
On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing

Cogliati, B and Ethan, J and Jha, A and Saha, SK (2023) On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing. In: IACR Transactions on Symmetric Cryptology, 2023 (4). pp. 330-364.

Official URL: https://doi.org/10.46586/tosc.v2023.i4.330-364

Abstract

In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred to as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and an arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most of the existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES etc., from a provable security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a 2n-bit uniformly random key and n-bit tweak is secure up to 2^(2n/3) queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to O(2^((r − α)n/r)) queries. Our proof crucially relies on the use of the coupling technique to upper-bound the statistical distance of the outputs of the TEML cipher from the uniform distribution. Our main technical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable security footing for the TWEAKEY framework, a high-level design rationale of popular TBCs.
© 2023, Ruhr-University of Bochum. All rights reserved.

Item Type: Journal Article
Publication: IACR Transactions on Symmetric Cryptology
Publisher: Ruhr-University of Bochum
Additional Information: The copyright for this article belongs to authors.
Department/Centre: Division of Electrical Sciences > Computer Science & Automation
Date Deposited: 16 Nov 2024 15:19
Last Modified: 16 Nov 2024 15:19
URI: http://eprints.iisc.ac.in/id/eprint/85312
