
Page 1: [IEEE 2010 Second International Conference on Future Networks (ICFN) - Sanya, Hainan, China (2010.01.22-2010.01.24)] 2010 Second International Conference on Future Networks - Optimal

Optimal Tweakable Blockcipher based on Dual MISTY-Type Structure

Fengtong Wen 1,2

1. School of Computer Science and Technology, Shandong University, Jinan, China

2. School of Science, University of Jinan, Jinan, China

[email protected]

Lizi Yin

School of Science, University of Jinan, Jinan, China

ss [email protected]

Abstract—In this paper, on the basis of four round Dual MISTY-Type transformations, we give a method to solve an open problem about tweakable blockciphers proposed by Liskov et al. The problem is how to construct tweakable blockciphers without using a pre-existing blockcipher. We show that a tweakable blockcipher can be created directly from the dual MISTY-Type structure. Concretely, we build and analyze an optimal four round tweakable dual MISTY-Type transformation which uses an XOR-universal permutation in place of one round's pseudorandom permutation and reduces the number of pseudorandom permutations by using one permutation repeatedly.

Keywords-cryptography; block cipher; tweakable block cipher; MISTY-Type structure;

I. INTRODUCTION

A blockcipher, regarded as a family of permutations on a message space indexed by a secret key, is a pair of algorithms E and D. The encryption algorithm E takes two inputs, a secret key K and a message block M, and produces a ciphertext block C of the same length as M, while the decryption algorithm D reverses the process. We call a blockcipher a pseudorandom permutation if no attacker with polynomially many encryption queries can distinguish between the blockcipher and a random permutation. A tweakable blockcipher is a blockcipher which takes an extra input, the tweak T, that is used only to provide variation and can be changed at little cost. A tweakable blockcipher is secure if it is indistinguishable from a family of random permutations indexed by the tweak T.

The notion of tweakable blockcipher was formalized by Liskov, Rivest and Wagner [1], who give two constructions for tweakable blockciphers using an underlying blockcipher. They mainly discuss how to incorporate tweaks into existing blockciphers. Subsequent works, EMD and EME mode [2] and HCH mode [3], also take the same approach. In [1], they also proposed an open problem: how to design a tweakable blockcipher directly, without using a pre-existing blockcipher. In some cases, direct tweakable blockcipher schemes are more efficient than schemes that use a blockcipher. David Goldenberg et al. [4] give a direct tweakable blockcipher using the Feistel construction. They prove that 4 round tweakable Luby-Rackoff blockciphers are CPA-secure and 6 round tweakable Luby-Rackoff blockciphers are CCA-secure. In [5], we analyze the scheme based on the dual MISTY-Type structure. We conclude that there is no secure tweakable blockcipher on the basis of three round Dual MISTY-Type transformations, and that there exists a secure four round Dual MISTY-Type tweakable blockcipher if the round permutation is random.

Tweakable blockciphers have many practical applications in the field of computer science. An important application is disk encryption, as pointed out by Halevi and Rogaway in [6]. Here the disk sectors are separately encrypted and the sector addresses are taken to be the tweaks. Thus, if the plaintext block P is encrypted twice under the same key, the output ciphertext blocks will not be the same.

Our work. In this paper, we optimize the four round Dual MISTY-Type structure by using an XOR-universal permutation and reducing the number of pseudorandom permutations. Concretely, we replace the first round pseudorandom permutation with an XOR-universal permutation and employ the same pseudorandom permutation in the second and third round dataflow.

II. PRELIMINARIES

A. Definitions

Let $I_n$ denote the set of $n$-bit strings and $\mathrm{Perm}_n$ be the set of all permutations from $I_n$ to itself, where $n$ is a positive integer.

Definition 1. $\mathrm{Perm}_n$ is called a TPE (truly random permutation ensemble) if all permutations in $\mathrm{Perm}_n$ are uniformly distributed.

Definition 2 [1]. A tweakable blockcipher is a triple of algorithms $(G, E, D)$ for key generation, encryption and decryption, respectively. The algorithms $G(\cdot)$, $E(\cdot,\cdot)$, $D(\cdot,\cdot)$ are all efficiently computable, and the correctness property holds; that is, for all $M$, $T$, and for all keys $K \in G(1^n)$, $D_K(E_K(M,T),T) = M$. Over all adversaries

2010 Second International Conference on Future Networks

978-0-7695-3940-9/10 $26.00 © 2010 IEEE

DOI 10.1109/ICFN.2010.21

39

Page 2: [IEEE 2010 Second International Conference on Future Networks (ICFN) - Sanya, Hainan, China (2010.01.22-2010.01.24)] 2010 Second International Conference on Future Networks - Optimal

with access to an encryption oracle, the maximum advantage is defined as:

$$\mathrm{ADV}_E(A) = \left|\Pr[A^{E_K(\cdot,\cdot)}(1^n) = 1] - \Pr[A^{\Pi}(1^n) = 1]\right|$$

where (1) $\Pi$ is a random permutation family indexed by $T$; (2) the attacker $A$ is allowed to make at most $q$ oracle queries. A tweakable blockcipher is CPA secure if for all $A$, $\mathrm{ADV}_E(A)$ is negligible.

Definition 3. Dual MISTY-Type structure. This structure was first introduced by Matsui [7]. Matsui showed that the MISTY-Type structure is faster and more robust than the Feistel structure against linear cryptanalysis and differential cryptanalysis. The concrete scheme is defined as: for some input $(L, R)$,

$$L_i = f_i(L_{i-1} \oplus R_{i-1}), \qquad R_i = L_{i-1}$$

where the input is $M = (L_0, R_0) = (L, R)$, the output after $n$ rounds is $(L_n, R_n)$, and each $f_i \in \mathrm{Perm}_n$ is a random permutation. Ju-Sung Kang et al. [7] prove that the three round dual MISTY-Type transformation is a pseudorandom permutation ensemble.

Definition 4. A tweakable Dual MISTY-Type blockcipher is a Dual MISTY-Type structure with a tweak added in some location. The concrete scheme is defined as: for some input $(L, R, T)$,

$$L_i = f_i(L_{i-1} \oplus R_{i-1} \oplus T), \qquad R_i = L_{i-1}$$

where the input is $M = (L_0, R_0, T) = (L, R, T)$, the output after $n$ rounds is $(L_n, R_n)$, and each $f_i \in \mathrm{Perm}_n$ ($1 \le i \le n$) is a random permutation. The tweak is a half-block in length; that is, on input $M = (L_0, R_0, T) = (L, R, T)$ of size $2n$, the tweak is of size $n$.

Definition 5. $\varepsilon$-XOR universal permutation. Let $H$ be a permutation family over $I_n$. $H$ is an $\varepsilon$-XOR universal permutation if the following condition is satisfied: for any two distinct elements $x, y \in I_n$ and any element $z \in I_n$, $\Pr[h \leftarrow H : h(x) \oplus h(y) = z] \le \varepsilon$.

Definition 6. The optimal tweakable four round Dual MISTY-Type blockcipher is an optimized tweakable Dual MISTY-Type structure obtained by replacing the first round function with an XOR-universal permutation and employing the same random permutation in the second and third rounds. The concrete scheme is defined as: for some input $(L, R, T)$,

$$\begin{aligned}
L_1 &= h(L_0 \oplus R_0), & R_1 &= L_0 \\
L_2 &= f_1(L_1 \oplus R_1), & R_2 &= L_1 \\
L_3 &= f_1(L_2 \oplus R_2 \oplus T), & R_3 &= L_2 \\
L_4 &= f_2(L_3 \oplus R_3), & R_4 &= L_3
\end{aligned}$$

where the input is $M = (L_0, R_0, T) = (L, R, T)$, $f_1, f_2 \in \mathrm{Perm}_n$ are random permutations, and $h$ is an XOR universal permutation.

Lemma 1 [8]. Let $f$ be a permutation chosen from a TPE $\mathrm{Perm}_n$. Then for any $x_1, x_2, y \in I_n$,

$$P(f(x_1) \oplus f(x_2) = y) = \begin{cases} \dfrac{1}{2^n - 1}, & \text{if } y \ne 0 \\[4pt] 0, & \text{if } y = 0 \end{cases}$$

Lemma 2 [8]. Let $f_1, f_2$ be two permutations independently chosen from a TPE $\mathrm{Perm}_n$. Then for any $a, b, c, d, y \in I_n$ such that $a \ne b$, $c \ne d$,

$$P(f_1(a) \oplus f_1(b) \oplus f_2(c) \oplus f_2(d) = y) < \frac{1}{2^n - 1}, \qquad n \ge 2$$
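To make Definitions 5 and 6 concrete, the following is an added example (not code from the paper) that instantiates the optimal four round construction for n = 8. It assumes h is a random member of the family {x ↦ a·x over GF(2^8) : a ≠ 0}, which is ε-XOR universal with ε = 1/(2^n − 1), that f1 and f2 are stand-in random permutations produced by a seeded shuffle, and it writes out the decryption direction, which the paper leaves implicit; the class and function names are my own.

```python
import random

N = 8                 # half-block width n in bits; a block (L, R) is 2n = 16 bits
SIZE = 1 << N
GF_POLY = 0x11B       # x^8 + x^4 + x^3 + x + 1, reduction polynomial of GF(2^8)

def gf_mul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & SIZE:
            a ^= GF_POLY
        b >>= 1
    return r

def invert(table):
    """Inverse of a permutation given as a lookup table."""
    return [table.index(y) for y in range(len(table))]

def xor_universal_bound(x, y):
    """Definition 5 checked empirically for H = {x -> a*x : a != 0}: the largest
    Pr_a[h(x) ^ h(y) = z] over all z. For x != y this is eps = 1/(2^n - 1)."""
    counts = {}
    for a in range(1, SIZE):
        z = gf_mul(a, x) ^ gf_mul(a, y)
        counts[z] = counts.get(z, 0) + 1
    return max(counts.values()) / (SIZE - 1)

class OptimalTweakableDualMisty:
    """Definition 6: rounds h, f1, f1 (tweak XORed into L2 ^ R2), f2."""
    def __init__(self, seed):
        rng = random.Random(seed)      # constructed stand-in for key generation G(1^n)
        a = rng.randrange(1, SIZE)     # h(x) = a*x: a random member of the XOR-universal family
        self.h = [gf_mul(a, x) for x in range(SIZE)]
        self.f1 = list(range(SIZE)); rng.shuffle(self.f1)   # stand-ins for f1, f2 drawn from Perm_n
        self.f2 = list(range(SIZE)); rng.shuffle(self.f2)
        self.h_inv, self.f1_inv, self.f2_inv = invert(self.h), invert(self.f1), invert(self.f2)

    def encrypt(self, L0, R0, T):
        L1, R1 = self.h[L0 ^ R0], L0
        L2, R2 = self.f1[L1 ^ R1], L1
        L3, R3 = self.f1[L2 ^ R2 ^ T], L2      # the only round that sees the tweak
        L4, R4 = self.f2[L3 ^ R3], L3
        return L4, R4

    def decrypt(self, L4, R4, T):
        L3, R3 = R4, self.f2_inv[L4] ^ R4      # each R_i equals the previous L, so only f^-1 is needed
        L2, R2 = R3, self.f1_inv[L3] ^ R3 ^ T
        L1, R1 = R2, self.f1_inv[L2] ^ R2
        L0, R0 = R1, self.h_inv[L1] ^ R1
        return L0, R0
```

Because R4 = L3 = f1(L2 ⊕ R2 ⊕ T), two encryptions of the same block under different tweaks always differ in the right half, which is the disk-sector property the introduction describes.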

III. TWEAKABLE BLOCKCIPHERS WITH CPA SECURITY

A. Main results

In this section, we discuss the CPA security of the optimal four round Dual MISTY-Type structure.

Theorem 1. Let $f_1, f_2$ be independently chosen from an $n$-bit PPE and let $h$ be an $\varepsilon$-XOR universal permutation. If the tweak is XORed with $(L_2 \oplus R_2)$, then the optimal four round tweakable Dual MISTY-Type transformation $E$ is indistinguishable (in a CPA attack) from a random $2n$-bit permutation ensemble $\Pi$ indexed by $T$.

Proof. Without loss of generality, we assume that $f_1, f_2$ are independently chosen from the TPE $\mathrm{Perm}_n$. $A$ can query the oracle $O$, and $O$ chooses a permutation from $E$ or $\Pi$. We assume that the attacker $A$ makes $q$ different queries $(L^1, R^1, T^1), \ldots, (L^q, R^q, T^q)$ to the oracle $O$. Let $(L^i_j, R^i_j)$, $i = 1, \ldots, q$, $j = 1, 2, 3, 4$, be the $j$-th round output in the $i$-th oracle query. Let $AL$ denote the event that $L^1_2 \oplus R^1_2 \oplus T^1, \ldots, L^q_2 \oplus R^q_2 \oplus T^q$ are all distinct. If $AL$ occurs, $L^1_4, \ldots, L^q_4$ are completely random, since $L^i_4 = f_2(L^i_3 \oplus R^i_3) = f_2(f_1(L^i_2 \oplus R^i_2 \oplus T^i) \oplus L^i_2)$, $i = 1, \ldots, q$, and $f_1, f_2$ are independent truly random permutations. Similarly, if $AL$ occurs, then $R^1_4, \ldots, R^q_4$ are completely random, since $f_1$ is a truly random permutation. So $(L^1_4, R^1_4), \ldots, (L^q_4, R^q_4)$ are completely random, since $f_1$ and $f_2$ are independent random permutations. Therefore, if $AL$ occurs, the outputs of $E$ are distributed exactly as those of $\Pi$, and

$$\begin{aligned}
\mathrm{ADV}_E(A) &= \left|\Pr(A \text{ outputs } 1 \mid O \leftarrow E) - \Pr(A \text{ outputs } 1 \mid O \leftarrow \Pi)\right| \\
&= \big|\Pr(A \text{ outputs } 1 \mid O \leftarrow E,\ AL)\Pr(AL) + \Pr(A \text{ outputs } 1 \mid O \leftarrow E,\ \overline{AL})\Pr(\overline{AL}) \\
&\qquad - \Pr(A \text{ outputs } 1 \mid O \leftarrow \Pi,\ AL)\Pr(AL) - \Pr(A \text{ outputs } 1 \mid O \leftarrow \Pi,\ \overline{AL})\Pr(\overline{AL})\big| \\
&= \left|\Pr(A \text{ outputs } 1 \mid O \leftarrow E,\ \overline{AL})\Pr(\overline{AL}) - \Pr(A \text{ outputs } 1 \mid O \leftarrow \Pi,\ \overline{AL})\Pr(\overline{AL})\right|
\end{aligned}$$

since

$$\Pr(A \text{ outputs } 1 \mid O \leftarrow E,\ AL) = \Pr(A \text{ outputs } 1 \mid O \leftarrow \Pi,\ AL).$$

So

$$\mathrm{ADV}_E(A) \le \Pr(\overline{AL}) \le \sum_{1 \le i < j \le q} P\left(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j\right)$$

Now we estimate $P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j)$ for any $1 \le i < j \le q$. Let $(L_0, R_0, T) = (L, R, T)$. We have the following four cases.

Case 1. $L^i_0 = L^j_0$, $R^i_0 = R^j_0$, $T^i \ne T^j$. In this case it is easy to see that

$$P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) = P(T^i = T^j) = 0$$

Case 2. $L^i_0 = L^j_0$, $R^i_0 \ne R^j_0$. Then we obtain by Lemma 2 and Definition 4 that

$$\begin{aligned}
&P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) \\
&= P\big(f_1(h(L^i_0 \oplus R^i_0) \oplus L^i_0) \oplus h(L^i_0 \oplus R^i_0) \oplus T^i = f_1(h(L^j_0 \oplus R^j_0) \oplus L^j_0) \oplus h(L^j_0 \oplus R^j_0) \oplus T^j\big) \\
&= P\big(f_1(h(L^i_0 \oplus R^i_0) \oplus L^i_0) \oplus f_1(h(L^j_0 \oplus R^j_0) \oplus L^j_0) \oplus h(L^i_0 \oplus R^i_0) \oplus h(L^j_0 \oplus R^j_0) = T^i \oplus T^j\big) \\
&\le \max\left\{\frac{1}{2^n - 1}, \varepsilon\right\},
\end{aligned}$$

since $f_1$ is a truly random permutation, $h$ is an $\varepsilon$-XOR-universal permutation, and $L^i_0 \oplus R^i_0 \ne L^j_0 \oplus R^j_0$, $h(L^i_0 \oplus R^i_0) \oplus L^i_0 \ne h(L^j_0 \oplus R^j_0) \oplus L^j_0$.

Case 3. $L^i_0 \ne L^j_0$, $R^i_0 = R^j_0$. Then we obtain by Lemma 2 and Definition 4 that

$$P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) \le \max\left\{\frac{1}{2^n - 1}, \varepsilon\right\}$$

The proof is similar to that of Case 2.

Case 4. $L^i_0 \ne L^j_0$, $R^i_0 \ne R^j_0$.

If $L^i_0 \oplus R^i_0 = L^j_0 \oplus R^j_0$, then $h(L^i_0 \oplus R^i_0) \oplus L^i_0 \ne h(L^j_0 \oplus R^j_0) \oplus L^j_0$. Then we can obtain by Lemma 1 that

$$P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) \le \frac{1}{2^n - 1},$$

since $f_1$ is a truly random permutation.

If $L^i_0 \oplus R^i_0 \ne L^j_0 \oplus R^j_0$ and $h(L^i_0 \oplus R^i_0) \oplus L^i_0 = h(L^j_0 \oplus R^j_0) \oplus L^j_0$, then we can obtain by Definition 4 that

$$P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) \le \varepsilon,$$

since $h$ is an $\varepsilon$-XOR universal permutation.

If $L^i_0 \oplus R^i_0 \ne L^j_0 \oplus R^j_0$ and $h(L^i_0 \oplus R^i_0) \oplus L^i_0 \ne h(L^j_0 \oplus R^j_0) \oplus L^j_0$, observe that by Lemma 2 and Definition 4,

$$P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) \le \max\left\{\frac{1}{2^n - 1}, \varepsilon\right\},$$

since $f_1$ is a random permutation and $h$ is an $\varepsilon$-XOR universal permutation.

Hence, in every case,

$$P(L^i_2 \oplus R^i_2 \oplus T^i = L^j_2 \oplus R^j_2 \oplus T^j) \le \max\left\{\frac{1}{2^n - 1}, \varepsilon\right\} = \varepsilon$$

Therefore, we can conclude that

$$\mathrm{ADV}_E(A) \le C_q^2\,\varepsilon = \frac{q(q-1)}{2}\,\varepsilon,$$

which is negligible.

IV. CONCLUSION

In this paper, on the basis of four round Dual MISTY-Type transformations, we propose a tweakable blockcipher directly and thereby solve an open problem proposed by Liskov et al., namely how to construct tweakable blockciphers without using a pre-existing blockcipher. By using an XOR universal permutation and reducing the number of random permutations, we optimize the scheme. The new scheme is provably secure if the underlying functions are a pseudorandom permutation and an XOR universal permutation. At the same time, we point out that there is no secure tweakable blockcipher on the basis of three round Dual MISTY-Type transformations.

ACKNOWLEDGMENT

This work was supported by the Natural Science Foundation of Shandong Province (No. Y2008A29), the Science and Technique Foundation of Shandong Province (No. 2008GG30009008), and the graduate education innovation program of the Shandong Educational Committee (No. SDYY08029).

REFERENCES

[1] Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable block ciphers. CRYPTO 2002, LNCS 2442: 31-46. Springer, Heidelberg.

[2] Halevi, S., Rogaway, P. A parallelizable enciphering mode. CT-RSA 2004, LNCS 2964: 292-304. Springer.

[3] Debrup Chakraborty and Palash Sarkar. HCH: A new tweakable enciphering scheme using the hash-encrypt-hash approach. INDOCRYPT 2006, LNCS 4329: 287-302. Springer.

[4] David Goldenberg, Susan Hohenberger. On tweaking Luby-Rackoff blockciphers. ASIACRYPT 2007, LNCS 4833: 342-356. Springer.

[5] Fengtong Wen et al. On tweaking Dual MISTY-Type blockciphers. ICCSIT 2009: 281-283.

[6] Halevi, S., Rogaway, P. A tweakable enciphering mode. CRYPTO 2003, LNCS 2729: 482-499. Springer, Heidelberg.

[7] M. Matsui. New structure of block ciphers with provable security against differential and linear cryptanalysis. FSE 1996, LNCS 1039: 206-218. Springer-Verlag.

[8] Ju-Sung Kang, Okyeon Yi, Dowon Hong et al. Pseudorandomness of MISTY-Type transformations and the block cipher KASUMI. ACISP 2001, LNCS 2119: 60-73. Springer-Verlag.
