Abstract

A forkcipher is a keyed, tweakable function mapping an n-bit input to a 2n-bit output, which is equivalent to concatenating two outputs from two permutations. A forkcipher can be a useful primitive to design authenticated encryption schemes for short messages. A forkcipher is typically designed within the iterate-fork-iterate (IFI) paradigm, while the provable security of such a construction has not been widely explored. In this paper, we propose a method of constructing a forkcipher using public permutations as its building primitives. It can be seen as applying the IFI paradigm to the tweakable Even-Mansour ciphers. So our construction is dubbed the forked tweakable Even-Mansour (FTEM) cipher. Our main result is to prove that a (1, 1)-round FTEM cipher (applying a single-round TEM to a plaintext, followed by two independent copies of a single-round TEM) is secure up to $2^{2n/3}$ queries in the ideal permutation model.
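The following toy implementation is an added example, not code from the paper, to make the (1, 1)-round FTEM structure described in the abstract concrete: one single-round TEM on the plaintext, then two independent single-round TEMs on the intermediate value, giving the two output branches. It assumes n = 8 (so the three "public permutations" P0, P1, P2 are fixed, seeded lookup tables standing in for ideal permutations), and it assumes a particular uniform and XOR-universal hash instance, H_(a,b)(t) = a·t + b over GF(2^8), with an independent hash key per TEM round; the paper's own hash functions and parameters are not reproduced here. Single-round TEM is taken in its standard form, P(x ⊕ H_k(t)) ⊕ H_k(t).

```python
import random

N_BITS = 8
DOMAIN = 1 << N_BITS


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & DOMAIN:
            a ^= 0x11B
    return r


def make_public_perm(seed: int):
    """Constructed stand-in for an ideal public permutation P_i: a fixed,
    publicly known 8-bit permutation table and its inverse."""
    rng = random.Random(seed)
    table = list(range(DOMAIN))
    rng.shuffle(table)
    inv = [0] * DOMAIN
    for x, y in enumerate(table):
        inv[y] = x
    return table, inv


# Three independent public permutations, as in the (1, 1)-round FTEM.
P0, P0_INV = make_public_perm(0)
P1, P1_INV = make_public_perm(1)
P2, P2_INV = make_public_perm(2)


def hash_key(hk, t: int) -> int:
    """Assumed hash instance H_(a,b)(t) = a*t + b over GF(2^8).
    It is uniform (b masks the output) and XOR-universal (a*(t ^ t') is
    uniform for t != t'), which is what the TEM analysis requires."""
    a, b = hk
    return gf_mul(a, t) ^ b


def tem1(perm, hk, t: int, x: int) -> int:
    """Single-round tweakable Even-Mansour: P(x ^ H_k(t)) ^ H_k(t)."""
    h = hash_key(hk, t)
    return perm[x ^ h] ^ h


def tem1_inv(perm_inv, hk, t: int, y: int) -> int:
    h = hash_key(hk, t)
    return perm_inv[y ^ h] ^ h


def ftem_enc(key, t: int, x: int):
    """(1, 1)-round FTEM: iterate once, fork, iterate once on each branch.
    key = (k0, k1, k2), one independent hash key per TEM round."""
    k0, k1, k2 = key
    y = tem1(P0, k0, t, x)
    return tem1(P1, k1, t, y), tem1(P2, k2, t, y)


def ftem_dec(key, t: int, branch: int, c: int) -> int:
    """Invert one branch back to the plaintext."""
    k0, k1, k2 = key
    if branch == 0:
        y = tem1_inv(P1_INV, k1, t, c)
    else:
        y = tem1_inv(P2_INV, k2, t, c)
    return tem1_inv(P0_INV, k0, t, y)


def ftem_reconstruct(key, t: int, branch: int, c: int) -> int:
    """Forkcipher reconstruction: from one output block, recover the sibling
    block by walking back to the fork point and forward down the other leg."""
    k0, k1, k2 = key
    if branch == 0:
        y = tem1_inv(P1_INV, k1, t, c)
        return tem1(P2, k2, t, y)
    y = tem1_inv(P2_INV, k2, t, c)
    return tem1(P1, k1, t, y)


def branch_is_permutation(key, t: int, branch: int) -> bool:
    """Each branch of a forkcipher must be a permutation of the n-bit domain
    for a fixed (key, tweak); check it exhaustively on the toy domain."""
    outs = {ftem_enc(key, t, x)[branch] for x in range(DOMAIN)}
    return len(outs) == DOMAIN
```

The reconstruction function is the feature that distinguishes a forkcipher from two parallel tweakable block ciphers: an AE mode can transmit one branch as ciphertext, keep the other as the tag, and verification only needs to recompute the sibling block from the received one.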

Highlights

  • A half of the output can be seen as a ciphertext while the other half can be used to authenticate the message

  • With a significant amount of research in this area, we have a rich set of general-purpose authenticated encryption (AE) schemes, some already standardized (e.g., GCM and CCM) and some expected to be adopted by new applications and standards

  • Research efforts are still needed in AE, in particular, for high-performance and low-latency processing of short messages


Summary

Introduction

A half of the output can be seen as a ciphertext while the other half can be used to authenticate the message. It might be faster than existing block cipher-based authenticated encryption modes, in particular, for short messages. They proposed a dedicated forkcipher ForkSkinny by applying the IFI paradigm to the tweakable block cipher Skinny [BJK+16]. We weaken the ingredients by using three public permutations, where all parties have access to the underlying primitives; we will propose a way of constructing a forkcipher on top of random permutations, and study its provable security in the ideal permutation model. This can be seen as the first step in making the model analyzed in provable security fashion more faithful to an actual iterate-fork-iterate instance, such as ForkSkinny. TEM when the underlying permutations and the round hash keys are all independent

Our Contribution
Notation
Uniform and XOR-Universal Hash Functions
Tweakable Block Cipher
Forkcipher
Indistinguishability
H-coefficient Technique
Security of FTEM
Proof of Lemma 3
Proof of Lemma 4
Conclusion