Paper 2020/1076

Minimizing the Two-Round Tweakable Even-Mansour Cipher

Avijit Dutta

Abstract

In CRYPTO 2015, Cogliati et al. have proposed one-round tweakable Even-Mansour (\textsf{1-TEM}) cipher constructed out of a single $n$-bit public permutation $\pi$ and a uniform and almost XOR-universal hash function \textsf{H} as $(k,t,x)\mapsto {\mathsf{\text{H}}}_k(t)\oplus \pi ({\mathsf{\text{H}}}_k(t)\oplus x)$, where $t$ is the tweak, and $x$ is the $n$-bit message. Authors have shown that its two-round extension, which we refer to as \textsf{2-TEM}, obtained by cascading $2$-independent instances of the construction gives $2n/3$-bit security and $r$-round cascading gives $rn/r+2$-bit security. In ASIACRYPT 2015, Cogliati and Seurin have shown that four-round tweakable Even-Mansour cipher, which we refer to as \textsf{4-TEM}, constructed out of four independent $n$-bit permutations ${\pi }_1,{\pi }_2,{\pi }_3,{\pi }_4$ and two independent $n$-bit keys $k_1,k_2$, defined as $$k_1\oplus t\oplus {\pi }_4(k_2\oplus t\oplus {\pi }_3(k_1\oplus t\oplus {\pi }_2(k_2\oplus t\oplus {\pi }_1(k_1\oplus t\oplus x)))),$$ is secure upto $2^{2n/3}$ adversarial queries. In this paper, we have shown that if we replace two independent permutations of \textsf{2-TEM} (Cogliati et al., CRYPTO 2015) with a single $$-bit public permutation, then the resultant construction still guarrantees security upto $$ adversarial queries. Using the results derived therein, we also show that replacing the permutation $$ with $$ in the above equation preserves security upto $$ adversarial queries.