@article{Cogliati_Ethan_Lallemand_Lee_Lee_Minier_2021, title={CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation}, volume={2021}, url={https://tosc.iacr.org/index.php/ToSC/article/view/9327}, DOI={10.46586/tosc.v2021.i4.1-35}, abstractNote={<p>In this work, we propose a construction of 2-round tweakable substitutionpermutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with <em>ωn</em>-bit keys, the resulting tweakable block cipher, dubbed CTET<sup>+</sup>, can be viewed as a tweakable enciphering scheme that encrypts <em>ωκ</em>-bit messages for any integer <em>ω</em> ≥ 2 using 5n + <em>κ</em>-bit keys and <em>n</em>-bit tweaks, providing 2<em>n</em>/3-bit security.<br>Compared to the 2-round non-linear SPN analyzed in [CDK<sup>+</sup>18], we both minimize it by requiring a single permutation, and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET<sup>+</sup> becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES<sub>6</sub>-CTET<sup>+</sup>, which is an actual instantiation of CTET<sup>+</sup> using a reduced round AES block cipher as the underlying secret S-box. Extensive<br>cryptanalysis of this algorithm allows us to claim 127 bits of security.<br>Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.</p>}, number={4}, journal={IACR Transactions on Symmetric Cryptology}, author={Cogliati, Benoît and Ethan, Jordan and Lallemand, Virginie and Lee, Byeonghak and Lee, Jooyoung and Minier, Marine}, year={2021}, month={Dec.}, pages={1–35} }