Abstract

Cryptographic modes built on top of a blockcipher usually rely on the assumption that this primitive behaves like a pseudorandom permutation (PRP). For many of these modes, including counter mode and GCM, stronger security guarantees could be derived if they were based on a PRF design. We propose a heuristic method of transforming a dedicated blockcipher design into a dedicated PRF design. Intuitively, the method consists of evaluating the blockcipher once, with one or more intermediate state values fed-forward. It shows strong resemblance with the optimally secure EDMD construction by Mennink and Neves (CRYPTO 2017), but the use of internal state values make their security analysis formally inapplicable. In support of its security, we give the rationale of relying on the EDMD function (as opposed to alternatives), and present analysis of simplified versions of our conversion method applied to the AES. We conjecture that our main proposal AES-PRF, AES with a feed-forward of the middle state, achieves close to optimal security. We apply the design to GCM and GCM-SIV, and demonstrate how it entails significant security improvements. We furthermore demonstrate how the technique extends to tweakable blockciphers and allows for security improvements in, for instance, PMAC1.

Highlights

  • The conventional approach to cryptographic designs is to evaluate a blockcipher in a certain mode of operation, and undoubtedly the vast majority of MAC functions, encryption schemes, and authenticated encryption schemes follow this paradigm

  • Counter mode can be distinguished from a random encryption scheme in about 2^{n/2} data blocks: an adversary can keep m_i constant and observe that the c_i never collide, whereas they likely collide for a

  • The construction we introduce in Section 2.1, which we prove to attain at least the same level of security as EDMD


Summary

Introduction

The conventional approach to cryptographic designs is to evaluate a blockcipher in a certain mode of operation, and undoubtedly the vast majority of MAC functions, encryption schemes, and authenticated encryption schemes follow this paradigm. A birthday bound here renders these ciphers nearly unusable in several relevant modes of operation. Another prominent example of a scheme that, to a lesser extent, benefits from using a pseudorandom function over a pseudorandom permutation is the Wegman-Carter MAC [WC81, Bra82]: WC_{k,h}(u, m) = F_k(u) ⊕ h(m). Unlike the case of blockciphers, dedicated fixed-input-length pseudorandom function designs are scarce: the only well-known candidate in the literature is SURF by Bernstein [Ber97]. This scarcity was one of the reasons for the introduction of WCS over WC.
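The two observations above, that counter-mode keystream derived from a permutation never collides while a random function does, and that feeding an intermediate state forward turns the permutation into a function that behaves like the latter, can be seen on a small scale. The following is an added example, not code from the paper or its authors: it uses a constructed 16-bit toy SPN (PRESENT S-box, a fixed bit permutation, a deliberately simple key schedule) so that the whole domain can be enumerated, and applies the AES-PRF idea to it by XORing the state after the middle round into the ciphertext. The names toy_prp, toy_prf and counter_mode_distinguisher are this example's own. The toy says nothing about the security of AES-PRF; it only shows why the birthday distinguisher against a PRP-based counter mode works and why the feed-forward removes the property it exploits.

```python
from typing import Callable, List

# Constructed toy SPN, used only to illustrate PRP-vs-PRF behaviour; NOT a real cipher.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS = 16
ROUNDS = 10
MIDDLE = ROUNDS // 2  # state after this many rounds is fed forward (cf. AES-PRF)


def _sub_nibbles(state: int) -> int:
    """Apply the 4-bit S-box to each of the four nibbles (a bijection on 16 bits)."""
    out = 0
    for i in range(4):
        out |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def _permute_bits(state: int) -> int:
    """PRESENT-style bit permutation on 16 bits: bit i -> bit 4*i mod 15, bit 15 fixed."""
    out = 0
    for i in range(16):
        if (state >> i) & 1:
            j = 15 if i == 15 else (4 * i) % 15
            out |= 1 << j
    return out


def _round_keys(key: int) -> List[int]:
    """Toy key schedule (constructed, intentionally simple): 32-bit key -> ROUNDS+1 subkeys."""
    return [((key >> r) ^ (key * (2 * r + 1)) ^ (r * 0x5A5A)) & 0xFFFF for r in range(ROUNDS + 1)]


def toy_encrypt_with_states(x: int, key: int) -> List[int]:
    """Run the toy SPN and return the state after every key addition (index 0 = x ^ rk0)."""
    rks = _round_keys(key)
    state = x ^ rks[0]
    states = [state]
    for r in range(1, ROUNDS + 1):
        state = _sub_nibbles(state)
        if r != ROUNDS:  # no linear layer in the final round, as in AES
            state = _permute_bits(state)
        state ^= rks[r]
        states.append(state)
    return states


def toy_prp(x: int, key: int) -> int:
    """The blockcipher itself: every step is bijective, so this is a permutation."""
    return toy_encrypt_with_states(x, key)[ROUNDS]


def toy_prf(x: int, key: int) -> int:
    """AES-PRF-style conversion: ciphertext XOR the middle state, one cipher evaluation."""
    states = toy_encrypt_with_states(x, key)
    return states[ROUNDS] ^ states[MIDDLE]


def count_distinct(f: Callable[[int], int]) -> int:
    """Number of distinct outputs of f over the entire 16-bit domain."""
    return len({f(x) for x in range(1 << N_BITS)})


def counter_mode_distinguisher(oracle: Callable[[int], int], queries: int) -> str:
    """Encrypt a constant block under increasing counters and look for a keystream collision.

    For a permutation the ciphertext blocks can never repeat; for a random function (or a
    function that behaves like one) a repeat is expected after roughly 2^(n/2) blocks.
    """
    m = 0x1234  # constant plaintext block (constructed value)
    seen = set()
    for ctr in range(queries):
        c = oracle(ctr) ^ m
        if c in seen:
            return "PRF-like (collision found)"
        seen.add(c)
    return "PRP-like (no collision)"


if __name__ == "__main__":
    key = 0xDEADBEEF  # constructed key
    q = 8 * (1 << (N_BITS // 2))  # a small multiple of the birthday bound
    print("distinct outputs, PRP:", count_distinct(lambda x: toy_prp(x, key)))
    print("distinct outputs, feed-forward PRF:", count_distinct(lambda x: toy_prf(x, key)))
    print("counter mode over PRP:", counter_mode_distinguisher(lambda c: toy_prp(c, key), q))
    print("counter mode over PRF:", counter_mode_distinguisher(lambda c: toy_prf(c, key), q))
```

Over the full domain the permutation produces all 2^16 values exactly once, whereas the feed-forward construction loses roughly a 1/e fraction of them, which is the behaviour expected of a random function. The distinguisher with a few times 2^{n/2} counters finds a collision only for the feed-forward variant; this is the n/2-bit gap between PRP and PRF security that the paper sets out to close for real block sizes.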

Generic PRP-PRF Conversion Functions
Towards a Dedicated PRF
Optimal PRFs from Blockciphers
Generalized EDMD
Security Model
FastPRF Design
Rationale
Concrete Instantiation
Efficiency
Security Analysis
Unbalanced Variants
AES-PRF0
AES-PRF1
AES-PRF2
AES-PRF9
AES-PRF-GCM
AES-PRF-GCM-SIV
Extension to Tweakable Blockciphers
A Security Against Generic Attacks