Turning Online Ciphers Off

Research output: Contribution to journal › Article

Standard

Turning Online Ciphers Off. / Andreeva, Elena; Barwell, Guy; Bhaumik, Ritam; Nandi, Mridul; Page, Daniel; Stam, Martijn.

In: Transactions on Symmetric Cryptology, Vol. 2017, No. 2, 19.06.2017, p. 105-142.

Harvard

Andreeva, E, Barwell, G, Bhaumik, R, Nandi, M, Page, D & Stam, M 2017, 'Turning Online Ciphers Off', Transactions on Symmetric Cryptology, vol. 2017, no. 2, pp. 105-142. https://doi.org/10.13154/tosc.v2017.i2.105-142

APA

Andreeva, E., Barwell, G., Bhaumik, R., Nandi, M., Page, D., & Stam, M. (2017). Turning Online Ciphers Off. Transactions on Symmetric Cryptology, 2017(2), 105-142. https://doi.org/10.13154/tosc.v2017.i2.105-142

Vancouver

Andreeva E, Barwell G, Bhaumik R, Nandi M, Page D, Stam M. Turning Online Ciphers Off. Transactions on Symmetric Cryptology. 2017 Jun 19;2017(2):105-142. https://doi.org/10.13154/tosc.v2017.i2.105-142

Author

Andreeva, Elena ; Barwell, Guy ; Bhaumik, Ritam ; Nandi, Mridul ; Page, Daniel ; Stam, Martijn. / Turning Online Ciphers Off. In: Transactions on Symmetric Cryptology. 2017 ; Vol. 2017, No. 2. pp. 105-142.

Bibtex

@article{e6c8f46569b54d83b6fc751e8a6917d8,
title = "Turning Online Ciphers Off",
abstract = "CAESAR has caused a heated discussion regarding the merits of one-pass encryption and online ciphers. The latter is a keyed, length preserving function which outputs ciphertext blocks as soon as the respective plaintext block is available as input. The immediacy of an online cipher affords a clear performance advantage, but it comes at a price: ciphertext blocks cannot depend on later plaintext blocks, limiting diffusion and hence security. We show how one can attain the best of both worlds by providing provably secure constructions, achieving full cipher security, based on applications of an online cipher around blockwise reordering layers. Explicitly, we show that with just two calls to the online cipher, prp security up to the birthday bound is both attainable and maximal. Moreover, we demonstrate that three calls to the online cipher suffice to obtain beyond birthday bound security. We provide a full proof of this for a prp construction, and, in the ±prp setting, security against adversaries who make queries of any single length. As part of our investigation, we extend an observation by Rogaway and Zhang by further highlighting the close relationship between online ciphers and tweakable blockciphers with variable-length tweaks.",
keywords = "beyond birthday bound, online ciphers, modes of operation, provable security, pseudorandom permutation, tweakable blockcipher",
author = "Elena Andreeva and Guy Barwell and Ritam Bhaumik and Mridul Nandi and Daniel Page and Martijn Stam",
year = "2017",
month = "6",
day = "19",
doi = "10.13154/tosc.v2017.i2.105-142",
language = "English",
volume = "2017",
pages = "105--142",
journal = "Transactions on Symmetric Cryptology",
issn = "2519-173X",
number = "2",
}

RIS - suitable for import to EndNote

TY - JOUR

T1 - Turning Online Ciphers Off

AU - Andreeva, Elena

AU - Barwell, Guy

AU - Bhaumik, Ritam

AU - Nandi, Mridul

AU - Page, Daniel

AU - Stam, Martijn

PY - 2017/6/19

Y1 - 2017/6/19

N2 - CAESAR has caused a heated discussion regarding the merits of one-pass encryption and online ciphers. The latter is a keyed, length preserving function which outputs ciphertext blocks as soon as the respective plaintext block is available as input. The immediacy of an online cipher affords a clear performance advantage, but it comes at a price: ciphertext blocks cannot depend on later plaintext blocks, limiting diffusion and hence security. We show how one can attain the best of both worlds by providing provably secure constructions, achieving full cipher security, based on applications of an online cipher around blockwise reordering layers. Explicitly, we show that with just two calls to the online cipher, prp security up to the birthday bound is both attainable and maximal. Moreover, we demonstrate that three calls to the online cipher suffice to obtain beyond birthday bound security. We provide a full proof of this for a prp construction, and, in the ±prp setting, security against adversaries who make queries of any single length. As part of our investigation, we extend an observation by Rogaway and Zhang by further highlighting the close relationship between online ciphers and tweakable blockciphers with variable-length tweaks.

AB - CAESAR has caused a heated discussion regarding the merits of one-pass encryption and online ciphers. The latter is a keyed, length preserving function which outputs ciphertext blocks as soon as the respective plaintext block is available as input. The immediacy of an online cipher affords a clear performance advantage, but it comes at a price: ciphertext blocks cannot depend on later plaintext blocks, limiting diffusion and hence security. We show how one can attain the best of both worlds by providing provably secure constructions, achieving full cipher security, based on applications of an online cipher around blockwise reordering layers. Explicitly, we show that with just two calls to the online cipher, prp security up to the birthday bound is both attainable and maximal. Moreover, we demonstrate that three calls to the online cipher suffice to obtain beyond birthday bound security. We provide a full proof of this for a prp construction, and, in the ±prp setting, security against adversaries who make queries of any single length. As part of our investigation, we extend an observation by Rogaway and Zhang by further highlighting the close relationship between online ciphers and tweakable blockciphers with variable-length tweaks.

KW - beyond birthday bound

KW - online ciphers

KW - modes of operation

KW - provable security

KW - pseudorandom permutation

KW - tweakable blockcipher

UR - https://eprint.iacr.org/2015/485

U2 - 10.13154/tosc.v2017.i2.105-142

DO - 10.13154/tosc.v2017.i2.105-142

M3 - Article

VL - 2017

SP - 105

EP - 142

JO - Transactions on Symmetric Cryptology

JF - Transactions on Symmetric Cryptology

SN - 2519-173X

IS - 2

ER -
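The abstract's two technical points, that an online cipher can only make ciphertext block i depend on plaintext blocks 0..i (so a change to a late block leaves every earlier ciphertext block untouched), and that wrapping a blockwise reordering layer between two calls to the online cipher restores full diffusion, illustrated below as an added example. This is not code from the paper or its authors, and it is not the paper's exact construction or a proof-backed instantiation. Assumptions: the online cipher is CBC with a fixed all-zero IV over a toy 4-round Feistel block cipher whose round function is HMAC-SHA256 (CBC is online and length-preserving, but it is not a secure online cipher and the toy block cipher is not for real use); the reordering layer is taken to be block-order reversal; keys and the message are constructed. The code demonstrates only the dependency structure, not the birthday or beyond-birthday bounds, which require a secure online cipher and the paper's analysis.

```python
import hashlib
import hmac

BLOCK = 16          # block size in bytes
HALF = BLOCK // 2
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 as a keyed PRF, truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation on one 16-byte block (assumed; not for real use).
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Undo the rounds in reverse order.
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def _blocks(data: bytes) -> list:
    if not data or len(data) % BLOCK:
        raise ValueError("input must be a non-empty whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def online_encrypt(key: bytes, msg: bytes) -> bytes:
    # Online cipher (assumed): CBC with a fixed all-zero IV. Ciphertext block i is
    # a function of plaintext blocks 0..i only, so it can be emitted immediately.
    prev = bytes(BLOCK)
    out = []
    for m in _blocks(msg):
        prev = block_encrypt(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)

def online_decrypt(key: bytes, ct: bytes) -> bytes:
    prev = bytes(BLOCK)
    out = []
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def reorder(data: bytes) -> bytes:
    # Blockwise reordering layer, assumed here to be block-order reversal (an involution).
    return b"".join(reversed(_blocks(data)))

def two_call_encrypt(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    # Online cipher, reorder, online cipher. After reversal the second pass sees the
    # block that already depends on the whole message first, so every output block
    # ends up depending on every input block.
    return online_encrypt(k2, reorder(online_encrypt(k1, msg)))

def two_call_decrypt(k1: bytes, k2: bytes, ct: bytes) -> bytes:
    return online_decrypt(k1, reorder(online_decrypt(k2, ct)))

def changed_blocks(ct_a: bytes, ct_b: bytes) -> list:
    # Indices of ciphertext blocks that differ between two equal-length ciphertexts.
    return [i for i, (a, b) in enumerate(zip(_blocks(ct_a), _blocks(ct_b))) if a != b]

def diffusion_demo():
    # Constructed keys and message; flip one bit in the LAST plaintext block.
    k1, k2 = b"k1" * 8, b"k2" * 8
    msg = bytes(range(4 * BLOCK))
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    online_changed = changed_blocks(online_encrypt(k1, msg), online_encrypt(k1, tampered))
    full_changed = changed_blocks(two_call_encrypt(k1, k2, msg), two_call_encrypt(k1, k2, tampered))
    return online_changed, full_changed

if __name__ == "__main__":
    online_changed, full_changed = diffusion_demo()
    print("online cipher, last block flipped -> changed ciphertext blocks:", online_changed)
    print("two-call construction, same flip   -> changed ciphertext blocks:", full_changed)
```

With a single online pass, flipping a bit in the last plaintext block changes only the last ciphertext block; the first three are emitted before that block is even read. In the two-call construction the same flip alters every ciphertext block, because the block that absorbed the change is moved to the front before the second pass. This is the diffusion the abstract refers to; whether the result is a secure (±)prp is a separate question that this toy instantiation does not answer.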