# Connecting tweakable and multi-key blockcipher security

- 627 Downloads
- 1 Citations

## Abstract

The significance of understanding blockcipher security in the multi-key setting is highlighted by the extensive literature on attacks, and how effective key size can be significantly reduced. Nevertheless, little attention has been paid in formally understanding the design of multi-key secure blockciphers. In this work, we formalize the multi-key security of tweakable blockciphers in case of general key derivation functions. We show an equivalence between blockcipher multi-key security and tweakable blockcipher security. Our equivalence connects two objects of study, the iterated Even–Mansour (EUROCRYPT 2012) and the iterated Tweakable Even–Mansour (CRYPTO 2015), which establishes that results in both areas are, to a certain extent, transferable. Using our novel equivalence relation, we derive new bounds for both constructions, pave the path towards the solution of two well-studied conjectures, and show that, contrary to common knowledge, key derivation functions need not necessarily be pseudorandom functions in order to provide security: for the iterated Even–Mansour universal hash functions suffice.

## Keywords

Even–Mansour Tweakable Even–Mansour Cascaded LRW Multi-key Conjectures## Mathematics Subject Classification

94A60## 1 Introduction

A necessity for any cryptographic system is the ability to support communication among many users, for potentially long periods of time. Enabling security in such scenarios requires distributing many keys, not only per user, but also per unit of time. As a result, understanding the multi-key security of cryptographic algorithms is important.

In applications where symmetric-key algorithms are used for the bulk of communication, the difficulty in maintaining security in multi-key settings involves not only initially distributing and managing keys for each pair of communicating parties, but also ensuring that keys are not used beyond recommended data and time limits. How long a key can be used and how much data it can process is determined via cryptanalysis and security bounds estimating adversarial success probability. However, until recently, most analysis has been performed in the single-key setting, even though analyzing cryptographic algorithms in the multi-key setting has more practical significance.

Nevertheless, the limitations of the multi-key setting are well-understood for a large variety of cryptographic algorithms, such as public key encryption [5], key establishment protocols [9, 13], signatures [65], and message authentication codes [6, 17]. Blockciphers are no exception, and have been the subject of many attacks taking advantage of the availability of multiple keys. For example, Biham [7] showed that the effective key size of blockciphers can halve in the multi-key setting, provided sufficiently many keys are employed in the encryption of a known plaintext. Subsequent attacks used time-memory-key tradeoffs [12, 29, 34, 41] for improvements.

Despite the multitude of attacks, little exploration has been done concerning the design of blockciphers in the multi-key setting. This is most likely due to the result stating that the multi-key security of a blockcipher can be reduced to its single-key security with a security loss proportional to the number of keys used, a fact which has been formally proven for public key encryption schemes [5] and message authentication codes [17], among others. This reduction relies on the fact that all keys are independent and uniformly distributed. In practice, however, generating keys is often done via the use of key derivation functions (KDFs), which use a master key to output many different keys. Therefore, to be able to rely on single-key security, such a KDF must behave like a pseudorandom function, so that its outputs are computationally indistinguishable from independent, uniformly distributed values.

### 1.1 Linking multi-key security with tweakable blockciphers

Our main contribution is drawing a powerful connection between the multi-key security of blockciphers and the security of *tweakable* blockciphers. As a first step towards the connection, we present a generalized definition of multi-key security of (tweakable) blockciphers in Sect. 3. While earlier definitions, including Mouha and Luykx [64], only considered independent, uniformly generated keys, we introduce KDFs in the definition of multi-key security, and say that the combination of a blockcipher with KDF is secure if it is indistinguishable from uniform random permutations.

By explicitly including KDFs into blockcipher security, and viewing key schedules as a type of KDF, one can put weak, known, and related key attacks in perspective with multi-key security. More importantly, due to the explicit inclusion of KDFs, the connection between multi-key and tweakable blockcipher security (Sect. 4) is immediate. This connection allows one to use the large body of work on tweakable blockciphers (see Sect. 5) to understand the multi-key security of blockciphers, and vice versa.

Finally, via the connection with tweakable blockciphers, *related-key* security of blockciphers [10] can also be linked to multi-key security. In more detail, in related-key security, an attacker may transform the master key via a related-key-deriving function, which could also be interpreted as deriving a new subkey in the multi-key setting.

### 1.2 Application to even–mansour and tweakable even–mansour

By identifying KDFs with key schedules, or rather TWEAKEY schedules [48], which process both tweak and key input to generate subkeys for use in blockciphers, significant performance gains can be made depending upon the application. KDFs are usually designed to behave like pseudorandom functions, which is the optimal choice when blockciphers are treated like black boxes. However, in order to improve performance blockciphers cannot be treated as black boxes, and KDFs must be designed with specific blockciphers in mind, which is what a TWEAKEY schedule is.

Chen and Steinberger [19] proved that \(\mathrm {EM} [r]\) achieves asymptotically \(2^{rn/(r+1)}\) single-key security for arbitrary \(r\ge 1\). Hoang and Tessaro [42] recently simplified their bound and improved it by a constant factor. They additionally demonstrated how the results directly generalize to the multi-key setting based on uniformly random KDF. For \(\mathrm {TEM} [r]\), Cogliati et al. [16] proved \(2^{n/2}\) single-key security for \(r = 1\), \(2^{2n/3}\) for \(r = 2\), and \(2^{rn/(r+2)}\) for any *even* *r*, and conjectured that it achieves (tight) \(2^{rn/(r+1)}\) single-key security for any \(r\ge 1\). These results are summarized in Table 1, with further related work in Sect. 5.

*any*

*r*, as long as the universal hash function is replaced by a uniform random function, and the adversaries use a limited number of tweaks. In applications where the number of tweaks can be limited to a small number, as might, for example, be the case in certain authenticated encryption schemes [2, 26, 68], our newly obtained bound on \(\mathrm {TEM} [r]\) improves over the state of the art, and even solves the conjecture by Cogliati et al. in 2015 [21] for the specific case of uniformly random masking. The replacement of the universal hash function by a uniform random function may in certain settings by a burden, but this condition allows us to make a first step towards solving this conjecture for general masking. The new bounds are summarized in Table 1.

State of the art and new results on \(\mathrm {EM} [r]\), \(\mathrm {TEM} [r]\), and \(\mathrm {LRW} [r]\), with *n* the size of the permutation or blockcipher, \(\mu \) the number of users, and \(\ell \) the number of tweaks used

Scheme | Model | # Rounds | Note | ||
---|---|---|---|---|---|

1 | 2 | | |||

\(\mathrm {EM} \) | Single-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+1}}\) | |

\(\mathrm {EM} \) | UAXU-multi-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+2}}\) | New |

\(\mathrm {EM} \) | Random-multi-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+1}}\) | |

\(\mathrm {TEM} \) (UAXU mask) | Single-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+2}}\) | [16] |

\(\mathrm {TEM} \) (random mask) | Single-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+1}}\) | New |

\(\mathrm {LRW} \) (AXU mask) | Single-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+2}}\) | |

\(\mathrm {LRW} \) (random mask) | Single-key | \(2^{n/2}\) | \(2^{2n/3}\) | \(2^{\frac{rn}{r+1}}\) | New |

As a bonus, the new \(\mathrm {TEM} [r]\) bound carries over to its blockcipher-based sibling \(\mathrm {LRW} [r]\) [53, 55, 56, 67]; see Fig. 1 for its depiction, and Sect. 5 for a detailed explanation of the construction. Our bounds therefore also partially solve the related conjecture by Landecker et al. [56] and Lampe and Seurin [55] on \(\mathrm {LRW} [r]\), provided the maximum number of tweaks can be bounded and the masking is random.

Finally, we also consider multi-key security of \(\mathrm {EM} [r]\) with a KDF that is not necessarily random. Using aforementioned equivalence in reverse direction, in Sect. 5.4 we transfer the results from Cogliati et al. [16] on \(\mathrm {TEM} [r]\) to multi-key security bounds of \(\mathrm {EM} [r]\) which do not degrade relative to the number of users, but with the same limitations on *r* as with the \(\mathrm {TEM} [r]\) bounds (see Table 1). The bound is identical to that of [16]. Interestingly, we are able to conclude that a pseudorandom KDF is *not* necessary to achieve multi-key security with the \(\mathrm {EM} [r]\) construction. Since the tweaks for \(\mathrm {TEM} [r]\) are generated using universal hash functions, such functions suffice as KDF for \(\mathrm {EM} [r]\).

### 1.3 Performance gains

Besides the necessity of using pseudorandom KDFs when the blockcipher is treated as a black box, it is also important if the application scenario contains malicious users: it should be infeasible for one pair of communicating users to guess the keys of other users. Therefore, weakening the KDF must be done with care. However, there are applications where the users are known not to be malicious.

Consider wireless sensor networks for example, which consist of small autonomous sensors used to monitor environmental conditions. Using our connection between multi-key security and tweakable blockciphers, it is clear that in those settings one could replace the combination of a KDF and blockcipher with a single tweakable blockcipher, where the “keys” for each of the sensors would correspond to different tweaks for the tweakable blockcipher. Even though each of the sensors could easily compute the “key” of any other sensor, the main security threat in this scenario are external attackers, not the sensors themselves. This approach is formalized in Sect. 6.

The only issue would be key compromise of a sensor, which would immediately leak the key, and therefore security of the entire system would be lost. Even if it is difficult to ensure that no sensor will leak its key, one can still avoid using pseudorandom KDFs. For example, an intermediate solution is to group together sensors, and to distribute an independent key to each group, while communication within the group is performed by changing tweaks. In Sect. 3.2 we describe another solution, which uses universal hash functions which are secure against collusion of a group of users, meaning a certain number of sensors could be compromised without the entire system loosing security.

## 2 Preliminaries

The set of bit strings of length \(n\ge 0\) is denoted \(\{0,1\}^{n}\). For two sets \(\mathcal {X},\mathcal {Y}\), the set of all functions from \(\mathcal {X}\rightarrow \mathcal {Y}\) is denoted \(\mathsf {Func} (\mathcal {X},\mathcal {Y})\), the case of \(\mathcal {X}=\mathcal {Y}\) being abbreviated to \(\mathsf {Func} (\mathcal {X})\). The set of permutations on \(\mathcal {X}\) is denoted \(\mathsf {Perm} (\mathcal {X})\). Uniform random drawing of an element *x* from \(\mathcal {X}\) is denoted \(x\xleftarrow {{\scriptscriptstyle \$}}\mathcal {X}\).

### 2.1 Blockciphers and tweakable blockciphers

A blockcipher is a mapping \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) where for every key \(k\in \mathcal {K}\), the function \(E(k,\cdot )\) is a permutation on \(\mathcal {M}\). Its inverse is denoted \(E^{-1}(k,\cdot )\). A tweakable blockcipher is a mapping \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) where for every key \(k\in \mathcal {K}\) and every tweak \(t\in \mathcal {T}\), the function \(\widetilde{E}(k,t,\cdot )\) is a permutation on \(\mathcal {M}\). Its inverse is denoted \(\widetilde{E}^{-1}(k,t,\cdot )\). Denote by \(\mathsf {TPerm} (\mathcal {T},\mathcal {M})\) the set of all functions \(\widetilde{\pi }:\mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that \(\widetilde{\pi }(t,\cdot )\in \mathsf {Perm} (\mathcal {M})\) for all \(t\in \mathcal {T}\).

Note that a conventional blockcipher is a tweakable blockcipher with tweak space of size 1, meaning that tweakable blockcipher security definitions can be applied to blockciphers. Therefore, we will only discuss the security of tweakable ciphers, which will be denoted explicitly with the use of ‘T’ and ‘\(\sim \)’. The corresponding notation for conventional blockciphers follows by removing the ‘T’s and ‘\(\sim \)’s.

Let \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) be a tweakable blockcipher that is internally based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \), where \(\mathsf {Prims} \) is some set of primitives. Examples include \(\mathsf {Prims} =\mathsf {Perm} (\mathcal {M})\), which is used in the Even–Mansour constructions, and \(\mathsf {Prims} =\mathsf {Func} (\mathcal {M}')\), which is used in Feistel networks where \(\mathcal {M}'\) is of size smaller than \(\mathcal {M}\).

In the following definition we consider a distinguisher \(\mathcal {D}\) that either interacts in a “real world”, where it has query access to \(\widetilde{E}_k\) with secret \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\), or an “ideal world”, where \(\mathcal {D}\) interacts with an ideal tweakable permutation \(\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\mathsf {TPerm} (\mathcal {T},\mathcal {M})\). In both worlds \(\mathcal {D}\) gets access to the idealized primitives \({\varPi }=(\varPi _1,\ldots ,\varPi _r)\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Prims} ^r\). The goal of \(\mathcal {D}\) is to distinguish the real from the ideal world.

### Definition 1

*STPRP security*) Consider \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \). The \(\mathrm {STPRP}\) (strong tweakable pseudorandom permutation) advantage of a distinguisher \(\mathcal {D}\) is

*q*queries to the construction for at most \(\ell \) different tweaks, and

*p*queries to each of the primitives.

Inclusion of the parameter \(\ell \) might seem artificial, but it can be set arbitrarily large and therefore does not limit applicability of the definition. Although it is included to describe distinguishers more accurately, it has a meaningful connection to the security bounds of MAC functions and authenticated encryption schemes based on blockciphers. In more detail, consider an authenticated encryption scheme based on a tweakable blockcipher, denote by \(\ell '\) the maximal message length, and \(\ell \) the number of different tweaks employed in the authenticated encryption schemes. On the one hand, the parameter \(\ell '\) often plays a significant role in the security bounds, while on the other hand, the values \(\ell \) and \(\ell '\) are often close to each other, and differ at most by a multiplicative constant. For example, for COPA [2], ELmE [26], and SCT [68], we have \(\ell \approx 2\ell '\).

### 2.2 Universal hash functions

*H*is

*uniform*if for any \(x\in \mathcal {X}\) and \(y\in \mathcal {Y}\), we have

*H*is \(\varepsilon \)-

*almost-XOR-universal*

*(*\(\varepsilon \)-

*AXU)*

^{1}if for any distinct \(x,x'\in \mathcal {X}\) and \(y\in \mathcal {Y}\), we have

*H*is \(\varepsilon \)-

*UAXU*if it is uniform and \(\varepsilon \)-AXU.

### Lemma 1

\(\mathsf {F} ^{\mathcal {X}}_{\mathcal {Y}}\) is uniform and \(|\mathcal {Y}|^{-1}\)-AXU.

Throughout, we will simply write \(\mathsf {F} ^{\mathcal {X}}_{n}\) for \(\mathsf {F} ^{\mathcal {X}}_{\{0,1\}^{n}}\). Our interest in uniform random functions is purely in connecting our definition of multi-key security to the conventional definitions.

## 3 Multi-key security

Mouha and Luykx [64] formalized the notion of multi-key security of blockciphers, and applied it to one round of Even–Mansour (cf. Sect. 5.1). We introduce the generalization of this model to (i) tweakable blockcipher constructions and (ii) arbitrary key derivation functions. The model shows similarity with that of Hoang and Tessaro [42]. As in Sect. 2.1 we will discuss the multi-key security model for tweakable blockciphers, including ‘T’s and ‘\(\sim \)’s. The multi-key security for conventional blockciphers follows by removing the ‘T’s and ‘\(\sim \)’s.

In the definition below, \(\mu \) represents the number of instantiations with which the adversary interacts. A master key \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}'\) is generated for use in the key derivation function (KDF) \(F:\mathcal {K}'\times \mathcal {X}\rightarrow \mathcal {K}\), which maps the master key along with what we call an ID in \(x\in \mathcal {X}\), to a key in \(\mathcal {K}\). Here, the different IDs correspond to the different instances in the multi-key setting. The adversary can adaptively choose IDs via the oracle \(\widetilde{E}_{F(k,\cdot )}\), where the ID is input via \(F(k,\cdot )\). The adversary can instantiate at most \(\mu \) IDs. The ideal functionality corresponding to \(\widetilde{E}_{F(k,\cdot )}\) is \(\widetilde{\pi }_{(\cdot )}\), which is formalized as a tweakable permutation with tweak space \(\mathcal {T}\times \mathcal {X}\): the subscript input \((\cdot )\) can be viewed as a tweak input from \(\mathcal {X}\) which specifies the selected user, which in turn specifies a particular tweakable permutation to use. Figure 2 depicts the oracles with which distinguisher \(\mathcal {D}\) interacts.

### Definition 2

*TMK security*) Let \(\mu \ge 1\). Consider tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \), and let \(F:\mathcal {K}'\times \mathcal {X}\rightarrow \mathcal {K}\) with \(|\mathcal {X}|\ge \mu \) be a KDF. The \(\mathrm {TMK}\) advantage of a distinguisher \(\mathcal {D}\) is

*q*queries to the \(\mu \) constructions (in whatever distribution), for at most \(\ell \) different tweaks per construction, and

*p*queries to each of the primitives.

### 3.1 Compatibility with prior definitions

Due to the generalized nature of our definition, it is in fact *equivalent* to the definition of related-key security of (tweakable) blockciphers [10, 21, 32], although the applications structurally differ in the types of key derivation functions considered. Particularly, related-key security targets simple KDFs, often as simple as bitwise XOR or bitwise addition, while for multi-key security the KDFs are usually stronger primitives, and in most cases are pseudorandom. Nevertheless, the obvious equivalence between related-key security and our generalized multi-key security definition hints at the existence of more applications of our work in the context of related-key security, although this direction is beyond the scope of our work.

### 3.2 On multi-key-derivation functions

Taking a uniformly random KDF is, naturally, the most secure way of multi-key derivation, but it requires a lot of randomness. Definition 2 allows us to consider more general KDFs, including universal hash functions and pseudorandom number generators.

On a more general note, we remark that typically stand-alone key derivation functions are multi-purpose, with main application the key derivation from passwords and salts. We refer to Yao and Yin [35], Krawczyk [43, 49], and ISO-18033-3 [47] for various designs and analyses.

## 4 Tweakable blockciphers versus multi-key security

A distinguisher \(\mathcal {D}_1\) attacking the \(\mathrm {MK}\) security of \(E\) with respect to \(F\) can be converted into a distinguisher \(\mathcal {D}_2\) attacking the \(\mathrm {STPRP}\) security of \(\widetilde{E}\), by mapping each ID queried by \(\mathcal {D}_1\) into a tweak queried by \(\mathcal {D}_2\). Conversely, any \(\mathrm {STPRP}\) distinguisher \(\mathcal {D}_2\) can be converted into a \(\mathrm {MK}\) distinguisher \(\mathcal {D}_1\) by using the reverse transformation, namely, map each tweak into a different ID. Formally, we achieve the following theorem.

### Theorem 1

### Proof

*m*made to ID \(t\in \mathcal {T}\) is converted into a \(\widetilde{E}\)-query (

*t*,

*m*) with tweak

*t*and input

*m*. All primitive queries and \(\mathcal {D}_1\)’s final decision are forwarded by \(\mathcal {D}_2\). Note that \(E_{F(k,\cdot )} = \widetilde{E}_k^{(\cdot )}\), where the ID input of \(E\) is changed to tweak input for \(\widetilde{E}\). Similarly, a permutation \(\pi _{(\cdot )}\) with ID input, is equivalent to a tweakable permutation \(\widetilde{\pi }\) where the IDs are mapped to tweaks. This means we have,

## 5 Application of equivalence of Sect. 4

We briefly summarize the state of the art on iterated Even–Mansour (Sect. 5.1), Tweakable Even–Mansour (Sect. 5.2), and LRW (Sect. 5.3). Then, we consider the application of the equivalence of Sect. 4 to these constructions in Sect. 5.4.

### 5.1 Iterated Even–Mansour

*r*-round iterated Even–Mansour construction \(\mathrm {EM} [r]:\{0,1\}^{(r+1)n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) as (see also Fig. 1)

*n*-bit permutations. The first formal presentation of this construction is by Even and Mansour at ASIACRYPT ’91 [30, 31], who introduced it for \(r=1\) and proved that it achieves \(2^{n/2}\) security. Daemen proved tightness of this bound [22]. The general construction was introduced by Bogdanov et al. [11]. Following a line of research set, among others, by Dunkelman et al. [25], Lampe et al. [52], and Steinberger [74], Chen and Steinberger [19] proved that \(\mathrm {EM} [r]\) tightly achieves \(\mathcal {O}(2^{rn/(r+1)})\) single-key blockcipher security in the model of Sect. 2.1. This bound is, however, asymptotic, and Hoang and Tessaro [42] recently improved their bound on \(\mathrm {EM} [r]\).

### Proposition 1

Their bound is in fact a bit more fine-grained, having *p* separated over all *r* primitives. It is important that the results on \(\mathrm {EM} [r]\) [19, 42] effectively require *r*-wise independency of the key, i.e., for any \(i\in \{1,\ldots ,r+1\}\), \((k_1,\ldots ,k_{i-1},k_{i+1},\ldots ,k_{r+1})\) has a uniform distribution on \(\{0,1\}^{rn}\) [19, p. 329].

Andreeva et al. [3] and Mouha and Luykx [64] considered one round of Even–Mansour in the multi-key setting, and showed that similar results are achieved.

### Proposition 2

Hoang and Tessaro [42] derived a strong generic reduction from multi-key to single-key security and transferred their result (Proposition 1) to the multi-key setting.

### Proposition 3

Beyond single-key and multi-key security, further works on \(\mathrm {EM} [r]\) cover the related-key security [21, 32], chosen-key security [1, 38, 54], and security of minimized \(\mathrm {EM} [2]\) [15].

### 5.2 Iterated tweakable Even–Mansour

*r*-round iterated Tweakable Even–Mansour construction \(\mathrm {TEM} [r]:\mathcal {K}^r\times \mathcal {T}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) as (see also Fig. 1)

*n*-bit permutations, and \(H = \{h_k:\mathcal {T}\rightarrow \{0,1\}^{n} \mid k\in \mathcal {K}\}\) is a uniform almost-XOR-universal hash function family. Cogliati et al. [16] derived the following security results for \(\mathrm {TEM} [r]\).

### Proposition 4

*r*-wise independent masking, be it of a specific form.

Further constructions related to \(\mathrm {TEM} [r]\), and to which our findings can be applied as well, are XPX [59], MEM [37], and a variant of \(\mathrm {TEM} [4]\) with linear mixing [20].

### 5.3 Iterated LRW

*r*-round \(\mathrm {LRW} [r]\) construction is based on

*r*blockcipher calls instead of

*r*permutations. It is defined identically as in (5), with \(P_1,\ldots ,P_r\) instantiated as \(E_{z_1},\ldots ,E_{z_r}\) for independent keys \(z_1,\ldots ,z_r\).We can likewise use the definition of STPRP security of Definition 1 where, now,

*p*bounds the total number of evaluations of

*E*a distinguisher can make. A security analysis for \(r=1\) was performed by Liskov et al. [53], \(r=2\) by Landecker et al. [56] and Procter [67], and for a general number of even rounds by Lampe and Seurin [55]. These results on \(\mathrm {LRW} [r]\) are comparable to the bounds of Proposition 4, which should not be surprising as

*r*independent

*secret*permutations \(P_1,\ldots ,P_r\). This step costs at most \(r\cdot \mathbf {Adv} _{E}^{\mathsf {sprp}}(q,p)\). What remains is the \(\mathrm {TEM} [r]\) construction with the difference that the adversary has no access to the secret underlying permutations, hence we have \(p=0\): \(\mathbf {Adv} _{\mathrm {TEM} [r]}^{\mathsf {stprp}}(q,\ell ,0)\). See also [16, Remark 1].

Further constructions related to \(\mathrm {LRW} [1]\) include the XEX construction [71] and its generalizations [18, 37, 62], tweakable Feistel schemes [36, 60], and tweakable blockciphers with tweak-dependent rekeying [58, 61, 63].

### 5.4 Application of equivalence of Sect. 4

*r*-wise independence, it is clear to see that the result immediately generalizes to any \(F\) which outputs

*r*-wise independent keys with the same joint distribution.

### Corollary 1

Note that the result of Proposition 3 is better than that of Corollary 1, but it explicitly requires random key-derivation while Corollary 1 allows for a more flexible key-derivation.

By using the equivalence reduction of Theorem 1 in reverse direction, we can transfer Proposition 3 to the security of Tweakable Even–Mansour \(\mathrm {TEM} [r]\).

### Corollary 2

Similarly, for \(\mathrm {LRW} [r]\), we can find via (7) the following corollary.

### Corollary 3

As a matter of fact, the two corollaries apply to \(\mathrm {TEM} [r]\) and \(\mathrm {LRW} [r]\) *for any form of r-wise independence keying* (not just (6)). Clearly, for \(r=1\) and \(r=2\), above corollaries do not improve over the state of the art for \(\mathrm {LRW} [r]\) [53, 55, 56] and \(\mathrm {TEM} [r]\) [21]. On the other hand, for \(r\ge 3\), the corollaries solve the conjectures on the two schemes for a specific scenario: the UAXU family of hash functions is \(\mathsf {F} ^{\mathcal {T}}_{n}\) of (1).

## 6 Tweakable blockciphers versus related-key security

The first formalization of related-key security was by Bellare and Kohno [10]. Cogliati and Seurin [21] generalized the model to blockciphers and applied it to cascaded Even–Mansour (cf. Sect. 5.1). Mennink [59] provided a formalism for the case of tweakable blockcipher constructions.

The definition of related-key security is in fact strongly related to that of multi-key security of Sect. 3. In related-key attacks, a set of related-key-deriving functions \(\varPhi \) is defined prior to the experiment. The adversary can adaptively choose related-key functions \(\varphi \) from \(\varPhi \) that transform the key under which the query is made: \(\widetilde{E}_{\varphi (k)}\). As such, one can specifically see related-key security as multi-key security using key derivation function \(F:\mathcal {K}\times \varPhi \rightarrow \mathcal {K}\) defined as \(F(k,\varphi )=\varphi (k)\). The ideal functionality corresponding to \(\widetilde{E}_{F(k,\cdot )}\) is \(\widetilde{\pi }_{(\cdot )}\), which is formalized as a tweakable permutation with tweak space \(\mathcal {T}\times \varPhi \): the subscript input \((\cdot )\) can be viewed as a tweak input from \(\varPhi \) which specifies the selected user, which in turn specifies a particular tweakable permutation to use.

### Definition 3

*TRK security*) Let \(\varPhi \) be a set of related-key-deriving functions. Consider tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \), and let \(F:\mathcal {K}\times \varPhi \rightarrow \mathcal {K}\) be defined as \(F(k,\varphi )=\varphi (k)\). The \(\mathrm {TRK}\) advantage of a distinguisher \(\mathcal {D}\) is

*q*queries to the construction for at most \(\ell \) different related-key-deriving functions per construction, and

*p*queries to each of the primitives.

### 6.1 On related-key-derivation functions

### 6.2 Relation

### Theorem 2

### Proof

*t*. Then, each query \((\delta ,m)\) made by \(\mathcal {D}_1\) (we can without loss of generality describe an element \(\varphi _\delta \in \varPhi _{\mathrm {id}\Vert \oplus }\) by \(\delta \)) is transformed into a query \((t\oplus \delta ,m)\) to \(\widetilde{E}\), and the response is relayed. \(\mathcal {D}_1\)’s final decision is forwarded by \(\mathcal {D}_1\). By design,

\(\square \)

*k*the same, and changing

*t*for all users. For instance, if \(\mu \) instances of \(E\) are required, these could be generated via the following offsets:

## 7 Conclusion

Our research illustrates how placing existing security definitions in a different context can lead to fruitful insights. After extending the definition of blockcipher multi-key security to include KDFs, the connection with tweakable blockcipher security immediately follows, and with it the connections to related-key security and the security of blockcipher key schedules. We applied these connections to illustrate how results on the iterated Even–Mansour and the iterated Tweakable Even–Mansour can be transferred between each other, resulting in new theoretical results. Furthermore, our definitions and results pave the way to understanding the design of KDFs, in particular, ones which are not necessarily PRFs. We saw how the KDFs can be implemented as universal hash functions, which could result in efficiency improvements in practice.

## Footnotes

- 1.
The “almost” is in fact implicit in the term \(\varepsilon \), but we will maintain it conform general convention.

## Notes

### Acknowledgements

This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). Jooyoung Lee is supported by a Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2013R1A1A2007488). Atul Luykx is supported by a Fellowship from the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen). Bart Mennink is supported by a postdoctoral fellowship from the Netherlands Organisation for Scientific Research (NWO) under Veni grant 016.Veni.173.017. Core ideas of this work have been developed during the Asian Workshop on Symmetric Key Cryptography 2015.

## References

- 1.Andreeva E., Bogdanov A., Dodis Y., Mennink B., Steinberger J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti R., Garay J.A. (eds.) CRYPTO 2013. LNCS, Part I, vol. 8042, pp. 531–550. Springer, Heidelberg (2013).Google Scholar
- 2.Andreeva E., Bogdanov A., Luykx A., Mennink B., Tischhauser E., Yasuda K.: Parallelizable and authenticated online ciphers. In: Sako K., Sarkar P. (eds.) ASIACRYPT 2013. LNCS, Part I, vol. 8269, pp. 424–443. Springer, Heidelberg (2013).Google Scholar
- 3.Andreeva E., Daemen J., Mennink B., Van Assche G.: Security of keyed sponge constructions using a modular proof approach. In: Leander G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015).Google Scholar
- 4.Albrecht M.R., Farshim P., Paterson K.G., Watson G.J.: On cipher-dependent related-key attacks in the ideal-cipher model. In: Joux A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 128–145. Springer, Heidelberg (2011).Google Scholar
- 5.Bellare M., Boldyreva A., Micali S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000).Google Scholar
- 6.Bellare M., Bernstein D.J., Tessaro S.: Hash-function based PRFs: AMAC and its multi-user security. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016. LNCS, Part I, vol. 9665, pp. 566–595. Springer, Heidelberg (2016).Google Scholar
- 7.Biham E.: How to decrypt or even substitute DES-encrypted messages in 2\({}^{\text{28 }}\) steps. Inf. Process. Lett.
**84**(3), 117–124 (2002).MathSciNetCrossRefzbMATHGoogle Scholar - 8.Bierbrauer J., Johansson T., Kabatianskii G., Smeets B.J.M.: On families of hash functions via geometric codes and concatenation. In: Stinson D.R. (ed.) CRYPTO’93. LNCS, vol. 773, pp. 331–342. Springer, Heidelberg (1994).Google Scholar
- 9.Blake-Wilson S., Johnson D., Menezes A.: Key agreement protocols and their security analysis. In: Darnell M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997).Google Scholar
- 10.Bellare M., Kohno T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003).Google Scholar
- 11.Bogdanov A., Knudsen L.R., Leander G., Standaert F.-X., Steinberger J.P., Tischhauser E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations—(extended abstract). In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012).Google Scholar
- 12.Biryukov A., Mukhopadhyay S., Sarkar P.: Improved time-memory trade-offs with multiple data. In: Preneel B., Tavares S.E. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2005).Google Scholar
- 13.Bellare M., Rogaway P.: Entity authentication and key distribution. In: CRYPTO’93. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994).Google Scholar
- 14.Biham E., Youssef A.M. (eds.): SAC 2006. LNCS, vol. 4356. Springer, Heidelberg (2007).Google Scholar
- 15.Chen S., Lampe R., Lee J., Seurin Y., Steinberger J.P.: Minimizing the two-round Even-Mansour cipher. In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014. LNCS Part I, vol. 8616, pp. 39–56. Springer, Heidelberg (2014).Google Scholar
- 16.Cogliati B., Lampe R., Seurin Y.: Tweaking Even-Mansour ciphers. In: Gennaro R., Robshaw M. (eds.) CRYPTO 2015, Part I, vol. 9215, pp. 189–208. Springer, Heidelberg, (2015).Google Scholar
- 17.Chatterjee S., Menezes A., Sarkar P.: Another look at tightness. In: Miri A., Vaudenay S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 293–319. Springer, Heidelberg (2011).Google Scholar
- 18.Chakraborty D., Sarkar P.: A general construction of tweakable block ciphers and different modes of operations. In: Lipmaa H., Yung M., Lin D. (eds.) Inscrypt 2006. LNCS, vol. 4318, pp. 88–102. Springer, Heidelberg (2006).Google Scholar
- 19.Chen S., Steinberger J.P.: Tight security bounds for key-alternating ciphers. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014).Google Scholar
- 20.Cogliati B., Seurin Y.: Beyond-birthday-bound security for tweakable Even-Mansour ciphers with linear tweak and key mixing. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 134–158. Springer, Heidelberg (2015).Google Scholar
- 21.Cogliati B., Seurin Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015. LNCS, Part I, vol. 9056, pp. 584–613. Springer, Heidelberg (2015).Google Scholar
- 22.Daemen J.: Limitations of the Even-Mansour construction. In: Imai H., Rivest R.L., Matsumoto T. (eds.) ASIACRYPT’91. LNCS, vol. 739, pp. 495–498. Springer, Heidelberg (1993).Google Scholar
- 23.den Boer B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur.
**2**, 65–72 (1993).Google Scholar - 24.Daniel J.: Bernstein. The Poly1305-AES message-authentication code. In: Gilbert H., Handschuh H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005).Google Scholar
- 25.Dunkelman O., Keller N., Shamir A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012).Google Scholar
- 26.Datta N., Nandi M.: ELmE: A misuse resistant parallel authenticated encryption. In: Susilo W., Yi M. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 306–321. Springer, Heidelberg (2014).Google Scholar
- 27.Daemen J., Rijmen V.: The wide trail design strategy. In: Bahram H. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001).Google Scholar
- 28.Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, Heidelberg (2002).CrossRefzbMATHGoogle Scholar
- 29.Daemen J., Rijmen V.: On the related-key attacks against aes. Proc. Rom. Acad. Ser. A
**13**(4), 395–400 (2012).MathSciNetGoogle Scholar - 30.Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai H.,Rivest R.L., Matsumoto T. (eds.) ASIACRYPT’91. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993).Google Scholar
- 31.Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol.
**10**(3), 151–162 (1997).MathSciNetCrossRefzbMATHGoogle Scholar - 32.Farshim P., Procter G.: The related-key security of iterated Even-Mansour ciphers. In: Leander G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015).Google Scholar
- 33.Fischlin M., Coron J.-S. (eds.): EUROCRYPT 2016. LNCS, Part I, vol. 9665. Springer, Heidelberg (2016).Google Scholar
- 34.Fouque P.-A., Joux A., Mavromati C.: Multi-user collisions: Applications to discrete logarithm, Even-Mansour and PRINCE. In: Sarkar P., Iwata T. (eds.) ASIACRYPT 2014. LNCS, Part I, vol. 8873, pp. 420–438. Springer, Heidelberg (2014).Google Scholar
- 35.Frances F.: Yao and Yiqun Lisa Yin. Design and analysis of password-based key derivation functions. In: Menezes A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 245–261. Springer, Heidelberg (2005).Google Scholar
- 36.Goldenberg D., Hohenberger S., Liskov M.: Elizabeth Crump Schwartz, and Hakan Seyalioglu. On tweaking Luby-Rackoff blockciphers. In: Kurosawa K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 342–356. Springer, Heidelberg (2007).Google Scholar
- 37.Granger R., Jovanovic P., Mennink B., Neves S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016. LNCS, Part I, vol. 9665, pp. 263–293. Springer, Heidelberg (2016).Google Scholar
- 38.Guo C., Lin D.: A synthetic indifferentiability analysis of interleaved double-key Even-Mansour ciphers. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015. LNCS, Part II, vol. 9453, pp. 389–410. Springer, Heidelberg (2015).Google Scholar
- 39.Gennaro R., Robshaw M. (eds.): CRYPTO 2015. LNCS, Part I, vol. 9215. Springer, Heidelberg (2015).Google Scholar
- 40.Halevi S., Krawczyk H.: MMH: software message authentication in the Gbit/second rates. In: Biham E. (ed.) FSE ’97. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997).Google Scholar
- 41.Hong J., Sarkar P.: New applications of time memory data tradeoffs. In: Roy B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 353–372. Springer, Heidelberg (2005).Google Scholar
- 42.Hoang V.T., Tessaro S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw M., Katz J. (eds.) CRYPTO 2016. LNCS, Part I, vol. 9814, pp. 3–32. Springer, Heidelberg (2016).Google Scholar
- 43.Hugo K. HMAC-based extract-and-expand key derivation function (HKDF). Request for Comments (RFC) 5869, May (2010). https://tools.ietf.org/html/rfc5869.
- 44.Iwata T., Cheon J.H. (eds.): ASIACRYPT 2015. LNCS, Part II, vol. 9453. Springer, Heidelberg (2015).Google Scholar
- 45.Iwata T., Kohno T.: New security proofs for the 3GPP confidentiality and integrity algorithms. In: Roy B.K., Meier W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 427–445. Springer, Heidelberg (2004).Google Scholar
- 46.Imai H., Rivest R.L., Matsumoto T. (eds.): ASIACRYPT ’91. LNCS, vol. 739. Springer, Heidelberg (1993).Google Scholar
- 47.ISO/IEC 18033-3:2010. Information technology—security techniques—encryption algorithms—Part 3: Block ciphers, December (2010).Google Scholar
- 48.Jean J., Nikolić I., Peyrin T.: Tweaks and keys for block ciphers: The TWEAKEY framework. In: Sarkar P., Iwata T. (eds.) ASIACRYPT 2014. LNCS, Part II, vol. 8874, pp. 274–288. Springer, Heidelberg (2014).Google Scholar
- 49.Krawczyk H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010).Google Scholar
- 50.Krovetz, T.: Message authentication on 64-bit architectures. In: Biham E., Youssef A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 327–341. Springer, Heidelberg (2007).Google Scholar
- 51.Leander G. (ed.): FSE 2015. LNCS, vol. 9054. Springer, Heidelberg (2015).Google Scholar
- 52.Lampe R., Patarin J., Seurin Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang X., Sako K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012).Google Scholar
- 53.Liskov M., Rivest R.L., Wagner D.: Tweakable block ciphers. In: Yung M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002).Google Scholar
- 54.Lampe R., Seurin Y.: How to construct an ideal cipher from a small set of public permutations. In Sako K., Sarkar P. (eds.) ASIACRYPT 2013. LNCS, Part I, vol. 8269, pp. 444–463. Springer, Heidelberg (2013).Google Scholar
- 55.Lampe R., Seurin Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–151. Springer, Heidelberg (2013).Google Scholar
- 56.Landecker W., Shrimpton T.: and R. Seth Terashima. Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini R., Canetti R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012).Google Scholar
- 57.Lucks S.: Ciphers secure against related-key attacks. In Roy B.K., Meier W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004).Google Scholar
- 58.Mennink B.: Optimally secure tweakable blockciphers. In: Leander G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015).Google Scholar
- 59.Mennink, B.: XPX: generalized tweakable Even-Mansour with improved security guarantees. In Robshaw M., Katz J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 64–94. Springer, Heidelberg (2016).Google Scholar
- 60.Mitsuda A., Iwata T.: Tweakable pseudorandom permutation from generalized Feistel structure. In: Baek J., Bao F., Chen K., Lai X. (eds.) Provable Security 2008. LNCS, vol. 5324, pp. 22–37. Springer, Heidelberg (2008).Google Scholar
- 61.Minematsu K., Iwata T.: Tweak-length extension for tweakable blockciphers. In: Groth J. (ed.) Cryptography and Coding 2015. LNCS, vol. 9496, pp. 77–93. Springer, Heidelberg (2015).Google Scholar
- 62.Minematsu, K..: Improved security analysis of XEX and LRW modes. In Biham E., Youssef A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 96–113. Springer, Heidelberg (2007).Google Scholar
- 63.Minematsu K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009).Google Scholar
- 64.Mouha N., Luykx A.: Multi-key security: the Even-Mansour construction revisited. In Gennaro R., Robshaw M. (eds.) CRYPTO 2015. LNCS, Part I, vol. 9215, pp. 209–223. Springer, Heidelberg (2015)Google Scholar
- 65.Menezes A., Smart N.P.: Security of signature schemes in a multi-user setting. Des. Codes Cryptogr.
**33**(3), 261–274 (2004).MathSciNetCrossRefzbMATHGoogle Scholar - 66.Pointcheval D., Johansson T. (eds.): EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg (2012).Google Scholar
- 67.Procter G.: A note on the CLRW2 tweakable block cipher construction. Cryptology ePrint Archive, Report 2014/111 (2014).Google Scholar
- 68.Peyrin T., Seurin Y.: Counter-in-Tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw M., Katz J. (eds.) CRYPTO 2016. LNCS, Part I, vol. 9814, pp. 33–63. Springer, Heidelberg (2016).Google Scholar
- 69.Robshaw M., Katz J. (eds.) CRYPTO 2016. LNCS, Part I, vol. 9814. Springer, Heidelberg (2016).Google Scholar
- 70.Roy B.K., Meier W. (eds):FSE 2004. LNCS, vol. 3017. Springer, Heidelberg (2004).Google Scholar
- 71.Rogaway P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Pil J.L. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004).Google Scholar
- 72.Siegel A.: On universal classes of extremely random constant-time hash functions. SIAM J. Comput.
**33**(3), 505–543 (2004).MathSciNetCrossRefzbMATHGoogle Scholar - 73.Sako K., Sarkar P. (eds.): ASIACRYPT 2013. LNCS, Part I, vol. 8269. Springer, Heidelberg (2013).Google Scholar
- 74.Steinberger J.: Improved security bounds for key-alternating ciphers via Hellinger distance. Cryptology ePrint Archive, Report 2012/481 (2012).Google Scholar
- 75.Stinson D.R. (ed.): CRYPTO’93. LNCS, vol. 773. Springer, Heidelberg (1994).Google Scholar
- 76.Taylor, R.: An integrity check value algorithm for stream ciphers. In: Stinson D.R. (ed.) CRYPTO’93. LNCS, vol. 773, pp. 40–48. Springer, Heidelberg (1994).Google Scholar
- 77.Tessaro S.: Optimally secure block ciphers from ideal primitives. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015. LNCS, Part II, vol. 9453, pp. 437–462. Springer, Heidelberg (2015).Google Scholar
- 78.Wegman M.N., Carter L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci.
**22**(3), 265–279 (1981).MathSciNetCrossRefzbMATHGoogle Scholar - 79.Zobrist A.: A new hashing method with application for game playing. Technical Report 88 Computer Sciences Department, University of Wisconsin (1970).Google Scholar

## Copyright information

**Open Access**This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.