1 Introduction

A blockcipher \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) is a family of permutations on \(\mathcal {M}\) indexed by a key \(k\in \mathcal {K}\). Tweakable blockciphers generalize over the classical ones by the additional input of a tweak. More detailed, a tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) satisfies the property that for every key \(k\in \mathcal {K}\) and tweak \(t\in \mathcal {T}\), \(\widetilde{E}(k,t,\cdot )\) is a permutation on \(\mathcal {M}\). The key is usually secret, but the tweak is a parameter that is known or even chosen by the user. In 2002, Liskov, Rivest, and Wagner [36] formalized the principle of tweakable blockciphers, and they have gained broad attention since then.

A well-established way of designing a tweakable blockcipher is by building it on top of a conventional blockcipher \(E:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\), such as AES (other approaches will be discussed in Sect. 1.3). In their seminal work, Liskov et al. proposed two such constructions:

$$\begin{aligned} \mathsf {LRW1}(k,t,m)&= E(k,E(k,m)\oplus t)\,,\end{aligned}$$
(1)
$$\begin{aligned} \mathsf {LRW2}([k,h],t,m)&= E(k,m\oplus h(t))\oplus h(t)\,, \end{aligned}$$
(2)

where for the latter scheme, h is a universal hash function taken from a family of hash functions H. Related to \(\mathsf {LRW2}\) is Rogaway’s \(\mathsf {XEX}\) [50] and its generalizations by Chakraborty and Sarkar [15] and Minematsu [42]: these constructions replace the masking h(t) by a tweaking function based on \(E(k,\cdot )\), and therewith eliminate the use of h. All of these constructions, however, only achieve birthday bound \(2^{n/2}\) security.

1.1 Quest for Beyond Birthday Bound Security

Various attempts have been made to achieve security beyond the birthday bound, and we identify two approaches: non-tweak-rekeyable schemes and tweak-rekeyable schemes. In a non-tweak-rekeyable scheme, the key inputs to the underlying blockciphers are independent of the tweak, while in a tweak-rekeyable scheme, the tweak value may have an influence on the key input to the underlying blockcipher.

In the direction of non-tweak-rekeyable schemes, the state of the art centers around the security of \(\sigma \ge 1\) round \(\mathsf {LRW2}\):

$$\begin{aligned} \mathsf {LRW2}[\sigma ]([\underline{k},\underline{h}],t,m) = \mathsf {LRW2}([k_\sigma ,h_\sigma ],t,\cdots \mathsf {LRW2}([k_1,h_1],t,m)\cdots )\,, \end{aligned}$$

where \(\underline{k}=(k_1,\ldots ,k_\sigma )\) are blockcipher keys and \(\underline{h}=(h_1,\ldots ,h_\sigma )\) instantiations of a universal hash function family H. Landecker et al. [35] and Procter [48] showed that this construction achieves approximately \(2^{2n/3}\) security for two rounds, and Lampe and Seurin [34] proved security up to about \(2^{\sigma n/(\sigma +2)}\) for an arbitrary even number of rounds. It is conjectured that this scheme achieves \(2^{\sigma n/(\sigma +1)}\) security for any \(\sigma \ge 1\) [34].

Tweak-rekeyable schemes, on the other hand, tend to achieve higher levels of security more easily, but require a different model. Minematsu [43] introduced the following scheme:

$$\begin{aligned} \mathsf {Min}(k,t,m) = E(E(k,t\Vert 0^{n-\ell _t}),m)\,, \end{aligned}$$
(3)

where \(\ell _t\) denotes the length of the tweak, and proved that it achieves security up to \(\max \{2^{n/2},2^{n-\ell _t}\}\). It is straightforward to derive an attack on \(\mathsf {Min}\) matching this bound. Note that the scheme only achieves beyond birthday bound security if \(\ell _t<n/2\). The tweak size can be elegantly extended using the XTX construction of Minematsu and Iwata [45] at the cost of an extra universal hash function evaluation.

Mennink [38] introduced two constructions based on one, resp. two, blockcipher calls (for \(\mathsf {Men2}\) we use the adjusted function from the full version [39], see also Sect. 5.2):

$$\begin{aligned} \mathsf {Men1}(k,t,m)&= E(k\oplus t,m\oplus z)\oplus z\text {, where }z=k\otimes t\,,\end{aligned}$$
(4)
$$\begin{aligned} \mathsf {Men2}(k,t,m)&= E(k\oplus t,m\oplus z)\oplus z\text {, where }z=E(2k,t)\,. \end{aligned}$$
(5)

The former is proven secure up to about \(2^{2n/3}\) queries, the latter approximately optimally \(2^n\) secure. Wang et al. [56] generalized the approach of Mennink and derived a wide class of optimally secure schemes. However, on the downside, these constructions are all analyzed in the ideal cipher model, meaning that the underlying blockcipher is assumed to be perfectly random.
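Constructions (1) to (5) and the cascade \(\mathsf {LRW2}[\sigma ]\) of Sect. 1.1, instantiated in Python as an added example that is not code from the paper or its authors. Everything beyond the construction formulas is an assumption made here for illustration: a 16-bit Feistel toy cipher stands in for \(E\), the universal hash family is \(h_a(t)=a\otimes t\) over \(\mathrm {GF}(2^{16})\) with an assumed reduction polynomial, and the helper `is_tweakable_permutation` checks the defining property that \(\widetilde{E}(k,t,\cdot )\) is a permutation for fixed key and tweak. The toy sizes are far too small for any real use; they only make the structure concrete, in particular that \(\mathsf {Min}\) and \(\mathsf {Men2}\) feed a tweak-dependent value into the key input of \(E\) (tweak-rekeying) while \(\mathsf {LRW1}\) and \(\mathsf {LRW2}\) never do.

```python
"""Toy instantiations of LRW1, LRW2, LRW2[sigma], Min, Men1 and Men2 (eqs. (1)-(5)).
Added example, not code from the paper: the 16-bit Feistel cipher E, the hash family
h_a(t) = a (x) t over GF(2^16) and the reduction polynomial are assumptions."""
import random

N = 16                    # block and key length n in bits (toy parameter)
MASK = (1 << N) - 1
POLY = 0x1002D            # x^16 + x^5 + x^3 + x^2 + 1 (assumed irreducible)

def gf_mul(a, b):
    """Multiplication in GF(2^16): k (x) t in Men1, 2k in Men2, h_a(t) in LRW2."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a >> N:        # degree reached 16: reduce modulo POLY
            a ^= POLY
    return acc & MASK

def _f(x, k, i):
    """Round-i function with the key schedule folded in; need not be invertible."""
    rot = (5 * i) % N
    rk = (((k >> rot) | (k << (N - rot))) & 0xFF) ^ ((0x9E * (i + 1)) & 0xFF)
    v = (x ^ rk) & 0xFF
    v = (v * v + 0x63 * v + 0x1F) & 0xFF
    return ((v << 3) | (v >> 5)) & 0xFF

def E(k, m):
    """Toy blockcipher E(k, m): 8-round Feistel network on 16-bit blocks."""
    l, r = m >> 8, m & 0xFF
    for i in range(8):
        l, r = r, l ^ _f(r, k, i)
    return (l << 8) | r

def E_inv(k, c):
    l, r = c >> 8, c & 0xFF
    for i in reversed(range(8)):
        l, r = r ^ _f(l, k, i), l
    return (l << 8) | r

# (1) LRW1(k, t, m) = E(k, E(k, m) xor t): the tweak never touches the key input
def lrw1(k, t, m):
    return E(k, E(k, m) ^ t)

def lrw1_inv(k, t, c):
    return E_inv(k, E_inv(k, c) ^ t)

# (2) LRW2([k, h], t, m) = E(k, m xor h(t)) xor h(t) with h = h_a: t -> a (x) t
def lrw2(k, a, t, m):
    z = gf_mul(a, t)
    return E(k, m ^ z) ^ z

def lrw2_inv(k, a, t, c):
    z = gf_mul(a, t)
    return E_inv(k, c ^ z) ^ z

# LRW2[sigma]: sigma rounds of LRW2 under independent keys ks and hash keys hs
def lrw2_cascade(ks, hs, t, m):
    for k, a in zip(ks, hs):
        m = lrw2(k, a, t, m)
    return m

# (3) Min(k, t, m) = E(E(k, t || 0^{n-l_t}), m): the l_t-bit tweak derives a subkey
def min_tbc(k, t, m, ell_t):
    return E(E(k, (t << (N - ell_t)) & MASK), m)

def min_tbc_inv(k, t, c, ell_t):
    return E_inv(E(k, (t << (N - ell_t)) & MASK), c)

# (4) Men1(k, t, m) = E(k xor t, m xor z) xor z with z = k (x) t
def men1(k, t, m):
    z = gf_mul(k, t)
    return E(k ^ t, m ^ z) ^ z

def men1_inv(k, t, c):
    z = gf_mul(k, t)
    return E_inv(k ^ t, c ^ z) ^ z

# (5) Men2(k, t, m) = E(k xor t, m xor z) xor z with z = E(2k, t)
def men2(k, t, m):
    z = E(gf_mul(2, k), t)
    return E(k ^ t, m ^ z) ^ z

def men2_inv(k, t, c):
    z = E(gf_mul(2, k), t)
    return E_inv(k ^ t, c ^ z) ^ z

def is_tweakable_permutation(enc, dec=None, samples=2048):
    """enc/dec with (k, t) fixed: outputs distinct on a random message sample and,
    if dec is given, dec inverts enc. Returns True when the check passes."""
    seen, rng = set(), random.Random(1)
    for m in rng.sample(range(1 << N), samples):
        c = enc(m)
        if c in seen or (dec is not None and dec(c) != m):
            return False
        seen.add(c)
    return True
```

With \(n=16\) the permutation check stays cheap; replacing the toy cipher by a real 128-bit one only changes `N`, `POLY` and the bodies of `E` and `E_inv`, the construction functions are unchanged.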

1.2 Optimal Security in Standard Model?

The usage of the ideal cipher model for tweakable blockciphers (and for symmetric-key schemes in general) can be considered controversial: the model is significantly stronger and allows for better security bounds, as evidenced by Mennink’s and Wang et al.’s constructions. In this work, we investigate the distinction between the standard and ideal model for the case of tweakable blockciphers, and show the existence of an insuperable gap: whereas in the ideal model optimal security is possible fairly efficiently, we prove under reasonable assumptions that this cannot be achieved in the standard model.

Generic Standard-to-Ideal Reduction. All results on tweakable blockciphers in the standard cipher model [15, 34, 35, 36, 42, 43, 48, 50] implicitly rely on a generic standard-to-ideal reduction, where the keyed blockcipher calls are replaced with secret ideal permutations. This step usually costs \(\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D})\), where \(\mathcal {D}\) is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle \(E_{\phi (k)}\) and \(\tau \) time, and \(\varPhi \) is the set of related-key deriving functions \(\phi \) that \(\mathcal {D}\) is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1, 3, 11, 21, 28, 33, 37, 44, 50, 51] and message authentication codes [4, 13, 16, 24, 29, 30, 41, 47, 57, 58, 59]; indeed, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.

Lower bound on \(\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D})\). The generic reduction particularly means that \(\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D})\) becomes a necessary term in the derivation, and we derive a lower bound on this advantage, i.e., to quantify how large the loss is.

Pivotal to the analysis is the set of related-key deriving functions \(\varPhi \), which differs depending on the application. For instance, for \(\mathsf {LRW1}\) and \(\mathsf {LRW2}\) we would have \(\varPhi _{\mathsf {LRW}}=\{k\mapsto k\}\) and the cost of the reduction is simply the strong PRP security of \(E\). For the cascade \(\mathsf {LRW2}[\sigma ]\), we would have

$$\begin{aligned} \varPhi _{\mathsf {LRW2}[\sigma ]}=\{\underline{k}\mapsto k_i \mid i\in \{1,\ldots ,\sigma \}\}\,. \end{aligned}$$

As the \(\sigma \) keys are independent this implies a reduction loss of \(\sigma \) times the strong PRP security of \(E\) (see also [34, 35]). In both cases, it is fair to assume that the strong PRP security of \(E\) is small. The situation gets more technical for tweak-rekeyable schemes. For \(\mathsf {Min}\) and \(\mathsf {Men2}\) we would have larger sets of key-deriving functions:

$$\begin{aligned} \varPhi _{\mathsf {Min}}&=\{k\mapsto E(k,t\Vert 0^{n-\ell _t})\mid t\in \{0,1\}^{\ell _t}\}\,,\\ \varPhi _{\mathsf {Men2}}&=\varPhi _\oplus \cup \{k\mapsto 2k\}=\{k\mapsto k\oplus \delta \mid \delta \in \mathcal {K}\}\cup \{k\mapsto 2k\}\,. \end{aligned}$$

If the size of \(\varPhi \) increases, the related-key insecurity increases. In more detail, we show that for any \(\varPhi \) and any \(E\),

$$\begin{aligned} \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}) \ge \varOmega \left( \frac{\min \{q,|\varPhi |\}\cdot r}{2^n}\right) \,, \end{aligned}$$

where \(\mathcal {D}\) can make q related-key queries to \(E_{\phi (k)}\) for a random key k and has time to make r offline evaluations of \(E\). (The bound is in fact a bit more fine-grained, cf. Proposition 1, but the above simplification is adequate for a proper understanding of the result, and for \(\varPhi =\varPhi _{\mathsf {Min}}\) and \(\varPhi =\varPhi _{\mathsf {Men2}}\) the above bound matches the one of Proposition 1.)

For \(\mathsf {Min}\), this bound entails a “minimal loss” of \(\min \{q,2^{\ell _t}\}\cdot r/2^n\), a term which in hindsight perfectly explains the security level of \(\mathsf {Min}\). For \(\mathsf {Men2}\) the loss is even worse: \(q\cdot r/2^n\). (Also if the “subkey” 2k in \(\mathsf {Men2}\) is replaced by an independent key \(k'\), the same loss applies.) Concretely, this means that the usage of the generic standard-to-ideal reduction entails impossibility of beyond birthday bound security on \(\mathsf {Men2}\). Clearly, this does not invalidate the security of \(\mathsf {Men2}\): this negative result is purely due to the lossiness of the generic reduction.

This issue is in fact not new: already in 1998, Bellare et al. encountered it in their seminal paper on Luby-Rackoff backwards [8], and reverted to an analysis in the ideal cipher model. A formal treatment of the situation, however, has not been given. The issue also appeared for schemes based on primitives other than blockciphers. Most prominently, the security of the HMAC message authentication code is based on the PRF security of the underlying function [5, 6]. As recently argued by Gaži et al. [23], this standard-model approach might be too pessimistic, and [25] approached the security of HMAC in the ideal compression function model.

Generalized Impossibility. We additionally demonstrate that the issue is not specific to \(\mathsf {Men2}\), but applies to a broad spectrum of schemes. In more detail, we consider a generalized construction of a tweakable blockcipher based on a blockcipher, and show that, if the generic standard-to-ideal reduction is employed, achieving optimal standard-model security with tweak-rekeying is at least as hard as without tweak-rekeying. Given the state of the art on non-tweak-rekeyable schemes, and particularly the conjecture on \(\mathsf {LRW2}[\sigma ]\), this shines a negative light on the possibility to find a tweakable blockcipher that is secure in the standard cipher model. Note that the result does not imply that the generic standard-to-ideal reduction is unavoidable, nor that optimal security cannot be achieved, but if this reduction is employed and if the conjecture on \(\mathsf {LRW2}[\sigma ]\) is true, optimality seems impossible for this generalized class of functions. The approach followed for this impossibility result may be generalizable to different types of primitives.

Discussion. It is reasonable to question the relevance of any result in any of both models (other questions are discussed in detail in Sect. 8). It appears that, while the ideal-model results may sometimes be a bit too promising, standard-model results may be extremely loose. This is for instance the case for \(\mathsf {Men2}\), where the ideal-model results seem more representative than the standard-model ones. A similar observation was made by Shrimpton and Terashima [55], who introduce the ideal model under key-oblivious access as a weakened version of the ideal cipher model. As a general rule, it is always wise to interpret security results in any of the models with care.

1.3 Other Ways of Tweakable Blockcipher Design

We briefly elaborate on approaches to tweakable blockcipher design, other than constructing them from conventional blockciphers. One approach is to build them “from scratch,” as is done for the Hasty Pudding Cipher [53], Mercy [20], Threefish [22], and TWEAKEY [31]. This approach, however, does not allow for any reductionist security argument. Goldenberg et al. [26] and Mitsuda and Iwata [46] transformed generalized Feistel schemes into tweakable generalized Feistel schemes. These constructions only achieve birthday bound security. A novel approach is to build tweakable blockciphers from public permutations, as is done by Sasaki et al. [52], Cogliati et al. [17, 18], Granger et al. [27], and Mennink [40]. This approach achieves comparable levels of security to the non-tweak-rekeyable schemes of above, but the security analysis is inherently done in the ideal permutation model.

1.4 Outline

Our model and the security of (tweakable) blockciphers are formalized in Sect. 2. In Sect. 3 we define what we consider a reduction and what we mean by optimal security. This section also includes a formalization of the generic standard-to-ideal reduction. We derive a lower bound on the strong related-key PRP security in Sect. 4. We revisit \(\mathsf {LRW2}\) and \(\mathsf {Men2}\) using these formalizations and results in Sect. 5. In Sect. 6 we present a generalized tweakable blockcipher design, and in Sect. 7 we derive our impossibility result on the optimal security of a generalized tweakable blockcipher. We present an elaborate discussion of the results in Sect. 8.

2 Notation and Model

For a positive integer n, \(\{0,1\}^{n}\) denotes the set of bit strings of length n. If \(\mathcal {X}\) is some set, \(x\xleftarrow {{\scriptscriptstyle \$}}\mathcal {X}\) denotes the uniformly random drawing of x from \(\mathcal {X}\). The size of \(\mathcal {X}\) is denoted by \(\left| \mathcal {X}\right| \).

2.1 Blockciphers

A blockcipher \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) is a mapping such that for every key \(k\in \mathcal {K}\), \(E_k(\cdot )=E(k,\cdot )\) is a permutation on \(\mathcal {M}\). For fixed k, its inverse is denoted by \(E_k^{-1}(\cdot )\). We denote by \(\mathsf {BC}(\mathcal {K},\mathcal {M})\) the set of all such blockciphers. Letting \(\mathsf {P}(\mathcal {M})\) be the set of all permutations on \(\mathcal {M}\), the strong PRP security of \(E\) is defined as

$$\begin{aligned} \mathbf {Adv}_{E}^{\mathrm {sprp}}(\mathcal {D}) = \left| \mathbf {Pr}\left( \mathcal {D}^{E_k^{\pm }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\pi ^{\pm }} = 1 \right) \right| \,, \end{aligned}$$

where the probabilities are over \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\) and \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {P}(\mathcal {M})\), and the random coins of \(\mathcal {D}\). Distinguisher \(\mathcal {D}\) is typically bounded to have limited resources, such as \(\tau \) time and q queries to its oracle.

We will consider a generalized security notion that captures the case where a distinguisher can perform related-key attacks. We follow the theoretical framework of Bellare and Kohno [7] and its generalization to tweakable blockciphers by Cogliati and Seurin [19]. Let \(\varPhi \) be a set of permitted related-key deriving functions that map \(\mathcal {K}'\rightarrow \mathcal {K}\). Define the function \(\mathrm {rk}[E]:\mathcal {K}'\times \varPhi \times \mathcal {M}\rightarrow \mathcal {M}\) as

$$\begin{aligned} \mathrm {rk}[E](k,\phi ,m) = E(\phi (k),m)\,. \end{aligned}$$

Note that \(\mathrm {rk}[E]\) is invertible for fixed \((k,\phi )\), and the inverse is defined the straightforward way. The strong related-key PRP security of \(E\) is defined as

$$\begin{aligned} \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}) = \left| \mathbf {Pr}\left( \mathcal {D}^{\mathrm {rk}[E]_k^{\pm }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\mathrm {rk}[ rE ]_k^{\pm }} = 1 \right) \right| \,, \end{aligned}$$

where the probabilities are over \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}'\) and \( rE \xleftarrow {{\scriptscriptstyle \$}}\mathsf {BC}(\mathcal {K},\mathcal {M})\), and the random coins of \(\mathcal {D}\). Distinguisher \(\mathcal {D}\) is typically bounded to have limited resources, such as \(\tau \) time and q queries to its oracle.

Note that, for the sake of generality, the definition explicitly allows the domain \(\mathcal {K}'\) and range \(\mathcal {K}\) of the function \(\phi \) to be distinct, although in many cases one simply has \(\mathcal {K}'=\mathcal {K}\). If \(\mathcal {K}'=\mathcal {K}\) and \(\varPhi =\{k\mapsto k\}\), the definition of related-key security boils down to the classical definition: \(\mathbf {Adv}_{\{k\mapsto k\},E}^{\mathrm {srkprp}}(\mathcal {D})=\mathbf {Adv}_{E}^{\mathrm {sprp}}(\mathcal {D})\). Another famous set of related-key deriving functions is \(\varPhi _\oplus =\{k\mapsto k\oplus \delta \mid \delta \in \mathcal {K}\}\). The set may also include more involved functions, e.g., ones that internally rely on evaluations of \(E\) as well [2]. Throughout, for any set \(\varPhi \), we assume that it never contains two identical functions, and we denote by \(|\varPhi |\) the number of functions in the set.

2.2 Tweakable Blockciphers

A tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) is a mapping such that for every \(k\in \mathcal {K}\) and every tweak \(t\in \mathcal {T}\), the function \(\widetilde{E}_k(t,\cdot )=\widetilde{E}(k,t,\cdot )\) is a permutation on \(\mathcal {M}\). Like before, its inverse is denoted as \(\widetilde{E}_k^{-1}(\cdot ,\cdot )\). Let \(\widetilde{\mathsf {P}}(\mathcal {T},\mathcal {M})\) consist of all functions \(\widetilde{\pi }:\mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for all \(t\in \mathcal {T}\), \(\widetilde{\pi }(t,\cdot )\in \mathsf {P}(\mathcal {M})\). We define the standard-model strong tweakable-PRP security of \(\widetilde{E}\) as

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D}) = \left| \mathbf {Pr}\left( \mathcal {D}^{\widetilde{E}_k^{\pm }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\widetilde{\pi }^{\pm }} = 1 \right) \right| \,, \end{aligned}$$

where probabilities are over \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\) and \(\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {P}}(\mathcal {T},\mathcal {M})\), and the random coins of \(\mathcal {D}\). As before, \(\mathcal {D}\) is typically bounded to operate in \(\tau \) time and q queries to its oracle.

This definition applies to an arbitrary tweakable cipher \(\widetilde{E}\). The q queries are solely made to \(\widetilde{E}_k^{\pm }\) or \(\widetilde{\pi }^{\pm }\), and the time \(\tau \) can be spent at the distinguisher’s discretion. Suppose \(\widetilde{E}\) uses a blockcipher \(E\) as underlying primitive. If we denote by \(\tau _E\) the uniform time needed for one evaluation of \(E\), the distinguisher can evaluate this underlying cipher at most \(r:=\tau /\tau _E\) times. Assuming this blockcipher \(E\) does not show underlying weaknesses, we can consider an abstraction of the model and consider the distinguisher to be information-theoretic and to have query access to \(E\) and \(\widetilde{E}_k^{\pm }\). The approach is also known as the ideal model [9, 14, 54]. More formally, we define the ideal-model strong tweakable-PRP security of \(\widetilde{E}\) based on \(E\) as

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}) = \left| \mathbf {Pr}\left( \mathcal {D}^{\widetilde{E}_k^{\pm },E^{\pm }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\widetilde{\pi }^{\pm },E^{\pm }} = 1 \right) \right| \,, \end{aligned}$$

where the probabilities are over \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\), \(E\xleftarrow {{\scriptscriptstyle \$}}\mathsf {BC}(\mathcal {K},\mathcal {M})\), and \(\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {P}}(\mathcal {T},\mathcal {M})\), and the random coins of \(\mathcal {D}\). Distinguisher \(\mathcal {D}\) is typically bounded to make q queries to its first (construction) oracle and r queries to its second (primitive) oracle.

3 Formalization of Reduction and Optimality

Formalization of Reduction. In order to formally argue about reductionist security of tweakable blockciphers to classical blockciphers, we first settle our definition of a reductionist proof.

Definition 1

Let \(\widetilde{E}\) be a tweakable blockcipher that internally uses a dedicated blockcipher \(E\). We say that the strong tweakable-PRP security of \(\widetilde{E}\) reduces to the strong related-key PRP security of \(E\) if for any \(\mathrm {s\text {-}\widetilde{sprp}}\) distinguisher \(\mathcal {D}\) there exists an \(\mathrm {rk\text {-}sprp}\) distinguisher \(\mathcal {D}'\) with comparable resources such that

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D}) \le \delta \cdot \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \varepsilon \,, \end{aligned}$$

where \(\varPhi \) is some set of related-key deriving functions depending on the design of \(\widetilde{E}\), \(\delta \) a small constant, and \(\varepsilon \) is a term negligible in the security parameter of \(\widetilde{E}\).

All existing standard-model security proofs on tweakable blockciphers from classical blockciphers [15, 34, 35, 36, 42, 43, 48, 50] derive a reductionist bound of the form of Definition 1. Even stronger, all of these results implicitly rely on a generic standard-to-ideal reduction, which we formalize in the lemma below.

Lemma 1

(Generic Standard-to-Ideal Reduction). Let \(\widetilde{E}\) be a tweakable blockcipher that internally uses a dedicated blockcipher \(E\). Assume that \(\widetilde{E}\) makes \(\rho \) calls to its underlying \(E\) and let \(\varPhi \) denote the set of all related-key deriving functions under which \(E\) is evaluated. For any \(\mathrm {s\text {-}\widetilde{sprp}}\) distinguisher \(\mathcal {D}\),

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D}) \le \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\,, \end{aligned}$$

where \(\mathcal {D}'\) is a distinguisher making at most \(\rho \cdot q\) queries and running in time \(\tau \), and \(\mathcal {D}''\) is an information-theoretic distinguisher making at most q queries to its construction oracle and 0 queries to its primitive oracle.

Proof

The proof follows a simple hybrid argument: first replace the underlying blockcipher evaluations by a random blockcipher \( rE \xleftarrow {{\scriptscriptstyle \$}}\mathsf {BC}(\mathcal {K},\mathcal {M})\). This step costs us \(\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')\). For the remaining analysis of \(\mathbf {Adv}_{\widetilde{E}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D})\) with \(E\) replaced with secret \( rE \): the distinguisher has no access to \(\mathrm {rk}[ rE ]_k\) as it knows neither k nor \( rE \). Therefore, we can safely assume it has unbounded computational power, and transform it to an information-theoretic adversary that is not allowed to query the underlying primitive. Hence, we obtain the term \(\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\) where \(\mathcal {D}''\) has resources (q, 0).    \(\square \)

We remark that in Definition 1 and Lemma 1, the set of related-key deriving functions \(\varPhi \) depends on the tweakable blockcipher. In many cases, \(\varPhi \) just consists of the identity function, \(\varPhi =\{k\mapsto k\}\), in which case the related-key security boils down to the classical strong PRP security. This is for example the case for \(\mathsf {LRW1}\) and \(\mathsf {LRW2}\), cf. Theorem 1 in Sect. 5. An example of a more elaborate set of key-deriving functions is \(\varPhi _\oplus \), cf. Theorem 3 in Sect. 5.

We furthermore remark that Lemma 1 consists of a somewhat pessimistic bounding: the distinguishers \(\mathcal {D}'\) and \(\mathcal {D}''\) are in fact constructed from \(\mathcal {D}\), and a more accurate bounding would be of the form

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D}) \le \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}'[\mathcal {D}]) + \mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}''[\mathcal {D}])\,. \end{aligned}$$

In the context of Lemma 1, one would usually maximize both sides of the inequality over all possible distinguishers \(\mathcal {D},\mathcal {D}',\mathcal {D}''\), while in the more accurate bounding one would simply maximize both sides over \(\mathcal {D}\). In other words, the bound of Lemma 1 gives a slightly more pessimistic result, but nevertheless, it exactly covers the reduction that is implicitly used in the proofs of [15, 34, 35, 36, 42, 43, 48, 50].

Beyond this list of tweakable blockcipher results, the reduction of Lemma 1 in fact finds implicit use in myriad other blockcipher based cryptographic designs, including various authenticated encryption schemes [1, 3, 11, 21, 28, 33, 37, 44, 50, 51] and message authentication codes [4, 13, 16, 24, 29, 30, 41, 47, 57, 58, 59]. We are not aware of any security result of a construction based on a standard-model blockcipher that does not follow this reduction but that uses a structurally different approach.

Optimality. We additionally define what we mean by an optimally secure \(\widetilde{E}\).

Definition 2

Let \(\widetilde{E}\) be a tweakable blockcipher that internally uses a dedicated blockcipher \(E\). We say that it is optimally standard/ideal-model secure if for any distinguisher \(\mathcal {D}\) making q queries to its construction oracle and r evaluations of the primitive (where in the standard model, \(r=\tau /\tau _E\)):

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {s/i\text {-}\widetilde{sprp}}}(\mathcal {D}) \le \frac{ const \cdot \max \{q,r\}}{\min \{|\mathcal {K}|,|\mathcal {M}|\}}\,, \end{aligned}$$

for some small constant \( const \).

The term \(r/|\mathcal {K}|\) corresponds to recovering the key for \(\widetilde{E}\); apart from that, the bound is rather arbitrary and conservative to maintain generality. We refer to Bellare and Rogaway [10, Sect. 3.6] for an informal justification of the bound. We refer to Bernstein and Lange [12] for an interesting discussion on the heuristic existence of hard-to-find attackers.

4 Lower Bound on the Strong Related-Key PRP Security

We will derive a lower bound on the strong related-key PRP security of an arbitrary blockcipher \(E\) for any set of key-deriving functions \(\varPhi \), demonstrating that it can always be distinguished from a random blockcipher up to approximately the birthday bound (apart from various technicalities). Earlier lower bounds, for instance by Bellare and Kohno [7], targeted specific sets \(\varPhi \), but it turns out that the problem gets significantly harder if an arbitrary set of key-deriving functions is considered. This is in part attributed to the fact that the lower bound would depend on certain structural properties of \(\varPhi \).

For a set of key-deriving functions \(\varPhi \) and a key \(k\in \mathcal {K}\), we write \(\varPhi (k) = \{\phi (k) \mid \phi \in \varPhi \}\). We denote by \(\mathbf {Ex}\left( |\varPhi (k)|\right) \) the expected size of the set \(\varPhi (k)\), where the randomness is taken over the choice of \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\).

Proposition 1

Consider a blockcipher \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\), and denote by \(\tau _E\) the uniform time needed for one evaluation of \(E\). Let \(\varPhi \) be a set of related-key deriving functions. There exists a distinguisher \(\mathcal {D}\) making q queries and operating in about \(\tau \) time, such that

$$\begin{aligned} \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}) \ge \max _{\varPhi '\subseteq \varPhi ,|\varPhi '|=q'}\frac{\mathbf {Ex}\left( |\varPhi '(k)|\right) \cdot r'}{2|\mathcal {K}|} - \frac{1}{|\mathcal {M}|-1}\,, \end{aligned}$$

where \(q'=\min \{q-1,|\varPhi |\}\) and \(r'=\tau /\tau _E-1\), which are required to satisfy \(q'\cdot r'\le |\mathcal {K}|\).

Proof

Let \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\) be the secret key used to instantiate the distinguisher’s oracle.

Let \(\varPhi '=\{\phi _1,\ldots ,\phi _{q'}\}\subseteq \varPhi \) be any subset of \(\varPhi \) of size \(q'\). We construct distinguisher \(\mathcal {D}_{\varPhi '}\) as follows. Denote its oracle by \(\mathcal {O}_k\in \{\mathrm {rk}[E]_k,\mathrm {rk}[ rE ]_k\}\).

  (i) Fix any \(m\in \mathcal {M}\);
  (ii) Let \(\mathcal {K}'=\{l_1,\ldots ,l_{r'}\}\mathop {\subseteq }\limits ^{{\scriptscriptstyle \$}}\mathcal {K}\) be a set of randomly drawn key values;
  (iii) For \(i=1,\ldots ,q'\), query \(c_i\leftarrow \mathcal {O}_k(\phi _i,m)\);
  (iv) For \(j=1,\ldots ,r'\), evaluate \(y_j\leftarrow E(l_j,m)\);
  (v) If for some \((i,j)\) we have \(c_i=y_j\):
    • Fix any \(m'\in \mathcal {M}\backslash \{m\}\);
    • Query \(c'_i\leftarrow \mathcal {O}_k(\phi _i,m')\) and evaluate \(y'_j\leftarrow E(l_j,m')\);
    • If \(c'_i=y'_j\), return 1;
  (vi) Return 0.

It remains to bound the success probability of \(\mathcal {D}_{\varPhi '}\). Recall that

$$\begin{aligned} \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}_{\varPhi '}) \ge \mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[E]_k^{\pm }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[ rE ]_k^{\pm }} = 1 \right) \,, \end{aligned}$$
(6)

and we will analyze these probabilities separately.

Starting with the first probability of (6), if \(\phi _i(k)=l_j\) for some \((i,j)\), then we necessarily have \(c_i=y_j\) and \(c'_i=y'_j\). Therefore,

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[E]_k^{\pm }} = 1 \right)&\ge \mathbf {Pr}\left( \exists l\in \varPhi '(k)\;:\; l\in \mathcal {K}'\right) \nonumber \\&= \sum _{\mathcal {L}\subseteq \mathcal {K}} \mathbf {Pr}\left( \exists l\in \mathcal {L}\;:\; l\in \mathcal {K}' \mid \varPhi '(k)=\mathcal {L}\right) \mathbf {Pr}\left( \varPhi '(k)=\mathcal {L}\right) \,. \end{aligned}$$
(7)

Note that two independent sources of randomness are involved: the drawing of the key \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\) and the generation of random subset \(\mathcal {K}'\mathop {\subseteq }\limits ^{{\scriptscriptstyle \$}}\mathcal {K}\). We proceed with the first probability of (7) for any fixed \(\mathcal {L}\) of size at most \(q'\). Via the inclusion-exclusion principle, Bonferroni’s inequality states

$$\begin{aligned}&\; \mathbf {Pr}\left( \exists l\in \mathcal {L}\;:\; l\in \mathcal {K}' \mid \varPhi '(k)=\mathcal {L}\right) \nonumber \\ =&\; \sum _{\beta =1}^{q'} (-1)^{\beta -1}\sum _{\begin{array}{c} \mathcal {L}'\subseteq \mathcal {L}\\ |\mathcal {L}'|=\beta \end{array}} \mathbf {Pr}\left( \forall l\in \mathcal {L}'\;:\; l\in \mathcal {K}' \mid \varPhi '(k)=\mathcal {L}\right) \nonumber \\ \ge&\;\sum _{l\in \mathcal {L}} \mathbf {Pr}\left( l\in \mathcal {K}' \mid \varPhi '(k)=\mathcal {L}\right) - \sum _{\begin{array}{c} \{l,l'\}\subseteq \mathcal {L}\\ l\ne l' \end{array}} \mathbf {Pr}\left( l,l'\in \mathcal {K}' \mid \varPhi '(k)=\mathcal {L}\right) \\ =&\; \sum _{l\in \mathcal {L}} \frac{r'}{|\mathcal {K}|} - \sum _{\begin{array}{c} \{l,l'\}\subseteq \mathcal {L}\\ l\ne l' \end{array}} \frac{\binom{r'}{2}}{\binom{|\mathcal {K}|}{2}} = \frac{|\mathcal {L}|\cdot r'}{|\mathcal {K}|} - \frac{\binom{|\mathcal {L}|}{2}\binom{r'}{2}}{\binom{|\mathcal {K}|}{2}} \ge \frac{|\mathcal {L}|\cdot r'}{2|\mathcal {K}|}\,,\nonumber \end{aligned}$$
(8)

as \(q',r'\ge 1\) and \(q'\cdot r'\le |\mathcal {K}|\). This gives for (7):

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[E]_k^{\pm }} = 1 \right) \ge \sum _{\mathcal {L}\subseteq \mathcal {K}} \frac{|\mathcal {L}|\cdot r'}{2|\mathcal {K}|}\mathbf {Pr}\left( \varPhi '(k)=\mathcal {L}\right) = \frac{\mathbf {Ex}\left( |\varPhi '(k)|\right) \cdot r'}{2|\mathcal {K}|}\,. \end{aligned}$$

For the second probability of (6), focus on the indices \((i,j)\) for which the if-clause is evaluated. We have

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[ rE ]_k^{\pm }} = 1 \right) \le \mathbf {Pr}\left( c'_i=y'_j \mid c_i=y_j \right) = \frac{1}{|\mathcal {M}|-1}\,, \end{aligned}$$

using that \( rE \) is a random permutation.

We thus obtain from (6):

$$\begin{aligned} \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}_{\varPhi '}) \ge \frac{\mathbf {Ex}\left( |\varPhi '(k)|\right) \cdot r'}{2|\mathcal {K}|} - \frac{1}{|\mathcal {M}|-1}\,. \end{aligned}$$

Note that this bound holds for every choice of \(\varPhi '\). The claim of Proposition 1 is satisfied for \(\mathcal {D}=\mathcal {D}_{\varPhi ''}\), where

$$\begin{aligned} {}\varPhi '' = \mathop {\text {argmax}}\limits _{\varPhi '\subseteq \varPhi ,|\varPhi '|=q'} \mathbf {Ex}\left( |\varPhi '(k)|\right) .\quad \square \end{aligned}$$

We remark that the bounding of \(\mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[E]_k^{\pm }} = 1 \right) \) could be improved (i) by involving more terms of the inclusion-exclusion principle in (8), and (ii) for specific sets of key-deriving functions \(\varPhi \), by choosing \(\varPhi '\) and \(\mathcal {K}'\) more smartly. For instance, for \(\varPhi =\varPhi _\oplus \), the bound reads

$$\begin{aligned} \mathbf {Pr}\left( \mathcal {D}_{\varPhi '}^{\mathrm {rk}[E]_k^{\pm }} = 1 \right) \ge \frac{q'\cdot r'}{2|\mathcal {K}|}\,, \end{aligned}$$

because \(\mathbf {Ex}\left( |\varPhi '(k)|\right) =q'\) for \(\varPhi '\subseteq \varPhi _\oplus \) of size \(q'\). It is a straightforward exercise to verify that, for a smart choice of \(\varPhi '\) and \(\mathcal {K}'\), the probability can be pulled up to \(\frac{q'\cdot r'}{|\mathcal {K}|}\). Nevertheless, the bound of Proposition 1 suffices for our purposes.

We furthermore remark that the attack of Bellare and Kohno [7] for \(\varPhi =\varPhi _\oplus \cup \varPhi _+\) is better than the one resulting from Proposition 1. In fact, their attack exploits potential collisions in \(\varPhi \), rather than preimages. A generalization of Proposition 1 to cover attacks of this kind is beyond the scope of this paper. Nevertheless, we think that it is an interesting problem to derive a generalized tight attack on any \(E\) and for any \(\varPhi \), or at least a generalized attack that covers Proposition 1, the attack of Bellare and Kohno, and more.

5 Examples

We discuss two state-of-the-art examples: one from Liskov et al. [36], and one from Mennink [38].

5.1 Liskov et al.’s Scheme

In their original work [36], Liskov et al. introduced two tweakable blockcipher constructions, both achieving approximately \(2^{n/2}\) security. We consider the construction that is based on two keys: \(k\in \{0,1\}^{n}\) and h coming from a universal hash function family H (see also Fig. 1):

$$\begin{aligned} \mathsf {LRW2}([k,h],t,m)&= E(k,m\oplus z)\oplus z\text {, where }z=h(t)\,. \end{aligned}$$

Follow-up results analyzed the security of a cascade of more than one independent \(\mathsf {LRW2}\)’s [34, 35, 48]; the currently outlined example directly generalizes to these results.

Theorem 1

(Liskov et al. [36], Minematsu [42]). Let \(n\ge 1\), and let H be an \(\varepsilon \)-almost 2-XOR-universal hash function family. Let \(\mathcal {D}\) be a distinguisher making at most q construction queries and running in time \(\tau \). Then,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {LRW2}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D})&\le \mathbf {Adv}_{E}^{\mathrm {sprp}}(\mathcal {D}') + \varepsilon q^2\,, \end{aligned}$$

where \(\mathcal {D}'\) is a distinguisher making at most q queries and running in time \(\tau \).

Note that the strong tweakable-PRP security of \(\mathsf {LRW2}\) reduces to the strong PRP security of \(E\) in the terminology of Definition 1. The implicit presence of the generic standard-to-ideal reduction of Lemma 1 is obvious from the bound. The term \(\varepsilon q^2\) is the security bound for \(\mathsf {LRW2}\) if the underlying blockcipher is replaced with an ideal secret permutation \(\pi \).

Fig. 1. Tweakable blockcipher \(\mathsf {LRW2}\)

Fig. 2. Tweakable blockcipher \(\mathsf {Men2}\)

5.2 Mennink’s Scheme

Mennink [38, 39] recently introduced two tweak-rekeyable tweakable blockciphers and analyzed them in the ideal cipher model. One of the constructions is the following (see also Fig. 2):

$$\begin{aligned} \mathsf {Men2}(k,t,m)&= E(k\oplus t,m\oplus z)\oplus z\text {, where }z=E(2k,t)\,. \end{aligned}$$

Note that we have taken the adjusted scheme from the full version [39], where the masking is done with key 2k instead of k. This adjustment was introduced in order to resolve a simple oversight in the proof as pointed out by Wang et al. [56]. Mennink [39] showed that this (adjusted) scheme \(\mathsf {Men2}\) achieves approximately \(2^n\) security. We remark that Wang et al. generalized the approach to designing optimally secure tweakable blockciphers. The currently outlined example directly generalizes to the constructions of [56].

Theorem 2

(Mennink [38, 39]). Let \(n\ge 1\). Let \(\mathcal {D}\) be a distinguisher making at most q construction queries and r primitive queries. Then,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Men2}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D})&\le \frac{q+r}{2^n} + \frac{2qr}{(2^n-q)(2^n-q-r)}\,. \end{aligned}$$
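As an added worked step, not part of the original text, the verification suggested right after this theorem (that for \(\max \{q,r\}\le 2^n/4\) the bound is at most \(4\max \{q,r\}/2^n\)) can be carried through as follows. Write \(\mu =\max \{q,r\}\le 2^n/4\); then \(2^n-q\ge \frac{3}{4}2^n\) and \(2^n-q-r\ge \frac{1}{2}2^n\), so

$$\begin{aligned} \frac{q+r}{2^n} + \frac{2qr}{(2^n-q)(2^n-q-r)} &\le \frac{2\mu }{2^n} + \frac{2\mu ^2}{\frac{3}{4}2^n\cdot \frac{1}{2}2^n} = \frac{2\mu }{2^n} + \frac{16}{3}\cdot \frac{\mu }{2^n}\cdot \frac{\mu }{2^n}\\ &\le \frac{2\mu }{2^n} + \frac{16}{3}\cdot \frac{1}{4}\cdot \frac{\mu }{2^n} = \frac{10}{3}\cdot \frac{\mu }{2^n} \le \frac{4\mu }{2^n}\,, \end{aligned}$$

where the second inequality uses \(\mu /2^n\le 1/4\).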

It is easy to verify that for \(\max \{q,r\}\le 2^n/4\), the advantage can be upper bounded by \(4\max \{q,r\}/2^n\). Thus, \(\mathsf {Men2}\) is optimally ideal-model secure in terms of Definition 2. In the standard model, using the generic transformation of Lemma 1 and the definition of \(\varPhi _{\mathsf {Men2}}\) from Sect. 1,

$$\begin{aligned} \varPhi _{\mathsf {Men2}}&=\varPhi _\oplus \cup \{k\mapsto 2k\}=\{k\mapsto k\oplus \delta \mid \delta \in \mathcal {K}\}\cup \{k\mapsto 2k\}\,, \end{aligned}$$

one can obtain the following result on \(\mathsf {Men2}\):

Theorem 3

Let \(n\ge 1\). Let \(\mathcal {D}\) be a distinguisher making at most q construction queries and running in time \(\tau \). Then,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Men2}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D})&\le \mathbf {Adv}_{\varPhi _{\mathsf {Men2}},E}^{\mathrm {srkprp}}(\mathcal {D}') + \frac{q}{2^n}\,, \end{aligned}$$

where \(\mathcal {D}'\) is a distinguisher making at most 2q queries and running in time \(\tau \).

Proof

By Lemma 1, we have

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Men2}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D}) \le \mathbf {Adv}_{\varPhi _{\mathsf {Men2}},E}^{\mathrm {srkprp}}(\mathcal {D}') + \mathbf {Adv}_{\mathsf {Men2}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\,, \end{aligned}$$

where \(\mathcal {D}'\) is a distinguisher making at most 2q queries and running in time \(\tau \), and \(\mathcal {D}''\) is an information-theoretic distinguisher making at most q queries to its construction oracle and \(r=0\) queries to its primitive oracle. By Theorem 2, we have \(\mathbf {Adv}_{\mathsf {Men2}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\le \frac{q}{2^n}\).    \(\square \)

While the bound of Theorem 3 seems to improve over the one of Theorem 2, this is not the case. Indeed, by the remark after Proposition 1:

$$\begin{aligned} \mathbf {Adv}_{\varPhi _{\mathsf {Men2}},E}^{\mathrm {srkprp}}(\mathcal {D}') \ge \mathbf {Adv}_{\varPhi _\oplus ,E}^{\mathrm {srkprp}}(\mathcal {D}') \ge \frac{(2q-1)(r-1)}{|\mathcal {K}|} - \frac{1}{2^n-1} = \varOmega \left( \frac{qr}{|\mathcal {K}|}\right) \,, \end{aligned}$$

implying, contrary to what Theorem 3 seems to suggest, that \(\mathsf {Men2}\) cannot be proven optimally standard-model secure if the standard-to-ideal reduction is used. However, the attack of Proposition 1 to break the strong RK-security of \(E\) for related-key deriving functions \(\varPhi _\oplus \) does not apply to \(\mathsf {Men2}\): the inputs and outputs of \(E\) are themselves masked with a key. A way to resolve this discrepancy would be to include the maskings within the definition of related-key security, say the “strong masked related-key PRP,” but such a security notion would in fact be equivalent to the strong tweakable-PRP security of \(\mathsf {Men2}\). It would be like reducing the security of \(E=\) AES to the “AES-security” of \(E\).

We note that in case one uses \(\mathsf {Men2}\) with two independent keys, i.e., replacing 2k with independent key \(k'\), a comparable reasoning to that of Theorem 3 gives bound

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Men2}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D})&\le \mathbf {Adv}_{\varPhi _\oplus ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \mathbf {Adv}_{E}^{\mathrm {sprp}}(\mathcal {D}'') + \frac{q}{2^n}\,, \end{aligned}$$

where \(\mathcal {D}'\) and \(\mathcal {D}''\) are distinguishers making at most q queries and running in time \(\tau \). The same reasoning as before subsequently applies.

6 Generalized Tweakable Blockcipher Design

We consider a generalized tweakable blockcipher \(\widetilde{E}\) based on a classical blockcipher \(E\). It follows the generic design of valid tweakable blockciphers by Mennink [38], with two differences. First, for simplicity and sake of presentation, we separate the number of calls to \(E\) into \(\rho \) message-independent calls and \(\sigma \) message-dependent calls, where \(\rho \) and \(\sigma \) are constants independent of the security parameter n. This is without loss of generality, looking back at the formalization of [38] and the assumption that \(\widetilde{E}\) processes the data m “as a whole.” Second, we will explicitly use two different keys \(k^a\) and \(k^b\): \(k^b\) is only used in the key inputs to \(E\) and \(k^a\) is only used in the masking (and indirectly in the data inputs to \(E\)). We remark that our description is equivalent to the one of [38] if we set \(k^a=k^b\). In the generic design we consider tweaks of size n bits. The generic construction easily generalizes to arbitrarily sized tweaks, but our impossibility result of Sect. 7 assumes the tweak size to be close to n.

Formally, let \(n\ge 1\) and consider a blockcipher \(E:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). We consider a generic tweakable blockcipher \(\widetilde{E}[\rho ,\sigma ]:\{0,1\}^{2n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) based on \(\rho \ge 0\) message-independent precomputation calls to \(E\) and \(\sigma \ge 0\) message-dependent calls to \(E\) as follows (see also Fig. 3):

$$\begin{aligned}&\mathbf {procedure} \, \widetilde{E}[\rho ,\sigma ](k^a\Vert k^b,t,m)\\[-1pt]&\quad \;\; \mathbf {for}\, i=1,\ldots ,\rho \, \mathbf {do}\\[-1pt]&\quad \;\;\quad \;\; x^\mathsf {pre}_i = A^\mathsf {pre}_i(k^a,t,y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_{i-1})\\[-1pt]&\quad \;\;\quad \;\; l^\mathsf {pre}_i = B^\mathsf {pre}_i(k^b,t,y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_{i-1})\\[-1pt]&\quad \;\;\quad \;\; y^\mathsf {pre}_i = E(l^\mathsf {pre}_i,x^\mathsf {pre}_i)\\[-1pt]&\quad \;\; y_0 = m\\[-1pt]&\quad \;\; \mathbf {for} \, i=1,\ldots ,\sigma \, \mathbf {do}\\[-1pt]&\quad \;\;\quad \;\; x_i = A_i(k^a,t,y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_\rho ,y_{i-1})\\[-1pt]&\quad \;\;\quad \;\; l_i = B_i(k^b,t,y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_\rho )\\[-1pt]&\quad \;\;\quad \;\; y_i = E(l_i,x_i)\\[-1pt]&\quad \;\; \mathbf {return}\, c = A_{\sigma +1}(k^a,t,y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_\rho ,y_\sigma ) \end{aligned}$$

Fig. 3. Tweakable blockcipher \(\widetilde{E}[\rho ,\sigma ]\): precomputation of \(y^\mathsf {pre}_i\) (left) and processing of m (right). “inv.” means that the function is invertible

The functions \(A^\mathsf {pre}_i:\{0,1\}^{(i+1)n}\rightarrow \{0,1\}^{n}\) and \(A_i:\{0,1\}^{(\rho +3)n}\rightarrow \{0,1\}^{n}\) compute the data inputs to \(E\) (and are keyed via \(k^a\)), while the functions \(B^\mathsf {pre}_i:\{0,1\}^{(i+1)n}\rightarrow \{0,1\}^{n}\) and \(B_i:\{0,1\}^{(\rho +2)n}\rightarrow \{0,1\}^{n}\) compute the key inputs to \(E\) (and are keyed via \(k^b\)). To guarantee invertibility of \(\widetilde{E}\), we require that for fixed \(k^a,t,y_1^\mathsf {pre},\ldots ,y_\rho ^\mathsf {pre}\) the functions

$$\begin{aligned} A_i(k^a,t,y_1^\mathsf {pre},\ldots ,y_\rho ^\mathsf {pre},\cdot ) \end{aligned}$$

are invertible for all \(i=1,\ldots ,\sigma +1\). (This is also the reason that \(A_i\) does not get inputs \(y_0,\ldots ,y_{i-2}\).) Apart from this condition, the functions \(A_i^\mathsf {pre},B_i^\mathsf {pre},A_i,B_i\) can be any function, as long as they are sufficiently efficient. We put no limitation on how these functions process t; it may be split apart and processed by multiple functions separately.

Note that the message-independent precomputation calls can to a certain extent be reordered. Without loss of generality, there exists a \(\rho '\le \rho \) such that \(y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_{\rho '}\) are only used as inputs to \(A^\mathsf {pre}_i,B^\mathsf {pre}_i,B_i\), and that \(y^\mathsf {pre}_{\rho '+1},\ldots ,y^\mathsf {pre}_{\rho }\) are also used as inputs to \(A_i\). We define \(\rho ''=\rho -\rho '\).

6.1 Key-Uniformity

In the remainder of this work we will require a technical condition on \(\widetilde{E}\), which informally assures that \(\widetilde{E}\) does not behave structurally differently for different keys. For instance, it should not be the case that for some keys, \(l_1\) can take only one value independent of the tweak, while for other keys, it can take \(2^n\) values (one for every tweak). We will call this property “key-uniformity.” Note that the condition slightly limits the generality of the scheme, but it is quite reasonable that a scheme should behave comparably for all keys.

For brevity, view the functions \(B^\mathsf {pre}_i\) for \(i=1,\ldots ,\rho \) as mappings \((k^a,k^b,t)\mapsto l^\mathsf {pre}_i\), and the functions \(B_i\) for \(i=1,\ldots ,\sigma \) as mappings \((k^a,k^b,t)\mapsto l_i\). Note that, indeed, \((y^\mathsf {pre}_1,\ldots ,y^\mathsf {pre}_i)\) is a function of \((k^a,k^b,t)\) for any i.

Definition 3

We say that \(\widetilde{E}\) is c-key-uniform for some \(c\ge 0\), if there exist \(\lambda ^\mathsf {pre}_1,\ldots ,\lambda ^\mathsf {pre}_\rho ,\lambda _1,\ldots ,\lambda _\sigma \) such that for any \(k^a\Vert k^b\in \{0,1\}^{2n}\):

$$\begin{aligned}&\text {for }i=1,\ldots ,\rho :\qquad 2^{\lambda ^\mathsf {pre}_i-c} \le \left| \mathsf {rng}(B^\mathsf {pre}_i(k^a,k^b,\cdot )) \right| \le 2^{\lambda ^\mathsf {pre}_i}\,,\\&\text {for }i=1,\ldots ,\sigma :\qquad 2^{\lambda _i-c} \le \left| \mathsf {rng}(B_i(k^a,k^b,\cdot )) \right| \le 2^{\lambda _i}\,. \end{aligned}$$

An observation we will use later on is that \(\widetilde{E}\) calls its underlying \(E\) with key-deriving functions \(\varPhi = \varPhi ^\mathsf {pre}_B \cup \varPhi _B\), where:

$$\begin{aligned} \begin{aligned} \varPhi ^\mathsf {pre}_B&:= \{ (k^a,k^b) \mapsto B^\mathsf {pre}_i(k^a,k^b,t) \mid i\in \{\rho '+1,\ldots ,\rho \}, t\in \{0,1\}^{n}\}\,,\\ \varPhi _B&:= \{ (k^a,k^b) \mapsto B_i(k^a,k^b,t) \mid i\in \{1,\ldots ,\sigma \}, t\in \{0,1\}^{n}\}\,. \end{aligned} \end{aligned}$$
(9)

6.2 Examples

The generalized design represents \(\mathsf {LRW2}\) of Fig. 1 for \(\rho =0\), \(\sigma =1\), \(k^a=h\) (abusing notation), \(k^b=k\), and the following processing functions:

$$\begin{aligned} A_1(h,t,m)&= h(t) \oplus m\,,\\ B_1(k,t)&= k\,,\\ A_2(h,t,y_1)&= h(t)\oplus y_1\,. \end{aligned}$$

Note that \(\mathsf {LRW2}\) is 0-key-uniform (by putting \(\lambda _1=0\)).

The generalized design represents \(\mathsf {Men2}\) of Fig. 2 for \(\rho =\sigma =1\), \(k^b=k\) (\(k^a\) is not used), and the following processing functions:

Also \(\mathsf {Men2}\) is 0-key-uniform (by putting \(\lambda ^\mathsf {pre}_1=0\) and \(\lambda _1=n\)).
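As an added worked example (our own code, not the paper's and not Mennink's), the generic design \(\widetilde{E}[\rho ,\sigma ]\) of Sect. 6 is implemented below with pluggable processing functions, instantiated as the two schemes of this subsection, and the range sizes \(|\mathsf {rng}(B_i(k^a,k^b,\cdot ))|\) behind Definition 3 are counted by enumerating all tweaks. It assumes a constructed toy blockcipher E (an 8-bit, 4-round Feistel network with a SHA-256 round function: a keyed permutation, in no sense a secure cipher), instantiates the \(\mathsf {LRW2}\) hash h as multiplication by \(k^a\) in GF(2^8), takes the \(\mathsf {Men2}\) processing functions from the formula in Sect. 5.2, and the names GenericTBC, key_range_sizes, gf_mul and men2_direct are ours:

```python
"""Toy instance of the generic tweakable blockcipher E~[rho, sigma] of Sect. 6.
Added example, not the paper's code. E is a constructed 4-round Feistel network on
n = 8 bits with a SHA-256-based round function: a keyed permutation that merely
exercises the framework and is in no way a secure cipher."""
import hashlib

N = 8                       # toy block, key and tweak size in bits
MASK, HALF, HMASK, ROUNDS = (1 << N) - 1, N // 2, (1 << (N // 2)) - 1, 4

def _round_f(key, rnd, x):
    """Keyed round function on HALF-bit values, derived from SHA-256."""
    return hashlib.sha256(bytes([key, rnd, x])).digest()[0] & HMASK

def E(key, x):
    """Toy blockcipher E: {0,1}^n x {0,1}^n -> {0,1}^n."""
    l, r = x >> HALF, x & HMASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _round_f(key, rnd, r)
    return (l << HALF) | r

def E_inv(key, y):
    """Inverse of E: the Feistel rounds undone in reverse order."""
    l, r = y >> HALF, y & HMASK
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _round_f(key, rnd, l), l
    return (l << HALF) | r

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(N):
        if b & 1:
            p ^= a
        a, b = ((a << 1) & MASK) ^ (0x1B if a & 0x80 else 0), b >> 1
    return p

class GenericTBC:
    """E~[rho, sigma] with pluggable processing functions, 0-indexed:
    A_pre[i], B_pre[i]: (k, t, y_pre[:i]) -> n bits         (i = 0..rho-1)
    A[i]: (ka, t, y_pre, y_prev) -> x_{i+1}; A[sigma] plays the role of A_{sigma+1}
    A_inv[i]: inverse of A[i] in its last argument
    B[i]: (kb, t, y_pre) -> l_{i+1}                          (i = 0..sigma-1)"""

    def __init__(self, rho, sigma, A_pre, B_pre, A, A_inv, B):
        self.rho, self.sigma = rho, sigma
        self.A_pre, self.B_pre, self.A, self.A_inv, self.B = A_pre, B_pre, A, A_inv, B

    def precompute(self, ka, kb, t):
        """The rho message-independent calls to E, giving y^pre_1..y^pre_rho."""
        y_pre = []
        for i in range(self.rho):
            y_pre.append(E(self.B_pre[i](kb, t, y_pre), self.A_pre[i](ka, t, y_pre)))
        return y_pre

    def encrypt(self, ka, kb, t, m):
        y_pre, y = self.precompute(ka, kb, t), m
        for i in range(self.sigma):           # the sigma message-dependent calls
            y = E(self.B[i](kb, t, y_pre), self.A[i](ka, t, y_pre, y))
        return self.A[self.sigma](ka, t, y_pre, y)

    def decrypt(self, ka, kb, t, c):          # needs every A_i invertible in its last argument
        y_pre = self.precompute(ka, kb, t)
        y = self.A_inv[self.sigma](ka, t, y_pre, c)
        for i in reversed(range(self.sigma)):
            y = self.A_inv[i](ka, t, y_pre, E_inv(self.B[i](kb, t, y_pre), y))
        return y

def key_range_sizes(tbc, ka, kb):
    """|rng(B^pre_i(ka,kb,.))| and |rng(B_i(ka,kb,.))| over all 2^n tweaks (Definition 3)."""
    pre_rng, rng = [set() for _ in range(tbc.rho)], [set() for _ in range(tbc.sigma)]
    for t in range(1 << N):
        y_pre = tbc.precompute(ka, kb, t)
        for i in range(tbc.rho):
            pre_rng[i].add(tbc.B_pre[i](kb, t, y_pre[:i]))
        for i in range(tbc.sigma):
            rng[i].add(tbc.B[i](kb, t, y_pre))
    return [len(s) for s in pre_rng], [len(s) for s in rng]

# LRW2 (Sect. 6.2): rho = 0, sigma = 1, k^b = k, and k^a keys the hash
# h(t) = ka * t in GF(2^8), a 2^-n-almost XOR-universal family.
LRW2 = GenericTBC(
    rho=0, sigma=1, A_pre=[], B_pre=[],
    A=[lambda ka, t, yp, m: gf_mul(ka, t) ^ m, lambda ka, t, yp, y1: gf_mul(ka, t) ^ y1],
    A_inv=[lambda ka, t, yp, x: gf_mul(ka, t) ^ x, lambda ka, t, yp, c: gf_mul(ka, t) ^ c],
    B=[lambda kb, t, yp: kb],                        # l_1 = k: never rekeyed by t
)

# Men2 (Sect. 5.2): rho = sigma = 1, k^b = k, k^a unused, z = E(2k, t) precomputed.
MEN2 = GenericTBC(
    rho=1, sigma=1,
    A_pre=[lambda ka, t, yp: t],                     # x^pre_1 = t
    B_pre=[lambda kb, t, yp: gf_mul(2, kb)],         # l^pre_1 = 2k
    A=[lambda ka, t, yp, m: yp[0] ^ m, lambda ka, t, yp, y1: yp[0] ^ y1],
    A_inv=[lambda ka, t, yp, x: yp[0] ^ x, lambda ka, t, yp, c: yp[0] ^ c],
    B=[lambda kb, t, yp: kb ^ t],                    # l_1 = k xor t: tweak-rekeying
)

def men2_direct(k, t, m):
    """Men2 written out as in Sect. 5.2, to cross-check the generic instance."""
    z = E(gf_mul(2, k), t)
    return E(k ^ t, m ^ z) ^ z
```

With n = 8, key_range_sizes returns ([], [1]) for LRW2 and ([1], [256]) for Men2, i.e. \(|\mathsf {rng}(B_1)|=2^{0}\) for \(\mathsf {LRW2}\) and \(|\mathsf {rng}(B^\mathsf {pre}_1)|=2^{0}\), \(|\mathsf {rng}(B_1)|=2^{n}\) for \(\mathsf {Men2}\), which is exactly the choice \(\lambda _1=0\), respectively \(\lambda ^\mathsf {pre}_1=0,\lambda _1=n\), made above; decrypt inverts encrypt for both instances because all \(A_i\) are XOR maskings and hence involutions in their last argument, and the cross-check against men2_direct confirms the generic instance computes \(E(k\oplus t,m\oplus z)\oplus z\).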

7 Impossibility

We will provide a heuristic argument that if the standard-to-ideal reduction of Lemma 1 is used, optimal security in the standard model by a tweak-rekeyable tweakable blockcipher as described in Sect. 6 is at least as hard as achieving it by a non-tweak-rekeyable one. The analysis is based on Assumption 1 below.

Assumption 1

For any scheme \(\widetilde{E}\) as described in Sect. 6 that is non-tweak-rekeyable (hence, \(l_i^\mathsf {pre}\) and \(l_i\) are independent of t), and any \(\mathcal {T}\subseteq \{0,1\}^{n}\) of size \(|\mathcal {T}|\ge 2^{(\rho ''+\sigma )n/(\rho ''+\sigma +1)}\), we have

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}) \ge \dfrac{q^{\rho ''+\sigma +1}}{2^{(\rho ''+\sigma )n}} \end{aligned}$$

for some distinguisher \(\mathcal {D}\) which only takes tweaks from \(\mathcal {T}\).

The lower bound on \(|\mathcal {T}|\) in Assumption 1 is argued by the observation that the bound on \(\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D})\) is void for \(q\ge 2^{(\rho ''+\sigma )n/(\rho ''+\sigma +1)}\). In other words: any attacker against \(\widetilde{E}\) will make at most approximately \(q\le 2^{(\rho ''+\sigma )n/(\rho ''+\sigma +1)}\) queries and thus require at most that many tweaks for its attack. The assumption is discussed in further detail in Sect. 8.

Theorem 4

Let \(n\ge 1\) and let \(\rho ,\sigma \ge 0\). Let \(\widetilde{E}\) be any tweakable blockcipher as in Sect. 6 that is c-key-uniform for some small c. Let \(\varPhi \) be as in (9). If Assumption 1 holds, then

$$\begin{aligned} \begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')&+ \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\\&=\varOmega \left( \min \left\{ \frac{qr}{2^n},\dfrac{q^{\rho ''+\sigma +1}}{2^{(\rho ''+\sigma )n}},\frac{r^{(\rho ''+\sigma )(\rho ''+\sigma +1)}}{2^{((\rho ''+\sigma )(\rho ''+\sigma +1)-1)n}}\right\} \right) \,, \end{aligned}\end{aligned}$$
(10)

where the first maximum is taken over all \(\mathrm {srkprp}\) distinguishers \(\mathcal {D}'\) that make at most \((\rho ''+\sigma )\cdot q\) construction queries and at most r primitive evaluations, and the second maximum is taken over all information-theoretic \(\mathrm {i\text {-}\widetilde{sprp}}\) distinguishers \(\mathcal {D}''\) that make q construction queries and 0 primitive queries.

We give an interpretation of Theorem 4 in Sect. 7.1, and its proof in Sect. 7.2.

7.1 Interpretation of Theorem 4

Suppose our goal is to prove security of \(\widetilde{E}\) against any \(\mathrm {s\text {-}\widetilde{sprp}}\) distinguisher \(\mathcal {D}\) that can make q construction queries and r evaluations of the primitive. If we opt to follow the standard-to-ideal reduction of Lemma 1, the first transition would give us an unavoidable bound

$$\begin{aligned} \mathbf {Adv}_{\widetilde{E}}^{\mathrm {s\text {-}\widetilde{sprp}}}(\mathcal {D}) \le \mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\,, \end{aligned}$$

where \(\mathcal {D}'\) is a distinguisher making at most \((\rho ''+\sigma )q\) queries and making r primitive queries, and \(\mathcal {D}''\) is an information-theoretic distinguisher making at most q queries to its construction oracle and 0 queries to its primitive oracle. Effectively, this step corresponds to replacing the \(\rho ''\) message-independent evaluations of \(E\) that are used by the masking functions \(A_1,\ldots ,A_\sigma \) and the \(\sigma \) message-dependent evaluations of \(E\) by a secret random related-key blockcipher \(\mathrm {rk}[ rE ]_{k^b}\). The remaining \(\rho '\) evaluations of \(E\) in the message-independent precomputation occur indirectly via the related-key deriving functions.

A next step in the security analysis would be to bound both terms for the strongest possible distinguishers \(\mathcal {D}'\) and \(\mathcal {D}''\). However, Theorem 4 shows that it is impossible to prove optimal security of this bound in terms of Definition 2. The theorem can hence be informally captured as follows.

Corollary 1

If \(2^{\sigma n/(\sigma +1)}\) is the best one can get without tweak-rekeying, optimal \(2^n\) provable security with tweak-rekeying via the generic standard-to-ideal reduction is impossible.

The bound of Theorem 4 is worse than the bound of Assumption 1, an unavoidable loss to cover worst-case scenarios. The loss shows that with tweak-rekeying we can get closer to \(2^n\) than without tweak-rekeying, but we can never achieve optimal security. That is, the bound of (10) cannot give \(2^n/\mathrm {const}\) security provided that \(\rho \) and \(\sigma \) are constant.

The result leaves aside the question of whether the generic standard-to-ideal reduction is strictly necessary. We will discuss this question in Sect. 8.

7.2 Proof of Theorem 4

Before going to the proof of Theorem 4, we will give a high-level intuition. The core idea is to consider the two terms of (10), and to make a distinction depending on how much freedom the distinguisher has in influencing the rekeying of the \(\sigma \) message-dependent evaluations of \(E\). We consider two cases:

(1) Tweaks have little to no influence on the rekeying of each of the blockciphers. In this case, the lower bound on \(\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')\) (Proposition 1) will be small and we cannot argue based on this part of the bound. On the other hand, the distinguisher can select a large set of tweaks \(\mathcal {T}\) for which the blockciphers will never be rekeyed. This way, \(\mathcal {D}\) would simply be considering a non-tweak-rekeyable cipher, for which Assumption 1 applies;

(2) Tweaks have a significant influence on the rekeying of some of the blockciphers. In this case, the lower bound on \(\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')\) (Proposition 1) will be significant, and imply the impossibility of an optimal security bound.

Combining the two cases will imply the lower bound of Theorem 4. This high-level overview omits a few technicalities. Most importantly, case (1) requires an upper bound on the influence of the tweaks while case (2) requires a lower bound. This is resolved using the c-key-uniformity of Definition 3.

Proof

(Proof of Theorem 4). Let \(k^a,k^b\) be two fixed secret keys. Recall that \(\widetilde{E}\) is c-key-uniform for some small c. Let

$$\begin{aligned} \lambda ^*= \max \{\lambda ^\mathsf {pre}_{\rho '+1},\ldots ,\lambda ^\mathsf {pre}_\rho ,\lambda _1,\ldots ,\lambda _\sigma \}\,. \end{aligned}$$

We will derive a lower bound on

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'') \end{aligned}$$
(11)

by making a case distinction depending on \(\lambda ^*\).

Case \(\varvec{2^{n-\lambda ^*(\rho ''+\sigma )}\ge 2^{(\rho ''+\sigma )n/(\rho ''+\sigma +1)}}\). For simplicity, we bound (11) as

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'') \ge \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\,, \end{aligned}$$

and argue based on the \(\mathrm {i\text {-}\widetilde{sprp}}\) security, where the maximum is taken over any information-theoretic \(\mathcal {D}''\) that makes at most q construction queries and 0 primitive evaluations.

By maximality of \(\lambda ^*\), there is a set \(\mathcal {T}'\subseteq \{0,1\}^{n}\) of size

$$\begin{aligned} |\mathcal {T}'| \ge \frac{2^n}{\prod _{i=\rho '+1}^{\rho } |\mathsf {rng}(B^\mathsf {pre}_i(k^a,k^b,\cdot ))| \cdot \prod _{i=1}^{\sigma } |\mathsf {rng}(B_i(k^a,k^b,\cdot ))|} \ge 2^{n-\lambda ^*(\rho ''+\sigma )} \end{aligned}$$

such that \(B^\mathsf {pre}_i(k^a,k^b,t)=B^\mathsf {pre}_i(k^a,k^b,t')\) and \(B_i(k^a,k^b,t)=B_i(k^a,k^b,t')\) for all \(t,t'\in \mathcal {T}'\). By Assumption 1, applied for this \(\mathcal {T}'\), we obtain

$$\begin{aligned} \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'') \ge \dfrac{q^{\rho ''+\sigma +1}}{2^{(\rho ''+\sigma )n}}\,. \end{aligned}$$
(12)

Note that \(\mathcal {T}'\) is key-dependent and the distinguisher from Assumption 1 does not know \(\mathcal {T}'\). This is not a problem, though, as in (12) we are maximizing over all distinguishers: the maximum over all distinguishers equals the maximum over all distinguishers that only take tweaks from \(\mathcal {T}'\), maximized over all possible sets \(\mathcal {T}'\).

Case \(\varvec{2^{n-\lambda ^*(\rho ''+\sigma )}\le 2^{(\rho ''+\sigma )n/(\rho ''+\sigma +1)}}\). For simplicity, we bound (11) as

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') + \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'') \ge \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')\,, \end{aligned}$$

and argue based on the \(\mathrm {srkprp}\) security, where the maximum is taken over any distinguisher \(\mathcal {D}'\) that makes at most \((\rho ''+\sigma )\cdot q\) construction queries and at most r primitive evaluations.

By Proposition 1,

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}') \ge \max _{\varPhi '\subseteq \varPhi ,|\varPhi '|=q'}\frac{\mathbf {Ex}\left( |\varPhi '(k)|\right) \cdot r'}{2^{n+1}} - \frac{1}{2^n-1}\,, \end{aligned}$$

where \(q'=\min \{(\rho ''+\sigma )q-1,|\varPhi |\}\) and \(r'=r-1\). Note that

$$\begin{aligned} \max _{\varPhi '\subseteq \varPhi ,|\varPhi '|=q'} \mathbf {Ex}\left( |\varPhi '(k)|\right) \ge \min \{(\rho ''+\sigma )q-1,2^{\lambda ^*-c}\}\,. \end{aligned}$$

This maximum is achieved for \(\varPhi '\) being a subset of the set of key-deriving functions for which the maximum \(\lambda ^*\) is achieved. As \(2^{\lambda ^*}\ge 2^{n/((\rho ''+\sigma )(\rho ''+\sigma +1))}\), we derive:

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')&\ge \frac{\min \{(\rho ''+\sigma )q-1,2^{n/((\rho ''+\sigma )(\rho ''+\sigma +1))-c}\}\cdot r'}{2^{n+1}} - \frac{1}{2^n-1}\,. \end{aligned}$$

Assuming that \(\frac{2^{n/((\rho ''+\sigma )(\rho ''+\sigma +1))}r'}{2^{n+1+c}}\le 1\) (otherwise the term will not influence the bound), the term above is lower bounded by

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')&\ge \min \left\{ \frac{((\rho ''+\sigma )q-1)r'}{2^{n+1}},\frac{2^{n}{r'}^{(\rho ''+\sigma )(\rho ''+\sigma +1)}}{2^{(n+1+c)(\rho ''+\sigma )(\rho ''+\sigma +1)}}\right\} - \frac{1}{2^n-1}\,. \end{aligned}$$
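Two steps of this case are stated without their intermediate algebra; as an added worked derivation (not part of the original), abbreviate \(N=(\rho ''+\sigma )(\rho ''+\sigma +1)\). The case condition yields the lower bound on \(\lambda ^*\) used above:

$$\begin{aligned} n-\lambda ^*(\rho ''+\sigma ) \le \frac{(\rho ''+\sigma )n}{\rho ''+\sigma +1} \;\Longleftrightarrow \; \lambda ^*(\rho ''+\sigma ) \ge n-\frac{(\rho ''+\sigma )n}{\rho ''+\sigma +1} = \frac{n}{\rho ''+\sigma +1} \;\Longleftrightarrow \; \lambda ^*\ge \frac{n}{N}\,, \end{aligned}$$

and with \(x=2^{n/N}r'/2^{n+1+c}\), the assumption \(x\le 1\) gives \(x\ge x^{N}\), which is precisely the second term of the minimum:

$$\begin{aligned} \frac{2^{n/N-c}\cdot r'}{2^{n+1}} = x \ge x^{N} = \frac{2^{n}\,{r'}^{N}}{2^{(n+1+c)N}}\,. \end{aligned}$$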

Conclusion. We get for (11):

$$\begin{aligned} \max _{\mathcal {D}'}\mathbf {Adv}_{\varPhi ,E}^{\mathrm {srkprp}}(\mathcal {D}')&+ \max _{\mathcal {D}''}\mathbf {Adv}_{\widetilde{E}}^{\mathrm {i\text {-}\widetilde{sprp}}}(\mathcal {D}'')\\&=\varOmega \left( \min \left\{ \frac{qr}{2^n},\dfrac{q^{\rho ''+\sigma +1}}{2^{(\rho ''+\sigma )n}},\frac{r^{(\rho ''+\sigma )(\rho ''+\sigma +1)}}{2^{((\rho ''+\sigma )(\rho ''+\sigma +1)-1)n}}\right\} \right) \,, \end{aligned}$$

assuming that c is a small constant. This completes the proof.    \(\square \)

8 Discussion

The results shine a negative light on optimal standard-model security of tweakable blockciphers and give rise to multiple questions.

What are the implications of the negative standard-model result on \(\mathsf {Men2}\) of Theorem 3? Despite what the lower bound of Theorem 3 suggests, the gap is mainly caused by the estimation in the hybrid step. In more detail, the step where \(E\) is replaced with \(\mathbf {Adv}_{\varPhi _{\mathsf {Men2}},E}^{\mathrm {srkprp}}(\mathcal {D}')\) is extremely loose, and an attacker \(\mathcal {D}'\) that maximizes its success probability in breaking the related-key security of \(E\) is not transformable to an attacker on \(\mathsf {Men2}\). Concretely, standard-model security derivations simply cannot confirm this.

How do the standard and ideal model compare, and what are the implications of results in both models? This question is not easy to answer. Results in the ideal cipher model are likely to be over-optimistic, while the standard-model results are too loose, mainly due to the seemingly necessary generic reduction of Lemma 1. Intuitively, the “real” security of a scheme satisfies

The question is, which of the estimates is tighter? In the ideal-model versus standard-model results on \(\mathsf {Men2}\), Theorem 2 versus Theorem 3, the standard-model bound seems to be too loose. For different schemes, it may be the other way around. A potential way forward is to weaken the ideal model, an approach for instance followed by Shrimpton and Terashima [55]; yet, this approach is ultimately still an ideal-model approach.

In either situation, the findings of this work contribute to a better understanding of how both models compare, and demonstrate that results in the two models should be interpreted with care. We believe that, taking these issues into account, the ideal-cipher security model is still reasonable to consider.

Is Assumption 1 reasonable? Recall that Lampe and Seurin [34] conjectured that the cascade of \(\sigma \) \(\mathsf {LRW2}\)’s achieves \(2^{\sigma n/(\sigma +1)}\) security (for the cascade of \(\mathsf {LRW2}\)’s we have \(\rho =\rho '=\rho ''=0\)). Assumption 1 suggests that this is the best possible for non-tweak-rekeyable tweakable blockciphers. Regardless of this, it is merely used as a starting point: if the assumption holds, then tweak-rekeying will not help in achieving optimal security. Assumption 1 allows for some stretch: if it is not true and a slightly more secure tweakable blockcipher can be constructed, the results (and in particular Theorem 4) generalize accordingly.

The heuristic bound in Theorem 4 is better than the one of Assumption 1, which indicates that tweak-rekeyability may result in a better bound than non-tweak-rekeyability (but no optimal one). However, the derivation of the bound of Theorem 4 is very conservative. For instance, it relies on the superset bound \(\varPhi \supseteq \varPhi _B\) of (9) and on a lower bound on \(|\varPhi _B|\), both of which are loose. Tighter bounds for Theorem 4 may be achieved if more properties of \(\widetilde{E}\) are taken into account.

Can we Salvage the Generic Standard-to-Ideal Reduction? Theoretically, Theorem 4 gives a lower bound on an upper bound argued via the generic reduction of Lemma 1. In itself this is not very informative, yet it shows us that if this classical first-step reduction is used, we cannot get optimal security. Note that we do not claim that the standard-to-ideal reduction is unavoidable, but that if this reduction is applied, the term of (10) is unavoidable. A way to circumvent the usage of the reduction and the strong (related-key) PRP security definition as formalized in Sect. 2.1 may be by using a generalized security model for blockciphers, such as the “strong masked related-key PRP security.” Such a generalized security model would, however, only absorb various design properties of the tweakable blockcipher, and shift the problem instead of solving it.