Tweaking a block cipher: multi-user beyond-birthday-bound security in the standard model

  • Benoît Cogliati


In this paper, we present a generic construction to create a secure tweakable block cipher from a secure block cipher. Our construction is very natural, requiring four calls to the underlying block cipher for each call of the tweakable block cipher. Moreover, it is provably secure in the standard model while keeping the security degradation minimal in the multi-user setting. In more details, if the underlying blockcipher E uses n-bit blocks and 2n-bit keys, then our construction is proven secure against multi-user adversaries using up to roughly \(2^n\) time and queries as long as E is a secure block cipher.


Tweakable block cipher Prp-to-prf conversion Multi-user security XORP construction Standard model 

Mathematics Subject Classification




This work has been supported in part by the European Unions H2020 Programme under grant agreement number ICT-644209. We would also like to thank the reviewers from Designs, Codes and Cryptography for their helpful comments.


  1. 1.
    Andreeva E., Bogdanov A., Luykx A., Mennink B., Tischhauser E., Yasuda K.: Parallelizable and authenticated online ciphers. In: Sako K., Sarkar P., (eds.) Advances in Cryptology—ASIACRYPT 2013 (Proceedings, Part I), LNCS, vol. 8269, pp. 424–443. Springer (2013).Google Scholar
  2. 2.
    Boldyreva A., Micali S.: Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements, pp. 259–274. Springer, Berlin (2000).zbMATHGoogle Scholar
  3. 3.
    Bellare M., Rogaway P.: Introduction to modern cryptography, pseudorandom functions (2005).
  4. 4.
    Bhattacharya S., Nandi M.: Full indifferentiable security of the xor of two or more random permutations using the chi-squared method. In: Advances in Cryptology—EUROCRYPT 2018: 37th Annual International Cryptology Conference, Tel-Aviv, Israel, Cham, 2018. Springer (2018).Google Scholar
  5. 5.
    Bhattacharya S., Nandi M.: A note on the chi-square method: a tool for proving cryptographic security. Cryptogr. Commun. (2018).Google Scholar
  6. 6.
    Biham E.: How to decrypt or even substitute des-encrypted messages in 228 steps. Inf. Process. Lett. 84(3), 117–124 (2002).MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Chakraborty D., Sarkar P.: A general construction of tweakable block ciphers and different modes of operations. In: Lipmaa H., Yung M., Lin D. (eds.) Information Security and Cryptology—Inscrypt 2006, LNCS, vol. 4318, pp. 88–102. Springer (2006).Google Scholar
  8. 8.
    Chen S., Steinberger J.: Tight Security Bounds for Key-Alternating Ciphers. In: Nguyen P.Q., Oswald E., (eds.) Advances in Cryptology—EUROCRYPT 2014, LNCS, vol. 8441, pp. 327–350. Springer (2014). Full version available at
  9. 9.
    Cogliati B., Lampe R., Seurin Y.: Tweaking even-mansour ciphers. In: Gennaro R., Robshaw M., (eds.) Advances in Cryptology—CRYPTO 2015 (Proceedings, Part I), LNCS, vol. 9215, pp. 189–208. Springer (2015). Full version available at
  10. 10.
    Cogliati B., Seurin, Y.: Beyond-birthday-bound security for tweakable even-mansour ciphers with linear tweak and key mixing. In: Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part II, Lecture Notes in Computer Science, vol. 9453, pp. 134–158. Springer (2015).Google Scholar
  11. 11.
    Cogliati B., Seurin Y.: On the provable security of the iterated even-mansour cipher against related-key and chosen-key attacks. In: Oswald E., Fischlin M., (eds.) Advances in Cryptology—EUROCRYPT 2015—Proceedings, Part I, LNCS, vol. 9056, pp. 584–613. Springer (2015). Full version available at
  12. 12.
    Crowley P.: Mercy: a fast large block cipher for disk sector encryption. In: Schneier B., (ed.) Fast Software Encryption—FSE 2000, LNCS, vol. 1978, pp. 49–63. Springer (2000).Google Scholar
  13. 13.
    Dai W., Hoang V.T., Tessaro S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz J., Shacham H., (eds.) Advances in Cryptology—CRYPTO 2017, pp. 497–523. Springer, Cham (2017).Google Scholar
  14. 14.
    Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997).MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Ferguson N., Lucks S., Schneier B., Whiting D., Bellare M., Kohno T., Callas J., Walker J.: The Skein Hash Function Family. SHA3 Submission to NIST (Round 3) (2010).Google Scholar
  16. 16.
    Goldenberg D., Hohenberger S., Liskov M., Schwartz E.C., Seyalioglu, H.: On tweaking Luby–Rackoff blockciphers. In: Kurosawa K., (ed.) Advances in Cryptology—ASIACRYPT 2007, LNCS, vol. 4833, pp. 342–356. Springer (2007).Google Scholar
  17. 17.
    Granger R., Jovanovic P., Mennink B., Neves S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, 8–12 May 2016, Proceedings, Part I, pp. 263–293 (2016).Google Scholar
  18. 18.
    Halevi S., Rogaway P.: A tweakable enciphering mode. In: Boneh D., (ed.) Advances in Cryptology—CRYPTO 2003, LNCS, vol. 2729, pp. 482–499. Springer (2003).Google Scholar
  19. 19.
    Halevi S., Rogaway P.: A parallelizable enciphering mode. In: Okamoto T., (ed.) Topics in Cryptology—CT-RSA 2004, LNCS, vol. 2964, pp. 292–304. Springer (2004).Google Scholar
  20. 20.
    Hoang V.T., Tessaro S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw M., Katz J., (eds.) Advances in Cryptology—CRYPTO 2016 (Proceedings, Part I), LNCS, vol. 9814, pp. 3–32. Springer (2016).Google Scholar
  21. 21.
    Iwata T., Mennink B., Vizár D.: Cenc is optimally secure. IACR Cryptol. ePrint Arch. 2016, 1087 (2016).Google Scholar
  22. 22.
    Jean J., Nikolic I., Peyrin T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar P., Iwata T., (eds.) Advances in Cryptology—ASIACRYPT 2014 (Proceedings, Part II), LNCS, vol. 8874, pp. 274–288. Springer (2014).Google Scholar
  23. 23.
    Kurosawa K.: Power of a public random permutation and its application to authenticated encryption. IEEE Trans. Inf. Theory 56(10), 5366–5374 (2010).MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Lampe R., Seurin Y.: Security analysis of key-alternating feistel ciphers. In: Cid C., Rechberger C., (eds.) Fast Software Encryption—FSE 2014, LNCS, vol. 8540, pp. 243–264. Springer (2014).Google Scholar
  25. 25.
    Landecker W., Shrimpton T., Terashima R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini R., Canetti R., (eds.) Advances in Cryptology—CRYPTO 2012, LNCS, vol. 7417, pp. 14–30. Springer (2012). Full version available at
  26. 26.
    Lee J., Luykx A., Mennink B., Minematsu K.: Connecting tweakable and multi-key blockcipher security. Des. Codes Cryptogr. (2017).Google Scholar
  27. 27.
    Liskov M., Rivest R.L., Wagner D.: Tweakable block ciphers. In: Yung M., (ed.) Advances in Cryptology—CRYPTO 2002, LNCS, vol. 2442, pp. 31–46. Springer (2002).Google Scholar
  28. 28.
    Luykx A., Mennink B., Paterson K.G.: Analyzing multi-key security degradation. Cryptology ePrint Archive, Report 2017/435 (2017).
  29. 29.
    Mennink B.: Optimally secure tweakable blockciphers. In: Leander G. (ed.) Fast Software Encryption—FSE 2015, LNCS, vol. 9054, pp. 428–448. Springer (2015). Full version available at
  30. 30.
    Mennink B.: XPX: Generalized tweakable even-mansour with improved security guarantees. In: Advances in Cryptology—CRYPTO 2016—Proceedings, LNCS. Springer (2016) (To appear).Google Scholar
  31. 31.
    Mennink B.: Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security, pp. 708–732. Springer, Cham (2017).zbMATHGoogle Scholar
  32. 32.
    Minematsu K.: Improved security analysis of XEX and LRW modes. In: Biham E., Youssef A.M., (eds.) Selected Areas in Cryptography—SAC 2006, LNCS, vol. 4356, pp. 96–113. Springer (2006).Google Scholar
  33. 33.
    Minematsu K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman O., (ed.) Fast Software Encryption—FSE 2009, LNCS, vol. 5665, pp. 308–326. Springer (2009)Google Scholar
  34. 34.
    Mitsuda A., Iwata T.: Tweakable pseudorandom permutation from generalized feistel structure. In: Baek J., Bao F., Chen K., Lai X., (eds.) ProvSec 2008, LNCS, vol. 5324, pp. 22–37. Springer (2008).Google Scholar
  35. 35.
    Mouha N., Luykx A.: Multi-key Security: The Even-Mansour Construction Revisited, pp. 209–223. Springer, Berlin (2015).zbMATHGoogle Scholar
  36. 36.
    Naito Y.: Tweakable blockciphers for efficient authenticated encryptions with beyond the birthday-bound security. IACR Trans. Symmetric Cryptol. 2017(2), 1–26 (2017).Google Scholar
  37. 37.
    Patarin J.: A proof of security in \(O(2^n)\) for the Xor of two random permutations. In: Safavi-Naini R., (ed.) Information Theoretic Security—ICITS 2008, LNCS, vol. 5155, pp. 232–248. Springer (2008). Full version available at
  38. 38.
    Patarin J.: The “coefficients H” technique. In: Avanzi R.M., Keliher L., Sica F., (eds.) Selected Areas in Cryptography—SAC 2008, LNCS, vol. 5381, pp. 328–345. Springer (2008).Google Scholar
  39. 39.
    Patarin J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. IACR Cryptol. ePrint Arch. 2010, 287 (2010).Google Scholar
  40. 40.
    Patarin J.: Security of balanced and unbalanced Feistel schemes with linear non equalities (2010).
  41. 41.
    Patarin J., Montreuil A.: Benes and butterfly schemes revisited. In: Proceedings of the 8th International Conference on Information Security and Cryptology, ICISC’05, pp. 92–116. Springer, Berlin (2006).Google Scholar
  42. 42.
    Procter G.: A note on the CLRW2 tweakable block cipher construction. IACR Cryptol. ePrint Arch. Report 2014/111 (2014).
  43. 43.
    Rogaway P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee P.J. (ed.) Advances in Cryptology—ASIACRYPT 2004, LNCS, vol. 3329, pp. 16–31. Springer (2004).Google Scholar
  44. 44.
    Rogaway P., Bellare M., Black J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003).CrossRefGoogle Scholar
  45. 45.
    Rogaway P., Zhang H.: Online ciphers from tweakable blockciphers. In: Kiayias A. (ed.) Topics in Cryptology—CT-RSA 2011, LNCS, vol. 6558, pp. 237–249. Springer (2011).Google Scholar
  46. 46.
    Sasaki Yu., Todo Y., Aoki K., Naito Y., Sugawara T., Murakami Y., Matsui M., Hirose S.: Minalpher v1. Submission to the CAESAR competition (2014).Google Scholar
  47. 47.
    Schroeppel R.: The Hasty Pudding Cipher. AES submission to NIST (1998).Google Scholar
  48. 48.
    Tessaro S.: Optimally Secure Block Ciphers from Ideal Primitives, pp. 437–462. Springer, Berlin (2015).zbMATHGoogle Scholar
  49. 49.
    Wang L., Guo J., Zhang G., Zhao J., Gu D.: How to Build Fully Secure Tweakable Blockciphers from Classical Blockciphers, pp. 455–483. Springer Berlin Heidelberg, Berlin, Heidelberg (2016).zbMATHGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. 1.University of LuxembourgEsch-sur-AlzetteLuxembourg

Personalised recommendations