Cryptology ePrint Archive: Report 2015/476

XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees

Bart Mennink

Abstract: We present XPX, a tweakable blockcipher based on a single permutation P. On input of a tweak (t_{11},t_{12},t_{21},t_{22}) in T and a message m, it outputs ciphertext c=P(m xor Delta_1) xor Delta_2, where Delta_1=t_{11}k xor t_{12}P(k) and Delta_2=t_{21}k xor t_{22}P(k). Here, the tweak space T is required to satisfy a certain set of trivial conditions (such as (0,0,0,0) not in T). We prove that XPX with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of XPX under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that XPX achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of T. For instance, if t_{12},t_{22} neq 0 and (t_{21},t_{22}) neq (0,1) for all tweaks, XPX is XOR-related-key secure. XPX generalizes Even-Mansour (EM), but also Rogaway's XEX based on EM, and various other tweakable blockciphers. As such, XPX finds a wide range of applications. We show how our results on XPX directly imply related-key security of the authenticated encryption schemes PrÝst-COPA and Minalpher, and how a straightforward adjustment to the MAC function Chaskey and to keyed Sponges makes them provably related-key secure.

Category / Keywords: secret-key cryptography / XPX, XEX, Even-Mansour, tweakable blockcipher, related-key security, Pr{\o}st, COPA, Minalpher, Chaskey, Keyed Sponges

Original Publication (with minor differences): IACR-CRYPTO-2016

Date: received 19 May 2015, last revised 30 May 2016

Contact author: bart mennink at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Version: 20160530:180704 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]