CC BY

On Improving Performance of One Block Ciphers Mode of Operation Used for Protection of Block-Oriented System Storage Devices

Georgy V. Firsov, Alisa M. Koreneva

Abstract—In the end of 2022 in Russian Federation a block ciphers mode of operation named DEC (Disk Encryption with Counter) for protection of block-oriented storage devices was adopted as recommendations for standardization. Due to its operational properties, it is complicated to use it for system partition encryption. In modern software for disk encryption, XTS mode of operation is widely spread. However, properties of the XTS mode lead to degradation of its cryptographic qualities. Previously the authors introduced XEH (Xor-Encrypt-Hash) mode of operation, that mitigates weaknesses of the XTS mode. This paper describes a block ciphers mode of operation XEHf (XEH fast), aimed to improve performance of the XEH mode. Its security is proven in chosen ciphertext attack setting, and its operational properties are studied.

Keywords—Block ciphers mode of operation, Block-oriented storage devices, Full disk encryption, Cryptographic protection of information, Provable security, Symmetric cryptography.

I. Introduction

Many software solutions for full disk encryption (FDE) are known: VeraCrypt, Apple FileVault, Microsoft BitLocker, etc. These solutions are intended to protect data stored on hard drives from being read by an unauthorized party (hereinafter referred to as the adversary). The adversary may act inside the controlled zone and have direct access to the data storage device. If the data is stored in encrypted form, a passive adversary gains nothing from viewing it.

Most existing FDE solutions utilize specially designed cryptographic algorithms such as block cipher modes of operation. The most widespread mode is called XEX-based Tweaked-codebook mode with ciphertext Stealing (XTS). The XTS mode is described in NIST SP 800-38E "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices". Notwithstanding its widespread use, the XTS mode is considered insecure, since several attacks on this mode are known [1][2]. Some of these attacks are theoretical; they provide an upper bound on the security of the XTS mode [2]. Other attacks are practical, e.g. plaintext-recovery ones, but they require more data to be processed [1].

Manuscript received November 15, 2023.

G. V. Firsov is with National Research Nuclear University MEPhI, Moscow, Russian Federation, Security Code LLC, Moscow, Russian Federation (corresponding author, e-mail: G.Firsov@securitycode.ru).

A. M. Koreneva, PhD, is with Financial University under the Government of the Russian Federation, Moscow, Russian Federation, Security Code LLC, Moscow, Russian Federation (e-mail: A.Koreneva@securitycode.ru).

In the Russian Federation, recommendations for standardization were recently adopted defining a new block cipher mode of operation called Disk Encryption With Counter (DEC) [3]. The DEC mode requires counters associated with each sector and each partition (logical disk) to be stored [4]. This complicates the use of the mode for system partition encryption (the partition intended to store operating system files). Consider a 32 GB disk with 512-byte sectors. At least 256 MB of additional storage is required to hold the counters necessary for encrypting this disk in the DEC mode with the block ciphers standardized in the Russian Federation. At the same time, the standard size of the system EFI (Extensible Firmware Interface) partition (the partition that stores data available at boot time) is 100 MB, and this partition cannot be extended using the standard tools built into a Windows operating system (OS).

In our previous works a modification of the XTS mode called XEH (Xor-Encrypt-Hash) was introduced [5][6]. The aim of the XEH mode is to mitigate its predecessor's weaknesses. The XEH mode is proven to be secure in the chosen ciphertext attack (CCA) setting and has up-to-birthday-bound security. Further, this mode has better performance than the Encrypt-Mix-Encrypt approach, provided that two universal hash function invocations are faster than encrypting each block of a sector with a block cipher [6]. The universal hash functions used in the XEH mode consist of finite field operations with data blocks represented as finite field elements. Even though these operations may be implemented using special processor instructions, the performance of the universal hash functions can be improved.

In this paper, we introduce a modification of the XEH mode called XEHf, which stands for Xor-Encrypt-Hash fast. The XEHf mode aims to improve the performance of its predecessor by using a different universal hash function after encrypting blocks with a block cipher.

The rest of the paper has the following structure. In Section II, we introduce the main notation and terms used in the rest of the paper. Section III contains the definition of the XEHf mode. Section IV discusses the security properties of the proposed mode. In Section V, we compare the XEHf mode with some existing modes. In Section VI, we summarize the results of our study.

II. PRELIMINARIES

Full disk encryption systems encrypt the entire storage device space. Regardless of its physical structure, the device is logically split into one or more partitions. A partition is a "logical disk" that one can observe in the file explorer built into an operating system. Each partition consists of sectors. A sector is the smallest chunk of consecutive data that can be read from or written to the disk. All sectors have the same size (usually 512 or 4096 bytes). Each sector has its own number (we denote it by $SN$) that is unique inside the corresponding partition.

Consider a fixed partition. Since sector numbers are unique inside the partition, they can be used to "randomize" encryption, i.e. to make the same data encrypt into different ciphertexts when it is located in different sectors. This property can be achieved by using tweakable encryption schemes. The notion of a tweakable encryption scheme (with regard to block ciphers) is introduced in [7]. In the current paper, we give an adapted definition. A tweakable encryption scheme $\mathcal{E}$ is a family of functions $E\colon \mathcal{K}\times\mathcal{T}\times\mathcal{M}\to\mathcal{C}$, where $\mathcal{M}$ is a message space, $\mathcal{C}$ is a ciphertext space, $\mathcal{K}$ is a key space and $\mathcal{T}$ is a tweak space. All sets $\mathcal{K}$, $\mathcal{M}$, $\mathcal{C}$ and $\mathcal{T}$ are nonempty. Functions in the family are "indexed" by key. For every $K\in\mathcal{K}$ we write $E_K(\cdot,\cdot)$ for $E(K,\cdot,\cdot)$, where the function $E$ is called the encryption function of the scheme $\mathcal{E}$. The encryption function is bijective in its last variable. The corresponding function $E^{-1}$ is called the decryption function of the scheme. The scheme satisfies the correctness requirement if the following holds:

$$\forall K\in\mathcal{K}\ \forall T\in\mathcal{T}\ \forall m\in\mathcal{M}\colon\ E_K^{-1}\bigl(T, E_K(T, m)\bigr) = m.$$

An untweakable encryption scheme $\mathcal{E}$, or simply an encryption scheme, is a family of functions $E\colon \mathcal{K}\times\mathcal{M}\to\mathcal{C}$ "indexed" by key. The partially applied function $E(K,\cdot)$ is bijective. As before, for every $K\in\mathcal{K}$ we write $E_K(\cdot)$ for $E(K,\cdot)$. The scheme satisfies the correctness requirement if the following equality holds:

$$\forall K\in\mathcal{K}\ \forall m\in\mathcal{M}\colon\ E_K^{-1}\bigl(E_K(m)\bigr) = m.$$

An untweakable encryption scheme can be regarded as a tweakable encryption scheme with $\mathcal{T}=\{\chi\}$, where $\chi$ is some fixed value, e.g. the empty binary string. That is, the notion of a tweakable encryption scheme generalizes the notion of an untweakable encryption scheme.

A block cipher $\mathcal{E}$ is an untweakable encryption scheme with $\mathcal{M}=\mathcal{C}=V_l$, where $V_l$ is the set of binary strings of length $l\in\mathbb{N}$. The number $l$ is called the blocksize.

The number of blocks in a sector is denoted by $n$. In this paper, we assume that the sector length in bits is a multiple of $l$, i.e. the sector length in bits equals $nl$. Further, the following inequality holds: $0 < n < 2^l$.

Let $\mathbb{F}$ be a finite field: $\mathbb{F}=GF(2)[x]/p(x)$, where $p(x)=x^{128}+x^{7}+x^{2}+x+1$ for $l=128$ and $p(x)=x^{64}+x^{4}+x^{3}+x+1$ for $l=64$. We explicitly define the field for $l\in\{64,128\}$, because these are the blocksizes of the block ciphers standardized in [8]. The field can be defined similarly for other values of $l$ by choosing a proper irreducible polynomial $p(x)$. The primitive element $x$ of the field $\mathbb{F}$ is denoted by $\alpha$.

Consider an arbitrary set $X$. The set of all permutations of the set $X$ is denoted by $S(X)$. We write $x\xleftarrow{\$}X$ to denote the process of assigning to the variable $x$ a uniformly distributed random element of the set $X$.

Lemma 1 (Lemma 2 of [6]). Let $X$ be an arbitrary set. Let the values $x_1,\ldots,x_n$ be independent and uniformly distributed on $X$. Then the $n$-tuple $x=(x_1,\ldots,x_n)$ is uniformly distributed on $X^n$.

Lemma 2 (Lemma 1 of [6]). Let $X$ be an arbitrary set. Let $\pi$ be a permutation chosen from $S(X)$ according to some distribution (not necessarily uniform). Let $x$ be an element chosen uniformly from $X$ (this choice is independent of the choice of $\pi$). Then the value $\pi(x)$ is uniformly distributed on $X$.

Lemma 3 (adapted Theorem A.1 of [9]). Let $X$ be a set with $|X|=N$. Choose $q$ elements from $X$ uniformly and independently. Let $A$ be the event that at least two of the chosen elements are equal; then:

In the XEHf mode proposed in this paper, block-wise almost universal hash functions are used. The following definition is adapted from [10] and [11]. Let $\Upsilon\colon \mathcal{K}\times\mathcal{D}\to\mathcal{R}^n$ be a keyed family of functions ("indexed" by key), where $\mathcal{K}$ is a key space, $\mathcal{D}$ and $\mathcal{R}$ are arbitrary sets, and $n$ is a positive integer. $\Upsilon$ is said to be $(\varepsilon_1,\varepsilon_2)$-block-wise almost universal (BAU) if for every $x,x'\in\mathcal{D}$ and for every $i,i'\in\{1,\ldots,n\}$ the following holds:

$$\Pr_K\bigl[y_i = y'_{i'}\bigr] \le \varepsilon_1 \quad \text{if } i\ne i',$$

$$\Pr_K\bigl[y_i = y'_{i'}\bigr] \le \varepsilon_2 \quad \text{otherwise},$$

where $(y_1,\ldots,y_n)=\Upsilon(K,x)$, $(y'_1,\ldots,y'_n)=\Upsilon(K,x')$ and $(x,i)\ne(x',i')$. The subscript $K$ denotes that the probability is taken over the uniform choice of $K\in\mathcal{K}$.

In the present paper we use the RND-fdeCCA-sector notion from [6] to analyze the cryptographic properties of the proposed XEHf mode. This security notion considers an active adversary that may encrypt and decrypt any (allowed) piece of data. In practice, this means that the adversary has direct access to the storage device. Such an adversary may write some data through the FDE subsystem interface (as a legitimate user) and read the encrypted data directly from the disk, and vice versa.

We briefly describe the RND-fdeCCA-sector security notion below. Let $\mathcal{E}$ be a tweakable encryption scheme with $\mathcal{M}=\mathcal{C}=V_{nl}$. In the probabilistic experiment RND-fdeCCA-sector, two parties interact with each other by sending queries and responding to them. An adversary $\mathcal{A}$ sends queries to a challenger. Each query consists of data and the location of the data on the disk (e.g. sector number). The challenger provides two oracles: an encryption oracle and a decryption oracle. The encryption oracle encrypts the data from the query; the decryption oracle, in turn, decrypts the data. The adversary makes $q_e\ge 0$ queries to the encryption oracle and $q_d\ge 0$ queries to the decryption one.

Consider two worlds: real and random. In the real world, the encryption and decryption oracles use the scheme $\mathcal{E}$ to process the adversary's requests. The key for the scheme is chosen once before the first query and remains unchanged during the experiment. The key is unknown to the adversary. In the random world, the encryption and decryption oracles merely return a uniformly random ciphertext and plaintext respectively. The adversary's goal is to distinguish these two worlds by analyzing the responses to its queries. The adversary returns either 0 or 1 (we write $\mathcal{A}\Rightarrow 0$ or $\mathcal{A}\Rightarrow 1$) for the "real" or "random" world respectively.

All plaintexts and ciphertexts have the same length. The adversary never repeats its queries and never makes "pointless" queries. By "pointless" we mean queries for which the adversary already "knows" the answer. That is, the adversary never queries for the decryption of a ciphertext received from the encryption oracle, and never queries for the encryption of a plaintext received from the decryption oracle.

The adversary's advantage is defined as follows:

$$\mathrm{Adv}^{\mathrm{RND\text{-}fdeCCA\text{-}sector}}_{\mathcal{E}}(\mathcal{A}) = \Pr\bigl[\mathcal{A}^{E_K,\,E_K^{-1}}\Rightarrow 1\bigr] - \Pr\bigl[\mathcal{A}^{\$,\,\$}\Rightarrow 1\bigr],$$

where the superscripts after $\mathcal{A}$ denote the oracles it interacts with (the real encryption and decryption oracles in the first term, and the oracles returning uniformly random strings in the second).

Let $\{a_1,\ldots,a_s\}$ be a set of restrictions on the adversary's resources. Let $\mathbb{A}(a_1,\ldots,a_s)$ be the set of adversaries whose resources satisfy the restrictions $a_1,\ldots,a_s$. We write:

$$\mathrm{Adv}^{\mathrm{RND\text{-}fdeCCA\text{-}sector}}_{\mathcal{E}}(a_1,\ldots,a_s) = \max_{\mathcal{A}\in\mathbb{A}(a_1,\ldots,a_s)} \mathrm{Adv}^{\mathrm{RND\text{-}fdeCCA\text{-}sector}}_{\mathcal{E}}(\mathcal{A}).$$

III. Specification of XEHf mode

The main difference between the new XEHf mode and its ancestor, the XEH mode, is the block-wise universal hash function used after encrypting data blocks with a block cipher.

The XEHf mode uses two block-wise universal functions $f\colon \mathbb{F}\times\mathbb{F}\times\mathbb{F}^n\to\mathbb{F}^n$ and $\varphi\colon \mathbb{F}\times\mathbb{F}^n\to\mathbb{F}^n$, defined as follows:

$$f(\tau_3,\tau_4,y) = \bigl(y_1+\gamma_{\tau_3,\tau_4},\ \ldots,\ y_{n-1}+\gamma_{\tau_3,\tau_4},\ \gamma_{\tau_3,\tau_4}\bigr),\qquad \varphi(\tau_3,y) = \bigl(\zeta_{\tau_3},\ y_2+\zeta_{\tau_3},\ \ldots,\ y_n+\zeta_{\tau_3}\bigr), \tag{1}$$

where

$$\gamma_{\tau_3,\tau_4} = \tau_4 + \sum_{j=1}^{n} y_j\cdot\tau_3^{\,n-j},\qquad \zeta_{\tau_3} = \sum_{j=1}^{n} y_j\cdot\tau_3^{\,j-1}, \tag{2}$$

and $y=(y_1,\ldots,y_n)$.

In addition, we define the following functions:

$$g(\tau_2,\tau_3,\tau_4,y) = f(\tau_3,\tau_4,y) + \alpha^{\tau_2},\qquad \psi(\tau_1,\tau_3,y) = \varphi(\tau_3,y) + \alpha^{\tau_1},$$

where $\alpha^{\tau_i} = (\alpha^0\cdot\tau_i,\ \alpha^1\cdot\tau_i,\ \ldots,\ \alpha^{n-1}\cdot\tau_i)$ for $i\in\{1,2\}$ and $\alpha=x$ is a primitive element of $\mathbb{F}$.

For simplicity, we write $f_{\tau_3,\tau_4}(\cdot)$ for $f(\tau_3,\tau_4,\cdot)$, $g_{\tau_2,\tau_3,\tau_4}(\cdot)$ for $g(\tau_2,\tau_3,\tau_4,\cdot)$, $\varphi_{\tau_3}(\cdot)$ for $\varphi(\tau_3,\cdot)$ and $\psi_{\tau_1,\tau_3}(\cdot)$ for $\psi(\tau_1,\tau_3,\cdot)$. For fixed $\tau_i$, $i\in\{1,\ldots,4\}$, the functions $g_{\tau_2,\tau_3,\tau_4}$ and $\psi_{\tau_1,\tau_3}$ are permutations.

Lemma 4. Let $\mathbb{F}$ be an arbitrary field. Further, let $\tau_2,\tau_3,\tau_4$ be uniformly and independently chosen elements of $\mathbb{F}$. Then $g$ is $\bigl(1/|\mathbb{F}|,\ (n-1)/|\mathbb{F}|\bigr)$-BAU. We prove Lemma 4 in Appendix A.

Lemma 5 (Lemma 4 of [6]). Let $\mathbb{F}$ be an arbitrary field. Further, let $\tau_1,\tau_3$ be uniformly and independently chosen elements of $\mathbb{F}$. Then $\psi$ is $\bigl(1/|\mathbb{F}|,\ (n-1)/|\mathbb{F}|\bigr)$-BAU.

Let $\lambda_l\colon V_l\to\mathbb{F}$ be the function that maps a binary string $a=(a_0,\ldots,a_{l-1})\in V_l$ to the element $a=\sum_{i=0}^{l-1}a_i x^i$ of $\mathbb{F}$, where $a_i\in\{0,1\}$ for each index $i$. Let $\nu_l\colon\mathbb{F}\to V_l$ be the inverse function of $\lambda_l$.

Let $\mathcal{E}$ be a block cipher with key space $\mathcal{K}$, blocksize $l$ and encryption function $E$. The XEHf mode uses two independent block cipher keys $K',K''\in\mathcal{K}$ and four subkeys $\tau_1,\tau_2,\tau_3,\tau_4$ that are derived from a sector number $SN$ as follows:

$$\tau_1 = \lambda_l\bigl(E_{K'}(SN)\bigr),\qquad \tau_2 = \lambda_l\bigl(E_{K''}(\nu_l(\tau_1))\bigr),$$

$$\tau_3 = \lambda_l\bigl(E_{K''}(SN)\bigr),\qquad \tau_4 = \lambda_l\bigl(E_{K'}(\nu_l(\tau_3))\bigr).$$

Let $\widetilde{\mathrm{XEHf}}$ be a tweakable encryption scheme constructed from a block cipher $\mathcal{E}$. The encryption and decryption functions of the scheme are denoted by $\mathrm{Enc}_{K',K''}$ and $\mathrm{Dec}_{K',K''}$ respectively. These functions are shown in Fig. 1.

IV. Security of XEHf mode

Let $\widetilde{\mathrm{XEHf}}_{\pi,\pi'}$ be a tweakable encryption scheme in which two uniformly random permutations $\pi,\pi'\in S(V_l)$ are used instead of the block cipher in the XEHf mode. The permutation $\pi$ is used instead of $E_{K'}$, and the permutation $\pi'$ is used instead of $E_{K''}$. The key space of the scheme is $\mathcal{K}'=S(V_l)^2$, i.e. the permutations $\pi$ and $\pi'$ serve as the key.

Replacing the block cipher with $\pi$ and $\pi'$ allows us to analyze the combinatorial properties of the XEHf mode without taking the block cipher's properties into account. The concrete security of the XEHf mode is summarized in the following theorem.

Theorem 1 (XEHf security). Let $\pi\in S(V_l)$ and $\pi'\in S(V_l)$ be independent random permutations. Fix positive integers $l,n,q$. Then:

AdvRND-fdeCCA-sector( , < 2(n + ^V, XEHf _ 2' ,

where q = +

We prove Theorem 1 in Appendix B.

V. Discussion and comparison with existing solutions

The XEHf mode is compared with the following modes: DEC and XTS, which are standardized modes for block-oriented storage devices, and XEH, which is the baseline of the XEHf mode.

Function $\mathrm{Enc}_{K',K''}(SN, m_1,\ldots,m_n)$
    Derive subkeys
        $\tau_1 \leftarrow \lambda_l(E_{K'}(SN))$
        $\tau_2 \leftarrow \lambda_l(E_{K''}(\nu_l(\tau_1)))$
        $\tau_3 \leftarrow \lambda_l(E_{K''}(SN))$
        $\tau_4 \leftarrow \lambda_l(E_{K'}(\nu_l(\tau_3)))$
    Encrypt
        $(mm_1,\ldots,mm_n) \leftarrow \psi_{\tau_1,\tau_3}(\lambda_l(m_1),\ldots,\lambda_l(m_n))$
        for $i \leftarrow 1$ to $n$ do
            $cc_i \leftarrow E_{K'}(\nu_l(mm_i))$
        $(c_1,\ldots,c_n) \leftarrow g_{\tau_2,\tau_3,\tau_4}(\lambda_l(cc_1),\ldots,\lambda_l(cc_n))$
    Return result
        return $(\nu_l(c_1),\ldots,\nu_l(c_n))$

Function $\mathrm{Dec}_{K',K''}(SN, c_1,\ldots,c_n)$
    Derive subkeys
        $\tau_1 \leftarrow \lambda_l(E_{K'}(SN))$
        $\tau_2 \leftarrow \lambda_l(E_{K''}(\nu_l(\tau_1)))$
        $\tau_3 \leftarrow \lambda_l(E_{K''}(SN))$
        $\tau_4 \leftarrow \lambda_l(E_{K'}(\nu_l(\tau_3)))$
    Decrypt
        $(cc_1,\ldots,cc_n) \leftarrow g^{-1}_{\tau_2,\tau_3,\tau_4}(\lambda_l(c_1),\ldots,\lambda_l(c_n))$
        for $i \leftarrow 1$ to $n$ do
            $mm_i \leftarrow E^{-1}_{K'}(\nu_l(cc_i))$
        $(m_1,\ldots,m_n) \leftarrow \psi^{-1}_{\tau_1,\tau_3}(\lambda_l(mm_1),\ldots,\lambda_l(mm_n))$
    Return result
        return $(\nu_l(m_1),\ldots,\nu_l(m_n))$

Figure 1. Encryption (top) and decryption (bottom) under the XEHf mode using a block cipher $\mathcal{E}$ with two independent keys $K',K''\in\mathcal{K}$. The functions $E_K$ and $E_K^{-1}$ for $K\in\{K',K''\}$ are the encryption and decryption functions of the block cipher $\mathcal{E}$ under the key $K$.


The main difference between the XEHf and XEH modes is the use of a different function $g$ after encrypting blocks with a block cipher. In the XEHf mode, this function depends on three subkeys $\tau_2,\tau_3$ and $\tau_4$. In the XEH mode the similar function (we denote it by $h$ instead of $g$ to prevent ambiguity) depends on two subkeys $\tau_2,\tau_3$ and is defined as follows [6]:

$$h(\tau_2,\tau_3,y) = q(\tau_3,y) + \alpha^{\tau_2},\qquad q(\tau_3,y) = \bigl(y_1+Q_{\tau_3},\ \ldots,\ y_{n-1}+Q_{\tau_3},\ Q_{\tau_3}\bigr), \tag{3}$$

where $Q_{\tau_3} = \sum_{i=1}^{n}\bigl(y_i\cdot\tau_3^{\,n-i}\bigr) + \sum_{i=1}^{n-1}\bigl(y_i\cdot\delta_l(i)\bigr)$, and $\delta_l$ is the function that maps an element $r=\sum_{i=0}^{l-1}a_i 2^i$ of the ring $\mathbb{Z}_{2^l}$ to the element $r=\sum_{i=0}^{l-1}a_i x^i$ of the field $\mathbb{F}$, $a_i\in\{0,1\}$ for $i\in\{0,\ldots,l-1\}$. It is clearly seen that:

$$Q_{\tau_3} = y_n + \sum_{i=1}^{n-1} y_i\cdot\bigl(\tau_3^{\,n-i} + \delta_l(i)\bigr). \tag{4}$$

Consider the following matrix:

$$\left(\begin{array}{c|c}
\tau_3 & y_n \\
\tau_3 & \bigl(\tau_3 + \delta_l(n-1)\bigr)\cdot y_{n-1} \\
\tau_3^{\,2} & \bigl(\tau_3^{\,2} + \delta_l(n-2)\bigr)\cdot y_{n-2} \\
\vdots & \vdots \\
\tau_3^{\,n-1} & \bigl(\tau_3^{\,n-1} + \delta_l(1)\bigr)\cdot y_1
\end{array}\right) \tag{5}$$

The matrix (5) consists of $n$ rows. Each row represents a step in computing the value of $Q_{\tau_3}$. The right column (to the right of the vertical line) consists of all summands of the sum (4). The left column represents an auxiliary register. While moving down the rows of the matrix, the value of this register is multiplied by $\tau_3$, except for the step from the first row to the second one. Initially, the register contains $\tau_3$. We observe that computing the value of $Q_{\tau_3}$ requires $2n-3$ multiplications and $2n-2$ additions in the field $\mathbb{F}$. After that, according to (3), the value of $Q_{\tau_3}$ is added to each block except the last one. This requires $n-1$ finite field additions. Next, we add the value of $\alpha^{\tau_2}$. This step requires $n$ finite field additions and $n-1$ finite field multiplications by the primitive element $\alpha=x$.

Next, consider the function $g$ used in the XEHf mode. To compute its value, the value of $f$ should be computed first. According to Horner's rule, computing the value of $\gamma_{\tau_3,\tau_4}$ requires $n-1$ finite field multiplications and $n$ additions. The value of $\gamma_{\tau_3,\tau_4}$ is added to each block except the last one, which requires $n-1$ finite field additions. Then, the value of $\alpha^{\tau_2}$ is added to the result of the previous step. This requires $n$ finite field additions and $n-1$ finite field multiplications by the primitive element $\alpha$.

The total number of subkeys and finite field operations (additions, multiplications and multiplications by the primitive element) required to compute the functions $g$ and $h$ is shown in Table I.

Table I. Total number of subkeys and finite field operations required to compute the functions $g$ and $h$. The numbers of additions, multiplications and multiplications by the primitive element are denoted by A, M and MP respectively.

Function   Subkeys   A        M        MP
g          3         3n - 1   n - 1    n - 1
h          2         4n - 3   2n - 3   n - 1

From Table I, we observe that the function $g$ requires fewer multiplications and additions than $h$, but uses 3 subkeys instead of 2. Each subkey is produced by invoking the block cipher encryption function. Therefore, the XEHf mode is more efficient than the XEH mode if $n-2$ multiplications and $n-2$ additions in the finite field are performed faster than one invocation of the block cipher encryption function.
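As an added illustration (this is not the paper's code), the following Python block implements GF(2^128) arithmetic with operation counters and the functions $g$ (XEHf) and $h$ (XEH) exactly as counted above: $\gamma_{\tau_3,\tau_4}$ by Horner's rule, $Q_{\tau_3}$ row by row as in matrix (5), then the addition of $\alpha^{\tau_2}$. It reproduces the Table I figures for a sector of $n$ blocks and also checks that $g$ is invertible, which is what the decryption side of Fig. 1 relies on. Assumptions of the example: $p(x)$ is the $l=128$ polynomial from Section II, $\delta_l(i)$ is the integer $i$ read as a bit pattern, every field addition and multiplication is counted once (including the Horner and register steps), and the subkeys and block contents are constructed random inputs, not real key material.

```python
"""Added example, not code from the paper: GF(2^128) arithmetic with
operation counters, the hash functions g (XEHf) and h (XEH), and the
inverse of g. delta_l(i) is taken as the integer i read as a bit pattern."""
import random

L = 128
POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128+x^7+x^2+x+1
MASK = (1 << L) - 1


class Ops:
    """Field arithmetic with counters A (additions), M (multiplications)
    and MP (multiplications by the primitive element alpha = x)."""

    def __init__(self):
        self.A = self.M = self.MP = 0

    def add(self, a, b):
        self.A += 1
        return a ^ b                      # addition in GF(2^l) is XOR

    def mul_alpha(self, a):
        self.MP += 1
        a <<= 1                           # multiply by x, reduce once
        return (a ^ POLY) & MASK if a >> L else a

    def mul(self, a, b):
        self.M += 1
        r = 0
        for i in range(L):                # shift-and-add modulo p(x)
            if (b >> i) & 1:
                r ^= a
            a <<= 1
            if a >> L:
                a ^= POLY
        return r

    def add_alpha_tau(self, v, tau):
        """v + alpha^tau with alpha^tau = (tau, alpha*tau, ..., alpha^(n-1)*tau)."""
        out, a = [], tau
        for j, vj in enumerate(v):
            if j:
                a = self.mul_alpha(a)
            out.append(self.add(vj, a))
        return out


def horner(ops, t3, coeffs):
    """sum_{j=1..k} coeffs[j-1] * t3^(k-j), evaluated by Horner's rule."""
    acc = coeffs[0]
    for c in coeffs[1:]:
        acc = ops.add(ops.mul(acc, t3), c)
    return acc


def gamma(ops, t3, t4, y):
    """gamma_{t3,t4} = t4 + sum_{j=1..n} y_j * t3^(n-j)   (eq. 2)."""
    return ops.add(horner(ops, t3, y), t4)


def g(ops, t2, t3, t4, y):
    """g = f + alpha^t2, f = (y_1+gamma, ..., y_{n-1}+gamma, gamma)   (eq. 1)."""
    gm = gamma(ops, t3, t4, y)
    f = [ops.add(yj, gm) for yj in y[:-1]] + [gm]
    return ops.add_alpha_tau(f, t2)


def g_inverse(ops, t2, t3, t4, z):
    """Undo g: strip alpha^t2 (XOR is its own inverse), read gamma from the
    last block, recover y_j = w_j + gamma for j < n, then solve eq. 2 for y_n."""
    w = ops.add_alpha_tau(z, t2)
    gm = w[-1]
    y = [ops.add(wj, gm) for wj in w[:-1]]
    partial = ops.mul(horner(ops, t3, y), t3) if y else 0   # sum_{j<n} y_j t3^(n-j)
    y.append(ops.add(ops.add(gm, t4), partial))
    return y


def h(ops, t2, t3, y):
    """h = q + alpha^t2, with Q_{t3} computed row by row as in matrix (5):
    the register starts at t3 and is multiplied by t3 on every step except
    the first one."""
    n = len(y)
    reg, Q = t3, y[-1]
    for i in range(n - 1, 0, -1):
        if i < n - 1:
            reg = ops.mul(reg, t3)
        Q = ops.add(Q, ops.mul(ops.add(reg, i), y[i - 1]))
    q = [ops.add(yj, Q) for yj in y[:-1]] + [Q]
    return ops.add_alpha_tau(q, t2)


def sample(n, seed=1):
    """Constructed subkeys and sector blocks for the demo (not key material)."""
    rnd = random.Random(seed)
    t2, t3, t4 = (rnd.getrandbits(L) for _ in range(3))
    return t2, t3, t4, [rnd.getrandbits(L) for _ in range(n)]


def table_i(n, seed=1):
    """Return ((A, M, MP) for g, (A, M, MP) for h) for an n-block sector."""
    t2, t3, t4, y = sample(n, seed)
    og, oh = Ops(), Ops()
    g(og, t2, t3, t4, y)
    h(oh, t2, t3, y)
    return (og.A, og.M, og.MP), (oh.A, oh.M, oh.MP)


def roundtrip_ok(n, seed=1):
    """True iff g_inverse(g(y)) == y, i.e. g acts as a permutation of F^n."""
    t2, t3, t4, y = sample(n, seed)
    ops = Ops()
    return g_inverse(ops, t2, t3, t4, g(ops, t2, t3, t4, y)) == y


if __name__ == "__main__":
    print("g:", table_i(8)[0], "h:", table_i(8)[1], "roundtrip:", roundtrip_ok(8))
```

For $n=8$ the counters give $(23, 7, 7)$ for $g$ and $(29, 13, 7)$ for $h$, matching $3n-1$, $n-1$, $n-1$ and $4n-3$, $2n-3$, $n-1$ from Table I; the difference of $n-2$ multiplications and $n-2$ additions is what the XEHf mode trades against one extra subkey derivation.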

Similarly to the XEH and XTS modes and in contrast to the DEC mode, the XEHf mode does not require any additional data such as counters, initialization vectors, etc. The DEC mode uses one half-block counter for each partition and one half-block counter for each sector. These counters have to be stored on the storage device, reducing the disk space available to the user. The total amount of additional data required for encrypting 32 GB of data on a system disk with 512-byte sectors using the standardized block ciphers is shown in Table II. From Table II, we observe that this amount exceeds 100 MB, and therefore the additional data cannot be stored in the system EFI partition, since the standard size of this partition is exactly 100 MB and it cannot be extended with built-in Windows OS tools. This makes the XEHf mode appropriate for encrypting a system disk.

Table II. Comparison of the amount of additional data required by the DEC and XEHf modes for encryption of a 32 GB system disk with a sector size of 512 bytes.

Cipher (mode)        Blocksize   Amount of additional data
Magma (DEC)          64 bits     256 MB
Magma (XEHf)         64 bits     -
Kuznyechik (DEC)     128 bits    512 MB
Kuznyechik (XEHf)    128 bits    -

Furthermore, performance measurements are carried out for the XTS, XEH and XEHf modes. The DEC mode is excluded from the performance comparison because equivalent experimental conditions cannot be created for it.

The above-mentioned modes are implemented in the C programming language with support for the SSE2 instruction set. In the performance comparison each mode uses Kuznyechik as the block cipher [8]. The experiment is conducted on a computer with a 2.6 GHz Intel(R) Core(TM) i7-9750H CPU, 8 GB of DDR4 RAM and a 64-bit macOS 14.1 operating system. During the experiment, 512- and 4096-byte sectors are encrypted and decrypted multiple times, and the average processing time is taken into account. Each value is normalized to the corresponding value for the XTS mode (thus, all normalized values for the XTS mode are equal to 1). The results are shown in Table III.

Table III. Relative time of encrypting and decrypting 512- and 4096-byte sectors in the XTS, XEH and XEHf modes.

Mode    Encryption               Decryption
        512 bytes   4096 bytes   512 bytes   4096 bytes
XTS     1           1            1           1
XEH     1.078       1.051        1.081       1.065
XEHf    1.055       1.037        1.051       1.044

From Table III, one can see that the performance degradation relative to the XTS mode does not exceed 9% for XEH and 6% for XEHf. This decrease in performance is explained by the additional computations of $f$ and $\varphi$. The XEHf mode performs all operations faster than its ancestor.

VI. Conclusion

In this paper we introduce a new provably secure block ciphers mode of operation XEHf, which stands for "XEH fast", aimed to improve performance of the XEH mode [5][6].

The cryptographic and operational properties of the XEHf mode are investigated. The mode is proven to be secure against an adaptive adversary in the Chosen Ciphertext Attack (CCA) setting. The mode uses block-wise universal hash functions, whose properties are essential for the mode's security.

A performance comparison with existing modes is carried out. The XEHf mode runs 3% faster on average than the XEH mode due to its more efficient hash function.

References

[1] Isobe, T., & Minematsu, K. (2020). "Plaintext recovery attacks against XTS beyond collisions" in K. G. Paterson, D. Stebila (eds.), Selected Areas in Cryptography - SAC 2019, 103-123. Springer, Cham.

[2] Firsov, G., & Koreneva, A. (2022). On One Block Cipher Mode of Operation Used to Protect Data on Block-Oriented Storage Devices. Modern Information Technologies and IT-Education, 18(3), 691-701.

[3] R 1323565.1.042-2022. Information technology. Cryptographic protection of information. Block ciphers mode of operation designed to protect of data storage medium with a block-oriented structure. (2022). Russian National Bureau of Standards.

[4] Bogdanov, D., & Nozdrunov, V. (2021). Some properties of one mode of operation of block ciphers. In 10th Workshop on Current Trends in Cryptology (CTCrypt 2021). Pre-proceedings (pp. 12-17).

[5] Firsov, G., & Koreneva, A. (2023). On one block cipher mode of operation for protection of block-oriented storage devices. Applied Discrete Mathematics. Supplement, 16(1), 52-56.

[6] Firsov, G., & Koreneva, A. (2024). On improved security bounds of one block ciphers mode of operation for protection of block-oriented system storage devices. Journal of Computer Virology and Hacking Techniques.

[7] Liskov, M., Rivest, R. L., & Wagner, D. (2010). Tweakable block ciphers. Journal of Cryptology, 24(3), 588-613.

[8] GOST 34.12-2018. Information technology. Cryptographic protection of information. Block ciphers. (2018). Russian National Bureau of Standards.

[9] Bellare, M., & Rogaway, P. (2005). Introduction to Modern Cryptography.

[10] Halevi, S. (2007). "Invertible Universal Hashing and the TET Encryption Mode" in Menezes, A. (ed), Advances in Cryptology -CRYPTO 2007. CRYPTO 2007. Lecture Notes in Computer Science. 4622, 412-429. Springer, Berlin, Heidelberg.

[11] Sarkar, P. (2009). Efficient tweakable enciphering schemes from (block-wise) universal hash functions. IEEE Transactions on Information Theory, 55(10), 4749-4760.

Appendix A. The proof of Lemma 4

Proof. The proof uses the same idea as the proof of Lemma 4 of [6]. Fix some $(y_1,\ldots,y_n)\in\mathbb{F}^n$ and $(y'_1,\ldots,y'_n)\in\mathbb{F}^n$. Further, let $(z_1,\ldots,z_n)=g_{\tau_2,\tau_3,\tau_4}(y_1,\ldots,y_n)$ and $(z'_1,\ldots,z'_n)=g_{\tau_2,\tau_3,\tau_4}(y'_1,\ldots,y'_n)$.

Case $i\ne i'$. Without loss of generality, we assume $i<i'$. First, consider $i'<n$. We have:

$$z_i - z'_{i'} = \tau_2\cdot\bigl(\alpha^{i-1}-\alpha^{i'-1}\bigr) + \xi_i, \tag{6}$$

where $\xi_i = \bigl(y_i+\gamma_{\tau_3,\tau_4}\bigr) - \bigl(y'_{i'}+\gamma'_{\tau_3,\tau_4}\bigr)$. From (6) it immediately follows that the event $z_i=z'_{i'}$ is equivalent to the event $\tau_2 = \xi_i\cdot\bigl(\alpha^{i'-1}-\alpha^{i-1}\bigr)^{-1}$. Since the right-hand side of the equation is independent of $\tau_2$, which is chosen uniformly, the probability of the last event equals $1/|\mathbb{F}|$. Next, consider $i'=n$. We have:

$$z_i - z'_{i'} = \tau_2\cdot\bigl(\alpha^{i-1}-\alpha^{i'-1}\bigr) + \xi_i,$$

where $\xi_i = \bigl(y_i+\gamma_{\tau_3,\tau_4}\bigr) - \gamma'_{\tau_3,\tau_4}$. As before, $\xi_i$ is independent of $\tau_2$. Using the same idea we conclude that the probability of $z_i$ and $z'_{i'}$ being equal given $i'=n$ equals $1/|\mathbb{F}|$. Hence:

$$\Pr_{\tau_2,\tau_3,\tau_4}\bigl[z_i = z'_{i'}\bigr] \le \frac{1}{|\mathbb{F}|},\qquad i\ne i'. \tag{7}$$

Case $i=i'$. In this case $(y_1,\ldots,y_n)\ne(y'_1,\ldots,y'_n)$ always holds. First, suppose $i<n$. Then:

$$z_i - z'_i = \bigl(y_i+\gamma_{\tau_3,\tau_4}\bigr) - \bigl(y'_i+\gamma'_{\tau_3,\tau_4}\bigr).$$

From (1) and (2) we have $y_i+\gamma_{\tau_3,\tau_4} = \beta_3 + \sum_{j=1}^{n-1} y_j\tau_3^{\,n-j}$, where $\beta_3 = y_i+\tau_4+y_n$. Similarly, $y'_i+\gamma'_{\tau_3,\tau_4} = \beta'_3 + \sum_{j=1}^{n-1} y'_j\tau_3^{\,n-j}$, where $\beta'_3 = y'_i+\tau_4+y'_n$. The event $z_i=z'_i$ is equivalent to the event:

$$0 = \bigl(\beta_3-\beta'_3\bigr) + \sum_{j=1}^{n-1}\bigl(y_j-y'_j\bigr)\tau_3^{\,n-j}. \tag{8}$$

At least one coefficient of the polynomial (8) in $\tau_3$ is non-zero. Therefore, equality (8) holds if and only if $\tau_3$ is a root of the polynomial.

The degree of the polynomial (8) does not exceed $n-1$, and hence it has at most $n-1$ roots. The polynomial coefficients are all independent of $\tau_3$, which is chosen uniformly. Therefore, the probability of $z_i$ and $z'_i$ being equal given $i=i'$ and $i<n$ does not exceed $(n-1)/|\mathbb{F}|$.

A similar argument gives the same bound for the case $i=n$. Hence:

$$\Pr_{\tau_2,\tau_3,\tau_4}\bigl[z_i = z'_{i'}\bigr] \le \frac{n-1}{|\mathbb{F}|},\qquad i=i'. \tag{9}$$

From (7) and (9) we conclude that $g$ is $\bigl(\tfrac{1}{|\mathbb{F}|},\ \tfrac{n-1}{|\mathbb{F}|}\bigr)$-BAU by definition. This completes the proof.

Appendix B. The proof of Theorem 1

Let $\mathcal{A}$ be an adversary. We write "$\mathcal{A}[\mathrm{GAME}]\Rightarrow 1$" to denote that the adversary $\mathcal{A}$ returned 1 in the security game (experiment) named GAME. We write "$\mathrm{GAME}\colon bad=1$" to denote that the "bad" flag equals 1 at the end of the security game GAME.

Proof. This proof of the XEHf mode security is based on the game-substitution argument. The following four games are introduced:

• Game XEHf. In this game the adversary interacts with a challenger that uses the $\widetilde{\mathrm{XEHf}}$ encryption scheme to process requests. The permutations $\pi$ and $\pi'$ are built via the "lazy sampling" technique, i.e. whenever the value of $\pi(x)$ is required, we choose an "unused" value uniformly and define $\pi(x)$ to equal this value. The same steps are performed whenever the value of $\pi^{-1}(y)$ is required. The permutation $\pi'$ is built in the same way.

• Game RND1. This game differs from the previous one in the way the functions $\pi$ and $\pi'$ are built. In this game, we do not check whether a newly chosen value is "unused". Hence, $\pi$ and $\pi'$ are not necessarily permutations.

• Game RND2. In this game, the challenger simply generates random binary strings of the proper length as responses to the adversary's queries. After handling all queries, the challenger checks whether there is a collision in either the domain or the range of the functions $\pi$ and/or $\pi'$.


• Game NON (for "noninteractive"). In this game, we consider the stronger condition in which the adversary sends both a plaintext and a ciphertext in each query. The purpose of this game is to upper bound the probability of a collision in either the domain or the range of the functions $\pi$ and $\pi'$.

We describe the "lazy sampling" algorithm in more detail. Using this algorithm, we build the permutations $\pi$ and $\pi'$ in games XEHf and RND1. Since $\pi$ and $\pi'$ are built the same way, we describe this algorithm once.

Let $\omega\in\{\pi,\pi'\}$. Let $D_\omega$ and $R_\omega$ be the domain and range of the permutation $\omega$ respectively. These sets are used to track the values for which the permutation is defined. Both sets are initially empty.

Whenever the value of $\omega(x)$ is required, an algorithm $\mathrm{Smp}_\omega$ ("Smp" stands for "sample") is invoked. A corresponding algorithm $\mathrm{Smp}_{\omega^{-1}}$ exists for sampling $\omega^{-1}$. These algorithms are shown in Fig. B.1. For game XEHf, we preserve the shaded statements, and for game RND1, we do not.

We use the "bad" flag, which can be either 0 or 1. Initially this flag is set to 0 and it can be modified during the game under certain conditions in the algorithms $\mathrm{Smp}_\omega$ and $\mathrm{Smp}_{\omega^{-1}}$.

Algorithm $\mathrm{Smp}_\omega(x)$
    Choose a value
        $y \xleftarrow{\$} V_l$
    Perform checks
        if $y\in R_\omega$ then
            $bad \leftarrow 1$
            $y \xleftarrow{\$} V_l\setminus R_\omega$   [shaded]
        if $x\in D_\omega$ then
            $bad \leftarrow 1$
            $y \leftarrow \omega(x)$   [shaded]
    Save value
        $\omega(x) \leftarrow y$
        $D_\omega \leftarrow D_\omega\cup\{x\}$
        $R_\omega \leftarrow R_\omega\cup\{y\}$
    Return result
        return $y$

Algorithm $\mathrm{Smp}_{\omega^{-1}}(y)$
    Choose a value
        $x \xleftarrow{\$} V_l$
    Perform checks
        if $x\in D_\omega$ then
            $bad \leftarrow 1$
            $x \xleftarrow{\$} V_l\setminus D_\omega$   [shaded]
        if $y\in R_\omega$ then
            $bad \leftarrow 1$
            $x \leftarrow \omega^{-1}(y)$   [shaded]
    Save value
        $\omega(x) \leftarrow y$
        $D_\omega \leftarrow D_\omega\cup\{x\}$
        $R_\omega \leftarrow R_\omega\cup\{y\}$
    Return result
        return $x$

Figure B.1. Algorithms $\mathrm{Smp}_\omega$ and $\mathrm{Smp}_{\omega^{-1}}$ for $\omega\in\{\pi,\pi'\}$. The statements marked [shaded] are preserved for game XEHf and omitted for game RND1.
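To make the "identical until bad" step concrete, here is an added Python model (not the paper's code) of the procedures $\mathrm{Smp}_\omega$ and $\mathrm{Smp}_{\omega^{-1}}$ of Fig. B.1. One sampler keeps the shaded statements (game XEHf) and the other omits them (game RND1); both are run on the same query list and the same random tape, and their outputs coincide up to the first query that sets the bad flag, which is exactly what the bound $\Pr[\mathcal{A}[\mathrm{XEHf}]\Rightarrow 1]-\Pr[\mathcal{A}[\mathrm{RND1}]\Rightarrow 1]\le\Pr[\mathrm{RND1}\colon bad=1]$ relies on. The block width (8 bits instead of $l$), the seed and the query sequence are constructed for illustration; the repeated input in the sequence guarantees that the flag is set.

```python
"""Added example, not code from the paper: Smp_omega and Smp_omega^{-1}
of Fig. B.1 with the "bad" flag. `strict=True` keeps the shaded statements
(game XEHf: omega stays a permutation); `strict=False` drops them (game RND1:
a fresh value is returned even when a collision is detected)."""
import random


class LazySampler:
    def __init__(self, bits, strict, seed=0):
        self.bits, self.strict = bits, strict
        self.rnd = random.Random(seed)         # same seed = same random tape
        self.fwd, self.inv = {}, {}            # omega and omega^{-1} so far
        self.D, self.R = set(), set()          # D_omega and R_omega
        self.bad = False

    def _fresh(self):
        return self.rnd.getrandbits(self.bits)  # v <-$ V_l (toy width)

    def _store(self, x, y):
        self.fwd[x], self.inv[y] = y, x
        self.D.add(x)
        self.R.add(y)

    def sample(self, x):
        """Smp_omega(x)."""
        y = self._fresh()
        if y in self.R:                         # range collision
            self.bad = True
            if self.strict:                     # shaded: resample outside R
                while y in self.R:
                    y = self._fresh()
        if x in self.D:                         # input already defined
            self.bad = True
            if self.strict:                     # shaded: reuse omega(x)
                y = self.fwd[x]
        self._store(x, y)
        return y

    def sample_inverse(self, y):
        """Smp_omega^{-1}(y), mirror image of sample()."""
        x = self._fresh()
        if x in self.D:
            self.bad = True
            if self.strict:
                while x in self.D:
                    x = self._fresh()
        if y in self.R:
            self.bad = True
            if self.strict:
                x = self.inv[y]
        self._store(x, y)
        return x


def run_games(queries, bits=8, seed=7):
    """Run the XEHf-style (strict) and RND1-style (loose) samplers on the same
    queries and tape. Returns both output lists, the index of the first query
    that set bad (or None) and the strict sampler for inspection."""
    strict, loose = LazySampler(bits, True, seed), LazySampler(bits, False, seed)
    out_s, out_l, first_bad = [], [], None
    for i, (direction, v) in enumerate(queries):
        if direction == "enc":
            out_s.append(strict.sample(v))
            out_l.append(loose.sample(v))
        else:
            out_s.append(strict.sample_inverse(v))
            out_l.append(loose.sample_inverse(v))
        if first_bad is None and loose.bad:
            first_bad = i
    return out_s, out_l, first_bad, strict


def identical_until_bad(queries, bits=8, seed=7):
    """(outputs agree before bad, first_bad, strict table is a partial permutation)."""
    out_s, out_l, first_bad, strict = run_games(queries, bits, seed)
    cut = len(out_s) if first_bad is None else first_bad
    injective = len(set(strict.fwd.values())) == len(strict.fwd)
    consistent = all(strict.inv[y] == x for x, y in strict.fwd.items())
    return out_s[:cut] == out_l[:cut], first_bad, injective and consistent


# Constructed query sequence: the repeated input 1 guarantees that bad is set.
QUERIES = [("enc", 1), ("enc", 2), ("dec", 200), ("enc", 3), ("enc", 1)]

if __name__ == "__main__":
    print(identical_until_bad(QUERIES))
```

The model mirrors the proof's bookkeeping rather than the scheme itself: $D_\omega$ and $R_\omega$ are the sets from the text, the flag is raised by the same two checks as in Fig. B.1, and the only behavioural difference between the two samplers is the pair of shaded statements, so any divergence in outputs can only appear from the query on which bad was first set.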

In all games we never redefine subkeys. Let $S\subseteq V_l\times\mathbb{N}$ be the set of pairs consisting of a sector number and the number of the query on which that sector number was processed for the first time. Let $T\subseteq\mathbb{F}^4\times\mathbb{N}$ be the set of corresponding subkeys. The sets $S$ and $T$ are related to each other: if $(SN,j)\in S$, and $\tau_1,\tau_2,\tau_3,\tau_4$ are computed using the sector number $SN$, then $(\tau_1,\tau_2,\tau_3,\tau_4,j)\in T$.

Game XEHf. The challenger's encryption and decryption oracles use the encryption and decryption functions of the scheme $\widetilde{\mathrm{XEHf}}_{\pi,\pi'}$ respectively. In more detail, the encryption and decryption oracles invoke the algorithms RespEnc and RespDec respectively. To track the sequential number of the query currently being handled, these algorithms maintain an internal counter $cnt$. To handle a sector number, these algorithms invoke the algorithm Twk. The algorithm Twk is shown in Fig. B.2; the algorithms RespEnc and RespDec are shown in Fig. B.3.

Algorithm Twk(SN, j):
  if ∃k: k < j ∧ (SN, k) ∈ S then
    τ1, τ2, τ3, τ4 ← τ1, τ2, τ3, τ4 s.t. (τ1, τ2, τ3, τ4, k) ∈ T
  else
    τ1 ← Δ_l(Smp_π(SN))
    τ2 ← Δ_l(Smp_π'(∇_l(τ1)))
    τ3 ← Δ_l(Smp_π'(SN))
    τ4 ← Δ_l(Smp_π(∇_l(τ3)))
    S ← S ∪ {(SN, j)}
    T ← T ∪ {(τ1, τ2, τ3, τ4, j)}
  return τ1, τ2, τ3, τ4

Figure B.2. Algorithm Twk for games XEHf and RND1.
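As an added illustration (not code from the paper), the following Python models the lazy sampling of Fig. B.1 in both variants (shaded statements kept for XEHf, dropped for RND1) together with the per-sector subkey caching of Fig. B.2. It assumes that l-bit strings are represented as integers, so that Δ_l and ∇_l become the identity; the class and function names are the example's own.

```python
import random

class LazyPerm:
    """Lazy sampling of omega in {pi, pi'} as in Fig. B.1 (added example, not
    the paper's code; l-bit strings are modelled as ints in [0, 2**l), so the
    paper's Delta_l / Nabla_l are taken as the identity). shaded=True keeps the
    shaded statements (game XEHf): omega stays a permutation. shaded=False
    omits them (game RND1): omega is a random function and only the bad flag
    records a collision in the domain D_omega or the range R_omega."""
    def __init__(self, l, shaded, seed=0):
        self.values = range(1 << l)                 # V_l
        self.shaded, self.rng, self.bad = shaded, random.Random(seed), 0
        self.fwd, self.inv = {}, {}                 # omega / omega^-1; keys = D / R

    def _fresh(self, taken, fallback):              # v <-$ V_l \ taken
        free = [v for v in self.values if v not in taken]
        return self.rng.choice(free) if free else fallback

    def _sample(self, key, table, other):
        """Body of Smp_omega (table=fwd, other=inv) and Smp_omega^-1 (swapped)."""
        val = self.rng.choice(self.values)          # val <-$ V_l
        if val in other:                            # val already in R (resp. D)
            self.bad = 1
            if self.shaded:
                val = self._fresh(other, val)       # val <-$ V_l \ R (resp. D)
        if key in table:                            # key already in D (resp. R)
            self.bad = 1
            if self.shaded:
                val = table[key]                    # val <- omega(key) (resp. omega^-1)
        table[key], other[val] = val, key           # save value; D and R grow
        return val

    def smp(self, x):                               # Algorithm Smp_omega(x)
        return self._sample(x, self.fwd, self.inv)

    def smp_inv(self, y):                           # Algorithm Smp_omega^-1(y)
        return self._sample(y, self.inv, self.fwd)

def twk(pi, pi2, sn, cache):
    """Algorithm Twk of Fig. B.2: subkeys are derived once per sector number
    and remembered (the sets S and T), so no sector number is sampled twice."""
    if sn not in cache:
        t1 = pi.smp(sn)                             # tau_1 <- pi(SN)
        t2 = pi2.smp(t1)                            # tau_2 <- pi'(tau_1)
        t3 = pi2.smp(sn)                            # tau_3 <- pi'(SN)
        t4 = pi.smp(t3)                             # tau_4 <- pi(tau_3)
        cache[sn] = (t1, t2, t3, t4)
    return cache[sn]
```

With shaded=True every input of a small domain maps to a distinct output and the inverse is consistent, whereas with shaded=False sampling more distinct inputs than there are l-bit values is guaranteed to set the bad flag.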

Game RND1. The only difference from the previous game is the definition of the algorithms $\mathrm{Smp}_\omega$ and $\mathrm{Smp}_\omega^{-1}$ for $\omega \in \{\pi, \pi'\}$: the shaded statements in Fig. B.1 are omitted. Hence $\pi$ and $\pi'$ are not necessarily permutations.

Note that games XEHf and RND1 are identical until the "bad" flag is set to 1. Therefore we have
$$\Pr[\mathcal{A}[\mathrm{XEHf}] \Rightarrow 1] - \Pr[\mathcal{A}[\mathrm{RND1}] \Rightarrow 1] \le \Pr[\mathrm{RND1}: bad = 1].$$

Game RND2. We change the structure of the game. In this game the challenger responds to every query with a uniformly random binary string; each string is chosen independently. After processing all queries, the challenger checks whether there is a collision in the domain or the range of $\pi$ and/or $\pi'$. If such a collision exists, the "bad" flag is set to 1.

More precisely, we modify the algorithms Twk, RespEnc and RespDec. Hereinafter $D_\omega$ and $R_\omega$ are treated as multisets. The algorithm Twk does not invoke $\mathrm{Smp}_\omega$ anymore; instead, it chooses the subkeys uniformly and directly modifies $D_\omega$ and $R_\omega$. The algorithms RespEnc and RespDec are shown in Fig. B.4, and the algorithm Twk is shown in Fig. B.5.

After responding to the last adversary's query, the "bad" flag is set to 1 if there is a collision in at least one of the multisets $D_\pi$, $R_\pi$, $D_{\pi'}$ and $R_{\pi'}$.

In game RND2 the adversary receives uniformly random n-tuples of elements of $V_l$. In game RND1, the encryption and decryption oracles choose the values $cc_k$ and $mm_k$, $k \in \{1, \dots, n\}$, uniformly and independently on each query. Applying Lemma 1 and then Lemma 2 (both $g_{\tau_2,\tau_3,\tau_4}$ and $\psi_{\tau_1,\tau_3}$ are permutations for every $\tau_1, \tau_2, \tau_3, \tau_4$), we conclude that games RND1 and RND2 are indistinguishable for the adversary $\mathcal{A}$, because the adversary receives uniformly random binary strings in both games. Therefore we have
$$\Pr[\mathcal{A}[\mathrm{RND1}] \Rightarrow 1] = \Pr[\mathcal{A}[\mathrm{RND2}] \Rightarrow 1],$$
$$\Pr[\mathrm{RND1}: bad = 1] = \Pr[\mathrm{RND2}: bad = 1].$$

Algorithm RespEnc(SN, m):
  Process sector number
    τ1, τ2, τ3, τ4 ← Twk(SN, cnt)
    cnt ← cnt + 1
  Encrypt
    (mm_1, ..., mm_n) ← ψ_{τ1,τ3}(Δ_l(m_1), ..., Δ_l(m_n))
    for i ← 1 to n do
      cc_i ← Smp_π(∇_l(mm_i))
    (c_1, ..., c_n) ← g^{-1}_{τ2,τ3,τ4}(cc_1, ..., cc_n)
  Return result
    return (∇_l(c_1), ..., ∇_l(c_n))

Algorithm RespDec(SN, c):
  Process sector number
    τ1, τ2, τ3, τ4 ← Twk(SN, cnt)
    cnt ← cnt + 1
  Decrypt
    (cc_1, ..., cc_n) ← g_{τ2,τ3,τ4}(Δ_l(c_1), ..., Δ_l(c_n))
    for i ← 1 to n do
      mm_i ← Smp_π^{-1}(∇_l(cc_i))
    (m_1, ..., m_n) ← ψ_{τ1,τ3}(Δ_l(mm_1), ..., Δ_l(mm_n))
  Return result
    return (∇_l(m_1), ..., ∇_l(m_n))

Figure B.3. Algorithms RespEnc and RespDec for games XEHf and RND1.

Algorithm RespEnc(SN, m):
  Process sector number
    τ1, τ2, τ3, τ4 ← Twk(SN, cnt)
    cnt ← cnt + 1
  "Encrypt"
    (c_1, ..., c_n) ←$ V_l^n
  Update multisets
    (mm_1, ..., mm_n) ← ψ_{τ1,τ3}(Δ_l(m_1), ..., Δ_l(m_n))
    (cc_1, ..., cc_n) ← g_{τ2,τ3,τ4}(Δ_l(c_1), ..., Δ_l(c_n))
    D_π ← D_π ∪ {∇_l(mm_1), ..., ∇_l(mm_n)}
    R_π ← R_π ∪ {∇_l(cc_1), ..., ∇_l(cc_n)}
  Return result
    return (c_1, ..., c_n)

Algorithm RespDec(SN, c):
  Process sector number
    τ1, τ2, τ3, τ4 ← Twk(SN, cnt)
    cnt ← cnt + 1
  "Decrypt"
    (m_1, ..., m_n) ←$ V_l^n
  Update multisets
    (mm_1, ..., mm_n) ← ψ_{τ1,τ3}(Δ_l(m_1), ..., Δ_l(m_n))
    (cc_1, ..., cc_n) ← g_{τ2,τ3,τ4}(Δ_l(c_1), ..., Δ_l(c_n))
    D_π ← D_π ∪ {∇_l(mm_1), ..., ∇_l(mm_n)}
    R_π ← R_π ∪ {∇_l(cc_1), ..., ∇_l(cc_n)}
  Return result
    return (m_1, ..., m_n)

Figure B.4. Algorithms RespEnc and RespDec for game RND2.

Algorithm Twk(SN, j):
  if ∃k: k < j ∧ (SN, k) ∈ S then
    τ1, τ2, τ3, τ4 ← τ1, τ2, τ3, τ4 s.t. (τ1, τ2, τ3, τ4, k) ∈ T
  else
    for i ← 1 to 4 do
      t_i ←$ V_l
      τ_i ← Δ_l(t_i)
    S ← S ∪ {(SN, j)}
    T ← T ∪ {(τ1, τ2, τ3, τ4, j)}
    D_π ← D_π ∪ {SN, t_3}
    R_π ← R_π ∪ {t_1, t_4}
    D_π' ← D_π' ∪ {SN, t_1}
    R_π' ← R_π' ∪ {t_2, t_3}
  return τ1, τ2, τ3, τ4

Figure B.5. Algorithm Twk for game RND2.

In game RND2 the adversary interacts with two random oracles, since these oracles respond with uniformly and independently chosen random binary strings. Hence
$$\Pr[\mathcal{A}[\mathrm{RND2}] \Rightarrow 1] = \Pr[\mathcal{A}^{\$,\$} \Rightarrow 1].$$

We have the following upper bound on the adversary's advantage:
$$\begin{aligned}
\mathrm{Adv}^{\text{RND-fdeCCA-sector}}_{\mathrm{XEHf}}(\mathcal{A})
&= \Pr[\mathcal{A}[\mathrm{XEHf}] \Rightarrow 1] - \Pr[\mathcal{A}^{\$,\$} \Rightarrow 1] \\
&= \Pr[\mathcal{A}[\mathrm{XEHf}] \Rightarrow 1] - \Pr[\mathcal{A}[\mathrm{RND2}] \Rightarrow 1] \\
&= \Pr[\mathcal{A}[\mathrm{XEHf}] \Rightarrow 1] - \Pr[\mathcal{A}[\mathrm{RND1}] \Rightarrow 1] \\
&\le \Pr[\mathrm{RND1}: bad = 1] = \Pr[\mathrm{RND2}: bad = 1].
\end{aligned} \tag{10}$$

Now we can get rid of the concrete adversary and find an upper bound on the value of $\mathrm{Adv}^{\text{RND-fdeCCA-sector}}_{\mathrm{XEHf}}(q)$ by bounding the probability $\Pr[\mathrm{RND2}: bad = 1]$.

Game NON. In this game we consider a stronger condition: the adversary sends both the plaintext and the ciphertext in each query. More formally, it makes $q = q_e + q_d$ queries. The j-th query has the form $(SN_j, m_j, c_j, t_j)$, where $SN_j$ is a sector number, $m_j$ is an n-block message (plaintext), $c_j$ is an n-block ciphertext, and $t_j$ is either 0 or 1, denoting an encryption or a decryption query respectively. We denote the i-th block of $m_j$ ($c_j$) by $m_{j,i}$ ($c_{j,i}$) for $i \in \{1, \dots, n\}$. The oracles perform the same actions as in the previous game, except for response generation, since the response is provided by the adversary.

The adversary's queries are such that they maximize the probability of the "bad" flag being set and are not pointless. The adversary never makes the same query twice.

Collision analysis. Let $\mathrm{Coll}_X$ be the event of a collision in the multiset X for $X \in \{D_\pi, R_\pi, D_{\pi'}, R_{\pi'}\}$. By the inclusion-exclusion principle we have
$$\Pr[\mathrm{RND2}: bad = 1] \le \Pr[\mathrm{Coll}_{D_\pi}] + \Pr[\mathrm{Coll}_{R_\pi}] + \Pr[\mathrm{Coll}_{D_{\pi'}}] + \Pr[\mathrm{Coll}_{R_{\pi'}}]. \tag{11}$$

Consider the j-th query. Let
$$(mm_{j,1}, \dots, mm_{j,n}) = \psi_{\tau_{1,j},\tau_{3,j}}(\Delta_l(m_{j,1}), \dots, \Delta_l(m_{j,n})),$$
$$(cc_{j,1}, \dots, cc_{j,n}) = g_{\tau_{2,j},\tau_{3,j},\tau_{4,j}}(\Delta_l(c_{j,1}), \dots, \Delta_l(c_{j,n})),$$
where $\tau_{1,j}, \tau_{2,j}, \tau_{3,j}, \tau_{4,j}$ are the subkeys for the j-th query.

First, consider the multiset $R_\pi$. It consists of the following values: $\nabla_l(\tau_{1,j})$, $\nabla_l(\tau_{4,j})$, $\nabla_l(cc_{j,1}), \dots, \nabla_l(cc_{j,n})$ for every $j \in \{1, \dots, q\}$.

Let $\mathrm{Coll}_{T,g}$ be the event that there is at least one pair (i, j) such that $SN_i \ne SN_j$ and $(\tau_{2,i}, \tau_{3,i}, \tau_{4,i}) = (\tau_{2,j}, \tau_{3,j}, \tau_{4,j})$. From the law of total probability we have
$$\Pr[\mathrm{Coll}_{R_\pi}] \le \Pr[\mathrm{Coll}_{T,g}] + \Pr[\mathrm{Coll}_{R_\pi} \mid \overline{\mathrm{Coll}_{T,g}}], \tag{12}$$
where the event $\overline{\mathrm{Coll}_{T,g}}$ is the complement of $\mathrm{Coll}_{T,g}$.

First, consider the event $\mathrm{Coll}_{T,g}$. There are at most $\binom{q}{2} \le q^2/2$ pairs of different sector numbers. Consider a pair (i, j) such that $SN_i \ne SN_j$. The probability of $(\tau_{2,i}, \tau_{3,i}, \tau_{4,i})$ and $(\tau_{2,j}, \tau_{3,j}, \tau_{4,j})$ being equal is $2^{-3l}$, because all subkeys are chosen uniformly and independently. Hence
$$\Pr[\mathrm{Coll}_{T,g}] \le \frac{q^2}{2 \cdot 2^{3l}}. \tag{13}$$

Next, we assume that the event $\overline{\mathrm{Coll}_{T,g}}$ occurs, i.e. all subkeys are different for different sector numbers. Let $p \le q$ be the total number of different sector numbers occurring among the adversary's queries. We write all these sector numbers in some order (the specific order is not important in this context): $(SN^1, \dots, SN^p)$, where the superscript denotes the sequence number in that order.

We rewrite all the values $cc_{j,1}, \dots, cc_{j,n}$ into p matrices. Each such matrix contains the values computed for queries with the same sector number. These matrices have the following form:
$$CC_t = \begin{pmatrix} cc_{k_1,1} & \cdots & cc_{k_1,n} \\ \vdots & \ddots & \vdots \\ cc_{k_{q_t},1} & \cdots & cc_{k_{q_t},n} \end{pmatrix}, \tag{14}$$
where $t \in \{1, \dots, p\}$, and $\{k_1, \dots, k_{q_t}\} \subseteq \{1, \dots, q\}$ are the numbers of the queries that contain the sector number $SN^t$, i.e. $SN_{k_1} = \dots = SN_{k_{q_t}} = SN^t$. Note that $\sum_{t=1}^{p} q_t = q$.

Now we bound the probability of a collision in the columns of the matrices (14). There are n columns in the t-th matrix, and each column contains $\binom{q_t}{2}$ pairs of elements. Therefore there are at most $n\binom{q_t}{2}$ different pairs of elements in the columns of the t-th matrix. By Lemma 4, the probability of a collision in such a pair does not exceed $(n-1)/2^l$. Therefore we have the following upper bound on the probability of a collision among such pairs:
$$\sum_{t=1}^{p} n(n-1)\binom{q_t}{2}\frac{1}{2^l} \le \sum_{t=1}^{p} \frac{n(n-1)\,q_t^2}{2 \cdot 2^l} \le \frac{n(n-1)\,q^2}{2 \cdot 2^l}.$$

The number of remaining pairs does not exceed $\binom{|R_\pi|}{2} \le |R_\pi|^2/2$. The probability of a collision in such a pair is not greater than $1/2^l$. Note that $|R_\pi| \le (n+2)q$. Hence, the probability of a collision among these pairs is less than or equal to $(n+2)^2 q^2 / (2 \cdot 2^l)$.

The probability of a collision in $R_\pi$ given $\overline{\mathrm{Coll}_{T,g}}$ is therefore bounded as follows:
$$\Pr[\mathrm{Coll}_{R_\pi} \mid \overline{\mathrm{Coll}_{T,g}}] \le \frac{1}{2}\left(\frac{n(n-1)\,q^2}{2^l} + \frac{(n+2)^2 q^2}{2^l}\right). \tag{15}$$

From (12), given (13) and (15), we have
$$\Pr[\mathrm{Coll}_{R_\pi}] \le \frac{1}{2}\left(\frac{n(n-1)\,q^2}{2^l} + \frac{(n+2)^2 q^2}{2^l} + \frac{q^2}{2^{3l}}\right).$$

A similar analysis gives the following upper bound for $\Pr[\mathrm{Coll}_{D_\pi}]$. The only difference is that we apply Lemma 5 instead of Lemma 4, and instead of the event $\mathrm{Coll}_{T,g}$ we consider the event that there is at least one pair (i, j) such that $SN_i \ne SN_j$ and $(\tau_{1,i}, \tau_{3,i}) = (\tau_{1,j}, \tau_{3,j})$:
$$\Pr[\mathrm{Coll}_{D_\pi}] \le \frac{1}{2}\left(\frac{n(n-1)\,q^2}{2^l} + \frac{(n+2)^2 q^2}{2^l} + \frac{q^2}{2^{2l}}\right).$$

Next, consider the multiset $R_{\pi'}$. It consists of at most 2q values. By Lemma 3, we have the following upper bound on the probability of a collision in this multiset:
$$\Pr[\mathrm{Coll}_{R_{\pi'}}] \le \frac{1}{2} \cdot \frac{2q(2q-1)}{2^l} < \frac{2q^2}{2^l}.$$

A similar analysis gives the same upper bound for $\Pr[\mathrm{Coll}_{D_{\pi'}}]$.

Given the above upper bounds on the summands in (11), we have
$$\begin{aligned}
\Pr[\mathrm{RND2}: bad = 1]
&\le \frac{n(n-1)\,q^2}{2^l} + \frac{(n+2)^2 q^2}{2^l} + \frac{q^2}{2 \cdot 2^{3l}} + \frac{q^2}{2 \cdot 2^{2l}} + \frac{4q^2}{2^l} \\
&\le \frac{n(n-1)\,q^2}{2^l} + \frac{(n+2)^2 q^2}{2^l} + \frac{q^2}{8 \cdot 2^{l}} + \frac{q^2}{4 \cdot 2^{l}} + \frac{4q^2}{2^l} \\
&= \frac{q^2}{2^l}\left(n(n-1) + (n+2)^2 + \frac{35}{8}\right) \le \frac{2(n+2)^2 q^2}{2^l}.
\end{aligned}$$

Hence, the advantage of an adversary that makes q queries in total has the following upper bound:
$$\mathrm{Adv}^{\text{RND-fdeCCA-sector}}_{\mathrm{XEHf}}(q) \le \frac{2(n+2)^2 q^2}{2^l}.$$

This completes the proof.