Cryptology ePrint Archive: Report 2014/831
Tweaks and Keys for Block Ciphers: the TWEAKEY Framework
Jérémy Jean and Ivica Nikolić and Thomas Peyrin
Abstract: We propose the TWEAKEY framework with the goal of unifying the design of tweakable block ciphers and of block ciphers resistant to related-key attacks. Our framework is simple, extends the key-alternating construction, and allows one to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult, and thus we identify a subclass of TWEAKEY, which we name STK, that solves the size issue by the use of finite field multiplications on low Hamming weight constants. We give very efficient instances of STK, in particular a 128-bit tweak/key/state block cipher Deoxys-BC, which is the first AES-based ad-hoc tweakable block cipher. At the same time, Deoxys-BC could be seen as a secure alternative to AES-256, which is known to be insecure in the related-key model. As another member of the TWEAKEY framework, we describe Kiasu-BC, a very simple and even more efficient tweakable variation of AES-128 when the tweak size is limited to 64 bits. In addition to being efficient, our proposals, compared to previous schemes that use AES as a black box, offer security beyond the birthday bound. Deoxys-BC and Kiasu-BC represent interesting pluggable primitives for authenticated encryption schemes; for instance, OCB instantiated with Kiasu-BC runs at about 0.75 c/B on Intel Haswell. Our work can also be seen as advances on the topic of secure key schedule design for AES-like ciphers, describing several proposals in this direction.
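The STK idea in the abstract (one subtweakey per round formed from several tweakey words, each scaled by its own finite-field constant) is illustrated by the following toy schedule. It is an added example, not code from the paper or from Deoxys-BC; the cell count, field polynomial, cell permutation `H`, multipliers and round constant are assumptions chosen for illustration, and the helper functions `gf_mul`, `stk_subtweakeys`, `cancellation_rounds` and `related_pair` are hypothetical names.

```python
# Added example, not code from the paper or from Deoxys-BC: a toy STK-style
# tweakey schedule showing how distinct per-word GF(2^8) multipliers bound
# the rounds in which a tweakey difference cancels in the subtweakey.
# Assumed (not from the page): 16 byte-cells per word, AES polynomial 0x11B,
# the cell permutation H below, multipliers 1, 2, 4, a toy round constant.
AES_POLY = 0x11B
H = [1, 6, 11, 12, 5, 10, 15, 0, 9, 14, 3, 4, 13, 2, 7, 8]  # assumed permutation

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r

def stk_subtweakeys(words, rounds, alphas=(1, 2, 4)):
    """Emit one 16-byte subtweakey per round: XOR of all words plus a round
    constant, then permute each word by H and scale its cells by alpha_j."""
    state = [list(w) for w in words]
    mults = alphas[:len(state)]
    out = []
    for r in range(rounds):
        stk = [0] * 16
        for w in state:
            for i in range(16):
                stk[i] ^= w[i]
        stk[0] ^= r & 0xFF  # toy round constant; identical for a related pair
        out.append(bytes(stk))
        state = [[gf_mul(w[H[i]], a) for i in range(16)]
                 for w, a in zip(state, mults)]
    return out

def cancellation_rounds(words_a, words_b, rounds, alphas=(1, 2, 4)):
    """Rounds in which two related tweakeys yield identical subtweakeys."""
    sa = stk_subtweakeys(words_a, rounds, alphas)
    sb = stk_subtweakeys(words_b, rounds, alphas)
    return [r for r in range(rounds) if sa[r] == sb[r]]

def related_pair(deltas, cell=5):
    """Constructed pair: all-zero tweakey vs. delta_j in `cell` of word j."""
    zero = [[0] * 16 for _ in deltas]
    diff = [[0] * 16 for _ in deltas]
    for j, d in enumerate(deltas):
        diff[j][cell] = d
    return zero, diff
```

With two words scaled by (1, 2), the constructed difference pair (8, 1) cancels only in round 3 of the first 51 rounds; with three words scaled by (1, 2, 4), the pair (8, 6, 1) cancels in rounds 1 and 2 and nowhere else, since the difference in a cell is a polynomial of degree p-1 in 2^r and so has at most p-1 roots per period.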
Category / Keywords: secret-key cryptography / tweak, block cipher, key schedule, AES, authenticated encryption.
Original Publication (with major differences): IACR-ASIACRYPT-2014
Date: received 13 Oct 2014, last revised 15 Sep 2016
Contact author: thomas peyrin at gmail com
Version: 20160915:200901
Short URL: ia.cr/2014/831