On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing

IF 1.7 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Benoît Cogliati, J. Ethan, Ashwin Jha, Soumya Kanti Saha
Journal: IACR Transactions on Symmetric Cryptology
DOI: 10.46586/tosc.v2023.i4.330-364 (https://doi.org/10.46586/tosc.v2023.i4.330-364)
Published: 2023-12-08 (Journal Article)
Citations: 0

Abstract

In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred to as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and an arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES, etc., from a provable-security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a uniformly random 2n-bit key and an n-bit tweak is secure up to 2^{2n/3} queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable-security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, an αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to O(2^{(r−α)n/r}) queries. Our proof crucially relies on the coupling technique to upper-bound the statistical distance between the outputs of the TEML cipher and the uniform distribution. Our main technical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable-security footing for the TWEAKEY framework, the high-level design rationale behind many popular TBCs.
Source journal: IACR Transactions on Symmetric Cryptology (Mathematics - Applied Mathematics)
CiteScore: 5.50
Self-citation rate: 22.90%
Articles published: 37