On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing


  • Benoît Cogliati Thales DIS France SAS, Meudon, France
  • Jordan Ethan CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
  • Ashwin Jha CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
  • Soumya Kanti Saha Indian Institute of Science, Bengaluru, India




Keywords: TEM, indifferentiability, indistinguishability, coupling


In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred to as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and an arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES etc., from a provable security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a 2n-bit uniformly random key and an n-bit tweak is secure up to 2^{2n/3} queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, an αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to O(2^{((r−α)/r)·n}) queries. Our proof crucially relies on the coupling technique to upper-bound the statistical distance between the outputs of the TEML cipher and the uniform distribution. Our main technical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable security footing for the TWEAKEY framework, the high-level design rationale behind many popular TBCs.
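To make the TEML structure sketched in the abstract concrete, the following toy implementation is an added illustration and not the authors' code: it builds an r-round Even-Mansour cipher whose r+1 round subkeys are derived from a kn-bit tweakey (key words followed by tweak words) by a GF(2)-linear map. The block width (8 bits), the seeded random permutations standing in for public permutations, and the particular schedule (XOR of rotated tweakey words) are all assumptions chosen only to show the shape of the construction; the schedule is not the class of schedules the paper identifies. The checks at the bottom verify the round trip, the linearity of the schedule (additivity over XOR), and that distinct tweaks yield distinct permutations.

```python
"""Toy r-round TEML (tweakable Even-Mansour with linear tweakey mixing).

Added illustration, not the paper's construction: the public permutations
are random 8-bit permutations drawn from a seeded PRNG (a constructed
stand-in for a fixed public permutation), and the tweakey schedule is a
hypothetical GF(2)-linear map chosen only to show the structure.
"""
import random

N = 8                      # toy block width in bits (real designs use 64 or 128)
MASK = (1 << N) - 1


def make_permutations(rounds: int, seed: int = 2023) -> list[list[int]]:
    """One independent public permutation per round, as a lookup table."""
    rng = random.Random(seed)
    perms = []
    for _ in range(rounds):
        table = list(range(1 << N))
        rng.shuffle(table)
        perms.append(table)
    return perms


def invert(table: list[int]) -> list[int]:
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def rotl(x: int, s: int) -> int:
    """Rotate an n-bit word left; rotation is GF(2)-linear."""
    s %= N
    return ((x << s) | (x >> (N - s))) & MASK


def _xor_all(words) -> int:
    acc = 0
    for w in words:
        acc ^= w
    return acc


def schedule(tweakey: list[int], rounds: int) -> list[int]:
    """Hypothetical linear tweakey schedule (an assumption of this example).

    The tweakey is k words W_0..W_{k-1} of n bits (key words followed by
    tweak words). Round subkey i is XOR_j rotl(W_j, i + j). XOR and rotation
    are both linear over GF(2), so the map tweakey -> subkeys is linear,
    which is what "linear tweak and key mixing" means for TEML.
    """
    return [
        _xor_all(rotl(w, i + j) for j, w in enumerate(tweakey))
        for i in range(rounds + 1)
    ]


def encrypt(perms, key: list[int], tweak: list[int], m: int) -> int:
    subkeys = schedule(key + tweak, len(perms))
    x = m ^ subkeys[0]
    for i, p in enumerate(perms):
        x = p[x] ^ subkeys[i + 1]
    return x


def decrypt(perms, key: list[int], tweak: list[int], c: int) -> int:
    subkeys = schedule(key + tweak, len(perms))
    x = c
    for i in range(len(perms) - 1, -1, -1):
        x = invert(perms[i])[x ^ subkeys[i + 1]]
    return x ^ subkeys[0]


def roundtrip_ok(perms, key, tweak) -> bool:
    return all(decrypt(perms, key, tweak, encrypt(perms, key, tweak, m)) == m
               for m in range(1 << N))


def schedule_is_linear(a: list[int], b: list[int], rounds: int) -> bool:
    """Additivity check: sched(a xor b) == sched(a) xor sched(b)."""
    ab = [x ^ y for x, y in zip(a, b)]
    lhs = schedule(ab, rounds)
    rhs = [x ^ y for x, y in zip(schedule(a, rounds), schedule(b, rounds))]
    return lhs == rhs


def inputs_with_distinct_output(perms, key, t1, t2) -> int:
    """How many messages the two tweaks encrypt differently under one key."""
    return sum(encrypt(perms, key, t1, m) != encrypt(perms, key, t2, m)
               for m in range(1 << N))


if __name__ == "__main__":
    # Cogliati-Seurin parameters from the abstract: 4 rounds, 2n-bit key,
    # n-bit tweak, i.e. a 3n-bit tweakey. Key and tweak values are constructed.
    perms = make_permutations(4)
    key, tweak = [0x3C, 0xA5], [0x0F]
    c = encrypt(perms, key, tweak, 0x42)
    print(f"E_K,T(0x42) = {c:#04x}, decrypts to {decrypt(perms, key, tweak, c):#04x}")
    print("round trip:", roundtrip_ok(perms, key, tweak))
    print("schedule linear:", schedule_is_linear([1, 2, 3], [4, 5, 6], 4))
    print("messages on which tweaks 0x0F and 0xF0 differ:",
          inputs_with_distinct_output(perms, key, [0x0F], [0xF0]))
```

The linearity check is the property the paper's results hinge on: because every subkey is a linear function of the tweakey, a tweak difference propagates into a fixed subkey difference in every round, which is exactly what a chosen-tweak or chosen-key adversary exploits and what the schedule class in the paper is designed to withstand. Swapping in real parameters (n = 64 or 128, a fixed public permutation, a schedule from the paper) changes only the constants and the tables above.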




How to Cite

Cogliati, B., Ethan, J., Jha, A., & Kanti Saha, S. (2023). On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing. IACR Transactions on Symmetric Cryptology, 2023(4), 330–364. https://doi.org/10.46586/tosc.v2023.i4.330-364