Article Open Access

The mF mode of authenticated encryption with associated data

  • Bishwajit Chakraborty and Mridul Nandi
Published/Copyright: January 28, 2022

Abstract

In recent years, the demand for lightweight cryptographic protocols has grown immensely. To fulfill this necessity, the National Institute of Standards and Technology (NIST) has initiated a standardization process for lightweight cryptographic encryption. NIST's call for proposals demands that a scheme should have one primary member with a key length of 128 bits, and that it should be secure up to $2^{50}-1$ bytes of queries and $2^{112}$ computations. In this article, we propose a tweakable block cipher (TBC)-based authenticated encry ption with associated data (AEAD) scheme, which we call mF. We provide authenticated encryption security analysis for mF under some weaker security assumptions (stated in the article) on the underlying TBC. We instantiate a TBC using a block cipher and show that the TBC achieves these weaker security notions, provided the key update function has high periodicity. mixFeed is a round 2 candidate in the aforementioned lightweight cryptographic standardization competition. When we replace the key update function with the key scheduling function of the Advanced Encryption Standard (AES), the mF mode reduces to mixFeed. Recently, the low periodicity of the AES key schedule has been shown. Exploiting this feature, a practical attack on mixFeed has been reported. We show that multiplication by a primitive element satisfies the high periodicity property, and so we obtain a secure instantiation of mF, i.e., a secure variant of mixFeed.

MSC 2010: 68P25; 94A60; 94A62

1 Introduction

Lightweight cryptography. Lightweight cryptography is concerned with a huge variety of resource-limited devices, including Internet of Things end nodes and radio-frequency identification tags [1]. In a resource-constrained environment, standard cryptographic primitives such as the Advanced Encryption Standard (AES) [2] and SHA3 [3], which work well within conventional computer systems, are difficult to implement because of implementation size, speed or throughput, and energy consumption. Lightweight cryptography trades off implementation cost, speed, security, performance, and energy consumption on resource-limited devices. The purpose of lightweight cryptography is to consume less memory, less computing resource, and less power, and to provide a weaker but satisfactory security solution that can work in resource-limited devices. As a consequence, lightweight cryptographic protocols are expected to be simpler and faster than conventional cryptographic protocols.

In the last decade, the demand for lightweight cryptographic protocols has grown immensely. To fulfill this necessity, the National Institute of Standards and Technology (NIST) has initiated a standardization process for lightweight cryptographic (LWC) encryption schemes. NIST's call for proposals [4] demands that a scheme should have one primary member with a key length of 128 bits, and that it should be secure up to $2^{50}-1$ bytes of queries and $2^{112}$ computations. Due to the wide availability of well-analyzed (tweakable) block ciphers, they are a popular choice as a building block when designing lightweight cryptographic protocols. This popularity is evident from the fact that 25 out of 56 submissions to round 1 of the LWC competition were based on (tweakable) block ciphers, and subsequently, 15 of these were promoted to round 2.

(Tweakable) block cipher. A block cipher is a cryptographic primitive consisting of two algorithms, namely $(E, D)$, such that the deterministic function $E$ takes a fixed-length key and a fixed-length (also called a block) message as input and produces a single block of ciphertext. In notation, $E : \{0,1\}^{\kappa} \times \{0,1\}^{n} \to \{0,1\}^{n}$ is a function such that, for all $K \in \{0,1\}^{\kappa}$, $E_K = E(K, \cdot)$ is a permutation. For any given $K \in \{0,1\}^{\kappa}$ and any $M, C \in \{0,1\}^{n}$, we have $D(K, C) = M$ if and only if $E(K, M) = C$.

A tweakable block cipher (TBC) [5] is a deterministic function $\tilde{E}$, which takes a fixed-length tweak along with a fixed-length key and a block of message and outputs a single block of ciphertext, such that it acts as a family of block ciphers. In notation, $\tilde{E} : \{0,1\}^{t} \times \{0,1\}^{\kappa} \times \{0,1\}^{n} \to \{0,1\}^{n}$ is a function such that there exists a family of block ciphers $\{E_{tw}\}$ with $\tilde{E}(tw, K, M) = E_{tw}(K, M)$ for each $tw \in \{0,1\}^{t}$.

TBC-based AEAD. For many AEAD modes [6,7,8,9,10] with an underlying TBC $\tilde{E}$ and a given key $K$, the encryption algorithm works as follows. It takes an initial input $IV$ and computes $Y_0 = \tilde{E}(tw_0, K, IV)$, where the tweak $tw_0$ depends on the nonce and perhaps some other parameters. To process the $i$th block of message (or associated data), it uses a feedback function $FB$, which takes $Y_{i-1}$ and $M_i$ as inputs and produces $X_i$ and $C_i$ as outputs (only $X_i$ in the case of AD). It then computes $Y_i = \tilde{E}(tw_i, K, X_i)$, which is used to process the next block of associated data or message. After processing the entire message, the next TBC output is used as the input for tag generation. For such an AEAD scheme with an appropriate feedback function $FB$, the privacy and forgery advantages of any adversary can be bounded as follows:

(1.1) $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{AEAD}}(T, D) \le \mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(T, D),$

(1.2) $\mathrm{Adv}^{\mathrm{forge}}_{\mathrm{AEAD}}(T, D) \le \mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(T, D) + O\!\left(\frac{D}{2^{n}}\right),$

where T and D are respectively, the time and data complexity of the adversaries playing the security games and n is the TBC state size. Hence, the security of such a TBC-based AEAD scheme can be bounded by bounding the TPRP advantage of the underlying TBC.

Security of some instantiations of TBC based on block ciphers. A dedicated TBC construction is conjectured to have security, and hence, we can instantiate the mode by such a secure TBC. In addition to the dedicated constructions, there are some known constructions of TBC based on a block cipher. For example, XEX [11] is shown to have birthday-bound security.

AEAD modes such as Remus-N [7] and mixFeed [6] use explicit block cipher-based TBC constructions as their underlying TBC. Given a block cipher $E$ and a feedback function $\rho$, the ICE1 TBC (used in Remus-N1) uses a key derivation function KDF, which takes inputs $K$ and $N$ and outputs $L = \rho(E_K(N))$. Given input $X$ and tweak $(N, \omega, i)$, it then outputs $E_{K'}(X)$, where $K' = 2^{i} L \oplus \omega$. As described in ref. [12], an adversary can make $D$ queries with a fixed input $0^{n}$ and varying tweaks to get $D$ outputs $Y_1, \ldots, Y_D$. Notice that ICE1 uses two block cipher calls: the first is the key derivation function and the second is the encryption function, keyed with the output of the first. So, let $K_1, \ldots, K_D \in \{0,1\}^{\kappa}$ be those intermediate keys. Now, if the adversary pre-computes $Y'_1, \ldots, Y'_T$ by making $T$ primitive block cipher calls with input $0^{n}$ and keys $K'_1, \ldots, K'_T$ of its own choice, then the probability that $Y_i = Y'_j$, and hence $K_i = K'_j$ (for $n \ge \kappa$ an output match identifies the key with overwhelming probability), for some $1 \le i \le D$, $1 \le j \le T$ is about $DT/2^{\kappa}$. Once an intermediate key is known, the adversary can evaluate the TBC offline under that key and so distinguish it from a tweakable random permutation with essentially the same probability. Hence,

$\mathrm{Adv}^{\mathrm{tprp}}_{\mathrm{ICE1}}(T, D) \approx \frac{DT}{2^{\kappa}}.$

Note that while constructing any TBC, it is generally desired that it should achieve security with $T$ close to $2^{\kappa}$. For instance, according to NIST [4], $T \le 2^{112}$ for $n \le 128$ and $T \le 2^{224}$ when $n = 256$. Hence, a bound such as the above does not provide satisfactory security, as it limits the size of $D$: with $\kappa = 128$ and $D \approx 2^{50}$, the term $DT/2^{\kappa}$ already reaches 1 at $T = 2^{78}$, far below $2^{112}$. Accordingly, given $D \approx 2^{50}$, ICE1 does not satisfy the NIST requirements. The authors of ref. [12] also extended the aforementioned attack to Remus-N1. ICE2 (used in Remus-N2) provides higher security of the form $DT/2^{2\kappa}$, but it uses an auxiliary key (it can be viewed as a combination of XEX and ICE1). This costs some additional state to hold the auxiliary key. This motivates the following question.
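To make the $DT/2^{\kappa}$ estimate concrete, here is a small Python simulation of the attack of ref. [12] on ICE1 with toy parameters ($\kappa = 16$, 32-bit outputs). It is an added example and not code from the article, from Remus, or from ref. [12]. Everything beyond the description above is an assumption: the block cipher is replaced by a SHA-256 based PRF (only its values on the fixed input $0^{n}$ matter for the attack), $\rho$ is taken as truncation to $\kappa$ bits, the doubling $2^{i}L$ uses an assumed GF($2^{16}$) reduction polynomial, and the nonces are simple counters. `success_rate` estimates the adversary's success probability over many random master keys; with $D = T = 2^{8} = 2^{\kappa/2}$ one expects roughly $1 - e^{-1} \approx 0.63$, and with $D = T = 2^{6}$ roughly $1/16$.

```python
"""Toy simulation of the ICE1 key-collision attack of ref. [12] (added example)."""
import hashlib
import random

KAPPA = 16          # toy key length in bits (ICE1 in Remus-N1 uses kappa = 128)
N_BYTES = 4         # toy block size; 32-bit outputs let an output match identify the key
POLY = 0x1002B      # assumption: GF(2^16) reduction polynomial x^16 + x^5 + x^3 + x + 1


def toy_bc(key: int, x: bytes) -> bytes:
    """Stand-in for E_K(X): a SHA-256 based PRF truncated to N_BYTES. It is not a
    permutation, but the attack only ever evaluates it on the fixed input 0^n."""
    return hashlib.sha256(key.to_bytes(2, "big") + x).digest()[:N_BYTES]


def dbl(l: int) -> int:
    """Multiplication by 2 in GF(2^KAPPA)."""
    l <<= 1
    return l ^ POLY if l >> KAPPA else l


def ice1_kdf(master_key: int, nonce: bytes) -> int:
    """L = rho(E_K(N)); rho is taken as truncation to kappa bits (assumption)."""
    return int.from_bytes(toy_bc(master_key, nonce), "big") & ((1 << KAPPA) - 1)


def derived_key(l: int, omega: int, i: int) -> int:
    """K' = 2^i L xor omega for the tweak (N, omega, i)."""
    for _ in range(i):
        l = dbl(l)
    return l ^ omega


def ice1_encrypt(master_key: int, nonce: bytes, omega: int, i: int, x: bytes) -> bytes:
    """ICE1: E_{K'}(X) with K' derived from the per-nonce key L."""
    return toy_bc(derived_key(ice1_kdf(master_key, nonce), omega, i), x)


def ice1_attack(master_key: int, d: int, t: int, rng: random.Random):
    """D online queries with input 0^n under distinct nonces and tweak (N_i, 0, 0),
    then T offline evaluations E_{K'_j}(0^n) for keys of the adversary's choice,
    matched against the online table. Returns (nonce, candidate L) or None."""
    zero = bytes(N_BYTES)
    online = {}
    for idx in range(d):
        nonce = idx.to_bytes(N_BYTES, "big")
        online[ice1_encrypt(master_key, nonce, 0, 0, zero)] = nonce   # Y_i
    for _ in range(t):
        guess = rng.getrandbits(KAPPA)
        y_prime = toy_bc(guess, zero)                                 # Y'_j, no key needed
        if y_prime in online:
            return online[y_prime], guess
    return None


def success_rate(trials: int, d: int, t: int, seed: int = 0) -> float:
    """Fraction of random master keys for which the recovered L also predicts ICE1
    outputs under a different (omega, i) for the same nonce, i.e., the adversary has
    really learnt the per-nonce key and can now evaluate the TBC offline."""
    rng = random.Random(seed)
    probe = bytes([0xAB] * N_BYTES)
    wins = 0
    for _ in range(trials):
        master_key = rng.getrandbits(KAPPA)
        hit = ice1_attack(master_key, d, t, rng)
        if hit is None:
            continue
        nonce, l = hit
        if toy_bc(derived_key(l, 0x1234, 3), probe) == ice1_encrypt(master_key, nonce, 0x1234, 3, probe):
            wins += 1
    return wins / trials
```

The point of the two parameter sets is the scaling: quartering both $D$ and $T$ divides the success probability by about sixteen, exactly as $DT/2^{\kappa}$ predicts, and no amount of online data alone helps without the matching offline work.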

Can we have an instantiation of TBC based on block cipher without using any auxiliary key but still provide satisfactory security (for instance, up to the NIST desired level)?

At a glance, it seems impossible to design such a TBC. However, we show that such security is achievable for an AEAD mode based on a TBC that does not use any auxiliary key. Clearly, we must then use different reductions from the usual ones (as in equations (1.1)–(1.2)). The distinguishing attack on Remus-N1 [7] requires fixing the associated data block, as it is going to be the input of the underlying block cipher. This can be avoided if the first block is defined to be the nonce. This principle is adopted in mixFeed [6]. Both mixFeed [6] and Remus [7] are similar in nature (as described earlier), with two main differences. First, they use different feedback functions, which does not affect the security as such. Second, unlike Remus, mixFeed processes the nonce before processing the associated data and hence uses one extra TBC call. In the nonce-respecting model, the inputs of the block cipher therefore vary in the case of mixFeed, and the attack of ref. [12] is avoided.

1.1 Our contribution

We formalize the TBC-based AEAD mode, which is used in mixFeed , and we call it mF . In this article, we reduce the security of the mF mode in terms of the security of the underlying TBC against two newly introduced input-restricted adversaries, namely, (1) the μ -respecting TPRP adversary and (2) ( μ , λ ) -multicommitment prediction adversary. We note that these two notions are non-standard but weaker than standard TPRP security notions in the sense that an adversary is μ -respecting if it can make at most μ queries with the same input. In a nonce-respecting AEAD scheme where the nonce is processed in the beginning, since the initial TBC input is not repeated, and the other TBC inputs depend on their previous TBC outputs, we can consider the security of the underlying TBC in terms of μ -respecting adversaries with small μ . In the case of mF mode in nonce-respecting setup, we can choose μ to be about n to achieve the following bounds.

(1.3) $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{mF}}(T, D) \le \mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(T, D) + O\!\left(\frac{\mu^{2} D}{2^{n}}\right),$

(1.4) $\mathrm{Adv}^{\mathrm{forge}}_{\mathrm{mF}}(T, D) \le \mathrm{Adv}^{(\mu, D)\text{-}\mathrm{mcp}}_{\tilde{E}}(T, D) + 2\,\mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(T, D) + O\!\left(\frac{\mu^{2} D}{2^{n}}\right) + \frac{2D}{2^{n/2}},$

where the new security advantage terms Adv E ˜ μ - tprp and Adv E ˜ ( μ , D ) - mcp , respectively, denote the adversarial advantage of any μ -respecting TPRP adversary and any ( μ , D ) -multicommitment prediction adversary. For more detailed definitions, see Section 2.2.

We now study these two security notions for two instantiations of the TBC. mixFeed is one such instantiation. The designers of mixFeed claimed the security of the scheme under the assumption that the AES key scheduling algorithm has a small number of short permutation cycles, and hence that the probability of picking a key on one of those cycles is also small. Khairallah [13] observed that if this assumption is violated, it may lead to weak-key attacks on mixFeed. Later, Leurent and Pernot [14] confirmed this observation by explicitly finding a large number of short cycles in the AES key scheduling algorithm. In this article, we interpret this weakness in terms of our general notation and conclude that the weakness is due only to the use of the AES key schedule as the key update function (KUF). Our second instantiation of a TBC based on a block cipher, which uses primitive element multiplication as the KUF (we call the overall AEAD $\mathrm{mF}_{\mathrm{prim}}$), achieves the bounds

(1.5) $\mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(T, D) \le \frac{\mu T}{2^{n}},$

(1.6) $\mathrm{Adv}^{(\mu, D)\text{-}\mathrm{mcp}}_{\tilde{E}}(T, D) \le \frac{\mu T}{2^{n}} + \frac{D}{2^{n/2}}.$

Plugging these results in our previous results, we obtain that the mF prim mode is well secured within the NIST requirements.

1.2 Organization of the article

In Section 2, we define some existing and newly introduced security definitions associated with AEAD modes and TBCs. In Section 3, we introduce the TBC-based AEAD scheme called mF . In Section 4, we reduce the security of the mF mode to the security of the underlying TBC against the newly introduced TBC security games defined in Section 2.2. In Section 5, we define a new TBC construction using a block cipher and a KUF and upper bound the advantages of any adversary playing those new TBC security games against it. In Section 6, we consider the mF mode under this new TBC and derive an upper bound on the security of such a mode. Further, we inspect the weakness of the mixFeed mode as an explicit instantiation of the mF mode and try to interpret it in our notation. In Section 7, we show that this weakness of mixFeed doesn’t weaken the security of the mF mode in general by constructing an explicit instantiation called the mF prim mode, which is well secured within the NIST-specified parameters. Finally, in Section 8, we make a theoretical comparison between the mF prim mode of AEAD and some other existing TBC-based lightweight AEAD schemes.

2 Security definitions of AEAD and TBC

2.1 Security definitions of AEAD

In this section, we recall some well-known security definitions for AEAD modes. We call an AEAD adversary nonce-respecting when it does not make more than one encryption query with the same nonce. An authenticated encryption scheme with associated data functionality, or AEAD in short, is a tuple of deterministic algorithms $\mathcal{F} = (\mathcal{E}, \mathcal{D})$ defined over the key space $\mathcal{K}$, nonce space $\mathcal{N}$, associated data space $\mathcal{A}$, message space $\mathcal{M}$, ciphertext space $\mathcal{C}$, and tag space $\mathcal{T}$, where

$\mathcal{E} : \mathcal{K} \times \mathcal{N} \times \mathcal{A} \times \mathcal{M} \to \mathcal{C} \times \mathcal{T} \quad\text{and}\quad \mathcal{D} : \mathcal{K} \times \mathcal{N} \times \mathcal{A} \times \mathcal{C} \times \mathcal{T} \to \mathcal{M} \cup \{\bot\}.$

Here, $\mathcal{E}$ and $\mathcal{D}$ are called the encryption and decryption algorithms of $\mathcal{F}$, respectively. Further, it is required that $\mathcal{D}(K, N, A, \mathcal{E}(K, N, A, M)) = M$ for any $(K, N, A, M) \in \mathcal{K} \times \mathcal{N} \times \mathcal{A} \times \mathcal{M}$. For every key $K \in \mathcal{K}$, we write $\mathcal{E}_K(\cdot)$ and $\mathcal{D}_K(\cdot)$ to denote $\mathcal{E}(K, \cdot)$ and $\mathcal{D}(K, \cdot)$, respectively.

2.1.1 Privacy

Given an adversary $\mathcal{A}$, we define the privacy advantage [15] of $\mathcal{A}$ against $\mathcal{F}$ as $\mathrm{Adv}^{\mathrm{priv}}_{\mathcal{F}}(\mathcal{A}) = \left|\Pr[\mathcal{A}^{\mathcal{E}_K} = 1] - \Pr[\mathcal{A}^{\$} = 1]\right|$, where $\$$ returns a uniformly random string of the same length as the output of $\mathcal{E}_K$. The privacy advantage of $\mathcal{F}_K$ is defined as

$\mathrm{Adv}^{\mathrm{priv}}_{\mathcal{F}}(q, \sigma, t) = \max_{\mathcal{A}} \mathrm{Adv}^{\mathrm{priv}}_{\mathcal{F}}(\mathcal{A}),$

where the maximum is taken over all nonce-respecting adversaries $\mathcal{A}$ running in time $t$ and making at most $q$ encryption queries with a total of at most $\sigma$ blocks over all queries.

2.1.2 Forgery

We say that a nonce-respecting oracle adversary $\mathcal{A}^{\mathcal{E}_K, \mathcal{D}_K}$ forges $\mathcal{F}$ if $\mathcal{A}$ is able to make a fresh and valid query $(N, A, C, T)$ to $\mathcal{D}_K$. By a fresh query we mean that the adversary has not made any previous query $(N, A, M)$ to $\mathcal{E}_K$ such that $\mathcal{E}_K(N, A, M) = (C, T)$. We say that a decryption query is valid if $\mathcal{D}_K(N, A, C, T) \neq \bot$. The forging advantage [15] of an adversary $\mathcal{A}$ is written as

$\mathrm{Adv}^{\mathrm{forge}}_{\mathcal{F}}(\mathcal{A}) = \Pr[\mathcal{A}^{\mathcal{E}_K, \mathcal{D}_K} \text{ forges}]$

and we write

$\mathrm{Adv}^{\mathrm{forge}}_{\mathcal{F}}(q, \sigma, t) = \max_{\mathcal{A}} \mathrm{Adv}^{\mathrm{forge}}_{\mathcal{F}}(\mathcal{A}),$

where the maximum is taken over all adversaries $\mathcal{A}$ running in time $t$, making at most $q_e$ nonce-respecting encryption queries with at most $\sigma_e$ blocks and at most $q_d$ decryption queries with at most $\sigma_d$ blocks. We define $q = q_e + q_d$ and $\sigma = \sigma_e + \sigma_d$. Note that the decryption queries are not necessarily nonce-respecting, i.e., a nonce can be repeated across decryption queries, and an encryption query and a decryption query can use the same nonce. However, all nonces used in encryption queries are distinct.

2.2 Security definitions of TBC

Let $\tilde{E}$ be an $n$-bit TBC with tweak space $\mathcal{T}$. The TPRP advantage [5] of $\tilde{E}$ against an oracle adversary $\mathcal{A}$ is defined as

$\mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(\mathcal{A}) = \left|\Pr[\mathcal{A}^{\tilde{E}_K} = 1] - \Pr[\mathcal{A}^{\tilde{\Pi}} = 1]\right|,$

where $\tilde{\Pi}$ is chosen uniformly from the set of all functions $\tilde{\pi} : \mathcal{T} \times \{0,1\}^{n} \to \{0,1\}^{n}$ such that, for every $tw \in \mathcal{T}$, $\tilde{\pi}(tw, \cdot)$ is a permutation on $\{0,1\}^{n}$. We call $\tilde{\Pi}$ a tweakable random permutation. We write $\mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(q, t) = \max_{\mathcal{A}} \mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(\mathcal{A})$, where the maximum is taken over all adversaries $\mathcal{A}$ running in time $t$ and making at most $q$ queries.

Next, we define two new security definitions for a given TBC.

2.2.1 μ -respecting TPRP security

Let $\mu$ be a positive integer. We define the $\mu$-TPRP advantage of $\tilde{E}$ to be $\mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(q, t) = \max_{\mathcal{A}} \mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(\mathcal{A})$, where the maximum is taken over all $\mu$-respecting adversaries $\mathcal{A}$ (i.e., the number of queries $(tw, X)$ made by $\mathcal{A}$ with the same plaintext input $X$ is at most $\mu$) running in time $t$. When the TBC is instantiated in the ideal cipher model, the time parameter $t$ denotes the number of ideal cipher calls.

2.2.2 Multi-commitment prediction

Let $\tilde{E}$ be a TBC. Let $\mathcal{A}$ be an adversary that has oracle access to the $n$-bit TBC $\tilde{E}$ with tweak space $\mathcal{T}$ in the first phase. For $Z \in \{0,1\}^{n}$ we write $\lceil Z \rceil_{n/2}$ and $\lfloor Z \rfloor_{n/2}$ for the most and least significant $n/2$ bits of $Z$, respectively.

PHASE 2:

  1. After all the queries of the first phase are done, it makes at most $\lambda$ commitments of the form $(tw_i, x_i, y_i)$, where $x_i, y_i \in \{0,1\}^{n/2}$ and $tw_i \in \mathcal{T}$.

  2. $\mathcal{A}$ makes prediction queries of the form $(tw'_j, X'_j)$ such that every $(tw'_j, X'_j)$ is fresh, i.e., for all $j$, $(tw'_j, X'_j)$ has never been queried before (Figure 1).

We say that the adversary $\mathcal{A}$ wins the $\lambda$-multi-commitment-prediction game if for some prediction query tuple $(tw'_j, X'_j)$ there exists a commitment tuple $(tw_i, x_i, y_i)$ such that

$tw_i = tw'_j; \quad x_i = \lceil X'_j \rceil_{n/2}; \quad \lceil \tilde{E}_K(tw_i, X'_j) \rceil_{n/2} = y_i.$

The $\lambda$-multi-commitment-predicting advantage of an adversary $\mathcal{A}$ is defined as

$\mathrm{Adv}^{\lambda\text{-}\mathrm{mcp}}_{\tilde{E}}(\mathcal{A}) = \Pr[\mathcal{A}^{\tilde{E}} \text{ wins the } \lambda\text{-multi-commitment-prediction game}],$

and we write

$\mathrm{Adv}^{\lambda\text{-}\mathrm{mcp}}_{\tilde{E}}(q, t) = \max_{\mathcal{A}} \mathrm{Adv}^{\lambda\text{-}\mathrm{mcp}}_{\tilde{E}}(\mathcal{A}),$

where the maximum is taken over all adversaries $\mathcal{A}$ running in time $t$ and making at most $q$ queries.

We define the $(\mu, \lambda)$-mcp advantage to be

$\mathrm{Adv}^{(\mu, \lambda)\text{-}\mathrm{mcp}}_{\tilde{E}}(q, t) = \max_{\mathcal{A}} \mathrm{Adv}^{\lambda\text{-}\mathrm{mcp}}_{\tilde{E}}(\mathcal{A}),$

where the maximum is taken over all adversaries as defined earlier, with the additional restriction that their first-phase queries are $\mu$-respecting.

We would like to note that in the ideal cipher model, $(\mu, \lambda)$-multi-commitment prediction security is defined in the same way as above, with the additional restriction that the adversary does not make any primitive calls to $E$ in phase 2.

2.3 Multi collision

We say that an adversary $\mathcal{A}$ with oracle access to $\mathcal{O}$ produces a $\mu$-multicollision if it makes $\mu$ distinct queries $x_1, \ldots, x_{\mu}$ to $\mathcal{O}$ for which all responses are identical. The $\mu$-multicollision advantage of the adversary $\mathcal{A}$ is defined as

$\mathrm{Adv}^{\mu\text{-}\mathrm{mcoll}}_{\mathcal{O}}(\mathcal{A}) = \Pr[\mathcal{A}^{\mathcal{O}} \text{ produces a } \mu\text{-multicollision}]$

and $\mathrm{Adv}^{\mu\text{-}\mathrm{mcoll}}_{\mathcal{O}}(q) = \max_{\mathcal{A}} \mathrm{Adv}^{\mu\text{-}\mathrm{mcoll}}_{\mathcal{O}}(\mathcal{A})$, where the maximum is taken over all adversaries $\mathcal{A}$ making at most $q$ queries.

Figure 1

Phase 2 of the $(\mu, \lambda)$-mcp game between $\mathcal{A}$ and the challenger $\mathcal{CH}$. The phase 1 queries to $\mathcal{CH}$ are answered as in the $\mu$-TPRP game. For phase 2 queries, the $\mu$-restriction is lifted. Note that the phase 2 queries and predictions can be made in any order. The only condition is that each prediction $(tw'_j, X'_j)$ must be fresh, i.e., it has not been queried earlier.

3 The mF mode of AEAD

We start by defining the positive feedback function $FB^{+}$, which takes a chain input $Y$ of $n$ bits and a data input $M$ of at most $n$ bits, and generates a data output $C$ of $|M|$ bits and a chain output $X$ of $n$ bits. The negative feedback function $FB^{-}$ is defined similarly. The general description of the feedback functions, including the treatment of a partial last block, can be understood from Figures 2 and 3. When the data input has length exactly $n$, the feedback functions have a much simpler description. If $|M| = n$, then $FB^{+}(Y, M) = (X, C)$, where $C = Y \oplus M$ and $X = \lceil C \rceil_{n/2} \,\|\, \lfloor M \rfloor_{n/2}$, i.e., the most significant half of $X$ is taken from the ciphertext block and the least significant half from the message block. Similarly, if $|C| = n$, then $FB^{-}(Y, C) = (X, M)$, where $M = Y \oplus C$ and $X = \lceil C \rceil_{n/2} \,\|\, \lfloor M \rfloor_{n/2}$, so that the chain output is the same in both directions.

Figure 2

The $FB^{+}$ function in mF. pad is $0^{*}1$ padding.

Figure 3

The $FB^{-}$ function in mF. pad is $0^{*}1$ padding.

Let $\tilde{E}$ be a TBC with state size $n$ and tweak size $t > n - 8$. We define the mF mode of AEAD using this TBC as follows. Given any data $D$, we define $d = \lceil |D|/n \rceil$. We parse the data $D$ into $d$ blocks of $n$ bits, in notation $(D_d, \ldots, D_1) \xleftarrow{n} D$, where $|D_d| = n$ if $n$ divides $|D|$, and $|D_d| = r$ if $|D| \equiv r \pmod{n}$ with $r > 0$; all other blocks have exactly $n$ bits.

Given any input $(N, A, M) \in \{0,1\}^{n-8} \times \{0,1\}^{*} \times \{0,1\}^{*}$ and distinct but predefined constants $\{a_1, \ldots, a_6\}$, we define $(a, \delta_A)$ and $(m, \delta_M)$ depending on $A$ and $M$ using the Fmt function described in the algorithm of Figure 5; here $a$ and $m$ are the numbers of blocks of $A$ and $M$, and the domain-separation constants $\delta_A, \delta_M$ are taken from $\{a_1, \ldots, a_6\}$. We restrict $a, m$ such that $a + m + 2 \le 2^{t - n + 8}$, so that the block counter fits in the tweak. With this setup, the mF encryption with secret key $K$ simply outputs $\tilde{E}_K(0^{t}, N \| 0^{6}10)$ as the tag if $a = m = 0$. Otherwise it sets $N' = N \| 0^{7}1$ if $a = 0$ and $N' = N \| 0^{8}$ if $a \neq 0$, and makes the first TBC call with tweak $(N, 0)$ and input $N'$ to generate $Y_0$.

Associated data processing: It parses $(A_a, \ldots, A_1) \xleftarrow{n} A$. For each $i \in [0, a-1]$, it evaluates $FB^{+}(Y_i, A_{i+1})$ to generate $(X_{i+1}, \cdot)$ (the data output is discarded) and uses $((N, i+1), X_{i+1})$ as the next TBC input to generate $Y_{i+1}$. Finally, it makes another TBC call with input $((N, a+1), Y_a \oplus \delta_A)$ to generate $Y_{a+1}$. It outputs $Y_{a+1}$ as the tag if $m = 0$.

Message processing: It parses $(M_m, \ldots, M_1) \xleftarrow{n} M$ and sets $l = a + m$. For each $i \in [a+1, l]$, it evaluates $FB^{+}(Y_i, M_{i-a})$ to generate $(X_{i+1}, C_{i-a})$ and uses $((N, i+1), X_{i+1})$ as the next TBC input to generate $Y_{i+1}$. Finally, it makes another TBC call with input $((N, l+2), Y_{l+1} \oplus \delta_M)$ to generate the tag. It outputs $(C_m, \ldots, C_1)$ as the ciphertext.

Let pad be the $0^{*}1$ padding function. $\bot$ represents invalid. $P_1\ ?\ a_1 : a_2$ evaluates to $a_1$ if $P_1$ is true and to $a_2$ otherwise. $P_1\ \&\ P_2\ ?\ a_1 : a_2 : a_3 : a_4$ evaluates to $a_1$ if both $P_1$ and $P_2$ are true, to $a_2$ if only $P_1$ is true, to $a_3$ if only $P_2$ is true, and to $a_4$ if neither holds. $\mathrm{Feed}(\cdot, \cdot, \mathrm{dir})$ is $FB^{+}$ if $\mathrm{dir} = +$ and $FB^{-}$ if $\mathrm{dir} = -$. With this notation, the mF mode of AEAD can best be understood from Figures 4 and 5.

Figure 4

Block diagram for mF encryption. Here, $N' = N \| x$, where $x = 0^{8}$ if $a \neq 0$ and $x = 0^{7}1$ if $a = 0$ and $m \neq 0$. We define $l = a + m$. $\delta_A$ and $\delta_M$ are as defined in Figure 5.

Figure 5

Algorithm defining the mF mode.

4 Security reductions of mF

Here, we give upper bounds on the privacy advantage and forging advantage of mF against any adversary B . For notational reference, see Figure 4.

4.1 Privacy

Theorem 4.1

For any privacy adversary $\mathcal{B}$ of mF, there is a $\mu$-TPRP adversary $\mathcal{A}$ of $\tilde{E}$ such that

$\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{mF}}(\mathcal{B}) \le \mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(\mathcal{A}) + \sigma \left(\frac{\sigma}{2^{n/2}}\right)^{\mu},$

where $\sigma$ is the total number of TBC queries made by $\mathcal{A}$ (i.e., the total number of blocks in the queries of $\mathcal{B}$).

Proof

Note that mF is a mode based on a TBC $\tilde{E}_K$. If we replace $\tilde{E}_K$ by an $n$-bit tweakable random permutation $\mathcal{P}$ with the same tweak space, we denote the construction by $\mathrm{mF}^{\mathcal{P}}$. From the construction it is easy to see that all tweaks used in the tweakable random permutation while executing nonce-respecting queries are distinct. Hence, all output bits of $\mathrm{mF}^{\mathcal{P}}$ are uniformly random, so it is equivalent to the oracle $\$$. So, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{mF}}(\mathcal{B}) = \left|\Pr[\mathcal{B}^{\mathrm{mF}^{\mathcal{P}}} = 1] - \Pr[\mathcal{B}^{\mathrm{mF}^{\tilde{E}_K}} = 1]\right|$.

By a straightforward reduction, one can construct an adversary $\mathcal{A}'$ that simulates the mode $\mathrm{mF}^{\mathcal{O}}$, where $\mathcal{O}$ (either $\mathcal{P}$ or $\tilde{E}_K$) is the challenge oracle of $\mathcal{A}'$. Clearly, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{mF}}(\mathcal{B}) \le \mathrm{Adv}^{\mathrm{tprp}}_{\tilde{E}}(\mathcal{A}')$. However, $\mathcal{A}'$ is not necessarily $\mu$-input-respecting for small $\mu$. So we follow a slightly different strategy to define $\mathcal{A}$. It is the same as $\mathcal{A}'$, except that it aborts and returns 0 whenever it is about to violate the $\mu$-input restriction. More precisely, it maintains a list of all queries $(tw_i, X_i)$ made to its challenger. If for some $i$ there exist $\mu + 1$ indices $j < i$ with $X_j = X_i$, it aborts (instead of making the query) and returns zero. When it does not abort, it returns whatever $\mathcal{B}$ returns. Now,

$\left|\Pr[\mathcal{B}^{\mathrm{mF}^{\mathcal{P}}} = 1] - \Pr[\mathcal{B}^{\mathrm{mF}^{\tilde{E}_K}} = 1]\right| \le \left|\Pr[\mathcal{B}^{\mathrm{mF}^{\mathcal{P}}} = 1 \wedge \mathcal{A} \text{ doesn't abort}] + \Pr[\mathcal{A}^{\mathcal{P}} \text{ aborts}] - \Pr[\mathcal{B}^{\mathrm{mF}^{\tilde{E}_K}} = 1 \wedge \mathcal{A} \text{ doesn't abort}]\right|$

$\overset{(1)}{\le} \left|\Pr[\mathcal{A}^{\mathcal{P}} = 1] - \Pr[\mathcal{A}^{\tilde{E}_K} = 1]\right| + \Pr[\mathcal{A}^{\mathcal{P}} \text{ aborts}]$

$\overset{(2)}{\le} \mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(\mathcal{A}) + \sigma \left(\frac{\sigma}{2^{n/2}}\right)^{\mu}.$

Inequality (1) follows from the definition of $\mathcal{A}$: it returns 1 if and only if it does not abort and $\mathcal{B}$ returns 1. We now bound $\Pr[\mathcal{A}^{\mathcal{P}} \text{ aborts}] \le \sigma (\sigma / 2^{n/2})^{\mu}$, which justifies inequality (2).

Consider the event that $\mathcal{A}^{\mathcal{P}}$ aborts, i.e., there exist $\{i_1, \ldots, i_{\mu+1}\} \subseteq [1, \sigma]$ such that $\mathcal{A}$ needs to make $\mu + 1$ queries of the form $(tw_{i_j}, X_{i_j})$ to $\mathcal{P}$ with $X_{i_j} = X_{i_{j'}}$ for all $j, j' \in [1, \mu+1]$. Now, note that for each such query, if the previous query by $\mathcal{A}$ is $(tw_{i_j - 1}, X_{i_j - 1})$ and it received the output $Y_{i_j - 1}$, then

$\lfloor X_{i_j} \rfloor_{n/2} = \lfloor Y_{i_j - 1} \oplus C_{i_j} \rfloor_{n/2}$

for some known $C_{i_1}, \ldots, C_{i_{\mu+1}}$ (the data outputs released by the feedback function). Now consider an oracle $\mathcal{O}^{\mathcal{P}}$, which takes an input of the form $(tw_i, X_i, C_i)$ and outputs $z_i = \lfloor Y_i \oplus C_i \rfloor_{n/2}$ as response, where $Y_i = \mathcal{P}(tw_i, X_i)$.

Then, clearly,

$\Pr[\mathcal{A}^{\mathcal{P}} \text{ aborts}] \le \mathrm{Adv}^{(\mu+1)\text{-}\mathrm{mcoll}}_{\mathcal{O}^{\mathcal{P}}}(\sigma).$

Finally, to bound $\mathrm{Adv}^{(\mu+1)\text{-}\mathrm{mcoll}}_{\mathcal{O}^{\mathcal{P}}}(\sigma)$, we bound the $\mu$-multicollision advantage for a general $\mu$. Let $\omega_d = ((N_i, j_i), X_i, z_i)_i$ be the online transcript of any adversary playing the $\mu$-mcoll game with $\mathcal{O}^{\mathcal{P}}$.

A $\mu$-multicollision occurs if there exist $i_1, \ldots, i_{\mu} \in [1, \sigma]$ such that $z_{i_k} = z_{i_l}$ for all $k, l \in [1, \mu]$.

Note that the probability of a $\mu$-multicollision is highest when the tweak is the same for all the queries.

In that case, for a given $x \in \{0,1\}^{n/2}$ and a fixed $i_k \in [1, \sigma]$, the number of possible tuples $(Y_{i_k}, C_{i_k})$ such that $z_{i_k} = \lfloor Y_{i_k} \oplus C_{i_k} \rfloor_{n/2} = x$ is bounded by $2^{n/2}$. Hence, varying over all $i_1, \ldots, i_{\mu} \in [1, \sigma]$, the number of possible tuples $(Y_{i_1}, C_{i_1}), \ldots, (Y_{i_{\mu}}, C_{i_{\mu}})$ such that $z_{i_k} = \lfloor Y_{i_k} \oplus C_{i_k} \rfloor_{n/2} = x$ for all $k \in [1, \mu]$ is bounded by $2^{\mu n/2}$.

Varying over all $x \in \{0,1\}^{n/2}$ and over all choices of $i_1, \ldots, i_{\mu} \in [1, \sigma]$, the number of ways in which a $\mu$-multicollision can occur is at most $\sigma^{\mu} 2^{(\mu+1) n/2}$.

Hence, we have

Lemma 4.2

$\mathrm{Adv}^{\mu\text{-}\mathrm{mcoll}}_{\mathcal{O}^{\mathcal{P}}}(\sigma) = \Pr[\mu\text{-mcoll}] \le \frac{\sigma^{\mu}\, 2^{(\mu+1) n/2}}{(2^{n})^{\mu}} = \sigma \left(\frac{\sigma}{2^{n/2}}\right)^{\mu - 1}.$ □

4.2 Forgery

Define an oracle $\mathcal{O}^{\tilde{E}_K}$, which takes a query input of the form $(tw, X, C)$ and returns

$X' = C \oplus \left(0^{n/2} \,\|\, \lfloor \tilde{E}_K(tw, X) \rfloor_{n/2}\right),$

i.e., the next chain input $\lceil C \rceil_{n/2} \| \lfloor M \rfloor_{n/2}$ of the mode. We similarly define $\mathcal{O}^{\mathcal{P}}$, where the TBC is replaced by the tweakable random permutation $\mathcal{P}$. For any $(\mu+1)$-multicollision adversary $\mathcal{C}$ with oracle access to $\mathcal{O}^{\tilde{E}_K}$ that is $(\mu+1)$-input-restricting, there is a $\mu$-TPRP adversary $\mathcal{C}'$ of $\tilde{E}$ such that

$\mathrm{Adv}^{(\mu+1)\text{-}\mathrm{mcoll}}_{\mathcal{O}^{\tilde{E}_K}}(\mathcal{C}) \le \mathrm{Adv}^{\mu\text{-}\mathrm{tprp}}_{\tilde{E}}(\mathcal{C}') + \sigma \left(\frac{\sigma}{2^{n/2}}\right)^{\mu}.$

This follows from the standard reduction and Lemma 4.2.

Theorem 4.3

For any nonce-respecting forging adversary $B$ of mF making $q_e$ encryption queries with $\sigma_e$ encryption query blocks and $q_d$ decryption queries with $\sigma_d$ decryption query blocks, there is (i) a $(\mu,\sigma_d)$-mcp adversary $A$ of $\tilde E$, and (ii) a $(\mu+1)$-multicollision adversary $C$ with oracle access to $O_{\tilde E_K}$ (as defined earlier), such that

$$\mathrm{Adv}^{\mathrm{forge}}_{\mathsf{mF}}(B)\le\mathrm{Adv}^{(\mu,\sigma_d)\text{-mcp}}_{\tilde E}(A)+2\,\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(C)+\sigma\Bigl(1+\frac{(\mu+1)^2}{2^n}\Bigr)\Bigl(\frac{\sigma}{2^{n/2}}\Bigr)^{\mu}+\frac{2\sigma_e}{2^{n/2}}.$$

Let $B$ be any forging adversary of mF. Suppose $B$ makes $q_e$ encryption queries with $\sigma_e$ encryption query blocks and $q_d$ forging attempts with effectively $\sigma_d$ encryption blocks. We construct a $(\mu,\sigma_d)$-mcp adversary $A$ that uses $B$ to win the $(\mu,\sigma_d)$-multi-commitment-prediction game of $\tilde E$.

4.2.1 The reduction game

Let C be a ( μ , λ ) - mcp challenger. A acts as a forgery challenger for B , as follows:

Phase 1:

  1. Whenever B sends an encryption query of the form ( N i , A i , M i ) i [ 1 , q e ] ,

    1. A responds to the query by computing ( C i , T i ) by making the required E ˜ K queries to C .

    2. In the previous step, A always follows the restriction that no more than μ queries to E ˜ have the same input. Otherwise, it aborts.

  2. For every decryption query of the form ( N j , A j , C j , T j ) j [ 1 , q d ] , A simply responds it with .

  3. When all the encryption and decryption queries by $B$ have been responded to, $A$ revisits all the decryption queries made by $B$. For each $j\in[1,q_d]$, $A$ proceeds as follows:

    1. A checks if B has previously made any encryption query ( N i , A i , M i ) and received output of the form ( C i , T i ) such that N i = N j and defines an integer p j as follows:

      1. if there is no encryption query $(N_i,A_i,M_i)$ from $B$ such that $N_i=N_j$, then $A$ sets $p_j=-1$.

      2. Else if there exists $(N_i,A_i,M_i)$ such that $N_i=N_j$ but $T_i\ne T_j$ or $l_i<l_j$, then $A$ sets $p_j=-1$.

      3. Else if there exists $(N_i,A_i,M_i)$ such that $N_i=N_j$ but $l_i>l_j$ and $T_j\ne Y^i_{l_j+2}$, then $A$ sets $p_j=-1$.

      4. Else if there exists $(N_i,A_i,M_i)$ such that $N_i=N_j$ but $l_i>l_j$ and $T_j=Y^i_{l_j+2}$, then $A$ sets $p_j=0$.

      5. Else if p j Z 0 be such that pad ( C m j k j ) = pad ( C m i k i ) , k [ 0 , p j ) but pad ( C m j p j j ) pad ( C m i p j i ) , then

        1. A defines p j = p j + 1 , if pad ( C m j p j j ) n 2 = pad ( C m i p j i ) n 2 . Otherwise, it defines p j = p j + 2 .

        2. A defines

          Δ j pad ( C m j p j + 1 j ) n 2 pad ( C m i p j + 1 i ) n 2 .

    2. If $p_j\in\{-1,0\}$, $A$ computes $Y^j_k$ for all $k\in[0,l_j-p_j]$; otherwise it computes $Y^j_k$ for all $k\in[0,l_j-p_j+1]$, with the help of $C$, following the restriction that no more than $\mu$ queries to $\tilde E$ have the same input. If that restriction cannot be met, $A$ aborts.

Remark 4.4

If there exists a common prefix between ( N i , A i , C i ) and ( N j , A j , C j ) , then A already has computed up to the common prefix length during encryption query and thus need not send any new encryption query to C for computation up to that point.

Phase 2 (commitment):

For each j [ 1 , q d ] ,

  1. If $p_j=-1$, then,

    1. Note that A knows Y l j + 1 j from Phase 1.

    2. A sets commitment of the form ( ( N j , l j + 2 ) , Y l j + 1 j n 2 , T j n 2 ) .

  2. If p j = 0 , then,

    1. A sets Y l j + 1 j n 2 = Y l j + 1 i D l j + 1 i δ M j n 2 , where

      D l j + 1 i = Y l j + 1 i A l j + 2 i if l j < a i δ A i if l j = a i C i j a + 1 i if l j > a i .

    2. A sets commitment of the form ( ( N j , l j + 1 ) , C m j j n 2 , Y l j + 1 j n 2 ) .

  3. If $p_j\notin\{-1,0\}$, then $A$ makes $p_j$ commitments of the form

    ( t w k j , x k j , y k j ) k [ l j p j + 2 , l j + 1 ] ,

    where

    t w k j = ( N j , k ) ; x k j = C m j p j + 1 j n 2 ; y k j = Y k i n 2 Δ j if k = l j p j + 2 Y k i n 2 Otherwise .

Phase 2 (prediction):

For each j [ 1 , q d ]

  1. If $p_j=-1$, then

    1. It calculates X l j + 2 j = Y l j + 1 j δ M j .

    2. It sends prediction query of the form ( ( N j , l j + 2 ) , X l j + 2 j ) .

  2. If p j = 0 , then

    1. Note that A knows Y l j j from Phase 1.

    2. A then sets X l j + 1 j = ( 0 n 2 Y l j j n 2 ) C m j j .

    3. Finally, $A$ sends $((N_j,l_j+1),X^j_{l_j+1})$ as a prediction query.

  3. If $p_j\notin\{-1,0\}$, then

    1. Note that, A knows Y l j p j + 1 j from Phase 1.

    2. for k = l j p j + 2 to l j + 1 ,

      1. A knows the value of Y k 1 j .

      2. A then sets X k j = ( 0 n 2 Y l k 1 j n 2 ) C k 1 j .

      3. It sends ( t w k j , X k j ) as a prediction query and receives Y k j .

4.2.2 Understanding the reduction game

The adversary $A$'s actions on receiving an encryption query are quite simple. To each decryption query, $A$ simply responds with rejection. Now, we try to understand how the adversary $A$ generates the commitments and the predictions depending upon the queries of $B$. Notice that for each decryption query by $B$, $A$ sets an integer flag $p$ taking values in $[-1,m_i]$. Moreover, it makes at least one commitment and at least one prediction for each decryption query.

For simplicity, we assume that B makes only one decryption query of the form ( N , A , C , T ) .

Here, we only discuss the most complex case, i.e., when there exists an encryption query of the form $(N',A',M')$ with response $(C',T')$ such that $N'=N$, $l'=l$ and $T'=T$. The adversary looks for the maximum possible common suffix between $C$ and $C'$. Assume that the last $p$ blocks of $C$ and $C'$ are identical. Then, depending on whether the most significant halves of the last non-identical blocks of $C$ and $C'$ are identical or not, the flag is set to $p+2$ or $p+1$, respectively. With the help of $C$, $A$ simulates the mF decryption protocol to compute $Y_{l-p+1}$ before exiting Phase 1.

Note that adversary $A$ knows all the values $\{Y_{l-p+2},\dots,Y_{l+1}\}$ from the encryption transcript generated for $B$. The adversary simply sets $p$ commitments of the form $((N,l-p+2),\lceil C_{m-p+1}\rceil_{n/2},\lceil Y_{l-p+2}\rceil_{n/2}),\dots,((N,l+1),\lceil C_m\rceil_{n/2},\lceil Y_{l+1}\rceil_{n/2})$. Finally, $A$ returns to simulating the decryption protocol starting from $Y_{l-p+1}$ by sending prediction queries of the form $((N,l-p+k),X_{l-p+k})$, $k\in[2,p+1]$, to $C$.

Remark 4.5

When B makes more than one decryption query, A doesn’t make any prediction query before generating commitments corresponding to all the decryption queries.

Let CBAD denote the event that $A$ receives an encryption query of the form $(N_i,A_i,M_i)$ and outputs a response of the form $(C_i,T_i)$ such that, for some $1\le c\le l_i$, we have $\lceil X^i_c\rceil_{n/2}=\lceil Y^i_{c-1}\rceil_{n/2}\oplus\lceil\delta_M\rceil_{n/2}$ for some arbitrary $M$.

Lemma 4.6

$$\Pr[\mathrm{CBAD}]\le\frac{2\sigma_e}{2^{n/2}}+\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(C).$$

Proof

Since CBAD occurs only during the encryption queries, by a standard reduction technique, there exists a μ - TPRP adversary C such that

$$\Pr[\mathrm{CBAD}]\le\Pr[\mathrm{CBAD}_P]+\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(C),$$

where $\mathrm{CBAD}_P$ denotes the event CBAD when $A$ has oracle access to $P$.

Now, let $A$ have oracle access to $P$. Then, during the $i$th encryption query, we have

$$\lceil X^i_c\rceil_{n/2}=\begin{cases}\lceil A^i_c\rceil_{n/2} & \text{if } c\le a_i,\\ \lceil Y^i_{c-1}\rceil_{n/2}\oplus\lceil\delta_{A^i}\rceil_{n/2} & \text{if } c=a_i+1,\\ \lceil M^i_c\rceil_{n/2} & \text{if } c>a_i+1.\end{cases}$$

Since all the $Y^i_j$ values are generated uniformly at random and $\lceil\delta_{A^i}\rceil_{n/2}\ne\lceil\delta_M\rceil_{n/2}$ for any $M$, for any $i\in(q]$ and any $M$ we have $\Pr[\mathrm{CBAD}]\le 1/2^{n/2}$. Since $\delta_M$ takes at most two values, depending on whether $n$ divides $|M|$ or not, varying over all $i,j$ we have the lemma.□

Corollary 4.7

If the event CBAD doesn't hold, then for any decryption query $(N_j,A_j,C_j,T_j)$ such that $N_j=N_i$, $l_i>l_j$ and $T_j=Y^i_{l_j+2}$, we have $X^j_{l_j+1}\ne X^i_{l_j+1}$.

Proof

Note that $T_j=Y^i_{l_j+2}$ implies $X^j_{l_j+2}=X^i_{l_j+2}$. Now, since $Y^j_{l_j+1}=X^j_{l_j+2}\oplus\delta_{M^j}$ and CBAD doesn't hold, $Y^j_{l_j+1}\ne Y^i_{l_j+1}$, which implies $X^j_{l_j+1}\ne X^i_{l_j+1}$.□

Proposition 4.8

Suppose $A$ never aborts and CBAD never occurs. If $(N_j,A_j,C_j,T_j)$ is a valid forgery for some $j\in[1,q_d]$, then for some $k\in[1,p_j]$, $(tw^j_k,X^j_k)$ is a successful prediction query tuple.

We postpone the proof of Proposition 4.8 to Section 4.3.

4.2.3 Proof of Theorem 4.3

For all encryption queries of the form ( N i , A i , M i ) , A can correctly simulate as it has access to E ˜ K .

Note that Proposition 4.8 means that, given $A$ doesn't abort and CBAD doesn't occur for any encryption query by $B$, the $(\mu,\sigma_d)$-mcp adversary $A$ makes a valid prediction whenever the forging adversary $B$ makes a successful forgery. Hence, by Proposition 4.8,

$$\Pr[A\text{ wins the }(\mu,\sigma_d)\text{-mcp game}]\ge\Pr[B\text{ forges the }i\text{th query for some }i\in[1,q_d]\ \wedge\ A\text{ doesn't abort}\ \wedge\ \overline{\mathrm{CBAD}}].$$

Hence,

$$\begin{aligned}\Pr[B\text{ forges}]&\le\Pr[B\text{ forges the }i\text{th query for some }i\in[1,q_d]\ \wedge\ A\text{ doesn't abort}\ \wedge\ \overline{\mathrm{CBAD}}]+\Pr[A\text{ aborts}]+\Pr[\mathrm{CBAD}]\\&\le\Pr[A\text{ wins the }(\mu,\sigma_d)\text{-mcp game}]+\Pr[A\text{ aborts}]+\Pr[\mathrm{CBAD}]\\&\le\mathrm{Adv}^{(\mu,\sigma_d)\text{-mcp}}_{\tilde E}(A)+2\,\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(C)+\sigma\Bigl(1+\frac{(\mu+1)^2}{2^n}\Bigr)\Bigl(\frac{\sigma}{2^{n/2}}\Bigr)^{\mu}+\frac{2\sigma_e}{2^{n/2}}.\end{aligned}$$

4.3 Proof of Proposition 4.8

Let ( N j , A j , C j , T j ) be a valid forgery. Depending on the value of p j , we divide it into three cases.

Case 1: If $p_j=-1$.

In the commitment phase, the adversary $A$ commits $((N_j,l_j+2),\lceil Y^j_{l_j+1}\rceil_{n/2},\lceil T_j\rceil_{n/2})$ as described earlier.

Notice that if $N_i\ne N_j$ for all encryption queries of the form $(N_i,A_i,M_i)$, then $(N_j,l_j+2)$ is fresh.

If $N_i=N_j$ and $l_j=l_i$ but $T_i\ne T_j$, then since $(N_j,l_j+2)=(N_i,l_i+2)$, we must have that $((N_j,l_j+2),X^j_{l_j+2})$ is fresh.

If $N_i=N_j$ and $l_j>l_i$, then we again have that $(N_j,l_j+2)$ is fresh.

Let $N_i=N_j$ and $l_j<l_i$. If $T_j\ne Y^i_{l_j+2}$, then $((N_j,l_j+2),X^j_{l_j+2})$ is fresh.

Hence, if any of the aforementioned conditions is satisfied, then $((N_j,l_j+2),X^j_{l_j+2})$ is fresh, i.e., $((N_j,l_j+2),X^j_{l_j+2})$ has never been queried before by $A$ to $C$, $\lceil X^j_{l_j+2}\rceil_{n/2}=\lceil Y^j_{l_j+1}\rceil_{n/2}$ and $\tilde E_K((N_j,l_j+2),X^j_{l_j+2})=T_j$. Hence, we see that $((N_j,l_j+2),X^j_{l_j+2})$ is a valid prediction query with respect to the commitment $((N_j,l_j+2),\lceil Y^j_{l_j+1}\rceil_{n/2},\lceil T_j\rceil_{n/2})$.

Case 2: If p j = 0

We have $N_i=N_j$, $l_j<l_i$ and $T_j=Y^i_{l_j+2}$. Then, we must have $X^j_{l_j+2}=X^i_{l_j+2}$ and

Y l j + 1 j n 2 = Y l j + 1 i n 2 D l j + 1 i n 2 δ M j n 2 ,

where D l j + 1 i is as defined in phase 2.

In the commitment phase, the adversary $A$ commits $((N_j,l_j+1),\lceil C^j_{m_j}\rceil_{n/2},\lceil Y^j_{l_j+1}\rceil_{n/2})$ as described earlier. Now, by Corollary 4.7, $((N_j,l_j+1),X^j_{l_j+1})$ is fresh. Moreover, it is a valid prediction query.

Case 3: If $p_j\notin\{-1,0\}$

There exists an $i\in[1,q_e]$ such that $N_j=N_i$, $a_j+m_j=a_i+m_i=l_j$ and $T_j=T_i$.

Now consider the two cases:

  1. First, let $p'_j\in\mathbb{Z}_{\ge 0}$ be such that $C^j_{m_j-k}=C^i_{m_i-k}$ for all $k\in[0,p'_j)$ and $C^j_{m_j-p'_j}\ne C^i_{m_i-p'_j}$ but $\lceil C^j_{m_j-p'_j}\rceil_{n/2}=\lceil C^i_{m_i-p'_j}\rceil_{n/2}$. In this case, $p_j=p'_j+2$. We have, by the suffix property, $\Delta_j\ne 0$ and

    $$\lceil Y^j_{l_j-p_j+2}\rceil_{n/2}=\lceil Y^i_{l_j-p_j+2}\rceil_{n/2}\oplus\Delta_j,$$

    i.e., $X^j_{l_j-p_j+2}\ne X^i_{l_j-p_j+2}$.

  2. Now, let $p'_j\in\mathbb{Z}_{\ge 0}$ be such that $C^j_{m_j-k}=C^i_{m_i-k}$ for all $k\in[0,p'_j)$ and $\lceil C^j_{m_j-p'_j}\rceil_{n/2}\ne\lceil C^i_{m_i-p'_j}\rceil_{n/2}$. Then, $p_j=p'_j+1$ and, by the suffix property,

    $$\lceil Y^j_{l_j-p_j+2}\rceil_{n/2}=\lceil Y^i_{l_j-p_j+2}\rceil_{n/2}.$$

Since $\lceil C^j_{m_j-p_j+1}\rceil_{n/2}\ne\lceil C^i_{m_i-p_j+1}\rceil_{n/2}$,

$$X^j_{l_j-p_j+2}\ne X^i_{l_j-p_j+2}.$$

Hence, we conclude that ( t w l j p j + 2 j , X l j p j + 2 j ) is fresh in both cases.

In the commitment phase, the adversary commits ( t w k j , x k j , y k j ) for all k [ l j p j + 2 , l j + 1 ] .

If $(tw^j_{l_j-p_j+2},X^j_{l_j-p_j+2})$ is a valid prediction query with respect to $(tw^j_{l_j-p_j+2},x^j_{l_j-p_j+2},y^j_{l_j-p_j+1})$, we are done.

If not, then, as $C^j_{m_j-p_j+2}=C^i_{m_i-p_j+2}$,

$$\lceil Y^j_{l_j-p_j+2}\rceil_{n/2}\ne\lceil Y^i_{l_j-p_j+2}\rceil_{n/2},$$

i.e., $X^j_{l_j-p_j+3}\ne X^i_{l_j-p_j+3}$.

Hence, we have that $(tw^j_{l_j-p_j+3},X^j_{l_j-p_j+3})$ is fresh.

Inductively, suppose $(tw^j_{l_j},X^j_{l_j})$ is not a valid prediction query. Then, as $C^j_{m_j}=C^i_{m_i}$,

$$\lceil Y^j_{l_j}\rceil_{n/2}\ne\lceil Y^i_{l_j}\rceil_{n/2},$$

i.e., $X^j_{l_j+1}\ne X^i_{l_j+1}$.

Hence, $(tw^j_{l_j+1},X^j_{l_j+1})$ is fresh.

Since $N_j=N_i$, $a_j+m_j=a_i+m_i=l_j$ and $T_j=T_i$, we have $X^j_{l_j+2}=X^i_{l_j+2}$. Hence,

$$Y^j_{l_j+1}=Y^i_{l_j+1}.$$

Finally, since ( N j , A j , C j , T j ) is a valid forgery, it must be that

E ˜ K ( t w l j + 1 j , X l j + 1 j ) = Y l j + 1 j .

Hence, ( t w l j + 1 j , X l j + 1 j ) must be a valid prediction query.

5 A block cipher-based TBC construction

Let $\rho:\{0,1\}^n\to\{0,1\}^n$ be any bijective function, and let $\rho^i$ denote $i$ consecutive applications of $\rho$. We call $\rho$ the key update function (KUF) of the TBC.

Definition 5.1

Given any fixed KUF ρ , define

$$\nu_\rho\triangleq\max_{l<2^n}\frac{1}{l}\Pr_{K\leftarrow_\$\{0,1\}^n}[r_K\le l],$$

where, for all $K\in\{0,1\}^n$, $r_K$ is defined as the smallest positive integer such that $\rho^{r_K}(K)=K$.

Notice that if $\rho(K)=\alpha\cdot K$, where $\alpha$ is a primitive polynomial of degree $n$ (i.e., $\rho$ is multiplication by a primitive element of $\mathrm{GF}(2^n)$), then $\nu_\rho=0$. Leurent and Pernot [14] showed that if $\rho$ is the 11th round-key function of the AES key scheduling algorithm, then $\nu_\rho\ge 0.44/14018661024$.

Consider a block cipher $E:\{0,1\}^n\times\{0,1\}^n\to\{0,1\}^n$. Then, for any integer $t>n$, we define the TBC $\tilde E:\{0,1\}^n\times\{0,1\}^t\times\{0,1\}^n\to\{0,1\}^n$ as $\tilde E(K,tw,X)\triangleq E(K_{tw},X)$, where $K_{tw}\triangleq\rho^i(E(K,N))$. Here, we parse $tw$ into an $n$-bit part $N$ and a $(t-n)$-bit part whose decimal integer representation is $i$ (Figure 6).

Figure 6: A block cipher-based TBC construction.

Remark 5.2

If the key size κ of the block cipher is less than the state size n , then we can take the ρ function with domain and range { 0 , 1 } κ and chop K N appropriately. If κ > n , we can generate the updated key suitably by multiple applications of ρ . Since there exist many popular block ciphers with κ = n , in this article we restrict our analysis to these types of block ciphers only.

5.1 Bounding μ - TPRP security of E ˜

Here, we try to bound the μ - TPRP security of the TBC E ˜ . Let A be any μ -respecting adversary playing the μ - TPRP game that makes at most t primitive queries and d online queries.

We assume that the adversary doesn’t make repetitive or redundant queries.

5.1.1 The ideal world and analysis of bad events

Let P and denote the index set of primitive queries and encryption queries, respectively.

In the ideal world, the oracle chooses random functions $P:\{0,1\}^n\times\{0,1\}^n\to\{0,1\}^n$ and $Q:\mathcal{T}\times\{0,1\}^n\to\{0,1\}^n$ such that for all $K\in\{0,1\}^n$, $P(K,\cdot)$ is a random permutation, and for all $tw\in\mathcal{T}$, $Q(tw,\cdot)$ is a random permutation.

Primitive query: In the ideal world, for the $i$th primitive query of the form $(K_i,X_i)$, it computes $Y_i=P(K_i,X_i)$ and sends it as the response.

Define ω t = ( K i , X i , Y i ) i P to be the primitive transcript.

Online query: On receiving the ith input query of the form ( ( N i , j i ) , X i ) , it computes Y i = Q ( ( N i , j i ) , X i ) and sends it as the response.

Offline computation: The oracle chooses $K\in\{0,1\}^n$ uniformly at random. It then chooses a permutation $\Pi:\{0,1\}^n\to\{0,1\}^n$ uniformly at random from the set of all permutations over $\{0,1\}^n$. It then defines $K_{N_i}\triangleq\lceil\Pi(N_i)\rceil_n$ and $K_i=\rho^{j_i}(K_{N_i})$.

Define ω d = ( K , ( ( N i , j i ) , X i , Y i , K i ) i ) , to be the online transcript.

Define ω = ( ω t , ω d ) be the transcript for the adversary in the ideal world.

Bad Events: We now look at the ideal world transcript ω . We identify all the possible events where there is an input or output collision between different types of query-response tuples in ω , i.e., between the inputs or outputs of ( K i , X i , Y i ) i P , ( K , t w i , K i ) i and ( K i , X i , Y i ) i . The six possible input collisions are as follows:

  1. ( K i , X i ) = ( K i , X i ) , i , i P

  2. ( K , t w i ) = ( K , t w i ) , i , i

  3. ( K i , X i ) = ( K i , X i ) , i , i

  4. ( K , t w i ) = ( K i , X i ) , i , i P

  5. ( K , t w i ) = ( K i , X i ) , i , i

  6. ( K i , X i ) = ( K i , X i ) , i , i P .

Similarly, the six possible output collisions are as follows:

  1. ( K i , Y i ) = ( K i , Y i ) , i , i P

  2. ( K , K i ) = ( K , K i ) , i , i

  3. ( K i , Y i ) = ( K i , Y i ) , i , i

  4. ( K , K i ) = ( K i , Y i ) , i , i P

  5. ( K , K i ) = ( K i , Y i ) , i , i

  6. ( K i , Y i ) = ( K i , Y i ) , i , i P .

We ignore cases I1 and O1 as the adversary doesn't make redundant queries. Similarly, we also ignore case I2 as it simply means that the adversary has made multiple encryption queries with the same tweak. We consider the cases I4, I5, O4, and O5 as subcases of the event that $K=K_i$ for some $i\in P$. We call this event BAD1. Similarly, we consider cases I3, O2 and O3 as subcases of the event that for some $i\ne i'$ in the encryption index set we have $K_i=K_{i'}$. Since the subcase where $tw_i=tw_{i'}$ is already considered in BAD1, it is enough to consider the subcase where $tw_i\ne tw_{i'}$. Define this event as BAD2. We denote the event that case I6 occurs as BAD3. Finally, we denote the event that case O6 occurs as BAD4.

In notation:

BAD1: For some $i\in P$, we have $K_i=K$.

BAD2: For some $i_1\ne i_2$ in the encryption index set, we have $(N_{i_1},j_{i_1})\ne(N_{i_2},j_{i_2})$ but $K_{i_1}=K_{i_2}$.

BAD3: For some $i$ in the encryption index set and $i'\in P$, we have $(K_i,X_i)=(K_{i'},X_{i'})$.

BAD4: For some $i$ in the encryption index set and $i'\in P$, we have $(K_i,Y_i)=(K_{i'},Y_{i'})$.

Note that, in the ideal world, $\overline{\mathrm{BAD1}}$ implies that the adversary couldn't guess the secret key. Furthermore, $\overline{\mathrm{BAD2}}$, $\overline{\mathrm{BAD3}}$, and $\overline{\mathrm{BAD4}}$ mean that the input–output tuples in $\omega_t$ and $\omega_d$ are distinct, i.e., permutation compatible.

Definition 5.3

$$\mathrm{BAD}=\bigcup_{i=1}^{4}\mathrm{BAD}i.$$

We call a transcript ω bad if event BAD occurs.

Lemma 5.4

$$\Pr[\mathrm{BAD}]\le d\nu_\rho+\frac{t+d}{2^n}+\frac{d^2}{2^{n+1}}+\frac{2\mu t}{2^n}+\frac{d^{\mu+1}}{(2^n)^{\mu}}.$$

Proof

Here, we try to bound the distinct bad events defined earlier.

Bounding BAD1: Fix $i\in P$. Since $K$ is chosen uniformly at random, the probability that $K_i=K$ is at most $1/2^n$; the same holds for each encryption index. Varying over all $i$,

$$\Pr[\mathrm{BAD1}]\le\frac{d+t}{2^n}.$$

Bounding  BAD2 : This event can be divided into the following cases.

Case 1: ($N_{i_1}\ne N_{i_2}$) In this case, since $\Pi$ is a random permutation, $K_{N_{i_1}}$ and $K_{N_{i_2}}$ are distinct and independent. Hence, the probability that $K_{i_1}=K_{i_2}$ is at most $1/2^n$. Varying over all $i_1,i_2$, we have

$$\Pr[\text{Case 1}]\le\frac{d^2}{2^{n+1}}.$$

Case 2: ($N_{i_1}=N_{i_2}$; $j_{i_1}\ne j_{i_2}$) In this case, we have $K_{N_{i_1}}=K_{N_{i_2}}$.

Hence, the Case 2 event occurs if and only if $\rho^{(j_{i_1}-j_{i_2})}(K_{N_i})=K_{N_i}$, i.e., $(j_{i_1}-j_{i_2})$ is divisible by the period of $K_{N_i}$ (say $r_{K_{N_i}}$).

Note that queries of this form arise due to the encryption query of $B$ with nonce $N_i$ in the privacy game.

Let $l_i$ denote the number of blocks in the encryption query of $B$ with nonce $N_i$. Then for all $i_1,i_2$ such that $N_{i_1}=N_{i_2}=N_i$, we have $|j_{i_1}-j_{i_2}|\le l_i$, i.e., $r_i\le l_i$, and by Definition 5.1, the probability that Case 2 holds is at most $l_i\nu_\rho$.

Now, varying over all possible $i$, and from the observation that $\sum_i l_i\le d$, we have

$$\Pr[\text{Case 2}]\le\sum_i l_i\nu_\rho\le d\nu_\rho.$$

Since the aforementioned two cases are mutually exclusive, we have

$$\Pr[\mathrm{BAD2}]\le\frac{d^2}{2^{n+1}}+d\nu_\rho.$$

Bounding BAD3: For a given $i\in P$, let the adversary make the primitive query $(K_i,X_i)$. Then, there can be at most $\mu$ encryption queries of the form $((N_{i_k},j_{i_k}),X_i)$, $k\in[1,\mu]$, and hence at most $\mu$ tuples $(K_{i_k},X_i)$, $k\in[1,\mu]$. Now, since the $K_{i_k}$ are chosen uniformly at random during the encryption queries, for a given $i_k$ the probability that $K_{i_k}=K_i$ is at most $1/2^n$. Hence, for a given $i\in P$, the probability that there exists an encryption index $i'$ with $(K_{i'},X_{i'})=(K_i,X_i)$ is at most $\mu/2^n$. Varying over all $i$, we have

$$\Pr[\mathrm{BAD3}]\le\frac{\mu t}{2^n}.$$

Bounding  BAD4 : To bound BAD4 , we first define an event BADY as follows:

BADY: there exist $i_1,\dots,i_{\mu+1}$ such that $Y_{i_k}=Y_{i_l}$ for all $k,l\in[1,\mu+1]$.

Then, by union bound, we have

$$\Pr[\mathrm{BAD4}]\le\Pr[\mathrm{BADY}]+\Pr[\mathrm{BAD4}\wedge\overline{\mathrm{BADY}}].$$

Bounding BADY: Since for each $i$, $Y_i$ is chosen uniformly at random, given $i_1,\dots,i_{\mu+1}$, the probability that $Y_{i_j}=Y_{i_{j'}}$ for all $j,j'\in[1,\mu+1]$ is at most $1/(2^n)^{\mu}$. Hence, varying over all choices of $i_1,\dots,i_{\mu+1}$, we have

$$\Pr[\mathrm{BADY}]\le\frac{d^{\mu+1}}{(2^n)^{\mu}}.$$

Bounding $\mathrm{BAD4}\wedge\overline{\mathrm{BADY}}$: For a given $i\in P$, let the adversary's primitive transcript be $(K_i,\cdot,Y_i)$. Then, there can be at most $\mu$ encryption transcripts of the form $((N_{i_k},j_{i_k}),\cdot,Y_i)$, $k\in[1,\mu]$, and hence at most $\mu$ tuples $(K_{i_k},Y_i)$, $k\in[1,\mu]$. Since the $K_{i_k}$ are chosen uniformly at random during the encryption queries, for a given $i_k$ the probability that $K_{i_k}=K_i$ is at most $1/2^n$. Hence, for a given $i\in P$, the probability that there exists an encryption index $i'$ with $(K_{i'},Y_{i'})=(K_i,Y_i)$ is at most $\mu/2^n$. Varying over all $i$, we have

$$\Pr[\mathrm{BAD4}\wedge\overline{\mathrm{BADY}}]\le\frac{\mu t}{2^n}.$$

Hence, we get

$$\Pr[\mathrm{BAD4}]\le\frac{d^{\mu+1}}{(2^n)^{\mu}}+\frac{\mu t}{2^n}.$$

Finally, adding all the probabilities, we get the lemma.□

5.1.2 Real World and good transcript analysis

The real world has oracle E K . All the primitive queries and the encryption queries are responded to based on the responses of E K .

By a good transcript, we mean any transcript that is not bad. Now consider a good transcript $\omega=(\omega_t,\omega_d)$. Let $\Theta_0$ and $\Theta_1$ be the transcript random variables obtained in the ideal world and the real world, respectively.

Note that by definition of the good transcript, the input–outputs of ω t and ω d in the ideal world are independent yet permutation compatible. Hence, we have

$$\Pr[\Theta_0=\omega]=\prod_{i}\frac{1}{(2^n)_{t_i}}\times\frac{1}{2^n}\times\frac{1}{(2^n)_d}\times\frac{1}{(2^n)_d},$$

where $t_i$ denotes the number of primitive queries with the key $K_i\in\{0,1\}^n$, i.e., $\sum_i t_i=t$.

Now, note that in the real world, the primitive queries and online queries are permutation compatible.

Hence, we have $\Pr[\Theta_1=\omega]=\prod_{i}\frac{1}{(2^n)_{k_i}}\times\frac{1}{2^n}\times\frac{1}{(2^n)_d}$, where $k_i=d_i+t_i$, $t_i$ denotes the number of primitive queries with key $K_i$, and $d_i$ denotes the number of encryption queries of the form $(N_l,j_l,X)$ such that $K_l=K_i$. Note that $\sum_i k_i=d+t$.

Hence,

$$\frac{\Pr[\Theta_1=\omega]}{\Pr[\Theta_0=\omega]}=\frac{\prod_i(2^n)_{t_i}\times 2^n\times(2^n)_d\times(2^n)_d}{\prod_i(2^n)_{k_i}\times 2^n\times(2^n)_d}=\frac{\prod_i(2^n)_{t_i}\times(2^n)_d}{\prod_i(2^n)_{t_i+d_i}}=\frac{(2^n)_d}{\prod_i(2^n-t_i)_{d_i}}>1.$$

Hence, by the H-coefficient technique, we have Theorem 5.5.

Theorem 5.5

$$\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(d,t)\le d\nu_\rho+\frac{t+d}{2^n}+\frac{d^2}{2^{n+1}}+\frac{2\mu t}{2^n}+\frac{d^{\mu+1}}{(2^n)^{\mu}}.$$

5.2 Bounding ( μ , λ ) - m c p security of E ˜

Here, we try to bound the advantage of a μ -respecting adversary A making t primitive queries and d online queries playing the ( μ , λ ) -multi commitment prediction game with a challenger C . We assume that the adversary doesn’t make repetitive or redundant queries.

5.2.1 Game 0:

We define the original ( μ , λ ) - m c p security game between A and C as Game 0. Define P , 1 , and 2 , respectively as the set of query indices of Phase 1 primitive queries, Phase 1 encryption queries, and Phase 2 encryption queries.

Phase 1:

Primitive query: For the ith primitive query of the form ( K i , X i ) i P , C computes Y i = E ( K i , X i ) and sends it as a response.

Define ω t = ( K i , X i , Y i ) i P to be the primitive transcript.

Online query: $C$ chooses $K\in\{0,1\}^n$ uniformly at random. On receiving the $i$th input query of the form $((N_i,j_i),X_i)$, $i$ in the Phase 1 encryption index set, if the query is $\mu$-respecting, then $C$ computes $K_{N_i}=E(K,N_i)$, $K_i=\rho^{j_i}(K_{N_i})$ and outputs $Y_i=E(K_i,X_i)$ as the response. Else, it aborts.

Phase 2:

Commitment generation: A sends λ commitments of the form ( t w i , x i , y i ) i [ 1 , λ ] to C .

Primitive queries: A doesn’t make any primitive query in phase 2.

Prediction queries: Whenever $A$ makes a fresh prediction query of the form $((N_i,j_i),X_i)$ for some $i$ in the Phase 2 index set, $C$ computes $K_{N_i}=E(K,N_i)$, $K_i=\rho^{j_i}(K_{N_i})$ and outputs $Y_i=E(K_i,X_i)$ as the response.

Let ω e 1 = ( ( N i , j i ) , X i , Y i ) i 1 and ω e 2 = ( ( N i , j i ) , X i , Y i ) i 2 be the phases 1 and 2, respectively, online transcript of the adversary.

Define ω e = ω e 1 ω e 2 as the overall online transcript of the adversary. Define ω = ( ω t , ω e ) as the transcript of A .

5.2.2 Game 1:

We now define a modified security game called Game 1. Here, $C$ chooses a random function $Q:\mathcal{T}\times\{0,1\}^n\to\{0,1\}^n$ such that for all $tw\in\mathcal{T}$, $Q(tw,\cdot)$ is a random permutation. $C$ acts like a Game 0 challenger except in the case of Phase 1 online queries.

Phase 1 online query: On receiving the ith input query of the form ( ( N i , j i ) , X i ) i 1 if the query is μ -respecting, then C computes Y i = Q ( ( N i , j i ) , X i ) and sends it as the response. Else, it aborts.

We say that an adversary $A$ wins Game 1 if for some prediction query tuple $((N_k,j_k),X_k)$ there exists a commitment tuple $(tw_i,x_i,y_i)$ such that

$$tw_i=(N_k,j_k);\qquad x_i=\lceil X_k\rceil_{n/2};\qquad \lceil\tilde E_K(tw_i,X_k)\rceil_{n/2}=y_i.$$

$$\mathrm{Adv}^{\text{Game 1}}_{\tilde E}(d,t)=\max_{A}\Pr[A^{\tilde E}\text{ wins Game 1}],$$

where the maximum is taken over all adversaries $A$ running in time $t$ and making at most $d$ queries.

Proposition 5.6

Given any $(d,t)$-adversary $A$ playing Game 0 (or Game 1), there exists a $(d,t+2d)$-adversary $B$ playing the $\mu$-TPRP security game such that

$$\Pr[A\text{ wins Game 0}]\le\Pr[A\text{ wins Game 1}]+\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(B).$$

Proof

We construct the $(d,t+2d)$-adversary $B$ playing against a $\mu$-TPRP challenger $C$ as follows:

  1. Whenever $A$ makes a Phase 1 primitive query, $B$ makes the same primitive query to the $\mu$-TPRP challenger $C$ and forwards the response to $A$.

  2. $B$ chooses $K\in\{0,1\}^n$ uniformly at random.

  3. Whenever $A$ makes a Phase 1 encryption query, $B$ makes the same encryption query to the $\mu$-TPRP challenger $C$ and forwards the response to $A$.

  4. On receiving the commitments from $A$, $B$ does nothing.

  5. Whenever $A$ makes a prediction query of the form $((N_i,j_i),X_i)$ for some $i$ in the Phase 2 index set, $B$ makes a primitive query to $C$ to receive $K_{N_i}=E(K,N_i)$. It then computes $K_i=\rho^{j_i}(K_{N_i})$ and makes a second primitive query to obtain $Y_i=E(K_i,X_i)$, which it returns as the response.

  6. Whenever $A$ wins (resp. loses), $B$ sends 1 (resp. 0) to $C$.

From the construction, it is clear that whenever $C$ is the real (resp. ideal) oracle, $B$ perfectly simulates a Game 0 (resp. Game 1) challenger to the adversary $A$. Hence,

$$\Pr[A\text{ wins Game 0}]=\Pr[B\Rightarrow 1\mid C\text{ real}],\qquad\Pr[A\text{ wins Game 1}]=\Pr[B\Rightarrow 1\mid C\text{ ideal}].$$

Hence,

$$\Pr[A\text{ wins Game 0}]-\Pr[A\text{ wins Game 1}]=\Pr[B\Rightarrow 1\mid C\text{ real}]-\Pr[B\Rightarrow 1\mid C\text{ ideal}]=\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(B).$$

Proposition 5.7

$$\mathrm{Adv}^{\text{Game 1}}_{\tilde E}(d,t)\le\frac{\lambda t}{2^{3n/2}}+\frac{\lambda}{2^{n/2-1}}.$$

Proof

Consider the following event due to Phase 2.

BAD5: For some $i\in[1,\lambda]$ and $i'\in P$, we have a commitment $((N_i,j_i),x_i,y_i)$ such that $(K_i,x_i)=(K_{i'},\lceil X_{i'}\rceil_{n/2})$, where $K_i\triangleq\rho^{j_i}(E_K(N_i))$.

Claim 5.8

$$\Pr[\mathrm{BAD5}]\le\frac{\lambda t}{2^{3n/2}}.$$

Proof

Fix $i\in[1,\lambda]$ and $i'\in P$. Since $K_{N_i}$ is distributed uniformly at random, and there is no primitive query after the commitment, the probability that $(K_i,x_i)=(K_{i'},\lceil X_{i'}\rceil_{n/2})$ is at most $1/2^{3n/2}$. Varying over all $i,i'$, we have the claim.□

Claim 5.9

$$\Pr[A\text{ wins Game 1}\wedge\overline{\mathrm{BAD5}}]\le\frac{\lambda}{2^{n/2-1}}.$$

Proof

Suppose $((N_i,j_i),X_i)$ is a valid prediction for some $i$ in the Phase 2 index set. Let $(tw_j,x_j,y_j)$ be the commitment corresponding to this prediction. Since BAD5 doesn't occur, there is no primitive query of the form $(K_i,X_i)$ in Phase 1. Now suppose there are $\kappa_i$ primitive queries in Phase 1 of the form $(K_i,\cdot)$. Then, the probability that $\lceil Y_i\rceil_{n/2}=y_i$ is bounded by $2^{n/2}/(2^n-\kappa_i)$. Since $\kappa_i\le t$, assuming $t\le 2^{n-1}$ and varying over all $i$, we have the claim.□

Proposition 5.7 follows from Claims 5.8 and 5.9.

Theorem 5.10

$$\mathrm{Adv}^{(\mu,\lambda)\text{-mcp}}_{\tilde E}(d,t)\le d\nu_\rho+\frac{t+3d}{2^n}+\frac{d^2}{2^{n+1}}+\frac{2\mu(t+2d)}{2^n}+\frac{d^{\mu+1}}{(2^n)^{\mu}}+\frac{\lambda t}{2^{3n/2}}+\frac{\lambda}{2^{n/2-1}}.$$

Proof

From Proposition 5.6, for any $(d,t)$-adversary $A$ there is a $(d,t+2d)$-adversary $B$ such that

$$\mathrm{Adv}^{\text{Game 0}}(A)\le\mathrm{Adv}^{\text{Game 1}}(A)+\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(B).$$

Taking the maximum over all such $(d,t)$-adversaries $A$, we have

$$\mathrm{Adv}^{\text{Game 0}}(d,t)\le\mathrm{Adv}^{\text{Game 1}}(d,t)+\mathrm{Adv}^{\mu\text{-tprp}}_{\tilde E}(d,t+2d).$$

Now plugging in the appropriate values from Proposition 5.7 and Theorem 4.1, we have Theorem 4.3.□

6 mF under the new TBC construction

In this section, we consider the mF construction under the new TBC construction defined in Section 5.

Theorem 6.1

$$\mathrm{Adv}^{\mathrm{priv}}_{\mathsf{mF},\tilde E}(\sigma,t)\le\sigma\nu_\rho+\frac{t+\sigma}{2^n}+\frac{\sigma^2}{2^{n+1}}+\frac{2\mu t}{2^n}+\frac{\sigma^{\mu+1}}{(2^n)^{\mu}}+\sigma\Bigl(1+\frac{(\mu+1)^2}{2^n}\Bigr)\Bigl(\frac{\sigma}{2^{n/2}}\Bigr)^{\mu}.$$

Theorem 6.2

$$\mathrm{Adv}^{\mathrm{forge}}_{\mathsf{mF},\tilde E}(\sigma,t)\le 3\sigma\nu_\rho+\frac{3(1+2\mu)t}{2^n}+\frac{3\sigma^2}{2^{n+1}}+\frac{(5+4\mu)\sigma}{2^n}+\frac{3\sigma^{\mu+1}}{(2^n)^{\mu}}+\frac{\sigma t}{2^{3n/2}}+\frac{\sigma}{2^{n/2-2}}+\sigma\Bigl(1+\frac{(\mu+1)^2}{2^n}\Bigr)\Bigl(\frac{\sigma}{2^{n/2}}\Bigr)^{\mu},$$

where $n$ is the state size and the key size, and $\mu$ is the number of multicollisions allowed in the input of the TBC. For all calculation purposes, take $\mu=4$.

Proof

Theorems 6.1 and 6.2 can be derived from Theorems 4.1 and 4.3, respectively, by appropriately plugging in the security bounds for E ˜ derived in Section 5.□

6.1 mixFeed as an mF construction

The mixFeed [6] mode of AEAD uses a variant of the AES [2] block cipher which, unlike the original scheme, calls the AES MixColumn operation in the last round and also outputs the 11th round key of the AES key schedule. It then uses the new key to process the next data block. Since the key outputs depend only on the previous key input and are independent of the data inputs, this operation can be run in parallel, and mixFeed can be viewed as an mF construction with $n=128$ and the 11th round-key function of the AES key scheduling algorithm as the KUF.

Khairallah [13] observed that mixFeed is prone to practical forgery due to the existence of small periodic cycles in the AES key schedule algorithm. Later, Leurent and Pernot [14] confirmed Khairallah's observations by giving a practical attack on mixFeed with a success probability of 0.44 (with data complexity 220GB). In our notation, if $l=14018661024$, then $\Pr[r_K\le l,\ K\leftarrow_\$\{0,1\}^{128}]\ge 0.44$. Plugging this value into Definition 5.1, we get $\sigma\nu_\rho\ge 2^{46}\times 0.44/14018661024>1$ in Theorems 6.1 and 6.2.

7 Overcoming the weakness of mixFeed

In this section, we show that the weakness in mixFeed [6] is only a weakness of the AES [2] key schedule and not of the AEAD mode in general. More specifically, we describe a specific mF construction and show that it is secure within the NIST-prescribed bounds.

For any primitive polynomial $\alpha$ of degree $n$, we define $\rho(x)=\alpha\cdot x$ for all $x\in\{0,1\}^n$. Consider the TBC construction of Section 6 with $\rho$ as its KUF.

Next, we consider the mF mode of AEAD with this TBC and call it $\mathsf{mF}_{\mathrm{prim}}$. As noted earlier, $\nu_\rho=0$. Hence, from Theorems 6.1 and 6.2, we can conclude that the following hold for any adversary running in time $t$ and making at most $q$ encryption and decryption (in case of forgery) queries with a total of at most $\sigma$ blocks.

Theorem 7.1

$$\mathrm{Adv}^{\mathrm{priv}}_{\mathsf{mF}_{\mathrm{prim}}}(\sigma,t)\le\frac{t+\sigma}{2^n}+\frac{\sigma^2}{2^{n+1}}+\frac{2\mu t}{2^n}+\frac{\sigma^{\mu+1}}{(2^n)^{\mu}}+\sigma\Bigl(1+\frac{(\mu+1)^2}{2^n}\Bigr)\Bigl(\frac{\sigma}{2^{n/2}}\Bigr)^{\mu}.$$

Theorem 7.2

$$\mathrm{Adv}^{\mathrm{forge}}_{\mathsf{mF}_{\mathrm{prim}},\tilde E}(\sigma,t)\le\frac{3(1+2\mu)t}{2^n}+\frac{3\sigma^2}{2^{n+1}}+\frac{(5+4\mu)\sigma}{2^n}+\frac{3\sigma^{\mu+1}}{(2^n)^{\mu}}+\frac{\sigma t}{2^{3n/2}}+\frac{\sigma}{2^{n/2-2}}+\sigma\Bigl(1+\frac{(\mu+1)^2}{2^n}\Bigr)\Bigl(\frac{\sigma}{2^{n/2}}\Bigr)^{\mu},$$

where $n$ is the state size and $\mu$ is the number of multicollisions allowed in the input of the TBC. For all calculations, take $\mu=4$.

7.1 Interpretation of the above bounds

According to the NIST requirement, $\sigma\le 2^{46}$ and $t\le 2^{112}$. Following the recommendation in ref. [6], we take $n=\kappa=128$. Then, taking $\mu=4$, we have $\sigma\bigl(1+\frac{(\mu+1)^2}{2^n}\bigr)\bigl(\frac{\sigma}{2^{n/2}}\bigr)^{\mu}<2^{-25}$, and hence the dominating term is $\frac{2\mu t}{2^n}$ in Theorem 7.1 and $\frac{5\mu t}{2^n}+\frac{3\sigma}{2^{n/2}}$ in Theorem 7.2, both of which are less than $2^{-10}$. Hence, we conclude that the $\mathsf{mF}_{\mathrm{prim}}$ mode is secure within the complexity bounds specified by NIST.

Remark 7.3

If the linearity of multiplication by a primitive polynomial $\alpha$ becomes problematic under some block cipher designs, one could define $\rho(K) = P^{-1}(\alpha \cdot P(K))$ for some nonlinear permutation $P$. This preserves the cycle structure of multiplication by $\alpha$ but can be arbitrarily nonlinear depending on $P$.
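The periodicity argument of this section and of Remark 7.3 can be checked exhaustively on a toy field; the example below is added here and is not the paper's code. It assumes $n = 8$ with the AES polynomial $x^8+x^4+x^3+x+1$ as modulus, under which $\alpha = \mathtt{0x02}$ has multiplicative order 51 (short cycles, the mixFeed-style failure) while $\alpha = \mathtt{0x03}$ is primitive, so every nonzero key lies on one cycle of length $2^n - 1$; conjugation by an arbitrary permutation $P$ leaves the cycle lengths unchanged.

```python
# Added example, not from the paper: cycle structure of the Section 7 KUF
# rho(x) = alpha * x in GF(2^n) on a toy n = 8 (exhaustive check).  Assumed
# field: the AES polynomial 0x11B, where 0x02 has order 51 and 0x03 is primitive.
from collections import Counter

N = 8
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible but not primitive

def gf_mul(a: int, b: int, mod: int = MOD, n: int = N) -> int:
    """Carry-less multiplication a * b reduced modulo mod in GF(2^n)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:  # reduce as soon as the degree reaches n
            a ^= mod
    return r

def kuf(alpha: int):
    """The KUF of Section 7: rho(K) = alpha * K."""
    return lambda k: gf_mul(alpha, k)

def cycle_lengths(rho, n: int = N) -> dict:
    """Cycle length -> number of keys on cycles of that length (all 2^n keys)."""
    seen, lengths = set(), Counter()
    for k in range(1 << n):
        size, x = 0, k
        while x not in seen:  # rho is a bijection, so this walk is k's cycle
            seen.add(x)
            size, x = size + 1, rho(x)
        if size:
            lengths[size] += size
    return dict(lengths)

def period_fraction(rho, l: int, n: int = N) -> float:
    """Pr[rho^l(K) = K] over nonzero K (0.44 for the AES schedule at l = 14018661024)."""
    hits = 0
    for k in range(1, 1 << n):
        x = k
        for _ in range(l):
            x = rho(x)
        hits += x == k
    return hits / ((1 << n) - 1)

def conjugate(rho, perm: list):
    """Remark 7.3: K -> P^-1(alpha * P(K)) keeps the cycle structure of rho."""
    inv = {p: i for i, p in enumerate(perm)}
    return lambda k: inv[rho(perm[k])]
```

With `alpha = 0x02` the key space splits into five cycles of length 51 plus the fixed point 0, so `period_fraction(kuf(0x02), 51)` is 1; with the primitive `0x03` it is 0 for every `l < 255`.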

8 mF mode as a lightweight AEAD

In this section, we give a theoretical comparison between the $\mathsf{mF}_{\mathrm{prim}}$ mode and some other TBC-based designs in the NIST LWC [4] competition. Ignoring the different types of overheads required in practical implementations, we define the state size as the number of bits required to hold the key, auxiliary keys such as a masking key (if any), the block cipher state, and the round key. Note that the $\mathsf{mF}_{\mathrm{prim}}$ mode of AEAD as in Section 7 can be implemented as a block cipher-based construction. Unlike Figure 7, where each TBC call can be seen to use two block cipher calls, we can process the nonce $N$ with key $K$ only once to get $K_N$, and then store $K_N$ as the initial key. The rekeying can be done in parallel, by applying the KUF ($\rho$) to the previous key while processing each data block. In this way, we can process the whole encryption or decryption query with only one extra block cipher call. Further, the number of bits processed per primitive block cipher call is asymptotically $n$.

Figure 7

A TBC in $\mathsf{mF}$ with linear KUF. Here, $\alpha$ is any primitive polynomial of degree $n$.

We have tabulated theoretical comparisons of different TBC-based AEAD schemes in Table 1. A more practical, implementation-based comparison is beyond the scope of this article and can be left as a future research problem.

Table 1

A theoretical comparison of different TBC-based lightweight AEAD schemes. Here the TBC of $\mathsf{mF}_{\mathrm{prim}}$ is considered with AES-128/128 as the underlying block cipher.

| Mode | State size (includes key size) | Block size | Tweak size | # Pass | Bits processed per primitive call | Inverse free |
|---|---|---|---|---|---|---|
| Romulus-N1 [8] | 512 | 128 | 384 | 1 | 128 | Yes |
| Romulus-M1 [8] | 512 | 128 | 384 | 2 | 64 | Yes |
| SKINNY-AEAD (M1) [16] | 640 | 128 | 384 | 1 | 128 | No |
| QAMELEON [17] | 640 | 128 | 384 | 1 | 128 | No |
| LILLIPUT-I-128 [18] | 576 | 128 | 320 | 1 | 128 | No |
| $\mathsf{mF}_{\mathrm{prim}}$ | 384 | 128 | NA | 1 | 128 | Yes |

9 Conclusion

In this article, we have considered a TBC-based AEAD scheme $\mathsf{mF}$, which can be viewed as an abstraction of the mixFeed mode. We have proven that the security of the $\mathsf{mF}$ mode reduces to the security of its underlying TBC. We constructed a new block cipher-based TBC and bounded the advantage of any adversary against the $\mathsf{mF}$ mode using this TBC. We have interpreted the results of ref. [14] in our notation and confirmed the observation made in ref. [13] that, in the case of mixFeed, the security of the underlying TBC depends on the periodicity of the AES key scheduling algorithm. Finally, to show that this weakness is restricted to the use of the AES key scheduling algorithm and does not affect the $\mathsf{mF}$ mode in general, we have constructed an explicit TBC and shown that the $\mathsf{mF}_{\mathrm{prim}}$ mode using this TBC achieves the desired security within the NIST parameters.

Conflict of interest: Authors state no conflict of interest.

References

[1] N. Mouha. The design space of lightweight cryptography. In: NIST Lightweight Cryptography Workshop 2015; 2015.

[2] NIST. Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication FIPS 197. National Institute of Standards and Technology, U.S. Department of Commerce; 2001.

[3] M. J. Dworkin. SHA-3 standard: Permutation-based hash and extendable-output functions. 2015. doi:10.6028/NIST.FIPS.202

[4] NIST. Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process. 2018. https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/final-lwc-submission-requirements-august2018.pdf

[5] M. Liskov, R. L. Rivest, D. Wagner. Tweakable block ciphers. In: Annual International Cryptology Conference. Springer; 2002. p. 31–46. doi:10.1007/3-540-45708-9_3

[6] B. Chakraborty, M. Nandi. mixFeed. Submission to NIST LwC Standardization Process (Round 2). 2019. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/mixFeed-spec-round2.pdf

[7] T. Iwata, M. Khairallah, K. Minematsu, T. Peyrin. REMUS. Submission to NIST LwC Standardization Process (Round 1). 2019. https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/Remus-spec.pdf

[8] T. Iwata, M. Khairallah, K. Minematsu, T. Peyrin. Romulus. Submission to NIST LwC Standardization Process (Round 2). 2019. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/Romulus-spec-round2.pdf

[9] T. Iwata, M. Khairallah, K. Minematsu, T. Peyrin, Y. Sasaki, S. M. Sim, L. Sun. Thank Goodness It's Friday (TGIF). Submission to NIST LwC Standardization Process (Round 1). 2019. https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/TGIF-spec.pdf

[10] S. Gueron, A. Jha, M. Nandi. COMET. Submission to NIST LwC Standardization Process (Round 1). 2019. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/comet-spec-round2.pdf

[11] P. Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2004. p. 16–31. doi:10.1007/978-3-540-30539-2_2

[12] N. Datta, A. Jha, A. Mège, M. Nandi. Breaking REMUS and TGIF in the light of NIST Lightweight Cryptography Standardization Project. 2019. https://csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/documents/papers/breaking-remus-and-tgif-lwc2019.pdf

[13] M. Khairallah. Weak Keys in the Rekeying Paradigm: Application to COMET and mixFeed. Cryptology ePrint Archive, Report 2019/888. 2019. https://eprint.iacr.org/2019/888

[14] G. Leurent, C. Pernot. New Representations of the AES Key Schedule. Cryptology ePrint Archive, Report 2020/1253. 2020. https://eprint.iacr.org/2020/1253

[15] P. Rogaway. Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security; 2002. p. 98–107. doi:10.1145/586110.586125

[16] C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, et al. SKINNY-AEAD and SKINNY-HASH. Submission to NIST LwC Standardization Process (Round 2). 2019. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/SKINNY-spec-round2.pdf

[17] R. Avanzi, S. Banik, A. Bogdanov, O. Dunkelman, S. Huang, F. Regazzoni. Qameleon v. 1.0. Submission to NIST LwC Standardization Process (Round 1). 2019. https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/qameleon-spec.pdf

[18] A. Adomnicai, T. P. Berger, C. Clavier, J. Francq, P. Huynh, V. Lallemand, et al. Lilliput-AE: a new lightweight tweakable block cipher for authenticated encryption with associated data. Submitted to NIST Lightweight Project. 2019.

Received: 2020-03-28
Revised: 2021-10-04
Accepted: 2021-12-22
Published Online: 2022-01-28

© 2022 Bishwajit Chakraborty and Mridul Nandi, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Source: https://www.degruyterbrill.com/document/doi/10.1515/jmc-2020-0054/html