1 Introduction

A necessity for any cryptographic system is the ability to support communication among many users, for potentially long periods of time. Enabling security in such scenarios requires distributing many keys, not only per user, but also per unit of time. As a result, understanding the multi-key security of cryptographic algorithms is important.

In applications where symmetric-key algorithms are used for the bulk of communication, the difficulty in maintaining security in multi-key settings involves not only initially distributing and managing keys for each pair of communicating parties, but also ensuring that keys are not used beyond recommended data and time limits. How long a key can be used and how much data it can process is determined via cryptanalysis and security bounds estimating adversarial success probability. However, until recently, most analysis has been performed in the single-key setting, even though analyzing cryptographic algorithms in the multi-key setting has more practical significance.

Nevertheless, the limitations of the multi-key setting are well-understood for a large variety of cryptographic algorithms, such as public key encryption [5], key establishment protocols [9, 13], signatures [65], and message authentication codes [6, 17]. Blockciphers are no exception, and have been the subject of many attacks taking advantage of the availability of multiple keys. For example, Biham [7] showed that the effective key size of blockciphers can halve in the multi-key setting, provided sufficiently many keys are employed in the encryption of a known plaintext. Subsequent attacks used time-memory-key tradeoffs [12, 29, 34, 41] for improvements.

Despite the multitude of attacks, little exploration has been done concerning the design of blockciphers in the multi-key setting. This is most likely due to the result stating that the multi-key security of a blockcipher can be reduced to its single-key security with a security loss proportional to the number of keys used, a fact which has been formally proven for public key encryption schemes [5] and message authentication codes [17], among others. This reduction relies on the fact that all keys are independent and uniformly distributed. In practice, however, generating keys is often done via the use of key derivation functions (KDFs), which use a master key to output many different keys. Therefore, to be able to rely on single-key security, such a KDF must behave like a pseudorandom function, so that its outputs are computationally indistinguishable from independent, uniformly distributed values.

1.1 Linking multi-key security with tweakable blockciphers

Our main contribution is drawing a powerful connection between the multi-key security of blockciphers and the security of tweakable blockciphers. As a first step towards the connection, we present a generalized definition of multi-key security of (tweakable) blockciphers in Sect. 3. While earlier definitions, including Mouha and Luykx [64], only considered independent, uniformly generated keys, we introduce KDFs in the definition of multi-key security, and say that the combination of a blockcipher with KDF is secure if it is indistinguishable from uniform random permutations.

By explicitly including KDFs into blockcipher security, and viewing key schedules as a type of KDF, one can put weak, known, and related key attacks in perspective with multi-key security. More importantly, due to the explicit inclusion of KDFs, the connection between multi-key and tweakable blockcipher security (Sect. 4) is immediate. This connection allows one to use the large body of work on tweakable blockciphers (see Sect. 5) to understand the multi-key security of blockciphers, and vice versa.

Finally, via the connection with tweakable blockciphers, related-key security of blockciphers [10] can also be linked to multi-key security. In more detail, in related-key security, an attacker may transform the master key via a related-key-deriving function, which could also be interpreted as deriving a new subkey in the multi-key setting.

1.2 Application to Even–Mansour and Tweakable Even–Mansour

By identifying KDFs with key schedules, or rather TWEAKEY schedules [48], which process both tweak and key input to generate subkeys for use in blockciphers, significant performance gains can be made depending upon the application. KDFs are usually designed to behave like pseudorandom functions, which is the optimal choice when blockciphers are treated like black boxes. However, in order to improve performance, blockciphers cannot be treated as black boxes, and KDFs must be designed with specific blockciphers in mind, which is exactly what a TWEAKEY schedule is.

Instead of looking at one specific blockcipher, or treating them as black boxes, we take an intermediate approach and apply our observations to the iterated Even–Mansour construction \(\mathrm {EM} [r]\) [11, 30, 31] and the Tweakable Even–Mansour construction \(\mathrm {TEM} [r]\) [21], which can be viewed as generic versions of key alternating ciphers [27, 28], the design approach to the AES [28]. As depicted in Fig. 1, both constructions process their input using \(r\ge 1\) consecutive, independent permutations interleaved with maskings derived from the key; the main difference between the constructions is that in \(\mathrm {TEM} [r]\) the maskings are derived from the key and the tweak via a universal hash function. See Sect. 5 for a detailed explanation of the constructions.

Fig. 1

From top to bottom: r rounds of iterated Even–Mansour, Tweakable Even–Mansour, and Cascaded LRW. Here, \(k_i\) and \(z_i\) are key material, \(P_i\) are permutations, E is a blockcipher, and \(h_{k_i}\) are universal hash functions. All schemes reveal strong similarity, with one caveat: \(\mathrm {LRW} [r]\) and \(\mathrm {TEM} [r]\) explicitly have r-wise independent masking, while \(\mathrm {EM} [r]\) uses \(r+1\) keys. However, the state of the art security analysis on \(\mathrm {EM} [r]\) also covers r-wise independent keying [19]

Chen and Steinberger [19] proved that \(\mathrm {EM} [r]\) achieves asymptotically \(2^{rn/(r+1)}\) single-key security for arbitrary \(r\ge 1\). Hoang and Tessaro [42] recently simplified their bound and improved it by a constant factor. They additionally demonstrated how the results directly generalize to the multi-key setting based on uniformly random KDF. For \(\mathrm {TEM} [r]\), Cogliati et al. [16] proved \(2^{n/2}\) single-key security for \(r = 1\), \(2^{2n/3}\) for \(r = 2\), and \(2^{rn/(r+2)}\) for any even r, and conjectured that it achieves (tight) \(2^{rn/(r+1)}\) single-key security for any \(r\ge 1\). These results are summarized in Table 1, with further related work in Sect. 5.

First, we use our new equivalence result as a tool to transfer the \(\mathrm {EM} [r]\) multi-key bound to \(\mathrm {TEM} [r]\) in Sect. 5.4, establishing a \(2^{rn/(r+1)}\) bound for any r, as long as the universal hash function is replaced by a uniform random function, and the adversaries use a limited number of tweaks. In applications where the number of tweaks can be limited to a small number, as might, for example, be the case in certain authenticated encryption schemes [2, 26, 68], our newly obtained bound on \(\mathrm {TEM} [r]\) improves over the state of the art, and even solves the conjecture by Cogliati et al. in 2015 [21] for the specific case of uniformly random masking. The replacement of the universal hash function by a uniform random function may in certain settings be a burden, but this condition allows us to make a first step towards solving this conjecture for general masking. The new bounds are summarized in Table 1.

Table 1 State of the art and new results on \(\mathrm {EM} [r]\), \(\mathrm {TEM} [r]\), and \(\mathrm {LRW} [r]\), with n the size of the permutation or blockcipher, \(\mu \) the number of users, and \(\ell \) the number of tweaks used

As a bonus, the new \(\mathrm {TEM} [r]\) bound carries over to its blockcipher-based sibling \(\mathrm {LRW} [r]\) [53, 55, 56, 67]; see Fig. 1 for its depiction, and Sect. 5 for a detailed explanation of the construction. Our bounds therefore also partially solve the related conjecture by Landecker et al. [56] and Lampe and Seurin [55] on \(\mathrm {LRW} [r]\), provided the maximum number of tweaks can be bounded and the masking is random.

Finally, we also consider multi-key security of \(\mathrm {EM} [r]\) with a KDF that is not necessarily random. Using the aforementioned equivalence in the reverse direction, in Sect. 5.4 we transfer the results from Cogliati et al. [16] on \(\mathrm {TEM} [r]\) to multi-key security bounds of \(\mathrm {EM} [r]\) which do not degrade relative to the number of users, but with the same limitations on r as with the \(\mathrm {TEM} [r]\) bounds (see Table 1). The bound is identical to that of [16]. Interestingly, we are able to conclude that a pseudorandom KDF is not necessary to achieve multi-key security with the \(\mathrm {EM} [r]\) construction. Since the tweaks for \(\mathrm {TEM} [r]\) are processed using universal hash functions, such functions suffice as KDF for \(\mathrm {EM} [r]\).

1.3 Performance gains

Pseudorandom KDFs are necessary when the blockcipher is treated as a black box, and they are also important if the application scenario contains malicious users: it should be infeasible for one pair of communicating users to guess the keys of other users. Therefore, weakening the KDF must be done with care. However, there are applications where the users are known not to be malicious.

Consider wireless sensor networks for example, which consist of small autonomous sensors used to monitor environmental conditions. Using our connection between multi-key security and tweakable blockciphers, it is clear that in those settings one could replace the combination of a KDF and blockcipher with a single tweakable blockcipher, where the “keys” for each of the sensors would correspond to different tweaks for the tweakable blockcipher. Even though each of the sensors could easily compute the “key” of any other sensor, the main security threat in this scenario is external attackers, not the sensors themselves. This approach is formalized in Sect. 6.

The only issue would be key compromise of a sensor, which would immediately leak the key, and therefore security of the entire system would be lost. Even if it is difficult to ensure that no sensor will leak its key, one can still avoid using pseudorandom KDFs. For example, an intermediate solution is to group together sensors, and to distribute an independent key to each group, while communication within the group is performed by changing tweaks. In Sect. 3.2 we describe another solution, which uses universal hash functions that are secure against collusion of a group of users, meaning a certain number of sensors could be compromised without the entire system losing security.

2 Preliminaries

The set of bit strings of length \(n\ge 0\) is denoted \(\{0,1\}^{n}\). For two sets \(\mathcal {X},\mathcal {Y}\), the set of all functions from \(\mathcal {X}\rightarrow \mathcal {Y}\) is denoted \(\mathsf {Func} (\mathcal {X},\mathcal {Y})\), the case of \(\mathcal {X}=\mathcal {Y}\) being abbreviated to \(\mathsf {Func} (\mathcal {X})\). The set of permutations on \(\mathcal {X}\) is denoted \(\mathsf {Perm} (\mathcal {X})\). Uniform random drawing of an element x from \(\mathcal {X}\) is denoted \(x\xleftarrow {{\scriptscriptstyle \$}}\mathcal {X}\).

2.1 Blockciphers and tweakable blockciphers

A blockcipher is a mapping \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) where for every key \(k\in \mathcal {K}\), the function \(E(k,\cdot )\) is a permutation on \(\mathcal {M}\). Its inverse is denoted \(E^{-1}(k,\cdot )\). A tweakable blockcipher is a mapping \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) where for every key \(k\in \mathcal {K}\) and every tweak \(t\in \mathcal {T}\), the function \(\widetilde{E}(k,t,\cdot )\) is a permutation on \(\mathcal {M}\). Its inverse is denoted \(\widetilde{E}^{-1}(k,t,\cdot )\). Denote by \(\mathsf {TPerm} (\mathcal {T},\mathcal {M})\) the set of all functions \(\widetilde{\pi }:\mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that \(\widetilde{\pi }(t,\cdot )\in \mathsf {Perm} (\mathcal {M})\) for all \(t\in \mathcal {T}\).

Note that a conventional blockcipher is a tweakable blockcipher with tweak space of size 1, meaning that tweakable blockcipher security definitions can be applied to blockciphers. Therefore, we will only discuss the security of tweakable ciphers, which will be denoted explicitly with the use of ‘T’ and ‘\(\sim \)’. The corresponding notation for conventional blockciphers follows by removing the ‘T’s and ‘\(\sim \)’s.

Let \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) be a tweakable blockcipher that is internally based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \), where \(\mathsf {Prims} \) is some set of primitives. Examples include \(\mathsf {Prims} =\mathsf {Perm} (\mathcal {M})\), which is used in the Even–Mansour constructions, and \(\mathsf {Prims} =\mathsf {Func} (\mathcal {M}')\), which is used in Feistel networks where \(\mathcal {M}'\) is of size smaller than \(\mathcal {M}\).

In the following definition we consider a distinguisher \(\mathcal {D}\) that either interacts in a “real world”, where it has query access to \(\widetilde{E}_k\) with secret \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\), or an “ideal world”, where \(\mathcal {D}\) interacts with an ideal tweakable permutation \(\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\mathsf {TPerm} (\mathcal {T},\mathcal {M})\). In both worlds \(\mathcal {D}\) gets access to the idealized primitives \({\varPi }=(\varPi _1,\ldots ,\varPi _r)\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Prims} ^r\). The goal of \(\mathcal {D}\) is to distinguish the real from the ideal world.

Definition 1

(STPRP security) Consider \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \). The \(\mathrm {STPRP}\) (strong tweakable pseudorandom permutation) advantage of a distinguisher \(\mathcal {D}\) is

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(\mathcal {D}) = \varDelta _{\mathcal {D}}(\widetilde{E}_k,{\varPi }\;;\;\widetilde{\pi },{\varPi }) = \left| \mathbf {Pr}\left( \mathcal {D}^{\widetilde{E}_k,{\varPi }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\widetilde{\pi },{\varPi }} = 1 \right) \right| \,, \end{aligned}$$

where the probabilities are taken over the random choices of \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\), \({\varPi }\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Prims} ^r\), and \(\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\mathsf {TPerm} (\mathcal {T},\mathcal {M})\). The distinguisher has two-sided query access to each of its oracles. For any \(q,\ell ,p\ge 0\) with \(\ell \le |\mathcal {T}|\), we define \(\mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(q,\ell ,p)\) to be the maximum advantage over any distinguisher \(\mathcal {D}\) that makes at most q queries to the construction for at most \(\ell \) different tweaks, and p queries to each of the primitives.

Inclusion of the parameter \(\ell \) might seem artificial, but it can be set arbitrarily large and therefore does not limit applicability of the definition. Although it is included to describe distinguishers more accurately, it has a meaningful connection to the security bounds of MAC functions and authenticated encryption schemes based on blockciphers. In more detail, consider an authenticated encryption scheme based on a tweakable blockcipher, denote by \(\ell '\) the maximal message length, and \(\ell \) the number of different tweaks employed in the authenticated encryption schemes. On the one hand, the parameter \(\ell '\) often plays a significant role in the security bounds, while on the other hand, the values \(\ell \) and \(\ell '\) are often close to each other, and differ at most by a multiplicative constant. For example, for COPA [2], ELmE [26], and SCT [68], we have \(\ell \approx 2\ell '\).

2.2 Universal hash functions

Let \((\mathcal {Y},\oplus )\) be an abelian group. Let \(H = \{h_k:\mathcal {X}\rightarrow \mathcal {Y}\mid k\in \mathcal {K}\}\) be a family of functions indexed by a key \(k\in \mathcal {K}\). We say that H is uniform if for any \(x\in \mathcal {X}\) and \(y\in \mathcal {Y}\), we have

$$\begin{aligned} \mathbf {Pr}\left( k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\;:\; h_k(x)=y\right) = 1/|\mathcal {Y}|\,. \end{aligned}$$

We say that H is \(\varepsilon \)-almost-XOR-universal (\(\varepsilon \)-AXU) if for any distinct \(x,x'\in \mathcal {X}\) and \(y\in \mathcal {Y}\), we have

$$\begin{aligned} \mathbf {Pr}\left( k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\;:\; h_k(x)\oplus h_k(x')=y\right) \le \varepsilon . \end{aligned}$$

We say that H is \(\varepsilon \)-UAXU if it is uniform and \(\varepsilon \)-AXU.

Fig. 2

Multi-key security model (Definition 2). \(k_1,\ldots ,k_\mu \) are the \(\mu \) derived keys

A result that we will use later is that a uniform random function is also uniform and AXU. More formally, define

$$\begin{aligned} \mathsf {F} ^{\mathcal {X}}_{\mathcal {Y}}: \mathsf {Func} (\mathcal {X},\mathcal {Y})\times \mathcal {X}\rightarrow \mathcal {Y} \end{aligned}$$

as a family of functions defined as \(\mathsf {F} ^{\mathcal {X}}_{\mathcal {Y}}(f,x)=f(x)\).

Lemma 1

\(\mathsf {F} ^{\mathcal {X}}_{\mathcal {Y}}\) is uniform and \(|\mathcal {Y}|^{-1}\)-AXU.

Throughout, we will simply write \(\mathsf {F} ^{\mathcal {X}}_{n}\) for \(\mathsf {F} ^{\mathcal {X}}_{\{0,1\}^{n}}\). Our interest in uniform random functions is purely in connecting our definition of multi-key security to the conventional definitions.

3 Multi-key security

Mouha and Luykx [64] formalized the notion of multi-key security of blockciphers, and applied it to one round of Even–Mansour (cf. Sect. 5.1). We introduce the generalization of this model to (i) tweakable blockcipher constructions and (ii) arbitrary key derivation functions. The model shows similarity with that of Hoang and Tessaro [42]. As in Sect. 2.1 we will discuss the multi-key security model for tweakable blockciphers, including ‘T’s and ‘\(\sim \)’s. The multi-key security for conventional blockciphers follows by removing the ‘T’s and ‘\(\sim \)’s.

In the definition below, \(\mu \) represents the number of instantiations with which the adversary interacts. A master key \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}'\) is generated for use in the key derivation function (KDF) \(F:\mathcal {K}'\times \mathcal {X}\rightarrow \mathcal {K}\), which maps the master key along with what we call an ID in \(x\in \mathcal {X}\), to a key in \(\mathcal {K}\). Here, the different IDs correspond to the different instances in the multi-key setting. The adversary can adaptively choose IDs via the oracle \(\widetilde{E}_{F(k,\cdot )}\), where the ID is input via \(F(k,\cdot )\). The adversary can instantiate at most \(\mu \) IDs. The ideal functionality corresponding to \(\widetilde{E}_{F(k,\cdot )}\) is \(\widetilde{\pi }_{(\cdot )}\), which is formalized as a tweakable permutation with tweak space \(\mathcal {T}\times \mathcal {X}\): the subscript input \((\cdot )\) can be viewed as a tweak input from \(\mathcal {X}\) which specifies the selected user, which in turn specifies a particular tweakable permutation to use. Figure 2 depicts the oracles with which distinguisher \(\mathcal {D}\) interacts.

Definition 2

(TMK security) Let \(\mu \ge 1\). Consider tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \), and let \(F:\mathcal {K}'\times \mathcal {X}\rightarrow \mathcal {K}\) with \(|\mathcal {X}|\ge \mu \) be a KDF. The \(\mathrm {TMK}\) advantage of a distinguisher \(\mathcal {D}\) is

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E},F}^{\mathsf {tmk}}(\mathcal {D})&= \varDelta _{\mathcal {D}}\left( \widetilde{E}_{F(k,\cdot )},{\varPi }\;;\;\widetilde{\pi }_{(\cdot )},{\varPi }\right) \\&= \left| \mathbf {Pr}\left( \mathcal {D}^{\widetilde{E}_{F(k,\cdot )},{\varPi }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\widetilde{\pi }_{(\cdot )},{\varPi }} = 1 \right) \right| \,, \end{aligned}$$

where the probabilities are taken over the random choices of \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}'\), \({\varPi }\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Prims} ^r\), and \(\widetilde{\pi }_{(\cdot )}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {TPerm} (\mathcal {T}\times \mathcal {X},\mathcal {M})\). The distinguisher has two-sided query access to each of its oracles. For any \(\mu ,q,\ell ,p\ge 0\), we define \(\mathbf {Adv} _{\widetilde{E},F}^{\mathsf {tmk}}(\mu ,q,\ell ,p)\) to be the maximum advantage over any distinguisher \(\mathcal {D}\) that makes at most q queries to the \(\mu \) constructions (in whatever distribution), for at most \(\ell \) different tweaks per construction, and p queries to each of the primitives.

3.1 Compatibility with prior definitions

The original multi-key definition of Mouha and Luykx [64] can be viewed as a special case of Definition 2, by considering non-tweakable blockciphers with keys generated using a uniformly random KDF, that is, \(\mathsf {F} ^{\mathcal {X}}_{\mathcal {K}}\) of (1). Definition 1, conventional \(\mathrm {STPRP}\) security, is a special case of Definition 2 as well, seen by putting \(\mu = 1\) and taking the KDF to be \(\mathsf {F} ^{\mathcal {X}}_{\mathcal {K}}\) again:

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E},\mathsf {F} ^{\mathcal {X}}_{\mathcal {K}}}^{\mathsf {tmk}}(\mathcal {D}) = \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(\mathcal {D})\,. \end{aligned}$$

Note that, as with our definition of \(\mathrm {STPRP}\) security, we explicitly include primitives with which the adversary can interact. This is in order to capture ideal model definitions and proofs, but standard model definitions are also included by only considering adversaries which make zero queries to the primitives.

Due to the generalized nature of our definition, it is in fact equivalent to the definition of related-key security of (tweakable) blockciphers [10, 21, 32], although the applications structurally differ in the types of key derivation functions considered. Particularly, related-key security targets simple KDFs, often as simple as bitwise XOR or bitwise addition, while for multi-key security the KDFs are usually stronger primitives, and in most cases are pseudorandom. Nevertheless, the obvious equivalence between related-key security and our generalized multi-key security definition hints at the existence of more applications of our work in the context of related-key security, although this direction is beyond the scope of our work.

3.2 On multi-key-derivation functions

Taking a uniformly random KDF is, naturally, the most secure way of multi-key derivation, but it requires a lot of randomness. Definition 2 allows us to consider more general KDFs, including universal hash functions and pseudorandom number generators.

When choosing a KDF which is not pseudorandom, caution is needed to prevent related-key attacks when users are malicious. Particularly, if too many multi-keys are derived with the master key, the application may be prone to attacks. For example, taking a counter as KDF, \(F(k,x)=k\oplus x\), allows for users to derive each others’ keys without knowledge of the master key, as for any \(x,x'\) we have \(F(k,x')=F(k,x)\oplus x\oplus x'\). More generally, it is desirable that \(F\) generates multi-keys that have enough entropy, even conditioned on a small set of other multi-keys. In other words, it should not be possible for a small set of malicious users to collude and compute the keys of the honest users. One solution to this issue is via \(\gamma \)-strongly universal hash functions, as introduced by Wegman and Carter [78]. In more detail, let \(1\le \gamma \le \mu \), and consider KDF \(F:\mathcal {K}^\gamma \times \mathcal {X}\rightarrow \mathcal {K}\) defined as

$$\begin{aligned} F(k^{(1)}\Vert k^{(2)}\Vert \cdots \Vert k^{(\gamma )},x) = \bigoplus _{i=1}^\gamma x^i\cdot k^{(i)}\,. \end{aligned}$$

It is impossible for any set of \(\gamma -1\) colluding users to obtain the keys of the remaining honest users. On the other hand, any \(\gamma \) colluding users \(\{x_1,\ldots ,x_\gamma \}\) can recover the master key \(k^{(1)}\Vert \cdots \Vert k^{(\gamma )}\) by invertibility of the Vandermonde matrix:

$$\begin{aligned} \left( \begin{array}{c} k^{(1)}\\ k^{(2)}\\ \vdots \\ k^{(\gamma )} \end{array}\right) = \left( \begin{array}{cccc} x_1^1 &{} x_1^2 &{} \cdots &{} x_1^{\gamma } \\ x_2^1 &{} x_2^2 &{} \cdots &{} x_2^{\gamma } \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ x_\gamma ^1&{} x_\gamma ^2&{} \cdots &{} x_\gamma ^{\gamma }\\ \end{array}\right) ^{-1} \left( \begin{array}{c} k_{x_1}\\ k_{x_2}\\ \vdots \\ k_{x_{\gamma }} \end{array}\right) \,. \end{aligned}$$

Other examples of \(\gamma \)-universal hash functions for general \(\gamma \) include tabulation hashing and extensions [72, 79]. For the specific case of \(\gamma =2\), examples abound [8, 23, 24, 40, 50, 76].
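The following is an added example, not code from the paper, that makes the definitions of Sect. 2.2 and the collusion argument of Sect. 3.2 concrete. It works over GF(2^4) (a constructed choice, so that every probability can be computed by exhaustive enumeration), checks the uniform and \(\varepsilon \)-AXU properties for two hash families (multiplication \(k\cdot x\), which is AXU but not uniform, and the affine family \(a\cdot x\oplus b\), which is both), implements the KDF \(F(k^{(1)}\Vert \cdots \Vert k^{(\gamma )},x)=\bigoplus _i x^i\cdot k^{(i)}\), recovers the master key from \(\gamma \) derived keys by solving the Vandermonde system, and counts how many master keys remain consistent with the view of \(\gamma -1\) colluders, contrasted with the weak KDF \(F(k,x)=k\oplus x\). The function names and the sample keys are this example's own.

```python
# Added example (not from the paper): the uniform / AXU checks of Sect. 2.2 and
# the gamma-strongly-universal KDF of Sect. 3.2, instantiated over GF(2^4) so
# that every probability can be computed by exhaustive enumeration.
import itertools

N_BITS = 4
FIELD = 1 << N_BITS        # 16 field elements; IDs, keys and hash outputs live here
POLY = 0b10011             # x^4 + x + 1, irreducible over GF(2) (constructed choice)


def gf_mul(a, b):
    """Multiply in GF(2^4) = GF(2)[x]/(x^4 + x + 1); XOR is field addition."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD:
            a ^= POLY
    return r


def gf_pow(x, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, x)
    return r


def gf_inv(a):
    """Multiplicative inverse by brute force (fine for 16 elements)."""
    return next(x for x in range(1, FIELD) if gf_mul(a, x) == 1)


# Two hash families (constructed here): keys are field elements / pairs of them.
def mult_hash(k, x):           # h_k(x) = k * x       : AXU, but h_k(0) = 0 so not uniform
    return gf_mul(k, x)


def affine_hash(k, x):         # h_(a,b)(x) = a*x + b : uniform and 1/|Y|-AXU
    a, b = k
    return gf_mul(a, x) ^ b


def is_uniform(family, keys, xs, ys):
    """Sect. 2.2: Pr_k[h_k(x) = y] = 1/|Y| for every x and y."""
    return all(sum(1 for k in keys if family(k, x) == y) * len(ys) == len(keys)
               for x in xs for y in ys)


def axu_epsilon(family, keys, xs):
    """Sect. 2.2: smallest eps with Pr_k[h_k(x) xor h_k(x') = y] <= eps for all x != x', y."""
    worst = 0.0
    for x, x2 in itertools.permutations(xs, 2):
        counts = {}
        for k in keys:
            d = family(k, x) ^ family(k, x2)
            counts[d] = counts.get(d, 0) + 1
        worst = max(worst, max(counts.values()) / len(keys))
    return worst


def poly_kdf(master, x):
    """Sect. 3.2: F(k^(1)||...||k^(gamma), x) = XOR_{i=1..gamma} x^i * k^(i); use IDs x != 0."""
    out = 0
    for i, ki in enumerate(master, start=1):
        out ^= gf_mul(gf_pow(x, i), ki)
    return out


def xor_kdf(master, x):
    """The weak KDF of Sect. 3.2, F(k, x) = k xor x; master is a 1-tuple."""
    return master[0] ^ x


def recover_master(ids, derived):
    """Solve the Vandermonde system of Sect. 3.2 by Gaussian elimination over GF(2^4):
    gamma users with distinct non-zero IDs determine the whole master key."""
    g = len(ids)
    rows = [[gf_pow(x, i) for i in range(1, g + 1)] + [kx] for x, kx in zip(ids, derived)]
    for col in range(g):
        piv = next(r for r in range(col, g) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = gf_inv(rows[col][col])
        rows[col] = [gf_mul(inv, v) for v in rows[col]]
        for r in range(g):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [v ^ gf_mul(f, w) for v, w in zip(rows[r], rows[col])]
    return tuple(row[g] for row in rows)


def consistent_masters(kdf, gamma, observed):
    """All master keys that agree with the (ID, derived key) pairs a coalition holds."""
    return [m for m in itertools.product(range(FIELD), repeat=gamma)
            if all(kdf(m, x) == kx for x, kx in observed)]


if __name__ == "__main__":
    master, ids = (7, 11, 2), (1, 2, 3)                     # gamma = 3, constructed values
    print(recover_master(ids, [poly_kdf(master, x) for x in ids]) == master)
    view = consistent_masters(poly_kdf, 2, [(3, poly_kdf((4, 9), 3))])  # one colluder, gamma = 2
    print(len(view), sorted({poly_kdf(m, 5) for m in view}) == list(range(FIELD)))
```

With \(\gamma =2\), a single colluder holding the key of ID 3 is left with 16 candidate master keys, and those candidates assign every one of the 16 possible keys to the honest ID 5 exactly once, so the colluder learns nothing about it; a second colluder reduces the candidates to one. With the XOR KDF a single derived key already pins the master key down.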

On a more general note, we remark that stand-alone key derivation functions are typically multi-purpose, their main application being key derivation from passwords and salts. We refer to Yao and Yin [35], Krawczyk [43, 49], and ISO-18033-3 [47] for various designs and analyses.

4 Tweakable blockciphers versus multi-key security

By introducing KDFs in the definition of multi-key security of blockciphers, the connection between multi-key security and tweakable security of blockciphers is nearly immediate: an ID can be viewed as a tweak, and a tweak can be viewed as an ID. Hence, taking a blockcipher \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) and a KDF \(F:\mathcal {K}'\times \mathcal {T}\rightarrow \mathcal {K}\), we can define the tweakable blockcipher \(\widetilde{E}:\mathcal {K}'\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) which identifies tweaks in \(\mathcal {T}\) with IDs in \(\mathcal {X}\), that is

$$\begin{aligned} \widetilde{E}_k(t,m)=E_{F(k,t)}(m)\,. \end{aligned}$$

This construction can be seen as a generalization of Minematsu’s tweakable blockcipher [63], but it has many more applications. In fact, extracting a blockcipher \(E\) from a tweakable blockcipher \(\widetilde{E}\) by reversing the above construction is sometimes possible as well. For example, if \(E\) is the Even–Mansour construction of Sect. 5.1, and \(F\) is a UAXU family of hash functions, then \(\widetilde{E}\) corresponds to the Tweakable Even–Mansour construction of Sect. 5.2.

A distinguisher \(\mathcal {D}_1\) attacking the \(\mathrm {MK}\) security of \(E\) with respect to \(F\) can be converted into a distinguisher \(\mathcal {D}_2\) attacking the \(\mathrm {STPRP}\) security of \(\widetilde{E}\), by mapping each ID queried by \(\mathcal {D}_1\) into a tweak queried by \(\mathcal {D}_2\). Conversely, any \(\mathrm {STPRP}\) distinguisher \(\mathcal {D}_2\) can be converted into a \(\mathrm {MK}\) distinguisher \(\mathcal {D}_1\) by using the reverse transformation, namely, map each tweak into a different ID. Formally, we achieve the following theorem.

Theorem 1

Let \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) be a blockcipher, \(F:\mathcal {K}'\times \mathcal {T}\rightarrow \mathcal {K}\) a KDF, and \(\widetilde{E}\) the construction from (2). Let \(\mu \ge 1\) and \(q,\ell ,p\ge 0\). If \(\mu \le \ell \), then,

$$\begin{aligned} \mathbf {Adv} _{E,F}^{\mathsf {mk}}(\mu ,q,p) \le \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(q,\ell ,p)\,. \end{aligned}$$

If \(\ell \le \mu \), then,

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(q,\ell ,p) \le \mathbf {Adv} _{E,F}^{\mathsf {mk}}(\mu ,q,p)\,. \end{aligned}$$

Proof

Let \(\mathcal {D}_1\) be a \(\mathrm {MK}\) distinguisher against \(E\) with respect to \(F\), and let \(\mathcal {D}_2\) be described as above, namely, each input m made to ID \(t\in \mathcal {T}\) is converted into a \(\widetilde{E}\)-query \((t,m)\) with tweak t and input m. All primitive queries and \(\mathcal {D}_1\)’s final decision are forwarded by \(\mathcal {D}_2\). Note that \(E_{F(k,\cdot )} = \widetilde{E}_k^{(\cdot )}\), where the ID input of \(E\) is changed to tweak input for \(\widetilde{E}\). Similarly, a permutation \(\pi _{(\cdot )}\) with ID input is equivalent to a tweakable permutation \(\widetilde{\pi }\) where the IDs are mapped to tweaks. This means we have

$$\begin{aligned} \mathbf {Adv} _{E,F}^{\mathsf {mk}}(\mathcal {D}_1)&= \varDelta _{\mathcal {D}_1}(E_{F(k,\cdot )},{\varPi }\;;\;\pi _{(\cdot )},{\varPi })\\&= \varDelta _{\mathcal {D}_2}(\widetilde{E}_{k},{\varPi }\;;\;\widetilde{\pi },{\varPi }) = \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(\mathcal {D}_2)\,, \end{aligned}$$

and since \(\mu \le \ell \), we establish

$$\begin{aligned} \mathbf {Adv} _{E,F}^{\mathsf {mk}}(\mu ,q,p) \le \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(q,\ell ,p)\,. \end{aligned}$$

The reverse inequality can be obtained similarly. \(\square \)

5 Application of equivalence of Sect. 4

We briefly summarize the state of the art on iterated Even–Mansour (Sect. 5.1), Tweakable Even–Mansour (Sect. 5.2), and LRW (Sect. 5.3). Then, we consider the application of the equivalence of Sect. 4 to these constructions in Sect. 5.4.

5.1 Iterated Even–Mansour

For \(r\ge 1\), we define the r-round iterated Even–Mansour construction \(\mathrm {EM} [r]:\{0,1\}^{(r+1)n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) as (see also Fig. 1)

$$\begin{aligned} \mathrm {EM} [r]_{k_1,\ldots ,k_{r+1}}(m) = P_r(\cdots P_1(m\oplus k_1)\cdots \oplus k_r) \oplus k_{r+1}\,, \end{aligned}$$

where \(\mathbf{P}=(P_1,\ldots ,P_r)\in \mathsf {Perm} (\{0,1\}^{n})^r\) are n-bit permutations. The first formal presentation of this construction is by Even and Mansour at ASIACRYPT ’91 [30, 31], who introduced it for \(r=1\) and proved that it achieves \(2^{n/2}\) security. Daemen proved tightness of this bound [22]. The general construction was introduced by Bogdanov et al. [11]. Following a line of research set, among others, by Dunkelman et al. [25], Lampe et al. [52], and Steinberger [74], Chen and Steinberger [19] proved that \(\mathrm {EM} [r]\) tightly achieves \(\mathcal {O}(2^{rn/(r+1)})\) single-key blockcipher security in the model of Sect. 2.1. This bound is, however, asymptotic, and Hoang and Tessaro [42] recently improved their bound on \(\mathrm {EM} [r]\).

Proposition 1

(Single-Key Security of \(\mathrm {EM} [r]\) [19, 42]) Let \(r\ge 1\) and \(q,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {EM} [r]}^{\mathsf {sprp}}(q,p)\le \frac{q(4p)^r}{(2^n)^r}\,. \end{aligned}$$

Their bound is in fact a bit more fine-grained, having p separated over all r primitives. It is important to note that the results on \(\mathrm {EM} [r]\) [19, 42] effectively require r-wise independence of the key, i.e., for any \(i\in \{1,\ldots ,r+1\}\), \((k_1,\ldots ,k_{i-1},k_{i+1},\ldots ,k_{r+1})\) has a uniform distribution on \(\{0,1\}^{rn}\) [19, p. 329].

Andreeva et al. [3] and Mouha and Luykx [64] considered one round of Even–Mansour in the multi-key setting, and showed that similar results are achieved.

Proposition 2

(Multi-Key Security of EM[1] [64]) Consider \(F=\mathsf {F} ^{\mathcal {X}}_{n}\) of (1). Let \(\mu \ge 1\) and \(q,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {EM} [1],\mathsf {F} ^{\mathcal {X}}_{n}}^{\mathsf {mk}}(\mu ,q,p) \le \frac{q^2+2qp}{2^n}\,. \end{aligned}$$

Hoang and Tessaro [42] derived a strong generic reduction from multi-key to single-key security and transferred their result (Proposition 1) to the multi-key setting.

Proposition 3

(Multi-Key Security of EM[r] [42]) Consider \(F=\mathsf {F} ^{\mathcal {X}}_{n}\) of (1). Let \(\mu \ge 1\), \(r\ge 1\), and \(q,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {EM} [r],\mathsf {F} ^{\mathcal {X}}_{n}}^{\mathsf {mk}}(\mu ,q,p) \le \frac{2q(4(p+rq))^r}{(2^n)^r}\,. \end{aligned}$$

Beyond single-key and multi-key security, further works on \(\mathrm {EM} [r]\) cover the related-key security [21, 32], chosen-key security [1, 38, 54], and security of minimized \(\mathrm {EM} [2]\) [15].

5.2 Iterated tweakable Even–Mansour

At CRYPTO 2015, Cogliati et al. [16] introduced the generic Tweakable Even–Mansour construction based on universal hash functions. For a permutation \(P\in \mathsf {Perm} (\{0,1\}^{n})\) and a universal hash function \(h_k:\mathcal {T}\rightarrow \{0,1\}^{n}\), define

$$\begin{aligned} \varPsi [P](k,t,m) = h_k(t)\oplus P(m\oplus h_k(t))\,. \end{aligned}$$

For \(r\ge 1\), we define the r-round iterated Tweakable Even–Mansour construction \(\mathrm {TEM} [r]:\mathcal {K}^r\times \mathcal {T}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) as (see also Fig. 1)

$$\begin{aligned} \mathrm {TEM} [r]_{k_1,\ldots ,k_r}(t,m)= & {} \varPsi [P_r](k_r,t,\cdots \varPsi [P_1](k_1,t,m)\cdots )\nonumber \\= & {} P_r(\cdots P_1(m\oplus h_{k_1}(t))\oplus h_{k_1}(t) \cdots \oplus h_{k_r}(t)) \oplus h_{k_r}(t), \end{aligned}$$

where \(\mathbf{P}=(P_1,\ldots ,P_r)\in \mathsf {Perm} (\{0,1\}^{n})^r\) are n-bit permutations, and \(H = \{h_k:\mathcal {T}\rightarrow \{0,1\}^{n} \mid k\in \mathcal {K}\}\) is a uniform almost-XOR-universal hash function family. Cogliati et al. [16] derived the following security results for \(\mathrm {TEM} [r]\).

Proposition 4

(Single-Key Security of TEM[r] [16]) Let \(H = \{h_k:\mathcal {T}\rightarrow \{0,1\}^{n}\mid k\in \mathcal {K}\}\) be an \(\varepsilon \)-UAXU family of hash functions. Let \(r\ge 1\) and \(q,\ell ,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {TEM} [1]}^{\mathsf {stprp}}(q,\ell ,p)&\le q^2\varepsilon + \frac{2qp}{2^n}\,,\\ \mathbf {Adv} _{\mathrm {TEM} [2]}^{\mathsf {stprp}}(q,\ell ,p)&\le \frac{29q^{1/2}p}{2^n} + q^{1/2}p\varepsilon + 4q^{3/2}\varepsilon + \frac{30q^{3/2}}{2^n}\,,\\ \mathbf {Adv} _{\mathrm {TEM} [2r]}^{\mathsf {stprp}}(q,\ell ,p)&\le 4q^{1/2}\left( 2q\varepsilon + \frac{2p}{2^n}\right) ^{r/2}\,. \end{aligned}$$

Note that \(\mathrm {TEM} [r]\) is in fact the \(\mathrm {EM} [r]\) construction where the keys \((k_1,\ldots ,k_{r+1})\) are replaced with

$$\begin{aligned} h_{k_1}(t)\,,\, h_{k_1}(t)\oplus h_{k_2}(t)\,,\, \ldots \,,\, h_{k_{r-1}}(t)\oplus h_{k_r}(t)\,,\, h_{k_r}(t)\,. \end{aligned}$$

In particular, \(\mathrm {TEM} [r]\) also has r-wise independent masking, be it of a specific form.

Further constructions related to \(\mathrm {TEM} [r]\), and to which our findings can be applied as well, are XPX [59], MEM [37], and a variant of \(\mathrm {TEM} [4]\) with linear mixing [20].

5.3 Iterated LRW

The Tweakable Even–Mansour construction is closely related to the iterated LRW construction [53]. In more detail, the r-round \(\mathrm {LRW} [r]\) construction is based on r blockcipher calls instead of r permutations. It is defined identically to (5), with \(P_1,\ldots ,P_r\) instantiated as \(E_{z_1},\ldots ,E_{z_r}\) for independent keys \(z_1,\ldots ,z_r\). We can likewise use the definition of STPRP security of Definition 1 where, now, p bounds the total number of evaluations of E a distinguisher can make. A security analysis for \(r=1\) was performed by Liskov et al. [53], \(r=2\) by Landecker et al. [56] and Procter [67], and for a general number of even rounds by Lampe and Seurin [55]. These results on \(\mathrm {LRW} [r]\) are comparable to the bounds of Proposition 4, which should not be surprising as

$$\begin{aligned} \mathbf {Adv} _{\mathrm {LRW} [r]}^{\mathsf {stprp}}(q,\ell ,p) \le \mathbf {Adv} _{\mathrm {TEM} [r]}^{\mathsf {stprp}}(q,\ell ,0) + r\cdot \mathbf {Adv} _{E}^{\mathsf {sprp}}(q,p)\,. \end{aligned}$$

The derivation of this bound is fairly straightforward: first, replace the blockcipher calls \(E_{z_1},\ldots ,E_{z_r}\) by r independent secret permutations \(P_1,\ldots ,P_r\). This step costs at most \(r\cdot \mathbf {Adv} _{E}^{\mathsf {sprp}}(q,p)\). What remains is the \(\mathrm {TEM} [r]\) construction with the difference that the adversary has no access to the secret underlying permutations, hence we have \(p=0\): \(\mathbf {Adv} _{\mathrm {TEM} [r]}^{\mathsf {stprp}}(q,\ell ,0)\). See also [16, Remark 1].

Further constructions related to \(\mathrm {LRW} [1]\) include the XEX construction [71] and its generalizations [18, 37, 62], tweakable Feistel schemes [36, 60], and tweakable blockciphers with tweak-dependent rekeying [58, 61, 63].

5.4 Application of equivalence of Sect. 4

Theorem 1 along with Proposition 4 implies multi-key security of \(\mathrm {EM} [r]\) with KDF \(F:(\mathcal {K})^r\times \mathcal {X}\rightarrow \{0,1\}^{(r+1)n}\) defined as (see also (6))

$$\begin{aligned} F(k_1,\ldots ,k_r,x) = \big (h_{k_1}(x), h_{k_1}(x) \oplus h_{k_2}(x), \ldots , h_{k_{r-1}}(x) \oplus h_{k_r}(x), h_{k_r}(x) \big ), \end{aligned}$$

where \(H = \{h_k:\mathcal {X}\rightarrow \{0,1\}^{n}\mid k\in \mathcal {K}\}\) is an \(\varepsilon \)-UAXU family of hash functions. Note that \(F\) is not UAXU itself, but it is still sufficiently strong to achieve multi-key security of \(\mathrm {EM} [r]\). Although \(F\)’s outputs admit a specific type of r-wise independence, it is easy to see that the result immediately generalizes to any \(F\) which outputs r-wise independent keys with the same joint distribution.
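The key-replacement identity of Sect. 5.2 (keys \((k_1,\ldots ,k_{r+1})\) replaced by the list (6)) and the KDF \(F\) of (8) are the same object seen from two sides. The following Python is an added example, not code from the paper: it implements \(\mathrm {EM} [r]\) and \(\mathrm {TEM} [r]\) on 64-bit blocks together with \(F\), and checks that \(\mathrm {TEM} [r]_{k}(t,m)=\mathrm {EM} [r]_{F(k,t)}(m)\) for \(r=1,2,3\), with both directions inverting correctly. Assumptions made here: the public permutations \(P_i\) are 4-round Feistel networks with SHA-256 round functions seeded by the public index i; the UAXU family is \(h_k(t)=k_1\cdot t\oplus k_2\) over \(\mathrm {GF}(2^{64})\) (uniform, and \(2^{-64}\)-AXU since \(h_k(t)\oplus h_k(t')=k_1\cdot (t\oplus t')\)), which is not the family \(\mathsf {F} ^{\mathcal {X}}_{n}\) of (1); the sample keys are constructed; all function names are chosen here.

```python
# Added example: EM[r], TEM[r] and the KDF F of (8) on 64-bit blocks (not the paper's code).
import hashlib

N = 64
POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1   # x^64 + x^4 + x^3 + x + 1, irreducible

def gf_mul(a, b):
    """Multiplication in GF(2^64) modulo POLY (bit-serial, written for clarity not speed)."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return res

def h(k, t):
    """Assumed UAXU family: h_k(t) = k1*t + k2 over GF(2^64), key k = (k1, k2).
    k2 makes outputs uniform; h_k(t)^h_k(t') = k1*(t^t') is uniform for t != t',
    so the family is 2^-64-UAXU (the paper's family of (1) is a different one)."""
    k1, k2 = k
    return gf_mul(k1, t) ^ k2

def _f(i, j, half):
    """Public round function of permutation P_i, round j (the seed is public, not a key)."""
    d = hashlib.sha256(b"P%d/%d/" % (i, j) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def P(i, x):
    """Public permutation P_i: a 4-round Feistel network on 64 bits (assumption)."""
    l, r = x >> 32, x & 0xFFFFFFFF
    for j in range(4):
        l, r = r, l ^ _f(i, j, r)
    return (l << 32) | r

def P_inv(i, y):
    """Inverse of P_i: undo the Feistel rounds in reverse order."""
    l, r = y >> 32, y & 0xFFFFFFFF
    for j in reversed(range(4)):
        l, r = r ^ _f(i, j, l), l
    return (l << 32) | r

def em_encrypt(keys, m):
    """EM[r]_{k_1..k_{r+1}}(m) = P_r(... P_1(m ^ k_1) ... ^ k_r) ^ k_{r+1}; r = len(keys) - 1."""
    r = len(keys) - 1
    x = m
    for i in range(1, r + 1):
        x = P(i, x ^ keys[i - 1])
    return x ^ keys[r]

def em_decrypt(keys, c):
    r = len(keys) - 1
    x = c ^ keys[r]
    for i in range(r, 0, -1):
        x = P_inv(i, x) ^ keys[i - 1]
    return x

def tem_encrypt(hkeys, t, m):
    """TEM[r]_{k_1..k_r}(t, m): round i is Psi[P_i](k_i, t, x) = h_{k_i}(t) ^ P_i(x ^ h_{k_i}(t))."""
    x = m
    for i, k in enumerate(hkeys, start=1):
        mask = h(k, t)
        x = mask ^ P(i, x ^ mask)
    return x

def tem_decrypt(hkeys, t, c):
    x = c
    for i in range(len(hkeys), 0, -1):
        mask = h(hkeys[i - 1], t)
        x = P_inv(i, x ^ mask) ^ mask
    return x

def kdf_F(hkeys, x):
    """F of (8): (h_{k_1}(x), h_{k_1}(x)^h_{k_2}(x), ..., h_{k_{r-1}}(x)^h_{k_r}(x), h_{k_r}(x)).
    r+1 outputs come from only r hash values, so F is not UAXU itself; the middle outputs
    are XORs of neighbouring masks, exactly the key list (6)."""
    masks = [h(k, x) for k in hkeys]
    inner = [masks[i] ^ masks[i + 1] for i in range(len(masks) - 1)]
    return tuple([masks[0]] + inner + [masks[-1]])

def tem_equals_em_with_kdf(hkeys, t, m):
    """True iff TEM[r]_k(t, m) == EM[r]_{F(k, t)}(m) and both decrypt back to m."""
    c = tem_encrypt(hkeys, t, m)
    derived = kdf_F(hkeys, t)
    return (c == em_encrypt(derived, m)
            and tem_decrypt(hkeys, t, c) == m
            and em_decrypt(derived, c) == m)

# Constructed sample hash keys (k1, k2) for up to r = 3 rounds; any values work.
SAMPLE_KEYS = ((0x0123456789ABCDEF, 0xFEDCBA9876543210),
               (0x1111222233334444, 0x5555666677778888),
               (0x0F0E0D0C0B0A0908, 0x0706050403020100))

if __name__ == "__main__":
    for r in (1, 2, 3):
        ok = tem_equals_em_with_kdf(SAMPLE_KEYS[:r], 0x42, 0xDEADBEEFCAFEBABE)
        print("r = %d: TEM[r] == EM[r] composed with F: %s" % (r, ok))
```

Replacing `P`/`P_inv` by a keyed blockcipher \(E_{z_i}\) and its inverse turns `tem_encrypt` into \(\mathrm {LRW} [r]\) of Sect. 5.3 without any other change, which is the concrete content of the hybrid step behind (7).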

Corollary 1

Consider \(F\) of (8). Let \(\mu \ge 1\), \(r\ge 1\), and \(q,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {EM} [1],F}^{\mathsf {mk}}(\mu ,q,p)&\le q^2\varepsilon + \frac{2qp}{2^n}\,,\\ \mathbf {Adv} _{\mathrm {EM} [2],F}^{\mathsf {mk}}(\mu ,q,p)&\le \frac{29q^{1/2}p}{2^n} + q^{1/2}p\varepsilon + 4q^{3/2}\varepsilon + \frac{30q^{3/2}}{2^n}\,,\\ \mathbf {Adv} _{\mathrm {EM} [2r],F}^{\mathsf {mk}}(\mu ,q,p)&\le 4q^{1/2}\left( 2q\varepsilon + \frac{2p}{2^n}\right) ^{r/2}\,. \end{aligned}$$

Note that the result of Proposition 3 is better than that of Corollary 1, but it explicitly requires random key-derivation while Corollary 1 allows for a more flexible key-derivation.

By using the equivalence reduction of Theorem 1 in reverse direction, we can transfer Proposition 3 to the security of Tweakable Even–Mansour \(\mathrm {TEM} [r]\).

Corollary 2

Consider the \(2^{-n}\)-UAXU family of hash functions \(\mathsf {F} ^{\mathcal {T}}_{n}\) of (1). Let \(r\ge 1\) and \(q,\ell ,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {TEM} [r]}^{\mathsf {stprp}}(q,\ell ,p) \le \frac{2q(4(p+rq))^r}{(2^n)^r}\,. \end{aligned}$$

Similarly, for \(\mathrm {LRW} [r]\), we can find via (7) the following corollary.

Corollary 3

Let \(E:\mathcal {K}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) be a blockcipher, and consider the \(2^{-n}\)-UAXU family of hash functions \(\mathsf {F} ^{\mathcal {T}}_{n}\) of (1). Let \(r\ge 1\) and \(q,\ell ,p\ge 0\) such that \(q+p\le 2^n/3\). Then,

$$\begin{aligned} \mathbf {Adv} _{\mathrm {LRW} [r]}^{\mathsf {stprp}}(q,\ell ,p) \le \frac{2q(4(p+rq))^r}{(2^n)^r} + r\cdot \mathbf {Adv} _{E}^{\mathsf {sprp}}(q,p)\,. \end{aligned}$$

As a matter of fact, the two corollaries apply to \(\mathrm {TEM} [r]\) and \(\mathrm {LRW} [r]\) for any form of r-wise independent keying (not just (6)). Clearly, for \(r=1\) and \(r=2\), the above corollaries do not improve over the state of the art for \(\mathrm {LRW} [r]\) [53, 55, 56] and \(\mathrm {TEM} [r]\) [21]. On the other hand, for \(r\ge 3\), the corollaries settle the conjectures on the two schemes for a specific scenario: the UAXU family of hash functions is \(\mathsf {F} ^{\mathcal {T}}_{n}\) of (1).

6 Tweakable blockciphers versus related-key security

The first formalization of related-key security was by Bellare and Kohno [10]. Cogliati and Seurin [21] generalized the model to blockciphers and applied it to cascaded Even–Mansour (cf. Sect. 5.1). Mennink [59] provided a formalism for the case of tweakable blockcipher constructions.

The definition of related-key security is in fact strongly related to that of multi-key security of Sect. 3. In related-key attacks, a set of related-key-deriving functions \(\varPhi \) is defined prior to the experiment. The adversary can adaptively choose related-key functions \(\varphi \) from \(\varPhi \) that transform the key under which the query is made: \(\widetilde{E}_{\varphi (k)}\). As such, one can specifically see related-key security as multi-key security using key derivation function \(F:\mathcal {K}\times \varPhi \rightarrow \mathcal {K}\) defined as \(F(k,\varphi )=\varphi (k)\). The ideal functionality corresponding to \(\widetilde{E}_{F(k,\cdot )}\) is \(\widetilde{\pi }_{(\cdot )}\), which is formalized as a tweakable permutation with tweak space \(\mathcal {T}\times \varPhi \): the subscript input \((\cdot )\) can be viewed as a tweak input from \(\varPhi \) which specifies the selected user, which in turn specifies a particular tweakable permutation to use.

Definition 3

(TRK security) Let \(\varPhi \) be a set of related-key-deriving functions. Consider tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) based on \(r\ge 1\) primitives \(\varPi _1,\ldots ,\varPi _r\in \mathsf {Prims} \), and let \(F:\mathcal {K}\times \varPhi \rightarrow \mathcal {K}\) be defined as \(F(k,\varphi )=\varphi (k)\). The \(\mathrm {TRK}\) advantage of a distinguisher \(\mathcal {D}\) is

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E},\varPhi }^{\mathsf {trk}}(\mathcal {D})&= \varDelta _{\mathcal {D}}\left( \widetilde{E}_{F(k,\cdot )},{\varPi }\;;\;\widetilde{\pi }_{(\cdot )},{\varPi }\right) \\&= \left| \mathbf {Pr}\left( \mathcal {D}^{\widetilde{E}_{F(k,\cdot )},{\varPi }} = 1 \right) - \mathbf {Pr}\left( \mathcal {D}^{\widetilde{\pi }_{(\cdot )},{\varPi }} = 1 \right) \right| \,, \end{aligned}$$

where the probabilities are taken over the random choices of \(k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}\), \({\varPi }\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Prims} ^r\), and \(\widetilde{\pi }_{(\cdot )}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {TPerm} (\mathcal {T}\times \varPhi ,\mathcal {M})\). The distinguisher has two-sided query access to each of its oracles. For any \(q,\ell ,p\ge 0\), we define \(\mathbf {Adv} _{\widetilde{E},\varPhi }^{\mathsf {trk}}(q,\ell ,p)\) to be the maximum advantage over any distinguisher \(\mathcal {D}\) that makes at most q queries to the construction for at most \(\ell \) different related-key-deriving functions per construction, and p queries to each of the primitives.

6.1 On related-key-derivation functions

If \(\varPhi \) simply consists of the identity function, \(\varPhi =\{\varphi :k\mapsto k\}\), Definition 3 boils down to conventional \(\mathrm {STPRP}\) security, Definition 1:

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E},\{\varphi :k\mapsto k\}}^{\mathsf {trk}}(\mathcal {D}) = \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(\mathcal {D})\,. \end{aligned}$$

Two well-known sets of related-key-deriving functions [10, 45] are the XOR and additive differences on the keys:

$$\begin{aligned} \varPhi _{\oplus }&= \{\varphi _\delta :k\mapsto k\oplus \delta \mid \delta \in \mathcal {K}\}\,,\\ \varPhi _{+}&= \{\varphi _\delta :k\mapsto k+ \delta \mid \delta \in \mathcal {K}\}\,, \end{aligned}$$

where \(+\) denotes modular addition. More involved sets of related-key-deriving functions where the functions may depend on the cryptographic primitives are discussed in [4, 59].

6.2 Relation

The relation between tweakable blockciphers and the related-key security of conventional blockciphers was already pointed out by Cogliati et al. [16, 20, 21]. At a high level, they suggest that if a blockcipher \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}\) is related-key secure for related-key-deriving functions \(\varPhi \), then the tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) with \(\mathcal {T}=\varPhi \), that is defined as

$$\begin{aligned} \widetilde{E}_k(\phi ,m)=E_{\phi (k)}(m)\,, \end{aligned}$$

is an equally secure tweakable blockcipher:

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(q,\ell ,p) = \mathbf {Adv} _{E,\varPhi }^{\mathsf {rk}}(q,\ell ,p)\,, \end{aligned}$$

for any \(q,\ell ,p\). As a matter of fact, Cogliati et al. restrict their observation to XOR-induced related-key-deriving functions \(\varPhi _\oplus \) of Sect. 6.1, but their observation straightforwardly generalizes. Lucks [57] and Tessaro [77] considered constructions comparable to (9), albeit not in the context of tweakable blockciphers.

However, the reverse direction appears to be underexposed, despite its seemingly broad spectrum of potential applications. Assume we have a tweakable blockcipher \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\), and define a blockcipher \(E:(\mathcal {K}\times \mathcal {T})\times \mathcal {M}\rightarrow \mathcal {M}\) as

$$\begin{aligned} E_{k\Vert t}(m)=\widetilde{E}_k(t,m)\,. \end{aligned}$$

Then, for the set of related-key-deriving functions

$$\begin{aligned} \varPhi _{\mathrm {id}\Vert \oplus } = \left\{ \varphi _\delta :k\Vert t\mapsto k\Vert (t\oplus \delta ) \mid \delta \in \mathcal {T}\right\} \,, \end{aligned}$$

which can be seen as a set of partially-transforming related-key-deriving functions in the terminology of Lucks [57], we can derive the following result.

Theorem 2

Let \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) be a tweakable blockcipher, and \(E\) the construction from (10). Let \(q,\ell ,p\ge 0\). Then,

$$\begin{aligned} \mathbf {Adv} _{E,\varPhi _{\mathrm {id}\Vert \oplus }}^{\mathsf {rk}}(q,\ell ,p) \le \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(q,\ell ,p)\,. \end{aligned}$$


Proof

Let \(\mathcal {D}_1\) be a \(\mathrm {RK}\) distinguisher against \(E\) with respect to \(\varPhi _{\mathrm {id}\Vert \oplus }\). Let \(\mathcal {D}_2\) be as follows: first, it selects a random tweak t. Then, each query \((\delta ,m)\) made by \(\mathcal {D}_1\) (we can without loss of generality describe an element \(\varphi _\delta \in \varPhi _{\mathrm {id}\Vert \oplus }\) by \(\delta \)) is transformed into a query \((t\oplus \delta ,m)\) to \(\widetilde{E}\), and the response is relayed. \(\mathcal {D}_1\)’s final decision is forwarded by \(\mathcal {D}_2\). By design,

$$\begin{aligned} \mathbf {Adv} _{E,\varPhi _{\mathrm {id}\Vert \oplus }}^{\mathsf {rk}}(\mathcal {D}_1) = \mathbf {Adv} _{\widetilde{E}}^{\mathsf {stprp}}(\mathcal {D}_2)\,, \end{aligned}$$

and the result is established by maximizing over all distinguishers with complexity \((q,\ell ,p)\).

\(\square \)

We can use this construction to obtain multiple instances of the blockcipher \(E\) under related keys: the master key k stays the same and each user gets a different offset t. For instance, if \(\mu \) instances of \(E\) are required, they could be generated via the offsets

$$\begin{aligned} E_{k\Vert t}\,,\, E_{k\Vert (t\oplus 1)}\,,\, \ldots \,,\, E_{k\Vert (t\oplus (\mu -1))}\,. \end{aligned}$$

By Theorem 2, the joint security of these \(\mu \) instances is bounded by the \(\mathrm {STPRP}\) security of \(\widetilde{E}\) under the \(\mu \) distinct tweaks \(t\oplus 0,\ldots ,t\oplus (\mu -1)\), so \(\mu \) is limited by the size of the tweak space \(\mathcal {T}\).
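The construction (10), the set \(\varPhi _{\mathrm {id}\Vert \oplus }\), the simulator \(\mathcal {D}_2\) from the proof of Theorem 2 and the multi-instance offsets above, as an added Python example that is not part of the paper. It assumes a toy stand-in tweakable blockcipher (a seeded shuffle of an 8-bit message space, insecure and only there so that \(\widetilde{E}_k(t,\cdot )\) is a concrete invertible permutation), 16-bit tweaks, and the names `tbc`, `E`, `phi`, `RKOracle`, `TweakOracle`, `D2Simulator`, `d1` and `instances`, all chosen here. The fixed distinguisher `d1` and the sample keys are constructed for the demonstration.

```python
# Added example: E_{k||t} of (10), Phi_{id||xor}, the D_2 simulator of Theorem 2 and the
# multi-instance offsets (not the paper's code).
import random

BLOCK_BITS = 8      # toy message space M = {0,1}^8: each tweakable permutation is a 256-entry table
TWEAK_BITS = 16     # tweak space T = {0,1}^16

def tbc(k, t, m, inverse=False):
    """Stand-in tweakable blockcipher (assumption): for every (k, t) a permutation of M
    obtained by a seeded shuffle. Its only purpose is to be a concrete, invertible
    E~_k(t, .) for the reduction below; it is not a secure cipher."""
    rng = random.Random("tbc/%d/%d" % (k, t))
    table = list(range(1 << BLOCK_BITS))
    rng.shuffle(table)
    return table.index(m) if inverse else table[m]

def E(key, m, inverse=False):
    """Blockcipher E_{k||t}(m) = E~_k(t, m) of (10); its key is the pair (k, t)."""
    k, t = key
    return tbc(k, t, m, inverse)

def phi(delta):
    """phi_delta in Phi_{id||xor}: k||t -> k||(t xor delta). The k half is untouched,
    which is what makes this a partially-transforming related-key function."""
    return lambda key: (key[0], key[1] ^ delta)

class RKOracle:
    """Real world of the RK game against E: secret key (k, t), queries (delta, m)."""
    def __init__(self, key):
        self._key = key
        self.transcript = []

    def query(self, delta, m, inverse=False):
        c = E(phi(delta)(self._key), m, inverse)
        self.transcript.append((delta, m, inverse, c))
        return c

class TweakOracle:
    """Construction oracle of the STPRP game against E~: secret k, caller picks the tweak."""
    def __init__(self, k):
        self._k = k

    def query(self, t, m, inverse=False):
        return tbc(self._k, t, m, inverse)

class D2Simulator:
    """D_2 from the proof of Theorem 2. It holds a tweak t of its own choice (uniform in
    the proof) and answers D_1's related-key query (delta, m) with the tweak query
    (t xor delta, m); it never needs k."""
    def __init__(self, tweak_oracle, t):
        self._o = tweak_oracle
        self._t = t
        self.transcript = []

    def query(self, delta, m, inverse=False):
        c = self._o.query(self._t ^ delta, m, inverse)
        self.transcript.append((delta, m, inverse, c))
        return c

def d1(oracle):
    """A fixed RK distinguisher D_1 (constructed): forward and inverse queries under
    three key relations; it returns the answers it saw."""
    seen = []
    for delta in (0x0000, 0x0001, 0xBEEF):
        c = oracle.query(delta, 0x5A)
        seen.append(c)
        seen.append(oracle.query(delta, c, inverse=True))   # decrypts back to 0x5A
    return seen

def simulation_is_perfect(k, t):
    """True iff D_1 sees identical answers from the RK oracle with key k||t and from D_2
    simulating it on top of E~_k with tweak t: the 'by design' equality
    Adv^rk(D_1) = Adv^stprp(D_2) of the proof, checked on one transcript."""
    real, sim = RKOracle((k, t)), D2Simulator(TweakOracle(k), t)
    return d1(real) == d1(sim) and real.transcript == sim.transcript

def instances(k, t, mu):
    """mu instances E_{k||t}, E_{k||(t xor 1)}, ..., E_{k||(t xor (mu-1))} sharing master key k.
    The offsets must be distinct tweaks, so mu cannot exceed |T| = 2^TWEAK_BITS."""
    if not 1 <= mu <= 1 << TWEAK_BITS:
        raise ValueError("mu must lie in [1, 2^TWEAK_BITS]")
    return [(k, t ^ j) for j in range(mu)]

if __name__ == "__main__":
    print("simulation perfect:", simulation_is_perfect(k=0x1234, t=0xABCD))
    print("instances:", instances(0x1234, 0xABCD, 4))
```

Because `D2Simulator` never touches k, the only thing it adds to \(\mathcal {D}_1\) is the choice of t; in the proof that choice is uniform, which together with the STPRP game's uniform k gives exactly the uniform key \(k\Vert t\) of the RK game.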

7 Conclusion

Our research illustrates how placing existing security definitions in a different context can lead to fruitful insights. After extending the definition of blockcipher multi-key security to include KDFs, the connection with tweakable blockcipher security immediately follows, and with it the connections to related-key security and the security of blockcipher key schedules. We applied these connections to illustrate how results on the iterated Even–Mansour and the iterated Tweakable Even–Mansour constructions can be transferred between each other, yielding new theoretical results. Furthermore, our definitions and results pave the way to understanding the design of KDFs, in particular ones which are not necessarily PRFs. We saw that such KDFs can be instantiated with universal hash functions, which could result in efficiency improvements in practice.