Abstract

We present two tweakable wide block cipher modes from doubly-extendable cryptographic keyed (deck) functions and a keyed hash function: double-decker and docked-double-decker. Double-decker is a direct generalization of Farfalle-WBC of Bertoni et al. (ToSC 2017(4)), and is a four-round Feistel network on two arbitrarily large branches, where the middle two rounds call deck functions and the first and last rounds call the keyed hash function. Docked-double-decker is a variant of double-decker where the bulk of the input to the deck functions is moved to the keyed hash functions. We prove that the distinguishing advantage of the resulting wide block ciphers is simply two times the sum of the pseudorandom function distinguishing advantage of the deck function and the blinded keyed hashing distinguishing advantage of the keyed hash functions. We demonstrate that blinded keyed hashing is more general than the conventional notion of XOR-universality, and that it allows us to instantiate our constructions with keyed hash functions that have a very strong claim on bkh security but not necessarily on XOR-universality, such as Xoofffie (ePrint 2018/767). The bounds of double-decker and docked-double-decker are moreover reduced tweak-dependent, informally meaning that collisions on the keyed hash function for different tweaks only have a limited impact. We describe two use cases that can exploit this property opportunistically to get stronger security than what would be achieved with prior solutions: SSD encryption, where each sector can only be written to a limited number of times, and incremental tweaks, where one includes the state of the system in the variable-length tweak and appends new data incrementally.
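The round order described in the abstract (keyed hash, deck, deck, keyed hash) can be sketched as a toy four-round Feistel network. This is an added illustration, not the paper's specification or code: HMAC-SHA256 and SHAKE256 are stand-ins for the keyed hash and deck functions, and the equal split, the 32-byte hash width, the per-round subkeys and feeding the tweak to the deck calls are all assumptions of the sketch.

```python
import hashlib
import hmac

N = 32  # keyed-hash output width in bytes (assumed for this toy)

def keyed_hash(key: bytes, data: bytes) -> bytes:
    """Stand-in for the keyed hash: fixed N-byte output."""
    return hmac.new(key, data, hashlib.sha256).digest()

def deck(key: bytes, tweak: bytes, data: bytes, outlen: int) -> bytes:
    """Stand-in for a deck function: keyed, variable-length input and output."""
    h = hashlib.shake_256()
    for part in (key, tweak, data):  # length prefixes keep the encoding unambiguous
        h.update(len(part).to_bytes(8, "big") + part)
    return h.digest(outlen)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR b into the leading len(b) bytes of a; the rest of a is unchanged."""
    return bytes(x ^ y for x, y in zip(a, b)) + a[len(b):]

def subkeys(key: bytes) -> list:
    """Derive one key per round (assumed key schedule, not from the paper)."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(4)]

def encrypt(key: bytes, tweak: bytes, pt: bytes) -> bytes:
    if len(pt) < 2 * N:
        raise ValueError("toy needs at least 2*N bytes of input")
    k = subkeys(key)
    left, right = pt[:len(pt) // 2], pt[len(pt) // 2:]
    left = xor(left, keyed_hash(k[0], right))                # round 1: keyed hash
    right = xor(right, deck(k[1], tweak, left, len(right)))  # round 2: deck
    left = xor(left, deck(k[2], tweak, right, len(left)))    # round 3: deck
    right = xor(right, keyed_hash(k[3], left))               # round 4: keyed hash
    return left + right

def decrypt(key: bytes, tweak: bytes, ct: bytes) -> bytes:
    if len(ct) < 2 * N:
        raise ValueError("toy needs at least 2*N bytes of input")
    k = subkeys(key)
    left, right = ct[:len(ct) // 2], ct[len(ct) // 2:]
    right = xor(right, keyed_hash(k[3], left))               # undo round 4
    left = xor(left, deck(k[2], tweak, right, len(left)))    # undo round 3
    right = xor(right, deck(k[1], tweak, left, len(right)))  # undo round 2
    left = xor(left, keyed_hash(k[0], right))                # undo round 1
    return left + right
```

The output has the same length as the input, and changing a single plaintext bit or the tweak changes the whole ciphertext, which is the wide-block behaviour the abstract describes.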

Highlights

  • Block ciphers have long been the main building block for symmetric cryptography

  • With full disk encryption the nonce serves as the sector index

  • Where σ is the total data complexity, σW is the data complexity with tweak W, qW the number of queries with tweak W, Advprf is the prf-advantage of the deck function and Advbkh is the bkh-advantage of the keyed hash function


Summary

Introduction

Block ciphers have long been the main building block for symmetric cryptography. Block ciphers operate on data of fixed and predetermined length. One can encrypt data of variable length by using a block cipher in a mode of operation, such as counter mode, CBC or OFB. Security of such modes typically depends on a nonce. Where the encryption should be length-preserving and there is no place for a nonce, one can use a tweakable wide block cipher. This encrypts arbitrarily large strings in such a way that each bit of the ciphertext depends on each bit of the plaintext and vice versa.

Deck-Based Wide Block Cipher Modes
Blinded Keyed Hashing Model
Security
Reduced Tweak-Dependence
Comparison with Prior Solutions
Related Work
Security Model
Deck Functions
Differentially Uniform Hash Functions
H-Coefficient Technique
Blinded Keyed Hashes
Characterization of the Advantage
Relation to Differentially Uniform Functions
Analysis
Transcripts
Docked-Double-Decker
Analysis of Bad Transcripts
Analysis of Good Transcripts
Disk Encryption
Incremental Tweak
A Adiantum