Paper 2025/383

Pencil: A Domain-Extended PRF with Full $n$-bit Security \\ for Strengthening GCM and More

Ritam Bhaumik, Technology Innovation Institute, Abu Dhabi, UAE
Jean Paul Degabriele, Technology Innovation Institute, Abu Dhabi, UAE
Abstract

We consider the problem of constructing efficient pseudorandom functions with Beyond-Birthday-Bound (BBB) security from blockciphers. More specifically, we are interested in variable-output-length pseudorandom functions (PRF) whose domain is twice that of the underlying blockcipher. We present two such constructions, $\textsf{Pencil}$ and $\sharp\textsf{Pencil}$, which provide weak PRF and full PRF security, respectively, where both achieve full $n$-bit security. While several recent works have focused on constructing BBB PRFs from blockciphers, much less attention has been given to weak PRF constructions which can potentially be constructed more efficiently and still serve as a useful primitive. Another understudied problem in this domain, is that of extending the domain of a BBB PRF, which turns out to be rather challenging. Besides being of theoretical interest in itself, this is also a very practical problem. Often, the input to the BBB PRF is a nonce, but random nonces are much easier to handle in practice as they do not require maintaining state---which can be very cumbersome in distributed systems and encrypted cloud storage. Accordingly, in order to maintain a BBB security bound, one requires random nonces of size between $1.5n$ and $2n$ bits long and corresponding BBB (weak) PRF constructions that admit matching input sizes. NIST has recently announced a pre-draft call for comments to standardise AEAD schemes that can encrypt larger amounts of data and admit larger nonces. The call lists two approaches. The first is to define an analogue of GCM using a 256-bit blockcipher, and the second is based on a recent proposal by Gueron, to extend GCM with a key derivation function (KDF) called DNDK to increase its security. In essence, DNDK is a BBB-secure expanding weak pseudorandom function with a domain size of 192 bits that is realised from AES. Our work makes relevant contributions to this domain in two important ways. Firstly, an immediate consequence of our work is that one can construct a GCM analogue with BBB security from $\sharp\textsf{Pencil}$, without resorting to a 256-bit blockcipher. Our second contribution is that $\sharp\textsf{Pencil}$ can be used as a KDF in combination with GCM in an analogous manner to DNDK-GCM. However, $\sharp\textsf{Pencil}$ being a full PRF as opposed to DNDK which is only a weak PRF, allows one to prove the KDF-GCM composition secure as an AEAD scheme. Finally, when contrasting $\textsf{Pencil}$ and DNDK as weak PRFs with comparable parameters, our construction requires only half the blockcipher calls.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
BBB PRFDNDK-GCMNonce DoublingKeystream GenerationPencil
Contact author(s)
bhaumik ritam @ gmail com
jeanpaul degabriele @ tii ae
History
2025-03-04: approved
2025-02-28: received
See all versions
Short URL
https://ia.cr/2025/383
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX 

@misc{cryptoeprint:2025/383,
      author = {Ritam Bhaumik and Jean Paul Degabriele},
      title = {Pencil: A Domain-Extended {PRF} with Full $n$-bit Security \\ for Strengthening {GCM} and More},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/383},
      year = {2025},
      url = {https://eprint.iacr.org/2025/383}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.