Masked Iterate-Fork-Iterate: A New Design Paradigm for Tweakable Expanding Pseudorandom Function

Abstract

Many modes of operations for block ciphers or tweakable block ciphers do not require invertibility from their underlying primitive. In this work, we study fixed-length Tweakable Pseudorandom Function (TPRF) with large domain expansion, a novel primitive that can bring high security and significant performance optimizations in symmetric schemes, such as (authenticated) encryption.

Our first contribution is to introduce a new design paradigm, derived from the Iterate-Fork-Iterate construction, in order to build n-to-\(\alpha n\)-bit (\(\alpha \ge 2\)), n-bit secure, domain expanding TPRF. We dub this new generic composition masked Iterate-Fork-Iterate \(\textsf{mIFI}\). We then propose a concrete TPRF instantiation \(\textsf {ButterKnife} \) that expands an n-bit input to 8n-bit output via a public tweak and secret key. \(\textsf {ButterKnife} \) is built with high efficiency and security in mind. It is fully parallelizable and based on Deoxys-BC, the AES-based tweakable block cipher used in the authenticated encryption winner algorithm in the defense-in-depth category of the CAESAR competition. We analyze the resistance of ButterKnife to differential, linear, meet-in-the-middle, impossible differentials and rectangle attacks. A special care is taken to the attack scenarios made possible by the multiple branches.

Our next contribution is to design and provably analyze two new TPRF-based deterministic authenticated encryption (DAE) schemes called \(\textsf{SAFE}\) and \(\textsf{ZAFE}\) that are highly efficient, parallelizable, and offer \((n+\min (n,t))/2\) bits of security, where n, t denote respectively the input block and the tweak sizes of the underlying primitives. We further implement \(\textsf{SAFE}\) with \(\textsf {ButterKnife} \) to show that it achieves an encryption performance of 1.18 c/B for long messages on Skylake, which is \(24\%\) faster than the comparable Crypto’17 TBC-based \(\textsf{ZAE}\) DAE. Our second candidate \(\textsf{ZAFE}\), which uses the same authentication pass as \(\textsf{ZAE}\), offers a similar level of speedup. Besides, we show that \(\textsf {ButterKnife} \), when used in Counter Mode, is slightly faster than \(\textsf{AES}\) (0.55 c/B vs 0.63 c/B on Skylake).

Appendices

A Details on ButterKnife

ButterKnife Constants. In ButterKnife the round constant RC[i] is the AES round constant in the ith round as defined below:

Existing Lower Bounds. The bounds are summarized in Table 5.

Table 5. Lower bounds on the number of active S-boxes in the related-tweakey model for Deoxys-BC-256 [14].

Reminder of the Best Results on Deoxys-BC-256 with 128-bit Key and Tweak. The results are summarized in Table 6.

Table 6. Some of the best results on Deoxys-BC-256 with 128-bit key and tweak.

1.1 A.1 Additional Aspects

In the main body we focused on distinguishers that do not take into account the final feed forward as this final operation makes it hard to mount a key recovery part at the bottom. The key recovery requires to invert rounds in value to access the end of the distinguisher, which is made difficult by the unknown value of the middle internal state. When given the full code book a zero-sum distinguisher can be constructed against one or more branches as described in [40, Appendix A.1] with distinguishing advantage \(1 - \frac{1}{2^{128}}\). In an integral attack, adding a round tweakey does not have any impact. This allows an adversary to apply the integral attacks on reduced-round AES to round-reduced ButterKnife also.

Cryptanalysis of ForkCiphers [8] applies as well, but with the difference that the reconstruction setting is not available given that one cannot make decryption queries. A reflection differential distinguishers might exist between two branches, but accessing it and building the required pair is troublesome.

B Graphical Representation of \(\textsf{SAFE}\)

Fig. 5.

The \(\textsf{SAFE}\) authenticated encryption function which, given a plaintext M and associated data A, outputs the ciphertext C and the tag T. Here \(\textsf{Trunc}_i\) simply truncates its input to i bits if it is longer or fills it with zeroes otherwise, and \(\textsf{Split}_{a,b}\) additionally splits it into its leftmost a bits and rightmost b bits. \(\otimes \) denotes the multiplication in \(\textrm{GF}(2^{2n})\). Recall that \(\lambda \le 2n\).

C \(\textsf{ZMAC}\) Pseudocode

Algorithm 5

. Specification of \(\textsf{ZMAC}\) [27]. Here 2a denotes the multiplication by the element of the finite field GF(\(2^n\)) that is represented by the polynomial x.