Connecting tweakable and multi-key blockcipher security

The significance of understanding blockcipher security in the multi-key setting is highlighted by the extensive literature on attacks, and how effective key size can be significantly reduced. Nevertheless, little attention has been paid in formally understanding the design of multi-key secure blockciphers. In this work, we formalize the multi-key security of tweakable blockciphers in case of general key derivation functions. We show an equivalence between blockcipher multi-key security and tweakable blockcipher security. Our equivalence connects two objects of study, the iterated Even–Mansour (EUROCRYPT 2012) and the iterated Tweakable Even–Mansour (CRYPTO 2015), which establishes that results in both areas are, to a certain extent, transferable. Using our novel equivalence relation, we derive new bounds for both constructions, pave the path towards the solution of two well-studied conjectures, and show that, contrary to common knowledge, key derivation functions need not necessarily be pseudorandom functions in order to provide security: for the iterated Even–Mansour universal hash functions suffice.


Introduction
A necessity for any cryptographic system is the ability to support communication among many users, for potentially long periods of time. Enabling security in such scenarios requires distributing many keys, not only per user, but also per unit of time. As a result, understanding the multi-key security of cryptographic algorithms is important.
In applications where symmetric-key algorithms are used for the bulk of communication, the difficulty in maintaining security in multi-key settings involves not only initially distributing and managing keys for each pair of communicating parties, but also ensuring that keys are not used beyond recommended data and time limits. How long a key can be used and how much data it can process is determined via cryptanalysis and security bounds estimating adversarial success probability. However, until recently, most analysis has been performed in the single-key setting, even though analyzing cryptographic algorithms in the multi-key setting has more practical significance.
Nevertheless, the limitations of the multi-key setting are well understood for a large variety of cryptographic algorithms, such as public key encryption [5], key establishment protocols [9,13], signatures [65], and message authentication codes [6,17]. Blockciphers are no exception, and have been the subject of many attacks taking advantage of the availability of multiple keys. For example, Biham [7] showed that the effective key size of blockciphers can halve in the multi-key setting, provided sufficiently many keys are employed in the encryption of a known plaintext. Subsequent attacks used time-memory-key tradeoffs [12,29,34,41] for improvements.
Despite the multitude of attacks, little exploration has been done concerning the design of blockciphers in the multi-key setting. This is most likely due to the result stating that the multi-key security of a blockcipher can be reduced to its single-key security with a security loss proportional to the number of keys used, a fact which has been formally proven for public key encryption schemes [5] and message authentication codes [17], among others. This reduction relies on the fact that all keys are independent and uniformly distributed. In practice, however, keys are often generated via key derivation functions (KDFs), which use a master key to output many different keys. Therefore, to be able to rely on single-key security, such a KDF must behave like a pseudorandom function, so that its outputs are computationally indistinguishable from independent, uniformly distributed values.

Linking multi-key security with tweakable blockciphers
Our main contribution is drawing a powerful connection between the multi-key security of blockciphers and the security of tweakable blockciphers. As a first step towards the connection, we present a generalized definition of multi-key security of (tweakable) blockciphers in Sect. 3. While earlier definitions, including Mouha and Luykx [64], only considered independent, uniformly generated keys, we introduce KDFs in the definition of multi-key security, and say that the combination of a blockcipher with KDF is secure if it is indistinguishable from uniform random permutations.
By explicitly including KDFs into blockcipher security, and viewing key schedules as a type of KDF, one can put weak, known, and related key attacks in perspective with multi-key security. More importantly, due to the explicit inclusion of KDFs, the connection between multi-key and tweakable blockcipher security (Sect. 4) is immediate. This connection allows one to use the large body of work on tweakable blockciphers (see Sect. 5) to understand the multi-key security of blockciphers, and vice versa.
Finally, via the connection with tweakable blockciphers, related-key security of blockciphers [10] can also be linked to multi-key security. In more detail, in related-key security, an attacker may transform the master key via a related-key-deriving function, which could also be interpreted as deriving a new subkey in the multi-key setting.

Application to even-mansour and tweakable even-mansour
By identifying KDFs with key schedules, or rather TWEAKEY schedules [48], which process both tweak and key input to generate subkeys for use in blockciphers, significant performance gains can be made depending upon the application. KDFs are usually designed to behave like pseudorandom functions, which is the optimal choice when blockciphers are treated like black boxes. However, in order to improve performance blockciphers cannot be treated as black boxes, and KDFs must be designed with specific blockciphers in mind, which is what a TWEAKEY schedule is.
Instead of looking at one specific blockcipher, or treating them as black boxes, we take an intermediate approach and apply our observations to the iterated Even-Mansour construction EM[r] [11,30,31] and the Tweakable Even-Mansour construction TEM[r] [21], which can be viewed as generic versions of key-alternating ciphers [27,28], the design approach to the AES [28]. As depicted in Fig. 1, both constructions process their input using r ≥ 1 consecutive, independent permutations interleaved with maskings derived from the key; the main difference between the constructions is that in TEM[r] the maskings are derived from the key and the tweak via a universal hash function. See Sect. 5 for a detailed explanation of the constructions.
Chen and Steinberger [19] proved that EM[r] achieves asymptotically 2^{rn/(r+1)} single-key security for arbitrary r ≥ 1. Hoang and Tessaro [42] recently simplified their bound and improved it by a constant factor. They additionally demonstrated how the results directly generalize to the multi-key setting based on a uniformly random KDF. For TEM[r], Cogliati et al. [16] proved 2^{n/2} single-key security for r = 1, 2^{2n/3} for r = 2, and 2^{rn/(r+2)} for any even r, and conjectured that it achieves (tight) 2^{rn/(r+1)} single-key security for any r ≥ 1. These results are summarized in Table 1, with further related work in Sect. 5.
First, we use our new equivalence result as a tool to transfer the EM[r] multi-key bound to TEM[r] in Sect. 5.4, establishing a 2^{rn/(r+1)} bound for any r, as long as the universal hash function is replaced by a uniform random function and the adversaries use a limited number of tweaks. In applications where the number of tweaks can be limited to a small number, as might, for example, be the case in certain authenticated encryption schemes [2,26,68], our newly obtained bound on TEM[r] improves over the state of the art, and even solves the 2015 conjecture by Cogliati et al. [21] for the specific case of uniformly random masking. The replacement of the universal hash function by a uniform random function may in certain settings be a burden, but this condition allows us to make a first step towards solving this conjecture for general masking. The new bounds are summarized in Table 1.
As a bonus, the new TEM[r] bound carries over to its blockcipher-based sibling LRW[r] [53,55,56,67]; see Fig. 1 for its depiction, and Sect. 5 for a detailed explanation of the construction. Our bounds therefore also partially solve the related conjecture by Landecker et al. [56] and Lampe and Seurin [55] on LRW[r], provided the maximum number of tweaks can be bounded and the masking is random. Finally, we also consider multi-key security of EM[r] with a KDF that is not necessarily random. Using the aforementioned equivalence in the reverse direction, in Sect. 5.4 we transfer the results from Cogliati et al. [16] on TEM[r] to multi-key security bounds of EM[r] which do not degrade relative to the number of users, but with the same limitations on r as with the TEM[r] bounds (see Table 1). The bound is identical to that of [16]. Interestingly, we are able to conclude that a pseudorandom KDF is not necessary to achieve multi-key security with the EM[r] construction. Since the tweaks for TEM[r] are processed using universal hash functions, such functions suffice as KDF for EM[r].

Performance gains
Besides the necessity of using pseudorandom KDFs when the blockcipher is treated as a black box, it is also important if the application scenario contains malicious users: it should be infeasible for one pair of communicating users to guess the keys of other users. Therefore, weakening the KDF must be done with care. However, there are applications where the users are known not to be malicious.
Consider wireless sensor networks, for example, which consist of small autonomous sensors used to monitor environmental conditions. Using our connection between multi-key security and tweakable blockciphers, it is clear that in those settings one could replace the combination of a KDF and blockcipher with a single tweakable blockcipher, where the "keys" for each of the sensors would correspond to different tweaks for the tweakable blockcipher. Even though each of the sensors could easily compute the "key" of any other sensor, the main security threat in this scenario are external attackers, not the sensors themselves. This approach is formalized in Sect. 6.
The only issue would be key compromise of a sensor, which would immediately leak the key, and therefore security of the entire system would be lost. Even if it is difficult to ensure that no sensor will leak its key, one can still avoid using pseudorandom KDFs. For example, an intermediate solution is to group together sensors, and to distribute an independent key to each group, while communication within the group is performed by changing tweaks. In Sect. 3.2 we describe another solution, which uses universal hash functions that are secure against collusion of a group of users, meaning a certain number of sensors could be compromised without the entire system losing security.

Preliminaries
The set of bit strings of length n ≥ 0 is denoted {0,1}^n. For two sets X, Y, the set of all functions from X to Y is denoted Func(X, Y), the case X = Y being abbreviated to Func(X). The set of permutations on X is denoted Perm(X). Uniform random drawing of an element x from X is denoted x ←$ X.

Blockciphers and tweakable blockciphers
A blockcipher is a mapping E : K × M → M where for every key k ∈ K, the function Note that a conventional blockcipher is a tweakable blockcipher with tweak space of size 1, meaning that tweakable blockcipher security definitions can be applied to blockciphers. Therefore, we will only discuss the security of tweakable ciphers, which will be denoted explicitly with the use of 'T' and '∼'. The corresponding notation for conventional blockciphers follows by removing the 'T's and '∼'s.
Let E : K × T × M → M be a tweakable blockcipher that is internally based on r ≥ 1 primitives Π_1, ..., Π_r ∈ Prims, where Prims is some set of primitives. Examples include Prims = Perm(M), which is used in the Even-Mansour constructions, and Prims = Func(M′), which is used in Feistel networks where M′ is of size smaller than M.
In the following definition we consider a distinguisher D that either interacts in a "real world", where it has query access to E_k with secret k ←$ K, or an "ideal world", where D interacts with an ideal tweakable permutation π ←$ TPerm(T, M). In both worlds D gets access to the idealized primitives Π = (Π_1, ..., Π_r) ←$ Prims^r. The goal of D is to distinguish the real from the ideal world.

Definition 1 (STPRP security) Consider
where the probabilities are taken over the random choices of k The distinguisher has two-sided query access to each of its oracles. For any q, , p ≥ 0 with ≤ |T|, we define Adv^stprp_E(q, , p) to be the maximum advantage over any distinguisher D that makes at most q queries to the construction for at most different tweaks, and p queries to each of the primitives.
Inclusion of the parameter might seem artificial, but it can be set arbitrarily large and therefore does not limit applicability of the definition. Although it is included to describe distinguishers more accurately, it has a meaningful connection to the security bounds of MAC functions and authenticated encryption schemes based on blockciphers. In more detail, consider an authenticated encryption scheme based on a tweakable blockcipher, denote by the maximal message length, and the number of different tweaks employed in the authenticated encryption scheme. On the one hand, the parameter often plays a significant role in the security bounds, while on the other hand, the values and are often close to each other, and differ at most by a multiplicative constant. For example, for COPA [2], ELmE [26], and SCT [68], we have ≈ 2 .

Universal hash functions
Let (Y, ⊕) be an abelian group. Let H = {h_k : X → Y | k ∈ K} be a family of functions indexed by a key k ∈ K. We say that H is uniform if for any x ∈ X and y ∈ Y, we have We say that H is ε-UAXU if it is uniform and ε-AXU.
A result that we will use later is that a uniform random function is also uniform and AXU. More formally, define as a family of functions defined as Throughout, we will simply write F^X_n for F^X_{{0,1}^n}. Our interest in uniform random functions is purely in connecting our definition of multi-key security to the conventional definitions.

Multi-key security
Mouha and Luykx [64] formalized the notion of multi-key security of blockciphers, and applied it to one round of Even-Mansour (cf. Sect. 5.1). We introduce the generalization of this model to (i) tweakable blockcipher constructions and (ii) arbitrary key derivation functions. The model shows similarity with that of Hoang and Tessaro [42]. As in Sect. 2.1 we will discuss the multi-key security model for tweakable blockciphers, including 'T's and '∼'s. The multi-key security for conventional blockciphers follows by removing the 'T's and '∼'s.
In the definition below, μ represents the number of instantiations with which the adversary interacts. A master key k ←$ K is generated for use in the key derivation function (KDF) F : K × X → K, which maps the master key along with what we call an ID x ∈ X to a key in K. Here, the different IDs correspond to the different instances in the multi-key setting. The adversary can adaptively choose IDs via the oracle E_{F(k,·)}, where the ID is input via F(k, ·). The adversary can instantiate at most μ IDs. The ideal functionality corresponding to E_{F(k,·)} is π_(·), which is formalized as a tweakable permutation with tweak space T × X: the subscript input (·) can be viewed as a tweak input from X which specifies the selected user, which in turn specifies a particular tweakable permutation to use. Figure 2 The distinguisher has two-sided query access to each of its oracles. For any μ, q, , p ≥ 0, we define Adv^tmk_{E,F}(μ, q, , p) to be the maximum advantage over any distinguisher D that makes at most q queries to the μ constructions (in whatever distribution), for at most different tweaks per construction, and p queries to each of the primitives.

Compatibility with prior definitions
The original multi-key definition of Mouha and Luykx [64] can be viewed as a special case of Definition 2, by considering non-tweakable blockciphers with keys generated using a uniformly random KDF, that is, F^X_K of (1). Definition 1, conventional STPRP security, is a special case of Definition 2 as well, seen by putting μ = 1 and taking the KDF to be F^X_K again: Note that, as with our definition of STPRP security, we explicitly include primitives with which the adversary can interact. This is in order to capture ideal model definitions and proofs, but standard model definitions are also included by only considering adversaries which make zero queries to the primitives.
Due to the generalized nature of our definition, it is in fact equivalent to the definition of related-key security of (tweakable) blockciphers [10,21,32], although the applications structurally differ in the types of key derivation functions considered. Particularly, related-key security targets simple KDFs, often as simple as bitwise XOR or modular addition, while for multi-key security the KDFs are usually stronger primitives, and in most cases are pseudorandom. Nevertheless, the obvious equivalence between related-key security and our generalized multi-key security definition hints at the existence of more applications of our work in the context of related-key security, although this direction is beyond the scope of our work.

On multi-key-derivation functions
Taking a uniformly random KDF is, naturally, the most secure way of multi-key derivation, but it requires a lot of randomness. Definition 2 allows us to consider more general KDFs, including universal hash functions and pseudorandom number generators.
When choosing a KDF which is not pseudorandom, caution is needed to prevent related-key attacks when users are malicious. Particularly, if too many multi-keys are derived with the master key, the application may be prone to attacks. For example, taking a counter as KDF, F(k, x) = k ⊕ x, allows users to derive each other's keys without knowledge of the master key, as for any x, x′ we have F(k, x′) = F(k, x) ⊕ x ⊕ x′. More generally, it is desirable that F generates multi-keys that have enough entropy, even conditioned on a small set of other multi-keys. In other words, it should not be possible for a small set of malicious users to collude and compute the keys of the honest users. One solution to this issue is via γ-strongly universal hash functions, as introduced by Wegman and Carter [78]. In more detail, let 1 ≤ γ ≤ μ, and consider KDF F : K^γ × X → K defined as It is impossible for any set of γ − 1 colluding users to obtain the keys of the remaining honest users. On the other hand, any γ colluding users {x_1, ..., x_γ} can recover the master key (k^(1), ..., k^(γ)) by invertibility of the Vandermonde matrix.
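The following is an added example, not code from the paper: it puts the weak counter KDF F(k, x) = k ⊕ x next to a γ-strongly universal polynomial KDF, shows that any user of the counter KDF computes a peer's key from its own, that γ colluders of the polynomial KDF recover the master key by solving the Vandermonde system, and that γ − 1 colluders cannot, because every possible honest key is explained by exactly one master key consistent with their view. The page does not reproduce the paper's formula for F, so the polynomial form F((k^(1), ..., k^(γ)), x) = Σ_i k^(i)·x^(i−1) over a prime field is an assumption (the Wegman–Carter construction); the field, keys and IDs are constructed toy values.

```python
# Added example, not from the paper: the counter KDF F(k, x) = k XOR x from
# Sect. 3.2 beside a gamma-strongly-universal polynomial KDF.  The polynomial
# form F((k1, ..., k_gamma), x) = k1 + k2*x + ... + k_gamma*x^(gamma-1) over a
# prime field is an assumption (the Wegman-Carter construction); the paper's
# own formula is not reproduced on this page.  All keys and IDs are toy values.
from __future__ import annotations

P = 2**61 - 1  # toy prime field; a deployment would work in GF(2^n) for block size n


def xor_kdf(master: int, user_id: int) -> int:
    """F(k, x) = k XOR x: the weak 'counter' KDF."""
    return master ^ user_id


def derive_peer_key_xor(my_id: int, my_key: int, peer_id: int) -> int:
    """A user of the XOR KDF recovers any peer's key without the master key:
    F(k, x') = F(k, x) XOR x XOR x'."""
    return my_key ^ my_id ^ peer_id


def poly_kdf(master: list[int], user_id: int) -> int:
    """F((k1..k_gamma), x) = sum_i k_i * x^(i-1) mod P, evaluated by Horner's rule."""
    acc = 0
    for coeff in reversed(master):
        acc = (acc * user_id + coeff) % P
    return acc


def _poly_mul(a: list[int], b: list[int]) -> list[int]:
    """Multiply two polynomials given as low-to-high coefficient lists mod P."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def recover_master(points: list[tuple[int, int]]) -> list[int]:
    """Given gamma (id, key) pairs with distinct ids, solve the Vandermonde
    system by Lagrange interpolation and return (k1, ..., k_gamma)."""
    gamma = len(points)
    assert len({x for x, _ in points}) == gamma, "IDs must be distinct"
    coeffs = [0] * gamma
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = _poly_mul(basis, [(-xj) % P, 1])  # multiply by (x - x_j)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P  # y_i / prod_{j != i} (x_i - x_j)
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def candidate_master(colluders: list[tuple[int, int]], honest_id: int, guess: int) -> list[int]:
    """What gamma-1 colluders can do: for *every* guess of the honest user's key
    there is exactly one master key consistent with all they know, so their
    view carries no information about that key."""
    return recover_master(colluders + [(honest_id, guess)])


def colluders_learn_nothing(colluders: list[tuple[int, int]], honest_id: int, guesses: list[int]) -> bool:
    """True if each guessed honest key is explained by a master key that also
    reproduces every colluder's key."""
    for guess in guesses:
        m = candidate_master(colluders, honest_id, guess)
        if poly_kdf(m, honest_id) != guess:
            return False
        if any(poly_kdf(m, x) != y for x, y in colluders):
            return False
    return True


if __name__ == "__main__":
    # Constructed toy master keys and user IDs.
    xor_master = 0x1234
    print(derive_peer_key_xor(7, xor_kdf(xor_master, 7), 9) == xor_kdf(xor_master, 9))
    master = [5, 11, 13]  # gamma = 3
    keys = [(x, poly_kdf(master, x)) for x in (1, 2, 3)]
    print(recover_master(keys) == master)                   # 3 colluders recover the master key
    print(colluders_learn_nothing(keys[:2], 3, [0, 1, 42]))  # 2 colluders learn nothing
```

The γ colluders need only their own (ID, key) pairs and the public IDs; the master key falls out of interpolation because the KDF is a degree γ − 1 polynomial evaluated at γ distinct points. With one fewer point the system is underdetermined by exactly one field element, which is the honest user's key.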

Tweakable blockciphers versus multi-key security
By introducing KDFs in the definition of multi-key security of blockciphers, the connection between multi-key security and tweakable security of blockciphers is nearly immediate: an ID can be viewed as a tweak, and a tweak can be viewed as an ID. Hence, taking a blockcipher E : K × M → M and a KDF F : K × T → K, we can define the tweakable blockcipher E : K × T × M → M which identifies tweaks in T with IDs in X, that is ( This construction can be seen as a generalization of Minematsu's tweakable blockcipher [63], but it has many more applications. In fact, extracting a blockcipher E from a tweakable blockcipher E by reversing the above construction is sometimes possible as well. For example, if E is the Even-Mansour construction of Sect. 5.1, and F is a UAXU family of hash functions, then E corresponds to the Tweakable Even-Mansour construction of Sect. 5.2. A distinguisher D_1 attacking the MK security of E with respect to F can be converted into a distinguisher D_2 attacking the STPRP security of E, by mapping each ID queried by D_1 into a tweak queried by D_2. Conversely, any STPRP distinguisher D_2 can be converted into a MK distinguisher D_1 by using the reverse transformation, namely, map each tweak into a different ID. Formally, we achieve the following theorem. and E the construction from (2). Let μ ≥ 1 and q, , p ≥ 0. If μ ≤ , then, Proof Let D_1 be a MK distinguisher against E with respect to F, and let D_2 be described as above, namely, each input m made to ID t ∈ T is converted into an E-query (t, m) with tweak t and input m. All primitive queries and D_1's final decision are forwarded by k, where the ID input of E is changed to tweak input for E. Similarly, a permutation π_(·) with ID input is equivalent to a tweakable permutation π where the IDs are mapped to tweaks. This means we have, and since μ ≤ , we establish The reverse inequality can be obtained similarly.
Proposition 2 (Multi-Key Security of EM[1] [64]) Consider F = F^X_n of (1). Let μ ≥ 1 and q, p ≥ 0. Then, Hoang and Tessaro [42] derived a strong generic reduction from multi-key to single-key security and transferred their result (Proposition 1) to the multi-key setting.

Iterated LRW
The Tweakable Even-Mansour construction is closely related to the iterated LRW construction [53]. In more detail, the r-round LRW[r] construction is based on r blockcipher calls instead of r permutations. It is defined identically as in (5), with P_1, ..., P_r instantiated as E_{z_1}, ..., E_{z_r} for independent keys z_1, ..., z_r. We can likewise use the definition of STPRP security of Definition 1 where, now, p bounds the total number of evaluations of E a distinguisher can make. A security analysis for r = 1 was performed by Liskov et al. [53], r = 2 by Landecker et al. [56] and Procter [67], and for a general number of even rounds by Lampe and Seurin [55]. These results on LRW[r] are comparable to the bounds of Proposition 4, which should not be surprising as The derivation of this bound is fairly straightforward: first, replace the blockcipher calls E_{z_1}, ..., E_{z_r} by r independent secret permutations P_1, ..., P_r. This step costs at most r · Adv^sprp_E(q, p). What remains is the TEM[r] construction with the difference that the adversary has no access to the secret underlying permutations, hence we have p = 0: Adv^stprp_{TEM[r]}(q, , 0). See also [16, Remark 1]. Further constructions related to LRW[1] include the XEX construction [71] and its generalizations [18,37,62], tweakable Feistel schemes [36,60], and tweakable blockciphers with tweak-dependent rekeying [58,61,63].

Application of equivalence of Sect. 4
Theorem 1 along with Proposition 4 implies multi-key security of EM[r] with KDF F : K^r × X → {0,1}^{(r+1)n} defined as (see also (6)) (8) where H = {h_k : X → {0,1}^n | k ∈ K} is an ε-UAXU family of hash functions. Note that F is not UAXU itself, but it is still sufficiently strong to achieve multi-key security of EM[r]. Although F's outputs admit a specific type of r-wise independence, it is clear to see that the result immediately generalizes to any F which outputs r-wise independent keys with the same joint distribution.
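An added example, not code from the paper, illustrating both construction (2) of Sect. 4 and the KDF F of (8) above: a toy EM[r] and TEM[r] on 8-bit blocks, where feeding EM[r] the r + 1 keys produced by F from the r hash keys and the tweak yields exactly TEM[r] evaluated on that tweak, for every tweak (ID) and message. Assumptions not on the page: the UAXU family is h_{(a,b)}(t) = a·t ⊕ b in GF(2^8) (uniform through b, 2^{-n}-AXU through a); the exact form of (8), which the page omits, is taken to be the cascaded-LRW masking (h_1, h_1 ⊕ h_2, ..., h_{r−1} ⊕ h_r, h_r), matching the r-wise independent masking of the Fig. 1 caption; the permutations are constructed public random permutations standing in for the ideal primitives P_i.

```python
# Added example, not from the paper: toy EM[r] and TEM[r] on n = 8-bit blocks,
# plus the KDF that turns EM[r] into TEM[r] (construction (2), Corollary 1).
# Assumptions not on the page: h_{(a,b)}(t) = a*t XOR b in GF(2^8) as the UAXU
# family; (8) taken in the cascaded-LRW form (h_1, h_1^h_2, ..., h_{r-1}^h_r, h_r),
# i.e. r+1 EM keys with r-wise independent masking; permutations are constructed
# public random permutations standing in for the ideal primitives P_i.
from __future__ import annotations
import random

N = 8
MASK = (1 << N) - 1
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r & MASK


def uaxu_hash(key: tuple[int, int], t: int) -> int:
    """h_{(a,b)}(t) = a*t XOR b: uniform (via b) and 2^-n-AXU (via a)."""
    a, b = key
    return gf_mul(a, t) ^ b


def make_perm(seed: int) -> list[int]:
    """Constructed public random permutation of {0,1}^n (stand-in for P_i)."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return table


def invert(perm: list[int]) -> list[int]:
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def em(perms: list[list[int]], keys: list[int], m: int) -> int:
    """EM[r]: r+1 n-bit keys interleaved with r public permutations."""
    assert len(keys) == len(perms) + 1
    x = m ^ keys[0]
    for P, k in zip(perms, keys[1:]):
        x = P[x] ^ k
    return x


def tem(perms: list[list[int]], hkeys: list[tuple[int, int]], t: int, m: int) -> int:
    """TEM[r]: round i maps x to P_i(x ^ h_{k_i}(t)) ^ h_{k_i}(t)."""
    x = m
    for P, hk in zip(perms, hkeys):
        h = uaxu_hash(hk, t)
        x = P[x ^ h] ^ h
    return x


def tem_inverse(perms: list[list[int]], hkeys: list[tuple[int, int]], t: int, c: int) -> int:
    """Inverse of tem(); the STPRP game gives the distinguisher both directions."""
    x = c
    for P, hk in zip(reversed(perms), reversed(hkeys)):
        h = uaxu_hash(hk, t)
        x = invert(P)[x ^ h] ^ h
    return x


def kdf8(hkeys: list[tuple[int, int]], t: int) -> list[int]:
    """F of (8) under the stated assumption: r hash outputs -> r+1 EM keys."""
    hs = [uaxu_hash(hk, t) for hk in hkeys]
    return [hs[0]] + [hs[i] ^ hs[i + 1] for i in range(len(hs) - 1)] + [hs[-1]]


def em_with_kdf(perms: list[list[int]], hkeys: list[tuple[int, int]], t: int, m: int) -> int:
    """Construction (2): the tweakable cipher E~(k, t, m) = E(F(k, t), m),
    with the tweak t playing the role of the user ID in the multi-key game."""
    return em(perms, kdf8(hkeys, t), m)


def equivalent_everywhere(perms: list[list[int]], hkeys: list[tuple[int, int]]) -> bool:
    """Exhaustively check E~ == TEM[r] over every tweak (ID) and every message."""
    return all(em_with_kdf(perms, hkeys, t, m) == tem(perms, hkeys, t, m)
               for t in range(1 << N) for m in range(1 << N))


if __name__ == "__main__":
    perms = [make_perm(s) for s in (1, 2, 3)]            # r = 3
    hkeys = [(0x03, 0x5C), (0x1F, 0x07), (0xA9, 0xE2)]   # constructed hash keys
    print(equivalent_everywhere(perms, hkeys))           # True
    print(tem_inverse(perms, hkeys, 0x42, tem(perms, hkeys, 0x42, 0x99)) == 0x99)
```

The check is the content of Theorem 1 in miniature: a multi-key distinguisher against EM[r] with this F and a tweak-based distinguisher against TEM[r] see the same oracle, so their advantages coincide once IDs and tweaks are identified. Note that kdf8 is not itself UAXU (adjacent outputs share a hash value), which is exactly the remark above that F need not be UAXU to suffice.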
Corollary 1 Consider F of (8). Let μ ≥ 1, r ≥ 1, and q, p ≥ 0. Then, Note that the result of Proposition 3 is better than that of Corollary 1, but it explicitly requires random key derivation while Corollary 1 allows for a more flexible key derivation. By using the equivalence reduction of Theorem 1 in the reverse direction, we can transfer Proposition 3 to the security of Tweakable Even-Mansour TEM[r].
Corollary 3 Let E : K × {0,1}^n → {0,1}^n be a blockcipher, and consider the 2^{-n}-UAXU family of hash functions F^T_n of (1). Let r ≥ 1 and q, , p ≥ 0 such that q + p ≤ 2^n/3. Then, As a matter of fact, the two corollaries apply to TEM[r] and LRW[r] for any form of r-wise independent keying (not just (6)). Clearly, for r = 1 and r = 2, the above corollaries do not improve over the state of the art for LRW[r] [53,55,56] and TEM[r] [21]. On the other hand, for r ≥ 3, the corollaries solve the conjectures on the two schemes for a specific scenario: the UAXU family of hash functions is F^T_n of (1).

Tweakable blockciphers versus related-key security
The first formalization of related-key security was by Bellare and Kohno [10]. Cogliati and Seurin [21] generalized the model to blockciphers and applied it to cascaded Even-Mansour (cf. Sect. 5.1). Mennink [59] provided a formalism for the case of tweakable blockcipher constructions.
The definition of related-key security is in fact strongly related to that of multi-key security of Sect. 3. In related-key attacks, a set of related-key-deriving functions Φ is defined prior to the experiment. The adversary can adaptively choose related-key functions ϕ from Φ that transform the key under which the query is made: E_{ϕ(k)}. As such, one can specifically see related-key security as multi-key security using key derivation function , which is formalized as a tweakable permutation with tweak space T × Φ: the subscript input (·) can be viewed as a tweak input from Φ which specifies the selected user, which in turn specifies a particular tweakable permutation to use. Definition 3 (TRK security) Let Φ be a set of related-key-deriving functions. Consider tweakable blockcipher E : K × T × M → M based on r ≥ 1 primitives Π_1, ..., Π_r ∈ Prims, and let F : where the probabilities are taken over the random choices of k The distinguisher has two-sided query access to each of its oracles. For any q, , p ≥ 0, we define Adv^trk_{E,Φ}(q, , p) to be the maximum advantage over any distinguisher D that makes at most q queries to the construction for at most different related-key-deriving functions per construction, and p queries to each of the primitives.

On related-key-derivation functions
If Φ simply consists of the identity function, Φ = {ϕ : k ↦ k}, Definition 3 boils down to conventional STPRP security, Definition 1: Two well-known sets of related-key-deriving functions [10,45] are the XOR and additive differences on the keys: where + denotes modular addition. More involved sets of related-key-deriving functions where the functions may depend on the cryptographic primitives are discussed in [4,59].

Relation
The relation between tweakable blockciphers and the related-key security of conventional blockciphers was already pointed out by Cogliati et al. [16,20,21]. At a high level, they suggest that if a blockcipher E : K × M → M is related-key secure for related-key-deriving functions Φ, then the tweakable blockcipher E : K × T × M → M with T = Φ, that is defined as is an equally secure tweakable blockcipher: (q, , p) = Adv^rk_{E,Φ}(q, , p), for any q, , p. As a matter of fact, Cogliati et al. restrict their observation to XOR-induced related-key-deriving functions Φ_⊕ of Sect. 6.1, but their observation straightforwardly generalizes. Lucks [57] and Tessaro [77] considered constructions comparable to (9), albeit not in the context of tweakable blockciphers. However, the reverse direction appears to be underexposed, despite its seemingly broad spectrum of potential applications. Assume we have a tweakable blockcipher E : K × T × M → M, and define a blockcipher E : Then, for the set of related-key-deriving functions which can be seen as a set of partially-transforming related-key-deriving functions in the terminology of Lucks [57], we can derive the following result.
Proof Let D_1 be a RK distinguisher against E with respect to Φ^id_⊕. Let D_2 be as follows: first, it selects a random tweak t. Then, each query (δ, m) made by D_1 (we can without loss of generality describe an element ϕ_δ ∈ Φ^id_⊕ by δ) is transformed into a query (t ⊕ δ, m) to E, and the response is relayed. D_1's final decision is forwarded by D_2. By design, and the result is established by maximizing over all distinguishers with complexity (q, , p).
We can use this construction to allow for multiple instances of blockcipher E under related keys, by keeping the master key k the same, and changing t for all users.For instance, if μ instances of E are required, these could be generated via the following offsets:

Conclusion
Our research illustrates how placing existing security definitions in a different context can lead to fruitful insights. After extending the definition of blockcipher multi-key security to include KDFs, the connection with tweakable blockcipher security immediately follows, and with it the connections to related-key security and the security of blockcipher key schedules. We applied these connections to illustrate how results on the iterated Even-Mansour and the iterated Tweakable Even-Mansour can be transferred between each other, resulting in new theoretical results. Furthermore, our definitions and results pave the way to understanding the design of KDFs, in particular, ones which are not necessarily PRFs. We saw how KDFs can be implemented as universal hash functions, which could result in efficiency improvements in practice.
Fig. 1 Top to bottom: r rounds of iterated Even-Mansour, Tweakable Even-Mansour, and Cascaded LRW. Here, k_i and z_i are key material, P_i are permutations, E is a blockcipher, and h_{k_i} are universal hash functions. All schemes reveal strong similarity, with one caveat: LRW[r] and TEM[r] explicitly have r-wise independent masking, while EM[r] uses r + 1 keys. However, the state of the art security analysis on EM[r] also covers r-wise independent keying [19].