posted on 2024-02-05, 07:43, authored by Benoît Cogliati, Jordan Ethan, Ashwin Jha, Soumya Kanti Saha
In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred to as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and an arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES, etc., from a provable security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a 2n-bit uniformly random key and an n-bit tweak is secure up to 2^(2n/3) queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, an αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to O(2^((r − α)n/r)) queries. Our proof crucially relies on the use of the coupling technique to upper-bound the statistical distance of the outputs of the TEML cipher from the uniform distribution. Our main technical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable security footing for the TWEAKEY framework, the high-level design rationale behind many popular TBCs.
Primary Research Area
Algorithmic Foundations and Cryptography
Journal
IACR Transactions on Symmetric Cryptology
Volume
2023
Page Range
330-364
Publisher
Universitätsbibliothek der Ruhr-Universität Bochum
Open Access Type
Gold
Sub Type
Article
BibTeX
@article{Cogliati:Ethan:Jha:Saha,
title = "On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing",
author = "Cogliati, Benoît and Ethan, Jordan and Jha, Ashwin and Saha, Soumya Kanti",
journal = "IACR Transactions on Symmetric Cryptology",
volume = "2023",
number = "4",
pages = "330--364",
year = "2023",
publisher = "Universitätsbibliothek der Ruhr-Universität Bochum",
issn = "2519-173X",
doi = "10.46586/tosc.v2023.i4.330-364"
}