Paper 2015/363

Optimally Secure Tweakable Blockciphers

Bart Mennink


We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and postprocessing functions can be distinguished from an ideal one with an attack complexity of about 2^{n/2}. Next, we introduce the tweakable blockcipher tilde{F}[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^{2n/3} security. Finally, we introduce tilde{F}[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond birthday bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.

Note: The article has been updated to fix an oversight in the proof.

Available format(s)
Secret-key cryptography
Publication info
A minor revision of an IACR publication in FSE 2015
Tweakable blockcipherLiskov-Rivest-Wagneroptimal securitybeyond birthday bound
Contact author(s)
bart mennink @ esat kuleuven be
2015-10-21: revised
2015-04-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Bart Mennink},
      title = {Optimally Secure Tweakable Blockciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2015/363},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.