Small Stretch Problem of the DCT Scheme and How to Fix It

Yuchao Chen; Tingting Guo; Lei Hu; Lina Shang; Shuping Mao; Peng Wang

doi:10.46586/tosc.v2024.i1.114-134

IACR Transactions on Symmetric Cryptology (Mar 2024)

Small Stretch Problem of the DCT Scheme and How to Fix It

Yuchao Chen,
Tingting Guo,
Lei Hu,
Lina Shang,
Shuping Mao,
Peng Wang

Affiliations

Yuchao Chen: School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
Tingting Guo: Research Center for Data Hub and Security, Zhejiang lab, Hangzhou, China
Lei Hu: Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Lina Shang: Space Star Technology Co., Ltd., Beijing, China
Shuping Mao: Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Peng Wang: School of Cryptology, University of Chinese Academy of Sciences, Beijing, China

DOI: https://doi.org/10.46586/tosc.v2024.i1.114-134
Journal volume & issue: Vol. 2024, no. 1

Abstract

Read online

DCT is a beyond-birthday-bound (BBB) deterministic authenticated encryption (DAE) mode proposed by Forler et al. in ACISP 2016, ensuring integrity by redundancy. The instantiation of DCT employs the BRW polynomial, which is more efficient than the usual polynomial in GCM by reducing half of the multiplication operations. However, we show that DCT suffers from a small stretch problem similar to GCM. When the stretch length τ is small, choosing a special m-block message, we can reduce the number of queries required by a successful forgery to O(2τ/m). We emphasize that this attack efficiently balances space and time complexity but does not contradict the security bounds of DCT. Finally, we propose an improved scheme named Robust DCT (RDCT) with a minor change to DCT, which improves the security when τ is small and makes it resist the above attack.

Published in IACR Transactions on Symmetric Cryptology

ISSN: 2519-173X (Online)
Publisher: Ruhr-Universität Bochum
Country of publisher: Germany
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Electronics: Computer engineering. Computer hardware
Website: https://tosc.iacr.org

About the journal

Abstract

Keywords