On the optimality of non-linear computations for symmetric key primitives

Abstract

Abstract A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with {\ell} block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate {\ell^{\prime}} block outputs and show that at least {(\ell+\ell^{\prime}-1)} block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to {\ell^{\prime}} blocks only. If {\ell=\ell^{\prime}} , in order to achieve SPRP security, the mode requires at least {2\ell} many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least {2r-1} many and overall at least {2r\ell-1} many block-functions for {\ell} many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least {2r} non-linear block-functions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least {\ell} many block-function invocations to process an {\ell} block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than {\ell} or (ii) the number of extra non-linear block-functions required to generate the tag depends on {\ell} .