Using Chaskey as a stream cipher

Question

Chaskey (https://eprint.iacr.org/2014/386.pdf) is a a secure, compact and efficient MAC for embedded systems and has won many benchmarks. It is built using an Even-Mansour block cipher. This block cipher XORs a plaintext with a key, applies a public permutation function, then XORs the result with the same key to create the ciphertext. The paper unfortunately only discusses the MAC use case, and not the encryption use case. The web site (https://mouha.be/chaskey/) however mentions other use cases as well:

A lightweight PRF.
Can be used to cryptographically ensure message integrity (as a MAC).
To authenticate users (in challenge-response protocols).
To generate random numbers (in counter mode).

What I'm wondering is if it can also be used, in a secure way, for encryption, i.e. using it in counter mode to create a stream cipher. This would mean we could create an Encrypt-then-MAC algorithm using only Chaskey as primitive, which would be very efficient for embedded systems (of course in combination with a per-message nonce).

Since it can be used as a PRF and to generate random numbers in counter mode, it seems like this should indeed be feasible.

kelalaka · Accepted Answer · 2022-01-30T15:49:35.010

CTR mode originally is designed for PRFs.

Privacy and Authentication: An Introduction to Cryptography as an invited paper on Proceedings of the IEEE, 67 (1979), pp. 397–427.

Any PRF^* can be turned into a stream cipher with CTR mode. However, it is not preferable to use a heavy function built for MAC to use as a stream cipher. Use ChaCha for stream cipher constructed from PRF or use direct stream cipher like Trivium.

If you really want to use then use the input as $$F_k(\text{nonce_block}\mathbin\|\text{counter_block})$$ as the CTR mode and encrypt as

$$c_i = m_i \oplus F_k(\text{nonce_block}\mathbin\|\text{counter_i})$$

Make sure that

$\text{counter_i}$ never exceed size of the $\text{counter_block}$,
never return to initial state if counter reaches the maximum $2^{\text{counter_block_size}}-1$
do not complicate with resumuing the counter for another encryption.
Under above, newer let an $(IV,key)$ appear again where $IV = (\text{nonce_block}\mathbin\|\text{counter_i})$

^* Actually, any is not enough for cryptography, the key size and the input and output size are important. Today we prefer xChaCha20 since it enables 192-bit nonces to avoid the nonce collision under the same key and has 512-bit input/output sizes. Chaskey's 128-bit security is enough for lightweight cryptography, however, for other purposes, it is not secure enough.

Great! A follow up question: CCM uses the same key for both CTR encryption and for MAC by careful construct of the input to the block cipher. Can we use a similar approach here to avoid the need to have two keys? — Emil, Jan 31 '22 at 11:22
It needs an analysis. It is always better o generate two from one with a KDF like HKDF and expand will be enough for you if you have a uniform random-key. — kelalaka, Jan 31 '22 at 11:30

Using Chaskey as a stream cipher

1 Answers1