On the optimality of non-linear computations for symmetric key primitives

Article Type

Research Article

Publication Title

Journal of Mathematical Cryptology


A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with ℓ block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate ℓ′ block outputs and show that at least (ℓ + ℓ′ - 1) block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to ℓ′ blocks only. If ℓ = ℓ′, in order to achieve SPRP security, the mode requires at least 2ℓ many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least 2r - 1 many and overall at least 2rℓ - 1 many block-functions for ℓ many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least 2r non-linear blockfunctions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least ℓ many block-function invocations to process an ℓ block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than ℓ or (ii) the number of extra non-linear block-functions required to generate the tag depends on ℓ.

First Page


Last Page




Publication Date



All Open Access, Hybrid Gold

This document is currently not available here.