On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing

journal contribution
posted on 2024-02-05, 07:43 authored by Benoît Cogliati, Jordan Ethan, Ashwin Jha, Soumya Kanti Saha
In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred to as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and an arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most of the existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES, etc., from a provable security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a 2n-bit uniform at random key and an n-bit tweak is secure up to $2^{2n/3}$ queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to $O(2^{\frac{r-\alpha}{r}n})$ queries. Our proof crucially relies on the use of the coupling technique to upper-bound the statistical distance of the outputs of the TEML cipher from the uniform distribution. Our main technical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable security footing for the TWEAKEY framework, a high-level design rationale of popular TBCs.


Primary Research Area

  • Algorithmic Foundations and Cryptography


IACR Transactions on Symmetric Cryptology



Universitatsbibliothek der Ruhr-Universitat Bochum

Open Access Type

  • Gold

Sub Type

  • Article


@article{Cogliati:Ethan:Jha:Saha,
  title     = "On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing",
  author    = "Cogliati, Benoît and Ethan, Jordan and Jha, Ashwin and Saha, Soumya Kanti",
  journal   = "IACR Transactions on Symmetric Cryptology",
  number    = "4",
  pages     = "330--364",
  publisher = "Universitatsbibliothek der Ruhr-Universitat Bochum",
  issn      = "2519-173X",
  doi       = "10.46586/tosc.v2023.i4.330-364"
}
