**Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing**

*Benoît Cogliati and Yannick Seurin*

**Abstract: **The iterated Even-Mansour construction defines a block cipher from a tuple of public $n$-bit permutations $(P_1,\ldots,P_r)$ by alternatively xoring some $n$-bit round key $k_i$, $i=0,\ldots,r$, and applying permutation $P_i$ to the state. The \emph{tweakable} Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the $n$-bit round keys by $n$-bit strings derived from a master key \emph{and a tweak}, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a nonlinear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a $2n$-bit master key and an $n$-bit tweak which is provably secure in the Random Permutation Model up to roughly $2^{2n/3}$ adversarial queries.

**Category / Keywords: **secret-key cryptography / tweakable block cipher, iterated Even-Mansour cipher, key-alternating cipher, beyond-birthday-bound security

**Original Publication**** (with major differences): **IACR-ASIACRYPT-2015

**Date: **received 2 Sep 2015, last revised 7 Sep 2015

**Contact author: **benoitcogliati at hotmail fr, yannick seurin@m4x org

**Available format(s): **PDF | BibTeX Citation

**Note: **An abridged version appears in the proceedings of ASIACRYPT 2015. This is the full version.

**Version: **20150907:092214 (All versions of this report)

**Short URL: **ia.cr/2015/851

[ Cryptology ePrint archive ]