Paper 2024/2049

BBB Secure Arbitrary Length Tweak TBC from n-bit Block Ciphers

Arghya Bhattacharjee, Indian Statistical Institute, Kolkata, India, Technology Innovation Institute, Abu Dhabi, United Arab Emirates
Ritam Bhaumik, EPFL, Lausanne, Switzerland, Technology Innovation Institute, Abu Dhabi, United Arab Emirates
Nilanjan Datta, Institute for Advancing Intelligence, TCG-CREST, Kolkata, India
Avijit Dutta, Institute for Advancing Intelligence, TCG-CREST, Kolkata, India
Sougata Mandal, Institute for Advancing Intelligence, TCG-CREST, Kolkata, India, Ramakrishna Mission Vivekananda Educational and Research Institute, Belur, India
Abstract

At FSE'15, Mennink introduced two tweakable block ciphers, $\widetilde{F}[1]$ and $\widetilde{F}[2]$, both utilizing an $n$-bit tweak. It was demonstrated that $\widetilde{F}[1]$ is secure for up to $2^{2n/3}$ queries, while $\widetilde{F}[2]$ is secure for up to $2^n$ queries, assuming the underlying block cipher is an ideal cipher with $n$-bit key and $n$-bit data. Later, at ASIACRYPT'16, Wang et al. showed a birthday bound attack on Mennink's design (which was later corrected in the eprint version {\textbf eprint 2015/363}) and proposed 32 new candidates for tweakable block ciphers that are derived from $n$-bit ideal block ciphers. It was shown that all the $32$ constructions are provably secure up to $2^n$ queries. All the proposed designs by both Mennink and Wang et al. admit only $n$-bit tweaks. In FSE'23, Shen and Standaert proposed a tweakable block cipher, $\widetilde{G2}$, which uses $2n$-bit tweaks and is constructed from three $n$-bit block cipher calls, proving its security up to $n$ bits, assuming that the underlying block cipher is an ideal cipher. They have also shown that it is impossible to design a tweakable block cipher with $2n$-bit tweaks using only two $n$-bit block cipher calls while achieving security beyond the birthday bound. In this paper, we advance this research further. We show that any tweakable block cipher design with $3n$-bit tweaks based on only three block cipher calls, where at least one key is tweak-independent, is vulnerable to a birthday bound distinguishing attack. We then propose a tweakable block cipher, $\widetilde{\textsf{G}_3}^*$ that uses three block cipher calls and admits $3n$-bit tweaks, achieves security up to $O(2^{2n/3})$ queries when all three block cipher keys are tweak-dependent. Furthermore, we prove that using four ideal block cipher calls, with at least one key being tweak-dependent, is necessary and sufficient to achieve $n$-bit security for a tweakable block cipher that admits $3n$-bit tweaks. Finally, we propose a tweakable block cipher, $\widetilde{\textsf{G}_r}$, which uses $(r+1)$ block cipher calls and processes $rn$-bit tweaks, achieving security up to $O(2^n)$ queries when at least one block cipher key is tweak-dependent.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
Tweakable Block CipherOptimal SecurityBeyond Birthday BoundIdeal Cipher ModelH-Coefficient Technique
Contact author(s)
bhattacharjeearghya29 @ gmail com
bhaumik ritam @ gmail com
nilanjan datta @ tcgcrest org
avirocks dutta13 @ gmail com
sougatamandal2014 @ gmail com
History
2024-12-19: approved
2024-12-19: received
See all versions
Short URL
https://ia.cr/2024/2049
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/2049,
      author = {Arghya Bhattacharjee and Ritam Bhaumik and Nilanjan Datta and Avijit Dutta and Sougata Mandal},
      title = {{BBB} Secure Arbitrary Length Tweak {TBC} from n-bit Block Ciphers},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/2049},
      year = {2024},
      url = {https://eprint.iacr.org/2024/2049}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.