[Resource Topic] 2022/249: The Summation-Truncation Hybrid: Reusing Discarded Bits for Free

Welcome to the resource topic for 2022/249

Title:
The Summation-Truncation Hybrid: Reusing Discarded Bits for Free

Authors: Aldo Gunsing, Bart Mennink

Abstract:

A well-established PRP-to-PRF conversion design is truncation: one evaluates an n-bit pseudorandom permutation on a certain input, and truncates the result to a bits. The construction is known to achieve tight 2^{n-a/2} security. Truncation has gained popularity due to its appearance in the GCM-SIV key derivation function (ACM CCS 2015). This key derivation function makes four evaluations of AES, truncates the outputs to n/2 bits, and concatenates these to get a 2n-bit subkey. In this work, we demonstrate that truncation is wasteful. In more detail, we present the Summation-Truncation Hybrid (STH). At a high level, the construction consists of two parallel evaluations of truncation, where the truncated (n-a)-bit chunks are not discarded but rather summed together and appended to the output. We prove that STH achieves a similar security level as truncation, and thus that the n-a bits of extra output are rendered for free. In the application of GCM-SIV, the current key derivation can be used to output 3n bits of random material, or it can be reduced to three primitive evaluations. Both changes come with no security loss.
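The two constructions from the abstract side by side, as an added example that is not code from the paper or its authors. It implements plain truncation (one PRP call, a output bits) and the Summation-Truncation Hybrid (two PRP calls, n + a output bits, the discarded (n-a)-bit chunks XORed together and appended), then applies both to a GCM-SIV-style key derivation with n = 128 and a = n/2: the current four-call 2n-bit KDF, the same four calls yielding 3n bits through STH, and a three-call variant yielding 2n bits. Assumptions: the n-bit PRP is a stand-in 4-round Feistel network keyed with HMAC-SHA256 (stdlib only, so the example runs offline) rather than AES, and the KDF input layout (32-bit little-endian counter followed by a 96-bit nonce) follows RFC 8452; the key and nonce values are constructed for the demo.

```python
"""Truncation vs. Summation-Truncation Hybrid (STH), both as PRP-to-PRF constructions.

Added example, not the authors' code. The PRP is a stand-in Feistel network
(assumption), chosen so the example is self-contained; any n-bit block cipher
such as AES-128 can be substituted for prp()/prp_inverse().
"""
import hashlib
import hmac

N_BITS = 128            # block size n of the PRP (n = 128 for AES in GCM-SIV)
N_BYTES = N_BITS // 8
ROUNDS = 4

DEMO_KEY = bytes(range(16))     # constructed demo key, not a real secret
DEMO_NONCE = bytes(12)          # constructed 96-bit nonce


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(x, y))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function on n/2 bits: HMAC-SHA256 truncated to n/2 bits.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: N_BYTES // 2]


def prp(key: bytes, block: bytes) -> bytes:
    """Stand-in n-bit permutation: a 4-round Feistel network (assumption, not AES)."""
    assert len(block) == N_BYTES
    left, right = block[: N_BYTES // 2], block[N_BYTES // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def prp_inverse(key: bytes, block: bytes) -> bytes:
    """Inverse of prp(); included only to show the stand-in really is a permutation."""
    left, right = block[: N_BYTES // 2], block[N_BYTES // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def truncation(key: bytes, block: bytes, a_bits: int) -> bytes:
    """Truncation PRF: evaluate the PRP once and keep the first a bits."""
    assert a_bits % 8 == 0 and 0 < a_bits < N_BITS
    return prp(key, block)[: a_bits // 8]


def sth(key: bytes, block1: bytes, block2: bytes, a_bits: int) -> bytes:
    """Summation-Truncation Hybrid: two parallel truncations whose discarded
    (n-a)-bit chunks are summed (XOR, i.e. addition in GF(2)^{n-a}) and appended.
    Two PRP calls, n + a output bits instead of 2a."""
    assert a_bits % 8 == 0 and 0 < a_bits < N_BITS
    a_bytes = a_bits // 8
    y1, y2 = prp(key, block1), prp(key, block2)
    return y1[:a_bytes] + y2[:a_bytes] + _xor(y1[a_bytes:], y2[a_bytes:])


def _kdf_block(counter: int, nonce: bytes) -> bytes:
    # KDF input layout assumed from RFC 8452: 32-bit little-endian counter || 96-bit nonce.
    assert len(nonce) == 12
    return counter.to_bytes(4, "little") + nonce


def kdf_truncation(key: bytes, nonce: bytes) -> bytes:
    """Current GCM-SIV-style KDF: four PRP calls, each truncated to n/2 bits -> 2n bits."""
    return b"".join(truncation(key, _kdf_block(i, nonce), N_BITS // 2) for i in range(4))


def kdf_sth_extended(key: bytes, nonce: bytes) -> bytes:
    """The same four PRP calls, paired through STH -> 3n bits of subkey material."""
    half = N_BITS // 2
    return (sth(key, _kdf_block(0, nonce), _kdf_block(1, nonce), half)
            + sth(key, _kdf_block(2, nonce), _kdf_block(3, nonce), half))


def kdf_sth_reduced(key: bytes, nonce: bytes) -> bytes:
    """Only three PRP calls (one STH pair plus one truncation) -> the same 2n bits."""
    half = N_BITS // 2
    return (sth(key, _kdf_block(0, nonce), _kdf_block(1, nonce), half)
            + truncation(key, _kdf_block(2, nonce), half))


if __name__ == "__main__":
    for name, fn in (("truncation", kdf_truncation),
                     ("STH, 4 calls", kdf_sth_extended),
                     ("STH, 3 calls", kdf_sth_reduced)):
        out = fn(DEMO_KEY, DEMO_NONCE)
        print(f"{name:14s} -> {len(out) * 8} bits: {out.hex()}")
```

The point to check in the output is that STH is a strict extension of truncation: the first 2a bits of each STH pair are exactly the two truncated outputs the current KDF already produces, so the extra n-a bits change nothing about the material that was derived before and only add to it. The security claim (that those extra bits come without loss) is the paper's theorem and is not something a test can show; the stand-in Feistel PRP here is only a placeholder for a real block cipher.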

ePrint: https://eprint.iacr.org/2022/249

Talk: https://www.youtube.com/watch?v=YCUVqQVt00w

Slides: https://iacr.org/submit/files/slides/2020/crypto/crypto2020/202/slides.pdf

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.