns the security of the XHX_{construction in the ideal-cipher}

(9)

Properties of H. For our security analysis, we list a set of properties that we require for H. We assume that L is sampled uniformly at random fromL. To address parts of the output of H, we also use the notion Hi : L × T → {0,1}oi _{to refer to the function that computes the} _{i-th output of} _H₍_{L, T}₎_{, for} 1 ≤i ≤3, witho1 :=n, o2 :=k, ando3 :=n. Moreover, we define H1,2(T) :=

(H1(L, T),H2(L, T)), andH3,2(T) := (H3(L, T),H2(L, T)).

Property P1. For all distinctT, T′_{∈ T} _{and all}_∆_{∈ {}₀_,₁_}n_{, it holds that}

max

i∈{1,3}LPrևL

Hi,2(T)⊕ Hi,2(T′) = ∆,0k≤ǫ1.

Property P2. For allT ∈ T and all(c1, c2)∈ {0,1}n_{× {}₀_,₁_}k_{, it holds that}

max

i∈{1,3}LPrևL

[Hi,2(T) = (c1, c2)]≤ǫ2.

Note that Property P1 is equivalent to sayingH1,2andH3,2are(n, k, ǫ1)-pAXU; Property P2 is equivalent to the statement thatH1,2 andH3,2 areǫ2-AUniform. Clearly, it must hold that ǫ1, ǫ2≥2−(n+k)_.

Property P3. For all T ∈ T, all chosen Ii, Ki, for 1 ≤ i ≤ s, and all ∆ ∈ {0,1}n_{, it holds that}

Pr

LևL

H1,2(T)⊕(Ii, Ki) = ∆,0k≤ǫ3.

Property P4. For all T ∈ T, all chosen Ki, Li, for 1 ≤ i ≤ s, and all ∆ ∈ {0,1}n_{, it holds that}

Pr

LևL

H3,2(T)⊕(Li, Ki) = ∆,0k

≤ǫ4.

Properties P3 and P4 represent the probabilities that an adversary’s query hits the inputs that have been chosen for computing a hash-function key. We list a further property which gives the probability that a set of constants chosen by the adversary can hit the values Ii andKi from generating the keysLi:

Property P5. For1≤i≤s, and all(c1, c2)∈ {0,1}n_{× {}₀_,₁_}k_{, it holds that}

Pr

KևK

[(Ii, Ki) = (c1, c2)]≤ǫ5.

In other words, the tuples (Ii, Ki)contain a sufficient amount of close to nbit entropy, and cannot be predicted by an adversary with greater probability, i.e., ǫ5 should not be larger than a small multiple of1/2n_{. From Property 5 and the} fact that the valuesLi are computed fromEKi(Ii)with an ideal permutationE,

it follows that for1≤i≤sand all(c1, c2)∈ {0,1}n_{× {}₀_,₁_}k

Pr

KևK

(10)

e E±

L(·,·) E

±

(·,·) eπ±

(·,·) E±

(·,·)

A

Fig. 3: Schematic illustration of the oracles available toA.

Theorem 1. Let E և Block(K,{0,1}n) be an ideal cipher. Further, let Hi : L×T → {0,1}oi_{, for}₁_≤_i_≤₃_{be families of hash functions for which Properties}

P1 through P4 hold, and let K և K. Moreover, let Property P5 hold for the

choice of allIi andKi. Letsdenote the number of keysLi,1≤i≤s. LetAbe a (qC, qP)-distinguisher onXHX[E,H]K. Then

∆

A

XHX_[_E,_H_]_{, E}±_;_e_π±_{, E}±_≤_q2

Cǫ1+2qPqCǫ2+qCs(ǫ3+ǫ4)+2qPsǫ5+ s2

2n+1.

Proof Idea. The proof of Theorem 1 follows from Lemmas 1, 2, and 3. Those can be found in Appendix A. LetEe denote theXHX_[_E,_H_]_{construction in the}

remainder. Figure 3 illustrates the oracles available toA. The queries byAare collected in a transcriptτ. We will define a series of bad events that can happen during the interaction ofAwith its oracles:

– Collisions between two construction queries,

– Collisions between a construction and a primitive query, – Collisions between two primitive queries,

– The case that the adversary finds an input-key tuple in either a primitive or construction query that was used to derive a keyLi.

The proof will bound the probability of these events to occur in the transcript in Lemma 2. We define a transcript asbad if it satisfies at least one suchbad event, and defineBadT_{as the set of all attainable}_bad_transcripts.

Lemma 2. It holds that

Pr [Θideal∈BadT]≤q_C2ǫ1+ 2q_Pq_Cǫ2+q_Cs(ǫ3+ǫ4) + 2q_Psǫ5+

s2

2n+1. The proof is given in Appendix A.1.

Good Transcripts. Above, we have considered bad events. In contrast, we define GoodT_{as the set of all} _good _{transcripts, i.e., all attainable transcripts}

that arenot bad.

Lemma 3. Letτ∈GoodT_{be a good transcript. Then}

Pr [Θreal=τ]

Pr [Θideal=τ]

≥1.

(11)

Algorithm 3 The universal hash functionH∗_.

11: functionH∗

L(T)

12: (K, L1, . . . , Ls)←L

13: K′←trunc_n₍_K₎

14: H1← FK′(T)

15: H2←trunc_k_(F_L

1(T)k · · · k FLs(T))

16: H3← FK′(T)

21: functionFK(T)

22: p← |T|modn

23: if p6= 0then 24: T ←Tk0n−p

25: ParseT1, . . . , Tm←−n T

26: Tm+1← h|T|in

27: Y ←0

28: fori←1tom+ 1do 29: Y ←(Y ⊕Ti)·K

30: return(Y ·K)⊕K

5 Efficient Instantiations

The hash function forXHX_{needs to satisfy multiple conditions for the}

construc-tion to be secure. This secconstruc-tion provides concrete instantiaconstruc-tions of hash funcconstruc-tions which satisfy those conditions. While it is rather straight-forward to design hash functions in the case of independent keys, by using two independentn-bit AXU and AUniformhash functions, the additional conditions forXHX _{require more}

analysis. We present two instantiations depending on the maximum tweak length. While the case of n-bit tweaks has already been covered by Wang et al., there is the general important case of having a variable-length tweak still open, that we address with an instantiation. Additionally, we also present a second hash function that is more efficient for the special case of having a2n-bit tweak. Our proposals use field multiplications overGF₍₂n₎_{and need}₍_k₊_n₎_{bits of key}

material, where the ideal cipher is used for key derivation. We defineKi :=K andIi:=hii, for 1≤i≤s, i.e., we compute the subkeysLi as Li←EK(hii).

H∗ _{– A Hash Function for Variable-Length Tweaks.} _{We propose a first} instantiationH∗_{for variable-length tweaks.}_H∗_{uses two universal hash functions} keyed byKandL1, and takesT as input. Assumek≥nbe positive integers and s≤2k−1_{. More specifically, let}_F_:=_{F_|_F _:_{₀_,₁_}n_{× {}₀_,₁_}∗_{→ {}₀_,₁_}n_}_denote anǫ(m)-AXUandρ(m)-AUniformfamily of hash functions. Here,ǫ(m)andρ(m)

denote the maximum AXU andAUniformbiases for any input pair whose length is at mostminn-bit blocks. Then,H∗_:_L×{₀_,₁_}∗_{→ {}₀_,₁_}n_×{₀_,₁_}k_×{₀_,₁_}n_is defined in Algorithm 3. We suggest a polynomial hash forFK(·)with a minimum degree of one; this means, it holds that FK(ε) = K for the empty string ε to avoid fixed points. For simplicity,H∗_{conducts all computations in the same field}

GF₍₂n₎_{in all calls to}_{F. In general, we have to consider three potential cases for}

the relation of state size and key lengths:

(12)

– Case k<n. In this case, we could simply truncate H2 from n to k bits. Theoretically, we could derive a longer key from K for the computation of H1 and H3; however, we disregard this case since ciphers with smaller key than state length are very uncommon.

– Casek>n. In the third case, we truncate the hash keyK for the computa-tion ofH1 andH3tonbits. Moreover, we deriveshashing keysL1, . . . ,Ls from the block cipherE. For H2, we concatenate the output ofs instances of F, and truncate the result to k bits if necessary. This construction is well-known to beǫs₍_m₎_-pAXU_if_F _is_ǫ₍_m₎_-pAXU.

Lemma 4. H∗ _is ₂sn−k_ǫs+1₍_m₎_-pAXU _and ₂sn−k_ρs+1₍_m₎_{-Uniform. Moreover,} it satisfies Properties P3 and P4 with probability2sn−k_ρs+1₍_m₎_{each, and} Prop-erty P5 with ǫ5≤2/2k _{for our choice of the values}_I

i andKi.

Remark 1. The term2sn−k_{results from the potential truncation of}_H2_{if the key} lengthkof the block cipher is no multiple of the state sizen.H2is computed by concatenating the results of multiple independent invocations of a polynomial hashing functionF in GF₍₂n₎_{under assumed independent keys. Clearly, if}_F _is ǫ-AXU, then theirsn-bit concatenation isǫs-AXU. However, after truncatingsn tokbits, we may lose information, which results in the factor of2sn−k_{. For the} casek=n, it follows thats= 1, and the terms2sn−k_ǫs+1₍_m₎_and₂sn−k_ρs+1₍_m₎ simplify toǫ2₍_m₎_and_ρ2₍_m₎_{, respectively.}

Our instantiation ofFhasǫ(m) =ρ(m) = (m+2)/2n_{. Before we prove Lemma 4,} we derive from it the following corollary forXHX_{when instantiated with}_H∗_.

Corollary 1. Let E and XHX_[_E,_H∗_]_{be defined as in Theorem 1, where the} maximum length of any tweak is limited by at most m n-bit blocks. Moreover, letKևK. LetAbe a(qC, qP)-distinguisher onXHX[E,H∗]. Then

∆

A

XHX_[_E,_H∗_]_{, E}±_;_e_π±_{, E}±_≤(q

2

C+2qCqP+2qCs)(m+2)s+1

2n+k +

4qPs

2k + s2

2n+1. The proof of the corollary stems from the combination of Lemma 4 with Theo-rem 1 and can be omitted.

Proof of Lemma 4. In the following, we assume thatT, T′_{∈ {}₀_,₁_}∗_{are distinct} tweaks of at mostmblocks each. Again, we consider thepAXUproperty first.

Partial Almost-XOR-Universality. This is the probability that for any∆∈ {0,1}n_:

Pr

LևL

[(FK′(T),FL1,...,Ls(T))⊕(FK′(T

′₎_,_F

L1,...,Ls(T

′_{)) = (}_∆,₀n_)]

= Pr

LևL

[FK′(T)⊕ F_K′(T′) =∆,F_L

1,...,Ls(T)⊕ FL1,...,Ls(T

′_{) = 0}n_]

≤2sn−k·ǫs+1(m).

We assume independent hashing keys K′_, _{L1, . . . , L}

(13)

this case. In the case k > n, we compute swords of H2 that are concatenated and truncated tok bits. Hence,FL1,...,Ls is 2

sn−k_·_ǫs₍_m₎_{-AXU. In combination} with the AXU bound forFK′, we obtain the pAXUbound forH∗ above.

Almost-Uniformity. This is the probability that for any∆1, ∆2∈ {0,1}n

Pr

LևL

[(FK′(T),F_L

1,...,Ls(T)) = (∆1, ∆2)] = Pr

LևL

[FK′(T) =∆1,F_L

1,...,Ls(T) =∆2]

≤2sn−k·ρs+1(m)

sinceFisρ(m)-AUniform, and using a similar argumentation for the casesk=n andk > nas for partial-almost-XOR universality.

Property P3. For allT ∈ T and∆∈ {0,1}n, Property P3 is equivalent to

Pr

LևL

[FK′(T) = (∆⊕Ii),FL1,...,Ls(T) =K]

for a fixed1≤i≤s. Here, this property is equivalent to almost uniformity; hence, the probability for the latter equality is at most2sn−k_·ρs₍_m₎_{. The probability for} the former equality is at mostρ(m)since the property considers a fixedi. Since we assume independence ofKandL1, . . . , Ls, it holds thatǫ3≤2sn−k·ρs+1(m).

Property P4. For allT ∈ T and∆∈ {0,1}n_{, Property P4 is equivalent to}

Pr

LևL

[FK′(T) = (∆⊕Li),FL₁,...,Ls(T) =K]

for a fixed 1 ≤ i ≤ s. Using a similar argumentation as for Property P3, the probability is upper bounded byǫ4≤2sn−k_·_ρs+1₍_m₎_.

Property P5. We derive the hashing keysLiwith the help ofE and the secret keyK. So, in the simple case thats= 1, the probability that the adversary can guess any tuple(Ii, Ki), for1≤i≤s, that is used to derive the hashing keysLi, or guess any tuple (Li, Ki) is at most 1/2k. Under the reasonable assumption s <2k−1, the probability becomes for fixediin the general case:

Pr

KևK

[(Ii, Ki) = (c1, c2)]≤ 1

2k₋_s≤

2 2k.

A similar argument holds that the adversary can guess any tuple (Li, Ki), for

1≤i≤s. Hence, it holds forH∗ _that _ǫ5_≤₂_/₂k_.

ǫ(m) and ρ(m). It remains to determine ǫ(m)and ρ(m)for our instantiation ofFK(·). It maps tweaksT =T1, . . . , Tm to the result of

m

M

i=1

Ti·Km+3−i

!

⊕ h|T|in·K⊕K.

(14)

Algorithm 4 The universal hash functionH2_.

11: functionH2 L(T)

12: (K, L1, . . . , Ls)←L

13: (T1, T2)←−n T

14: K′

←trunc_n(K)

15: H1←T1_K′

16: H2←trunc_k(FL₁(T)k · · · k FLs(T))

17: H3←T1_K′

21: functionFLi(T1kT2)

22: return(T1Li)⊕T2

H∗_{is a general construction which supports arbitrary tweak lengths. Though, if} we usedH∗ _for₂_{n-bit tweaks, we would need four Galois-Field multiplications.} However, we can hash more efficiently, even optimal in terms of the number of multiplications in this case. For this purpose, we define H2_.

H2 _{– A Hash Function for} ₂_n_{-bit Tweaks.} _{Naively, for two-block tweaks} |T| = 2n, an ǫ-pAXU construction with ǫ ≈ 1/22n _{could be achieved by} sim-ply multisim-plying the tweak with some key L∈GF₍₂2n₎_{sampled uniformly over} GF₍₂2n₎_{. We can perform this even more efficiently by using two multiplications}

over the smaller fieldGF₍₂n₎_{. Additional conditions, such as uniformity, are}

sat-isfied by introducing squaring in the field to avoid fixed points in multiplication-based universal hash function. Following the notations from the previous sections, letL= (K, L1)be the 2n-bit key of our hash function. For X, Y ∈GF₍₂n₎_{, we}

define the operation:GF₍₂n₎_×GF₍₂n₎_→GF₍₂n₎_as

XY :=

(

X·Y ifX 6= 0

Y2 _otherwise.

We assume the standard encoding between the bit space and GF₍₂n₎_{, i.e. a} polynomial in the field is represented as its coefficient vector, e. g., the all-zero vector denotes the zero element0, and the bit string(0. . .01)denotes the identity element. Hereafter, we writeX interchangeably as an element ofGF₍₂n₎ _{or of}

{0,1}n_{. For}_L_{= (}_{₀_,₁_}n₎2_,_X _{= (}_{₀_,₁_}n₎2 _and_Y ₌_{₀_,₁_}n_{× {}₀_,₁_}k_{× {}₀_,₁_}n_, the constructionH2_:_{L × X → Y} _{is defined in Algorithm 4. We stress that the} usage of keys has been chosen carefully, e.g., a swap of K andL1 inH2 _would invalidate Property P4.

Lemma 5. H2 is 2s+1/2n+k-pAXU, 2s/2n+k-AUniform, satisfies Properties P3 and P4 with probability2/2n+k each, and Property P5 with ǫ5=s/2n for our choices ofIi andKi, for1≤i≤s.

Before proving Lemma 5, we derive from it the following corollary for XHX

(15)

Corollary 2. Let E and XHX_[_E,_H2_] _{be defined as in Theorem 1. Moreover,}

letKևK. LetAbe a(qC, qP)-distinguisher onXHX[E,H2]K. Then

∆

A

XHX_[_E,_H2_]_{, E}±_;_π_e±_{, E}±_≤ 2

s+2_q2

C+ 2s+1qCqP+ 4qCs

2n+k +

2qPs2

2n + s2

2n+1. Again, the proof of the corollary stems from the combination of Lemma 5 with Theorem 1 and can be omitted.

Proof of Lemma 5. Since H1 and H3 are equal, we can restrict the analysis of the properties of Lemma 5 to only the outputs (H1, H2). Note that K and L1 are independent. In the following, we denote the hash-function results for some tweak T as H1, H2, H3, and those for some tweak T′ ₆₌ _T _as _H′

1, H2′, H3′. Moreover, we denote then-bit words of H2 as (H1

2, . . . , H2s), and those of H2′ as (H′

2 1

, . . . ,H′ 2 s

).

Partial Almost-XOR-Universality. First, let us consider thepAXUproperty. It holds thatH1:=T1KandH2:=trunc_k₍_F_L

1(T), . . . ,FLs(T)). Considering

H1, it must hold thatH′

1=H1⊕∆, with

∆= (T1′K)⊕(T1K).

For anyX 6= 0n_{, it is well-known that} _X_Y _is₁_/₂n_{-AXU. So, for any fixed} _T1 and fixed ∆∈ {0,1}n_{, there is exactly one value}_T′

1 that fulfills the equation if H1′ 6=KK, and exactly two values ifH1′ =KK, namelyT1′∈ {0n, K}. So

Pr

KևL

[(T1K)⊕(T′

1K) =∆]≤2/2n.

The argumentation for H2 is similar. The probability that any Li = 0n, for

1 ≤ i ≤ s, is at most s/2n_{. In the remainder, we can then assume that all} Li6= 0n. W.l.o.g., we focus for now on the first word ofH2,H21, in the following. For fixed (T1, T2), H1

2, and T2′, there is exactly one value T1′ s.t. H2′ 1

= H1 2 if H′

2 1

6

=L1(L1⊕T′

2), namelyT1′ :=T1⊕(T2⊕T2′)L −1

1 . There exist exactly two valuesT′

1ifH2′ 1

=L1L1⊕T₂′, namelyT₁′ ∈ {0n, L1}. Hence, it holds that

Pr

L1ևL h

H1 2 =H2′

1i

≤2/2n_.

The same argumentation follows for 2 ≤ i ≤ s since the keys Li are pairwise independent. Sincens−kbits ofHs

2 andH2′ s

are truncated ifkis not a multiple ofn, the bound has to be multiplied with2sn−k_{. With the factor of}₂_/₂n_for_H1, it follows for fixed∆∈ {0,1}n _that_H2_is_ǫ-pAXU_for_ǫ_{upper bounded by}

2 2n ·2

sn−k_· 2s

2sn =

2s+1

(16)

Almost-Uniformity. Here, we concern the probability for anyH1 andH2:

Pr

LևL

[T1K=H1,trunc_k(F_L

1(T), . . . ,FLs(T)) =H2].

If K = 0n _and _H1 _{= 0}n_{, then the first equation may be fulfilled for any} _T1. Though, the probability forK= 0n _is₁_/₂n_{. So, we can assume}_K ₆_{= 0}n _{in the} remainder. Again, we focus on the first word ofH2 next. For fixedL1 andH1 2, there exist at most two values (T1, T2) to fulfill (T1L1)⊕T2 = H₂1. In the case H1 6=KK, there is exactly one value T1 :=H1K−1 that yields H1. Then,T1,L1, andH1

2 determineT2:=H21⊕(T1L1)uniquely. In the opposite case that H1 = KK, there exist exactly two values (T1, T₁′) that yield H1, namely 0n _and_{K. Each of those determines} _T2 _{uniquely. The probability that} the so-fixed values T1, T2 yield also H2

2, . . . ,H2s is at most (2/2n)s−1 if k is a multiple ofnsince the keysLi are pairwise independent; ifkis not a multiple of n, we have again an additional factor of 2sn−k _{from the truncation. Hence,} _H2 is2sn−k_·₂s_/₂n+sn_{= 2}s_/₂n+k_-AUniform.

Property P3. Given Ii = hi−1i and Ki = K, for 1 ≤ i ≤ s, ǫ3 is equiva-lent to the probability that a chosen (T1, T2) yields Pr[T1K = ∆⊕ hi−1i,

trunc_k₍_F_L

1(T), . . . ,FLs(T)) =K], for somei. This can be rewritten to Pr [T1K=∆⊕ hi−1i]

·Pr [trunc_k₍_F_L

1(T), . . . ,FLs(T)) =K|T1K=∆⊕ hi−1i]. For fixed ∆ 6= KK, there is exactly one value T1 that satisfies the first part of the equation; otherwise, there are exactly two values T1 if ∆=KK. Moreover, K is secret; so, the values T1 require that the adversary guesses K correctly. Given fixedT1,∆, and K, there is exactly one valueT2 that matches the first nbits ofK; T2 := (T1L1)⊕K[k−1..k−n]. The remaining bits of K are matched with probability2sn−k_/₂(s−1)n_{, assuming that the keys} _L

i are independent. Hence, it holds thatǫ3≤2/2n_·₂sn−k_/₂sn_{= 2}_/₂n+k_.

Property P4. This argument follows from a similar argumentation as Prop-erty P3. Hence, it holds thatǫ4≤2/2n+k_.

Acknowledgments. This work was initiated during the group sessions of the 6th Asian Workshop on Symmetric Cryptography (ASK 2016) held in Nagoya. We thank the anonymous reviewers of the ToSC 2017 and Latincrypt 2017 for their fruitful comments.

References

(17)

2. Mihir Bellare and Phillip Rogaway. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In Serge Vaudenay, editor, EU-ROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

3. John Black. The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function. In Matthew J. B. Robshaw, editor, FSE, volume 4047 of Lecture Notes in Computer Science, pages 328–340. Springer, 2006.

4. John Black, Phillip Rogaway, and Thomas Shrimpton. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In Moti Yung, editor,CRYPTO, volume 2442 ofLecture Notes in Computer Science, pages 320– 335. Springer, 2002.

5. Shan Chen and John P. Steinberger. Tight Security Bounds for Key-Alternating Ci-phers. In Phong Q. Nguyen and Elisabeth Oswald, editors,EUROCRYPT, volume 8441 ofLecture Notes in Computer Science, pages 327–350. Springer, 2014. 6. Peter Gazi and Ueli M. Maurer. Cascade Encryption Revisited. In Mitsuru Matsui,

editor, ASIACRYPT, volume 5912 of Lecture Notes in Computer Science, pages 37–51. Springer, 2009.

7. Jérémy Jean, Ivica Nikolic, and Thomas Peyrin. Tweaks and Keys for Block Ci-phers: The TWEAKEY Framework. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT (2), volume 8874 ofLecture Notes in Computer Science, pages 274– 288, 2014.

8. Rodolphe Lampe and Yannick Seurin. Tweakable Blockciphers with Asymptotically Optimal Security. In Shiho Moriai, editor,FSE, volume 8424 ofLecture Notes in Computer Science, pages 133–151. Springer, 2013.

9. Will Landecker, Thomas Shrimpton, and R. Seth Terashima. Tweakable blockci-phers with beyond birthday-bound security. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO, volume 7417 of Lecture Notes in Computer Science, pages 14–30. Springer, 2012.

10. Jooyoung Lee. Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT, volume 7881 ofLecture Notes in Computer Sci-ence, pages 405–425. Springer, 2013.

11. Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable Block Ciphers. In Moti Yung, editor,CRYPTO, volume 2442 ofLecture Notes in Computer Science, pages 31–46. Springer, 2002.

12. Bart Mennink. Optimally Secure Tweakable Blockciphers. In Gregor Leander, editor, FSE, volume 9054 ofLecture Notes in Computer Science, pages 428–448. Springer, 2015.

13. Kazuhiko Minematsu. Beyond-Birthday-Bound Security Based on Tweakable Block Cipher. In Orr Dunkelman, editor,FSE, volume 5665 ofLecture Notes in Computer Science, pages 308–326. Springer, 2009.

14. Kazuhiko Minematsu and Tetsu Iwata. Tweak-Length Extension for Tweakable Blockciphers. In Jens Groth, editor,IMA Int. Conf., volume 9496 ofLecture Notes in Computer Science, pages 77–93. Springer, 2015.

15. Yusuke Naito. Tweakable Blockciphers for Efficient Authenticated Encryptions with Beyond the Birthday-Bound Security. IACR Transactions on Symmetric Cryptology, 2017(2):1–26, 2017.

(18)

17. Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refine-ments to Modes OCB and PMAC. InASIACRYPT, volume 3329 ofLecture Notes in Computer Science, pages 16–31. Springer, 2004.

18. Richard Schroeppel and Hilarie Orman. The Hasty Pudding Cipher.AES candidate submitted to NIST, 1998.

19. Thomas Shrimpton and R. Seth Terashima. A Modular Framework for Building Variable-Input-Length Tweakable Ciphers. In Kazue Sako and Palash Sarkar, edi-tors,ASIACRYPT (1), volume 8269 ofLecture Notes in Computer Science, pages 405–423. Springer, 2013.

20. Lei Wang, Jian Guo, Guoyan Zhang, Jingyuan Zhao, and Dawu Gu. How to Build Fully Secure Tweakable Blockciphers from Classical Blockciphers. In Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT (1), volume 10031 of Lecture Notes in Computer Science, pages 455–483, 2016.

A

Proof Details

The proof of Theorem 1 follows from Lemmas 1, 2, and 3. Let Ee denote the

XHX_[_E,_H_]_{construction in the remainder. W.l.o.g., we assume,}_A_{does not ask}

duplicated queries nor trivial queries to which it already knows the answer, e.g., feeds the result of an encryption query to the corresponding decryption oracle or vice versa. The queries byAare collected in a transcriptτ. We define thatτ is composed of two disjoint sets of queriesτCandτP andL,τ=τC∪τP ∪ {L}, whereτC :={(Mi,Ci,Ti,H1i,H2i,H3i,Xi,Yi,di)}1≤i≤qC denotes the queries

by A to the construction oracle plus internal variables Hi

1, H2i, H3i (i.e., the outputs ofH1,H2, andH3, respectively),Xi _and_Yi_(where_Xi_←_Hi

1⊕Miand Yi _←_Hi

3⊕Ci, respectively); andτP :={(Kbi,Xbi,Ybi, di)}1≤i≤qP the queries to

the primitive oracle; both sets store also binary variables di _{that indicate the} direction of the i-th query, wheredi_{= 1} _{represents the fact that the} _{i-th query} is an encryption query, anddi _{= 0} _{that it is a decryption query. The internal} variables for one call toXHX_{are as given in Algorithm 2 and Figure 2.}

We apply a common strategy for handling bad events from both worlds: in the real world, all secrets (i.e., the hash-function keyL) are revealed to theAafter it finished its interaction with the available oracles, but before it has output its decision bit regarding which world it interacted with. Similarly, in the ideal world, the oracle samples the hash-function key independently from the choice of E and πe uniformly at random, L և L, and also reveals L to A after the

adversary finished its interaction and before has output its decision bit. The internal variables in construction queries – Hi

1,H2i, H3i, Xi, Yi – can then be computed and added to the transcript also in the ideal world using the oracle inputs and outputsTi_,_Mi_,_Ci_,_Hi

1,H2i, andH3i.

Let 1 ≤ i 6=j ≤q. We define that an attainable transcript τ is bad, i.e., τ ∈

BadT_{, if one of the following conditions is met:}

– bad1: There existi6=j s.t.(H₂i, Xi) = (H₂j, Xj).

– bad2: There existi6=j s.t.(H₂i, Yi) = (H₂j, Yj).

(19)

– bad4: There existi6=j s.t.(H₂i, Yi) = (Kbj,Ybj).

– bad5: There existi6=j s.t.(Kbi,Xbi) = (Kbj,Xbj).

– bad6: There existi6=j s.t.(Kbi,Ybi) = (Kbj,Ybj).

– bad7: There existi∈ {1, . . . , s}andj ∈ {1, . . . , q_C} s.t.(Xj, H₂j) = (I_i, K_i)

anddj _{= 1}_.

– bad8: There existi∈ {1, . . . , s}and j∈ {1, . . . , qC} s.t.(Yj, H2j) = (Li, Ki) anddj _{= 0}_.

– bad9: There existi∈ {1, . . . , s}andj ∈ {1, . . . , qP} s.t.(Xbj,Kbj) = (Ii, Ki). – bad10: There existi∈ {1, . . . , s}andj∈ {1, . . . , q_P}s.t.(Ybj,Kbj) = (L_i, K_i).

– bad11: There exist i, j ∈ {1, . . . , s} and i 6= j s.t. (K_i, L_i) = (K_j, L_j) but

Ii6=Ij.

The events

– bad1 andbad2consider collisions between two construction queries,

– bad3andbad4consider collisions between primitive and construction queries, – bad5 andbad6consider collisions between two primitive queries, and – bad7 through bad10 address the case that the adversary may could find an

input-key tuple in either a primitive or construction query that has been used to derive some of the subkeysLi.

– bad11 addresses the event that the ideal oracle produces a collision while sampling the hash-function keys independently uniformly at random.

Note that the eventsbad5 andbad6are listed here only for the sake of complete-ness. We will show briefly that these events can never occur.

A.1 Proof of Lemma 2

Proof. In the following, we upper bound the probabilities of each bad event.

bad₁ _and bad₂_. _Events _bad₁ _and _bad₂ _{represent the cases that two distinct} construction queries would feed the same tuple of key and input to the underlying primitive E if the construction would be the real E;e bad1 considers the case when the valuesHi

2=H j

2 andXi=Xj collide. In the real world, it follows that Yi ₌_Yj_{, while this holds only with small probability in the ideal world. The} event bad2 concerns the case when the values Hi

2 = H j

2 and Yi = Yj collide. Again, in the real world, it follows then thatXi ₌_Xj_{, whereas this holds only} with small probability in the ideal world. So, both events would allow A to distinguish both worlds. Let us consider bad1 first, and let us start in the real world. SinceAasks no duplicate queries, it must hold that two distinct queries

(Mi_{, T}i₎_and ₍_Mj_{, T}j₎_yielded

Xi= Mi⊕H1i

=Mj⊕H1j

=Xj and H2i =H j 2.

We define∆:=Mi_⊕Mj_{and consider two subcases: in the subcase that}_Ti₌_Tj_, it automatically holds that Hi

2 =H j

2 andH1i =H j

(20)

that Mi₌_Mj_{, i.e.,}

Awould have asked a duplicate query, which is prohibited. So, it must hold that Ti₆₌_Tj _{in the real world.}

If Ti ₌ _Tj _{in the ideal world, it must hold that the plaintexts are disjoint,} Mi ₆₌ _Mj_{, since we assumed that}

A does not make duplicate queries. Since

e

π(Ti_,_·₎ _{is a permutation, the resulting plaintexts are also disjoint:} _Mi ₆₌_Mj_. FromTi₌_Tj _{follows that}_Hi

1=H j

1 and thus,Xi andXj cannot be equal: Xi=Mi⊕H1i 6=Mj⊕H

j 1=Xj,

which contradicts with our definition ofbad1. So, it must hold thatTi₆₌_Tj _also in the ideal world. From Property P1 and overLևL, it holds then

Pr[bad1] = Prh∃i6=j; 1≤i, j≤qC: Xi, H2i

=Xj, H2j

i

= Pr∃i6=j; 1≤i, j≤qC:H1,2 Ti

⊕ H1,2 Tj

= ∆,0k_≤

qC

2

ǫ1.

Using a similar argumentation, it follows also from Property P1 that forTi₆₌_Tj

Pr[bad2] = Prh∃i6=j; 1≤i, j≤qC: Yi, H2i

=Yj, H2j

i

= Pr∃i6=j; 1≤i, j≤qC:H3,2 Ti

⊕ H3,2 Tj

= ∆,0k≤

qC

2

ǫ1.

bad₃ _and bad₄_. _Events _bad3 _and_bad4 _{represent the cases that a construction} query to thereal constructionEewould feed the same key and input(Hi

2, Xi)to the underlying primitiveEin the real construction as a primitive query(Kbj_,_X_bj₎_. This is equivalent to guessing the hash-function output for thei-th query. Let us considerbad3 first. OverLևLand for all(Kbj,Xbj), the probability ofbad3

is upper bounded by

Pr[bad3] = Prh∃i, j; 1≤i≤qC,1≤j ≤qP : (Xi, H2i) = (Xbj,Kbj)

i

= Prh∃i, j; 1≤i≤qC,1≤j ≤qP : (H1i =Mi⊕Xbj)∧(H2i =Kbj)

i

= Prh∃i, j; 1≤i≤qC,1≤j ≤qP :H1,2(Ti) = (Mi⊕Xbj,Kbj)

i

≤qC·qP·ǫ2

due to Property P2. Using a similar argumentation, it holds that

Pr[bad4] = Pr

h

∃i, j; 1≤i≤qC,1≤j≤qP : (Xi, H2i) = (Ybj,Kbj)

i

= Prh∃i, j; 1≤i≤qC,1≤j≤qP : (H3i=Ci⊕Ybj)∧(H2i =Kbj)

i

= Prh∃i, j; 1≤i≤qC,1≤j≤qP :H3,2(Ti) = (Ci⊕Ybj,Kbj)

i

(21)

bad₅ _and bad₆_. _Events _bad5 _and _bad6 _{represent the cases that two distinct} primitive queries feed the same key and the same input to the primitive E. Clearly, in both worlds, this implies thatAeither has asked a duplicate primitive query or has fed the result of an earlier primitive query to the primitive’s inverse oracle. Both types of queries are forbidden; so, they will not occur.

bad₇ _and bad₈_. _{Let us consider} _bad₇ _{first, which considers the case that the} j-th construction query in encryption direction matches the inputs to E used for generating a hash function subkeys Li, for some j ∈ [1..q] and i ∈ [1..s]. bad8considers the equivalent case in decryption direction. We define∆:=Mj_⊕ H1(L, Tj₎_{. For this} _bad _{event, it must hold that} _Mj _{⊕ H1}₍_{L, T}j_{) =} _I

i and H2(L, Tj_{) =}_K

i. Concerning the tuplesIi, Ki, we cannot exclude in general that all valuesK1(K) =. . .=Ks(K)are equal and therefore,Li are outputs of the same permutation. From Property P3 and the fact that there have beenjqueries and the adversary can hit one out ofs values, and overLևL, it follows that

the probability for this event can be upper bounded by

Pr[bad7] = Prh∃i, j; 1≤i≤s,1≤j≤qC: (Xj, H2j)⊕(Ii, Ki) = (∆,0k)

i

= Pr∃i, j; 1≤i≤s,1≤j≤qC :H1,2(Tj)⊕(Ii, Ki) = (∆,0k) ≤qC·s·ǫ3.

Using a similar argument, it follows from Property P4 that

Pr[bad8] = Prh∃i, j; 1≤i≤s,1≤j ≤qC: (Yj, H2j)⊕(Li, Ki) = (∆,0k)

i

= Pr∃i, j; 1≤i≤s,1≤j≤qC:H3,2(Tj)⊕(Li, Ki) = (∆,0k) ≤qC·s·ǫ4.

bad₉ _and bad₁₀_. _{The event} _bad9 _{models the case that a primitive query in} encryption direction matches key and input used for generating Li, for some i∈[1..s]:(Xbj_,_K_bj_{) = (}_I

i, Ki). The eventbad10 considers the equivalent case in decryption direction. From our assumption that Property P5 holds and the fact that the adversary can hit one out ofsvalues, and overKևK, the probability

for this event can be upper bounded by

Pr[bad9] = Prh∃i, j; 1≤i≤s,1≤j≤qP :

b

Xj,Kbj= (Ii, Ki)

i

≤qP·s·ǫ75

We can use a similar argument and Property P5 to upper bound the probability that thej-th query ofAhitsLi, Kiby

Pr[bad10] = Prh∃i, j; 1≤i≤s,1≤j≤qP :

b

Yj,Kbj= (Li, Ki)

i

≤qP·s·ǫ5.

(22)

which indicates that the hash-function keys cannot be result of computing them from the block cipherE. In the worst case, all keysKi, for1≤i≤s, are equal. So, the probability for this event can be upper bounded by

Pr[bad11] = Pr [∃i, j∈ {1, . . . , s}, i6=j: (Ki, Li) = (Kj, Lj), Ii6=Ij]≤ s2

2n+1. Our claim in Lemma 2 follows from summing up the probabilities of all bad events.

Before proceeding with the proof of good transcripts, we formulate a short fact that will serve useful later on. In the remainder, we denote the falling factorial as(n)k :=n_k_!!.

Fact 1. Letu1, . . . ,urandv1, . . . ,vs be positive integers such that it holds r

X

i=1 ui=

s

X

j=1

vj, (1)

r≤s, and (2)

vi≤ui, for all1≤i≤r. (3)

Then, it holds for any positive integerN≥Pr_i₌₁ui that r

Y

i=1

(N)_u_i ≤ s

Y

i=1

(N)_v_i and thus r

Y

i=1

1 (N)_u_i ≥

s

Y

i=1

1 (N)_v_i.

The proof follows from simple arithmetics and is therefore omitted.

A.2 Proof of Lemma 3

Proof. Fix a good transcriptτ. In the ideal world, the probability to obtainτ is

Pr[Θideal=τ] = Pr

∀i

e

π(Ti, Mi) =Ci·Pr

∀j

h

E(Kbj,Xbj) =Yji·Pr

∀g[Lg] ·Pr [KևK:K].

In the real world, the probability to obtain a transcriptτ is given by

Pr[Θreal=τ] = Pr

∀i,∀j,∀g

h e

EL(Ti, Mi) =Ci, E(Kbj,Xbj) =Yj, E(Kg, Ig) =Lg

i

·Pr [KևK:K].

First, we consider the distribution of keys. In the ideal world, all components of L = (K, L1, . . . , Ls) are sampled uniformly and independently at random; the real world employs the block cipherE for generatingL1, . . . , Ls. Let us focus on K, which is sampled uniformly in both worlds:

Pr [KևK:K] = 1

(23)

The remaining hash-function keyL1, . . . , Lswill be considered in turn. To prove the remainder of our claim in Lemma 3, we have to show that

Pr

∀i,∀j,∀g

h e

EL(Ti, Mi) =Ci, E(Kbj,Xbj) =Yj, E(Kg, Ig) =Lg

i

(4)

≥Pr

∀i

e

π(Ti, Mi) =Ci·Pr

∀j

h

E(Kbj,Xbj) =Yji· s

Y

g=1

Pr [Lgև{0,1}n:Lg].

We reindex the keys used in primitive queries to Kb1_{, . . . ,}Kbℓ _{to eliminate}

dupli-cates and group all primitive queries into setsKbj_{, for}₁_≤_j _≤_{ℓ, s.t. all sets are} distinct and each setKbj _{contains exactly only the primitive queries with key}_K_bj_:

b

Kj_:=n_K_bi_,_X_bi_,_Y_bi_:_K_bi₌_K_bjo_.

We denote bybkj₌_|_K_bj_|_{the number of queries with key}_K_bj_{. Clearly, it holds that} ℓ≤qP andPℓj=1bkj=qP.

Moreover, we also re-index the tweaks of the construction queries toT1_{, . . . ,}Tr

for the purpose of eliminating duplicates. Given these new indices, we group all construction queries into setsTj_{, for}₁_≤_j_≤_{r, s.t. all sets are distinct and each} set Tj _{contains exactly only all construction queries with the tweak}_Tj_:

Tj:= Ti_{, M}i_{, C}i_:Ti₌Tj

We denote by tj ₌ _|Tj_| _{the number of queries with tweak} _Tj_{. It holds that} r≤qC andPr_j₌₁tj =qC.

First, we consider the probability of an obtained good transcript in the ideal world. Therein, all componentsL1, . . . , Lsare sampled independently uniformly at random from{0,1}n_{. So, in the ideal world, it holds that}

s

Y

g=1

Pr [Lgև{0,1}n:Lg] = 1

(2n₎s.

Recall that everyπ_e(Tj_,_·₎_and_π_e−1₍Tj_,_·₎ _{is a permutation, and the assumption}

that A does not ask duplicate queries or such to which it already knows the answer. So, all queries are pairwise distinct. The probability to obtain the outputs of our transcript for some fixed tweakTj _{is given by}

1

2n_·₍₂n₋₁₎_{· · · · ·}₍₂n₋_tj_{+ 1)} =

1 (2n₎

tj

.

The same applies for the outputs of the primitive queries in our transcript for some fixed keyKbj_:

1 (2n₎

b kj

(24)

The outputs of construction and primitive queries are independent from each other in the ideal world. Over all disjoint key and tweak sets, the probability for obtaining τ in the ideal world is given by

Pr [Θideal=τ] =

r

Y

i=1

1 (2n₎

tj ! ·   ℓ Y j=1 1 (2n₎

b kj

 · 1

(2n₎s ·

1

|K|. (5)

It remains to upper bound the probabilityτ in the real world. We observe that for every pair of queries i and j with Ti ₌ _Tj_{, it holds that} _Hi

2 = H j 2, i.e., both queries always target the same underlying permutation. Moreover, in the real world, two distinct tweaksTi ₆₌_Tj _{can still collide in their hash-function} outputsHi

2=H j

2. In this case, the queries with tweaksTi andTj also use the same permutation. Furthermore, there may be hash-function outputs Hi

2 from construction queries that are identical to keys Kbj _{that were used in primitive} queries. In this case, both queries also employ the same permutation and so, the outputs from primitive and from construction queries are not independent as in the ideal world. Moreover, the derived keysLi are also constructed from the same block cipher E; hence, the inputsKi may also use the same permutation as primitive and construction queries.

For our purpose, we also reindex the keys in all primitive queries into sets to

b

K1_{, . . . ,} Kbℓ_{, and also reindex the tweaks in construction queries to} T1_{, . . .}Tr

to eliminate duplicates. We define key sets Kj_{, for} ₁ _≤ _j _≤_{ℓ, and tweak sets} Tj_{, for} ₁ _≤ _j _≤ _{r, analogously as we did for the ideal world. Moreover, for} every so-indexed tweak Ti_{, we compute its corresponding value} _H₂i_{. We also}

reindex the hash values H2j to H12, . . . ,Hu2 for duplicate elimination, and group the construction queries into sets

Hj₂:=n Ti_{, M}i_{, C}i_:_H2₍_{L, T}i_{) =}_Hj 2

o

.

We denote byhj2=|H j

2|the number of queries whose tweak maps toH j

2. Clearly, it still holds thatPui=1hi2=qC. We can define an ordering s.t. for all1≤i≤u,

Ti_{is mapped to}_Hi

2. Since for all1≤i≤r, all queries of tweakTj are contained in exactly one setH₂j, there exists somej∈ {1, . . . , u}, s.t. it holds

u

X

j=1 hj2=

r

X

i=1

ti=qC, u≤r, and hi2≥ti, for all1≤i≤r.

Hence, it follows from Fact 1 that

u

Y

j=1

1 (2n₎

hj 2 ≥ r Y i=1 1 (2n₎

ti

.

(25)

into setsKj_{, for}₁_≤_j_≤_{w, s.t. all sets are distinct and each set contains exactly} those key-generating tuples with the keyK_j_:

Kj:=(Ii, Ki) :Ki=Kj. .

On this base, we unify and reindex the valuesHj

2, Kbj, and Kj to valuesP1, . . . ,

Pv _(using_P _{for permutation). We group all queries into sets}_Pj_{, for}₁_≤_j _≤_v, s.t. all sets are distinct and each set Pj _{consists of exactly the union of all} construction queries with the hash value H₂ ₌ Pj_{, all primitive queries with} b

K₌Pj_{, and all key-generating tuples with}K₌Pj_:

Pj :=Hi2:Hi2=Pj ∪

n b

Ki:Kbi₌Pj o

∪Ki :Ki ₌Pj _.

We denote by pj ₌_|Pj_|_{the number of queries that use the same permutation.} Clearly, it holds thatPv_j₌₁pj ₌_q

P+qC+s. Recall thatBlock(k, n)denotes the set of all k-bit key,n-bit block ciphers. In the following, we call a block cipher E compatible withτ iff

1. For all 1 ≤i ≤qC, it holds that Ci =EHi

2 M i_⊕_Hi

1

⊕Hi

3, where H1i = H1(L,Ti₎_, _H₂i ₌_H2₍_L,Ti₎_{, and}_H₃i ₌_H3₍_L,Ti₎_{, and}

2. for all1≤j≤qP, it holds thatYbj=EKbj(Xbj),

3. and for all1≤g≤s, it holds thatLi=EKi(Ii).

LetComp(τ)denote the set of all block ciphers Ecompatible with τ. Then,

Pr [Θreal=τ] = Pr [E_ևBlock(k, n) :E∈Comp(τ)]·Pr [K|Θreal =τ]. (6)

We focus on the first factor on the right-hand side. Since we assume that no bad events have occurred, the fraction of compatible block ciphers is given by

Pr [EևBlock(k, n) :E∈Comp(τ)] =

v

Y

i=1

1 (2n₎

pi

.

It holds that

v

X

i=1

pi=qP+qC+s= ℓ

X

j=1

b

kj+

r

X

j=1 tj+

w

X

j=1 kj=

ℓ

X

j=1

b

kj+

u

X

j=1 hj2+

w

X

j=1 kj.

We can substitute the variablesbkj_,_hj

2, andkjon the right-hand side by auxiliary variableszj

v

X

i=1 pi =

ℓ+_Xu+w

j=1

zj where zj=

     b

kj _if_j_≤_ℓ,

hj2 ifℓ < j≤ℓ+u, kj _otherwise.

(26)

hash Hj

2, and/or all tuples(Ii, Ki) that use one valueKj, it further holds that for all1≤i≤v, there exists somej∈ {1, . . . , ℓ+u+w}s.t.

pi≥zj.

So, we can directly apply Fact 1, from which it follows that

v

Y

i=1

1 (2n₎

pi ≥   ℓ Y j=1 1 (2n₎

b kj  ·   u Y j=1 1 (2n₎

hj₂

 ·   w Y j=1 1 (2n₎

kj   (7) ≥   ℓ Y j=1 1 (2n₎

b kj  ·   r Y j=1 1 (2n₎

tj  ·   w Y j=1 1 (2n₎

kj   ≥   ℓ Y j=1 1 (2n₎

b kj  ·   r Y j=1 1 (2n₎

tj

 · 1

(2n₎s.

Using the combined knowledge from Equations (4) through (7), we can derive that the probability for obtaining the construction and primitive outputs in the transcript is at least as high as the probability in the ideal world:

Pr [Θreal=τ]≥Pr [Θideal=τ].