Please use this identifier to cite or link to this item: https://hdl.handle.net/10356/146455
Title: Towards closing the security gap of Tweak-aNd-Tweak (TNT)
Authors: Guo, Chun
Guo, Jian
List, Eik
Song, Ling
Keywords: Science
Issue Date: 2020
Source: Guo, C., Guo, J., List, E., & Song, L. (2020). Towards closing the security gap of Tweak-aNd-Tweak (TNT). ASIACRYPT 2020, 12491 LNCS, 567-597. doi:10.1007/978-3-030-64837-4_19
Abstract: Tweakable block ciphers (TBCs) have been established as a valuable replacement for many applications of classical block ciphers. While several dedicated TBCs have been proposed in the previous years, generic constructions that build a TBC from a classical block cipher are still highly useful, for example, to reuse an existing implementation. However, most generic constructions need an additional call to either the block cipher or a universal hash function to process the tweak, which limited their efficiency. To address this deficit, Bao et al. proposed Tweak-aNd-Tweak (TNT) at EUROCRYPT’20. Their construction chains three calls to independent keyed permutations and adds the unmodified tweak to the state in between the calls. They further suggested an efficient instantiation TNT-AES that was based on round-reduced AES for each of the permutations. Their work could prove 2n/3-bit security for their construction, where n is the block size in bits. Though, in the absence of an upper bound, their analysis had to consider all possible attack vectors with up to 2n time, data, and memory. Still, closing the gap between both bounds remained a highly interesting research question. In this work, we show that a variant of Mennink’s distinguisher on CLRW2 with O(n23n/4) data and O(23n/2) time from TCC’18 also applies to TNT. We reduce its time complexity to O(n23n/4), show the existence of a second similar distinguisher, and demonstrate how to transform the distinguisher to a key-recovery attack on from an impossible differential. From a constructive point of view, we adapt the rigorous STPRP analysis of CLRW2 by Jha and Nandi to show O(23n/4) TPRP security for TNT. Thus, we move towards closing the gap between the previous proof and attacks for TNT as well as its proposed instance.
URI: https://hdl.handle.net/10356/146455
ISBN: 9783030648367
DOI: 10.1007/978-3-030-64837-4_19
Rights: © 2020 International Association for Cryptologic Research (IACR) (published by Springer). All rights reserved. This paper was published in ASIACRYPT 2020 and is made available with permission of International Association for Cryptologic Research (IACR) (published by Springer).
Fulltext Permission: open
Fulltext Availability: With Fulltext
Appears in Collections:SPMS Conference Papers

Files in This Item:
File Description SizeFormat 
main.pdf461.72 kBAdobe PDFView/Open

Page view(s)

289
Updated on Jan 30, 2023

Download(s) 50

66
Updated on Jan 30, 2023

Google ScholarTM

Check

Altmetric


Plumx

Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.