1 Introduction

A blockcipher is a family of permutations indexed via a secret key. Tweakable blockciphers generalize over classical blockciphers by introducing the tweak as an additional parameter. More formally, a tweakable blockcipher \({\widetilde{E}}:{\mathcal {K}}\times {\mathcal {T}}\times {\mathcal {M}}\rightarrow {\mathcal {M}}\) is a family of permutations on \({\mathcal {M}}\) indexed by a key \(k\in {\mathcal {K}}\) and tweak \(t\in {\mathcal {T}}\). Here, the key input is a secret parameter to guarantee security, while the tweak value is a public parameter with the main purpose to bring flexibility to the cipher. Tweakable blockciphers were formalized by Liskov, Rivest, and Wagner [29] and find a wide spectrum of applications, such as tweakable enciphering schemes [8, 13, 20–22, 34, 45, 49], authenticated encryption schemes and message authentication codes [2, 27, 41, 42], and online ciphers [2, 44].

Example tweakable blockciphers that admit tweaks by design are Schroeppel’s Hasty Pudding Cipher [46], Crowley’s Mercy [10], and the Threefish cipher used in SHA-3 finalist Skein [14]. Furthermore, Goldenberg et al. [18] demonstrated how to transform a Feistel scheme into a tweakable Feistel scheme that achieves birthday bound security, and Mitsuda and Iwata [35] derived similar results for generalized Feistel schemes. Jean et al. [23] considered the problem of tweaking key alternating ciphers by presenting TWEAKEY, a construction that elegantly blends the tweak with the key in the key scheduling algorithm.

A more generic approach is to design a tweakable blockcipher from an ordinary blockcipher (and possibly other cryptographic primitives) in a black-box way. Two such constructions were introduced in Liskov et al.’s original paper. The first construction \(\mathsf{LRW1}\) makes two evaluations of an underlying blockcipher \(E\), while the other construction \(\mathsf{LRW2}\) is based on a blockcipher \(E\) and a universal hash function family H:

$$\begin{aligned} \mathsf{LRW1}(k,t,m)&= E(k,E(k,m)\oplus t)\,,\end{aligned}$$
(1)
$$\begin{aligned} \mathsf{LRW2}([k,h],t,m)&= E(k,m\oplus h(t))\oplus h(t)\,, \end{aligned}$$
(2)

where \(h\in H\). These constructions achieve security up to the birthday bound. Related to \(\mathsf{LRW2}\) is the \(\mathsf{XEX}\) construction by Rogaway [41], and extensions of it by Chakraborty and Sarkar [7] and Minematsu [32], which effectively reduces the keyspace to n bits.

Landecker, Shrimpton, and Terashima [27] considered the cascade of two \(\mathsf{LRW2}\)’s:

$$\begin{aligned} \mathsf{LRW2}[2]([k_1,k_2,h_1,h_2],t,m) = \mathsf{LRW2}([k_2,h_2],t,\mathsf{LRW2}([k_1,h_1],t,m))\,, \end{aligned}$$
(3)

and proved it secure up to about \(2^{2n/3}\) queries. Lampe and Seurin [26] generalized this approach and considered a cascade of \(\rho \ge 1\) evaluations:

$$\begin{aligned} \mathsf{LRW2}[\rho ]([\mathbf {k},\mathbf {h}],t,m) = \mathsf{LRW2}([k_\rho ,h_\rho ],t,\cdots \mathsf{LRW2}([k_1,h_1],t,m)\cdots )\,, \end{aligned}$$
(4)

where \(\mathbf {k}=(k_1,\ldots ,k_\rho )\) are blockcipher keys and \(\mathbf {h}=(h_1,\ldots ,h_\rho )\) instantiations of H. Lampe and Seurin proved that for even \(\rho \), this construction is secure up to approximately \(2^{\rho n/(\rho +2)}\) queries. Note that this bound only improves over the one of Landecker et al. for \(\rho \ge 4\). Lampe and Seurin conjectured that their bound could be improved to \(2^{\rho n/(\rho +1)}\). This term approaches the optimal \(2^n\) for increasing \(\rho \), but also the number of primitive calls and the key size increases linearly in \(\rho \).

Tweak-Dependent Keys

Liskov et al. [29] suggested that a change in the tweak should be cheaper than a change in the key. As pointed out by Jean et al. [23], this may seem somewhat counter-intuitive because the adversary has full control over the tweak while it has only limited to no control over the key. They suggest that, in practice, the two inputs should be treated comparably. Additionally, the theoretical quest to derive an (almost) optimally secure tweakable blockcipher complying with this condition led to an unrestrained increase of primitive calls and of the number of keys.

For example, the tweakable blockcipher \({\widetilde{E}}(k,t,m) = E(k\oplus t,m)\) is secure up to about \(2^{n/2}\) evaluations (in the single-key setting, and if the underlying cipher is sufficiently secure), and thus achieves the same level of security as, for instance, \(\mathsf{LRW1}\). If we assume that the underlying cipher \(E\) consists of a key scheduling part and a message encryption part (such separation is easily made for key alternating ciphers), each evaluation of \({\widetilde{E}}\) requires one key scheduling and one message encryption, while each evaluation of \(\mathsf{LRW1}\) requires two message encryptions (the key scheduling can be pre-computed). This means that \({\widetilde{E}}\) is more efficient than \(\mathsf{LRW1}\) if the key scheduling part of \(E\) is cheaper than its message encryption part.

Minematsu [33] presented a construction of a tweakable blockcipher with tweak-dependent key that achieves beyond birthday bound security. In more detail, he proved that

$$\begin{aligned} \mathsf{Min}(k,t,m) = E(E(k,t\Vert 0^{n-|t|}),m) \end{aligned}$$
(5)

is secure up to \(\max \{2^{n/2},2^{n-|t|}\}\) where |t| denotes the fixed tweak length. Unfortunately, this construction only achieves beyond birthday bound security as long as the tweak is shorter than n/2 bits, and it cannot achieve optimal \(2^n\) security (unless \(|t|=0\)). Beyond Minematsu’s scheme, no other tweakable blockciphers in this direction are known.

Our Contributions

We investigate the following elementary question. Can we design an optimally secure tweakable blockcipher \({\widetilde{E}}\) with n-bit inputs and outputs using only a blockcipher \(E\) with n-bit inputs and outputs?

We approach this question generically, focusing on the way \({\widetilde{E}}\) is designed from \(E\), which means that the preprocessing functions that prepare the inputs to the underlying blockcipher may be technically any function as long as the tweakable blockcipher itself is invertible. This also means that the preprocessing functions may utilize another cryptographic primitive (for \(\mathsf{LRW2}\) the tweak and message are preprocessed as \((t,m)\mapsto m\oplus h(t)\) for some universal hash function \(h\in H\)). We will not rely on the potential cryptographic strength of the preprocessing functions: we only make a security assumption on \(E\) and assume the mixing functions are efficiently computable.

Formally, security is defined as the information-theoretic indistinguishability of \(({\widetilde{E}},E)\) from \(({\widetilde{\pi }},E)\), with \({\widetilde{\pi }}\) an ideal tweakable cipher, \(E\) an ideal cipher, and where the distinguisher has forward and inverse query access to both of its oracles. We remark that the same security model is, for instance, oft-employed in the area of key-length extenders [1, 4, 12, 16, 17, 28].

Generic Design. We start with presenting a generic description of a tweakable blockcipher design \({\widetilde{E}}[\rho ]\) for \(\rho \ge 1\). It consists of \(\rho \) calls to a classical blockcipher \(E\) interlaced with arbitrary mixing functions to generate the inputs to primitive calls and to generate the final output of the tweakable cipher. To assure invertibility of \({\widetilde{E}}[\rho ]\), we pose a validity condition on the mixing functions, and only consider mixing functions that comply with this condition. Next, we consider various instances of \({\widetilde{E}}[\rho ]\).

One Blockcipher Call with Linear Mixing. We first focus on the case \(\rho =1\), with the mixing functions being linear mappings over the finite field \({\mathrm {GF}}(2^n)\), and formally prove that any tweakable blockcipher of this form can be broken in a total complexity of about \(2^{n/2}\). The attack covers for instance the tweakable cipher \(E(k\oplus t,m)\) discussed before.

One Blockcipher Call with Polynomial Mixing. Next, we allow for mixing functions that involve multiplications, and introduce the tweakable blockcipher \({\widetilde{F}}[1]:\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) (see also Fig. 1):

$$\begin{aligned} {\widetilde{F}}[1](k,t,m) = E(k\oplus t,m\oplus z)\oplus z\text {, where }z=k\otimes t\,. \end{aligned}$$

We prove that \({\widetilde{F}}[1]\) is indistinguishable from an ideal tweakable cipher as long as the distinguisher’s complexity is at most \(2^{2n/3}\). The proof is based on Patarin’s H-coefficient technique [38] which has found recent adoption in, among others, generic blockcipher design [9, 12] and MAC security [36]. It additionally uses the finite field equivalent of Szemerédi-Trotter theorem [47], a result that was also used by Jetchev et al. [24] in the context of blockcipher based hashing. Informally, this theorem states that if L is a set of lines in a finite field and P a set of two-dimensional points, the number of point-line incidences is at most \(\min \{|L|^{1/2}|P|+|L|,|L||P|^{1/2}+|P|\}\). This theorem is applied by viewing construction queries as lines and primitive queries as points.

Fig. 1. Tweakable blockcipher \({\widetilde{F}}[1]\)

Fig. 2. Tweakable blockcipher \({\widetilde{F}}[2]\)

Two Blockcipher Calls with Linear Mixing. Thirdly, we consider the case \(\rho =2\) and linear mixing functions, and introduce \({\widetilde{F}}[2]:\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) (see also Fig. 2):

$$\begin{aligned} {\widetilde{F}}[2](k,t,m)=E(k\oplus t,m\oplus z)\oplus z\text {, where }z=E(k,t)\,. \end{aligned}$$

It differs from \({\widetilde{F}}[1]\) in that the tweak processing \(z=k\otimes t\) is replaced by \(E(k,t)\). We remark that PCLMULQDQ and AES are comparably efficient on the latest Intel Haswell processors [19]. Using slightly more involved techniques than for \({\widetilde{F}}[1]\), we prove that \({\widetilde{F}}[2]\) is an optimally secure tweakable cipher up to about \(2^n\) queries.

Comparison

A comparison of \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) with the state of the art is given in Table 1. It shows that \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) compare favorably. For instance, both \({\widetilde{F}}[1]\) and \(\mathsf{LRW2}[2]\) achieve 2n/3-bit security, but the latter uses 2 blockcipher calls and 2 universal hash function calls. This means that \({\widetilde{F}}[1]\) is more efficient if one key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation. It additionally uses a key that is a quarter of the size. Similarly, \({\widetilde{F}}[2]\) achieves optimal security using 2 cipher calls and 1 key renewal. The same bound is asymptotically achieved by \(\mathsf{LRW2}[\rho ]\) for \(\rho \rightarrow \infty \), but this one requires \(\rho \) cipher calls and \(\rho \) universal hash calls, and has a key of size \(2\rho n\).

Table 1. Comparison of \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) with existing tweakable blockciphers. Universal hashes in \(\mathsf{LRW2}[\rho ]\) are instantiated as multiplications in the finite field of \(2^n\) elements (see also Sect. 2). Cost is divided into plain \(E\)-calls, multiplications or universal hashes \(\otimes /h\), and the number of E-calls with tweak-dependent key “tdk”. For \(\mathsf{Min}\), |t| denotes the fixed size of the tweak. The security bounds on \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) are derived in the information-theoretic model.

On the other hand, \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) are proven in the information-theoretic model while the other schemes are analyzed in the complexity-theoretic model. Both schemes require a blockcipher that offers resistance against distinguishers that may freely choose the tweak that transforms the key input k under XOR. Fortunately, no related-key attacks of this form on the widely used blockciphers such as AES are known: Biryukov et al. [5, 6] derived a related-key attack on full AES-192 and AES-256, but using a more complicated and contrived key relation (see also Daemen and Rijmen [11]). We note that the proofs for \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) can straightforwardly be transformed to the complexity-theoretic model as long as the underlying blockcipher is related-key secure under XOR in the formalization of Bellare and Kohno [3]. This requires a hybrid proof, where the first step consists of replacing the underlying blockcipher \(E\) by an ideal primitive (at the cost of the related-key security of \(E\)). This step is, however, relatively loose, which can be seen from the fact that the ideal cipher achieves tight \(2^{n/2}\) related-key security under XOR while it yields \(2^{2n/3}\) and \(2^n\) security for \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) in the information-theoretic model.

Outline

We present the security model in Sect. 2. Our generic tweakable blockcipher design \({\widetilde{E}}[\rho ]\) is given in Sect. 3. In Sect. 4, we consider \(\rho =1\): the impossibility result for linear mixing is given in Sect. 4.1 and our construction \({\widetilde{F}}[1]\) using polynomial mixing is introduced in Sect. 4.2. Then, in Sect. 5, we consider \(\rho =2\) and present \({\widetilde{F}}[2]\) based on linear mixing functions. The work is concluded in Sect. 6.

2 Model

By \(\{0,1\}^{n}\) we denote the set of bit strings of length n. Let \({\mathrm {GF}}(2^n)\) be the field of order \(2^n\). We identify bit strings from \(\{0,1\}^{n}\) and finite field elements in \({\mathrm {GF}}(2^n)\). This is done by representing a string \(a=a_{n-1}a_{n-2}\cdots a_1a_0\in \{0,1\}^n\) as polynomial \(a(\mathtt{x})=a_{n-1}\mathtt{x}^{n-1}+ a_{n-2}\mathtt{x}^{n-2}+\cdots + a_1\mathtt{x}+ a_0\in {\mathrm {GF}}(2^n)\) and vice versa. There is additionally a one-to-one correspondence between \([0,2^n-1]\) and \(\{0,1\}^{n}\), by considering \(a(\mathtt{2})\in [0,2^n-1]\). For \(a,b\in \{0,1\}^{n}\), we define addition \(a\oplus b\) as addition of the polynomials \(a(\mathtt{x})+b(\mathtt {x})\in {\mathrm {GF}}(2^n)\). Multiplication \(a\otimes b\) is defined with respect to the irreducible polynomial \(f(\mathtt{x})\) used to represent \({\mathrm {GF}}(2^n)\): \(a(\mathtt{x})\cdot b(\mathtt{x})\text { mod }f(\mathtt{x})\).

If \(\mathcal {A}\) is some set, \(a\xleftarrow {{\scriptscriptstyle \$}}\mathcal {A}\) denotes the uniformly random drawing of a from \(\mathcal {A}\). The size of \(\mathcal {A}\) is denoted by \(\left| \mathcal {A}\right| \).

Distinguishers and Advantages

Throughout this work, a distinguisher \(\mathcal {D}\) is a computationally unbounded probabilistic algorithm. It is given query access to one or more oracles \({\mathcal {O}}\), which means that it can make a certain amount of queries to \({\mathcal {O}}\) adaptively. After this communication with \({\mathcal {O}}\), the distinguisher outputs a 0 or a 1. For two different oracles \({\mathcal {O}}\) and \({\mathcal {P}}\), we define the advantage of \(\mathcal {D}\) in distinguishing both worlds by

$$\begin{aligned} \mathbf{Adv}_{}^{\mathrm{}}(\mathcal {D}) = \left| \mathbf{Pr}\left[ \mathcal {D}^{{\mathcal {O}}} = 1 \right] - \mathbf{Pr}\left[ \mathcal {D}^{{\mathcal {P}}} = 1 \right] \right| \,. \end{aligned}$$
(6)

We use the H-coefficient technique by Patarin [38] and Chen and Steinberger [9]. Consider a fixed deterministic distinguisher trying to distinguish two oracles \({\mathcal {O}}\) and \({\mathcal {P}}\), where its advantage function is denoted \(\mathbf{Adv}_{}^{\mathrm{}}(\mathcal {D})\) as in (6). Denote by X (resp. Y) the probability distribution of views when interacting with \({\mathcal {O}}\) (resp. \({\mathcal {P}}\)). Let \(v\) be a view, i.e., a list of query-response tuples \(\mathcal {D}\) may observe while interacting with \({\mathcal {O}}\) or \({\mathcal {P}}\). This view is called “attainable” if an interaction with \({\mathcal {P}}\) could render this view, or formally if \(\mathbf{Pr}\left[ Y=v\right] >0\). We denote by \({\mathcal {V}}\) the set of attainable views.

Lemma 1

(Patarin’s Technique). Let \(\mathcal {D}\) be a deterministic distinguisher. Consider a partition \({\mathcal {V}}={\mathcal {V}}_{{\mathrm {good}}} \cup {\mathcal {V}}_{{\mathrm {bad}}}\) of the set of attainable views. Let \(0\le \varepsilon \le 1\) be such that for all \(v\in {\mathcal {V}}_{{\mathrm {good}}} \),

$$\begin{aligned} \frac{\mathbf{Pr}\left[ X=v\right] }{\mathbf{Pr}\left[ Y=v\right] } \ge 1-\varepsilon \,. \end{aligned}$$
(7)

Then, the distinguishing advantage satisfies \(\mathbf{Adv}_{}^{\mathrm{}}(\mathcal {D})\le \varepsilon + \mathbf{Pr}\left[ Y\in {\mathcal {V}}_{{\mathrm {bad}}}\right] \).

A proof of this lemma is given in [9]. The idea of the technique is that only few views are significantly more likely to appear in \({\mathcal {P}}\) than in \({\mathcal {O}}\). In other words, the ratio (7) is close to 1 for all but a few views: the “bad” views. The definition of “bad” views is sometimes a delicate process, rendering a tradeoff between \(\varepsilon \) and \(\mathbf{Pr}\left[ Y\in {\mathcal {V}}_{{\mathrm {bad}}}\right] \). Indeed, a too loose definition of bad views results in a larger second term, while a too tight one renders a larger \(\varepsilon \).

Blockciphers and Tweakable Blockciphers

A blockcipher \(E:{\mathcal {K}}\times {\mathcal {M}}\rightarrow {\mathcal {M}}\) is a mapping such that for every key \(k\in {\mathcal {K}}\), \(E_k(\cdot )=E(k,\cdot )\) is a permutation on \({\mathcal {M}}\). We denote its inverse for fixed k by \(E_k^{-1}(\cdot )\). We denote by \(\mathsf{BC}({\mathcal {K}},{\mathcal {M}})\) the set of all such blockciphers.

A tweakable blockcipher \({\widetilde{E}}:{\mathcal {K}}\times {\mathcal {T}}\times {\mathcal {M}}\rightarrow {\mathcal {M}}\) is a mapping such that for every \(k\in {\mathcal {K}}\) and every tweak \(t\in {\mathcal {T}}\), the function \({\widetilde{E}}_k(t,\cdot )={\widetilde{E}}(k,t,\cdot )\) is a permutation on \({\mathcal {M}}\). Like before, its inverse is denoted by \({\widetilde{E}}_k^{-1}(\cdot ,\cdot )\). Let \({\widetilde{\mathsf{P}}}({\mathcal {T}},{\mathcal {M}})\) be the set of all functions \({\widetilde{\pi }}:{\mathcal {T}}\times {\mathcal {M}}\rightarrow {\mathcal {M}}\) such that for all \(t\in {\mathcal {T}}\), \({\widetilde{\pi }}(t,\cdot )\) is a permutation on \({\mathcal {M}}\).

Security of tweakable blockciphers considers a distinguisher \(\mathcal {D}\) that has query access to a tweakable blockcipher \({\widetilde{E}}_k\) for \(k\xleftarrow {{\scriptscriptstyle \$}}{\mathcal {K}}\) or an ideal tweakable permutation \({\widetilde{\pi }}\xleftarrow {{\scriptscriptstyle \$}}{\widetilde{\mathsf{P}}}({\mathcal {T}},{\mathcal {M}})\), and tries to distinguish both worlds. It is typically bounded to have limited resources, such as q queries and \(\tau \) time. In this work, we focus on modular designs for tweakable blockciphers, where \({\widetilde{E}}\) uses a blockcipher \(E\) as underlying primitive. If we denote by \(\tau _E\) the time needed for one evaluation of \(E\), the distinguisher can evaluate this underlying cipher at most \(r:=\tau /\tau _E\) times. We consider \(E\) to be perfectly secure and give \(\mathcal {D}\) query access to \(E\). More formally, we define the strong tweakable-PRP security of \({\widetilde{E}}\) based on \(E\) as

$$\begin{aligned} \mathbf{Adv}_{{\widetilde{E}}}^{\mathrm{\widetilde{sprp}}}(\mathcal {D}) = \left| \mathbf{Pr}\left[ \mathcal {D}^{{\widetilde{E}}_k^{\pm },E^{\pm }} = 1 \right] - \mathbf{Pr}\left[ \mathcal {D}^{{\widetilde{\pi }}^{\pm },E^{\pm }} = 1 \right] \right| \,, \end{aligned}$$

where the probabilities are taken over the random choices of \(k\xleftarrow {{\scriptscriptstyle \$}}{\mathcal {K}}\), \(E\xleftarrow {{\scriptscriptstyle \$}}\mathsf{BC}({\mathcal {K}},{\mathcal {M}})\), and \({\widetilde{\pi }}\xleftarrow {{\scriptscriptstyle \$}}{\widetilde{\mathsf{P}}}({\mathcal {T}},{\mathcal {M}})\), and the random coins of \(\mathcal {D}\). Distinguisher \(\mathcal {D}\) is bounded to make q queries to its first (construction) oracle and r queries to its second (primitive) oracle.

Universal Hash Functions

A hash function family \(H:{\mathcal {K}}\times {\mathcal {X}}\rightarrow {\mathcal {Y}}\) is called \(\varepsilon\)-almost 2-XOR-universal if for all distinct \(x,x'\in {\mathcal {X}}\) and \(y\in {\mathcal {Y}}\), \(\mathbf{Pr}\left[ h\xleftarrow {{\scriptscriptstyle \$}}{\mathcal {K}}\; : \; H_h(x)\oplus H_h(x')=y\right] \le \varepsilon \) [25, 40]. A well-known universal hash function \(H:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) with \(\varepsilon =2^{-n}\) is defined by multiplication in \({\mathrm {GF}}(2^n)\): \(H_h(x)=h\otimes x\).

3 Generic Design

Here and throughout we consider \({\mathcal {K}}={\mathcal {T}}={\mathcal {M}}=\{0,1\}^{n}\) for some \(n\ge 1\). Let \(E:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) be a blockcipher. A generic tweakable blockcipher \({\widetilde{E}}[\rho ]:\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) based on \(\rho \ge 1\) calls to \(E\) can be represented by mappings \(A_i:\{0,1\}^{(i+2)n}\rightarrow \{0,1\}^{n}\) for \(i=1,\ldots ,\rho +1\) and \(B_i:\{0,1\}^{(i+1)n}\rightarrow \{0,1\}^{n}\) for \(i=1,\ldots ,\rho \) as follows:

$$\begin{aligned}&\mathbf{procedure }\; \,{\widetilde{E}}[\rho ](k,t,m)\\&\quad \;\; \mathbf{for }\;\, i=1,\ldots ,\rho \;\, \mathbf{do }\\&\quad \;\;\quad \;\; x_i = A_i(k,t,y_1,\ldots ,y_{i-1},m)\\&\quad \;\;\quad \;\; l_i = B_i(k,t,y_1,\ldots ,y_{i-1})\\&\quad \;\;\quad \;\; y_i = E(l_i,x_i)\\&\quad \;\; \mathbf{return }\;\, c = A_{\rho +1}(k,t,y_1,\ldots ,y_\rho ,m) \end{aligned}$$

The tweakable blockcipher \({\widetilde{E}}[3]\) making \(\rho =3\) blockcipher calls is depicted in Fig. 3. The design resembles ideas of the permutation based hash function construction described by Rogaway and Steinberger [43] and the blockcipher based hash function construction described by Mennink [31]. However, \({\widetilde{E}}[\rho ]\) is required to be invertible. In other words, on input of \(k,t,c\), \({\widetilde{E}}[\rho ]^{-1}(k,t,c)=m\) should be computable, and we will pose a validity condition on \(A_i,B_i\) to guarantee this.

Definition 1

(informal). The mixing functions \(A_i\) for \(i=1,\ldots ,\rho +1\) and \(B_i\) for \(i=1,\ldots ,\rho \) are valid if there is exactly one function \(A_{i^*}\) that processes m, such that the first \(i^*-1\) rounds of \({\widetilde{E}}[\rho ]\) can be computed in forward direction without knowledge of m, the last \(\rho -(i^*-1)\) rounds in inverse direction without knowledge of m, and \(A_{i^*}\) can be inverted to obtain m.

Note that we already require that \(B_1,\ldots ,B_\rho \) do not get m as input. A formal definition of valid mixing functions is given in Appendix A; this definition is more technical and not strictly needed for a better understanding of the attacks and proofs in this work.

Fig. 3. Tweakable blockcipher \({\widetilde{E}}[3]\) making three blockcipher evaluations

Apart from the validity condition, the mixing functions could be anything, and may technically even be of the form \(A_1(k,t,m)=\mathsf{AES}(k\oplus t,m)\). However, it is reasonable to assume the mixing functions to be sufficiently efficient, and we focus on constructions with polynomial mixing functions.

4 One Blockcipher Call

In Sect. 4.1 we consider \({\widetilde{E}}[1]\) for any triplet of valid functions \(A_1,B_1,A_2\) that are linear mappings over \({\mathrm {GF}}(2^n)\), hence only consist of addition and scalar multiplication. We show that any such tweakable cipher can be attacked by an information-theoretic distinguisher in at most \(2^{n/2}\) queries, and thus that provable security beyond this bound cannot be achieved. In Sect. 4.2 we allow for mixing functions that consist of a finite field multiplication, and introduce \({\widetilde{F}}[1]\).

4.1 Linear Mixing

We present an attack on \({\widetilde{E}}[1]\) for any \(A_1,B_1,A_2\) that comply with the invertibility condition and that are linear.

Proposition 1

Let \(n\ge 1\). Let \({\widetilde{E}}[1]:\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) be a tweakable blockcipher based on valid linear \(A_1,B_1,A_2\). Then, there is a distinguisher \(\mathcal {D}\) making at most \(2^{n/2+1}\) construction queries and \(2^{n/2+1}\) primitive queries, such that

$$\begin{aligned} \mathbf{Adv}_{{\widetilde{E}}[1]}^{\mathrm{\widetilde{sprp}}}(\mathcal {D}) \ge 1-\frac{1}{2^n}\,. \end{aligned}$$

Proof

The mixing functions are linear, and can be represented by matrices

$$\begin{aligned} \left( \begin{array}{c} A_1\\ B_1 \end{array} \right) = \left( \begin{array}{ccc} a_{11}&{}a_{12}&{}a_{13}\\ b_{11}&{}b_{12}&{}0 \end{array}\right) \quad \text {and}\quad A_2 = \left( \begin{array}{cccc} a_{21}&a_{22}&a_{23}&a_{24} \end{array}\right) , \end{aligned}$$

where \(A_1,B_1\) are evaluated on \((k,t,m)\) and \(A_2\) on \((k,t,y_1,m)\). Additional conditions apply regarding the validity. Note that we have to distinguish two cases: \(i^*=1\) and \(i^*=2\), and we start with the latter.

Case \({{\varvec{i}}}^{\mathbf{*}}\varvec{=}\mathbf{2.}\) Validity requires that \(A_1\) is independent of m (hence \(a_{13}=0\)) and \(A_2\) is an invertible mapping \(m\mapsto c\) for any \(k,t,y_1\) (hence \(a_{24}\ne 0\)). Distinguisher \(\mathcal {D}\) selects an arbitrary t and two arbitrary distinct \(m,m'\). Then, it queries \(c\leftarrow {\mathcal {O}}(t,m)\) and \(c'\leftarrow {\mathcal {O}}(t,m')\), where \({\mathcal {O}}\) is either \({\widetilde{E}}[1]\) or \({\widetilde{\pi }}\). If \(c\oplus c'=a_{24}(m\oplus m')\), the distinguisher outputs 1, otherwise it outputs 0. Note that the distinguisher always outputs 1 if it is in the real world: because \(a_{13}=0\), both queries have identical \(E\)-calls, and thus \(y_1=y_1'\). Therefore, \(c\oplus c' = A_2\left( 0,0,0,m\oplus m'\right) = a_{24}(m\oplus m')\). On the other hand, this condition is set in the ideal world with probability \(1/2^n\). This gives a distinguisher in 2 construction queries with a success probability of \(1-1/2^n\).

Case \({{\varvec{i}}}^{\mathbf{*}}\varvec{=}\mathbf{1.}\) This case is more technical. Validity requires that \(A_1\) is an invertible mapping \(m\mapsto x_1\) for any \(k,t\) (hence \(a_{13}\ne 0\)). \(A_2\) is required to be independent of m (hence \(a_{24}=0\)) and an invertible mapping \(y_1\mapsto c\) for any \(k,t\) (hence \(a_{23}\ne 0\)). At a high level, we consider a distinguisher \(\mathcal {D}\) that queries its construction oracle \({\mathcal {O}}\) (either \({\widetilde{E}}[1]\) or \({\widetilde{\pi }}\)) and/or its primitive oracle \(E\), with the goal to find a colliding pair: a construction query \((t_i,m_i,c_i)\) and a primitive evaluation \((l_j,x_j,y_j)\) such that

$$\begin{aligned} \left( \begin{array}{c} A_1\\ B_1 \end{array} \right) \left( \begin{array}{c} k\\ t_i\\ m_i \end{array} \right) = \left( \begin{array}{c} x_j\\ l_j \end{array} \right) . \end{aligned}$$
(8)

In this case, the attacker can verify if \(A_2(k,t_i,y_j,m_i)\mathop {=}\limits ^{?}c_i\), and output 0 / 1 accordingly. Technicalities arise as the key k is unknown and it is not straightforward to find a pair of queries satisfying (8). Additionally, for some \(A_1,B_1\) a different technique has to be employed. We make a further distinction among four cases. The case distinction is made based on the values \(b_{12}\), \(b_{11}\), and \(a_{11}\).

Subcase \(\varvec{b}_{\mathbf{12}}\varvec{=} \mathbf{0}\). In this case the key input to the blockcipher is \(b_{11}k\). The distinguisher selects arbitrary distinct \(t,t'\) and an arbitrary m, and sets \(m'=m\oplus a_{13}^{-1}a_{12}(t\oplus t')\). Then, it queries \(c\leftarrow {\mathcal {O}}(t,m)\) and \(c'\leftarrow {\mathcal {O}}(t',m')\). If \(c\oplus c'=a_{22}(t\oplus t')\), the distinguisher outputs 1, otherwise it outputs 0. The remaining analysis is similar to the previous case \(i^*=2\), using that \(a_{24}=0\) and \(y_1=y_1'\) in the real world. This gives a distinguisher in 2 construction queries with a success probability of \(1-1/2^n\).

Subcase \({\varvec{b}}_{\mathbf{12}}\varvec{\ne } \mathbf{0}\), \(\varvec{b}_{\mathbf{11}}\varvec{=}\varvec{a}_{\mathbf{11}}\varvec{=} \mathbf{0}\). In this case k is not used as input to \(A_1\) and \(B_1\). The distinguisher selects an arbitrary t and arbitrary distinct \(m,m'\). Then, it queries \(c\leftarrow {\mathcal {O}}(t,m)\) and \(c'\leftarrow {\mathcal {O}}(t,m')\). Additionally, it queries \(y\leftarrow E(B_1(k,t,m),A_1(k,t,m))\) and \(y'\leftarrow E(B_1(k,t,m'),A_1(k,t,m'))\) (which can be queried without knowledge of k as \(a_{11}=b_{11}=0\)). If \(c\oplus c'=a_{23}(y\oplus y')\), the distinguisher outputs 1, otherwise it outputs 0. The remaining analysis is similar to before. This gives a distinguisher in 2 construction queries and 2 primitive queries with a success probability of \(1-1/2^n\).

Subcase \(\varvec{b}_{\mathbf{12}}\varvec{\ne } \mathbf{0}\), \(\varvec{b}_{\mathbf{11}}\varvec{\ne } \mathbf{0}\). This is the most general subcase. (8) is equivalent to finding a construction query \((t_i,m_i,c_i)\) and a primitive evaluation \((l_j,x_j,y_j)\) such that

$$\begin{aligned} \left( \begin{array}{ccc} 0&{}a_{12}'&{}a_{13}\\ b_{11}&{}b_{12}&{}0 \end{array}\right) \left( \begin{array}{c} k\\ t_i\\ m_i \end{array} \right) = \left( \begin{array}{c} x_j\oplus b_{11}^{-1}a_{11}l_j\\ l_j \end{array} \right) , \end{aligned}$$
(9)

where \(a_{12}'=a_{12}\oplus b_{11}^{-1}a_{11}b_{12}\) and where \(b_{11},b_{12},a_{13}\ne 0\). The distinguisher defines

$$\begin{aligned} \begin{array}{llll} \text {for }i=1,\ldots ,2^{n/2}:&{}\qquad t_i=b_{12}^{-1}\big (\langle i-1\rangle _{n/2}\Vert 0^{n/2}\big ) &{}\quad \text {and}&{}\quad m_i=a_{13}^{-1}a_{12}'t_i\,,\\ \text {for }j=1,\ldots ,2^{n/2}:&{}\qquad l_j=0^{n/2}\Vert \langle j-1\rangle _{n/2} &{}\quad \text {and}&{} \quad x_j=b_{11}^{-1}a_{11}l_j\,. \end{array} \end{aligned}$$

Note that these values are selected such that the first equation of (9) holds for any \((i,j)\): it reads \(a_{12}'t_i \oplus a_{12}'t_i=0\). Regarding the second equation, we have \(b_{12}\{t_1,\ldots ,t_{2^{n/2}}\}\oplus \{l_1,\ldots ,l_{2^{n/2}}\}=\{0,1\}^{n}\), hence this equation will hold for exactly one \((i^\star ,j^\star )\).

For \(i=1,\ldots ,2^{n/2}\), it queries \(c_i\leftarrow {\mathcal {O}}(t_i,m_i)\). For \(j=1,\ldots ,2^{n/2}\), it queries \(y_j\leftarrow E(l_j,x_j)\). For every \(i,j\), the distinguisher writes \(k_{ij}=b_{11}^{-1}(l_j \oplus b_{12}t_i)\) and verifies if \(A_2(k_{ij},t_i,y_j,m_i)\mathop {=}\limits ^{?}c_i\). For any \(i,j\) such that this equation holds, the adversary chooses an arbitrary new tweak \(t_i'\) and arbitrary message \(m_i'\), sets \(x_j'=A_1(k_{ij},t_i',m_i')\) and \(l_j'=B_1(k_{ij},t_i',m_i')\), makes construction query \(c_i'\leftarrow {\mathcal {O}}(t_i',m_i')\) and primitive query \(y_j'\leftarrow E(l_j',x_j')\), and verifies if \(A_2(k_{ij},t_i',y_j',m_i')\mathop {=}\limits ^{?}c_i'\).

If there is an \(i,j\) such that both verifications succeed, the distinguisher outputs 1, otherwise it outputs 0. Recall that in the real world there is exactly one solution \(k=k_{i^\star j^\star }\) and both verifications succeed for this key. In the ideal world, the distinguisher outputs 1 if there is a combination of \(i,j\) such that both verifications succeed. This happens with probability at most \(2^{n/2}\cdot 2^{n/2}\cdot (1/2^n)^2=1/2^n\). This gives a distinguisher that makes at most \(2^{n/2+1}\) construction queries and \(2^{n/2+1}\) primitive queries and succeeds with probability \(1-1/2^n\).

Subcase \(\varvec{b}_{\mathbf{12}}\ne 0\), \(\varvec{b}_{\mathbf{11}}=\mathbf{0}\), \(\varvec{a}_{\mathbf{11}}\ne \mathbf{0}\). This case is in fact the orthogonal of the previous one. Now, (8) translates to finding a construction query \((t_i,m_i,c_i)\) and a primitive evaluation \((l_j,x_j,y_j)\) such that

$$\begin{aligned} \left( \begin{array}{ccc} a_{11}&{}a_{12}&{}a_{13}\\ 0&{}b_{12}&{}0 \end{array}\right) \left( \begin{array}{c} k\\ t_i\\ m_i \end{array} \right) = \left( \begin{array}{c} x_j\\ l_j \end{array} \right) , \end{aligned}$$
(10)

where \(a_{11},b_{12},a_{13}\ne 0\). The distinguisher defines

$$\begin{aligned} \begin{array}{llll} \text {for }i=1,\ldots ,2^{n/2}:&{}\qquad t_i=0^n &{}\quad \text {and} &{}\quad m_i=a_{13}^{-1}\big (\langle i-1\rangle _{n/2}\Vert 0^{n/2}\big )\,,\\ \text {for }j=1,\ldots ,2^{n/2}:&{} \qquad l_j=0^n &{}\quad \text {and} &{}\quad x_j=0^{n/2}\Vert \langle j-1\rangle _{n/2}\,. \end{array} \end{aligned}$$

Note that the second equation of (10) holds for any \((i,j)\), but there is exactly one combination for which the first equation holds. The remainder of the attack follows the previous case verbatim. \(\square \)

The authenticated encryption scheme \(\mathsf{McOE}\)-\(\mathsf{X}\) by Fleischmann et al. [15] uses the tweakable blockcipher \({\widetilde{E}}_{\mathsf{McOE}\text {-}\mathsf{X}}(k,t,m) = E(k\oplus t,m)\), and Proposition 1 gives a distinguishing attack in about \(2^{n/2}\) queries. In fact, the attack of Mendel et al. [30] on \(\mathsf{McOE}\)-\(\mathsf{X}\) uses a generalization of the attack of Proposition 1.
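The attack of Proposition 1 carried out against \({\widetilde{E}}_{\mathsf{McOE}\text {-}\mathsf{X}}(k,t,m)=E(k\oplus t,m)\), as an added example that is not code from the paper and is not the attack of Mendel et al. It assumes a toy block size \(n=16\) (so \(2^{n/2}=256\) queries per oracle) and a 4-round Feistel network with SHA-256 round functions standing in for the blockcipher \(E\); for McOE-X the message input and the primitive input can simply be fixed to 0, and the tweaks \(t_i=\langle i\rangle \Vert 0^{n/2}\) and keys \(l_j=0^{n/2}\Vert \langle j\rangle \) are chosen so that \(\{k\oplus t_i\}\) and \(\{l_j\}\) meet in exactly one pair. The `run_attack` wrapper and the query counters are part of this example, not of the paper.

```python
import hashlib

# Toy parameters (assumption: the paper's n would be a real block size such as 128).
N = 16                       # block, key and tweak size in bits
HALF = N // 2                # the attack uses 2^(n/2) queries per oracle
HMASK = (1 << HALF) - 1


def _round_fn(k: int, i: int, r: int) -> int:
    """Keyed Feistel round function: truncated SHA-256 of (key, round index, right half)."""
    data = k.to_bytes(N // 8, "big") + bytes([i]) + r.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big")


def E(k: int, x: int) -> int:
    """Toy n-bit blockcipher E(k, x): a 4-round Feistel network, hence a permutation for every k."""
    l, r = x >> HALF, x & HMASK
    for i in range(4):
        l, r = r, l ^ _round_fn(k, i, r)
    return (l << HALF) | r


def mcoe_x(k: int, t: int, m: int) -> int:
    """The McOE-X tweakable blockcipher: E(k xor t, m)."""
    return E(k ^ t, m)


def attack(construction, primitive) -> list:
    """Key recovery with 2^(n/2)+1 construction queries and about 2^(n/2)+1 primitive queries.

    construction(t, m) is the tweakable cipher under the unknown key, primitive(l, x) is E itself.
    A match c_i == y_j suggests k = l_j xor t_i; about one false match is expected among the
    2^n pairs, so every candidate is re-checked on one fresh construction query.
    """
    table = {}                                   # y_j -> [l_j, ...] for l_j = 0^(n/2) || <j>
    for j in range(1 << HALF):
        table.setdefault(primitive(j, 0), []).append(j)

    t2, m2 = 0x0F0F, 0xA5A5                      # fresh (t', m') used to verify candidates
    c2 = construction(t2, m2)

    found = set()
    for i in range(1 << HALF):
        t = i << HALF                            # t_i = <i> || 0^(n/2)
        c = construction(t, 0)
        for l in table.get(c, []):               # c_i == y_j  =>  candidate k = l_j xor t_i
            k_cand = l ^ t
            if primitive(k_cand ^ t2, m2) == c2:  # second check weeds out false matches
                found.add(k_cand)
    return sorted(found)


def run_attack(k: int):
    """Runs the attack against McOE-X under key k; returns (candidate keys, q, r)."""
    counts = {"q": 0, "r": 0}

    def construction(t, m):
        counts["q"] += 1
        return mcoe_x(k, t, m)

    def primitive(l, x):
        counts["r"] += 1
        return E(l, x)

    return attack(construction, primitive), counts["q"], counts["r"]


if __name__ == "__main__":
    cands, q, r = run_attack(0xBEEF)
    print(f"recovered {[hex(c) for c in cands]} with q={q} construction, r={r} primitive queries")
```

The construction oracle is queried \(2^{n/2}\) times plus once for the verification tweak, and the primitive \(2^{n/2}\) times plus once per first-stage match; the attack recovers \(k\) outright rather than merely distinguishing, which is why XORing the tweak into the key without any further masking is not enough.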

4.2 Polynomial Mixing

We consider the design of a tweakable blockcipher based on one blockcipher call where the mixing functions may consist of a finite field multiplication. Recall the \(\mathsf{LRW2}\) tweakable blockcipher of (2) that is based on a 2-XOR-universal hash function h. We make two simplifications: firstly, we instantiate it with the optimally secure 2-XOR-universal hash function \(h(x)=h\otimes x\) (see Sect. 2), and secondly, we put \(h=k\). This results in the following function \(\mathsf{LRW2}':\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\):

$$\begin{aligned} \mathsf{LRW2}'(k,t,m) = E(k,m\oplus z)\oplus z\text {, where }z=k\otimes t\,. \end{aligned}$$

This function achieves security up to at most \(2^{n/2}\) queries [29]. However, it turns out that a significant security gain can be made by making the key input tweak-dependent.

In more detail, we propose the following tweakable cipher \({\widetilde{F}}[1]:\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\):

$$\begin{aligned} {\widetilde{F}}[1](k,t,m) = E(k\oplus t,m\oplus z)\oplus z\text {, where }z=k\otimes t\,. \end{aligned}$$

The function is depicted in Fig. 1. In the following theorem, we prove that it achieves \(2n/3\)-bit security.

Theorem 1

Let \(n\ge 1\). Let \(\mathcal {D}\) be a distinguisher making at most q construction queries and r primitive queries. Then,

$$\begin{aligned} \mathbf{Adv}_{{\widetilde{F}}[1]}^{\mathrm{\widetilde{sprp}}}(\mathcal {D}) \le \frac{2\min \{q^{1/2}r+q,qr^{1/2}+r\}}{2^n}\,. \end{aligned}$$

Equilibrium is achieved for \(q=r\), for which \({\widetilde{F}}[1]\) achieves approximately \(2^{2n/3}\) security. Note that the result implies something even stronger: if the online complexity q is at most \(2^{n/2}\), the offline complexity r can be up to almost \(2^{n-3}\). The proof relies on the finite field equivalent of Szemerédi-Trotter theorem [47], which – to our knowledge – was first introduced to cryptography by Jetchev et al. [24].
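The two regimes quoted above, spelled out as an added worked computation (not part of the paper); the second line uses that the minimum in Theorem 1 is bounded by its second term:

$$\begin{aligned} q=r:&\quad \frac{2(q^{3/2}+q)}{2^n}\le \frac{4q^{3/2}}{2^n}<1 \iff q<2^{2n/3-4/3}\,,\\ q=2^{n/2},\ r=2^{n-3}:&\quad \frac{2(qr^{1/2}+r)}{2^n}=\frac{2\big (2^{n/2}\cdot 2^{(n-3)/2}+2^{n-3}\big )}{2^n}=2^{-1/2}+2^{-2}\approx 0.96\,. \end{aligned}$$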

Lemma 2

(Szemerédi-Trotter Theorem Over Finite Fields). Let \(\mathbb {F}\) be a finite field. Let P (resp. L) be a set of points (resp. lines) in \({\mathbb {F}}^2\). Define \(I(P,L)=\{(p,\ell )\in P\times L \mid p\in \ell \}\). Then,

$$\begin{aligned} |I(P,L)| \le \min \{|L|^{1/2}|P|+|L|,|L||P|^{1/2}+|P|\}\,. \end{aligned}$$

A proof of this lemma can be found in Tao [48] and Özen [37, Theorem 5.1.5]. (Tao [48] shows that the bound is more or less sharp: take P to be the set of all points in \({\mathbb {F}}^2\) and L the set of all lines in \({\mathbb {F}}^2\). Then both |P| and |L| are approximately \(|\mathbb {F}|^2\), while the number of point-line incidences I(P,L) is about \(|\mathbb {F}|^3\).) Using Lemma 2, we are ready to prove Theorem 1.

Proof

(Proof of Theorem 1). Let \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\), \(E\xleftarrow {{\scriptscriptstyle \$}}\mathsf{BC}(\{0,1\}^{n},\{0,1\}^{n})\), and \({\widetilde{\pi }}\xleftarrow {{\scriptscriptstyle \$}}{\widetilde{\mathsf{P}}}(\{0,1\}^{n},\{0,1\}^{n})\). We consider a computationally unbounded distinguisher \(\mathcal {D}\) that has bidirectional access to two oracles: \(({\widetilde{F}}[1]_k,E)\) in the real world and \(({\widetilde{\pi }},E)\) in the ideal world. As \(\mathcal {D}\) is computationally unbounded, we can without loss of generality assume that it is deterministic, and we apply Lemma 1. The distinguisher makes q queries to \({\mathcal {O}}_1\in \{{\widetilde{F}}[1]_k,{\widetilde{\pi }}\}\), which are summarized in a view \(v_1=\{(t_1,m_1,c_1),\ldots ,(t_q,m_q,c_q)\}\). Similarly, it makes r queries to \({\mathcal {O}}_2=E\), which are summarized in a view \(v_2=\{(l_1,x_1,y_1),\ldots ,(l_r,x_r,y_r)\}\). Without loss of generality, we assume that neither \(v_1\) nor \(v_2\) contains duplicate elements. Additionally, we assume that both views are attainable. For \(v_1\), this is the case if and only if for any distinct \(i,i'\) with \(t_i=t_{i'}\), we have \(m_i\ne m_{i'}\) and \(c_i\ne c_{i'}\). The condition for \(v_2\) is analogous.

After \(\mathcal {D}\)’s interaction with \(({\mathcal {O}}_1,{\mathcal {O}}_2)\), but before it outputs its decision 0/1, we disclose the key k to the distinguisher. In the real world, this is the key used in the game; in the ideal world, k is a dummy, freshly drawn key. This is without loss of generality, as it can only increase the distinguishing advantage (the distinguisher may ignore the information if it wants). The complete view is denoted \(v=(v_1,v_2,k)\).

Bad Views. We next present our definition of bad views, followed by an informal explanation. We define by \({\mathcal {V}}_{{\mathrm {bad}}}\) the set of all views \(v\) such that at least one of the following two conditions holds:

$$\begin{aligned}&\exists \; (t,m,c)\in v_1,(l,x,y)\in v_2:\; (k\oplus t,m\oplus k\otimes t)=(l,x)\,,\end{aligned}$$
(11a)
$$\begin{aligned}&\exists \; (t,m,c)\in v_1,(l,x,y)\in v_2:\; (k\oplus t,c\oplus k\otimes t)=(l,y)\,. \end{aligned}$$
(11b)

Recall the partition \({\mathcal {V}}={\mathcal {V}}_{{\mathrm {good}}} \cup {\mathcal {V}}_{{\mathrm {bad}}}\), implying that any attainable view such that (11) does not hold, is good.

We give a high-level explanation of the definition of bad views. Note that we can implicitly “map” all tuples in \(v_1\) to their corresponding \(E\)-evaluation: a tuple \((t,m,c)\in v_1\) corresponds to \(E\)-evaluation \((k\oplus t,m\oplus k\otimes t,c\oplus k\otimes t)\), where k is given in \(v\). Intuitively, we want that there are no two tuples in \(v_1\cup v_2\) whose \(E\)-evaluations “collide”, in the sense that they render the same input to or output of \(E\). Two different tuples from \(v_2\) never collide, by attainability of \(v\). Two different tuples from \(v_1\) also never collide. Indeed, let \((t,m,c),(t',m',c')\in v_1\) be two different tuples. These collide if

$$\begin{aligned} (k\oplus t,m\oplus k\otimes t)&=(k\oplus t',m'\oplus k\otimes t')\text { or}\\ (k\oplus t,c\oplus k\otimes t)&=(k\oplus t',c'\oplus k\otimes t')\,, \end{aligned}$$

which is the case if and only if \((t,m)=(t',m')\) or \((t,c)=(t',c')\), impossible due to attainability of \(v\). Finally, collisions between \(v_1\) and \(v_2\) imply (11).

\(\mathbf{Pr}[Y\in {\mathcal {V}}_{\mathrm{bad}}]\). Consider the ideal world \(({\widetilde{\pi }},E)\). The key \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) is a dummy key drawn independently of \(v_1,v_2\). Starting with the first bad condition (11a), it is equivalent to

$$\begin{aligned} \exists \; (t,m,c)\in v_1,(l,x,y)\in v_2:\; (k\oplus t,m\oplus (l\oplus t)\otimes t)=(l,x)\,. \end{aligned}$$

Note that the second coordinate of this equation is independent of k: it depends solely on the tuples \((t,m,c)\in v_1\) and \((l,x,y)\in v_2\), and we apply Lemma 2 to it. For every \((t,m,c)\in v_1\) we ignore c and represent (t,m) as the line \(\ell :\mathtt{y}=t\otimes \mathtt{x} \oplus (m\oplus t\otimes t)\) in \({\mathrm {GF}}(2^n)^2\). For every \((l,x,y)\in v_2\), we ignore y and consider (l,x) as the point \((\mathtt{x},\mathtt {y})\) in \({\mathrm {GF}}(2^n)^2\). The number of combinations \((t,m,c)\in v_1\) and \((l,x,y)\in v_2\) such that \(m\oplus (l\oplus t)\otimes t=x\) is then exactly the number of point-line incidences \(I(v_2,v_1)\), which by Lemma 2 is at most \(\min \{q^{1/2}r+q,qr^{1/2}+r\}=:f(q,r)\). Each of these combinations fixes one possible value \(k=l\oplus t\) through the first coordinate. Therefore, there are at most f(q,r) keys that could set (11a). A symmetric reasoning applies to (11b). As \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\), we find

$$\begin{aligned} \mathbf{Pr}\left[ Y\in {\mathcal {V}}_{{\mathrm {bad}}}\right] \le \frac{2\min \{q^{1/2}r+q,qr^{1/2}+r\}}{2^n}\,. \end{aligned}$$

\(\mathbf{Pr}[X=v]/\mathbf{Pr}[Y=v]\). Let \(v\in {\mathcal {V}}_{{\mathrm {good}}} \). For the computation of \(\mathbf{Pr}\left[ X=v\right] \) and \(\mathbf{Pr}\left[ Y=v\right] \), it suffices to count the oracles that could result in view \(v\), for both the real and the ideal world. Formally, if we denote by \(\mathrm{all}_X\) the set of all oracles in the real world, and by \(\mathrm{comp}_X(v)\) the subset of them compatible with \(v\), we find \(\mathbf{Pr}\left[ X=v\right] =|\mathrm{comp}_X(v)|/|\mathrm{all}_X|\). Similarly for the ideal world.

Note that \(|\mathrm{all}_X|=2^n\cdot (2^n!)^{2^n}\), the number of possible keys k times the number of possible ciphers \(E\). Similarly, \(|\mathrm{all}_Y|=2^n\cdot (2^n!)^{2^n}\cdot (2^n!)^{2^n}\), where the first term now corresponds to the disclosed dummy key. The computation of the number of oracles compatible with \(v\) is slightly more involved. We group the tuples in \(v_1\) according to the tweak value and the tuples in \(v_2\) according to the key value. More formally, for \(t\in [0,2^n-1]\) define \(\alpha _t=|\{(t',m',c')\in v_1 \mid t'=t\}|\), and for \(l\in [0,2^n-1]\) define \(\beta _l=|\{(l',x',y')\in v_2 \mid l'=l\}|\). Additionally, denote for \(l\in [0,2^n-1]\):

$$\begin{aligned} \gamma _l=\alpha _{k\oplus l} + \beta _l\,. \end{aligned}$$

This definition of \(\gamma _l\) is inspired by the fact that a tuple \((t,m,c)\in v_1\) corresponds to an \(E\)-evaluation with key input \(l=k\oplus t\).

Using these definitions, we are ready to compute the number of compatible oracles. First consider \(\mathrm{comp}_X(v)\). As \(v\) is a good view and does not satisfy (11), every query tuple in \(v_1\cup v_2\) defines a unique \(E\)-evaluation. This leaves \(\prod _{l=0}^{2^n-1}(2^n-\gamma _l)!\) blockciphers \(E\in \mathsf{BC}(\{0,1\}^{n},\{0,1\}^{n})\) compliant with \((v_1,v_2)\). Additionally, the key k is uniquely fixed as it is included in \(v\). We find:

$$\begin{aligned} |\mathrm{comp}_X(v)| = \prod _{l=0}^{2^n-1}(2^n-\gamma _l)!\,. \end{aligned}$$

Next, for the ideal world, a similar reasoning shows that there are \(\prod _{t=0}^{2^n-1}(2^n-\alpha _t)!\) tweakable ciphers \({\widetilde{\pi }}\in {\widetilde{\mathsf{P}}}(\{0,1\}^{n},\{0,1\}^{n})\) compliant with \(v_1\) and \(\prod _{l=0}^{2^n-1}(2^n-\beta _l)!\) blockciphers \(E\in \mathsf{BC}(\{0,1\}^{n},\{0,1\}^{n})\) compliant with \(v_2\). We find:

$$\begin{aligned} |\mathrm{comp}_Y(v)|&= \prod _{t=0}^{2^n-1}(2^n-\alpha _t)!\cdot \prod _{l=0}^{2^n-1}(2^n-\beta _l)!\\&= \prod _{l=0}^{2^n-1}(2^n-\alpha _{k\oplus l})!\cdot (2^n-\beta _l)! \le (2^n)!^{2^n}\cdot \prod _{l=0}^{2^n-1}(2^n-\gamma _l)!\,, \end{aligned}$$

using that \((2^n-\alpha )!\cdot (2^n-\beta )!\le (2^n-\alpha -\beta )!\cdot 2^n!\) for any \(0\le \alpha ,\beta \le 2^n\). Assembling all bounds yields

$$\begin{aligned} \frac{\mathbf{Pr}\left[ X=v\right] }{\mathbf{Pr}\left[ Y=v\right] } = \frac{|\mathrm{all}_Y|\cdot |\mathrm{comp}_X(v)|}{|\mathrm{all}_X|\cdot |\mathrm{comp}_Y(v)|} \ge \frac{2^n\cdot (2^n!)^{2^n}\cdot (2^n!)^{2^n}\cdot \prod _{l=0}^{2^n-1}(2^n-\gamma _l)!}{2^n\cdot (2^n!)^{2^n}\cdot (2^n)!^{2^n}\cdot \prod _{l=0}^{2^n-1}(2^n-\gamma _l)!} = 1. \end{aligned}$$

Lemma 1 thus applies with \(\varepsilon =0\). \(\square \)

5 Two Blockcipher Calls

We suggest an alternative to \({\widetilde{F}}[1]\) based on two blockcipher calls and linear mixing functions \(A_1,B_1,A_2,B_2,A_3\). In more detail, we propose the following tweakable cipher \({\widetilde{F}}[2]:\{0,1\}^{n}\times \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\):

$$\begin{aligned} {\widetilde{F}}[2](k,t,m)=E(k\oplus t,m\oplus z)\oplus z\text {, where }z=E(k,t)\,. \end{aligned}$$

The function is depicted in Fig. 2. \({\widetilde{F}}[2]\) differs from \({\widetilde{F}}[1]\) in that the tweak processing \(z=k\otimes t\) is replaced by \(z=E(k,t)\). We remark that such a transition is fair, as a finite field multiplication and an AES call are comparably expensive on the latest Intel processors. In the following theorem, we prove that \({\widetilde{F}}[2]\) achieves optimal security.
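The three constructions \(\mathsf{LRW2}'\), \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) of Sects. 4.2 and 5, together with their inverses (which the paper does not spell out), as an added example that is not code from the paper. It assumes a toy block size \(n=8\), so that \(\otimes \) is multiplication in the AES field \({\mathrm {GF}}(2^8)\) with reduction polynomial \(x^8+x^4+x^3+x+1\), and it stands in for \(E\) with a seeded random permutation per key (`_perm`, `E_inv` and `is_tweakable_permutation` are helpers of this example, not of the paper). The functions follow the page's formulas exactly: the tweak enters the key as \(k\oplus t\), and the mask z is \(k\otimes t\) for \(\mathsf{LRW2}'\) and \({\widetilde{F}}[1]\) but \(E(k,t)\) for \({\widetilde{F}}[2]\).

```python
import random

# Toy parameters (assumption): n = 8, GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1.
N = 8
MASK = (1 << N) - 1
POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8): computes the mask z = k (x) t of LRW2' and F[1]."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & (1 << N):
            a ^= POLY
        b >>= 1
    return p & MASK


# Toy blockcipher: for each key an independent, seeded random permutation of {0,1}^n
# (assumption standing in for a real E such as AES; seeded so the example is deterministic).
_perm_cache = {}

def _perm(k: int):
    if k not in _perm_cache:
        table = list(range(1 << N))
        random.Random(f"toy-E-{k}").shuffle(table)
        inv = [0] * (1 << N)
        for x, y in enumerate(table):
            inv[y] = x
        _perm_cache[k] = (table, inv)
    return _perm_cache[k]

def E(k: int, x: int) -> int:
    return _perm(k)[0][x]

def E_inv(k: int, y: int) -> int:
    return _perm(k)[1][y]


def lrw2p(k: int, t: int, m: int) -> int:
    """LRW2'(k,t,m) = E(k, m (+) z) (+) z with z = k (x) t: the cipher key does not depend on t."""
    z = gf_mul(k, t)
    return E(k, m ^ z) ^ z

def lrw2p_inv(k: int, t: int, c: int) -> int:
    z = gf_mul(k, t)
    return E_inv(k, c ^ z) ^ z

def f1(k: int, t: int, m: int) -> int:
    """F[1](k,t,m) = E(k (+) t, m (+) z) (+) z with z = k (x) t: tweak-dependent key."""
    z = gf_mul(k, t)
    return E(k ^ t, m ^ z) ^ z

def f1_inv(k: int, t: int, c: int) -> int:
    z = gf_mul(k, t)
    return E_inv(k ^ t, c ^ z) ^ z

def f2(k: int, t: int, m: int) -> int:
    """F[2](k,t,m) = E(k (+) t, m (+) z) (+) z with z = E(k, t): two blockcipher calls."""
    z = E(k, t)
    return E(k ^ t, m ^ z) ^ z

def f2_inv(k: int, t: int, c: int) -> int:
    z = E(k, t)
    return E_inv(k ^ t, c ^ z) ^ z


def is_tweakable_permutation(enc, dec, k: int) -> bool:
    """Checks, for every tweak t, that enc(k, t, .) is a permutation and dec(k, t, .) inverts it."""
    for t in range(1 << N):
        seen = set()
        for m in range(1 << N):
            c = enc(k, t, m)
            if c in seen or dec(k, t, c) != m:
                return False
            seen.add(c)
    return True


if __name__ == "__main__":
    for name, enc, dec in (("LRW2'", lrw2p, lrw2p_inv), ("F[1]", f1, f1_inv), ("F[2]", f2, f2_inv)):
        print(name, "is a tweakable permutation:", is_tweakable_permutation(enc, dec, 0x2A))
```

Decryption needs only \(E^{-1}\) under the same tweak-dependent key, so the inverse direction costs the same as encryption; note that \({\widetilde{F}}[2]\) still evaluates \(E(k,t)\) in the forward direction when decrypting.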

Theorem 2

Let \(n\ge 1\). Let \(\mathcal {D}\) be a distinguisher making at most q construction queries and r primitive queries. Then,

$$\begin{aligned} \mathbf{Adv}_{{\widetilde{F}}[2]}^{\mathrm{\widetilde{sprp}}}(\mathcal {D}) \le \frac{r}{2^n} + \frac{2qr}{(2^n-q)(2^n-r)}\,. \end{aligned}$$

The bound guarantees security of \({\widetilde{F}}[2]\) up to almost \(2^n\) queries to both the construction and the primitive. In more detail, the bound is at most 1/2 as long as \(q,r\le 2^{n-2}\).

Proof

The proof is along the lines of that of Theorem 1, but differences arise due to the additional evaluations of \(E\) involved in the computation of \(z=E(k,t)\).

Let \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\), \(E\xleftarrow {{\scriptscriptstyle \$}}\mathsf{BC}(\{0,1\}^{n},\{0,1\}^{n})\), and \({\widetilde{\pi }}\xleftarrow {{\scriptscriptstyle \$}}{\widetilde{\mathsf{P}}}(\{0,1\}^{n},\{0,1\}^{n})\). As before, we consider a computationally unbounded, deterministic, distinguisher \(\mathcal {D}\) that has bidirectional access to \(({\widetilde{F}}[2]_k,E)\) in the real world and \(({\widetilde{\pi }},E)\) in the ideal world. The distinguisher makes q queries to \({\mathcal {O}}_1\in \{{\widetilde{F}}[2]_k,{\widetilde{\pi }}\}\), and these are summarized in a view \(v_1=\{(t_1,m_1,c_1),\ldots ,(t_q,m_q,c_q)\}\). Similarly, it makes r queries to \({\mathcal {O}}_2=E\), which are summarized in \(v_2=\{(l_1,x_1,y_1),\ldots ,(l_r,x_r,y_r)\}\). Again, we assume that both \(v_1\) and \(v_2\) are attainable when interacting with the ideal world and do not contain duplicate elements.

After \(\mathcal {D}\)’s interaction with \(({\mathcal {O}}_1,{\mathcal {O}}_2)\), but before it outputs its decision 0/1, we again disclose the key k (a dummy k in the ideal world). We additionally disclose to the distinguisher all values \(z_i=E(k,t_i)\) for \(i=1,\ldots ,q\). These are disclosed in the form of a view \(v_z=\{(k,t_1,z_1),\ldots ,(k,t_{q'},z_{q'})\}\), where \(q'\) denotes the number of distinct tweak values in \(v_1\) (note that the same tweak may indeed appear in different tuples of \(v_1\)). Again, these disclosures are without loss of generality, as they can only increase the distinguishing advantage. The complete view is now denoted \(v=(v_1,v_2,v_z,k)\).

Bad Views. We define by \({\mathcal {V}}_{{\mathrm {bad}}}\) the set of all views \(v\) such that at least one of the following three conditions holds:

$$\begin{aligned}&\exists \; (l,x,y)\in v_2:\; k=l\,,\end{aligned}$$
(12a)
$$\begin{aligned}&\exists \; (t,m,c)\in v_1,(l,x,y)\in v_2,(k,t,z)\in v_z:\; (k\oplus t,m\oplus z)=(l,x)\,,\end{aligned}$$
(12b)
$$\begin{aligned}&\exists \; (t,m,c)\in v_1,(l,x,y)\in v_2,(k,t,z)\in v_z:\; (k\oplus t,c\oplus z)=(l,y)\,. \end{aligned}$$
(12c)

Recall the partition \({\mathcal {V}}={\mathcal {V}}_{{\mathrm {good}}} \cup {\mathcal {V}}_{{\mathrm {bad}}}\), implying that any attainable view such that (12) does not hold, is good. The bad conditions (12b-12c) match (11a-11b), with the difference that \(z=E(k,t)\) is involved. The bad condition (12a) is new and is used to rule out the event that any of the evaluations in \(v_z\) already “appears” in \(v_2\) (the condition is slightly stronger, assuring that \(v_2\) does not contain any query for key k).

\(\mathbf{Pr}[Y\in {\mathcal {V}}_{\mathrm{bad}}]\). Consider the ideal world \(({\widetilde{\pi }},E)\). The key \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\) is a dummy key drawn independently of \(v_1,v_2\). By basic probability theory,

$$\begin{aligned} \mathbf{Pr}\left[ \text {(12)} \right] \le \mathbf{Pr}\left[ \text {(12a)} \right] + \mathbf{Pr}\left[ \text {(12b)}\vee \text {(12c)} \mid \lnot \text {(12a)} \right] \,. \end{aligned}$$

Condition (12a) holds with probability at most \(r/2^n\), as there are at most r possible values l and the key is drawn uniformly from \(\{0,1\}^{n}\). Assume (12a) is not set, so \(v_2\) does not contain any tuple \((k,\cdot ,\cdot )\). This in particular means that all values \(z_1,\ldots ,z_{q'}\) are drawn independently of \(v_1,v_2\). Regarding condition (12b), we have q tuples in \(v_1\) and r tuples in \(v_2\). Any combination fixes one possible pair \((l\oplus t,x\oplus m)\) and also fixes exactly one tuple in \(v_z\). Therefore, there are at most qr possible drawings of (k,z) that could set (12b). A symmetric reasoning applies to (12c). As k is uniformly drawn from a set of size at least \(2^n-r\) (condition \(\lnot \)(12a) rules out at most r values), and the corresponding z is drawn from a set of size at least \(2^n-q\) (there are at most q values z, all distinct as \(E(k,\cdot )\) is a permutation), we find

$$\begin{aligned} \mathbf{Pr}\left[ (12b)\vee (12c) \mid \lnot (12a) \right] \le \frac{2qr}{(2^n-q)(2^n-r)}\,. \end{aligned}$$

Combining the bounds results in \(\mathbf{Pr}\left[ Y\in {\mathcal {V}}_{{\mathrm {bad}}}\right] \le \dfrac{r}{2^n} + \dfrac{2qr}{(2^n-q)(2^n-r)}\).

\(\mathbf{Pr}[X=v]/\mathbf{Pr}[Y=v]\). The analysis of Theorem 1 carries over verbatim, with the difference that \(v_2\) and \(v_z\) are merged into a single view \(v_2\cup v_z\). Note that, by our definition of good views, these two sets neither overlap nor conflict. \(\square \)

The scheme \({\widetilde{F}}[2]\) is as expensive as the tweakable blockcipher by Minematsu [33], which also makes two blockcipher calls, one with a tweak-dependent key. On the other hand, it achieves a significantly higher level of security: \(2^n\) versus \(2^{\max \{n/2,n-|t|\}}\), where |t| denotes the size of the tweak.

6 Conclusions

We considered the generic design of n-bit tweakable blockciphers based only on calls to a classical blockcipher. \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) show that good beyond birthday bound security can be achieved quite elegantly. In more detail, the latter construction makes only two blockcipher calls and achieves optimal security.

As suggested in the original formalization of tweakable blockciphers by Liskov et al. [29], tweak renewal should be cheaper than key renewal. To a certain degree, this is a reasonable condition, but once generic constructions such as \(\mathsf{LRW2}[\rho ]\) require more and more primitive calls, it is of theoretical and practical interest to search for alternatives that relax this side condition (see also Jean et al. [23]). In fact, \({\widetilde{F}}[1]\) and \({\widetilde{F}}[2]\) improve over the state of the art in beyond birthday bound solutions, both in key size and in efficiency, as long as key renewal is reasonably cheap.

A direction for future research would be to investigate if improved bounds can be derived for \({\widetilde{F}}[1]\) or any other one-call scheme. Additionally, we note that our schemes are analyzed in the single-key model, and it may be of interest to investigate them under the related-key model where the adversary may influence the key input to the tweakable blockcipher. Finally, it is of interest to derive two-call schemes where the tweak transforms the key input to the underlying blockcipher in a more randomized way (in a similar fashion as \(\mathsf{Min}\) of (5)).