**XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees**

*Bart Mennink*

**Abstract: **We present XPX, a tweakable blockcipher based on a single permutation P. On input of a tweak (t_{11},t_{12},t_{21},t_{22}) in T and a message m, it outputs ciphertext c=P(m xor Delta_1) xor Delta_2, where Delta_1=t_{11}k xor t_{12}P(k) and Delta_2=t_{21}k xor t_{22}P(k). Here, the tweak space T is required to satisfy a certain set of trivial conditions (such as (0,0,0,0) not in T). We prove that XPX with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of XPX under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that XPX achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of T. For instance, if t_{12},t_{22} neq 0 and (t_{21},t_{22}) neq (0,1) for all tweaks, XPX is XOR-related-key secure. XPX generalizes Even-Mansour (EM), but also Rogaway's XEX based on EM, and various other tweakable blockciphers. As such, XPX finds a wide range of applications. We show how our results on XPX directly imply related-key security of the authenticated encryption schemes Prøst-COPA and Minalpher, and how a straightforward adjustment to the MAC function Chaskey and to keyed Sponges makes them provably related-key secure.

**Category / Keywords: **secret-key cryptography / XPX, XEX, Even-Mansour, tweakable blockcipher, related-key security, Pr{\o}st, COPA, Minalpher, Chaskey, Keyed Sponges

**Original Publication**** (with minor differences): **IACR-CRYPTO-2016

**Date: **received 19 May 2015, last revised 30 May 2016

**Contact author: **bart mennink at esat kuleuven be

**Available format(s): **PDF | BibTeX Citation

**Version: **20160530:180704 (All versions of this report)

**Short URL: **ia.cr/2015/476

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]