International Association for Cryptologic Research (IACR)
Abstract
At FSE'15, Mennink introduced two tweakable block ciphers, F[1] and F[2], both utilizing an n-bit tweak. It was demonstrated that F[1] is secure for up to 2^{2n/3} queries, while F[2] is secure for up to 2^n queries, assuming the underlying block cipher is an ideal cipher with n-bit key and n-bit data. Later, at ASIACRYPT'16, Wang et al. showed a birthday bound attack on Mennink's design (which was later corrected in the eprint version, eprint 2015/363) and proposed 32 new candidates for tweakable block ciphers that are derived from n-bit ideal block ciphers. It was shown that all the 32 constructions are provably secure up to 2^n queries. All the proposed designs by both Mennink and Wang et al. admit only n-bit tweaks. At FSE'23, Shen and Standaert proposed a tweakable block cipher, G2, which uses 2n-bit tweaks and is constructed from three n-bit block cipher calls, proving its security up to n bits, assuming that the underlying block cipher is an ideal cipher. They also showed that it is impossible to design a tweakable block cipher with 2n-bit tweaks using only two n-bit block cipher calls while achieving security beyond the birthday bound. In this paper, we advance this research further. We show that any tweakable block cipher design with 3n-bit tweaks based on only three block cipher calls, where at least one key is tweak-independent, is vulnerable to a birthday bound distinguishing attack. We then propose a tweakable block cipher, G3*, which uses three block cipher calls, admits 3n-bit tweaks, and achieves security up to O(2^{2n/3}) queries when all three block cipher keys are tweak-dependent. Furthermore, we prove that using four ideal block cipher calls, with at least one key being tweak-dependent, is necessary and sufficient to achieve n-bit security for a tweakable block cipher that admits 3n-bit tweaks. Finally, we propose a tweakable block cipher, Gr, which uses (r+1) block cipher calls and processes rn-bit tweaks, achieving security up to O(2^n) queries when at least one block cipher key is tweak-dependent.