Paper 2015/363

Optimally Secure Tweakable Blockciphers

Bart Mennink

Abstract

We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and postprocessing functions can be distinguished from an ideal one with an attack complexity of about 2^{n/2}. Next, we introduce the tweakable blockcipher tilde{F}[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^{2n/3} security. Finally, we introduce tilde{F}[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond birthday bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.

Note: The article has been updated to fix an oversight in the proof.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in FSE 2015
Keywords
Tweakable blockcipherLiskov-Rivest-Wagneroptimal securitybeyond birthday bound
Contact author(s)
bart mennink @ esat kuleuven be
History
2015-10-21: revised
2015-04-23: received
See all versions
Short URL
https://ia.cr/2015/363
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/363,
      author = {Bart Mennink},
      title = {Optimally Secure Tweakable Blockciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2015/363},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/363}},
      url = {https://eprint.iacr.org/2015/363}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.