# Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing

## Abstract

The iterated Even-Mansour construction defines a block cipher from a tuple of public *n*-bit permutations \((P_1,\ldots ,P_r)\) by alternatively xoring some *n*-bit round key \(k_i\), \(i=0,\ldots ,r\), and applying permutation \(P_i\) to the state. The *tweakable* Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the *n*-bit round keys by *n*-bit strings derived from a master key *and a tweak*, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a nonlinear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a 2*n*-bit master key and an *n*-bit tweak which is provably secure in the Random Permutation Model up to roughly \(2^{2n/3}\) adversarial queries.

## Keywords

- Tweakable block cipher
- Iterated Even-Mansour cipher
- Key-alternating cipher
- Beyond-birthday-bound security

## 1 Introduction

**Background.** A block cipher with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) is a family of permutations of \(\mathcal {M}\) indexed by the key \(\mathbf {k}\in \mathcal {K}\). A *tweakable* block cipher (TBC) takes an additional (potentially public) input parameter \(\mathbf {t}\in \mathcal {T}\) called a *tweak* aiming at providing inherent variability in about the same way an IV or nonce brings variability to an encryption scheme. Some block ciphers such as the Hasty Pudding Cipher [35], Mercy [10], or Threefish (the block cipher underlying the Skein hash function [15]) were designed so as to natively support tweaks. The syntax and security requirements for tweakable block ciphers were formally articulated in a seminal paper by Liskov, Rivest and Wagner [24]. Since then, TBCs have found multiple applications such as (tweakable) length-preserving encryption modes [18, 19], online ciphers [1, 33], and authenticated encryption modes [24, 31, 32].

Liskov *et al.* [24] also proposed two generic constructions of a TBC from a standard block cipher, achieving security up to the so-called birthday bound, i.e., when the adversary is allowed at most roughly \(2^{n/2}\) queries to the encryption or decryption oracle, where *n* is the block size (that is, the message space of the TBC is \(\mathcal {M}=\{0,1\}^n\)). The “black-box” design strategy (i.e., building a TBC on top of an existing standard block cipher, in a black-box way) has since then been the main avenue of research. Earlier proposals, such as XEX [31] and variants [4, 26] were related to the second of the two original proposals of Liskov *et al.*, and were limited to birthday-bound security as well. Recently, a number of constructions achieving beyond-birthday-bound security have emerged, such as Minematsu’s construction [27], the CLRW construction [22, 23, 30], and two constructions by Mennink [25]. All those constructions enjoy a security proof in the standard model (i.e., assuming that the underlying block cipher is a pseudorandom permutation), except for Mennink’s constructions that were analyzed in the ideal cipher model.

**Tweaking Even-Mansour Ciphers.** Unfortunately, none of the currently known black-box TBC constructions with beyond-birthday-bound security can be deemed truly practical (even though some of them might come close to it [25]). Hence, it might be beneficial to “open the hood” and to study how to build a TBC from some lower level primitive than a full-fledged conventional block cipher, e.g., a pseudorandom function or a public permutation. For example, Goldenberg *et al.* [16] investigated how to include a tweak in Feistel ciphers. This was extended to generalized Feistel ciphers by Mitsuda and Iwata [28]. Recently, a similar study was undertaken for the second large class of block ciphers besides Feistel ciphers, namely key-alternating ciphers [11], a super-class of Substitution-Permutation Networks (SPNs). An *r*-round key-alternating cipher based on a tuple of public *n*-bit permutations \((P_1,\ldots ,P_r)\) maps a plaintext \(x\in \{0,1\}^n\) to the ciphertext defined as

*n*-bit round keys \(k_0,\ldots ,k_r\) are either independent or derived from a master key \(\mathbf {k}\). When the \(P_i\)’s are modeled as public permutation oracles, construction (1) is also referred to as the (iterated) Even-Mansour construction, in reference to Even and Mansour who pioneered the analysis of this construction in the Random Permutation Model [13]. While Even and Mansour limited themselves to proving birthday-bound security in the case \(r=1\), larger numbers of rounds were studied in subsequent works [3, 21, 36]. The general case has been recently (tightly) settled by Chen and Steinberger [6], who proved that the *r*-round iterated Even-Mansour cipher with *r*-wise independent round keys ensures security up to roughly \(2^{\frac{rn}{r+1}}\) adversarial queries.

In order to incorporate a tweak \(\mathbf {t}\) in the iterated Even-Mansour construction, it is tantalizing to generalize (1) by replacing round keys \(k_i\) by some function \(f_i(\mathbf {k},\mathbf {t})\) of the master key \(\mathbf {k}\) *and* the tweak \(\mathbf {t}\) (see Fig. 1). We will refer to such a construction as a *Tweakable Even-Mansour* (TEM) construction.^{1} This is exactly the spirit of the \(\mathsf {TWEAKEY}\) framework introduced by Jean *et al.* [20]. In fact, these authors go one step further and propose to unify the key and tweak inputs into what they dub the *tweakey*. The main topic of this paper being provable security (in the traditional model where the key is secret and the tweak is chosen by the adversary), we will not make such a bold move here, since we are not aware of any formal security model adequately capturing what Jean *et al.* had in mind.

The investigation of the theoretical soundness of this design strategy was initiated in three recent papers. First, Cogliati and Seurin [8], and independently Farshim and Procter [14], analyzed the simple case of an *n*-bit key *k* and an *n*-bit tweak *t* simply xored together at each round, i.e., \(f_i(k,t)=k\oplus t\) for each \(i=0,\ldots ,r\).^{2} They gave attacks up to two rounds, and proved birthday-bound security for three rounds. In fact, the security of this construction caps at \(2^{n/2}\) queries independently of the number of rounds. Indeed, it can be written \(\widetilde{E}(k,t,x)=E(k\oplus t,x)\), where *E* is the conventional iterated Even-Mansour cipher with the trivial key-schedule (i.e., the same round key is xored between each round), and by a result of Bellare and Kohno [2, Corollary 5.7], a tweakable block cipher of this form can never offer more than \(\kappa /2\) bits of security, where \(\kappa \) is the key-length of *E* (i.e., \(\kappa =n\) in the case at hand). Hence, if we want beyond-birthday-bound security, we have no choice but to consider more complex functions \(f_i\) (at the bare minimum, these functions, even if linear, should prevent the TBC construction from being of the form \(E(k\oplus t,x)\) for some block cipher *E* with *n*-bit keys).

This was undertaken by Cogliati, Lampe, and Seurin [7], who considered nonlinear ways of mixing the key and the tweak. More specifically, they studied the case where \(f_i(\mathbf {k},t)=H_{k_i}(t)\), where the family of functions \((H_k)\) is uniform and almost XOR-universal, and the master key is \(\mathbf {k}=(k_0,\ldots ,k_r)\). A classical example is multiplication-based hashing, i.e., \(f_i(\mathbf {k},t)=k_i \otimes t\), where \(\otimes \) denotes the multiplication in the finite field \(\mathbb {F}_{2^n}\), the tweak \(t=0\) being forbidden. Cogliati *et al.* showed that one round is secure up to the birthday bound, and that two rounds are secure up to roughly \(2^{2n/3}\) adversarial queries.^{3} They also provided a (non-tight) asymptotic security bound improving as the number of rounds grows. However, implementing a xor-universal hash function might be costly, and linear functions \(f_i\)’s would be highly preferable for obvious efficiency reasons.

**Our Results.** In this paper, we ask whether it is possible to come up with a tweakable Even-Mansour construction achieving both:

1. a linear mixing of the tweak and the key to the state;
2. beyond-birthday-bound security.

*n*-bit keys and *n*-bit tweaks. The starting point is the 4-round iterated Even-Mansour construction with a 2*n*-bit master key \((k_0,k_1)\), \(k_0\) and \(k_1\) being both *n* bits, and what we call the “alternating” key schedule, namely round keys are \(k_0\), \(k_1\), \(k_0\), etc. This is for example how LED-128 is designed [17]. To turn this block cipher into a tweakable Even-Mansour construction, we simply add the *n*-bit tweak *t* between each permutation (see Fig. 2). In other words, if we denote \(E((k_0,k_1),x)\) the conventional Even-Mansour cipher with alternating round keys, the tweakable construction that we consider can be written

*et al.* [7] to analyze so-called good transcripts.
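To make the construction of Fig. 2 concrete, here is an added Python model (not code from the paper) of the 4-round tweakable Even-Mansour cipher with the alternating key schedule over a toy block size \(n=8\). Seeded shuffles stand in for the public permutations \(P_1,\ldots ,P_4\), and the last function checks the rewriting of the tweakable cipher as the conventional alternating-key cipher \(E\) keyed with \((k_0\oplus t,k_1\oplus t)\), which follows directly from every round key having the form \(k_i\oplus t\).

```python
import random
from typing import List, Tuple

N_BITS = 8                # toy block size n (the paper's n is generic)
N = 1 << N_BITS


def random_permutation(seed: int) -> Tuple[List[int], List[int]]:
    """A public permutation of {0,1}^n and its inverse, as lookup tables.
    A seeded shuffle stands in for the random permutation oracle P_i."""
    rng = random.Random(seed)
    table = list(range(N))
    rng.shuffle(table)
    inverse = [0] * N
    for u, v in enumerate(table):
        inverse[v] = u
    return table, inverse


# P_1, ..., P_4 (constructed; the seeds are arbitrary)
PERMS = [random_permutation(seed) for seed in (1, 2, 3, 4)]


def alternating_round_keys(k0: int, k1: int, t: int) -> List[int]:
    """f_0, ..., f_4 of the paper's construction: the alternating key schedule
    k0, k1, k0, k1, k0 with the n-bit tweak t xored into every round key.
    Setting k0 == k1 recovers the single-key construction of [8, 14]."""
    return [k0 ^ t, k1 ^ t, k0 ^ t, k1 ^ t, k0 ^ t]


def tem_encrypt(k0: int, k1: int, t: int, x: int) -> int:
    """TEM[n,4,f] forward: x -> P_4(...P_1(x ^ f_0) ^ f_1 ...) ^ f_4."""
    rk = alternating_round_keys(k0, k1, t)
    state = x ^ rk[0]
    for i, (forward, _) in enumerate(PERMS):
        state = forward[state] ^ rk[i + 1]
    return state


def tem_decrypt(k0: int, k1: int, t: int, y: int) -> int:
    """Inverse direction (available to a CCA adversary): undo rounds 4..1."""
    rk = alternating_round_keys(k0, k1, t)
    state = y ^ rk[4]
    for i in range(3, -1, -1):
        _, inverse = PERMS[i]
        state = inverse[state] ^ rk[i]
    return state


def em_encrypt(k0: int, k1: int, x: int) -> int:
    """Conventional 4-round Even-Mansour cipher E((k0,k1), x) with the
    alternating key schedule and no tweak (tweak 0 contributes nothing)."""
    return tem_encrypt(k0, k1, 0, x)


def is_tweakable_permutation(k0: int, k1: int, t: int) -> bool:
    """For a fixed key and tweak, x -> TEM(k, t, x) must be a bijection of {0,1}^n."""
    return sorted(tem_encrypt(k0, k1, t, x) for x in range(N)) == list(range(N))


def tweak_folds_into_key(k0: int, k1: int, t: int, x: int) -> bool:
    """Because every round key is k_i ^ t, TEM((k0,k1), t, x) equals
    E((k0 ^ t, k1 ^ t), x).  This is what lets the paper rephrase its result
    as related-key security of E for the functions that xor one n-bit string
    into both halves of the master key."""
    return tem_encrypt(k0, k1, t, x) == em_encrypt(k0 ^ t, k1 ^ t, x)


if __name__ == "__main__":
    k0, k1 = 0x3C, 0xA5
    assert all(tem_decrypt(k0, k1, t, tem_encrypt(k0, k1, t, x)) == x
               for t in range(N) for x in range(0, N, 7))
    assert is_tweakable_permutation(k0, k1, 0x10)
    assert all(tweak_folds_into_key(k0, k1, t, x) for t in range(N) for x in range(N))
    print("round trips, bijectivity and the tweak/key rewriting all check out")
```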

**Application to Related-Key Security.** Our result can be rephrased in terms of related-key security [2] of the conventional Even-Mansour cipher: the 4-round conventional Even-Mansour cipher with the alternating key-schedule is secure up to roughly \(2^{2n/3}\) adversarial queries against related-key attacks for the set of related-key deriving functions.

*n*-bit string to the master key \((k_0,k_1)\). It remains an open problem (already stated in [8]) to find an Even-Mansour construction provably secure beyond the birthday bound against \(\varPhi ^{\oplus }\)-related-key attacks.

**Open Problems.** We propose three challenging open problems, the first two being restricted to the case of *n*-bit tweaks. First, what would be the analogue of the Chen-Steinberger result [6] in the tweakable setting? In more detail, we know how to deliver \(n/2\) bits of security with an *n*-bit master key [8, 14] and this paper shows how to reach \(2n/3\) bits of security with a 2*n*-bit master key. Hence, it is natural to ask whether one can obtain \(rn/(r+1)\) bits of security from an *rn*-bit master key for \(r>2\), and what would be the adequate number of rounds and the corresponding (linear) “tweak-and-key” schedule. Second, Chen *et al.* [5] showed that the 2-round conventional Even-Mansour construction can provably deliver \(2n/3\) bits of security even with an *n*-bit master key (for example, when the two inner permutations are independent, the trivial key-schedule is sufficient). Again, what would be the analogue of this result in the tweakable setting? Can we design a TEM construction with an *n*-bit master key and an *n*-bit tweak delivering \(2n/3\) bits of security, or even more? Finally, it is natural to ask whether one can extend the construction of this paper to handle larger tweaks, in particular 2*n*-bit tweaks. We show in the full version of this paper [9] that the naive way of proceeding, namely adding alternatively \(t_0\) and \(t_1\), is insecure for four rounds. Hence, this seems to require at least five rounds.

We also remark that attacks against the (conventional) iterated Even-Mansour cipher with the alternating key-schedule have been investigated by Dinur *et al.* [12]. It would be interesting to study whether these attacks can be adapted (and potentially improved) in the tweakable setting.

**Organization.** In Sect. 2, we introduce the notation, the security definitions, and give some background on the H-coefficients technique. Our main result is proved in Sect. 3.

## 2 Preliminaries

### 2.1 Notation and General Definitions

**General Notation.** In all the following, we fix an integer \(n\ge 1\) and denote \(N=2^n\). For integers \(1\le b\le a\), we will write \((a)_b=a(a-1)\cdots (a-b+1)\) and \((a)_0=1\) by convention. The set of all permutations of \(\{0,1\}^n\) will be denoted \(\mathsf {P}(n)\).

**Tweakable Block Ciphers.** A *tweakable block cipher* with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\mathcal {M}\) is a mapping \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any key \(k\in \mathcal {K}\) and any tweak \(t\in \mathcal {T}\), \(x\mapsto \widetilde{E}(k,t,x)\) is a permutation of \(\mathcal {M}\). We denote \(\mathsf {TBC}(\mathcal {K},\mathcal {T},n)\) the set of all tweakable block ciphers with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\{0,1\}^n\). A *tweakable permutation* with tweak space \(\mathcal {T}\) and message space \(\mathcal {M}\) is a mapping \(\widetilde{P}: \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any tweak \(t\in \mathcal {T}\), \(x\mapsto \widetilde{P}(t,x)\) is a permutation of \(\mathcal {M}\). We denote \(\mathsf {TP}(\mathcal {T},n)\) the set of all tweakable permutations with tweak space \(\mathcal {T}\) and message space \(\{0,1\}^n\).

**Tweakable Even-Mansour Constructions.** Fix integers \(n,r\ge 1\). Let \(\mathcal {K}\) and \(\mathcal {T}\) be two sets, and let \(\mathbf {f}=(f_0,\ldots ,f_r)\) be a \((r+1)\)-tuple of functions from \(\mathcal {K}\times \mathcal {T}\) to \(\{0,1\}^n\). The *r*-round tweakable Even-Mansour construction \(\mathsf {TEM}[n,r,\mathbf {f}]\) specifies, from an *r*-tuple \(\mathbf {P}=(P_1,\ldots ,P_r)\) of permutations of \(\{0,1\}^n\), a tweakable block cipher with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\{0,1\}^n\), simply denoted \(\mathsf {TEM}^{\mathbf {P}}\) in the following (parameters \([n,r,\mathbf {f}]\) will always be clear from the context) which maps a key \(\mathbf {k}\in \mathcal {K}\), a tweak \(\mathbf {t}\in \mathcal {T}\), and a plaintext \(x\in \{0,1\}^n\) to the ciphertext defined as (see Fig. 1):

*n*-bit strings, or simply \(\mathbf {k}=k\), resp. \(\mathbf {t}=t\) when \(a=1\), resp. \(b=1\). When all \(f_i\)’s are linear over \((\{0,1\}^n)^{a+b}\), we say that the construction has *linear tweak and key mixing*.

**Previously Studied Constructions.** Two types of TEM constructions have already been studied. In [8], Cogliati and Seurin considered the simplest case where \(a=b=1\) (*n*-bit keys and *n*-bit tweaks) and \(f_i(k,t)=k\oplus t\) for each \(i=0,\ldots ,r\). This construction has linear tweak and key mixing, and is secure up to \(2^{n/2}\) adversarial queries starting from \(r=3\). (The results of [8] were formulated in terms of xor-induced related-key attacks against the conventional iterated Even-Mansour construction, but in this simple case the two security notions are in fact equivalent.) In [7], Cogliati, Lampe, and Seurin studied a large class of nonlinear mixing functions, in particular, for *n*-bit tweaks, finite field multiplication-based ones, i.e., \(f(k,t)=k\otimes t\), or more generally, for *bn*-bit tweaks, polynomial hashing-based functions, i.e., \(f(k,(t_0,\ldots ,t_{b-1}))=\sum _{i=0}^{b-1} k^{i+1}\otimes t_i\).

### 2.2 Security Definitions

Fix some family of functions \(\mathbf {f}=(f_0,\ldots ,f_r)\) from \(\mathcal {K}\times \mathcal {T}\) to \(\{0,1\}^n\). To study the security of the construction \(\mathsf {TEM}[n,r,\mathbf {f}]\) in the Random Permutation Model, we consider a distinguisher \(\mathcal {D}\) which interacts with \(r+1\) oracles that we denote generically \((\widetilde{P}_0,P_1,\ldots ,P_r)\), where syntactically \(\widetilde{P}_0\) is a tweakable permutation with tweak space \(\mathcal {T}\) and message space \(\{0,1\}^n\), and \(P_1,\ldots ,P_r\) are permutations of \(\{0,1\}^n\). The goal of \(\mathcal {D}\) is to distinguish two “worlds”: the so-called *real world*, where \(\mathcal {D}\) interacts with \((\mathsf {TEM}^{\mathbf {P}}_{\mathbf {k}},\mathbf {P})\), where \(\mathbf {P}=(P_1,\ldots ,P_r)\) is a tuple of public random permutations and the key \(\mathbf {k}\) is drawn uniformly at random from \(\mathcal {K}\), and the so-called *ideal world* \((\widetilde{P}_0,\mathbf {P})\), where \(\widetilde{P}_0\) is a uniformly random tweakable permutation and \(\mathbf {P}\) is a tuple of random permutations of \(\{0,1\}^n\) independent from \(\widetilde{P}_0\). We will refer to \(\widetilde{P}_0\) as the *construction oracle* and to \(P_1,\ldots ,P_r\) as the *inner permutation oracles*.

*wlog* that they are deterministic. We also assume that they never make pointless queries (i.e., queries whose answers can be unambiguously deduced from previous answers). The distinguisher is allowed to query all oracles adaptively in both directions; this corresponds to adaptive chosen-plaintext and ciphertext attacks (CCA).

### 2.3 The H-Coefficients Technique

As in many previous works [5, 6, 7, 8], our security proof will use the H-coefficients technique [29], which we explain here.

**Transcript.** Recall that the distinguisher \(\mathcal {D}\) interacts with a tuple of \(r+1\) oracles denoted \((\widetilde{P}_0,P_1,\ldots ,P_r)\). In the real world, the construction oracle \(\widetilde{P}_0\) is \(\mathsf {TEM}^\mathbf {P}_\mathbf {k}\) where \(\mathbf {P}=(P_1,\ldots ,P_r)\) and \(\mathbf {k}\) is random, whereas in the ideal world it is a random tweakable permutation independent from \((P_1,\ldots ,P_r)\). From the interaction of \(\mathcal {D}\) with these oracles, we define the *queries transcript* (\(\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) of the attack as follows. The list \(\mathcal {Q}_C\) records the queries to the construction oracle: if \(\mathcal {D}\) made either a direct query \((\mathbf {t},x)\) to the construction oracle \(\widetilde{P}_0\) which was answered by *y*, or an inverse query \((\mathbf {t},y)\) which was answered by *x*, then the triple \((\mathbf {t},x,y)\in \mathcal {T}\times \{0,1\}^n \times \{0,1\}^n\) is added to \(\mathcal {Q}_C\). Similarly, for \(1\le i \le r\), \(\mathcal {Q}_{P_i}\) contains all pairs \((u,v)\in \{0,1\}^n\times \{0,1\}^n\) such that \(\mathcal {D}\) made either a direct query *u* to permutation \(P_i\) which was answered by *v*, or an inverse query *v* which was answered by *u*. Note that queries are recorded in a directionless and unordered way, but by our assumption that the distinguisher is deterministic, the raw interaction of \(\mathcal {D}\) with its oracles can unambiguously be reconstructed from the queries transcript (see e.g. [6] for more details). Note also that by our assumption that \(\mathcal {D}\) never makes pointless queries, each query to the construction oracle results in a distinct triple in \(\mathcal {Q}_C\), and each query to \(P_i\) results in a distinct pair in \(\mathcal {Q}_{P_i}\). 
Moreover, since we assume that the distinguisher always makes the maximal number of allowed queries to each oracle, one has \(|\mathcal {Q}_C|=q_c\) and \(|\mathcal {Q}_{P_i}|=q_p\) for \(1\le i \le r\). In all the following, we also denote *m* the number of distinct tweaks appearing in \(\mathcal {Q}_C\), and \(q_i\) the number of queries for the *i*-th tweak, \(1\le i\le m\), ordering the tweaks arbitrarily. Note that one always has \(\sum _{i=1}^m q_i=q_c\), even though *m* may depend on the answers received from the oracles.

A queries transcript is said *attainable* (with respect to some fixed distinguisher \(\mathcal {D}\)) if there exist oracles \((\widetilde{P}_0,\mathbf {P})\) such that the interaction of \(\mathcal {D}\) with \((\widetilde{P}_0,\mathbf {P})\) results in this transcript (in other words, the probability of obtaining this transcript in the ideal world is non-zero). Moreover, in order to have a simple definition of bad transcripts, the actual key \(\mathbf {k}\) is revealed to the adversary at the end of the experiment if we are in the real world, while in the ideal world, a “dummy” key \(\mathbf {k}\leftarrow _{\$}\mathcal {K}\) is simply drawn uniformly at random independently from the answers of the oracle \(\widetilde{P}_0\) (this is obviously without loss of generality since this can only help the distinguisher and increase its advantage). All in all, a transcript \(\tau \) is a tuple \(\tau =(\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r},\mathbf {k})\), and we say that a transcript is attainable if the corresponding queries transcript \((\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) is attainable. We denote \(\varTheta \) the set of attainable transcripts. In all the following, we denote \(T_\mathrm{re}\), resp. \(T_\mathrm{id}\), the probability distribution of the transcript \(\tau \) induced by the real world, resp. the ideal world (note that these two probability distributions depend on the distinguisher). By extension, we use the same notation to denote a random variable distributed according to each distribution. The main lemma of the H-coefficients technique is the following one (see e.g. [5, 6] for the proof).

### **Lemma 1**


**Useful Observations.** We end this section with some useful preliminary observations. First, we introduce some additional notation. Given a permutation queries transcript \(\mathcal {Q}\) and a permutation *P*, we say that *P* *extends* \(\mathcal {Q}\), denoted \(P\vdash \mathcal {Q}\), if \(P(u)=v\) for all \((u,v)\in \mathcal {Q}\). By extension, given a tuple of permutation queries transcripts \(\mathcal {Q}_{\mathbf {P}}=(\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) and a tuple of permutations \(\mathbf {P}=(P_1,\ldots ,P_r)\), we say that \(\mathbf {P}\) extends \(\mathcal {Q}_{\mathbf {P}}\), denoted \(\mathbf {P}\vdash \mathcal {Q}_{\mathbf {P}}\), if \(P_i\vdash \mathcal {Q}_{P_i}\) for each \(i=1,\ldots ,r\). Note that for a permutation transcript of size \(q_p\), one has

*extends* \(\widetilde{\mathcal {Q}}\), denoted \(\widetilde{P}\vdash \widetilde{\mathcal {Q}}\), if \(\widetilde{P}(t,x)=y\) for all \((t,x,y)\in \widetilde{\mathcal {Q}}\). For a tweakable permutation transcript \(\widetilde{\mathcal {Q}}\) with *m* distinct tweaks and \(q_i\) queries corresponding to the *i*-th tweak, one has

*iff* \(\widetilde{P}_0\vdash \mathcal {Q}_C\) and \(P_i\vdash \mathcal {Q}_{P_i}\) for \(1\le i\le r\). In the ideal world, the key \(\mathbf {k}\), the permutations \(P_1,\ldots ,P_r\), and the tweakable permutation \(\widetilde{P}_0\) are all uniformly random and independent, so that, by (2) and (3), the probability of getting any attainable transcript \(\tau =(\mathcal {Q}_C,\mathcal {Q}_{\mathbf {P}},\mathbf {k})\) in the ideal world is

### 2.4 An Extended Sum-Capture Lemma

To upper bound the probability of getting a bad transcript in the ideal world, we will need a generalization of the sum-capture theorem from [5] (that applied to a random permutation) to the case of a *family* of random permutations (in other words, a random tweakable permutation).

We denote \(\mathsf {GL}(n)\) the general linear group of degree *n* over \(\mathbb {F}_2\), i.e., the set of all automorphisms (linear bijective mappings) of \(\mathbb {F}_2^n\).

### **Lemma 2**

*q* (two-sided) adaptive queries to \(\widetilde{P}\). Let \(\widetilde{\mathcal {Q}}=((t_1,x_1,y_1),\ldots ,(t_q,x_q,y_q))\) denote the transcript of the interaction of \(\mathcal {A}\) with \(\widetilde{P}\). For any two subsets *U* and *V* of \(\{0,1\}^n\), let

The proof of this lemma is a simple generalization of the one from [5] and can be found in the full version of this paper [9].

## 3 Beyond-Birthday-Bound Security

### 3.1 Statement of the Result and Discussion

In this section, we consider the 4-round tweakable Even-Mansour construction \(\mathsf {TEM}[n,4,\mathbf {f}]\) with 2*n*-bit keys and *n*-bit tweaks depicted on Fig. 2. The main result of this paper is the following one:

### **Theorem 1**

Hence, this construction ensures CCA-security as long as \(q_c\) and \(q_p\) are small compared to \(2^{2n/3}\), up to logarithmic terms in \(N=2^n\).

### 3.2 Definition and Probability of Bad Transcripts

### **Definition 1**

- (B-1) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_1,v_1)\in \mathcal {Q}_{P_1}\), and \((u_4,v_4)\in \mathcal {Q}_{P_4}\) such that \(k_0\oplus t =x\oplus u_1=v_4\oplus y\);
- (B-2) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_1,v_1)\in \mathcal {Q}_{P_1}\), and \((u_2,v_2)\in \mathcal {Q}_{P_2}\) such that \(k_0\oplus t =x\oplus u_1\) and \(k_1\oplus t=v_1\oplus u_2\);
- (B-3) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_3,v_3)\in \mathcal {Q}_{P_3}\), and \((u_4,v_4)\in \mathcal {Q}_{P_4}\) such that \(k_1\oplus t =v_3\oplus u_4\) and \(k_0\oplus t =v_4\oplus y\);
- (B-4) \(\alpha _1\ge \sqrt{q_c}/2\);
- (B-5) \(\alpha _4\ge \sqrt{q_c}/2\);
- (B-6) \(\alpha _{2,3}\ge q_p\sqrt{q_c}\);
- (B-7) \(\nu _2\ge \sqrt{q_p}\);
- (B-8) \(\nu _3\ge \sqrt{q_p}\).

Otherwise we say that \(\tau \) is good.^{5} We denote \(\varTheta _\mathrm{good}\), resp. \(\varTheta _\mathrm{bad}\) the set of good, resp. bad transcripts.
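As an added example (not from the paper), the following Python evaluates conditions (B-1) to (B-3) on a transcript together with a revealed key, and counts the keys \(k_0\) for which (B-1) holds, i.e. the set \(\mathsf {BadK}_1\) used in the proof of Lemma 3. The block size \(n=8\) and every transcript value are constructed; the quantities \(\alpha _i\) and \(\nu _i\) of (B-4) to (B-8) are not modelled.

```python
from typing import Iterable, List, Tuple

Triple = Tuple[int, int, int]   # (t, x, y): a construction-oracle query and its answer
Pair = Tuple[int, int]          # (u, v): an inner-permutation query and its answer


def bad_conditions(k0: int, k1: int, q_c: Iterable[Triple],
                   q_p1: Iterable[Pair], q_p2: Iterable[Pair],
                   q_p3: Iterable[Pair], q_p4: Iterable[Pair]) -> List[str]:
    """Return which of (B-1), (B-2), (B-3) the transcript
    (Q_C, Q_P1, ..., Q_P4, (k0, k1)) satisfies.

    With round keys k0^t, k1^t, k0^t, k1^t, k0^t, a construction query (t, x, y)
    enters P_1 at x^k0^t and leaves P_4 at y^k0^t.  The three conditions say
    that these outer values, or their continuation through k1^t, coincide with
    points the distinguisher explicitly queried to the inner permutations.
    """
    p1 = dict(q_p1)                          # u1 -> v1 for the queried P_1 points
    u2_set = {u for u, _ in q_p2}            # U_2: queried inputs of P_2
    v3_set = {v for _, v in q_p3}            # V_3: queried outputs of P_3
    p4_inv = {v: u for u, v in q_p4}         # v4 -> u4 for the queried P_4 points
    hit = set()
    for t, x, y in q_c:
        in1 = x ^ k0 ^ t                     # k0^t = x^u1  <=>  u1 == in1
        out4 = y ^ k0 ^ t                    # k0^t = v4^y  <=>  v4 == out4
        if in1 in p1 and out4 in p4_inv:
            hit.add("B-1")
        if in1 in p1 and (p1[in1] ^ k1 ^ t) in u2_set:          # k1^t = v1^u2
            hit.add("B-2")
        if out4 in p4_inv and (p4_inv[out4] ^ k1 ^ t) in v3_set:  # k1^t = v3^u4
            hit.add("B-3")
    return sorted(hit)


def badk1_count(q_c: Iterable[Triple], q_p1: Iterable[Pair],
                q_p4: Iterable[Pair], n_bits: int = 8) -> int:
    """|BadK_1|: the number of keys k0 for which (B-1) holds.  In the ideal
    world k0 is uniform and independent of the queries transcript, so
    Pr[(B-1)] = |BadK_1| / 2^n.  Exhaustive here because n is tiny."""
    u1_set = {u for u, _ in q_p1}
    v4_set = {v for _, v in q_p4}
    q_c = list(q_c)
    return sum(
        1 for k0 in range(1 << n_bits)
        if any((x ^ k0 ^ t) in u1_set and (y ^ k0 ^ t) in v4_set for t, x, y in q_c)
    )


# Constructed sample transcript (n = 8).  The real key is (0x3C, 0xA5); the
# distinguisher made one construction query with tweak 0x10 and one query to
# each inner permutation, chosen so that the P_1 and P_4 queries line up with
# the construction query under the real key.
SAMPLE_QC = [(0x10, 0x01, 0x9E)]
SAMPLE_QP1 = [(0x2D, 0x77)]   # 0x2D = 0x01 ^ 0x3C ^ 0x10
SAMPLE_QP2 = [(0xC2, 0x05)]   # 0xC2 = 0x77 ^ 0xA5 ^ 0x10
SAMPLE_QP3 = [(0x20, 0x30)]
SAMPLE_QP4 = [(0x44, 0xB2)]   # 0xB2 = 0x9E ^ 0x3C ^ 0x10


def demo() -> Tuple[List[str], List[str], int]:
    """Real key versus an ideal-world dummy key on the same queries."""
    real = bad_conditions(0x3C, 0xA5, SAMPLE_QC, SAMPLE_QP1,
                          SAMPLE_QP2, SAMPLE_QP3, SAMPLE_QP4)
    # In the ideal world a dummy key independent of the answers is drawn; with
    # (0x00, 0x00) nothing lines up and the same queries give a good transcript.
    dummy = bad_conditions(0x00, 0x00, SAMPLE_QC, SAMPLE_QP1,
                           SAMPLE_QP2, SAMPLE_QP3, SAMPLE_QP4)
    return real, dummy, badk1_count(SAMPLE_QC, SAMPLE_QP1, SAMPLE_QP4)


if __name__ == "__main__":
    print(demo())   # (['B-1', 'B-2'], [], 1)
```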

We start by upper bounding the probability of getting bad transcripts in the ideal world.

### **Lemma 3**

### *Proof*

We upper bound the probability of each condition in turn. We denote \(\varTheta _i\) the set of attainable transcripts satisfying condition (B-*i*). Recall that in the ideal world, the key \((k_0,k_1)\) is drawn independently from the queries transcript.

*Condition (B-1).* Let \(\mathsf {BadK}_1\) be the set of keys \(k_0\) such that there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_1,v_1)\in \mathcal {Q}_{P_1}\), and \((u_4,v_4)\in \mathcal {Q}_{P_4}\) such that \(k_0\oplus t =x\oplus u_1=y\oplus v_4\). Note that \(\mathsf {BadK}_1\) only depends on the queries transcript, hence for any constant *C* we have, since \(k_0\) is uniformly random,

*Conditions (B-2) and (B-3).* We consider (B-2). For each \((t,x,y)\in \mathcal {Q}_C\), \((u_1,v_1)\in \mathcal {Q}_{P_1}\), and \((u_2,v_2)\in \mathcal {Q}_{P_2}\), the probability, over the random draw of \((k_0,k_1)\), that \(k_0\oplus t =x\oplus u_1\) and \(k_1\oplus t=v_1\oplus u_2\) is \(1/N^2\) since \((k_0,k_1)\) is uniform and independent from the queries transcript. Summing over the \(q_cq_p^2\) possibilities for \((t,x,y)\), \((u_1,v_1)\), and \((u_2,v_2)\) yields

*Conditions (B-4) and (B-5).* We consider (B-4). Seeing \(\alpha _1\) as a random variable over the random draw of \((k_0,k_1)\), one has

*Condition (B-6).* Again, we see \(\alpha _{2,3}\) as a random variable over the random draw of \(k_0\). Then

*Conditions (B-7) and (B-8).* Consider (B-7). We see the distinguisher combined with \(\widetilde{P}_0\) and the inner permutations \(P_1\), \(P_3\), and \(P_4\) as a probabilistic algorithm \(\mathcal {A}\) interacting with \(P_2\), and we see \(\nu _2\) as a random variable over the random choice of \(P_2\) and the randomness of \(\mathcal {A}\). One has

*i*-th and the *j*-th query, and assume *wlog* that \(i<j\). If the *j*-th is a direct query \(u_{2,j}\), then \(v_{2,j}\) is uniformly random in a set of size \(N-j+1\). Similarly, if this is an inverse query \(v_{2,j}\), then \(u_{2,j}\) is uniformly random in a set of size \(N-j+1\). In all cases, the probability that \(u_{2,i}\oplus v_{2,i}=u_{2,j}\oplus v_{2,j}\) is at most \(1/(N-q_p)\). Hence,

### 3.3 Analysis of Good Transcripts

*et al.* [7].

We start by giving the conditions defining good pairs of permutations \((P_1,P_4)\). We stress that these conditions cannot be accommodated in the definition of bad transcripts since they depend on values of \(P_1\) and \(P_4\) which do *not* appear in the queries transcript, so that they cannot be defined from the transcript \(\tau \) alone. We also warn the reader upfront that conditions (C-5) and (C-6) are “dummy” conditions that will easily be seen to be impossible to fulfill, yet will allow us to cleanly use the previous result of Cogliati *et al.* [7].

### **Definition 2**

- (C-1) there exists \((t,x,y)\in \mathcal {Q}_C\), \(u_2 \in U_2\), and \(v_3 \in V_3\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_1(x\oplus k_0 \oplus t)\oplus k_1 \oplus t=u_2\\ P_4^{-1}(y\oplus k_0 \oplus t)\oplus k_1 \oplus t=v_3; \end{array} \right. \end{aligned}$$
- (C-2) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_2,v_2)\in \mathcal {Q}_{P_2}\), and \(u_3\in U_3\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_1(x\oplus k_0 \oplus t)\oplus k_1 \oplus t=u_2\\ v_2\oplus k_0 \oplus t=u_3; \end{array} \right. \end{aligned}$$
- (C-3) there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_3,v_3)\in \mathcal {Q}_{P_3}\), and \(v_2\in V_2\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_4^{-1}(y\oplus k_0 \oplus t)\oplus k_1 \oplus t=v_3 \\ u_3\oplus k_0 \oplus t=v_2; \end{array} \right. \end{aligned}$$
- (C-4) there exists \((t,x,y),(t',x',y'),(t'',x'',y'')\in \mathcal {Q}_C\) with \((t,x,y)\) distinct from \((t',x',y')\) and from \((t'',x'',y'')\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_1(x\oplus k_0 \oplus t)\oplus t=P_1(x'\oplus k_0 \oplus t')\oplus t' \\ P_4^{-1}(y\oplus k_0 \oplus t)\oplus t=P_4^{-1}(y''\oplus k_0 \oplus t'')\oplus t''; \end{array} \right. \end{aligned}$$
- (C-5) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_1(x\oplus k_0 \oplus t)\oplus t=P_1(x'\oplus k_0 \oplus t')\oplus t'\\ t=t'; \end{array} \right. \end{aligned}$$
- (C-6) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_4^{-1}(y\oplus k_0 \oplus t)\oplus t=P_4^{-1}(y'\oplus k_0 \oplus t')\oplus t' \\ t=t'; \end{array} \right. \end{aligned}$$
- (C-7) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(u_2\in U_2\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_1(x\oplus k_0 \oplus t)\oplus k_1 \oplus t=u_2 \\ P_4^{-1}(y\oplus k_0 \oplus t)\oplus t=P_4^{-1}(y'\oplus k_0 \oplus t')\oplus t'; \end{array} \right. \end{aligned}$$
- (C-8) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(v_3\in V_3\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_4^{-1}(y\oplus k_0 \oplus t)\oplus k_1 \oplus t=v_3 \\ P_1(x\oplus k_0 \oplus t)\oplus t=P_1(x'\oplus k_0 \oplus t')\oplus t'; \end{array} \right. \end{aligned}$$
- (C-9) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \((u_2,v_2),(u'_2,v'_2)\in \mathcal {Q}_{P_2}\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_1(x\oplus k_0 \oplus t)\oplus k_1 \oplus t=u_2 \\ P_1(x'\oplus k_0 \oplus t')\oplus k_1 \oplus t'=u'_2\\ v_2 \oplus t=v'_2\oplus t'; \end{array} \right. \end{aligned}$$
- (C-10) there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \((u_3,v_3),(u'_3,v'_3)\in \mathcal {Q}_{P_3}\) such that$$\begin{aligned} \left\{ \begin{array}{l} P_4^{-1}(y\oplus k_0 \oplus t) \oplus k_1 \oplus t=v_3\\ P_4^{-1}(y'\oplus k_0 \oplus t') \oplus k_1 \oplus t'=v'_3\\ u_3 \oplus t=u'_3\oplus t'; \end{array} \right. \end{aligned}$$
- (C-11) \(\alpha _2 \ge \sqrt{q_c}\);
- (C-12) \(\alpha _3 \ge \sqrt{q_c}\);
- (C-13) \(\beta _2 \ge \sqrt{q_c}\);
- (C-14) \(\beta _3 \ge \sqrt{q_c}\).

In all the following, we denote \(\varPi \) the set of pairs of permutations \((P_1,P_4)\) such that \(P_1\vdash \mathcal {Q}_{P_1}\) and \(P_4\vdash \mathcal {Q}_{P_4}\). The first step towards studying good transcripts will be to upper bound the probability that the pair \((P_1,P_4)\) is bad.

### **Lemma 4**

### *Proof*

We upper bound the probabilities of the fourteen conditions in turn. We denote \(\varPi _i\) the set of pairs of permutations \((P_1,P_4)\in \varPi \) satisfying condition (C-*i*).

*Condition (C-1).* Fix \((t,x,y)\in \mathcal {Q}_C\), \(u_2\in U_2\), and \(v_3\in V_3\). Note that if \(x\oplus k_0 \oplus t =u_1\) for some \((u_1,v_1)\in \mathcal {Q}_{P_1}\), then \(v_1\oplus k_1\oplus t\) cannot be equal to \(u_2\) since otherwise \(\tau \) would satisfy (B-2). Similarly, if \(y\oplus k_0\oplus t=v_4\) for some \((u_4,v_4)\in \mathcal {Q}_{P_4}\), then \(u_4\oplus k_1\oplus t\) cannot be equal to \(v_3\) since otherwise \(\tau \) would satisfy (B-3). On the other hand, if \(x\oplus k_0 \oplus t \notin U_1\) and \(y\oplus k_0\oplus t\notin V_4\), then the probability over \((P_1,P_4)\leftarrow _{\$}\varPi \) that

*t*,

*x*,

*y*), \(u_2\), and \(v_3\) yields

*Conditions (C-2) and (C-3).* We consider (C-2), the reasoning for (C-3) is similar. Fix \((t,x,y)\in \mathcal {Q}_C\), \((u_2,v_2)\in \mathcal {Q}_{P_2}\), and \(u_3\in U_3\). Note first that for (C-2) to be satisfied, one must have \(v_2\oplus k_0\oplus t = u_3\), and there are by definition at most \(\alpha _{2,3}\) triplets \(((t,x,y),v_2,u_3)\) satisfying this equality. If \(x\oplus k_0 \oplus t =u_1\) for some \((u_1,v_1)\in \mathcal {Q}_{P_1}\), then \(v_1\oplus k_1\oplus t\) cannot be equal to \(u_2\) since otherwise \(\tau \) would satisfy (B-2). On the other hand, if \(x\oplus k_0 \oplus t \notin U_1\), then the probability that \(P_1(x\oplus k_0 \oplus t)=u_2\oplus k_1 \oplus t\) is at most \(1/(N-q_p)\le 2/N\) (it is zero if \(u_2\oplus k_1 \oplus t \in V_1\), and \(1/(N-q_p)\) otherwise). Summing over the at most \(\alpha _{2,3}\) possibilities for \((t,x,y)\), \((u_2,v_2)\), and \(u_3\), with \(\alpha _{2,3}\le q_p\sqrt{q_c}\) since otherwise \(\tau \) would satisfy (B-6), we obtain

*Condition (C-4).* Fix \((t,x,y),(t',x',y'),(t'',x'',y'')\in \mathcal {Q}_C\) with \((t,x,y)\) distinct from \((t',x',y')\) and from \((t'',x'',y'')\). First, note that if \(x\oplus k_0\oplus t=x'\oplus k_0\oplus t'\) or \(y\oplus k_0\oplus t=y''\oplus k_0\oplus t''\), then (C-4) cannot be satisfied. Hence, we assume that neither of these two equalities holds. We consider three cases. Assume first that \(x\oplus k_0 \oplus t =u_1\) for some \((u_1,v_1)\in \mathcal {Q}_{P_1}\). Note that there are at most \(\alpha _1\) possibilities for \((t,x,y)\), and \(\alpha _1\le \sqrt{q_c}/2\) since otherwise \(\tau \) would satisfy (B-4). Moreover \(y\oplus k_0\oplus t\notin V_4\) since otherwise \(\tau \) would satisfy (B-1). Hence, the probability that

\((t,x,y)\) and \((t'',x'',y'')\), the probability of this first case is at most \(q_c^{3/2}/N\). The second case where \(y\oplus k_0\oplus t\in V_4\) is handled similarly. Finally, consider the case where \(x\oplus k_0\oplus t \notin U_1\) and \(y\oplus k_0\oplus t\notin V_4\). Then the probability that

\((t,x,y)\), \((t',x',y')\), and \((t'',x'',y'')\), the probability of this third case is at most \(4q_c^3/N^2\). Overall, we obtain

*Conditions (C-5) and (C-6).* These conditions cannot be satisfied. Indeed, assume that there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) satisfying (C-5). Since \(t=t'\), one has \(x\ne x'\) by the assumption that the distinguisher never makes pointless queries. Because \(P_1\) is a permutation, this implies \(P_1(x\oplus k_0 \oplus t)\oplus t\ne P_1(x'\oplus k_0 \oplus t')\oplus t'\), a contradiction. The reasoning is similar for (C-6). Hence,

*Conditions (C-7) and (C-8).* We consider condition (C-7). Fix queries \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(u_2\in U_2\). We will consider two cases: first, the case where \(y\oplus k_0\oplus t\in V_4\), and then the case where \(y\oplus k_0\oplus t\notin V_4\). For both cases, note that if \(x\oplus k_0 \oplus t =u_1\) for some \((u_1,v_1)\in \mathcal {Q}_{P_1}\), then \(v_1\oplus k_1\oplus t\) cannot be equal to \(u_2\) since otherwise \(\tau \) would satisfy (B-2). Hence, we can assume that \(x\oplus k_0 \oplus t \not \in U_1\). It follows that the probability that

\((t,x,y)\), \((t',x',y')\), and \(u_2\), we see that the probability of the second case is at most \(4q_c^2 q_p/N^2\). Overall,

*Conditions (C-9) and (C-10).* Consider condition (C-9). First note that, if the condition is satisfied, we have \(x\oplus k_0 \oplus t \not \in U_1\), \(x'\oplus k_0 \oplus t' \not \in U_1\), \(u_2\oplus k_1 \oplus t \not \in V_1\) and \(u'_2\oplus k_1 \oplus t' \not \in V_1\), otherwise (B-2) is fulfilled. Moreover, if \((u_2,v_2)=(u'_2,v'_2)\), then \(t=t'\), thus \(x=x'\), which is impossible. Hence we must have \((u_2,v_2)\ne (u'_2,v'_2)\). The condition can be divided into two conditions:

- 9.1 there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \((u_2,v_2)\ne (u'_2,v'_2)\in \mathcal {Q}_{P_2}\) such that \(x\oplus t=x'\oplus t'\), \(P_1(x\oplus k_0 \oplus t)=u_2 \oplus k_1 \oplus t\) and \(P_1(x'\oplus k_0 \oplus t')=u'_2 \oplus k_1 \oplus t'\) and \(v_2 \oplus t=v'_2\oplus t'\);
- 9.2 there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \((u_2,v_2)\ne (u'_2,v'_2)\in \mathcal {Q}_{P_2}\) such that \(x\oplus t\ne x'\oplus t'\), \(P_1(x\oplus k_0 \oplus t)=u_2 \oplus k_1 \oplus t\) and \(P_1(x'\oplus k_0 \oplus t')=u'_2 \oplus k_1 \oplus t'\) and \(v_2 \oplus t=v'_2\oplus t'\).

*Conditions (C-11) and (C-12).* We see \(\alpha _2\) (resp. \(\alpha _3\)) as a random variable over the choice of \(P_1\) (resp. \(P_4\)). Note that

*Conditions (C-13) and (C-14).* Consider condition (C-13). Note that

We denote \(\beta '_2\) the last term of this sum. Thus

We are now ready for the second step of the reasoning.

### **Definition 3**

### **Lemma 5**

### *Proof*

We can now directly appeal to a previous result by Cogliati *et al.* [7].

### **Lemma 6**

### *Proof*

One can check that the queries transcript \(\tau '=(\mathcal {Q}'_C,\mathcal {Q}_{P_2},\mathcal {Q}_{P_3})\) satisfies exactly the conditions defining a good transcript as per [7, Definition 2]. Moreover, the ratio \(\tilde{\mathsf {p}}(\tau ,P_1,P_4)/\prod _{i=1}^m1/(N)_{q_i}\) is exactly the ratio of the probabilities to get \(\tau '\) in the real and in the ideal world once a good pair \((P_1,P_4)\) is fixed. Hence, we can apply [7, Lemma 6] that directly yields the result.^{6} \(\square \)

We are now ready to prove the main lemma of this section.

### **Lemma 7**

### *Proof*

**Concluding.** We are now ready to prove Theorem 1. Combining Lemmas 1, 3, and 7, one has

Since the result holds trivially when \(q_c^{3}>N^2\), \(q_c^2q_p>N^2\), or \(q_cq_p^2>N^2\), we can assume that \(q_c^{3}\le N^2\), \(q_c^2q_p\le N^2\), and \(q_cq_p^2\le N^2\), so that

## Footnotes

- 1. We warn that the naming *Tweakable Even-Mansour* construction was previously used by the designers of Minalpher [34], a candidate to the CAESAR competition, to designate a permutation-based variant of Rogaway’s XEX construction [31], i.e., a 1-round Even-Mansour construction where the derivation functions \(f_0\) and \(f_1\) applied to \((\mathbf {k},\mathbf {t})\) are allowed to depend on the internal permutation \(P_1\) (something we do not consider in this paper).
- 2.
- 3. More precisely, the birthday-bound result applies to the variant of the construction where the same key is used before and after permutation \(P_1\), and the \(2^{2n/3}\)-security bound applies to the cascade of this construction with two independent keys and two independent permutations.
- 4. Recall that for an attainable transcript, one has \({\text {Pr}}[T_\mathrm{id}=\tau ]>0\).
- 5. We define conditions (B-4) and (B-5) using \(\sqrt{q_c}/2\) rather than \(\sqrt{q_c}\) in order to be able later to directly apply a previous result by Cogliati *et al.* [7].
- 6.

## Notes

### Acknowledgment

We wish to thank the anonymous reviewers of ASIACRYPT 2015 for their useful suggestions.

## References

- 1. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
- 2. Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)
- 3. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)
- 4. Chakraborty, D., Sarkar, P.: A general construction of tweakable block ciphers and different modes of operations. In: Lipmaa, H., Yung, M., Lin, D. (eds.) Inscrypt 2006. LNCS, vol. 4318, pp. 88–102. Springer, Heidelberg (2006)
- 5. Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014). http://eprint.iacr.org/2014/443
- 6. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). http://eprint.iacr.org/2013/222
- 7. Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 189–208. Springer, Heidelberg (2015). http://eprint.iacr.org/2015/539
- 8. Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). http://eprint.iacr.org/2015/069
- 9. Cogliati, B., Seurin, Y.: Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing. Full version of this paper. Available at http://eprint.iacr.org/2015/851
- 10. Crowley, P.: Mercy: a fast large block cipher for disk sector encryption. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 49–63. Springer, Heidelberg (2001)
- 11. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)
- 12. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Cryptanalysis of iterated Even-Mansour schemes with two keys. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 439–457. Springer, Heidelberg (2014). http://eprint.iacr.org/2013/674
- 13. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
- 14. Farshim, P., Procter, G.: The related-key security of iterated Even-Mansour ciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015). http://eprint.iacr.org/2014/953
- 15. Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein Hash Function Family. SHA3 Submission to NIST (Round 3) (2010)
- 16. Goldenberg, D., Hohenberger, S., Liskov, M., Schwartz, E.C., Seyalioglu, H.: On tweaking Luby-Rackoff blockciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 342–356. Springer, Heidelberg (2007)
- 17. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
- 18. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)
- 19. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)
- 20. Jean, J., Nikolic, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
- 21. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
- 22. Lampe, R., Seurin, Y.: Security analysis of key-alternating Feistel ciphers. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 243–264. Springer, Heidelberg (2015)
- 23. Landecker, W., Shrimpton, T., Terashima, R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012). http://eprint.iacr.org/2012/450
- 24. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
- 25. Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015). http://eprint.iacr.org/2015/363
- 26. Minematsu, K.: Improved security analysis of XEX and LRW modes. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 96–113. Springer, Heidelberg (2007)
- 27. Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009)
- 28. Mitsuda, A., Iwata, T.: Tweakable pseudorandom permutation from generalized Feistel structure. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 22–37. Springer, Heidelberg (2008)
- 29. Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
- 30. Procter, G.: A Note on the CLRW2 Tweakable Block Cipher Construction. IACR Cryptology ePrint Archive, Report 2014/111 (2014). http://eprint.iacr.org/2014/111
- 31. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
- 32. Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003)
- 33. Rogaway, P., Zhang, H.: Online ciphers from tweakable blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011)
- 34. Sasaki, Y., Todo, Y., Aoki, K., Naito, Y., Sugawara, T., Murakami, Y., Matsui, M., Hirose, S.: Minalpher v1. Submission to the CAESAR competition (2014)
- 35. Schroeppel, R.: The Hasty Pudding Cipher. AES submission to NIST (1998)
- 36. Steinberger, J.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptology ePrint Archive, Report 2012/481 (2012). http://eprint.iacr.org/2012/481