How to Build Fully Secure Tweakable Blockciphers from Classical Blockciphers

  • Lei Wang
  • Jian Guo
  • Guoyan Zhang
  • Jingyuan Zhao
  • Dawu Gu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


This paper focuses on building a tweakable blockcipher from a classical blockcipher whose input and output wires all have a size of n bits. The main goal is to achieve full \(2^n\) security. Such a tweakable blockcipher was proposed by Mennink at FSE’15, and it is also the only tweakable blockcipher so far that claimed full \(2^n\) security to our best knowledge. However, we find a key-recovery attack on Mennink’s proposal (in the proceeding version) with a complexity of about \(2^{n/2}\) adversarial queries. The attack well demonstrates that Mennink’s proposal has at most \(2^{n/2}\) security, and therefore invalidates its security claim. In this paper, we study a construction of tweakable blockciphers denoted as \(\widetilde{\mathbb {E}}[s]\) that is built on s invocations of a blockcipher and additional simple XOR operations. As proven in previous work, at least two invocations of blockcipher with linear mixing are necessary to possibly bypass the birthday-bound barrier of \(2^{n/2}\) security, we carry out an investigation on the instances of \(\widetilde{\mathbb {E}}[s]\) with \(s \ge 2\), and find 32 highly efficient tweakable blockciphers \(\widetilde{E1}\), \(\widetilde{E2}\), \(\ldots \), \(\widetilde{E32}\) that achieve \(2^n\) provable security. Each of these tweakable blockciphers uses two invocations of a blockcipher, one of which uses a tweak-dependent key generated by XORing the tweak to the key (or to a secret subkey derived from the key). We point out the provable security of these tweakable blockciphers is obtained in the ideal blockcipher model due to the usage of the tweak-dependent key.


Tweakable blockcipher Full security Ideal blockcipher Tweak-dependent key 



Lei Wang and Dawu Gu are sponsored by the Natural Science Foundation of Shanghai (16ZR1416400), Major State Basic Research Development Program (973 Plan), the National Natural Science Foundation of China (61472250), and Innovation Plan of Science and Technology of Shanghai (14511100300). Guoyan Zhang is sponsored by National Natural Science Foundation of China (61602276). Jingyuan Zhao is sponsored by the National Science Foundation of China (no. 61379139) and the Strategic Priority Research Program of the Chinese Academy of Sciences (no. XDA06100701).


  1. 1.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42033-7_22 CrossRefGoogle Scholar
  2. 2.
    ANSI: Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques. ANSI X9.24-1: 2009 (2009)Google Scholar
  3. 3.
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: SIMON and SPECK: Block Ciphers for the Internet of Things. Cryptology ePrint Archive, Report 2015/585 (2015).
  4. 4.
    Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_41 CrossRefGoogle Scholar
  5. 5.
  6. 6.
    Chakraborty, D., Sarkar, P.: A General construction of tweakable block ciphers and different modes of operations. In: Lipmaa, H., Yung, M., Lin, D. (eds.) Inscrypt 2006. LNCS, vol. 4318, pp. 88–102. Springer, Heidelberg (2006). doi: 10.1007/11937807_8 CrossRefGoogle Scholar
  7. 7.
    Chakraborty, D., Sarkar, P.: HCH: A new tweakable enciphering scheme using the hash-counter-hash approach. IEEE Trans. Inf. Theory 54(4), 1683–1699 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_19 CrossRefGoogle Scholar
  9. 9.
    Cogliati, B., Lampe, R., Seurin, Y.: Tweaking even-mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 189–208. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_9 CrossRefGoogle Scholar
  10. 10.
    Cogliati, B., Seurin, Y.: Beyond-birthday-bound security for tweakable even-mansour ciphers with linear tweak and key mixing. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 134–158. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_6 CrossRefGoogle Scholar
  11. 11.
    Cogliati, B., Seurin, Y.: On the provable security of the iterated even-mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_23 Google Scholar
  12. 12.
    Crowley, P.: Mercy: A fast large block cipher for disk sector encryption. In: Goos, G., Hartmanis, J., Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 49–63. Springer, Heidelberg (2001). doi: 10.1007/3-540-44706-7_4 CrossRefGoogle Scholar
  13. 13.
    Daemen, J.: Limitations of the even-mansour construction. In: [26], pp. 495–498Google Scholar
  14. 14.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)CrossRefzbMATHGoogle Scholar
  15. 15.
    Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the even-mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_21 CrossRefGoogle Scholar
  16. 16.
    Dworkin, M.: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Condentiality on Storage Devices. NIST Special Publication 800–38E (2010)Google Scholar
  17. 17.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: [26], pp. 210–224Google Scholar
  18. 18.
    Farshim, P., Procter, G.: The related-key security of iterated even-mansour ciphers. In: [33], pp. 342–363Google Scholar
  19. 19.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The SKEIN Hash Function Family. NIST SHA-3 Competition (2008)Google Scholar
  20. 20.
    Goldenberg, D., Hohenberger, S., Liskov, M., Schwartz, E.C., Seyalioglu, H.: On tweaking luby-rackoff blockciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 342–356. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-76900-2_21 CrossRefGoogle Scholar
  21. 21.
    Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 263–293. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_11 CrossRefGoogle Scholar
  22. 22.
    Grosso, V., Leurent, G., Standaert, F., Varici, K., Journault, A., Durvaux, F., Gaspar, L., Kerckhof, S.: SCREAM Side-Channel Resistant Authenticated Encryption with Masking V3. CAESAR Competition Candidate (2015).
  23. 23.
    Halevi, S.: EME*: Extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30556-9_25 CrossRefGoogle Scholar
  24. 24.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_28 CrossRefGoogle Scholar
  25. 25.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24660-2_23 CrossRefGoogle Scholar
  26. 26.
    Imai, H., Rivest, R.L., Matsumoto, T. (eds.): ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993). doi: 10.1007/3-540-57332-1_17 zbMATHGoogle Scholar
  27. 27.
    Iwata, T., Wang, L.: Impact of ANSI X9.24-1:2009 key check value on ISO/IEC 9797-1:2011 MACs. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 303–322. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46706-0_16 Google Scholar
  28. 28.
    Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_15 Google Scholar
  29. 29.
    Jean, J., Nikolic, I., Peyrin, T.: Deoxys v1.3. CAESAR Competition Candidate (2015).
  30. 30.
    Jean, J., Nikolic, I., Peyrin, T.: Joltik v1.3. CAESAR Competition Candidate (2015).
  31. 31.
    Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–151. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_8 Google Scholar
  32. 32.
    Landecker, W., Shrimpton, T., Terashima, R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_2 CrossRefGoogle Scholar
  33. 33.
    Leander, G. (ed.): FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48116-5_21 CrossRefGoogle Scholar
  34. 34.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). doi: 10.1007/3-540-45708-9_3 CrossRefGoogle Scholar
  35. 35.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Mennink, B.: Optimally secure tweakable blockciphers. In: [33], pp. 428–448Google Scholar
  37. 37.
    Mennink, B.: Optimally Secure Tweakable Blockciphers. IACR Cryptology ePrint Archive 2015 363 (2015).
  38. 38.
    Mennink, B.: Private communication (2015)Google Scholar
  39. 39.
    Mennink, B.: XPX: Generalized tweakable even-mansour with improved security guarantees. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 64–94. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_3 CrossRefGoogle Scholar
  40. 40.
    Minematsu, K.: Improved security analysis of XEX and LRW modes. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 96–113. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74462-7_8 CrossRefGoogle Scholar
  41. 41.
    Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03317-9_19 CrossRefGoogle Scholar
  42. 42.
    Minematsu, K., Iwata, T.: Tweak-length extension for tweakable blockciphers. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 77–93. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-27239-9_5 CrossRefGoogle Scholar
  43. 43.
    Minematsu, K., Matsushima, T.: Tweakable enciphering schemes from hash-sum-expansion. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 252–267. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-77026-8_19 CrossRefGoogle Scholar
  44. 44.
    Mitsuda, A., Iwata, T.: Tweakable pseudorandom permutation from generalized feistel structure. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 22–37. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88733-1_2 CrossRefGoogle Scholar
  45. 45.
    Patarin, J.: A proof of security in O(2n) for the Xor of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85093-9_22 CrossRefGoogle Scholar
  46. 46.
    Procter, G.: A Note on the CLRW2 Tweakable Block Cipher Construction. Cryptology ePrint Archive, Report 2014/111 (2014).
  47. 47.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30539-2_2 CrossRefGoogle Scholar
  48. 48.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P., (eds.) ACM CCS 2001, pp. 196–205. ACM (2001)Google Scholar
  49. 49.
    Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. IEEE Trans. Inf. Theory 55(10), 4749–4760 (2009)MathSciNetCrossRefGoogle Scholar
  50. 50.
    Schroeppel, R.: The Hasty Pudding Cipher. NIST AES Proposal (1998)Google Scholar
  51. 51.
    Wang, L.: SHELL v2.0. CAESAR Competition Candidate (2015).
  52. 52.
    Wang, L., Guo, J., Zhang, G., Zhao, J., Gu, D.: How to Build Fully Secure Tweakable Blockciphers from Classical Blockciphers. Cryptology ePrint Archive, Report 2016/876 (2016).
  53. 53.
    Wang, P., Feng, D., Wu, W.: HCTR: A variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005). doi: 10.1007/11599548_15 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Lei Wang
    • 1
    • 4
  • Jian Guo
    • 2
  • Guoyan Zhang
    • 3
  • Jingyuan Zhao
    • 4
  • Dawu Gu
    • 1
  1. 1.Department of Computer Science and EngineeringShanghai Jiao Tong UniversityShanghaiChina
  2. 2.Nanyang Technological UniversitySingaporeSingapore
  3. 3.School of Computer Science and TechnologyShandong UniversityJinanChina
  4. 4.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations