Cryptology ePrint Archive: Report 2015/363

Optimally Secure Tweakable Blockciphers

Bart Mennink

Abstract: We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and postprocessing functions can be distinguished from an ideal one with an attack complexity of about 2^{n/2}. Next, we introduce the tweakable blockcipher tilde{F}[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^{2n/3} security. Finally, we introduce tilde{F}[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond birthday bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.

Category / Keywords: secret-key cryptography / Tweakable blockcipher, Liskov-Rivest-Wagner, optimal security, beyond birthday bound

Original Publication (with minor differences): IACR-FSE-2015

Date: received 21 Apr 2015, last revised 21 Oct 2015

Contact author: bart mennink at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Note: The article has been updated to fix an oversight in the proof.

Version: 20151021:101823 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]