
When the term "XEX" or the phrase "XOR-encrypt-XOR" is used, does it refer only to the scheme $CT = E_{K}(PT \oplus T) \oplus T$/$PT = E_{K}(CT \oplus T) \oplus T$ (where $T$ is the whitening/tweak value), leaving out how the value of $T$ is changed between blocks if it is even specified to be changed at all? Or does it also refer to a specific method of changing $T$ between blocks?

If it is the former, then does that mean the birthday bound will apply to any mode of operation constructed around it where $T$ is deterministically generated? For instance, let's say we use the second method of generating the tweak as specified in this question where $T = E_K(IV \boxplus i)$. What would happen if this were used to encrypt more than $2^{0.5 \times n}$ blocks?

If it is the latter, then does the birthday bound only apply to when $T$ is stepped using finite field multiplication as in XTS?

  • @SqueamishOssifrage The answer from it is unclear. I see talk about a polynomial-derived tweak, but nothing about whether or not it is the reason the birthday bound applies, so it doesn't answer my second question. – Melab Dec 04 '17 at 04:01
  • 1
    See the detailed security reduction theorems and proofs. Generally, wherever you see a $q^2$, that's a likely candidate for collisions and birthday bounds. But the details are more complicated than that—the birthday paradox manifests in many ways, and is usually not articulated as such but rather as collision probabilities, replacement of random functions by random permutations, etc. – Squeamish Ossifrage Dec 04 '17 at 17:00
  • @SqueamishOssifrage By "my second question" I was referring to my question about using same block cipher to encrypt a counter to generate the tweak value. – Melab Dec 04 '17 at 18:40
  • Permuting the set of tweaks is not going to change any of the security. Mapping them through a function that, unlike a permutation, is not injective and may have collisions, on the other hand, may change things, because of those collisions. – Squeamish Ossifrage Dec 04 '17 at 21:05
  • So the scheme $CT_{i}=E_{K_{0}}(E_{K_{1}}(i) \oplus PT_{i}) \oplus E_{K_{1}}(i)$ would only be secure up to the birthday bound? – Melab Dec 04 '17 at 21:27
  • Worse: either that would admit an immediate distinguisher, by testing whether a two-block message of identical plaintext blocks has identical ciphertext blocks, or you've omitted the tweak altogether. Note that XEX figures both the tweak $t$ and the block index $i$ into it: $C_i = E_k(P_i \oplus (E_k(t) \cdot \alpha^i)) \oplus (E_k(t) \cdot \alpha^i)$, where $\alpha$ is a generator of GF(2^128). If you omit the tweak or the block index you break it completely. – Squeamish Ossifrage Dec 04 '17 at 22:57
  • @SqueamishOssifrage But it doesn't omit the tweak because $t=E_{K_{1}}(i)$. – Melab Dec 05 '17 at 00:53
  • The tweak and the block index are independent; it doesn't make sense to say $t = E_{K_1}(i)$ unless you're using a different name for the per-message tweak. – Squeamish Ossifrage Dec 05 '17 at 03:41
  • @SqueamishOssifrage As far as I have seen it used, the definition of "tweak" says nothing about the way in which it is being used, be it for domain separation or to make each block encrypt to a distinct value. In this case, I am wondering if deriving a per-block tweak by encrypting the block number yields beyond-birthday bound security. – Melab Dec 19 '17 at 21:09
  • Sorry, my terms didn't match the paper. The paper splits the tweak into two parts, one of which is meant to be fixed for many blocks (what I called tweak) and the other of which is meant to be sequentially incremented for many blocks (what I called block index). (Simplified) XEX is defined by $\hat E_k(i\mathbin\Vert j, m) = E_k(m \oplus \Delta) \oplus \Delta$, where $\Delta = \alpha^j \otimes E_k(i)$. Here $E_k$ is a $b$-bit block cipher, and $\alpha$ is a generator of $\operatorname{GF}(2^b)$. Permuting the tweaks $i\mathbin\Vert j$ does nothing; mapping them noninjectively may hurt. – Squeamish Ossifrage Dec 20 '17 at 06:13
  • @SqueamishOssifrage What if the two whitening values were different? – Melab Dec 20 '17 at 14:33
  • I don't know—you'll have to work out how it affects the proof of Theorem 11 in Appendix C. My guess is that it makes no difference. – Squeamish Ossifrage Dec 20 '17 at 15:42
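
The simplified XEX construction quoted in the comments above, $\hat E_k(i\mathbin\Vert j, m) = E_k(m \oplus \Delta) \oplus \Delta$ with $\Delta = \alpha^j \otimes E_k(i)$, as an added Go example that is not part of the original thread or of any paper it cites. It assumes AES-128 as $E_k$, the XTS field polynomial $x^{128}+x^7+x^2+x+1$ with XTS bit order for multiplication by $\alpha$, and a big-endian encoding of $i$ into one block; those choices are this example's, not fixed by the discussion.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "encoding/binary"
import "fmt"

// gfDouble multiplies a block by alpha = x in GF(2^128) mod x^128+x^7+x^2+x+1 (XTS bit order, a convention chosen here).
func gfDouble(b [16]byte) (out [16]byte) {
	var carry byte
	for k := range b {
		out[k], carry = b[k]<<1|carry, b[k]>>7
	}
	if carry != 0 {
		out[0] ^= 0x87 // reduce the overflowed x^128 term by the field polynomial
	}
	return out
}

// xexDelta returns Delta = alpha^j (x) E_k(i); i is encoded as a big-endian 128-bit integer (assumed here).
func xexDelta(blk cipher.Block, i, j uint64) (delta [16]byte) {
	var in [16]byte
	binary.BigEndian.PutUint64(in[8:], i)
	blk.Encrypt(delta[:], in[:])
	for ; j > 0; j-- {
		delta = gfDouble(delta) // alpha^j by repeated doubling
	}
	return delta
}

// xex computes E_k(M xor Delta) xor Delta for tweak (i, j); with dec set it uses D_k, inverting the encryption.
func xex(blk cipher.Block, i, j uint64, m [16]byte, dec bool) [16]byte {
	d := xexDelta(blk, i, j)
	for k := range m {
		m[k] ^= d[k] // pre-whitening
	}
	if dec {
		blk.Decrypt(m[:], m[:])
	} else {
		blk.Encrypt(m[:], m[:])
	}
	for k := range m {
		m[k] ^= d[k] // post-whitening
	}
	return m
}

func main() {
	blk, _ := aes.NewCipher(make([]byte, 16)) // constructed all-zero demo key
	m := [16]byte{'s', 'a', 'm', 'e'}
	c0 := xex(blk, 7, 0, m, false)
	fmt.Println("differs at j=1:", c0 != xex(blk, 7, 1, m, false), "roundtrip:", xex(blk, 7, 0, c0, true) == m)
}
```

Because $\Delta$ depends on both $i$ and $j$, the same plaintext block encrypts differently at different positions, while a repeated $(i, j)$ pair reproduces the same ciphertext, which is the repetition the comment above warns about when either component is dropped.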
