Paper 2017/474

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Bart Mennink


Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be $2^{\sigma n/(\sigma+1)}$, where $n$ is the size of the blockcipher and $\sigma$ is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if $2^{\sigma n/(\sigma+1)}$ is the best one can get without tweak-rekeying, optimal $2^n$ provable security with tweak-rekeying is impossible.

Available format(s)
Publication info
Published by the IACR in CRYPTO 2017
Optimal securitystandard modelideal modelimpossibilitytweakable blockciphers
Contact author(s)
b mennink @ cs ru nl
2017-05-28: received
Short URL
Creative Commons Attribution


      author = {Bart Mennink},
      title = {Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security},
      howpublished = {Cryptology ePrint Archive, Paper 2017/474},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.