International Association for Cryptologic Research

CryptoDB

On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing

Authors:
Benoît Cogliati, Thales DIS France SAS, Meudon, France
Jordan Ethan, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Ashwin Jha, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Soumya Kanti Saha, Indian Institute of Science, Bengaluru, India
Download:
DOI: 10.46586/tosc.v2023.i4.330-364
URL: https://tosc.iacr.org/index.php/ToSC/article/view/11292
Abstract: In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred to as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and an arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most of the existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES, etc., from a provable security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a 2n-bit uniformly random key and an n-bit tweak is secure up to 2^{2n/3} queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to O(2^{(r−α)n/r}) queries. Our proof crucially relies on the use of the coupling technique to upper-bound the statistical distance of the outputs of the TEML cipher from the uniform distribution. Our main technical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable security footing for the TWEAKEY framework, the high-level design rationale behind many popular TBCs.
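The construction the abstract analyses, written out as a toy model (this is an added illustration for this page, not the paper's own code): r public n-bit permutations P_i interleaved with r+1 subkey additions, where every subkey gamma_i(TK) is a GF(2)-linear function of the tweakey TK (key words followed by tweak words). Each gamma_i is encoded as a 0/1 row that selects which tweakey words are XORed together. The block size n = 8, the seeded random permutations standing in for the public permutations, and the concrete 4-round schedule over words (k0, k1, t) are all assumptions made for the demo; the schedule is not the class the paper characterises. The degenerate schedule at the end shows the sanity check a practitioner wants from any linear tweakey schedule: tweakey material that no round selects is dead, and two tweaks differing only in a dead word produce identical ciphertexts.

```python
# Toy r-round TEML: r public n-bit permutations P_i interleaved with r+1 subkey
# additions, each subkey gamma_i(TK) a GF(2)-linear function of the tweakey TK
# (key words followed by tweak words).  Added illustration, not the paper's code.
import random
from typing import List, Sequence

N_BITS = 8                 # toy block size (assumption; real n would be 64 or 128)
MASK = (1 << N_BITS) - 1


def random_permutation(seed: int) -> List[int]:
    """Model a public permutation P_i as a fixed, seeded random permutation."""
    rng = random.Random(seed)
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    return table


def invert(perm: Sequence[int]) -> List[int]:
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def unused_words(schedule: Sequence[Sequence[int]]) -> List[int]:
    """Tweakey word indices that no subkey row selects: dead key or tweak material."""
    return [j for j in range(len(schedule[0])) if not any(row[j] for row in schedule)]


class TEML:
    def __init__(self, schedule: Sequence[Sequence[int]], seeds=None):
        # schedule[i] is the 0/1 row of gamma_i over the tweakey words; r+1 rows.
        self.schedule = [list(row) for row in schedule]
        self.rounds = len(self.schedule) - 1
        self.n_words = len(self.schedule[0])
        seeds = range(self.rounds) if seeds is None else seeds
        self.perms = [random_permutation(s) for s in seeds]
        self.inv_perms = [invert(p) for p in self.perms]

    def subkeys(self, tweakey: Sequence[int]) -> List[int]:
        """gamma_0(TK), ..., gamma_r(TK): XOR of the words each row selects."""
        if len(tweakey) != self.n_words:
            raise ValueError("tweakey must have %d words" % self.n_words)
        out = []
        for row in self.schedule:
            v = 0
            for coeff, word in zip(row, tweakey):
                if coeff:
                    v ^= word
            out.append(v & MASK)
        return out

    def encrypt(self, key: Sequence[int], tweak: Sequence[int], x: int) -> int:
        ks = self.subkeys(list(key) + list(tweak))
        x &= MASK
        for i in range(self.rounds):
            x = self.perms[i][x ^ ks[i]]
        return x ^ ks[self.rounds]

    def decrypt(self, key: Sequence[int], tweak: Sequence[int], y: int) -> int:
        ks = self.subkeys(list(key) + list(tweak))
        y = (y & MASK) ^ ks[self.rounds]
        for i in reversed(range(self.rounds)):
            y = self.inv_perms[i][y] ^ ks[i]
        return y


# Illustrative 4-round schedule over tweakey words (k0, k1, t); row i is gamma_i.
# The n-bit tweak word is mixed into every subkey (an assumption for the demo).
SCHEDULE = [
    [1, 0, 1],   # gamma_0 = k0 ^ t
    [0, 1, 1],   # gamma_1 = k1 ^ t
    [1, 0, 1],   # gamma_2 = k0 ^ t
    [0, 1, 1],   # gamma_3 = k1 ^ t
    [1, 0, 1],   # gamma_4 = k0 ^ t
]
# Broken schedule: t is never selected, so tweaks differing only in t collide.
DEGENERATE_SCHEDULE = [[1, 0, 0], [0, 1, 0], [1, 0, 0], [0, 1, 0], [1, 0, 0]]


def roundtrip_ok(cipher: TEML, key: Sequence[int], tweak: Sequence[int]) -> bool:
    """Decryption inverts encryption over the whole n-bit domain."""
    return all(cipher.decrypt(key, tweak, cipher.encrypt(key, tweak, x)) == x
               for x in range(1 << N_BITS))


def schedule_is_linear(cipher: TEML, tk_a: Sequence[int], tk_b: Sequence[int]) -> bool:
    """gamma(TK_a ^ TK_b) == gamma(TK_a) ^ gamma(TK_b): the tweakey mixing is linear."""
    lhs = cipher.subkeys([a ^ b for a, b in zip(tk_a, tk_b)])
    rhs = [a ^ b for a, b in zip(cipher.subkeys(tk_a), cipher.subkeys(tk_b))]
    return lhs == rhs


if __name__ == "__main__":
    cipher = TEML(SCHEDULE)
    key, tweak = [0x3C, 0xA5], [0x5A]
    print("roundtrip:", roundtrip_ok(cipher, key, tweak))
    print("linear schedule:", schedule_is_linear(cipher, [1, 2, 3], [0xF0, 0x0F, 0xAA]))
    print("dead words in degenerate schedule:", unused_words(DEGENERATE_SCHEDULE))
```

The model deliberately separates the two design decisions the paper studies: the public permutations (here seeded random tables, standing in for the unkeyed round functions) and the linear schedule that decides how much tweakey material enters each round. Swapping in a different 0/1 matrix changes how many rounds it takes to absorb all the tweakey words, which is exactly the quantity the abstract's schedule-class result is about; the code makes no claim about which matrices belong to that class.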
BibTeX
@article{tosc-2023-33692,
  title={On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2023},
  number={4},
  pages={330-364},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/11292},
  doi={10.46586/tosc.v2023.i4.330-364},
  author={Benoît Cogliati and Jordan Ethan and Ashwin Jha and Soumya Kanti Saha},
  year=2023
}