Cryptology ePrint Archive: Report 2015/851

Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing

Benoît Cogliati and Yannick Seurin

Abstract: The iterated Even-Mansour construction defines a block cipher from a tuple of public $n$-bit permutations $(P_1,\ldots,P_r)$ by alternatively xoring some $n$-bit round key $k_i$, $i=0,\ldots,r$, and applying permutation $P_i$ to the state. The \emph{tweakable} Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the $n$-bit round keys by $n$-bit strings derived from a master key \emph{and a tweak}, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a nonlinear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a $2n$-bit master key and an $n$-bit tweak which is provably secure in the Random Permutation Model up to roughly $2^{2n/3}$ adversarial queries.

Category / Keywords: secret-key cryptography / tweakable block cipher, iterated Even-Mansour cipher, key-alternating cipher, beyond-birthday-bound security

Original Publication (with major differences): IACR-ASIACRYPT-2015

Date: received 2 Sep 2015, last revised 7 Sep 2015

Contact author: benoitcogliati at hotmail fr, yannick seurin@m4x org

Available format(s): PDF | BibTeX Citation

Note: An abridged version appears in the proceedings of ASIACRYPT 2015. This is the full version.

Version: 20150907:092214 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]