International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model

Authors:
Aldo Gunsing , Digital Security Group, Radboud University, Nijmegen
Joan Daemen , Digital Security Group, Radboud University, Nijmegen
Bart Mennink , Digital Security Group, Radboud University, Nijmegen
Download:
DOI: 10.13154/tosc.v2019.i4.1-22
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8451
Search ePrint
Search Google
Abstract: We present two tweakable wide block cipher modes from doubly-extendable cryptographic keyed (deck) functions and a keyed hash function: double-decker and docked-double-decker. Double-decker is a direct generalization of Farfalle-WBC of Bertoni et al. (ToSC 2017(4)), and is a four-round Feistel network on two arbitrarily large branches, where the middle two rounds call deck functions and the first and last rounds call the keyed hash function. Docked-double-decker is a variant of double-decker where the bulk of the input to the deck functions is moved to the keyed hash functions. We prove that the distinguishing advantage of the resulting wide block ciphers is simply two times the sum of the pseudorandom function distinguishing advantage of the deck function and the blinded keyed hashing distinguishing advantage of the keyed hash functions. We demonstrate that blinded keyed hashing is more general than the conventional notion of XOR-universality, and that it allows us to instantiate our constructions with keyed hash functions that have a very strong claim on bkh security but not necessarily on XOR-universality, such as Xoofffie (ePrint 2018/767). The bounds of double-decker and docked-double-decker are moreover reduced tweak-dependent, informally meaning that collisions on the keyed hash function for different tweaks only have a limited impact. We describe two use cases that can exploit this property opportunistically to get stronger security than what would be achieved with prior solutions: SSD encryption, where each sector can only be written to a limited number of times, and incremental tweaks, where one includes the state of the system in the variable-length tweak and appends new data incrementally.
Video from TOSC 2020
BibTeX
@article{tosc-2020-30085,
  title={Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universit├Ąt Bochum},
  volume={2019, Issue 4},
  pages={1-22},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8451},
  doi={10.13154/tosc.v2019.i4.1-22},
  author={Aldo Gunsing and Joan Daemen and Bart Mennink},
  year=2020
}