Paper 2017/812
Optimal PRFs from Blockcipher Designs
Bart Mennink and Samuel Neves
Abstract
Cryptographic modes built on top of a blockcipher usually rely on the assumption that this primitive behaves like a pseudorandom permutation (PRP). For many of these modes, including counter mode and GCM, stronger security guarantees could be derived if they were based on a PRF design. We propose a heuristic method of transforming a dedicated blockcipher design into a dedicated PRF design. Intuitively, the method consists of evaluating the blockcipher once, with one or more intermediate state values fed-forward. It shows strong resemblance with the optimally secure EDMD construction by Mennink and Neves (CRYPTO 2017), but the use of internal state values make their security analysis formally inapplicable. In support of its security, we give the rationale of relying on the EDMD function (as opposed to alternatives), and present analysis of simplified versions of our conversion method applied to the AES. We conjecture that our main proposal AES-PRF, AES with a feed-forward of the middle state, achieves close to optimal security. We apply the design to GCM and GCM-SIV, and demonstrate how it entails significant security improvements. We furthermore demonstrate how the technique extends to tweakable blockciphers and allows for security improvements in, for instance, PMAC1.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Published by the IACR in FSE 2018
- Keywords
- PRPPRFEDMDAES-PRFGCMGCM-SIVPMAC1
- Contact author(s)
- b mennink @ cs ru nl
- History
- 2017-08-30: revised
- 2017-08-29: received
- See all versions
- Short URL
- https://ia.cr/2017/812
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2017/812, author = {Bart Mennink and Samuel Neves}, title = {Optimal {PRFs} from Blockcipher Designs}, howpublished = {Cryptology {ePrint} Archive, Paper 2017/812}, year = {2017}, url = {https://eprint.iacr.org/2017/812} }