Forking Tweakable Even-Mansour Ciphers

A forkcipher is a keyed, tweakable function mapping an n-bit input to a 2n-bit output, which is equivalent to concatenating the outputs of two permutations. A forkcipher can be a useful primitive for designing authenticated encryption schemes for short messages. A forkcipher is typically designed within the iterate-fork-iterate (IFI) paradigm, while the provable security of such a construction has not been widely explored. In this paper, we propose a method of constructing a forkcipher using public permutations as its building primitives. It can be seen as applying the IFI paradigm to the tweakable Even-Mansour ciphers, so our construction is dubbed the forked tweakable Even-Mansour (FTEM) cipher. Our main result is to prove that a (1, 1)-round FTEM cipher (applying a single-round TEM to a plaintext, followed by two independent copies of a single-round TEM) is secure up to 2^{2n/3} queries in the ideal permutation model.

for a secret key k and three independent tweaks t_0, t_1, t_2. If TBC is modeled as an ideal tweakable permutation, then the three tweaked permutations will behave like independent secret random permutations, say p_0, p_1, p_2, where p_1(p(·)) || p_2(p(·)) will be perfectly secure, namely, the concatenation of two independent random permutations.
In this paper, we weaken the ingredients by using three public permutations, to which all parties have access; we propose a way of constructing a forkcipher on top of random permutations, and study its provable security in the ideal permutation model. This can be seen as a first step towards making the model analyzed in the provable-security setting more faithful to an actual iterate-fork-iterate instance, such as ForkSkinny. This approach is also akin to the body of work that investigates the generic security of various cryptographic constructions such as key-alternating ciphers, Feistel ciphers, and so on.
(Tweakable) Iterated Even-Mansour Ciphers. The iterated Even-Mansour (EM) construction [EM97, DR02] is one of the simplest block cipher constructions, abstracting substitution-permutation ciphers. The Even-Mansour construction based on an n-bit permutation P encrypts an n-bit plaintext x with two n-bit keys k and k' by computing It has been proved that EM is secure up to the birthday bound [EM97]. Moreover, its r-round variant is proved to be secure up to 2^{rn/(r+1)} queries [CS14].
Cogliati et al. [CS15] proposed to tweak EM, and the resulting tweakable cipher is called the tweakable Even-Mansour (TEM) cipher. This construction uses a family of hash functions, where each round key k of EM is replaced by h(t) for a tweak t and a hash key h. They proved that a 2-round TEM is secure up to 2^{2n/3} queries when the underlying permutations and the round hash keys are all independent.

Our Contribution
In this paper, we propose to fork an r-round TEM. Our construction, dubbed FTEM, is parameterized by r_1 and r_2 such that r_1 + r_2 = r; an (r_1, r_2)-round FTEM encrypts a plaintext using an r_1-round TEM cipher, and the resulting output is encrypted by two independent r_2-round TEM ciphers. In this paper, we focus on a (1, 1)-round FTEM that encrypts an n-bit plaintext x with key h = (h_1, h_2, h_3) ∈ H^3 and tweak t by computing

h_2(t) ⊕ P_2^{-1}(h_1(t) ⊕ h_2(t) ⊕ P_1(x ⊕ h_1(t))) || h_3(t) ⊕ P_3^{-1}(h_1(t) ⊕ h_3(t) ⊕ P_1(x ⊕ h_1(t))),

where P_1, P_2, P_3 are n-bit permutations, and H is a family of hash functions (see Figure 1). As the main contribution of this paper, we prove that, when H is a uniform δ-almost XOR-universal family of functions, the distinguishing advantage of any adversary making p primitive queries and q construction queries is upper bounded by So, when δ is close to 1/2^n, a (1, 1)-round FTEM is secure up to 2^{2n/3} adversarial queries in the random permutation model (assuming p = q). However, from a practical point of view, one should carefully interpret this bound since p and q, which represent offline and online complexity respectively, may be unbalanced; for example, when FTEM is instantiated with a lightweight permutation with n = 80, and when p is as high as 2^{64}, q has to be kept much smaller than 2^{32}.
Proof Technique. It is straightforward to prove the security of a (1, 1)-round FTEM up to the birthday bound, since the three underlying 1-round Even-Mansour ciphers behave like independent random permutations in the multi-key setting. In order to prove beyond-birthday security, we go one step further by extending the security proof of the two-round TEM ciphers (with the standard H-coefficient technique).
For simplicity of proof, we assume that an adversary is given an additional primitive query for free whenever two construction queries make a collision at the input to the underlying permutation. Then we upper bound the probability of two collisions made by three queries. Without such "bad" events, one can prove that the probabilities of obtaining a good transcript are close in the real and in the ideal world.
By taking only a half of the output from a (1, 1)-round FTEM, one immediately obtains a two-round TEM. Therefore, our result implies that forking does not dilute the security of a two-round TEM, while improving performance by doubling its output size. Besides providing theoretical insights on forkciphers, our result also has a practical interest in the context of permutation-based cryptography. For example, if our construction is instantiated with the Keccak permutation [BDPA09] or with Gimli [BKL+17], then we obtain a wide forkcipher with a huge message space, while achieving provable security beyond the birthday bound.

Figure 1: Tweakable Even-Mansour forkcipher of (1,1)-round, based on public permutations P_1, P_2, P_3 and hash functions h_1, h_2, h_3.

Notation
In all of the following, we fix a positive integer n such that n ≥ 3, and write N = 2^n. For a positive integer q, we write [q] = {1, . . . , q}.
Given a non-empty finite set X, x ←$ X denotes that x is chosen uniformly at random from X. The set of all functions from X to Y is denoted Func(X, Y), and the set of all permutations of X is denoted Perm(X). The set of all permutations of {0, 1}^n is simply denoted Perm(n). The set of all sequences that consist of b pairwise distinct elements of X is denoted X^{*b}. The set of all subsets of X with b elements is denoted X^{#b}. For example, for distinct elements a, b ∈ X, (a, b) and (b, a) are distinguished in X^{*2}, while {a, b} = {b, a} in X^{#2}. For integers 1 ≤ b ≤ a, we will write (a)_b = a(a − 1) · · · (a − b + 1) and (a)_0 = 1 by convention. If |X| = a, then (a)_b becomes the size of X^{*b}. When two sets X and Y are disjoint, their (disjoint) union is denoted X Y.

Uniform and XOR-Universal Hash Functions
Let δ > 0, and let H be a family of functions h : T → {0, 1}^n for a non-empty set T.
1. H is said to be uniform if for any x ∈ T and any y ∈ {0, 1}^n,
2. H is said to be δ-almost XOR-universal (δ-AXU) if for any distinct x, x' ∈ T and any y ∈ {0, 1}^n,

A Useful Lemma. The following lemma will be used later in our security proof.
Lemma 1. Let N, a, b, c, t be positive integers such that t + a ≤ N/2, t + b ≤ N/2 and t + c ≤ N/2. Then, the following inequality holds.
Proof. One has

Tweakable Block Cipher
A tweakable permutation TP with tweak space T and message space X is a mapping TP : T × X → X such that, for any tweak t ∈ T, x ↦ TP(t, x) is a permutation of X. Throughout the paper, we will fix X = {0, 1}^n, and write TP(T, n) to mean the set of all tweakable permutations with tweak space T and message space {0, 1}^n. A tweakable block cipher TBC with key space K, tweak space T and message space X is a mapping TBC : K × T × X → X such that for any key k ∈ K, (t, x) ↦ TBC(k, t, x) is a tweakable permutation with tweak space T and message space X.
A tweakable Even-Mansour cipher is a natural construction of a tweakable block cipher using public permutations. Let H be a family of functions h : T → {0, 1}^n for a non-empty set T. Given an r-tuple P = (P_1, . . . , P_r) of permutations of {0, 1}^n (for some positive integer r), the r-round tweakable Even-Mansour cipher TEM^P : H^r × T × {0, 1}^n → {0, 1}^n maps a key h = (h_1, . . . , h_r) ∈ H^r, a tweak t ∈ T, and a plaintext x ∈ {0, 1}^n to the following ciphertext.
where for each i ∈ {1, . . . , r}, x ∈ X and t ∈ T, We will interchangeably write TEM^P(h, t, x) and TEM^P_h(t, x).

Forkcipher
The encryption algorithm takes a key K ∈ K, a tweak t ∈ T, a message x ∈ {0, 1}^n and an output selector b, and outputs the "left" n-bit ciphertext Let H be a family of functions h : T → {0, 1}^n for a tweak space T. For positive integers r_1 and r_2, the (r_1, r_2)-round tweakable Even-Mansour forkcipher FTEM^{P_1, P_2, P_3} based on an r_1-tuple P_1 and r_2-tuples P_2 and P_3 of n-bit permutations operates on , a tweak t ∈ T and a plaintext x ∈ {0, 1}^n.

Indistinguishability
The focus of this paper will be put on the case that r_1 = r_2 = 1. In this case, the tweakable Even-Mansour forkcipher is based on a set of three independent permutations, denoted P = (P_1, P_2^{-1}, P_3^{-1}); precisely, let In the real world, a secret key h = (h_1, h_2, h_3) ∈ H^3 is chosen uniformly at random. A set of three permutations P_1, P_2, and P_3 are also chosen independently at random from Perm(n). A distinguisher A is given access to a construction oracle, denoted CONS_re, as well as P = (P_1, P_2, P_3); the oracle CONS_re takes as input a tweak t ∈ T, x ∈ {0, 1}^n which is either a plaintext or a (partial) ciphertext, and j ∈ {1, 2, 3}, and returns with indices taken modulo 3. In the ideal world, tweakable permutations Q and R are chosen from TP(T, n) independently at random; a distinguisher A is given access to a construction oracle (with the same interface as CONS_re), denoted CONS_id, defined as follows.
On the other hand, oracle access to P = (P 1 , P 2 , P 3 ) is still allowed in this world.
The adversarial goal is to tell apart the two worlds by adaptively making oracle queries to the construction and each of the permutations. Formally, A's distinguishing advantage is defined by where the maximum is taken over all adversaries A making at most p queries to each of the inner permutations and at most q queries to the construction oracle.
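As an added example (not code from the paper), the following toy (1, 1)-round FTEM on n = 8 bits implements the formula from Section 1 together with the real-world oracle CONS_re(t, x, j) described above. It assumes a concrete hash family h_{a,b}(t) = a·t ⊕ b over GF(2^8), chosen because it is uniform and 1/N-AXU as Theorem 1 requires; the seeded random tables stand in for the public permutations P_1, P_2, P_3.

```python
import random

N_BITS = 8            # toy block width n; the paper's n is the permutation width
N = 1 << N_BITS
POLY = 0x11B          # GF(2^8) modulus for the assumed toy hash family


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY (carry-less, bitwise)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & N:
            a ^= POLY
        b >>= 1
    return r

def make_hash(rng):
    """Assumed family h_{a,b}(t) = a*t xor b: uniform (via b) and 1/N-AXU (via a)."""
    a, b = rng.randrange(N), rng.randrange(N)
    return lambda t: gf_mul(a, t % N) ^ b

def make_perm(rng):
    """Seeded random public n-bit permutation as (forward table, inverse table)."""
    fwd = list(range(N))
    rng.shuffle(fwd)
    inv = [0] * N
    for u, v in enumerate(fwd):
        inv[v] = u
    return fwd, inv

class FTEM11:
    """(1,1)-round FTEM: one TEM round (P1, h1) forked into (P2^-1, h2) and (P3^-1, h3)."""

    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.P = [make_perm(rng) for _ in range(3)]   # public P1, P2, P3
        self.h = [make_hash(rng) for _ in range(3)]   # secret key h = (h1, h2, h3)

    def tem(self, i, t, x):
        """Single-round TEM_i(t, x) = P_i(x xor h_i(t)) xor h_i(t), with 0-based i."""
        k = self.h[i](t)
        return self.P[i][0][x ^ k] ^ k

    def tem_inv(self, i, t, z):
        k = self.h[i](t)
        return self.P[i][1][z ^ k] ^ k            # h_i(t) xor P_i^-1(z xor h_i(t))

    def encrypt(self, t, x):
        """2n-bit output (left, right), written exactly as the (1,1)-round formula."""
        h1, h2, h3 = (h(t) for h in self.h)
        y = self.P[0][0][x ^ h1]                 # P1(x xor h1(t))
        left = h2 ^ self.P[1][1][h1 ^ h2 ^ y]    # h2 xor P2^-1(h1 xor h2 xor P1(...))
        right = h3 ^ self.P[2][1][h1 ^ h3 ^ y]   # h3 xor P3^-1(h1 xor h3 xor P1(...))
        return left, right

    def two_round_tem(self, t, x):
        """The left half alone is the 2-round TEM with rounds (P1, h1), (P2^-1, h2)."""
        return self.tem_inv(1, t, self.tem(0, t, x))

    def cons(self, t, x, j):
        """CONS_re(t, x, j): x is leg j in {1,2,3}; return legs j+1, j+2 (indices mod 3).
        All legs share the inner value z = TEM_j(t, x_j), so any leg determines the others."""
        z = self.tem(j - 1, t, x)
        return tuple(self.tem_inv((j + d) % 3, t, z) for d in (0, 1))
```

Querying cons() with the left or right half as input recovers the plaintext and the other half, which is the forkcipher reconstruction property the proof's query triples (t, x_1, x_2, x_3) rely on.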

H-coefficient Technique
Suppose that a distinguisher A makes p queries to each of the permutations, and q queries to the construction oracle. The queries made to the construction oracle are recorded in a query history ). For j = 1, 2, 3, the queries made to P_j are recorded in a query history represents the evaluation P_j(u^i_j) = v^i_j obtained by the i-th query to P_j. We will often omit the index j when it is clear from context. Let At the end of the interaction, we will provide the adversary A with the actual key h. In the ideal world, a dummy key h will be selected uniformly at random from H^3, and given to A. This will not degrade the adversarial distinguishing advantage since the distinguisher is free to ignore this additional information. We will call the transcript of the attack; it contains all the information that A has obtained at the end of the attack. When we consider an information-theoretic distinguisher, we can assume that the distinguisher is deterministic and makes no redundant query.
Given a permutation oracle transcript Q and a permutation P, we will write P Q if P(u) = v for every (u, v) ∈ Q. Similarly, given a tuple of permutation oracle transcripts Q = (Q_1, . . . , Q_r) and a tuple of permutations P = (P_1, . . . , P_r) for some r, we will write P Q if P_i Q_i for every i = 1, . . . , r. This notation naturally extends to construction oracle transcripts; for CONS ∈ {CONS_id, CONS_re}, we will write Fix a transcript τ = (h, Q_C, Q_{P_1}, Q_{P_2}, Q_{P_3}). We will call the transcript τ attainable if the probability that CONS_id Q_C and (P_1, P_2, P_3) (Q_{P_1}, Q_{P_2}, Q_{P_3}) is nonzero in the ideal world. We also denote by T_id (resp. T_re) the probability distribution of the transcript τ induced by the ideal world (resp. the real world). By extension, we use the same notation to denote a random variable distributed according to each distribution.
In order to upper bound the advantage of the distinguisher, we will partition the set of attainable transcripts Γ into a set of "good" transcripts Γ_good such that the probabilities of obtaining some transcript τ ∈ Γ_good are close in the real and in the ideal world, and a set Γ_bad of "bad" transcripts such that the probability of obtaining any τ ∈ Γ_bad is small in the ideal world, and use the following lemma.
Lemma 2 (H-coefficient Technique [Pat08]). Fix a distinguisher A. Let Γ = Γ_good Γ_bad be a partition of the set of attainable transcripts. Assume that there exists ε_1 such that for any τ ∈ Γ_good, and that there exists ε_2 such that Pr[T_id ∈ Γ_bad] ≤ ε_2. Then one has

Security of FTEM
In this section, we prove the security of a (1, 1)-round FTEM cipher based on a triple of public permutations P = (P_1, P_2, P_3) ∈ Perm(n)^3 using a family H of hash functions from T to {0, 1}^n as the key space; for h = (h_1, h_2, h_3) ∈ H^3, The provable security of this cipher is summarized by the following theorem.
Theorem 1. For δ > 0, let H be a uniform δ-AXU family of functions from T to {0, 1}^n. Then, for any integers p and q such that p + 2q ≤ N/2, one has

Proof. As a preliminary step, we extend a transcript τ by including additional information in it; after A has finished the interactions with its oracles but before it outputs its decision bit, it is provided with the hash keys h = (h_1, h_2, h_3) (as discussed in Section 2.6). Moreover, we employ a trick to simplify the proof: for i ∈ {1, 2, 3}, if there exist any pairs (t, x_1, x_2, x_3), (t', x'_1, x'_2, x'_3) ∈ Q_C such that x_i ⊕ h_i(t) = x'_i ⊕ h_i(t') and (x_i ⊕ h_i(t), ·) ∉ Q_{P_i}, A is given an additional primitive query (x_i ⊕ h_i(t), P_i(x_i ⊕ h_i(t))) by lazy sampling P_i (in both the ideal and the real worlds). This additional information is included in Q_{P_i}, and this step will be called the collision-giving phase.
The next step of the proof is to define bad events; they are typically related to collisions of queries on the input to the construction or any underlying permutation. For i ∈ {1, 2, 3}, we define By definition, we see that |Q_{P_i}| = p + α_i and α_i ≤ β_i. We will call an attainable transcript τ bad if one of the following conditions is satisfied:
• bad5 ⇔ β_i > √q for some i ∈ {1, 2, 3}.

Remark 1. By bad5, we limit the number of collisions between queries. On the other hand, if badi happens for some i ∈ {1, 2, 3, 4}, then an adversary is able to distinguish FTEM from its ideal counterpart. For example, suppose that a transcript satisfies bad1; it means that the transcript contains (t, while this equation holds with negligible probability in the ideal world.
If a transcript τ is not bad, then it will be called a good transcript. With the definition of bad transcripts as above, we can prove the following lemmas, whose proof is deferred to the end of this section.

Lemma 3. One has
Lemma 4. Let p and q be nonnegative integers such that p + 5√q ≤ N/2. For any τ ∈ Γ_good, one has

Theorem 1 follows by combining Lemma 3 and Lemma 4 with Lemma 2.

Proof of Lemma 3
For an event E, we will write p_id[E] (resp. p_re[E]) to denote the probability that T_id (resp. T_re) satisfies E. By the union bound, we have In the following, we will bound the probability of each bad event in the ideal world. Without bad5, we can assume that α_i ≤ β_i ≤ √q and |U_i| ≤ p + √q for i = 1, 2, 3.

Upper bounding
by H is uniform and since h_i and h_j are chosen independently. Since |Q_C| ≤ q and and hence, Similarly, we obtain

Upper bounding p_id[bad3]. Assuming that bad5 does not hold, fix (i, j) ∈ [3]^{*2}. For any (t, Summing over all possible h and all such tuples of queries, we have

Upper bounding p_id[bad4]. Assuming that bad5 does not hold, consider bad4_i for a fixed i ∈ {1, 2, 3}.
1. Assume that t ≠ t'. For any (t, x_1, x_2, x_3) ≠ (t', x'_1, x'_2, x'_3) ∈ Q_C, (u_j, v_j) ∈ Q_{P_j} and (u_k, v_k) ∈ Q_{P_k}, by the uniformity of H, the δ-AXU property of H and the fact that h_i, h_j, h_k are picked independently from H, Therefore we have
2. Assume that t = t'. We only consider (t, , there exists only one (t, x_1, x_2, x_3) which satisfies the above equation. So, the number of such tuples is upper bounded by (p + √q)^2 q.
It is trivial that any tuples that do not satisfy the above equation cannot make bad4. By the uniformity of H and the fact that h_j and h_k are picked independently from H, Therefore, we have Considering the three possibilities of choosing i, we have

Upper bounding p_id[bad5]. For i ∈ [3], α_i and β_i can be seen as random variables using the randomness of h_i. Then we have For any (t, x_1, x_2, x_3) ∈ Q_C, it collides with a primitive query only if an adversary gets (x_i ⊕ h_i(t), ·) ∈ Q_{P_i} in the querying phase or the collision-giving phase. Then we have By Markov's inequality, Therefore we have Summing up all the upper bounds for the probabilities of the individual bad events, we can conclude the proof of Lemma 3.

Proof of Lemma 4
Fix a good transcript τ = (h, Q_C, Q_{P_1}, Q_{P_2}, Q_{P_3}). We will partition Q_C into the following subsets.
Since P_1, P_2, P_3 and h_1, h_2, h_3 are all independent in both the real and the ideal worlds, we have where we write τ_p = (Q_{P_1}, Q_{P_2}, Q_{P_3}). Let Then we have We will now lower bound p_U(τ) and p_0(τ).
Then for (i, j, k) ∈ [3]^{*3},
• U_i, U^j_i, U^k_i are pairwise disjoint since otherwise at least one of bad1_{{i,j}} and bad1_{{i,k}} holds;
• V_i, V^j_i, V^k_i are pairwise disjoint since otherwise at least one of bad2_{(i,j)}, bad2_{(i,k)}, and bad4_j holds;
• , bad1_{{i,k}}, and bad3_{(i,k)} holds.
Therefore, P_1 should satisfy β_2 + β_3 additional equations that map U^2_1 to V^2_1 and map U^3_1 to V^3_1, in order to satisfy all of Q_{P_1}, Q_{P_2} and Q_{P_3}. The same argument applies to P_2 and P_3. Overall, we have . (2)

Lower Bounding p_0(τ). For i = 1, 2, 3, P_i is fixed on p_i elements, where Let q' = q − β_1 − β_2 − β_3, and let m be the number of distinct tweaks appearing in Q_C; they will be denoted t_1, . . . , t_m. For i = 1, . . . , m, let Q_{0,i} denote the subset of Q_0 whose tweak is t_i, and let q_i = |Q_{0,i}|. Then we have Without loss of generality, we can assume that the first q_1 queries use tweak t_1, the next q_2 queries use tweak t_2, and so on. Hence, we can write Q_0 = (t_1, x^{1,1}_1, x^{1,1}_2, x^{1,1}_3), . . . , (t_1, x ) .
For i = 1, . . . , m, and j = 1, . . . , q_i, let By the definition of Q_0, for each k = 1, 2, 3, all û^{i,j}_k are distinct and not included in U_k ∪ U^{k+1}_k ∪ U^{k+2}_k with indices taken modulo 3. Let N_0 be the number of tuples ) satisfying the following conditions: ⊕ h_2(t_k) such that k < i and ℓ = 1, . . . , q_k, which excludes at most Σ_{k=1}^{i−1} q_k values for v̂^{i,j}_1; • for each (i, j), v̂^{i,j}_1 ⊕ h_1(t_i) ⊕ h_3(t_i) is distinct from any value v̂^{k,ℓ}_1 ⊕ h_1(t_k) ⊕ h_3(t_k) such that k < i and ℓ = 1, . . . , q_k, which excludes at most In order to evaluate the number of tuples, for each (i, j), v̂^{i,j}_1 must be chosen distinct from the previous Σ_{k=1}^{i−1} q_k + (j − 1) values. Therefore, one has ( Given that T_id satisfies (Q_{U_1}, Q_{U_2}, Q_{U_3}) and τ_p, the condition P_1(û^{i,j}_1) = v̂^{i,j}_1 requires q' distinct fresh equations on P_1, P_2, P_3. Therefore we have

Putting the Pieces Together. Combining (2) and (4), we have It is also obvious that Then, by (1), (5) and (6), we have It remains to lower bound R_0 and R'; by (3), we have 1 − 8 q_i ((p_1 + t)(p_2 + t) + (p_3 + t)(p_1 + t) + (p_3 + t)(p_1 + t)) / N^2, where the last inequality follows from Lemma 1 with t = Σ_{k=1}^{i−1} q_k. For j = 1, 2, 3 (without bad5), p_j + t is upper bounded as follows.
By combining the above upper bounds with (7), and since Σ_{i=1}^{m} q_i ≤ q, we have On the other hand, since β_i ≤ √q for i = 1, 2, 3 (without bad5), we have Combining (8) and (9), we can conclude the proof of Lemma 4.

Conclusion
In this paper, we have proposed to apply the IFI paradigm to tweakable Even-Mansour ciphers, and proved that a (1, 1)-round FTEM cipher is secure up to 2^{2n/3} queries in the ideal permutation model.
Compared to the straightforward construction using three independent tweakable block ciphers (as discussed in [ALP+19]), our construction is a public-permutation-based counterpart with a weaker provable security bound, while also using weaker primitives, with distinct permutations, keys and tweaks.
It is an interesting open question whether the same level of security is possible with a smaller number of keys and permutations. We expect that this question might be resolved by using (advanced) Mirror theory and the sum-capture lemma. Another open question is to apply the iterate-multifork-iterate paradigm [ALP+19] to the TEM ciphers. Our conjecture is that the resulting permutation-based forkcipher will enjoy almost the same level of security.