1 Introduction

On-line Ciphers

Restating the informal definition by Rogaway and Zhang [32], a cryptographic transform is called on-line if it can be realized by an algorithm that, for any allowed input, reads its input bytes one at a time in order and computes the corresponding output bytes one at a time in order, using only a constant-bound amount of memory and/or latency. On-line ciphers were introduced by Bellare et al. [7]: for some fixed n (which typically represents the block size of the underlying primitive), a message M is considered as a sequence of n-bit blocks \(M_{1}, \ldots, M_{m}\), \(|M_{i}| = n\), for 1 ≤ i ≤ m. Then, an on-line cipher is a deterministic length-preserving permutation where the i-th output block \(C_{i}\) depends only on the first i input blocks \(M_{1}, \ldots, M_{i}\) and the secret key. Boldyreva and Taesombut [13] later strengthened this definition to include the requirements of being computable with constant memory and latency.

Limitations

Due to their nature, on-line ciphers cannot provide the usual security notion of general ciphers, i.e., indistinguishability from a PRP (pseudorandom permutation) or SPRP (strong PRP). This stems directly from the fact that a secure cipher must make every bit of the ciphertext depend on every bit of the plaintext and vice versa – a requirement which prohibits constant-bound memory and latency. So, the security notions of on-line ciphers are derived forms of the notions for ciphers in general. As the ideal primitive, Bellare et al. [7] proposed an on-line permutation (OPRP), that is, a family of permutations \(P = \{P_{i} \,|\, P_{i}: (\{0,1\}^{n})^{i-1} \times \{0,1\}^{n} \to \{0,1\}^{n}\}\), for i ≥ 1, such that every \(P_{i}\) takes the current message block \(M_{i}\) as input and all previous input blocks \(M_{1}, \ldots, M_{i-1}\) as “tweak” that defines the permutation \(P_{i}(M_{1} \,\Vert\, \ldots \,\Vert\, M_{i-1}, \cdot)\). An on-line cipher is then called secure if it is infeasible to distinguish it from an OPRP (on-line pseudorandom permutation) or SOPRP (strong OPRP).

Applications

Despite their limitations, on-line ciphers are highly valuable in practice, for they allow messages to be encrypted securely within a single pass. This is particularly important in environments with demanding throughput or low-latency requirements. Moreover, various network APIs in practice are stream-oriented, which makes it impossible to buffer the entire input. In authenticated encryption, the use of OPRP-secure on-line ciphers limits the consequences of nonce reuse, which motivated their application in several CAESAR [10] candidates. Note that many renowned block-cipher modes, e.g., CBC, CTR, or the encryption procedures of GCM [25] and OCB [21], actually are on-line ciphers. What renders the latter secure against chosen-plaintext attacks is the dependency on additional input such as an encrypted nonce. Without it, their standalone encryption would lack even basic OPRP security due to the missing dependency between blocks. In the remainder, we focus on on-line ciphers that provide at least OPRP security without depending on auxiliary inputs.

Existing Block-Cipher-Based On-line Ciphers

Due to their similarity to CBC, early on-line ciphers were inherently sequential. Bellare et al. [7] proposed HCBC1 and HCBC2, both of which use one call to the block cipher and one call to an almost-XOR-universal hash function. The major difference is that the former construction employs a single multiplication and provides only OPRP security, whereas the latter construction uses two multiplications to achieve SOPRP security. Boldyreva and Taesombut [13] later proposed a variant of HCBC2, called HPCBC, that prepended the encryption of a random IV in order to fit their strengthened notions. Nandi [29, 30] proposed two modified SOPRP-secure variants of HCBC1 and HCBC2, called MHCBC and MCBC. His MCBC construction replaces the additional call to a universal hash function by a second invocation of the block cipher. Rogaway and Zhang [32] could also eliminate any additional calls by employing a tweakable block cipher for their constructions TC1, TC2, and TC3. In parallel to them, Fleischmann et al. published the on-line authenticated encryption (AE) scheme McOE [17], also based on a tweakable block cipher. Their McOE-G variant was similar to TC3, but added the tag-splitting approach for handling arbitrary-length inputs. Yet, all of them were strictly sequential.

More recently proposed on-line ciphers have targeted improved efficiency. The on-line cipher POE (and the derived AE scheme POET) by Abed et al. [1] combines two calls to a universal hash function with one call to the block cipher per message block, which allows the message processing to be pipelined. Andreeva et al. [4] proposed the first (almost) fully parallelizable OPRP-secure on-line cipher COPE (and the derived AE scheme COPA). Their design followed an Encrypt-Mix-Encrypt [18] approach at the cost of two block-cipher calls per block. Datta and Nandi adapted this strategy in their AE schemes ELmE and ELmD [14, 15] with a modified Mix layer; the CAESAR candidates ELmD and COPA have later been merged to COLM [2]. COBRA [5] employed a variant of the two-round Feistel network from OTR [27]; however, COBRA has been broken and withdrawn from the CAESAR competition. Last but not least, OleF [11] combined the Encrypt-Mix-Encrypt idea with the double-block approach and applied a four-round Feistel network to each for inverse-free decryption.

Beyond-Birthday-Bound Security

While there has been significant progress on efficiency, the security of all on-line ciphers and on-line AE schemes above is still limited by the birthday bound, i.e., at most \(\ll 2^{n/2}\) blocks can be encrypted under the same key for a block size of n bits. For on-line AE schemes, this bound matches the common expectations for privacy. However, there is a significant gap to the optimal authenticity bound of O(/2^{n}), which was already criticized by Lu [24]. A birthday-bound limitation is also relevant in resource-constrained environments, where schemes would have to be instantiated with a lightweight block cipher. Using the de-facto standard block size of n = 64 bits for lightweight ciphers (e.g. for PRESENT [12, 19]), the security would already have vanished after encrypting about \(2^{32}\) blocks (64 GiB); for example, if 1 MiB messages were allowed (\(2^{17}\) blocks), the forgery probability would become about 1/16 already after \(2^{13}\) messages had been processed under the same key. Nonetheless, one can imagine various further settings where beyond-birthday-bound (BBB) security is desirable for on-line ciphers.

Contribution

This work proposes POEx, a BBB-secure family of on-line ciphers which combines the XTX approach by Iwata and Minematsu [28] with ideas from TCx [32], McOE [17], and POE [1]. While our proposal is similar to those three schemes, their security is limited by the birthday bound since the adversary has full control over n bits of the tweak, whereas it does not in POEx. Table 1 compares our approach to existing on-line ciphers and encryption procedures from on-line nonce-misuse-resistant AE schemes. Since there exist well-known methods to transform a given on-line cipher into an AE-secure on-line AE scheme (e.g. [7, 17, 32]), this work proposes only a family of on-line ciphers and leaves the (non-trivial) task of extending it to a BBB-secure AE scheme for future work.

Table 1 Comparison of existing OPRP-secure on-line ciphers and on-line nonce-misuse-resistant block-cipher-based AE schemes with our proposal

Outline

What remains is structured as follows: after briefly reviewing the preliminaries, Section 3 describes the generic POEx. Next, Section 4 recalls the relevant security notions. Section 5 provides the results of our security analysis. Section 6 provides a discussion and conclusion.

2 Preliminaries

We use notation similar to that in [3]. We use lowercase letters x, y for indices and integers, uppercase letters X, Y for binary strings and functions, and calligraphic uppercase letters \({\mathcal {X}}, {\mathcal {Y}}\) for sets. We denote the concatenation of binary strings X and Y by \(X \,\Vert\, Y\) and the result of their bitwise XOR by \(X \oplus Y\). We indicate the length of X in bits by |X|, and write \(X_{i}\) for the i-th block. \(X \twoheadleftarrow \mathcal {X}\) denotes that X is chosen uniformly at random from the set \(\mathcal {X}\). We define three sets of particular interest: let \(\mathsf {Perm}(\mathcal {X})\) be the set of all permutations on \(\mathcal {X}\), \(\mathsf {{TPerm}}(\mathcal {T}, \mathcal {X})\) the set of all tweaked permutations over \(\mathcal {X}\) with associated non-empty tweak space \(\mathcal {T}\), and \(\mathsf{OPerm}_{n}\) the set of all n-bit on-line permutations. We denote by \(X_{1}, \ldots , X_{j} \xleftarrow {x} X\) an injective splitting of the string X into blocks such that \(X = X_{1} \,\Vert\, \cdots \,\Vert\, X_{j}\) with \(|X_{i}| = x\) for 1 ≤ i ≤ j − 1, and \(|X_{j}| \le x\). For an event E, we denote by Pr[E] the probability of E.

For a set \({\mathcal {X}}\), we denote an ℓ-element list by \(X = (X_{1}, \ldots , X_{\ell })\) with \(X \in {\mathcal {X}}^{\ell }\). We denote an i-element sub-list as \(X_{1..i} := (X_{1}, \ldots, X_{i})\). Given sets \(\mathcal{X}\) and \(\mathcal{Y}_{i}\), for 1 ≤ i ≤ ℓ, and a mapping \(H: {\mathcal {X}} \to {\mathcal {Y}}_{1} \times {\cdots } \times {\mathcal {Y}}_{\ell }\) with multiple outputs, we denote by H(X)[i] the i-th output \(Y_{i} \in \mathcal{Y}_{i}\). For sets \(\mathcal{X}\) and \(\mathcal{Y}\), let ℓ-element lists \(X = (X_{1}, \ldots , X_{\ell })\), \(X^{\prime } = (X^{\prime }_{1}, \ldots , X^{\prime }_{\ell })\), \(Y = (Y_{1}, \ldots, Y_{\ell})\), and \(Y^{\prime } = (Y^{\prime }_{1}, \ldots , Y^{\prime }_{\ell })\) with \(X, X^{\prime} \in \mathcal{X}^{\ell}\) and \(Y, Y^{\prime } \in \mathcal {Y}^{\ell }\). We call (X, Y) and (X′, Y′) element-wise disjoint and denote it by (X, Y) ≢ (X′, Y′) iff it holds that \((X_{1..i}, \allowbreak Y_{1..i}) \ne (X^{\prime }_{1..i}, \allowbreak Y^{\prime }_{1..i})\), for all 1 ≤ i ≤ ℓ.

3 Generic definition of POEx

This section defines the generic POEx construction. Fix integers n,τ ≥ 1. Let \({\mathcal {K}}_{1}\) and \({\mathcal {K}}_{2}\) be non-empty key sets and \(\mathcal {K} = \mathcal {K}_{1} \times \mathcal {K}_{2}\). Further, we define two non-empty tweak sets \(\mathcal {T} = \{0,1\}^{\tau }\) and \({\mathcal {T}}^{\prime } = (\{0,1\}^{n})^{2}\). Let \({\mathcal {M}}, {\mathcal {C}} \subseteq (\{0,1\}^{n})^{*}\) denote message and ciphertext space, respectively. Let \(\mathcal {H} = \{ H | H: \mathcal {T}^{\prime } \to \{0,1\}^{n+\tau } \}\) be a family of 𝜖-cpAXU hash functions, where a key \(K_{2} \in \mathcal {K}_{2}\) defines the instance \(H \in \mathcal {H}\). We will explain this particular notion of universality in the following section.

Further, let \({\widetilde {{E}}}: {\mathcal {K}}_{1} \times {\mathcal {T}} \times \{0,1\}^{n} \to \{0,1\}^{n}\) denote a tweakable block cipher and let \({\widetilde {{D}}}: {\mathcal {K}}_{1} \times {\mathcal {T}} \times \{0,1\}^{n} \to \{0,1\}^{n}\) denote its inverse (since \({\widetilde {E}}^{-1,T}\) may be misleading). We will write \({\widetilde {E}_{K}^{T}}(\cdot )\) and \({\widetilde {{D}}_{K}^{T}}(\cdot )\) as short forms of \(\widetilde {E}(K, T, \cdot )\) and \({\widetilde {{D}}}(K, T, \cdot )\), respectively. Moreover, we will use \((W_{i}, V_{i}) \gets H_{K_{2}}(X_{i-1}, Y_{i-1})\) to also mean that W i represents the first n bit of the output of H, and V i the remaining bits. Next, we recall the definition of XTX briefly, which will simplify our later definition of POEx.

Definition 1 (XTX [28])

Let \(K_{1}, K_{2} \in {\mathcal {K}}\) be independent, let \({\mathcal {T}}\), \({\widetilde {E}}\), and \(\mathcal {H}\) be defined as above, and let \(\mathcal {T}^{\prime }\) be a space. Let \(H \in \mathcal {H}\) be defined by K 2. Then, \(\textsc {XTX}[{\widetilde {{E}}}, H]: {\mathcal {K}}_{1} \times {\mathcal {K}}_{2} \times {\mathcal {T}^{\prime }} \times \{0,1\}^{n} \to \{0,1\}^{n}\) is defined as

$$\textsc{XTX}[{\widetilde{{E}}}, H]_{K_{1},K_{2}}^{T}(M) := {\widetilde{{E}}}_{K_{1}}^{V}(M \oplus W) \oplus W, \text{ where} \ (W, V) \gets H_{K_{2}}(T). $$

For encryption, POEx fixes a pair of initial chaining values \((X_{0}, Y_{0})\) to constants: \(X_{0} = \text{const}_{x}\) and \(Y_{0} = \text{const}_{y}\), such that \(({\text {const}_{x}} {\,\Vert \,} {\text {const}_{y}}) \in {\mathcal {T}}^{\prime }\). For the i-th input block, the values \(W_{i}\) and \(V_{i}\) are derived from \(X_{i-1}\) and \(Y_{i-1}\) by \(H_{K_{2}}\). To compute the i-th ciphertext block \(C_{i}\), \(V_{i}\) is used as tweak for \(\widetilde {E}\), and \(W_{i}\) is XORed to the message block \(M_{i}\) to derive the next top-row chaining value \(X_{i} \gets M_{i} \oplus W_{i}\). The result of its encryption with \(\widetilde {E}\) under key \(K_{1}\) and tweak \(V_{i}\) yields the next bottom-row chaining value: \(Y_{i} \gets \widetilde {E}_{K_{1}}^{V_{i}}(X_{i})\). \(C_{i}\) is then given by \(C_{i} \gets Y_{i} \oplus W_{i}\). The procedure is repeated for all message blocks and the ciphertext C results from the concatenation \(C \gets (C_{1} \,\Vert\, \cdots \,\Vert\, C_{m})\). A schematic illustration of the encryption process is shown in Fig. 1. The decryption works analogously. We define \(\textsc {POEx}[\widetilde {E}, H] = (\mathcal {E}, \mathcal {D})\) with deterministic encryption algorithm \(\mathcal {E}: \mathcal {K} \times {\mathcal {M}} \to {\mathcal {C}}\) and deterministic decryption algorithm \({\mathcal {D}}: {\mathcal {K}} \times {\mathcal {C}} \to {\mathcal {M}}\) as given in Algorithm 1. For all \(K \in \mathcal {K}\), \(M \in \mathcal {M}\), and \(C \in \mathcal {C}\), it holds that \({{\mathcal {D}}}_{K}({{\mathcal {E}}}_{K}(M)) = M\) and \({{\mathcal {E}}}_{K}({{\mathcal {D}}}_{K}(C)) = C\).

Fig. 1

Encryption of a three-block message \(M = (M_{1}, M_{2}, M_{3})\) with \(\textsc {POEx}[{\widetilde {{E}}},H]\). \({\widetilde {{E}}}: {\mathcal {K}}_{1} \times \{0,1\}^{\tau } \times \{0,1\}^{n} \to \{0,1\}^{n}\) is a tweakable block cipher and \(H: \{0,1\}^{2n} \to \{0,1\}^{n+\tau}\) a keyed universal hash function
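The encryption and decryption just described, as an added worked example in Python that is not part of the paper: a toy 64-bit Feistel network keyed via HMAC-SHA256 stands in for the tweakable block cipher \(\widetilde{E}\) and keyed BLAKE2b for \(H_{K_{2}}\), neither of which is claimed to be an ε-cpAXU family or a vetted TBC, and the constants, keys and messages are constructed for the demo. It also shows that each POEx block step is one XTX call with tweak \(T = (X_{i-1}, Y_{i-1})\), and checks the common-prefix behaviour via \(\textsc{LLCP}_{n}\).

```python
import hashlib
import hmac

N_BYTES = 8      # block size n = 64 bits (toy parameter, constructed for the demo)
TAU_BYTES = 8    # tweak size tau = 64 bits

# Hypothetical initial chaining values const_x, const_y (the paper fixes them
# to constants but does not prescribe which ones).
CONST_X = bytes(N_BYTES)
CONST_Y = bytes([0xFF]) * N_BYTES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Stand-in for the tweakable block cipher E~ / D~ ------------------------
# A 4-round Feistel network over 64-bit blocks whose round function is
# HMAC-SHA256 keyed with K1 and domain-separated by (tweak, round). Every
# Feistel network is a permutation for each tweak, so D~ inverts E~ exactly.
# This is a placeholder, not a vetted STPRP-secure cipher.
def _round(k1: bytes, tweak: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(k1, tweak + bytes([r]) + half, hashlib.sha256).digest()[:4]


def tbc_encrypt(k1: bytes, tweak: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in range(4):
        left, right = right, xor(left, _round(k1, tweak, r, right))
    return left + right


def tbc_decrypt(k1: bytes, tweak: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(k1, tweak, r, left)), left
    return left + right


# --- Stand-in for the keyed hash H_{K2}: {0,1}^{2n} -> {0,1}^{n+tau} -------
# Keyed BLAKE2b is used only as a placeholder; the paper requires an
# eps-cpAXU family here, which this demo does not claim to instantiate.
def hash_wv(k2: bytes, x_prev: bytes, y_prev: bytes):
    d = hashlib.blake2b(x_prev + y_prev, key=k2,
                        digest_size=N_BYTES + TAU_BYTES).digest()
    return d[:N_BYTES], d[N_BYTES:]       # (W_i, V_i)


# --- XTX (Definition 1): E~^{V}(M xor W) xor W with (W, V) = H_{K2}(T) -----
def xtx_encrypt(k1: bytes, k2: bytes, tweak_pair, m: bytes) -> bytes:
    w, v = hash_wv(k2, *tweak_pair)
    return xor(tbc_encrypt(k1, v, xor(m, w)), w)


# --- POEx encryption / decryption as described in the text -----------------
def poex_encrypt(k1: bytes, k2: bytes, message: bytes) -> bytes:
    assert len(message) % N_BYTES == 0, "demo handles full blocks only"
    x, y = CONST_X, CONST_Y               # (X_0, Y_0)
    out = []
    for i in range(0, len(message), N_BYTES):
        m = message[i:i + N_BYTES]
        w, v = hash_wv(k2, x, y)          # (W_i, V_i) <- H_{K2}(X_{i-1}, Y_{i-1})
        x = xor(m, w)                     # X_i <- M_i xor W_i
        y = tbc_encrypt(k1, v, x)         # Y_i <- E~^{V_i}(X_i)
        out.append(xor(y, w))             # C_i <- Y_i xor W_i (one XTX call)
    return b"".join(out)


def poex_decrypt(k1: bytes, k2: bytes, ciphertext: bytes) -> bytes:
    assert len(ciphertext) % N_BYTES == 0, "demo handles full blocks only"
    x, y = CONST_X, CONST_Y
    out = []
    for i in range(0, len(ciphertext), N_BYTES):
        c = ciphertext[i:i + N_BYTES]
        w, v = hash_wv(k2, x, y)
        y = xor(c, w)                     # Y_i <- C_i xor W_i
        x = tbc_decrypt(k1, v, y)         # X_i <- D~^{V_i}(Y_i)
        out.append(xor(x, w))             # M_i <- X_i xor W_i
    return b"".join(out)


def llcp(a: bytes, b: bytes) -> int:
    """Length of the longest common n-block prefix (Definition 7)."""
    p = 0
    for i in range(0, min(len(a), len(b)), N_BYTES):
        if a[i:i + N_BYTES] != b[i:i + N_BYTES]:
            break
        p += 1
    return p


if __name__ == "__main__":
    k1, k2 = b"\x01" * 16, b"\x02" * 16              # constructed demo keys
    m1 = bytes(range(24))                            # three blocks
    m2 = m1[:16] + bytes(8)                          # shares a 2-block prefix
    c1, c2 = poex_encrypt(k1, k2, m1), poex_encrypt(k1, k2, m2)
    print("round trip ok:", poex_decrypt(k1, k2, c1) == m1)
    print("LLCP(M, M') =", llcp(m1, m2), " LLCP(C, C') =", llcp(c1, c2))
```

Because the two messages share \(X_{2}, Y_{2}\), the third blocks are processed under the same \((W_{3}, V_{3})\), so the ciphertexts agree on exactly the common prefix and differ from block three on.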

4 Security notions

4.1 Adversaries and Advantages

An adversary A is an efficient Turing machine that interacts with a given set of oracles that appear as black boxes to A. We denote by \(\mathbb {A}\) the class of all computationally bounded adversaries and \(\mathbf {A}^{\mathcal {O}}\) for the output of A after interacting with an oracle \(\mathcal {O}\). We write \({\Delta }_{\mathbf {A}}{\mathcal {O}^{L}}{\mathcal {O}^{R}} := | \Pr [{\mathbf {A}}^{\mathcal {O}^{L}} {\Rightarrow 1} ] - \Pr [{\mathbf {A}}^{\mathcal {O}^{R}} {\Rightarrow 1} ] | \) for the advantage of A to distinguish between oracles \(\mathcal {O}^{L}\) and \(\mathcal {O}^{R}\). All probabilities are defined over the random coins of the oracles and those of the adversary, if any. We say that A is a (q,σ,t)-X adversary if it asks at most q queries of at most σ blocks in total and runs in time at most t. We call A a (q,t)-X adversary if queries cannot contain multiple blocks. We write \( {\mathbf {{Adv}}^{X}_{F}}(q, \sigma , t) := \max _{{\mathbf {A}} \in {\mathbb {A}}}\{{\mathbf {{Adv}}^{X}_{F}}({\mathbf {A}})\}\) for the maximal advantage over all (q,σ,t)-X adversaries A on F and analogously for (q,t)-X adversaries. W.l.o.g., we assume that A never asks queries to which it already knows the answer.

We will provide pseudocode descriptions of the oracles, which will be referred to as games, according to the game-playing framework by Bellare and Rogaway [8]. Each game consists of a set of procedures. We define Pr[G(A) ⇒ x] as the probability that the game G outputs x when given A as input.

4.2 Security Definitions for Universal Hashing

Definition 2 (𝜖-Almost-(XOR-)Universal Hash Functions)

Define two sets of bit strings \({\mathcal {X}}, {\mathcal {Y}} \subseteq \{0,1\}^{*}\). Let \({\mathcal {H}} = \left \{ H \,\vert \, H: {\mathcal {X}} \to {\mathcal {Y}} \right \}\) denote a family of hash functions. \({\mathcal {H}}\) is called 𝜖-almost-universal (𝜖-AU) iff for all distinct elements \(X, X^{\prime } \in {\mathcal {X}}\), it holds that \(\Pr _{H {\twoheadleftarrow } {\mathcal {H}}}\left [ H(X) = \allowbreak H(X^{\prime }) \right ] \le \epsilon \). \({\mathcal {H}}\) is called 𝜖-almost-XOR-universal (𝜖-AXU) iff for all distinct \(X, X^{\prime } \in {\mathcal {X}}\) and \(Y \in {\mathcal {Y}}\), it holds that \(\Pr _{H {\twoheadleftarrow } {\mathcal {H}}}[ H(X) \oplus H(X^{\prime }) = Y] \le \epsilon \).

Minematsu and Iwata [28] introduced the notion of partial 𝜖-almost-XOR-universality, which will be useful for our later security analysis of POEx.

Definition 3 (𝜖-Partial-AXU Hash Functions)

Let n,m ≥ 1 be fixed and \({\mathcal {X}}\) be a non-empty set. Let \(\mathcal {H} = \left \{H \,\vert \, H: {\mathcal {X}} \to \{0,1\}^{n} \times \{0,1\}^{m} \right \}\) be a family of hash functions. We say that \(\mathcal {H}\) is (n,m,𝜖)-partial-AXU or short (n,m,𝜖)-pAXU iff for all distinct elements \(X, X^{\prime } \in {\mathcal {X}}\) and all Δ ∈{0,1}n, it holds that

$$\max_{X, X^{\prime}, {\Delta}} \Pr_{H {\twoheadleftarrow} \mathcal{H}} \left[ H(X) \oplus H(X^{\prime}) = ({\Delta}, 0^{m}) \right] \le \epsilon. $$

Informally, the notion captures the probability that one part of a given pair of hashes H(X) and H(X′) collides and the other part has a specific non-zero difference. Clearly, an 𝜖-AXU hash function is also 𝜖-pAXU. In the following, we introduce a notion of chained partial-almost-XOR universality to articulate the security requirements when the inputs depend on earlier outputs of the hash function.

Throughout the following, let integers n,m ≥ 1 and let \(\mathcal {H} = \{H \,\vert \, H: \{0,1\}^{n} \times \{0,1\}^{n} \to \{0,1\}^{n} \times \{0,1\}^{m} \}\) be a family of hash functions. From it, we derive a chained construction \(\mathcal {H}^{i} = \{ H^{i} \,|\, H^{i}: \{0,1\}^{n} \times \{0,1\}^{n} \times (\{0,1\}^{n})^{i} \times (\{0,1\}^{n})^{i} \to \{0,1\}^{n} \times \{0,1\}^{m} \}\) for a positive integer i.

Definition 4 (One-sided Chained Hash Functions)

Let \(H \in \mathcal {H}\) be given as above. We define the instances \(H^{i}(X_{0}, Y_{0}, M_{1..i-1}, C_{1..i-1}) = (W_{i}, V_{i})\) of \(\mathcal {H}^{i}\) for all integers i ≥ 1 and all inputs \(X_{0}, Y_{0} \in \{0,1\}^{n}\) and \(M, C \in (\{0,1\}^{n})^{i-1}\) recursively as

$$(W_{i}, V_{i}) {:=} \left\{\begin{array}{ll} H\left( X_{0}, Y_{0} \right) & \text{if} \ i = 1, \\ H(W_{i-1} \oplus M_{i-1}, W_{i-1} \oplus C_{i-1}) & \text{otherwise,} \end{array}\right. $$

where \(W_{i-1} := H^{i-1}(X_{0}, Y_{0}, M_{1..i-2}, C_{1..i-2})[1]\) denotes the first output of \(H^{i-1}\).

Definition 5 (𝜖-Chained-Partial-AXU Hash Functions)

Let H and \(\mathcal {H}^{c}\) be given as above for some positive integer c. For 1 ≤ i ≤ c − 1, we define \(X_{i} = W_{i} \oplus M_{i}\) and \(Y_{i} = W_{i} \oplus C_{i}\), and for 1 ≤ i ≤ c, we define Boolean variables

$$E_{i} {:=} H^{i}\left( X_{0}, Y_{0}, M_{1..i-1}, C_{1..i-1} \right) \oplus H^{i}\left( X_{0}, Y_{0}, M^{\prime}_{1..i-1}, C^{\prime}_{1..i-1} \right) =\left( {\Delta}, 0^{m}\right). $$

We say that \(\mathcal {H}^{c}\) is (n,m,c,𝜖)-chained-pAXU or short (n,m,c,𝜖)-cpAXU iff for all \({\Delta} \in \{0,1\}^{n}\), \(X_{0}, Y_{0} \in \{0,1\}^{n}\), and all \(M, M^{\prime}, C, C^{\prime} \in (\{0,1\}^{n})^{c-1}\) s.t. for all intermediate values \((X_{i}, Y_{i}) \ne (X_{j}, Y_{j})\) with 1 ≤ j < i ≤ c, it holds that \( \Pr _{\scriptsize {H {\twoheadleftarrow } \mathcal {H}}} \left [ E_{i} \right ] \le \epsilon \).

Note that sampling the instance H from \({\mathcal {H}}\) also defines \(H^{i}\). Further note that an (n,m,c,𝜖)-cpAXU hash function is also (n,m,𝜖)-pAXU since the partial-AXU notion represents the case c = 1; however, for c > 1, cpAXU poses a stronger requirement on the hash function than pAXU.

4.3 Security definitions for tweakable block ciphers

We briefly recall the security notions for tweakable block ciphers from [22, 32].

Definition 6 (TPRP/STPRP Advantage)

Fix n ≥ 1. Let \({\mathcal {K}}\) and \({\mathcal {T}}\) denote a non-empty key and tweak space, respectively. Let \(\widetilde {E}: \mathcal {K} \times \mathcal {T} \times \{0,1\}^{n} \to \{0,1\}^{n}\) be a tweakable block cipher and \({\widetilde {{D}}}\) its inverse. Further, let A, A′ be computationally bounded adversaries, where A has access to an oracle and A′ has access to two oracles. Let \(\widetilde {\pi } \twoheadleftarrow {\mathsf {{TPerm}}}({\mathcal {T}}, \{0,1\}^{n})\) and \(K {\twoheadleftarrow } {\mathcal {K}}\). Then, the TPRP advantage of A wrt. \({\widetilde {E}}\) and the STPRP advantage of A′ wrt. \(\widetilde {E}\) and \({\widetilde {{D}}}\) are defined as \( {\mathbf {{Adv}}^{\textsc {TPRP}}_{{\widetilde {{E}}}}}({\mathbf {A}}) := \underset {\mathbf {A}}{\Delta }({{\widetilde {{E}}}_{K}};{{\widetilde {\pi }}})\) and \({\mathbf {{Adv}}^{\textsc {STPRP}}_{{\widetilde {{E}}}, {\widetilde {D}}}}({\mathbf {A}}^{\prime }) := {\mathop {\mathrm {\Delta }}_{{\mathbf {A}}^{\prime }}({{\widetilde {{E}}}_{K}, {\widetilde {D}}_{K}};{{\widetilde {\pi }}, {\widetilde {\pi }}^{-1}})} \).

4.4 Security definitions for on-line ciphers

A secure cipher should behave like a random permutation. It is easy to see that on-line ciphers cannot guarantee this property since the encryption of message block \(M_{i}\) must not depend on the subsequent blocks \(M_{j}\), for j > i. The on-line behavior implies that two messages M, M′ that share a p-block common prefix are always encrypted to two ciphertexts C, C′ that also share a p-block common prefix. Hence, an on-line cipher Π is called secure iff no ciphertext reveals any further information about a plaintext than its length and the longest common prefix with previous messages.

Definition 7 (Length of Longest Common Prefix [17])

Fix n ≥ 1 and let \({\mathcal {M}} \subseteq (\{0,1\}^{n})^{*}\). Given \(M, M^{\prime } \in {\mathcal {M}}\), we define the length of their longest common prefix as \(\textsc {LLCP}{_n}(M, M^{\prime }) := \max _{i} \left \{1 \le j \le i: M_{j} = M^{\prime }_{j} \right \}\). Given a set \({\mathcal {Q}}\) of messages \(M^{\prime } \in \mathcal {M}\), we define \(\textsc {LLCP}{_n}(M, {\mathcal {Q}}) := \max _{M^{\prime } \in {\mathcal {Q}}}\left \{ \textsc {LLCP}{_n}(M, M^{\prime }) \right \}\).

Definition 8 (On-line Cipher)

Fix n ≥ 1. Let \({\mathcal {M}},{\mathcal {C}} \subseteq (\{0,1\}^{n})^{*}\) and let \({\mathcal {K}}\) be a non-empty space. Let \({\mathcal {E}}: {\mathcal {K}} \times (\{0,1\}^{n})^{*} \to (\{0,1\}^{n})^{*}\) be a keyed family of permutations that takes a key \(K \in {\mathcal {K}}\) and a message \(M \in {\mathcal {M}}\), and outputs a ciphertext \(C \in {\mathcal {C}}\) such that |C| = |M|. We call \({\Pi } = ({\mathcal {E}}, {\mathcal {D}})\) an on-line cipher iff for all i ∈ [1,|M|/n], C i depends only on M 1 through M i , and iff \({\mathcal {D}}\) is the decryption algorithm corresponding to \({\mathcal {E}}\).

Definition 9 (On-line Permutation)

Define integers i, j, m, n ≥ 1, and let \(P_{i}: (\{0,1\}^{n})^{i} \to \{0,1\}^{n}\) be a family of indexed n-bit permutations, i.e., for a fixed index \(j \in (\{0,1\}^{n})^{i-1}\), \(P_{i}(j, \cdot)\) is a permutation. We define an n-bit on-line permutation \(P: (\{0,1\}^{n})^{m} \to (\{0,1\}^{n})^{m}\) as a composition of m permutations \(P_{1} \cup P_{2} \cup \cdots \cup P_{m}\). An m-block input \(M = (M_{1}, \ldots, M_{m})\) is mapped to an m-block output \(C = (C_{1}, \ldots, C_{m})\) by \(C_{i} = P_{i}(M_{1} \,\Vert\, \cdots \,\Vert\, M_{i-1}, M_{i})\), for all 1 ≤ i ≤ m.

For any two distinct m-block inputs M, M′ that share an exactly p-block common prefix \(M_{1} \,\Vert\, \cdots \,\Vert\, M_{p}\), the corresponding outputs C = P(M), C′ = P(M′) satisfy \(C_{i} = C^{\prime }_{i}\) for all i ∈ [1, p] and p ≤ m. However, it holds that \(C_{p+1} \ne C^{\prime }_{p+1}\); moreover, all further blocks \(C_{i}, C^{\prime }_{i}\), with i ∈ [p + 2, m], are pairwise different with high probability. We denote by \(\mathsf{OPerm}_{n}\) the set of all n-bit on-line permutations. A random on-line permutation can be efficiently implemented by lazy sampling.
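Lazy sampling of a random n-bit on-line permutation P and its inverse, as an added example in Python that is not from the paper: the table of each \(P_{i}\) is indexed by the (i−1)-block prefix and filled on first use, with fresh entries drawn from the complement of that table's domain or range, which is also how the ideal oracles P and \(P^{-1}\) of a game-based proof can be realized; the 8-bit block size, seed and inputs are constructed for the demo.

```python
import random


class OnlinePermutation:
    """Lazily sampled n-bit on-line permutation P = P_1 ∪ P_2 ∪ ... (Definition 9).

    Each P_i is indexed by the (i-1)-block prefix M_1 || ... || M_{i-1}; its
    table is created on first use and extended one entry per fresh query, so
    memory grows only with the blocks actually queried.
    """

    def __init__(self, n_bits: int, seed: int = 0):
        self.n = n_bits
        self.rng = random.Random(seed)   # deterministic stand-in for ideal coins
        self.fwd = {}                    # prefix -> {M_i: C_i}
        self.inv = {}                    # prefix -> {C_i: M_i}

    def _tables(self, prefix):
        return self.fwd.setdefault(prefix, {}), self.inv.setdefault(prefix, {})

    def _fresh(self, used: dict) -> int:
        # Uniform over {0,1}^n minus the values already in `used`, i.e. over
        # the complement of the table's domain or range (rejection sampling).
        while True:
            v = self.rng.getrandbits(self.n)
            if v not in used:
                return v

    def encrypt(self, blocks):
        """C_i = P_i(M_1 || ... || M_{i-1}, M_i) for all i."""
        out = []
        for i, m in enumerate(blocks):
            fwd, inv = self._tables(tuple(blocks[:i]))
            if m not in fwd:             # unseen input under this prefix
                c = self._fresh(inv)
                fwd[m], inv[c] = c, m
            out.append(fwd[m])
        return out

    def decrypt(self, blocks):
        """M_i = P_i^{-1}(M_1 || ... || M_{i-1}, C_i); the index is the
        plaintext recovered so far, so decryption is on-line as well."""
        out = []
        for c in blocks:
            fwd, inv = self._tables(tuple(out))
            if c not in inv:             # unseen output under this prefix
                m = self._fresh(fwd)
                fwd[m], inv[c] = c, m
            out.append(inv[c])
        return out


def llcp_blocks(a, b) -> int:
    """Length of the longest common block prefix (Definition 7)."""
    p = 0
    for x, y in zip(a, b):
        if x != y:
            break
        p += 1
    return p


if __name__ == "__main__":
    P = OnlinePermutation(n_bits=8, seed=1)      # constructed toy parameters
    m1, m2 = [1, 2, 3, 4], [1, 2, 9, 4]          # 2-block common prefix
    c1, c2 = P.encrypt(m1), P.encrypt(m2)
    print("LLCP(C, C') =", llcp_blocks(c1, c2))  # 2: C_3 differs, C_4 independent
    print("inverse ok:", P.decrypt(c1) == m1)
```

Under the shared prefix (1, 2) both third blocks go through the same table \(P_{3}((1,2), \cdot)\), so they cannot collide, whereas the fourth blocks are indexed by different prefixes and are sampled independently.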

Definition 10 (OPRP/SOPRP Advantage)

Let \({\Pi } = ({\mathcal {E}}, {\mathcal {D}})\) be an on-line cipher with block size n ≥ 1 and \({\mathcal {K}}\) be a non-empty set. Let \(K {\twoheadleftarrow } {\mathcal {K}}\) and \(P {\twoheadleftarrow } {\textsf {OPerm}}_{n}\). Let A and A′ be computationally bounded adversaries, where A has access to an oracle \(\mathcal {O}\), and A′ has access to two oracles \({\mathcal {O}}_{1}\) and \({\mathcal {O}}_{2}\). Then, the OPRP advantage of A wrt. Π is defined as \({\mathbf {{Adv}}^{\textsc {OPRP}}_{\Pi }}({\mathbf {A}}) := \underset {\mathbf {A}}{\Delta }({{\mathcal {E}}_{K}};{P})\) and the SOPRP advantage of A′ wrt. Π and \(\Pi^{-1}\) as \(\textbf {Adv}^{\textsc {SOPRP}}_{{\Pi ,{\Pi }^{-1}}}(\mathbf {A}^{\prime }) := {\mathop {\mathrm {\Delta }}_{{\mathbf {A}}^{\prime }}({{\mathcal {E}}_{K}, {\mathcal {D}}_{K}};{P, P^{-1}})}\).

5 Security analysis of POEx

Prior to the security analysis, we recall a theorem for XTX that will be used in the proof later in this section. Throughout the remainder, fix τ,n ≥ 1. Let \(\mathcal {K}_{1}\), \(\mathcal {K}_{2}\), \(\mathcal {T} = \{0,1\}^{\tau }\), and \(\mathcal {T}^{\prime }\) denote spaces and define \(\mathcal {K} = \mathcal {K}_{1} \times \mathcal {K}_{2}\). Further, let \(\widetilde {\pi } \twoheadleftarrow \mathsf {{TPerm}}(\mathcal {T}, \{0,1\}^{n})\) and \(\mathcal {H} = \{H | H: {\mathcal {T}}^{\prime } \to \{0,1\}^{n} \times {\mathcal {T}} \}\) be a family of hash functions.

Theorem 1 ([28])

Let \(\mathcal {H}\) be (n,τ,𝜖)-pAXU, where \(H \in \mathcal {H}\) is defined by \(K_{2} {\twoheadleftarrow } {\mathcal {K}}_{2}\). Let A be a (q,t)-STPRP adversary on \(\textsc {XTX}[{\widetilde {\pi }},H]\) with access to two oracles. Then,

$${\mathbf{{Adv}}^{\textsc{STPRP}}_{\textsc{XTX}[{\widetilde{\pi}},H],\textsc{XTX}[{\widetilde{\pi}}^{-1},H]^{-1}}}({\mathbf{A}}) \le \epsilon \cdot q^{2}. $$

Theorem 2 (SOPRP Security of Generic POEx)

Let \(K_{1}, K_{2} {\twoheadleftarrow } {\mathcal {K}}\) and \({\mathcal {T}}^{\prime } = \{0,1\}^{n} \times \{0,1\}^{n}\). Let \({\widetilde {{E}}}: {\mathcal {K}}_{1} \times {\mathcal {T}} \times \{0,1\}^{n} \to \{0,1\}^{n}\) be a tweakable block cipher and \(\mathcal {H}\) be \((n, \tau, 2^{n-1}, \epsilon)\)-cpAXU, where \(H \in \mathcal {H}\) is defined by \(K_{2}\). Let A be a (q,σ,t)-SOPRP adversary on \(\textsc {POEx}[\widetilde {E}, H]\) with access to two oracles and let \(\sigma < 2^{n-1}\) blocks. Then,

$${\mathbf{{Adv}}^{\textsc{SOPRP}}_{\textsc{POEx}[{\widetilde{{E}}}, H], \textsc{POEx}[{\widetilde{D}}, H]^{-1}}}({\mathbf{A}}) \le 2\sigma^{2}\epsilon \left( 1 + \frac{2^{\tau}}{2^{n}} \right) + \frac{4\sigma}{2^{n}} + {\mathbf{{Adv}}^{\textsc{STPRP}}_{{\widetilde{{E}}}, {\widetilde{{D}}}^{-1}}}(\sigma, O(t)). $$

Proof

Let A have access to two oracles that respond with either real encryptions (decryptions) using \(\textsc {POEx}[{\widetilde {E}}, H]\) (or \(\textsc {POEx}[{\widetilde {{D}}}, H]^{-1}\)), under a uniformly at random sampled secret key \((K_{1}, K_{2})\), or with results from an ideal on-line permutation \(P \twoheadleftarrow \textsf {OPerm}_{n}\) (or \(P^{-1}\)). W.l.o.g., assume that A is deterministic and asks no queries to which it already knows the answer. We apply a common strategy for handling bad events from both worlds: in the real world, all secrets, i.e., the key, are revealed to the adversary A after it finished its interaction with the available oracles and has output its decision bit regarding which world it interacted with. Similarly, in the ideal world, the oracle samples the keys independently and uniformly at random and also reveals them to A after A finished its interaction and has output its decision bit. So, the internal variables can be computed by A in both worlds afterwards.

Proof Idea

We bound \({\Delta }_{\mathbf {A}}({{{\mathcal {E}}}_{K}, {{\mathcal {D}}}_{K}};{P, P^{-1}})\) using a game-based approach. We define a sequence of games \(G_{1}\) through \(G_{4}\), for which the definitions of \(G_{2}\) and \(G_{3}\) are provided in Algorithm 3. We omit a separate definition of \(G_{1}\) since its oracles \(\mathcal {E}\) and \(\mathcal {D}\) function identically to those in Algorithm 1, and we omit that of \(G_{4}\) since it models the ideal on-line permutation. The second game \(G_{2}\) will differ from \(G_{1}\) in the sense that \(G_{2}\) will keep track of the adversary’s queries, and will replace the concrete block cipher \(\widetilde {E}\) by a uniformly at random sampled tweakable permutation \({\widetilde {\pi }} {\twoheadleftarrow } {\mathsf {{TPerm}}}({\mathcal {T}}, \{0,1\}^{n})\) and \({\widetilde {D}}\) by \({\widetilde {\pi }}^{-1}\), where \({\widetilde {\pi }}\) and \({\widetilde {\pi }}^{-1}\) are defined by lazy sampling. Moreover, \(G_{2}\) will define several bad events, although they will not affect the outputs.


Subsequently, we will describe a third game \(G_{3}\), which will behave differently from \(G_{2}\) iff those bad events occur. Finally, we will describe a game \(G_{4}\), which models an ideal on-line permutation, i.e., the encryption and decryption oracles of \(G_{4}\) are defined by \(P \twoheadleftarrow \textsf {OPerm}_{n}\) and \(P^{-1}\), respectively. The function Initialize provided in Algorithm 2 is identical for all games. Since it holds that

$$\underset{\mathbf{A}}{\mathrm{\Delta}}({{G}_{1}};{{G}_{4}}) \le \underset{\mathbf{A}}{\Delta}({{G}_{1}};{{G}_{2}}) + \underset{\mathbf{A}}{\Delta}({{G}_{2}};{{G}_{3}}) + \underset{\mathbf{A}}{\Delta}({{G}_{3}};{{G}_{4}}), $$

we can upper bound the distance between \(G_{1}\) and \(G_{4}\) by successively bounding the distance between every pair of two subsequent games.

Upper bound of \(\underset{\mathbf{A}}{\Delta}(G_{1}; G_{2})\)

\(G_{2}\) keeps track of the adversary’s queries by storing them in a set \({\mathcal {Q}}\). Moreover, \(G_{2}\) stores the chaining values \((X_{i}, Y_{i})\) in a set \(\mathcal {B}\). Storing them allows invoking an oracle \(\textsc{LLCP}_{n}\) that returns the longest common prefix p, i.e., the maximum number of common starting blocks p that the current plaintext M shares with any plaintext of previous queries. Analogously, we define an oracle \(\textsc {LLCP}_{n}^{C}\) which, given the current ciphertext query C, always returns the longest common prefix p of the current ciphertext C with any ciphertext of previous queries.

We define a function domain which takes \({\widetilde {\pi }}[V_{i}]\) and returns the combined set of all previously occurred inputs to \(\widetilde {\pi }[V_{i}]\) and all previously occurred outputs of \(\widetilde {\pi }[V_{i}]^{-1}\) over all blocks queried by A. Similarly, range takes \(\widetilde {\pi }[V_{i}]\) and returns the combined set of all previously occurred outputs of \({\widetilde {\pi }}[V_{i}]\) and all previously occurred inputs to \({\widetilde {\pi }}[V_{i}]^{-1}\) over all blocks of A’s queries. We further define two functions for codomain and corange: \(\overline {\textsf {domain}}(\widetilde {\pi }[V_{i}]) := \{0,1\}^{n} \setminus \textsf {domain}({\widetilde {\pi }}[V_{i}])\), \({\overline {\textsf {range}}}({\widetilde {\pi }}[V_{i}]) := \{0,1\}^{n} \setminus \textsf {range}({\widetilde {\pi }}[V_{i}])\) for all \(V_{i} \in \{0,1\}^{\tau}\). Moreover, recall that for a set \({\mathcal {B}} \subseteq {\mathcal {A}}\), the coset of \({\mathcal {B}}\) is defined as \({\overline {{\mathcal {B}}}} := {\mathcal {A}} \setminus {\mathcal {B}}\). Finally, we define a function \(\textsf {find}: (\{0,1\}^{n})^{2} \times {\mathcal {T}} \to (\{0,1\}^{n})^{2}\) as

$$\textsf{find}({\mathcal{B}}, V_{i}) := \left( {\overline{\textsf{domain}}}\left( {\widetilde{\pi}}[V_{i}]\right) \times {\overline{\textsf{range}}}\left( {\widetilde{\pi}}[V_{i}]\right)\right) \,\cap\, {\overline{{\mathcal{B}}}}. $$

Since for game \(G_{2}\), none of the sets or flags affects its outputs, it holds that

$$\underset{\mathbf{A}}{\Delta}({{G}_{1}};{{G}_{2}}) \le {\mathbf{{Adv}}^{\textsc{STPRP}}_{{\widetilde{{E}}}, {\widetilde{D}}^{-1}}}(\sigma, O(t)). $$

Upper bound of \(\underset{\mathbf{A}}{\Delta}(G_{2}; G_{3})\)

The third game \(G_{3}\) differs from \(G_{2}\) as follows: it resamples internal values if bad events occur in blocks beyond a common prefix:

  • In the encryption oracle, bad1 is set to true if both tweak and the cipher input for the current block repeat, i.e., there exist i,j ≥ 0: \((V_{i}, X_{i}) = (V^{\prime }_{j}, X^{\prime }_{j})\).

  • In the encryption oracle, bad2 is set to true if the pair of chaining values repeats, i.e., there exist i,j ≥ 0: \((X_{i}, Y_{i}) = (X^{\prime }_{j}, Y^{\prime }_{j})\).

  • In the decryption oracle, bad3 is set to true if both tweak and the cipher input for the current block repeat, i.e., there exist i,j ≥ 0: \((V_{i}, Y_{i}) = (V^{\prime }_{j}, Y^{\prime }_{j})\).

  • In the decryption oracle, bad4 is set to true if the pair of chaining values repeats, i.e., there exist i,j ≥ 0: \((X_{i}, Y_{i}) = (X^{\prime }_{j}, Y^{\prime }_{j})\).

The outputs of Game \(G_3\) differ from those of Game \(G_2\) only if a bad flag is set, i.e., they are identical until bad. We let A win if \(G_3\) sets any of the bad flags. It follows from the fundamental lemma of game playing [9] that

$$\underset{\mathbf{A}}{\Delta}({{G}_{2}};{{G}_{3}}) \le \Pr\left[{G}_{3}({\mathbf{A}}) \ \text{ sets} \ \textsf{bad} \right]. $$

Thus, we bound the probability that Game \(G_3\) sets bad. It holds that \(\Pr[\textsf{bad}] \le \Pr[\textsf{bad}_1 \lor \dots \lor \textsf{bad}_4]\). In the following, we consider two fixed blocks \(M_{i},M^{\prime }_{j}\) of two queries \(M, M^{\prime}\). First, we consider the probability that \(\textsf{bad}_1\) gets set, that is, the probability that both tweak \(V_i\) and chaining value \(X_i\) collide: \((V_{i}, X_{i}) = (V^{\prime }_{j}, X^{\prime }_{j})\). We are interested in the probability

$$\begin{array}{@{}rcl@{}} \Pr[\textsf{bad}_{1}] &\le& \Pr\left[(V_{i} = V^{\prime}_{j}) \land (X_{i} = X^{\prime}_{j})\right] \\ &=& \Pr\left[(V_{i} \oplus V^{\prime}_{j} = 0^{\tau}) \land (W_{i} \oplus W^{\prime}_{j} = M_{i} \oplus M^{\prime}_{j})\right]. \end{array} $$

If the \(i\)-th and \(j\)-th blocks were located directly after the common prefix of \(M\) and \(M^{\prime}\), it would automatically hold that \(V_{i} = V^{\prime }_{j}\); however, it would also hold that \(W_{i} = W^{\prime }_{j}\) and \(M_{i} \ne M^{\prime }_{i}\). Hence, \(X_{i} = X^{\prime }_{j}\) can never hold in that case. So, we consider the probability for blocks beyond the one directly after a common prefix. This implies that \((i,j) \ne (1,1)\), i.e., at least one of the indices must be greater than one; otherwise, the considered blocks \(M_i\) and \(M^{\prime }_{j}\) would be directly after the (empty) common prefix. W.l.o.g., we assume \(i > 1\). Then, \(Y_i\) is the result of \(\widetilde {\pi }[V_{i-1}](\cdot )\) and is therefore sampled at random from a set of size at least \(r \ge 2^{n} - \sigma \ge 2^{n-1}\). Since \(H\) is an \((n, \tau, 2^{n-1}, \epsilon)\)-cpAXU family of hash functions, it holds for a fixed pair of blocks that

$$\Pr[\textsf{bad}_{1}] = \Pr\left[(V_{i} \oplus V^{\prime}_{j} = 0^{\tau}) \land (W_{i} \oplus W^{\prime}_{j} = M_{i} \oplus M^{\prime}_{j})\right] \le \epsilon, $$

and \(\Pr[\textsf{bad}_1] \le \epsilon\sigma^{2}/2\) over all queries of at most \(\sigma\) blocks.

Next, we consider the probability that \(\textsf{bad}_2\) gets set, that is, the probability that a pair of chaining values repeats: \((X_{i}, Y_{i}) = (X^{\prime }_{j}, Y^{\prime }_{j})\). If the tweaks \(V_{i} = V^{\prime }_{j}\) also collide, it is easy to see that the permutation \({\widetilde {\pi }}[V_{i}]\) maps equal inputs \(X_{i} = X^{\prime }_{j}\) to equal outputs \(Y_{i} = Y^{\prime }_{j}\). However, this case is already covered by the probability that \(\textsf{bad}_1\) gets set, and we can focus on the case that chaining values repeat for different tweaks \(V_{i} \ne V^{\prime }_{j}\), i.e., for two permutations. It holds that

$$\begin{array}{@{}rcl@{}} \Pr[\textsf{bad}_{1} \lor \textsf{bad}_{2}] &=& \Pr[\textsf{bad}_{1}] + \Pr[\textsf{bad}_{2}] - \Pr[\textsf{bad}_{1} \land \textsf{bad}_{2}] \\ &=& \Pr[\textsf{bad}_{1}] + \Pr[\neg\textsf{bad}_{1} \land \textsf{bad}_{2}]. \end{array} $$

We obtain

$$\Pr[\neg\textsf{bad}_{1} \land \textsf{bad}_{2}] = \Pr\left[ (V_{i} \ne V^{\prime}_{j}) \land (X_{i} = X^{\prime}_{j}) \land (Y_{i} = Y^{\prime}_{j}) \right]. $$

Again, it follows that \((i,j) \ne (1,1)\) since otherwise, \(V_i = V^{\prime}_j\) would hold. It can happen that one of the indices is 0; w.l.o.g., we assume \(j = 0\), i.e., we consider a collision of the form \((X_i, Y_i) = (X_0, Y_0)\). Since \(Y_i\) is chosen by \({\widetilde {\pi }}[V_{i}](\cdot )\), the probability to hit \(Y_0\) is upper bounded by \(1/(2^{n} - \sigma)\) for a single block and \(\sigma/(2^{n} - \sigma)\) over at most \(\sigma\) blocks. So, we can focus on \(i, j > 0\) in the remainder, and assume w.l.o.g. \(i > 1\).

Since we have excluded the event \(\textsf{bad}_1\) from having occurred before, \(Y_{i-1}\) has been chosen by \({\widetilde {\pi }}[V_{i-1}](\cdot )\) uniformly at random from a set of size at least \(2^{n-1}\). From the fact that \(H\) is an \(\epsilon\)-cpAXU family of hash functions, it follows that

$$\Pr\left[(X_{i} = X^{\prime}_{j}) \land (V_{i} \ne V^{\prime}_{j}) \right] = \Pr\left[(W_{i} \oplus W^{\prime}_{j}) = (M_{i} \oplus M^{\prime}_{j})\right] \le 2^{\tau} \cdot \epsilon $$

since we allow all \(2^{\tau} - 1\) non-zero differences \(V_{i} \oplus V^{\prime }_{j}\) from the assumption that \(\textsf{bad}_1\) and \(\textsf{bad}_2\) have not already occurred. It follows from \(V_{i} \ne V^{\prime }_{j}\) that \(\widetilde {\pi }[V_{i}]\) and \(\widetilde {\pi }[V^{\prime }_{j}]\) are independent random permutations, and hence the probability that \(Y_{i} = Y^{\prime }_{j}\) holds is \(1/(2^{n} - |\mathcal {B}|)\). The term \(|\mathcal {B}|\) results from the fact that the game resamples \((X_i, Y_i)\) uniformly at random from all possible chaining values which are not in \(\mathcal {B}\) and which do not conflict with earlier values in the sets domain and range of \(\widetilde {\pi }[V_{i}]\) and \({\widetilde {\pi }}[V^{\prime }_{j}]\). There may be fewer than \(2^{n}\) values to sample from, but always at least \(2^{n} - (\sigma + 1)\) values. The ‘1’ represents the fact that \((X_0, Y_0)\) is already contained in \(\mathcal {B}\) at the initialization. So, we can upper bound

$$\Pr[\neg\textsf{bad}_{1} \land \textsf{bad}_{2}] \le \frac{2^{\tau} \cdot \epsilon}{2^{n}-(\sigma+1)} $$

for a fixed pair of queries and blocks; over all queries of at most \(\sigma\) blocks in total, it follows that

$$\Pr[\neg\textsf{bad}_{1} \land \textsf{bad}_{2}] \le \frac{\sigma^{2}}{2} \cdot \frac{2^{\tau} \cdot \epsilon}{2^{n}-(\sigma+1)} + \frac{\sigma}{2^{n} - \sigma}. $$

Since \(\textsf{bad}_3\) and \(\textsf{bad}_4\) represent events similar to \(\textsf{bad}_1\) and \(\textsf{bad}_2\) (only in decryption direction), it also follows that \(\Pr[\textsf{bad}_3] \le \epsilon\sigma^{2}/2\) and \(\Pr[\neg\textsf{bad}_3 \land \textsf{bad}_4] \le (\sigma^{2}/2) \cdot 2^{\tau}\epsilon/(2^{n} - (\sigma + 1)) + \sigma/(2^{n} - \sigma)\). Hence, it holds that

$$\begin{array}{@{}rcl@{}} \Pr[\textsf{bad}] &\le& 2 \left( \frac{\sigma^{2}}{2} \epsilon + \frac{\sigma^{2}}{2} \epsilon \cdot \frac{2^{\tau}}{2^{n} - (\sigma+1)} + \frac{\sigma}{2^{n} - \sigma} \right) \\ &\le& \sigma^{2}\epsilon \left( 1 + \frac{2^{\tau}}{2^{n} - (\sigma+1)} \right) + \frac{2\sigma}{2^{n} - \sigma}. \end{array} $$

Upper bound of \(\Delta_{\mathbf{A}}(G_3; G_4)\)

We let the adversary already win if \(G_3\) has set bad. It remains to consider the setting where \(G_3\) does not set bad for the current query. We consider a pair of two distinct queries \(Q = (M, C)\), \(Q^{\prime } = (M^{\prime }, C^{\prime }) \in \mathcal {Q}\) with \(m = |M|/n\) and \(m^{\prime} = |M^{\prime}|/n\). W.l.o.g., we assume \(m \le m^{\prime}\) and denote by \(p = \textsf{LLCP}_n(M, M^{\prime})\) the length of their common prefix. We study the difference in the outputs of Game \(G_3\) and an ideal on-line permutation of Game \(G_4\) for three cases: (C1) for output blocks in a common prefix, \(1 \le i \le p\), (C2) for the diverging block, i.e., \(i = p + 1\), and (C3) for output blocks after the diverging block, i.e., \(i > p + 1\).

Case C1: Behavior in the Common Prefix

In Game \(G_4\), \(P\) is a deterministic on-line cipher. In Game \(G_3\), the output blocks in the common prefix are chosen by an ideal tweaked permutation \(\widetilde {\pi }[V_{i}](X_{i})\) (or \(\widetilde {\pi }[V_{i}]^{-1}(Y_{i})\)). For the first block, the tweak \(V_1\) is always fixed. Hence, if \(M_{1} = M^{\prime }_{1}\) holds for two queries, it follows from the definition of POEx that \(C_{1} = C^{\prime }_{1}\). Clearly, the chaining values for the next block, \((X_1, Y_1)\) and \((X^{\prime }_{1}, Y^{\prime }_{1})\), are also identical for both queries; since \(H\) is deterministic, the tweaks for the next block must match, i.e., \((W_{2}, V_{2}) = (W^{\prime }_{2}, V^{\prime }_{2})\). In general, for all \(i \le p\), the inputs \(M_{i} = M^{\prime }_{i}\) (or the outputs \(C_{i} = C^{\prime }_{i}\)) are identical in the prefix, and the tweaks and therefore the inputs to \(\widetilde {\pi }[V_{i}]\) are also identical since \(X_{i-1} = X^{\prime }_{i-1}\) and \(Y_{i-1} = Y^{\prime }_{i-1}\). Hence, the advantage of A to distinguish both games is zero in this case. A similar argument holds for the decryption.

Case C2: Behavior Directly after the Common Prefix

Since \(M_{i} = M^{\prime }_{i}\) for all 1 ≤ ip, it follows that \(V_{p+1} = V^{\prime }_{p+1}\) and \(W_{p+1} = W^{\prime }_{p+1}\). So, it follows from \(M_{p+1} \ne M^{\prime }_{p+1}\) that \(X_{p+1} \ne X^{\prime }_{p+1}\) and therefore \(Y_{p+1} \ne Y^{\prime }_{p+1}\) since \({\widetilde {\pi }}[V_{p}]\) is a permutation. Consequently, it follows that

$$C_{p+1} = (W_{p+1} \oplus Y_{p+1}) \ne (W^{\prime}_{p+1} \oplus Y^{\prime}_{p+1}) = C^{\prime}_{p+1}. $$

So, \(C_{p+1}\) and \(C^{\prime }_{p+1}\) always differ in both games. A similar argument holds for decryption. Again, the advantage of A to distinguish both games is zero in this case.

Case C3: Behavior after the (p + 1)-th Block

In Game \(G_4\), each output block after a common prefix is chosen uniformly at random from \(\{0,1\}^{n}\). Let \(\mathcal {V}_{i}\) denote a set that collects all chaining-value pairs \((X_i, Y_i)\) for each occurring tweak \(V_i \in \{0,1\}^{\tau}\). In the real world, each output block is chosen uniformly at random from \(\{0,1\}^{n} \setminus \mathcal {V}_{i}\) for the respective current tweak \(V_i\). We consider two subcases: (3.1) blocks for which all tweaks \(V_{i} \ne V^{\prime }_{j}\) are distinct, and (3.2) blocks for which the corresponding tweaks collide, i.e., \(V_{i} = V^{\prime }_{j}\) for two message blocks \(M_i\) and \(M^{\prime }_{j}\). Recall that this case concerns only blocks that are neither part of a common prefix nor follow directly after one, and that it assumes no bad flag is set, i.e., no simultaneous collision in tweaks \(V_{i} = V^{\prime }_{j}\) and inputs \(X_{i} = X^{\prime }_{j}\) (or \(Y_{i} = Y^{\prime }_{j}\) in decryption direction) occurs.

Subcase 3.1

When the tweaks \(V_{i} \ne V^{\prime }_{j}\) are distinct, \({\widetilde {\pi }}[V_{i}]\) and \({\widetilde {\pi }}[V^{\prime }_{j}]\) define independent permutations. Therefore, there is no difference in the behavior between both games, i.e., the distinguishing advantage of A is zero in this subcase.

Subcase 3.2

If Game \(G_3\) does not set bad, the tuples \((X_i, Y_i)\) are always distinct for blocks that are not part of a longest common prefix. In the remainder of this subcase, we make the adversary A stronger than it is by giving it control over the pairs \((X_{i-1}, Y_{i-1})\) with the restriction that \((X_{i-1},Y_{i-1}) \ne (X^{\prime }_{j-1},Y^{\prime }_{j-1})\) always holds. So, A is able to choose \(M_i\), \(X_{i-1}\), and \(Y_{i-1}\), and must distinguish POEx with \(\textsc {XTX}[{\widetilde {\pi }}, H]\) from \(P\) only by observing the outputs \(C_i\) (and similarly, chooses \(C_i\), \(X_{i-1}\), and \(Y_{i-1}\), and observes \(M_i\) in decryption direction). It is easy to see that, due to Theorem 1, we can upper bound its advantage in this subcase by

$${\mathbf{{Adv}}^{\textsc{STPRP}}_{\textsc{XTX}[{\widetilde{\pi}},H],\textsc{XTX}[{\widetilde{\pi}}^{-1},H]^{-1}}}(\sigma, O(t)) \le \epsilon \cdot \sigma^{2}. $$

The bound in Theorem 2 follows then from adding up all individual terms. □
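To make Cases C1 and C2 and the bad-flag bookkeeping of Game \(G_3\) concrete, the following simulation is added here as an example; it is not code from the paper or from the POEx authors. It runs the chained construction of the proof, \((W_i, V_i) = H(X_{i-1}, Y_{i-1})\), \(X_i = M_i \oplus W_i\), \(Y_i = \widetilde{\pi}[V_i](X_i)\), \(C_i = Y_i \oplus W_i\), over a lazily sampled ideal tweakable permutation whose per-tweak tables play the role of domain and range above. Everything else is an assumption for the demo: \(n = 16\), \(\tau = 8\), a constant initial value \((X_0, Y_0) = (0,0)\), and a keyed SHA-256 stand-in for the cpAXU hash \(H\) (not a proven cpAXU family).

```python
"""POEx-style game simulation (added example; not the paper's code).

Assumptions not taken from the paper: n = 16-bit blocks, tau = 8-bit tweaks,
initial value (X_0, Y_0) = (0, 0), and a keyed SHA-256 stand-in for the
cpAXU hash H.  Per block i:
    (W_i, V_i) = H(X_{i-1}, Y_{i-1});  X_i = M_i ^ W_i;
    Y_i = pi~[V_i](X_i);               C_i = Y_i ^ W_i.
"""
import hashlib
import random

N, TAU = 16, 8          # assumed block and tweak size in bits
IV = (0, 0)             # assumed fixed chaining value (X_0, Y_0)


class IdealTweakablePermutation:
    """Lazily sampled ideal tweakable permutation pi~[V] (the G_2/G_3 idealization).
    fwd[V] maps domain(pi~[V]) to outputs; inv[V] maps range(pi~[V]) to inputs."""

    def __init__(self, rng):
        self.rng, self.fwd, self.inv = rng, {}, {}

    def forward(self, V, X):
        fwd, inv = self.fwd.setdefault(V, {}), self.inv.setdefault(V, {})
        if X not in fwd:                      # fresh input: sample Y from the corange
            Y = self.rng.randrange(1 << N)
            while Y in inv:
                Y = self.rng.randrange(1 << N)
            fwd[X], inv[Y] = Y, X
        return fwd[X]

    def inverse(self, V, Y):
        fwd, inv = self.fwd.setdefault(V, {}), self.inv.setdefault(V, {})
        if Y not in inv:                      # fresh output: sample X from the codomain
            X = self.rng.randrange(1 << N)
            while X in fwd:
                X = self.rng.randrange(1 << N)
            fwd[X], inv[Y] = Y, X
        return inv[Y]


def toy_h(key, X, Y):
    """Stand-in for H_K(X_{i-1}, Y_{i-1}) -> (W, V): keyed SHA-256 truncated to
    n + tau bits.  Assumption for the demo only; NOT a proven cpAXU family."""
    d = hashlib.sha256(key + X.to_bytes(N // 8, "big") + Y.to_bytes(N // 8, "big")).digest()
    return int.from_bytes(d[:N // 8], "big"), d[N // 8] & ((1 << TAU) - 1)


def poex_encrypt(key, tprp, blocks):
    """Returns (ciphertext blocks, transcript of (V_i, X_i, Y_i) per block)."""
    (Xp, Yp), C, tr = IV, [], []
    for M in blocks:
        W, V = toy_h(key, Xp, Yp)
        X = M ^ W
        Y = tprp.forward(V, X)
        C.append(Y ^ W)
        tr.append((V, X, Y))
        Xp, Yp = X, Y
    return C, tr


def poex_decrypt(key, tprp, blocks):
    """Inverse direction: Y_i = C_i ^ W_i, X_i = pi~[V_i]^{-1}(Y_i), M_i = X_i ^ W_i."""
    (Xp, Yp), M, tr = IV, [], []
    for C in blocks:
        W, V = toy_h(key, Xp, Yp)
        Y = C ^ W
        X = tprp.inverse(V, Y)
        M.append(X ^ W)
        tr.append((V, X, Y))
        Xp, Yp = X, Y
    return M, tr


def llcp(M1, M2):
    """Length p = LLCP_n(M, M') of the longest common prefix, in blocks."""
    p = 0
    while p < min(len(M1), len(M2)) and M1[p] == M2[p]:
        p += 1
    return p


def bad_flags(transcripts, messages):
    """Post-hoc check of the G_3 bad events over encryption transcripts (the game
    resamples; here we only report).  Block pairs at the same position inside a
    common prefix are skipped, since they repeat by construction (Case C1).
    bad1: (V_i, X_i) repeats; bad2: (X_i, Y_i) repeats, also against (X_0, Y_0)."""
    recs = [(q, i, V, X, Y) for q, tr in enumerate(transcripts) for i, (V, X, Y) in enumerate(tr)]
    flags = set()
    for a, (qa, ia, Va, Xa, Ya) in enumerate(recs):
        if (Xa, Ya) == IV:
            flags.add("bad2")
        for qb, ib, Vb, Xb, Yb in recs[a + 1:]:
            if qa != qb and ia == ib and ia < llcp(messages[qa], messages[qb]):
                continue
            if (Va, Xa) == (Vb, Xb):
                flags.add("bad1")
            if (Xa, Ya) == (Xb, Yb):
                flags.add("bad2")
    return flags


def demo(seed=1):
    """Two constructed queries sharing a 2-block prefix; returns the proof's checks."""
    rng, key = random.Random(seed), b"constructed-demo-key"   # constructed sample key
    tprp = IdealTweakablePermutation(rng)
    M1 = [0x0102, 0x0304, 0x0506, 0x0708]      # constructed sample message
    M2 = [0x0102, 0x0304, 0xFFFF, 0x0708]      # same prefix, diverges at block 3
    C1, t1 = poex_encrypt(key, tprp, M1)
    C2, t2 = poex_encrypt(key, tprp, M2)
    p = llcp(M1, M2)
    return {"p": p,
            "prefix_equal": C1[:p] == C2[:p],        # Case C1
            "diverging_differs": C1[p] != C2[p],     # Case C2
            "roundtrip": poex_decrypt(key, tprp, C1)[0] == M1,
            "flags": bad_flags([t1, t2], [M1, M2])}
```

The prefix equality and the inequality of the diverging block hold for every sampled permutation, exactly as the arguments for C1 and C2 state; they do not depend on the randomness. The bad flags are only reported after the fact rather than triggering a resample, and with these toy parameters a flagged collision between two blocks beyond the prefix is expected with probability on the order of \(2^{-(n+\tau)}\) per pair, so `demo()` normally returns an empty flag set.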


6 Discussion and conclusion

Efficient tweakable block ciphers

The TWEAKEY [20] framework is an efficient key-scheduling approach for substitution-permutation networks where tweak and key words are treated equally and are mixed into a so-called tweakey. Three tweakable block ciphers have been published in [20] alongside TWEAKEY: Joltik-BC, a lightweight cipher with a 64-bit state and tweakey sizes of 128 and 192 bits; Deoxys-BC, an AES-like cipher with a 128-bit state and tweakey sizes of 256 and 384 bits; and Kiasu-BC, a 128-bit cipher with a 64-bit tweak that does not follow the TWEAKEY approach but is identical to the AES if the tweak is zeroed. Recently, Beierle et al. proposed Skinny [6], another AES-like tweakable block cipher with a lightweight linear layer, which also treats tweak and key as a combined tweakey. The specification of Skinny proposes state sizes of \(n \in \{64, 128\}\) bits, and tweakey sizes of \(n\), \(2n\), and \(3n\) bits. Hence, Deoxys-BC-256 or Skinny-\(n/2n\) could appear as an appropriate choice for instantiation. Which tweakable block cipher is suitable, however, depends on the application setting. Less restricted environments may also allow wide-block tweakable ciphers such as ThreeFish [16]. Note that POEx can also be instantiated with a tweakable block cipher based on a classical block cipher, e.g., the well-known LRW/XEX designs [22, 31]. However, the term \(\mathbf {{Adv}}^{\textsc {STPRP}}_{\widetilde {E},\widetilde {D}}(\sigma , O(t))\) then limits their security to the birthday bound, whereas designs such as, e.g., [26, 33] can achieve beyond-birthday-bound security.

The bound

A bound with \(2^{\tau}/2^{n}\) might look bad for tweakable block ciphers with larger tweak length than state length, i.e., \(\tau > n\), as is the case for, e.g., Deoxys-BC-384 and Skinny-64/192. However, we stress that desirable universal hash functions should provide a cpAXU bound of \(\epsilon \le c/2^{\tau+n}\), for some small \(c\). Thus, a bound of \(2\sigma^{2}\epsilon \cdot (1 + 2^{\tau-n})\) will then become \((2c\sigma^{2})(1/2^{\tau+n} + 1/2^{2n})\), and provide security for up to \(O(2^{(\tau+n)/2})\) message blocks encrypted under the same key.

Comparison to TC2

POEx seems similar to TC2 by Rogaway and Zhang [32] if TC2 were instantiated with the XTX [28] tweak-domain extender by Minematsu and Iwata as a black box. However, such a generic instantiation could yield only birthday-bound security, given a simple OPRP attack as in Algorithm 4. Assume the adversary chooses the same value for all blocks in a long message. Then, if some pair of ciphertext blocks \(C_{j} = C^{\prime }_{j^{\prime }}\) collides, the collision will continue to the subsequent blocks \(C_{j+1} = C^{\prime }_{j^{\prime }+1}\) etc., since \(C_{j+1}\) depends only on \((M_j, C_j, M_{j+1})\) and \(C^{\prime }_{j^{\prime }+1}\) only on \((M^{\prime }_{j^{\prime }}, C^{\prime }_{j^{\prime }}, M^{\prime }_{j^{\prime }+1})\), which is equal to \((M_j, C_j, M_{j+1})\). Since the probability of such a collision is about \(\sigma^{2}/2^{n+1}\), it limits the OPRP security to the birthday bound.

In contrast to TC2, POEx avoids using the plain- and ciphertext blocks directly as chaining values, and instead uses only their XOR with two pseudorandom internal values that the adversary cannot fully control. Hence, two \(n\)-bit values have to match to obtain a collision in the chaining values that would lead to a distinguisher similar to the one above.

Extension to on-line authenticated encryption

The proposed on-line cipher can be extended to an on-line authenticated encryption scheme, when combined with a MAC that achieves beyond-birthday-bound security, e.g., PMAC2x [23], which can yield a 2n-bit output that can be used as initial value for POEx. Since it is desirable to use only a single key for the tweakable block cipher, a common approach is to introduce domains into the tweak such that the tweakable block cipher defines domain-separated distinct permutations for encrypting full message blocks, processing a partial final message block, the associated data, the nonce, as well as for computing the authentication tag. However, the details of defining those operations have to be handled with care since they still need to provide beyond-birthday-bound security.

Conclusion

This work proposed POEx, an on-line cipher with beyond-birthday-bound security that represents a chained construction of Iwata and Minematsu’s XTX domain extender for tweakable block ciphers. Our construction appears well-suited for environments where parallelism plays a subordinate role but where security beyond the birthday bound is essential due to small cipher block sizes and/or rare key changes. Moreover, POEx may serve as a starting point towards more secure on-line nonce-misuse-robust AE schemes. In this domain, all known existing schemes provide authenticity only up to the birthday bound, which differs significantly from the expected security of standardized schemes such as OCB and GCM. While there exist straightforward approaches to transform an on-line cipher into such a scheme (e.g. [17]), it remains interesting future work to design a beyond-birthday-secure on-line AE scheme from POEx, which requires efficient complementary algorithms for processing the associated data and deriving the tag. We defined POEx in a generic manner to allow the choice of an appropriate family of hash functions and a tweakable block cipher.