
What is the name of the mode in which we simply change the tweak for each block without the need for complex chaining modes? Is this mode secure?

Are there any other recommended modes for native tweakable block cipher like Threefish?

Maarten Bodewes
m.nasim
  • Isn't the mode simply called TBC mode? I can easily find a paper on TBC and TAE (authenticated) modes. – Maarten Bodewes Mar 23 '20 at 22:56
  • @MaartenBodewes As far as I know, TBC stands for Tweakable Block Cipher. It is not a mode. Also, the papers that I have found use a chaining mode (the ciphertext of a block is used as the tweak for the next block). Finally, I am not the only one asking for that mode's name. In the following link, you may find a correct answer stating clearly "not sure if it has a standard name" link – m.nasim Mar 24 '20 at 17:51
  • An additional point to clarify my point of view: Threefish could be used in ECB mode or any other standard mode. Threefish is still a TBC, not a normal block cipher. – m.nasim Mar 24 '20 at 19:24
  • What do you need that CTR mode doesn't have? I hope you're using encrypt-then-mac authentication, not relying on limited malleability instead of authentication. – Future Security Mar 30 '20 at 15:19
  • @Future Security Tweakable ciphers already deploy a tweak with the key, so why not use it as a counter, given that changing the tweak is cheap in terms of CPU time? – m.nasim Mar 30 '20 at 15:41
  • Also, please refer to this link, where you may find that Tweak Counter Mode does not fail catastrophically like CTR when the key/IV is reused – m.nasim Mar 30 '20 at 15:51
  • Then I'm pretty sure I know what the kind of mode you're thinking of would look like. Security properties are the same as if you used a different ECB key for each block position. That includes leaking times when a block value is repeated at a given position (assuming the actual key is reused). Padding may be necessary. – Future Security Mar 30 '20 at 17:29
  • Actually, side channel attacks are not considered in counter mode, since the tweak does not need to be secret. Threefish provides a 1024 bit key + 128 bit tweak. Changing the tweak will not reveal anything about the key. Changing the key in ECB is another story. Moreover, Threefish is immune against side channel attacks, as stated by the designers – m.nasim Mar 30 '20 at 18:11
  • I am not sure that I understood "leaking times when a block value is repeated" correctly. Is it a side channel of the time required for encryption, OR is it an offline comparison of two cipher blocks? After all, Threefish is immune against side channel attacks and related key attacks. Hope this helps. BTW, I am not a cryptographer, so forgive any misunderstanding – m.nasim Mar 30 '20 at 18:31

2 Answers

Many people want a "seekable cipher", which implies that they can't use chaining modes. So far I've seen 3 ways to build such a cipher:

  • XTS: "XEX-based tweaked-codebook mode with ciphertext stealing (XTS)" is used in most modern "full-disk encryption" systems.

  • CTR: "Counter mode (CTR)"

  • OCB: "Offset Codebook Mode (OCB)"

David Cary
  • Thank you @David, this is why I am asking for TBC. As SEJPM said, I was planning to use the tweak as a counter. However, I would not use a nonce at all. Threefish provides a 1024 bit key, long enough not to need additional security from the tweak. – m.nasim Mar 30 '20 at 01:06

What is the name of the mode in which we simply change the tweak for each block without the need for complex chaining modes? Is this mode secure?

Yes, if you do it right it's IND\$-CPA secure but not IND-CCA (and thus not AE-secure). In particular you'd need a CTR-like counter in your tweak (i.e. block counter + nonce / IV) and then each message block would be encrypted by a unique random permutation which is only ever evaluated on one input, thus its output is indistinguishable from a random string (and thus IND\$-CPA secure).

You can see that this is not CCA-secure because an adversary can just ask for encryptions of $0^{2n}$ and $1^{2n}$ in a challenge query and then for their decryption query only modify the second block of the challenge ciphertext. That one will yield a randomized "message" upon decryption but the first block still contains $0^n$ or $1^n$.

This is actually almost exactly how OCB3 does message encryption (though it first constructs a TBC from a regular block cipher).

Are there any other recommended modes for native tweakable block cipher like Threefish?

There's also CTRT and an SIV-scheme based on that (paper here) which uses the nonce as the block input and the counter as the tweak-input to generate a keystream. This is actually quite nice for getting a variable-output-length PRF out of a TBC that accepts full-block message inputs (also the IND\$-CPA security is ~$\frac{q^2}{2^{t+n}}$ instead of regular CTR's ~$\frac{q^2}{2^n}$ for block-size $n$ and tweak-size $t$).

There's also the authenticated encryption scheme McOE (which builds on TBCs) which has the nice property that even for nonce-reusing adversaries it only leaks the length of the common prefix for same-nonce messages - while being an online encryption scheme that can stream the message and operate in constant memory unlike the SIV-like schemes.


Notation and Notions: $0^n,1^n$ are n-bit strings of all $0$ bits or all $1$ bits.
AE-security is called CCA3 in this answer, intuitively it means that you cannot distinguish the outputs of the encryption oracle from random strings and that you cannot come up with a ciphertext that you didn't get verbatim from the encryption oracle that will decrypt without error.
IND\$-CPA is not to be confused with IND-CPA and is a stronger notion that requires encryptions to be indistinguishable from random strings of the same length (so it's AE-security without the decryption oracle).

SEJPM
  • Thank you very much. Actually, I had to search for IND-XXX. I found this link which was asked by you :). Two more questions please: why did you say that "it is not secure against Chosen Ciphertext Attack"? And what is AE-Secure? – m.nasim Mar 30 '20 at 01:03
  • Well, I found that AE-Secure is IND-CCA secure and provide authentication. Is this right? – m.nasim Mar 30 '20 at 01:18
  • @m.nasim I edited to add explanations for IND$-CPA and AE-security and why the scheme is not even CCA. – SEJPM Mar 30 '20 at 11:20
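The tweak-as-counter mode the question asks about, together with the CCA argument from the answer above, as an added worked example (not code from the question, the answers, or the Threefish project). It assumes a model TBC: a 4-round Feistel network with HMAC-SHA256 round functions keyed by (key, tweak), standing in for Threefish, which the Python standard library lacks; `encrypt`, `decrypt` and `cca_demo` are the example's own names.

```python
# Tweak-as-counter mode over a model tweakable block cipher (TBC). The TBC is a
# 4-round Feistel network with an HMAC-SHA256 round function keyed by (key, tweak),
# a stand-in for Threefish. Tweak = nonce (8 bytes) || block counter (8 bytes).
import hashlib
import hmac

BLOCK = 16      # block size in bytes: two 8-byte Feistel halves
NONCE_LEN = 8

def _f(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: a PRF of (tweak, round index, half-block) under the key."""
    return hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def tbc_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Every tweak selects a different permutation of the 16-byte block."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(x ^ y for x, y in zip(l, _f(key, tweak, rnd, r)))
    return l + r

def tbc_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = bytes(x ^ y for x, y in zip(r, _f(key, tweak, rnd, l))), l
    return l + r

def _tweak(nonce: bytes, i: int) -> bytes:
    return nonce + i.to_bytes(8, "big")

def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Block i is encrypted under tweak (nonce, i): no chaining, so seekable."""
    if len(nonce) != NONCE_LEN or len(msg) % BLOCK:
        raise ValueError("8-byte nonce and whole blocks only (no padding here)")
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    return b"".join(tbc_encrypt(key, _tweak(nonce, i), b) for i, b in enumerate(blocks))

def decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(tbc_decrypt(key, _tweak(nonce, i), b) for i, b in enumerate(blocks))

def cca_demo(key: bytes, nonce: bytes) -> bytes:
    """The answer's CCA argument: flip one bit in block 2 of the encryption of
    0^2n and decrypt. Block 2 becomes garbage, but block 1 still returns 0^n."""
    c = encrypt(key, nonce, bytes(2 * BLOCK))
    tampered = c[:BLOCK] + bytes([c[BLOCK] ^ 1]) + c[BLOCK + 1:]   # not an oracle output
    return decrypt(key, nonce, tampered)[:BLOCK]
```

Because there is no chaining, an equal block at the same position under the same nonce and key encrypts to the same ciphertext, which is the "ECB key per block position" leak raised in the comments; a nonce in the tweak is what prevents that across messages.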