Tweaking Even-Mansour Ciphers
Abstract
We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterated Even-Mansour construction (which turns a tuple of public permutations into a traditional block cipher) that has received considerable attention since the work of Bogdanov et al. (EUROCRYPT 2012). More concretely, we introduce the (one-round) tweakable Even-Mansour (TEM) cipher, constructed from a single n-bit permutation P and a uniform and almost XOR-universal family of hash functions \((H_k)\) from some tweak space to \(\{0,1\}^n\), and defined as \((k,t,x)\mapsto H_k(t)\oplus P(H_k(t)\oplus x)\), where k is the key, t is the tweak, and x is the n-bit message, as well as its generalization obtained by cascading r independently keyed rounds of this construction. Our main result is a security bound up to approximately \(2^{2n/3}\) adversarial queries against adaptive chosen-plaintext and ciphertext distinguishers for the two-round TEM construction, using Patarin's H-coefficients technique. We also provide an analysis based on the coupling technique showing that asymptotically, as the number of rounds r grows, the security provided by the r-round TEM construction approaches the information-theoretic bound of \(2^n\) adversarial queries.
Keywords: Tweakable block cipher; CLRW construction; Key-alternating cipher; Even-Mansour construction; H-coefficients technique; Coupling technique
1 Introduction
Tweakable Block Ciphers. Tweakable block ciphers (TBCs for short) are a generalization of traditional block ciphers which, in addition to the usual inputs (message and cryptographic key), take an extra (potentially adversarially controlled) input for variability called a tweak. Hence, the signature of a tweakable block cipher is \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\), where \(\mathcal {K}\) is the key space, \(\mathcal {T}\) the tweak space, and \(\mathcal {M}\) the message space. This primitive has been rigorously formalized by Liskov et al. [25], and has proved to be very useful to construct various higher-level cryptographic schemes such as (tweakable) length-preserving encryption modes [17, 18], online ciphers [2, 34], message authentication codes [24, 25], and authenticated encryption modes [25, 32, 33].
Besides pseudorandomness, the iterated Even-Mansour construction (with a sufficient number of rounds) has also been shown to achieve resistance to known-key attacks [3], related-key attacks [9, 14], and chosen-key attacks [9], as well as indifferentiability from an ideal cipher [1, 22].
To arrive at this result, we could have adapted the game-based proof of [24] for the two-round CLRW construction to accommodate the fact that in the TEM setting, the adversary additionally has oracle access to the inner permutations \(P_1\) and \(P_2\). Yet we preferred to use the H-coefficients technique [30], which was successfully applied to the analysis of the iterated Even-Mansour cipher [6, 7], and adjust it to take into account the existence of the tweak in the TEM construction. Our choice was motivated by the fact that the H-coefficients-based security proof for the two-round Even-Mansour cipher is (in our opinion) simpler than the game-based proof for the two-round CLRW construction. Actually, our security proof for the two-round TEM construction can easily be simplified (by making the inner permutations secret, or, more formally, letting the number of queries \(q_p\) to the inner permutations be zero in our security bound as given by Theorem 2) to yield a new, H-coefficients-based proof of the security result of [24] for the two-round CLRW construction (our own bound matching that of Landecker et al. [24] up to multiplicative constants).^{6} It seems interesting to us that our proof entails a new and conceptually simpler (at least to us) proof of a previous result that turned out quite delicate to get right with game-based techniques [31]. We explain how to "extract" from our work an H-coefficients proof for the two-round CLRW construction in the full version of this paper [8].
We were unable to extend our H-coefficients security proof to \(r>2\) rounds.^{7} Instead, we provide an asymptotic analysis of the TEM construction (as r grows) based on the coupling technique [19, 28]. This part combines in a rather straightforward way the approach of [21] (which applied the coupling technique to the iterated Even-Mansour cipher) and of [23] (which applied the coupling technique to the CLRW construction). This allows us to prove that the r-round TEM construction is secure up to roughly \(2^{\frac{rn}{r+2}}\) adversarial queries (against adaptive chosen-plaintext and ciphertext attacks). As with previous work, we conjecture that the "real" security bound is actually \(2^{\frac{rn}{r+1}}\) queries (which we prove to hold for the weaker class of non-adaptive chosen-plaintext adversaries), but that the coupling technique is not suited to proving this.
Application to Related-Key Security. There are strong connections between tweakable block ciphers and the related-key security of traditional block ciphers [4, 25]. We expand on this in the full version of the paper [8], explaining how our results have immediate implications for the related-key security of the traditional (iterated) Even-Mansour cipher with a non-linear key schedule.
Related Work and Perspectives. There are very few papers studying generic ways of building tweakable block ciphers from some lower-level primitive than a traditional block cipher. One notable exception is the work of Goldenberg et al. [16] who studied how to tweak (generically) Feistel ciphers (in other words, they showed how to construct tweakable block ciphers from pseudorandom functions). This was extended to generalized Feistels by Mitsuda and Iwata [27]. Our own work seems to be the first (besides [9], that capped at the birthday bound) to explore theoretically sound ways to construct "by-design" tweakable block ciphers with an SPN or more generally a key-alternating structure. In a sense, it can be seen as complementary to the recent \(\mathsf {TWEAKEY}\) framework introduced by Jean et al. [20], that tackled a similar goal but adopted a more practical and attack-driven (rather than proof-oriented) angle. We hope that combining these two approaches will pave the way towards efficient and theoretically sound ways of building tweakable key-alternating ciphers, or tweaking existing ones such as \(\mathsf {AES}\). We also note that the term tweakable Even-Mansour was previously used by the designers of Minalpher [35] (a candidate to the CAESAR competition) to designate a permutation-based variant of Rogaway's XEX construction [32]. It relates to construction (4) by eliminating the AXU hash function \(H_k(t)\) and replacing it by \(\varDelta =(k\Vert t)\oplus P(k\Vert t)\) (thereby halving tweak and key length), in about the same way XEX replaces the AXU hash function of the LRW construction (1) by a "gadget" calling the underlying block cipher \(E_k\). The designers of Minalpher prove that this construction also achieves birthday-bound security.
Finally, we bring up some open problems. First, as already mentioned, it would be very interesting to give a tight analysis of the TEM construction for any number \(r>2\) of rounds (a first, hopefully simpler step towards this goal would be to give a tight bound for the CLRW construction for \(r>2\)). Second, variants with the same permutation and/or non-independent round keys are also worth studying, as was done in [6] for the (traditional) two-round iterated Even-Mansour cipher. Third, since implementing an AXU hash function family might be costly, it would be very valuable to explore whether linear operations for mixing the key and the tweak into the state of an Even-Mansour-like construction might be enough to get security beyond the birthday bound.
2 Preliminaries
2.1 Notation and General Definitions
General Notation. In all the following, we fix an integer \(n\ge 1\) and denote \(N=2^n\). For integers \(1\le b\le a\), we will write \((a)_b=a(a-1)\cdots (a-b+1)\) and \((a)_0=1\) by convention. The set of all permutations of \(\{0,1\}^n\) will be denoted \(\mathsf {P}(n)\). Given a non-empty set X, we denote \(x\leftarrow _{\$}X\) the draw of an element x from X uniformly at random.
Tweakable Block Ciphers. A tweakable block cipher with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\mathcal {M}\) is a mapping \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any key \(k\in \mathcal {K}\) and any tweak \(t\in \mathcal {T}\), \(x\mapsto \widetilde{E}(k,t,x)\) is a permutation of \(\mathcal {M}\). We denote \(\mathsf {TBC}(\mathcal {K},\mathcal {T},n)\) the set of all tweakable block ciphers with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\{0,1\}^n\). A tweakable permutation with tweak space \(\mathcal {T}\) and message space \(\mathcal {M}\) is a mapping \(\widetilde{P}: \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any tweak \(t\in \mathcal {T}\), \(x\mapsto \widetilde{P}(t,x)\) is a permutation of \(\mathcal {M}\). We denote \(\mathsf {TP}(\mathcal {T},n)\) the set of all tweakable permutations with tweak space \(\mathcal {T}\) and message space \(\{0,1\}^n\).
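The following is an added toy implementation of the r-round TEM construction defined in the abstract, not code from the paper: each round maps \((k,t,x)\) to \(H_k(t)\oplus P(H_k(t)\oplus x)\), and r rounds cascade independently keyed copies over independent permutations. It assumes n = 8 so that the public permutations fit in a lookup table, draws those permutations from a seeded PRNG (a stand-in for the random permutation oracles, not a secure instantiation), and instantiates the uniform AXU family as multiplication by the key in GF(2^8) with the AES field polynomial.

```python
"""Toy r-round tweakable Even-Mansour (TEM) cipher, added illustration.
One round: (k, t, x) -> H_k(t) xor P(H_k(t) xor x); r rounds cascade
independently keyed rounds with independent permutations P_1..P_r.
Assumptions: n = 8, permutations from a seeded PRNG (a model, not a cipher)."""
import random

N_BITS = 8
N = 1 << N_BITS            # the paper's N = 2^n
POLY = 0x11B               # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo POLY (carry-less shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & N:
            a ^= POLY
    return r


def axu_hash(k: int, t: int) -> int:
    """H_k(t) = k * t in GF(2^n). For a uniform key k and nonzero tweaks this
    family is uniform and XOR-universal with epsilon = 2^-n: for t != t',
    H_k(t) xor H_k(t') = k * (t xor t') is uniform over the choice of k."""
    return gf_mul(k, t)


def random_permutation(seed: int):
    """A public permutation of {0,1}^n and its inverse (constructed from a seed,
    standing in for the random permutation oracle P_i)."""
    rng = random.Random(seed)
    perm = list(range(N))
    rng.shuffle(perm)
    inv = [0] * N
    for u, v in enumerate(perm):
        inv[v] = u
    return perm, inv


class TEM:
    """TEM[n, r, H] with round keys k_1..k_r and permutations P_1..P_r."""

    def __init__(self, keys, perms):
        assert len(keys) == len(perms)
        self.keys = list(keys)
        self.perms = list(perms)

    def encrypt(self, t: int, x: int) -> int:
        for k, (p, _) in zip(self.keys, self.perms):
            h = axu_hash(k, t)
            x = h ^ p[h ^ x]          # one TEM round: H_k(t) xor P(H_k(t) xor x)
        return x

    def decrypt(self, t: int, y: int) -> int:
        for k, (_, p_inv) in reversed(list(zip(self.keys, self.perms))):
            h = axu_hash(k, t)
            y = h ^ p_inv[h ^ y]      # undo one round with P^{-1}
        return y


def build_tem(r: int, seed: int = 1) -> TEM:
    """r independently keyed rounds over r independent (constructed) permutations."""
    rng = random.Random(seed)
    keys = [rng.randrange(N) for _ in range(r)]
    perms = [random_permutation(seed * 1000 + i) for i in range(r)]
    return TEM(keys, perms)


def is_tweakable_permutation(cipher: TEM, t: int) -> bool:
    """Check that x -> TEM(k, t, x) is a bijection of {0,1}^n and that decrypt inverts it,
    i.e. that the construction really is a tweakable block cipher for tweak t."""
    images = {cipher.encrypt(t, x) for x in range(N)}
    return len(images) == N and all(cipher.decrypt(t, cipher.encrypt(t, x)) == x for x in range(N))


if __name__ == "__main__":
    tem2 = build_tem(2)
    print("two-round TEM is a tweakable permutation for every nonzero tweak:",
          all(is_tweakable_permutation(tem2, t) for t in range(1, N)))
```

Nothing here is secret except the round keys; the permutation tables play the role of the public oracles \(P_i\) that a distinguisher may query in both directions, which is exactly why the security argument in the paper must account for inner permutation queries \(q_p\) in addition to construction queries \(q_c\).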
Convention 1
Uniform AXU Hash Function Family. We will need the following properties of the hash function family \(\mathcal {H}\).
Definition 1
Example 1
2.2 Security Definitions
Fix some family of functions \(\mathcal {H}=(H_k)_{k\in \mathcal {K}}\) from \(\mathcal {T}\) to \(\{0,1\}^n\). To study the security of the construction \(\mathsf {TEM}[n,r,\mathcal {H}]\) in the Random Permutation Model, we consider a distinguisher \(\mathcal {D}\) which interacts with \(r+1\) oracles that we denote generically \((\widetilde{P}_0,P_1,\ldots ,P_r)\), where syntactically \(\widetilde{P}_0\) is a tweakable permutation with tweak space \(\mathcal {T}\) and message space \(\{0,1\}^n\), and \(P_1,\ldots ,P_r\) are permutations of \(\{0,1\}^n\). The goal of \(\mathcal {D}\) is to distinguish two "worlds": the so-called real world, where \(\mathcal {D}\) interacts with \((\mathsf {TEM}^{\mathbf {P}}_{\mathbf {k}},\mathbf {P})\), where \(\mathbf {P}=(P_1,\ldots ,P_r)\) is a tuple of public random permutations and the key \(\mathbf {k}=(k_1,\ldots ,k_r)\) is drawn uniformly at random from \(\mathcal {K}^r\), and the so-called ideal world \((\widetilde{P}_0,\mathbf {P})\), where \(\widetilde{P}_0\) is a uniformly random tweakable permutation and \(\mathbf {P}\) is a tuple of random permutations of \(\{0,1\}^n\) independent from \(\widetilde{P}_0\). We will refer to \(\widetilde{P}_0\) as the construction oracle and to \(P_1,\ldots ,P_r\) as the inner permutation oracles.
a non-adaptive chosen-plaintext (NCPA) distinguisher runs in two phases: during the first phase, it only queries the inner permutations, adaptively and in both directions; in the second phase, it issues a tuple of non-adaptive chosen-plaintext queries to the construction oracle and receives the corresponding answers (this tuple of queries may depend on the answers received in the first phase, but all queries must be chosen non-adaptively before receiving any answer from the construction oracle);
an adaptive chosen-plaintext and ciphertext (CCA) distinguisher is not restricted in how it queries its oracles: it can make adaptive bidirectional queries to all its oracles.
We stress that the NCPA model is not very interesting in itself^{8} and will only be useful as an intermediate step for the coupling-based security proof in Sect. 4.
3 Tight Bounds for One and Two Rounds
3.1 The H-Coefficients Technique
We start by describing Patarin's H-coefficients technique [30], which has enjoyed increasing adoption since Chen and Steinberger used it to prove the security of the iterated Even-Mansour cipher for an arbitrary number of rounds [7].
Transcript. We summarize the interaction of \(\mathcal {D}\) with its oracles in what we call the queries transcript \((\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) of the attack, where \(\mathcal {Q}_C\) records the queries to the construction oracle and \(\mathcal {Q}_{P_i}\), \(1\le i \le r\), records the queries to inner permutation \(P_i\). More precisely, \(\mathcal {Q}_C\) contains all triples \((t,x,y)\in \mathcal {T}\times \{0,1\}^n \times \{0,1\}^n\) such that \(\mathcal {D}\) either made the direct query (t, x) to the construction oracle and received answer y, or made the inverse query (t, y) and received answer x. Similarly, for \(1\le i \le r\), \(\mathcal {Q}_{P_i}\) contains all pairs \((u,v)\in \{0,1\}^n\times \{0,1\}^n\) such that \(\mathcal {D}\) either made the direct query u to permutation \(P_i\) and received answer v, or made the inverse query v and received answer u. Note that queries are recorded in a directionless and unordered fashion, but by our assumption that the distinguisher is deterministic, there is a one-to-one mapping between this representation and the raw transcript of the interaction of \(\mathcal {D}\) with its oracles (see e.g. [7] for more details). Note also that by our assumption that \(\mathcal {D}\) never makes pointless queries, each query to the construction oracle results in a distinct triple in \(\mathcal {Q}_C\), and each query to \(P_i\) results in a distinct pair in \(\mathcal {Q}_{P_i}\), so that \(|\mathcal {Q}_C|=q_c\) and \(|\mathcal {Q}_{P_i}|=q_p\) for \(1\le i \le r\) since we assume that the distinguisher always makes the maximal number of allowed queries to each oracle. In all the following, we also denote m the number of distinct tweaks appearing in \(\mathcal {Q}_C\), and \(q_i\) the number of queries for the i-th tweak, \(1\le i\le m\), using an arbitrary ordering of the tweaks. Note that m may depend on the answers received from the oracles, yet one always has \(\sum _{i=1}^m q_i=q_c\).
We say that a queries transcript is attainable (with respect to some fixed distinguisher \(\mathcal {D}\)) if there exist oracles \((\widetilde{P}_0,\mathbf {P})\) such that the interaction of \(\mathcal {D}\) with \((\widetilde{P}_0,\mathbf {P})\) yields this transcript (in other words, the probability to obtain this transcript in the "ideal" world is non-zero). Moreover, in order to have a simple definition of bad transcripts, we reveal to the adversary at the end of the experiment the actual tuple of keys \(\mathbf {k}=(k_1,\ldots ,k_r)\) if we are in the real world, while in the ideal world, we simply draw dummy keys \((k_1,\ldots ,k_r)\leftarrow _{\$}\mathcal {K}^r\) independently from the answers of the oracle \(\widetilde{P}_0\). (This can obviously only increase the advantage of the distinguisher, so this is without loss of generality.) All in all, a transcript \(\tau \) is a tuple \(\tau =(\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r},\mathbf {k})\), and we say that a transcript is attainable if the corresponding queries transcript \((\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) is attainable. We denote \(\varTheta \) the set of attainable transcripts. In all the following, we denote \(T_\mathrm{re}\), resp. \(T_\mathrm{id}\), the probability distribution of the transcript \(\tau \) induced by the real world, resp. the ideal world (note that these two probability distributions depend on the distinguisher). By extension, we use the same notation to denote a random variable distributed according to each distribution. The main lemma of the H-coefficients technique is the following one (see e.g. [6, 7] for the proof).
Lemma 1
3.2 Security Proof for One Round
Theorem 1
The proof uses the H-coefficients technique that we exposed in Sect. 3.1, and serves as a good warm-up before the more complex two-round case. For reasons of space, it is deferred to the full version of the paper [8].
3.3 Security Proof for Two Rounds
Theorem 2
In particular, assuming \(\mathcal {H}\) is XU for simplicity (i.e., \(\varepsilon =2^{-n}\)), one can see that the two-round TEM construction ensures security up to approximately \(2^{2n/3}\) adversarial queries. In fact, for any number \(q_c\ll 2^{2n/3}\) of construction queries, the two-round TEM construction remains secure as long as \(q_p\) is small compared with \(2^n/\sqrt{q_c}\).
The proof uses the H-coefficients technique. As usual, we will first define bad transcripts and upper bound their probability in the ideal world, and then show that the probabilities to obtain any good transcript in the real world and the ideal world are sufficiently close.
Definition 2
(C1) there exists \((t,x,y)\in \mathcal {Q}_C\), \(u_1 \in U_1\), and \(v_2 \in V_2\) such that \(x\oplus h_1(t)=u_1\) and \(y\oplus h_2(t)=v_2\);
(C2) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_1,v_1)\in \mathcal {Q}_{P_1}\), and \(u_2\in U_2\) such that \(x\oplus h_1(t)=u_1\) and \(v_1\oplus h_1(t)\oplus h_2(t)=u_2\);
(C3) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_2,v_2)\in \mathcal {Q}_{P_2}\), and \(v_1\in V_1\) such that \(y\oplus h_2(t)=v_2\) and \(v_1\oplus h_1(t)\oplus h_2(t)=u_2\);
(C4) there exists \((t,x,y),(t',x',y'),(t'',x'',y'')\in \mathcal {Q}_C\) with (t, x, y) distinct from \((t',x',y')\) and from \((t'',x'',y'')\) such that \(x\oplus h_1(t)=x'\oplus h_1(t')\) and \(y\oplus h_2(t)=y''\oplus h_2(t'')\);
(C5) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) such that \(x\oplus h_1(t)=x'\oplus h_1(t')\) and \(h_1(t)\oplus h_2(t)=h_1(t')\oplus h_2(t')\);
(C6) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) such that \(y\oplus h_2(t)=y'\oplus h_2(t')\) and \(h_1(t)\oplus h_2(t)=h_1(t')\oplus h_2(t')\);
(C7) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(u_1\in U_1\) such that \(y\oplus h_2(t)=y'\oplus h_2(t')\) and \(x\oplus h_1(t)=u_1\);
(C8) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(v_2\in V_2\) such that \(x\oplus h_1(t)=x'\oplus h_1(t')\) and \(y\oplus h_2(t)=v_2\);
(C9) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\), \((u_1,v_1),(u'_1,v'_1)\in \mathcal {Q}_{P_1}\) such that \(x\oplus h_1(t)=u_1\), \(x'\oplus h_1(t')=u'_1\) and \(v_1\oplus h_1(t)\oplus h_2(t) = v'_1\oplus h_1(t')\oplus h_2(t')\);
(C10) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\), \((u_2,v_2),(u'_2,v'_2)\in \mathcal {Q}_{P_2}\) such that \(y\oplus h_2(t)=v_2\), \(y'\oplus h_2(t')=v'_2\) and \(u_2\oplus h_1(t)\oplus h_2(t) = u'_2\oplus h_1(t')\oplus h_2(t')\);
(C11) \(\alpha _1 \ge \sqrt{q_c}\);
(C12) \(\alpha _2 \ge \sqrt{q_c}\);
(C13) \(\beta _1 \ge \sqrt{q_c}\);
(C14) \(\beta _2 \ge \sqrt{q_c}\).
Otherwise we say that \(\tau \) is good. We denote \(\varTheta _\mathrm{good}\), resp. \(\varTheta _\mathrm{bad}\) the set of good, resp. bad transcripts. \(\Diamond \)
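To make the transcript bookkeeping of Sect. 3.1 and the "path collision" flavour of conditions (C1) to (C6) concrete, here is an added example (not the paper's code) that records a queries transcript in the directionless, unordered form described above and then checks those six conditions once the hash functions \(h_1,h_2\) are fixed. It assumes, as the conditions suggest but the extracted page does not spell out, that \(U_i\) is the set of inputs u and \(V_i\) the set of outputs v occurring in \(\mathcal {Q}_{P_i}\), and that \(h_i\) stands for \(H_{k_i}\) with the revealed key \(k_i\); the transcripts it is run on are constructed by hand with n = 8.

```python
"""Queries transcript for two-round TEM and a checker for the bad-transcript
conditions (C1)-(C6) of Definition 2. Added illustration, not the paper's code.
Assumptions: U_i / V_i are the input / output sets of Q_{P_i}; h_i = H_{k_i}
is supplied as a callable tweak -> n-bit value."""


class Transcript:
    """Directionless, unordered record of the interaction, as in Sect. 3.1."""

    def __init__(self):
        self.q_c = set()            # triples (t, x, y): construction queries
        self.q_p = [set(), set()]   # pairs (u, v) for P_1 and P_2

    def construction(self, t, x, y):
        """Record a forward query (t, x) -> y or a backward query (t, y) -> x."""
        self.q_c.add((t, x, y))

    def permutation(self, i, u, v):
        """Record P_i(u) = v, whichever direction it was asked in (i in {1, 2})."""
        self.q_p[i - 1].add((u, v))


def bad_events(tr: Transcript, h1, h2):
    """Sorted list of the conditions among (C1)-(C6) satisfied by the transcript
    for hash functions h1, h2; an empty list means the transcript is good with
    respect to these six conditions."""
    u1 = {u for u, _ in tr.q_p[0]}
    v1 = {v for _, v in tr.q_p[0]}
    u2 = {u for u, _ in tr.q_p[1]}
    v2 = {v for _, v in tr.q_p[1]}
    hit = set()
    for q in tr.q_c:
        t, x, y = q
        a, b = x ^ h1(t), y ^ h2(t)          # input of P_1 and output of P_2 on this path
        d = h1(t) ^ h2(t)                    # mask applied between the two rounds
        # (C1): both ends of the path were already fixed by inner permutation queries
        if a in u1 and b in v2:
            hit.add("C1")
        # (C2): the known P_1 output pins the P_2 input to an already-queried point
        if any(a == uu and vv ^ d in u2 for uu, vv in tr.q_p[0]):
            hit.add("C2")
        # (C3): symmetric, starting from the P_2 side
        if any(b == vv and uu ^ d in v1 for uu, vv in tr.q_p[1]):
            hit.add("C3")
        for q2 in tr.q_c:
            if q2 == q:
                continue
            t2, x2, y2 = q2
            same_in = a == x2 ^ h1(t2)
            same_out = b == y2 ^ h2(t2)
            same_mask = d == h1(t2) ^ h2(t2)
            # (C5)/(C6): two paths merge at the P_1 input / P_2 output and stay merged
            if same_in and same_mask:
                hit.add("C5")
            if same_out and same_mask:
                hit.add("C6")
            # (C4): q shares its P_1 input with q2 and its P_2 output with some q3 != q
            if same_in and any(b == y3 ^ h2(t3) for (t3, _, y3) in tr.q_c if (t3, _, y3) != q):
                hit.add("C4")
    return sorted(hit)


def example_transcripts():
    """Two constructed transcripts (n = 8): the first triggers (C1), the second (C5)."""
    h1 = lambda t: {1: 0x10, 2: 0x20}[t]   # constructed values of H_{k_1}
    h2 = lambda t: {1: 0x01, 2: 0x31}[t]   # constructed values of H_{k_2}
    tr_a = Transcript()
    tr_a.construction(1, 0x33, 0x55)        # P_1 input 0x33^0x10 = 0x23, P_2 output 0x55^0x01 = 0x54
    tr_a.permutation(1, 0x23, 0x77)         # adversary already asked P_1 at 0x23
    tr_a.permutation(2, 0x99, 0x54)         # and P_2^{-1} at 0x54
    tr_b = Transcript()
    tr_b.construction(1, 0x33, 0x55)
    tr_b.construction(2, 0x03, 0xAA)        # 0x03^0x20 = 0x23 and h1^h2 = 0x11 for both tweaks
    return bad_events(tr_a, h1, h2), bad_events(tr_b, h1, h2)


if __name__ == "__main__":
    print(example_transcripts())   # (['C1'], ['C5'])
```

The second transcript is the situation footnote 7 points at: two construction queries under distinct tweaks whose paths collide at the input of an inner permutation, something that cannot happen in the traditional (single-tweak) Even-Mansour setting.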
We start by upper bounding the probability to get a bad transcript in the ideal world.
Lemma 2
Proof
Let \((\mathcal {Q}_C,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2})\) be any attainable queries transcript. Recall that in the ideal world, \((h_1,h_2)\) is drawn independently from the queries transcript. We upper bound the probabilities of the fourteen conditions in turn. We denote \(\varTheta _i\) the set of attainable transcripts fulfilling condition (Ci).
Analysis of Good Transcripts. Next, we have to study good transcripts.
Lemma 3
Proof
Deferred to the full version of the paper [8] for reasons of space. \(\square \)
4 Asymptotic Bounds via the Coupling Technique
When the number of rounds r of the TEM construction grows, one has the following result.
Theorem 3
For odd r, we have \(\mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,r,\mathcal {H}]}\le \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,r-1,\mathcal {H}]}\), so that we can use the above bound with \(r-1\). Using an \(\varepsilon \text {-AXU}\) function family with \(\varepsilon \simeq 2^{-n}\), we see that the iterated tweakable Even-Mansour cipher with an even number r of rounds achieves CCA-security up to roughly \(2^{\frac{rn}{r+2}}\) adversarial queries.
The proof relies on the coupling technique. Since it combines in a rather straightforward way the approach of [21, 23], the proof is entirely deferred to the full version of the paper [8].
Footnotes
1.
2. When we talk about adversarial queries without being more specific in such a context where the attacker, in addition to the construction oracle, also has oracle access to the inner permutation(s), we mean indifferently construction and inner permutation queries.
3.
4. For \(r>2\), since the analysis of the CLRW construction in [23] is not tight, this is even worse.
5.
6. In fact, this is not as straightforward as it might seem, since our results assume that the hash function family \(\mathcal {H}\) is uniform in addition to being AXU, whereas the security result of [24] only requires \(\mathcal {H}\) to be AXU. Inspection of our proof indicates however that the uniformity assumption on \(\mathcal {H}\) can be safely lifted when the adversary is not allowed to query the inner permutations.
7. For readers familiar with [7], which tightly analyzed the security of the traditional iterated EM cipher for any number of rounds, the main obstacle is that in the tweakable EM setting, the paths for two construction queries with distinct tweaks can collide at the input of inner permutations, whereas this can never happen in the traditional EM setting. While this is exactly the difficulty that we are able to handle for \(r=2\) in Lemma 3, getting a combinatorial lemma similar to [7, Lemma 1] that would allow one to analyze good transcripts for any number of rounds in the tweakable setting seems more challenging.
8. Indeed, forbidding the adversary to query the inner permutation oracles at some point of the attack takes us away from the spirit of the Random Permutation model, which is thought of as a heuristically sound way of modeling some complex (but otherwise public and fully described) permutation that the adversary can always evaluate at will.
9. Recall that for an attainable transcript, one has \(\Pr [T_\mathrm{id}=\tau ]>0\).
References
1. Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013). http://eprint.iacr.org/2013/061
2. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
3. Andreeva, E., Bogdanov, A., Mennink, B.: Towards understanding the known-key security of block ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 348–366. Springer, Heidelberg (2014)
4. Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)
5. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)
6. Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014). http://eprint.iacr.org/2014/443
7. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). http://eprint.iacr.org/2013/222
8. Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. Full version of this paper. http://eprint.iacr.org/2015/539
9. Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). http://eprint.iacr.org/2015/069
10. Crowley, P.: Mercy: a fast large block cipher for disk sector encryption. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 49–63. Springer, Heidelberg (2001)
11. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)
12. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012)
13. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
14. Farshim, P., Procter, G.: The related-key security of iterated Even-Mansour ciphers. In: Fast Software Encryption - FSE 2015 (2015, to appear). Full version available at http://eprint.iacr.org/2014/953
15. Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. SHA-3 Submission to NIST (Round 3) (2010)
16. Goldenberg, D., Hohenberger, S., Liskov, M., Schwartz, E.C., Seyalioglu, H.: On tweaking Luby-Rackoff blockciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 342–356. Springer, Heidelberg (2007)
17. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)
18. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)
19. Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010)
20. Jean, J., Nikolic, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
21. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
22. Lampe, R., Seurin, Y.: How to construct an ideal cipher from a small set of public permutations. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 444–463. Springer, Heidelberg (2013). http://eprint.iacr.org/2013/255
23. Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–152. Springer, Heidelberg (2014)
24. Landecker, W., Shrimpton, T., Terashima, R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012). http://eprint.iacr.org/2012/450
25. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
26. Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009)
27. Mitsuda, A., Iwata, T.: Tweakable pseudorandom permutation from generalized Feistel structure. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 22–37. Springer, Heidelberg (2008)
28. Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009)
29. Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993)
30. Patarin, J.: The "Coefficients H" technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
31. Procter, G.: A note on the CLRW2 tweakable block cipher construction. IACR Cryptology ePrint Archive, report 2014/111 (2014). http://eprint.iacr.org/2014/111
32. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
33. Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003)
34. Rogaway, P., Zhang, H.: Online ciphers from tweakable blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011)
35. Sasaki, Y., Todo, Y., Aoki, K., Naito, Y., Sugawara, T., Murakami, Y., Matsui, M., Hirose, S.: Minalpher v1. Submission to the CAESAR competition (2014)
36. Schroeppel, R.: The Hasty Pudding cipher. AES submission to NIST (1998)
37. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
38. Steinberger, J.: Improved security bounds for key-alternating ciphers via Hellinger distance. IACR Cryptology ePrint Archive, report 2012/481 (2012). http://eprint.iacr.org/2012/481