<p>In EUROCRYPT’20, Bao et al. have proved that three rounds of cascaded <Emphasis FontCategory="SansSerif">LRW1</Emphasis> construction provides security up to <InlineEquation ID="IEq4"> <EquationSource Format="TEX">\(2^{2n/3}\)</EquationSource> <EquationSource Format="MATHML"><math> <msup> <mn>2</mn> <mrow> <mn>2</mn> <mi>n</mi> <mo stretchy="false">/</mo> <mn>3</mn> </mrow> </msup> </math></EquationSource> </InlineEquation> queries. However, in a recent work by Khairallah et al., it has been shown that the construction provides only birthday bound security via exhibiting a distinguishing attack on the construction, and thereby invalidating the claim of Bao et al. In an independent and contemporaneous work, Datta et al. have shown that four rounds of cascading of the <InlineEquation ID="IEq5"> <EquationSource Format="TEX">\(\textsf {LRW1}\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <mi mathvariant="sans-serif">LRW</mi> <mn mathvariant="sans-serif">1</mn> </mrow> </math></EquationSource> </InlineEquation> construction, dubbed as <InlineEquation ID="IEq6"> <EquationSource Format="TEX">\(\textsf {CLRW1}^4\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <mi mathvariant="sans-serif">CLRW</mi> <msup> <mn mathvariant="sans-serif">1</mn> <mn>4</mn> </msup> </mrow> </math></EquationSource> </InlineEquation>-based on four independent keyed block ciphers-achieves 3<i>n</i>/4-bit CCA security. In this paper, we have shown that a key reduced variant of the <InlineEquation ID="IEq7"> <EquationSource Format="TEX">\(\textsf {CLRW1}^4\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <mi mathvariant="sans-serif">CLRW</mi> <msup> <mn mathvariant="sans-serif">1</mn> <mn>4</mn> </msup> </mrow> </math></EquationSource> </InlineEquation> construction, dubbed as <InlineEquation ID="IEq8"> <EquationSource Format="TEX">\(\textsf {R}{-}\textsf {CLRW1}^4\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <mi mathvariant="sans-serif">R</mi> <mo>-</mo> <mi mathvariant="sans-serif">CLRW</mi> <msup> <mn mathvariant="sans-serif">1</mn> <mn>4</mn> </msup> </mrow> </math></EquationSource> </InlineEquation> based on two independent keyed block ciphers, achieves 2<i>n</i>/3-bit CCA security. The security proof of our construction relies on a heavy use of the H-Coefficient technique and non-trivial analysis in lower bounding the real interpolation probability for good transcripts.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Two-key variant of the four-round cascading \(\textsf{LRW1}\)

  • Shreya Dey,
  • Avijit Dutta,
  • Kazuhiko Minematsu

摘要

In EUROCRYPT’20, Bao et al. have proved that three rounds of cascaded LRW1 construction provides security up to \(2^{2n/3}\) 2 2 n / 3 queries. However, in a recent work by Khairallah et al., it has been shown that the construction provides only birthday bound security via exhibiting a distinguishing attack on the construction, and thereby invalidating the claim of Bao et al. In an independent and contemporaneous work, Datta et al. have shown that four rounds of cascading of the \(\textsf {LRW1}\) LRW 1 construction, dubbed as \(\textsf {CLRW1}^4\) CLRW 1 4 -based on four independent keyed block ciphers-achieves 3n/4-bit CCA security. In this paper, we have shown that a key reduced variant of the \(\textsf {CLRW1}^4\) CLRW 1 4 construction, dubbed as \(\textsf {R}{-}\textsf {CLRW1}^4\) R - CLRW 1 4 based on two independent keyed block ciphers, achieves 2n/3-bit CCA security. The security proof of our construction relies on a heavy use of the H-Coefficient technique and non-trivial analysis in lower bounding the real interpolation probability for good transcripts.