Tweakable Blockciphers with Beyond Birthday-Bound Security
Cited by 10 (1 self)
Abstract. Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO’02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and requires per-invocation blockcipher rekeying. This paper gives the first TBC construction that simultaneously allows for arbitrarily “wide” tweaks, does not rekey, and delivers provable security beyond the birthday bound. Our construction is built from a blockcipher and an ε-AXU2 hash function. As an application of the TBC primitive, LRW suggest the TBC-MAC construction (similar to CBC-MAC but chaining through the tweak), but leave open the question of its security. We close this question, both for TBC-MAC as a PRF and a MAC. Along the way, we find a nonce-based variant of TBC-MAC that has a tight reduction to the security of the underlying TBC, and also displays graceful security degradation when nonces are misused. This result is interesting on its own, but it also serves as an application of our new TBC construction, ultimately giving a variable input-length PRF with beyond birthday-bound security.
Optimally Secure Tweakable Blockciphers
Fast Software Encryption (FSE 2015), volume 9054 of LNCS, 2015
Cited by 4 (1 self)
Abstract. We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and post-processing functions can be distinguished from an ideal one with an attack complexity of about 2^(n/2). Next, we introduce the tweakable blockcipher F̃[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^(2n/3) security. Finally, we introduce F̃[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond birthday bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.
XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. Cryptology ePrint Archive
Cited by 2 (1 self)
Abstract. We present XPX, a tweakable blockcipher based on a single permutation P. On input of a tweak (t11, t12, t21, t22) ∈ T and a message m, it outputs ciphertext c = P(m ⊕ ∆1) ⊕ ∆2, where ∆1 = t11 k ⊕ t12 P(k) and ∆2 = t21 k ⊕ t22 P(k). Here, the tweak space T is required to satisfy a certain set of trivial conditions (such as (0, 0, 0, 0) ∉ T). We prove that XPX with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of XPX under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that XPX achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of T. For instance, if t12, t22 ≠ 0 and (t21, t22) ≠ (0, 1) for all tweaks, XPX is XOR-related-key secure. XPX generalizes Even-Mansour (EM), but also Rogaway’s XEX based on EM, and tweakable EM used in Minalpher. As such, XPX finds a wide range of applications. We show how our results on XPX directly imply related-key security of the authenticated encryption schemes Prøst-COPA and Minalpher, and how a straightforward adjustment to the MAC function Chaskey and to keyed Sponges makes them provably related-key secure.
Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing
, 2015
Cited by 1 (0 self)
Abstract. The iterated Even-Mansour construction defines a block cipher from a tuple of public n-bit permutations (P1, ..., Pr) by alternately XORing some n-bit round key ki, i = 0, ..., r, and applying permutation Pi to the state. The tweakable Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the n-bit round keys by n-bit strings derived from a master key and a tweak, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a nonlinear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a 2n-bit master key and an n-bit tweak which is provably secure in the Random Permutation Model up to roughly 2^(2n/3) adversarial queries.
unknown title
, 2015
Abstract. We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterated Even-Mansour construction (which turns a tuple of public permutations into a traditional block cipher) that has received considerable attention since the work of Bogdanov et al. (EUROCRYPT 2012). More concretely, we introduce the (one-round) tweakable Even-Mansour (TEM) cipher, constructed from a single n-bit permutation P and a uniform and almost XOR-universal family of hash functions (Hk) from some tweak space to {0, 1}^n, and defined as (k, t, x) ↦ Hk(t) ⊕ P(Hk(t) ⊕ x), where k is the key, t is the tweak, and x is the n-bit message, as well as its generalization obtained by cascading r independently keyed rounds of this construction. Our main result is a security bound up to approximately 2^(2n/3) adversarial queries against adaptive chosen-plaintext and ciphertext distinguishers for the two-round TEM construction, using Patarin’s H-coefficients technique. We also provide an analysis based on the coupling technique showing that asymptotically, as the number of rounds r grows, the security provided by the r-round TEM construction approaches the information-theoretic bound of 2^n adversarial queries.