Journal of Cryptology

Tight Security of Cascaded LRW2



Abstract

At CRYPTO ’12, Landecker et al. introduced the cascaded LRW2 (or CLRW2) construction and proved that it is a secure tweakable block cipher up to roughly $2^{2n/3}$ queries. Recently, Mennink has presented a distinguishing attack on CLRW2 in $2n^{1/2}2^{3n/4}$ queries. In the same paper, he discussed some non-trivial bottlenecks in proving a tight security bound, i.e., security up to $2^{3n/4}$ queries. Subsequently, he proved security up to $2^{3n/4}$ queries for a variant of CLRW2 using a 4-wise independent AXU assumption and the restriction that each tweak value occurs at most $2^{n/4}$ times. Moreover, his proof relies on a version of mirror theory which is yet to be publicly verified.
In this paper, we resolve the bottlenecks in Mennink’s approach and prove that the original CLRW2 is indeed a secure tweakable block cipher up to roughly $2^{3n/4}$ queries. To do so, we develop two new tools: first, we give a probabilistic result that provides an improved bound on the joint probability of some special collision events, and second, we present a variant of Patarin’s mirror theory in tweakable permutation settings with a self-contained and concrete proof. Both results are of a generic nature and can be of independent interest. To demonstrate the applicability of these tools, we also prove tight security up to roughly $2^{3n/4}$ queries for a variant of DbHtS, called DbHtS-p, that uses two independent universal hash functions.
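The CLRW2 construction the abstract refers to, as an added reference implementation that is not part of the paper or of this record. It follows the standard definition LRW2[E,H]_{K,L}(T, M) = E_K(M ⊕ H_L(T)) ⊕ H_L(T), cascaded twice with independent key pairs (K1, L1) and (K2, L2). The block cipher E is a stand-in (a 4-round Feistel network with an HMAC-SHA256 round function; this is an assumption, and any 128-bit block cipher such as AES could replace it), H is the XOR-universal hash H_L(T) = L·T in GF(2^128) with the GCM reduction polynomial, and n = 128 is the block length in which the abstract's query bounds are stated. All key, tweak and message values are constructed sample values.

```python
"""Added reference implementation of LRW2 and cascaded LRW2 (CLRW2).

Not code from the paper. It follows the standard definitions:
    LRW2[E, H]_{K,L}(T, M) = E_K(M xor H_L(T)) xor H_L(T)
    CLRW2 = LRW2_{K2,L2}(T, LRW2_{K1,L1}(T, M)) with independent (K1,L1), (K2,L2)
Assumptions: E is a stand-in 128-bit keyed permutation (4-round Feistel with an
HMAC-SHA256 round function); H_L(T) = L * T in GF(2^128) is the XOR-universal
hash; n = 128 is the block length the abstract's bounds are stated in.
"""
import hashlib
import hmac
import os

N_BITS = 128
N_BYTES = N_BITS // 8
HALF = N_BYTES // 2
MASK = (1 << N_BITS) - 1
REDUCE = 0x87  # x^7 + x^2 + x + 1: low part of x^128 + x^7 + x^2 + x + 1
FEISTEL_ROUNDS = 4


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiplication modulo x^128 + x^7 + x^2 + x + 1 (bit i <-> x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1                      # multiply a by x
        if a >> N_BITS:              # degree reached 128: reduce
            a = (a & MASK) ^ REDUCE
    return r


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def axu_hash(L: bytes, T: bytes) -> bytes:
    """XOR-universal hash for a one-block tweak: H_L(T) = L * T in GF(2^128).
    For T != T', L*(T xor T') is uniform over a random L, so any fixed XOR
    difference is hit with probability 2^-128 (the AXU property LRW2 relies on)."""
    return gf128_mul(int.from_bytes(L, "big"),
                     int.from_bytes(T, "big")).to_bytes(N_BYTES, "big")


def _round_fn(K: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(K, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(K: bytes, M: bytes) -> bytes:
    """Stand-in block cipher E_K (assumption): balanced Feistel over a 128-bit block."""
    left, right = M[:HALF], M[HALF:]
    for i in range(FEISTEL_ROUNDS):
        left, right = right, xor(left, _round_fn(K, i, right))
    return left + right


def block_decrypt(K: bytes, C: bytes) -> bytes:
    """Inverse of block_encrypt: undo the Feistel rounds in reverse order."""
    left, right = C[:HALF], C[HALF:]
    for i in reversed(range(FEISTEL_ROUNDS)):
        left, right = xor(right, _round_fn(K, i, left)), left
    return left + right


def lrw2_encrypt(K: bytes, L: bytes, T: bytes, M: bytes) -> bytes:
    """One LRW2 layer: mask with H_L(T) before and after the block cipher."""
    h = axu_hash(L, T)
    return xor(block_encrypt(K, xor(M, h)), h)


def lrw2_decrypt(K: bytes, L: bytes, T: bytes, C: bytes) -> bytes:
    h = axu_hash(L, T)
    return xor(block_decrypt(K, xor(C, h)), h)


def clrw2_keygen(rng=os.urandom):
    """Two independent (block-cipher key, hash key) pairs."""
    return ((rng(N_BYTES), rng(N_BYTES)), (rng(N_BYTES), rng(N_BYTES)))


def clrw2_encrypt(keys, T: bytes, M: bytes) -> bytes:
    """Cascaded LRW2: second layer applied to the output of the first, same tweak."""
    (K1, L1), (K2, L2) = keys
    return lrw2_encrypt(K2, L2, T, lrw2_encrypt(K1, L1, T, M))


def clrw2_decrypt(keys, T: bytes, C: bytes) -> bytes:
    (K1, L1), (K2, L2) = keys
    return lrw2_decrypt(K1, L1, T, lrw2_decrypt(K2, L2, T, C))


if __name__ == "__main__":
    keys = clrw2_keygen()
    tweak, msg = b"constructed-twk1", b"constructed-msg1"   # constructed sample values
    ct = clrw2_encrypt(keys, tweak, msg)
    assert clrw2_decrypt(keys, tweak, ct) == msg
    print("CLRW2 ciphertext:", ct.hex())
```

Each tweak selects a different permutation of the block space, which is what makes the construction a tweakable block cipher; the abstract's bounds ($2^{2n/3}$ for the original proof, $2^{3n/4}$ here) bound the number of tweak/message queries an adversary may make before the two-layer cascade becomes distinguishable from an ideal tweakable permutation, so with n = 128 the hash keys L1 and L2 must be independent and uniformly random for the AXU argument to apply.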
