Paper 2015/999

Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

Robert Granger, Philipp Jovanovic, Bart Mennink, and Samuel Neves


A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.

Note: Full version of the EUROCRYPT 2016 paper.

Available format(s)
Publication info
A major revision of an IACR publication in EUROCRYPT 2016
Tweakable Even-Mansourmaskingoptimizationdiscrete logarithmsauthenticated encryptionBLAKE2
Contact author(s)
philipp jovanovic @ epfl ch
2022-03-16: last of 4 revisions
2015-10-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Robert Granger and Philipp Jovanovic and Bart Mennink and Samuel Neves},
      title = {Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2015/999},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.