Paper 2023/1272
Tight Security of TNT and Beyond: Attacks, Proofs and Possibilities for the Cascaded LRW Paradigm
Abstract
Liskov, Rivest and Wagner laid the theoretical foundations for tweakable block ciphers (TBC). In a seminal paper, they proposed two (up to) birthday-bound secure design strategies --- LRW1 and LRW2 --- to convert any block cipher into a TBC. Several of the follow-up works consider cascading of LRW-type TBCs to construct beyond-the-birthday bound (BBB) secure TBCs. Landecker et al. demonstrated that just two-round cascading of LRW2 can already give a BBB security. Bao et al. undertook a similar exercise in context of LRW1 with TNT --- a three-round cascading of LRW1 --- that has been shown to achieve BBB security as well. In this paper, we present a CCA distinguisher on TNT that achieves a non-negligible advantage with $ O(2^{n/2}) $ queries, directly contradicting the security claims made by the designers. We provide a rigorous and complete advantage calculation coupled with experimental verification that further support our claim. Next, we provide new and simple proofs of birthday-bound CCA security for both TNT and its single-key variant, which confirm the tightness of our attack. Furthering on to a more positive note, we show that adding just one more block cipher call, referred as 4-LRW1, does not just re-establish the BBB security, but also amplifies it up to $ 2^{3n/4} $ queries. As a side-effect of this endeavour, we propose a new abstraction of the cascaded LRW-design philosophy, referred to as the LRW+ paradigm, comprising two block cipher calls sandwiched between a pair of tweakable universal hashes. This helps us to provide a modular proof covering all cascaded LRW constructions with at least $ 2 $ rounds, including 4-LRW1, and its more established relative, the well-known CLRW2, or more aptly, 2-LRW2.
Note: An abridged version of this article appears in IACR-EUROCRYPT 2024. This article is an amalgamation and extension of prior work of the same authors. Concretely, it combines and significantly extends the contents of IACR ePrint articles 2023/1212 (by Khairallah), and 2023/1233 (by Jha, Nandi, and Saha) that appeared in August 2023 on closely related topics into a single edited document. This article should be seen as a successor of both these IACR ePrint articles.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- A major revision of an IACR publication in EUROCRYPT 2024
- Keywords
- TNTLRW1LRW2CLRW2birthday-bound attack
- Contact author(s)
-
letterstoashwin @ gmail com
khairallah @ ieee org
mridul nandi @ gmail com
sahaa 1993 @ gmail com - History
- 2024-04-25: last of 5 revisions
- 2023-08-24: received
- See all versions
- Short URL
- https://ia.cr/2023/1272
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1272, author = {Ashwin Jha and Mustafa Khairallah and Mridul Nandi and Abishanka Saha}, title = {Tight Security of {TNT} and Beyond: Attacks, Proofs and Possibilities for the Cascaded {LRW} Paradigm}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/1272}, year = {2023}, url = {https://eprint.iacr.org/2023/1272} }