Paper 2023/1272

Tight Security of TNT and Beyond: Attacks, Proofs and Possibilities for the Cascaded LRW Paradigm

Ashwin Jha, Ruhr-Universität Bochum, Bochum, Germany, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Mustafa Khairallah, Seagate Research Group, Singapore, Singapore, Lund University, Lund, Sweden
Mridul Nandi, Indian Statistical Institute, Kolkata, India
Abishanka Saha, Indian Statistical Institute, Kolkata, India

Liskov, Rivest and Wagner laid the theoretical foundations for tweakable block ciphers (TBC). In a seminal paper, they proposed two (up to) birthday-bound secure design strategies --- LRW1 and LRW2 --- to convert any block cipher into a TBC. Several of the follow-up works consider cascading of LRW-type TBCs to construct beyond-the-birthday bound (BBB) secure TBCs. Landecker et al. demonstrated that just two-round cascading of LRW2 can already give a BBB security. Bao et al. undertook a similar exercise in context of LRW1 with TNT --- a three-round cascading of LRW1 --- that has been shown to achieve BBB security as well. In this paper, we present a CCA distinguisher on TNT that achieves a non-negligible advantage with $ O(2^{n/2}) $ queries, directly contradicting the security claims made by the designers. We provide a rigorous and complete advantage calculation coupled with experimental verification that further support our claim. Next, we provide new and simple proofs of birthday-bound CCA security for both TNT and its single-key variant, which confirm the tightness of our attack. Furthering on to a more positive note, we show that adding just one more block cipher call, referred as 4-LRW1, does not just re-establish the BBB security, but also amplifies it up to $ 2^{3n/4} $ queries. As a side-effect of this endeavour, we propose a new abstraction of the cascaded LRW-design philosophy, referred to as the LRW+ paradigm, comprising two block cipher calls sandwiched between a pair of tweakable universal hashes. This helps us to provide a modular proof covering all cascaded LRW constructions with at least $ 2 $ rounds, including 4-LRW1, and its more established relative, the well-known CLRW2, or more aptly, 2-LRW2.

Note: An abridged version of this article appears in IACR-EUROCRYPT 2024. This article is an amalgamation and extension of prior work of the same authors. Concretely, it combines and significantly extends the contents of IACR ePrint articles 2023/1212 (by Khairallah), and 2023/1233 (by Jha, Nandi, and Saha) that appeared in August 2023 on closely related topics into a single edited document. This article should be seen as a successor of both these IACR ePrint articles.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2024
TNTLRW1LRW2CLRW2birthday-bound attack
Contact author(s)
letterstoashwin @ gmail com
khairallah @ ieee org
mridul nandi @ gmail com
sahaa 1993 @ gmail com
2024-04-25: last of 5 revisions
2023-08-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ashwin Jha and Mustafa Khairallah and Mridul Nandi and Abishanka Saha},
      title = {Tight Security of TNT and Beyond: Attacks, Proofs and Possibilities for the Cascaded LRW Paradigm},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1272},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.