Abstract

A multi-forkcipher (MFC) is a generalization of the forkcipher (FC) primitive introduced by Andreeva et al. at ASIACRYPT’19. An MFC is a tweakable cipher that computes s output blocks for a single input block, with s arbitrary but fixed. We define MFC security in the ind-prtmfp notion as indistinguishability from s tweaked permutations. Generalizing tweakable block ciphers (TBCs, s = 1) as well as forkciphers (s = 2), an MFC lends itself well to building simple-to-analyze modes of operation that support any number of cipher output blocks.

Our main contribution is the generic CTR encryption mode GCTR, which makes parallel calls to an MFC to encrypt a message M. We analyze the set of all 36 “simple and natural” GCTR variants under the nivE security notion of Peyrin and Seurin from CRYPTO’16. Our proof method uses an intermediate abstraction called tweakable CTR (TCTR) that captures the core security properties of GCTR common to all variants, making their analyses easier. Our results show that many of the schemes achieve anywhere from well beyond birthday-bound (BBB) to full n-bit security against nonce-respecting adversaries, and that some achieve BBB and close to full n-bit security even under realistic nonce-misuse conditions.

We finally present an efficiency comparison of GCTR using ForkSkinny (an MFC with s = 2) with the traditional CTR and the more recent CTRT modes, both instantiated with the SKINNY TBC. Our estimates show that any GCTR variant with ForkSkinny can achieve an efficiency advantage of over 20% for moderately long messages, illustrating that the use of an efficient MFC with s ≥ 2 brings a clear speed-up.

Highlights

  • Forkcipher (FC) [ALP+19b] is a novel symmetric primitive, originally conceived for efficient authenticated encryption (AE) of short messages

  • Most of the variants that use both a nonce and a random IV have a better bound as nonce- and IV-based encryption schemes (nivE) than as IV-based encryption schemes (ivE)

  • Case 3: When neither of the events U and V is applicable to the given generic CTR (GCTR) variant, and all MFC calls made during the q queries use distinct input-tweak pairs, there cannot be a trivial collision


Summary

Introduction

Forkcipher (FC) [ALP+19b] is a novel symmetric primitive, originally conceived for efficient authenticated encryption (AE) of short messages.

The CounTeR in Tweak (CTRT) encryption mode was proposed by Peyrin and Seurin [PS16]. It is a TBC-based CTR-style encryption mode in which the tweak value T is set to the counter block computed as the XOR of the random IV value and a counter (IV ⊕ j), and the cipher input value X is set to a unique nonce value N (fixed per message).

We reanalyze Tweakable HCTR (THCTR; a variable-input-length (VIL) enciphering scheme [DN18]), which uses as an internal building block a CTR-like encryption mode that is equal to our GCTR-4.

ForkSkinny in any of our GCTR modes achieves an efficiency improvement of over 20% over SKINNY in the same GCTR modes, for the same tweak and nonce sizes.
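The following is an added example, not code from the paper or from the ForkSkinny/SKINNY projects. It models the GCTR structure from the abstract (ceil(m/s) parallel calls to an s-output MFC) and the CTRT placement from the introduction (tweak = IV ⊕ j, input = N), and runs the "distinct input-tweak pairs over q queries" check that the Case 3 highlight relies on. Assumptions: the MFC is replaced by an HMAC-SHA256 keyed PRF stand-in (a real MFC is a family of s tweaked permutations; a CTR-style mode never inverts it, so a PRF reproduces the mode's call pattern but not the primitive's cost), n = 128 bits, and the two extra layouts `nonce_in_tweak_layout` and `nonce_only_layout` are placements chosen here for contrast and are not identified with any numbered GCTR variant of the paper. All function names are this example's own.

```python
"""Added example: GCTR-style keystream generation over an MFC stand-in,
with primitive-call counting and the (tweak, input)-pair distinctness check."""
import hashlib
import hmac
import os
from typing import Callable, List, Tuple

N_BYTES = 16  # n = 128-bit blocks (as for SKINNY / ForkSkinny); assumption for the example


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_counter(j: int) -> bytes:
    return j.to_bytes(N_BYTES, "big")


def mfc_stand_in(key: bytes, tweak: bytes, x: bytes, s: int) -> List[bytes]:
    """Stand-in for an MFC with s output blocks (assumption: HMAC-SHA256 PRF of
    (tweak, input, branch index); NOT a forkcipher, no inverse branches)."""
    assert len(tweak) == N_BYTES and len(x) == N_BYTES
    return [hmac.new(key, tweak + x + bytes([b]), hashlib.sha256).digest()[:N_BYTES]
            for b in range(s)]


# A layout decides where nonce N, random IV and counter j are placed (tweak or input).
Layout = Callable[[bytes, bytes, int], Tuple[bytes, bytes]]


def ctrt_layout(nonce: bytes, iv: bytes, j: int) -> Tuple[bytes, bytes]:
    """CTRT as described above: tweak T = IV xor j, input X = N."""
    return xor(iv, block_counter(j)), nonce


def nonce_in_tweak_layout(nonce: bytes, iv: bytes, j: int) -> Tuple[bytes, bytes]:
    """Illustrative nivE placement (assumption): tweak = N, input = IV xor j."""
    return nonce, xor(iv, block_counter(j))


def nonce_only_layout(nonce: bytes, iv: bytes, j: int) -> Tuple[bytes, bytes]:
    """Plain nonce-based CTR with no IV (assumption): tweak = N, input = j.
    A repeated nonce reuses every (tweak, input) pair, i.e. the whole keystream."""
    return nonce, block_counter(j)


def primitive_calls(nblocks: int, s: int) -> int:
    """GCTR needs ceil(m/s) MFC calls for m message blocks; s = 1 is ordinary TBC CTR."""
    return -(-nblocks // s)


def gctr_keystream(key: bytes, layout: Layout, nonce: bytes, iv: bytes, nbytes: int, s: int) -> bytes:
    nblocks = -(-nbytes // N_BYTES)
    blocks: List[bytes] = []
    for j in range(primitive_calls(nblocks, s)):  # independent calls: parallelizable
        tweak, x = layout(nonce, iv, j)
        blocks.extend(mfc_stand_in(key, tweak, x, s))
    return b"".join(blocks)[:nbytes]


def gctr_encrypt(key: bytes, layout: Layout, nonce: bytes, msg: bytes, s: int = 2, iv: bytes = None):
    iv = os.urandom(N_BYTES) if iv is None else iv
    return iv, xor(msg, gctr_keystream(key, layout, nonce, iv, len(msg), s))


def gctr_decrypt(key: bytes, layout: Layout, nonce: bytes, iv: bytes, ct: bytes, s: int = 2) -> bytes:
    return xor(ct, gctr_keystream(key, layout, nonce, iv, len(ct), s))


def all_pairs_distinct(layout: Layout, queries: List[Tuple[bytes, bytes, int]], s: int) -> bool:
    """Case 3 condition: over q queries (nonce, iv, nbytes), every MFC call uses a
    distinct (tweak, input) pair, so no trivial keystream collision can occur."""
    seen = set()
    for nonce, iv, nbytes in queries:
        for j in range(primitive_calls(-(-nbytes // N_BYTES), s)):
            pair = layout(nonce, iv, j)
            if pair in seen:
                return False
            seen.add(pair)
    return True


def keystreams_coincide(key: bytes, layout: Layout, nonce: bytes, iv1: bytes, iv2: bytes,
                        nbytes: int, s: int = 2) -> bool:
    """Nonce misuse probe: same nonce, two IVs. True means a two-time pad."""
    return (gctr_keystream(key, layout, nonce, iv1, nbytes, s)
            == gctr_keystream(key, layout, nonce, iv2, nbytes, s))


if __name__ == "__main__":
    key, nonce, msg = os.urandom(16), os.urandom(16), b"constructed sample plaintext, 45 bytes long.."
    iv, ct = gctr_encrypt(key, ctrt_layout, nonce, msg, s=2)
    print("roundtrip ok:", gctr_decrypt(key, ctrt_layout, nonce, iv, ct, s=2) == msg)
    print("calls for 3 blocks, s=1 vs s=2:", primitive_calls(3, 1), primitive_calls(3, 2))
    for name, lay in [("CTRT", ctrt_layout), ("nonce-only", nonce_only_layout)]:
        print(name, "keystream reuse under repeated nonce:",
              keystreams_coincide(key, lay, nonce, os.urandom(16), os.urandom(16), 64))
```

The distinctness check is what a mode designer runs before invoking the TCTR-style argument: with the CTRT placement, a repeated nonce still yields distinct tweaks as long as the random IVs do not collide across the counter range, whereas the IV-less placement collapses to identical (tweak, input) pairs and hence identical keystream, which is exactly the two-time-pad failure the nivE bounds in the paper are meant to quantify.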

Preliminaries
Nonce- and IV-based Encryption
Coefficient-H Technique
Syntax
Security of MFC
MFC-based CTR Mode and its Variants
Generic CTR
GCTR Variants
Discussion
Efficiency
Security
Tweakable CTR framework
Security of GCTR
Conclusion and Open Problems
Event U
Event V
Findings
C General Attack for the Insecure Variants
D A BB attack on Tweakable HCTR
