XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees

Mennink, Bart

doi:10.1007/978-3-662-53018-4_3

Bart Mennink¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9814))

Included in the following conference series:

Annual International Cryptology Conference

3995 Accesses

Abstract

We present $\mathrm {XPX}$, a tweakable blockcipher based on a single permutation $P$. On input of a tweak $(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$ and a message m, it outputs ciphertext $c=P(m\oplus \varDelta _1)\oplus \varDelta _2$, where $\varDelta _1=t_{11}k\oplus t_{12}P(k)$ and $\varDelta _2=t_{21}k\oplus t_{22}P(k)$. Here, the tweak space $\mathcal {T}$ is required to satisfy a certain set of trivial conditions (such as $(0,0,0,0)\not \in \mathcal {T}$). We prove that $\mathrm {XPX}$ with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of $\mathrm {XPX}$ under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that $\mathrm {XPX}$ achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of $\mathcal {T}$. For instance, if $t_{12}, t_{22}\ne 0$ and $(t_{21}, t_{22})\ne (0,1)$ for all tweaks, $\mathrm {XPX}$ is XOR-related-key secure. $\mathrm {XPX}$ generalizes Even-Mansour ($\mathrm {EM}$), but also Rogaway’s $\mathrm {XEX}$ based on $\mathrm {EM}$, and various other tweakable blockciphers. As such, $\mathrm {XPX}$ finds a wide range of applications. We show how our results on $\mathrm {XPX}$ directly imply related-key security of the authenticated encryption schemes Prøst-$\mathrm {COPA}$ and $\mathrm {Minalpher}$, and how a straightforward adjustment to the MAC function $\mathrm {Chaskey}$ and to keyed Sponges makes them provably related-key secure.

You have full access to this open access chapter, Download conference paper PDF

Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing

Tweakable Block Ciphers Secure Beyond the Birthday Bound in the Ideal Cipher Model

Tweak-Length Extension for Tweakable Blockciphers

Keywords

1 Introduction

Even-Mansour Blockcipher. A blockcipher $E:\mathcal {K}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}$ is a function that is a permutation on $\{0,1\}^{n}$ for every key $k\in \mathcal {K}$. The simplest way of designing a blockcipher is the Even-Mansour construction [23, 24]: it is built on top of a single n-bit permutation $P$:

$$\begin{aligned} \mathrm {EM} _{k_1,k_2}(m) = P(m\oplus k_1) \oplus k_2. \end{aligned}$$

(1)

See also Fig. 1. In the classical indistinguishability security model, this construction achieves security up to approximately $2^{n/2}$ queries, both for the case where the keys are independent [23, 24] as well as for the case where $k_1=k_2$ [22]. On the downside, this construction clearly does not achieve security against related-key distinguishers that may freely choose an offset $\delta $ to transform the key. Indeed, for any $\delta \ne 0$, we have $\mathrm {EM} _{k_1,k_2}(m) = \mathrm {EM} _{k_1\oplus \delta ,k_2}(m\oplus \delta )$. Recently, Farshim and Procter [25] and Cogliati and Seurin [17] reconsidered the security of Even-Mansour in the related-key security model. The former considered the case of $k_1=k_2$, and derived minimal conditions on the set of key-deriving functions such that $\mathrm {EM} $ is related-key secure. The latter showed that if $k_1=\gamma _1(k)$ and $k_2=\gamma _2(k)$ for two almost perfect nonlinear permutations $\gamma _1,\gamma _2$ [45], the construction is XOR-related-key secure. Karpman showed how to transform related-key distinguishing attacks on $\mathrm {EM}$ to key recovery attacks [28].

Even though our focus is on the single-round Even-Mansour (1), we briefly elaborate on its generalization, the iterated $r\ge 1$ round Even-Mansour construction:

$$\begin{aligned} \mathrm {EM} [r]_{k_1,\ldots ,k_{r+1}}(m) = P_r(\cdots P_1(m\oplus k_1)\cdots \oplus k_r) \oplus k_{r+1}, \end{aligned}$$

where $P_1,\ldots ,P_r$ are n-bit permutations. It has been proved that this construction tightly achieves $\mathcal {O}(2^{rn/(r+1)})$ security in the single-key indistinguishability model [9, 13, 14, 30, 50]. It has furthermore been analyzed in the chosen-key indifferentiability model [2, 31], the known-key indifferentiability model [4, 18], and the related-key indistinguishability model [17, 25]. As our work centers around the 1-round Even-Mansour of (1), we will not discuss these results in detail; we refer to Cogliati and Seurin [17] for a recent and complete discussion of the state of the art.

Tweakable Blockciphers. A tweakable blockcipher $\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}$ generalizes over $E$ by ways of an additional parameter, the tweak $t\in \mathcal {T}$. The tweak is a public parameter which brings additional flexibility to the cipher. In more detail, $\widetilde{E}$ is a family of permutations on $\{0,1\}^{n}$, indexed by $(k,t)\in \mathcal {K}\times \mathcal {T}$. Liskov et al. [34] formalized the principle of tweakable blockciphers, and introduced two modular constructions based on a classical blockcipher. One of their proposals is the following:

$$\begin{aligned} \mathrm {LRW} _{k,h}(t,m)&= E_k(m\oplus h(t))\oplus h(t), \end{aligned}$$

where h is a universal hash function taken from a family of hash functions H. This construction is proven to achieve security up to $2^{n/2}$ queries. Rogaway [48] introduced $\mathrm {XEX}$: it generalizes over $\mathrm {LRW}$ by eliminating the universal hash function (and thus by halving the key size) and by replacing it by an efficient tweaking mechanism based on $E_k$. In more detail, he suggested the use of masking $\varDelta =\mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }E_k(N)$ for some pre-defined generators $\mathtt {x}_1,\ldots ,\mathtt {x}_\ell \in \mathrm {GF}(2^n)$ (Fig. 2):

$$\begin{aligned} \mathrm {XEX} _k((\alpha _1,\ldots ,\alpha _\ell ,N),m)&= E_k(m \oplus \varDelta ) \oplus \varDelta . \end{aligned}$$

(2)

If the generators and the tweak space are defined such that the $\mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }$ are unique and unequal to 1 for all tweaks, $\mathrm {XEX}$ achieves birthday bound security [40, 48]. Along with $\mathrm {XEX}$, Rogaway also considered $\mathrm {XE}$, its cousin which only masks the inputs to $E$ and achieves PRP instead of SPRP security. Here, $\ell $ is usually a small number, and the generators and the tweak space are defined in such a way that adjusting the tweak is very cheap. For instance, practical applications with $n=128$ often take $\ell \le 3$ and $(\mathtt {x}_1,\mathtt {x}_2,\mathtt {x}_3)=(2,3,7)$, and an allowed tweak space would be $[1,2^{n/2}]\times [0,10]\times [0,10]\times \{0,1\}^{n}$. Chakraborty and Sarkar [11] generalized $\mathrm {XEX}$ to word-based powering-up, and more recently Granger et al. [27] presented a generalization to constant-time LFSR-based masking.

Sasaki et al. [49] recently introduced the “Tweakable Even-Mansour” ($\mathrm {TEM}$) for the purpose of the $\mathrm {Minalpher}$ authenticated encryption scheme. $\mathrm {TEM}$ is a variant of $\mathrm {XEX}$ with $E_k$ replaced by a public permutation $P$:

$$\begin{aligned} \mathrm {TEM} _k((\alpha _1,\ldots ,\alpha _\ell ,N),m)&= P(m \oplus \varDelta ) \oplus \varDelta , \end{aligned}$$

(3)

where $\varDelta =\mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }\big (k\Vert N \oplus P(k\Vert N)\big )$ for some generators $\mathtt {x}_1,\ldots ,\mathtt {x}_\ell \in \mathrm {GF}(2^n)$. (The masking is in fact slightly different, but adjusted for the sake of presentation; cf. Sect. 6.3 for the details.) Independently, Cogliati et al. [15] considered the generalization of $\mathrm {LRW} $ to the permutation-based setting. The contribution by Granger et al. [27], Masked $\mathrm {EM}$ or $\mathrm {MEM}$, is in fact a generalization of $\mathrm {TEM} $ to masking $\varDelta =f_1^{\alpha _1}\circ \cdots \circ f_\ell ^{\alpha _\ell }\circ P(k\Vert N)$ for some LFSRs $f_1,\ldots ,f_\ell :\{0,1\}^{n}\rightarrow \{0,1\}^{n}$, but their goal is merely to achieve improved efficiency rather than to achieve improved security.

These constructions all achieve approximately birthday bound security, and extensive research has been performed on achieving beyond birthday bound security for tweakable blockciphers [32, 33, 35, 36, 41, 47]. Because this is out of scope for this article, we will not go into detail; we refer to Mennink [36] and Cogliati and Seurin [16] for a recent and complete discussion of the state of the art.

Application of Tweakable Blockciphers. Tweakable blockciphers find a wide spectrum of applications, most importantly in the area of authenticated encryption and message authentication. For instance, $\mathrm {XEX}$ has been originally introduced for the authenticated encryption scheme OCB2 and the message authentication code PMAC [48], and its idea has furthermore been adopted in 18 out of 57 initial submissions to the CAESAR [10] competition for the design of a new authenticated encryption scheme: Deoxys, Joltik, KIASU, and SCREAM use a dedicated tweakable blockcipher; AEZ, CBA, COBRA, COPA, ELmD, iFeed, Marble, OCB, OTR, POET, and SHELL are (in-)directly inspired by $\mathrm {XE}$ or $\mathrm {XEX}$; OMD transforms $\mathrm {XE}$ to a random function setting; and $\mathrm {Minalpher}$ uses $\mathrm {TEM}$. Finally, the Prøstsubmission is simply a permutation $P$, which is (among others) plugged into $\mathrm {COPA}$ and $\mathrm {OTR}$ in an Even-Mansour mode. We note that $\mathrm {OTR}$ internally uses $\mathrm {XE}$, while $\mathrm {COPA}$ uses $\mathrm {XEX}$ with $N=0$ (see also Sect. 6.2).

Related-Key Security of XEX and TEM. $\mathrm {XEX}$ resists related-key attacks if the underlying blockcipher is sufficiently related-key secure. However, this premise is not necessarily true if Even-Mansour is plugged into $\mathrm {XEX}$, as is done in Prøst-$\mathrm {COPA}$ and Prøst-$\mathrm {OTR}$. In fact, Dobraunig et al. [21] derived a related-key attack on Prøst-$\mathrm {OTR}$. This attack uses that the underlying $\mathrm {XE}$-with-$\mathrm {EM}$ construction is not secure under related-key attacks, and it ultimately led to the withdrawal of Prøst-$\mathrm {OTR}$. The attack exploits the nonce N that is used in the masking. Karpman [28] generalized the attack to a key recovery attack. Because $\mathrm {COPA}$ uses $\mathrm {XEX}$ without nonce (hence with $N=0$), the attack of Dobraunig et al. does not seem to be directly applicable to Prøst-$\mathrm {COPA}$. Nevertheless, it is unclear whether a variant of it generalizes to Prøst-$\mathrm {COPA}$.

1.1 Our Contribution

We present the tweakable blockcipher $\mathrm {XPX} $. It can be seen as a natural generalization of $\mathrm {TEM} $ as well as of $\mathrm {XEX} $ with integrated Even-Mansour, and due to its generality it has direct implications for various schemes in literature. In more detail, $\mathrm {XPX} $ is a tweakable blockcipher based on an n-bit permutation $P$. It has a key space $\{0,1\}^{n}$, a tweak space $\mathcal {T}\subseteq \left( \{0,1\}^{n}\right) ^4$ (see below), and a message space $\{0,1\}^{n}$. It is defined as

$$\begin{aligned} \mathrm {XPX} _k((t_{11},t_{12},t_{21},t_{22}),m) = P(m\oplus \varDelta _1 )\oplus \varDelta _2, \end{aligned}$$

(4)

with $\varDelta _1=t_{11}k\oplus t_{12}P(k)$ and $\varDelta _2=t_{21}k\oplus t_{22}P(k)$. Note that $\mathrm {XPX} $ boils down to the original Even-Mansour blockcipher by taking $\mathcal {T}_{\mathrm {EM}}=\{(1,0,1,0)\}$. It also generalizes XEX based on Even-Mansour and with $N=0$, by defining $\mathcal {T}_{\mathrm {XEX}}$ to be a tweak space depending on $(\alpha _1,\ldots ,\alpha _\ell )$, and similarly captures TEM and MEM to a certain degree (cf. Sect. 3 for the details).

Valid Tweak Sets. Obviously, $\mathrm {XPX} $ is not secure for any possible tweak space $\mathcal {T}$. For instance, if $(0,0,0,0)\in \mathcal {T}$, the scheme is trivially insecure. Also, if $(1,0,0,1)\in \mathcal {T}$, an attacker can easily distinguish by observing that $\mathrm {XPX} _k((1,0,0,1),0)=0$. Therefore, it makes sense to limit the tweak space in some way, and we define the notion of $\mathrm {valid}$ tweak spaces. This condition eliminates the trivial cases (such as above two) and allows us to focus on the “interesting” tweaks. We remark that $\mathcal {T}_{\mathrm {EM}}$ and $\mathcal {T}_{\mathrm {XEX}}$ are $\mathrm {valid}$ tweak spaces.

Single-Key Security. As a first step, we consider the security of $\mathrm {XPX}$ in the traditional single-key indistinguishability setting, and we prove that if $\mathcal {T}$ is a $\mathrm {valid}$ set, then $\mathrm {XPX}$ achieves strong PRP (SPRP) security up to about $2^{n/2}$ queries. The proof is performed in the ideal permutation model, and uses Patarin’s H-coefficient technique [46] which has found recent adoption in, among others, generic blockcipher analysis [13, 14, 17, 19, 35, 36] and security of message authentication algorithms [5, 20, 39, 43].

Related-Key Security. Next, we consider the security of $\mathrm {XPX}$ in the related-key setting, where for every query, the adversary can additionally choose a function to transform the key. We focus on the following two types of key-deriving function sets:

$\varPhi _{\oplus }$: the set of functions that transform k to $k\oplus \delta $, for any offset $\delta $;
$\varPhi _{P\oplus }$: the set of functions that transform k to $k\oplus \delta $, or that transform $P(k)$ to $P(k)\oplus \delta $, for any offset $\delta $.

The first set, $\varPhi _{\oplus }$, has been formally introduced alongside the formal specification of related-key security by Bellare and Kohno [6]. It is the most logical choice, given that the maskings in $\mathrm {XPX}$ itself are XORed into the state. We remark that Cogliati and Seurin [17] also use $\varPhi _{\oplus }$ in their related-key analysis of Even-Mansour. The second set, $\varPhi _{P\oplus }$, is a natural generalization of $\varPhi _{\oplus }$, noting that the masks in $\mathrm {XPX}$ are of the form $t_{i1}k\oplus t_{i2}P(k)$. For the case of $\varPhi _{P\oplus }$, we assume that the underlying permutation is available for the key-deriving functions. Albrecht et al. [1] showed how to generalize the setting of Bellare and Kohno [6] to primitive-dependent key-deriving functions. In this work, we consider the related-key security for $\mathrm {XPX}$ in a security model that is a straightforward generalization of the models of Bellare and Kohno and Albrecht et al. to tweakable blockciphers.

For the two key-deriving sets $\varPhi _{\oplus }$ and $\varPhi _{P\oplus }$, we show that $\mathrm {XPX}$ achieves the following levels of related-key security:

In brief, if $P(k)$ does not drop from the masking $\varDelta _1$ (resp. maskings $\varDelta _1,\varDelta _2$) the scheme achieves PRP (resp. SPRP) related-key security under $\varPhi _{\oplus }$. To achieve related-key security under $\varPhi _{P\oplus }$, we require that this condition holds for both k and $P(k)$. The requirement “$(t_{21},t_{22})\ne (0,1)$” is technically equivalent to the requirement for $\mathrm {XEX}$ that $\mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }\ne 1$ for all tweaks: if the conditions were violated, both schemes can be attacked in a similar way.

The proof for related-key security is again performed using the H-coefficient technique, but various difficulties arise, mostly due to the fact that we pursue stronger security requirements and that we aim to minimize the number of conditions we put on the tweaks.

1.2 Applications

$\mathrm {XPX}$ as described in (4) appears in many constructions or modes (either directly or indirectly), and can be used to argue related-key security for these modes. We exemplify this for authenticated encryption and for message authentication codes.

Firstly, Prøst-$\mathrm {COPA}$ is related-key secure for both key-deriving function sets $\varPhi _{\oplus }$ and $\varPhi _{P\oplus }$. The crux behind this observation is that the $\mathrm {XEX} $-with-$\mathrm {EM} $ evaluations in Prøst-$\mathrm {COPA}$ are in fact $\mathrm {XPX}$ evaluations with $t_{11},t_{12},t_{21},t_{22}\ne 0$ for all tweaks. (Recall that $\mathrm {EM} $ itself is not related-key secure and this result cannot be shown by straightforward reduction.) A similar observation can be made for $\mathrm {Minalpher}$, with an additional technicality that the key k in $\mathrm {TEM}$ is not of full size. Due to the structural differences between the masking approaches of $\mathrm {XPX}$ and $\mathrm {MEM}$ [27], multiplication versus influence via function evaluation, the proof techniques are technically incompatible. Nonetheless, it is of interest to combine our results with the observations from [27], improving both the security and the efficiency of existing modes.

Secondly, we consider the $\mathrm {Chaskey}$ permutation-based MAC function by Mouha et al. [42, 43]. We first note that the proof of [43] is implicitly using $\mathrm {XPX}$ with a tweak space of size $|\mathcal {T}|=3$. Next, we introduce $\mathrm {Chaskey} '$, an adjustment of $\mathrm {Chaskey}$ that uses permuted key $P(k)$ instead of k, which achieves XOR-related-key security. Similar findings can be made for keyed Sponges.

It may be of interest to generalize $\mathrm {XPX} $ to the case where the maskings are performed using universal hash functions, e.g., $\varDelta _i=h_1(t_{i1}) \oplus h_2(t_{i2})$. This generalization may, however, in certain settings be less efficient as one evaluation of the permutation is traded for two hash function evaluations.

1.3 Outline

Section 2 introduces preliminary notation as well as the security models targeted in this work. $\mathrm {XPX}$ is introduced in Sect. 3. In Sect. 4, the notion of $\mathrm {valid}$ tweak spaces is defined and justified. $\mathrm {XPX}$ is analyzed for the various security models in Sect. 5. We apply the results on $\mathrm {XPX}$ to authenticated encryption in Sect. 6 and to MACs in Sect. 7.

2 Preliminaries

By $\{0,1\}^{n}$ we denote the set of bit strings of length n. Let $\mathrm {GF}(2^n)$ be the field of order $2^n$. We identify bit strings from $\{0,1\}^{n}$ and finite field elements in $\mathrm {GF}(2^n)$. This is done by representing a string $a=a_{n-1}a_{n-2}\cdots a_1a_0\in \{0,1\}^n$ as polynomial $a(\mathtt {x})=a_{n-1}\mathtt {x}^{n-1}+ a_{n-2}\mathtt {x}^{n-2}+\cdots + a_1\mathtt {x}+ a_0\in \mathrm {GF}(2^n)$ and vice versa. There is additionally a one-to-one correspondence between $[0,2^n-1]$ and $\{0,1\}^{n}$, by considering $a(\mathtt {2})\in [0,2^n-1]$. For $a,b\in \{0,1\}^{n}$, we define addition $a\oplus b$ as addition of the polynomials $a(\mathtt {x})+b(\mathtt {x})\in \mathrm {GF}(2^n)$. Multiplication $a\otimes b$ is defined with respect to the irreducible polynomial $f(\mathtt {x})$ used to represent $\mathrm {GF}(2^n)$: $a(\mathtt {x})\cdot b(\mathtt {x})\bmod f(\mathtt {x})$.

For integers $a\ge b\ge 1$, we denote by ${(a)}_{b}=a(a-1)\cdots (a-b+1)=\frac{a!}{(a-b)!}$ the falling factorial power. If $\mathcal {M}$ is some set, $m\xleftarrow {{\scriptscriptstyle \$}}\mathcal {M}$ denotes the uniformly random drawing of m from $\mathcal {M}$. The size of $\mathcal {M}$ is denoted by $\left| \mathcal {M}\right| $. By $\mathsf {Perm} (\mathcal {M})$ we denote the set of all permutations on $\mathcal {M}$.

A blockcipher $E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {M}$ is a function such that for every key $k\in \mathcal {K}$, the mapping $E_k(\cdot )=E(k,\cdot )$ is a permutation on $\mathcal {M}$. For fixed k its inverse is denoted by $E_k^{-1}(\cdot )$. A tweakable blockcipher $\widetilde{E}$ is a function $\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}$ such that for every $k\in \mathcal {K}$ and tweak $t\in \mathcal {T}$, the mapping $\widetilde{E}_k(t,\cdot )=\widetilde{E}(k,t,\cdot )$ is a permutation on $\mathcal {M}$. Like before, its inverse is denoted by $\widetilde{E}_k^{-1}(\cdot ,\cdot )$. Denote by $\widetilde{\mathsf {Perm}}(\mathcal {T},\mathcal {M})$ the set of tweakable permutations, i.e., the set of all families of permutations on $\mathcal {M}$ indexed with $t\in \mathcal {T}$.

Note that a blockcipher is a special case of a tweakable blockcipher with $|\mathcal {T}|=1$, and hence it suffices to restrict our analysis to tweakable blockciphers. In this work, we target the design of a tweakable blockcipher $\widetilde{E}$ from an underlying permutation $P$, which is modeled as a perfectly random permutation $P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M})$. In Sect. 2.1 we describe the single-key security model and in Sect. 2.2 the related-key security model. We give a description of Patarin’s technique for bounding distinguishing advantages in Sect. 2.3.

2.1 Single-Key Security Model

Consider a tweakable blockcipher $\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}$ based on a random permutation $P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M})$. Let $\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\mathcal {T},\mathcal {M})$ be an ideal tweakable permutation. The single-key security of $\widetilde{E}$ is informally captured by a distinguisher $\mathcal {D}$ that has adaptive oracle access to either $(\widetilde{E}_k,P)$, for some secret key $k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}$, or $(\widetilde{\pi },P)$. The distinguisher always has two-directional access to $P$. It may or may not have two-directional access to the construction oracle ($\widetilde{E}_k$ or $\widetilde{\pi }$) depending on whether we consider PRP or strong PRP security. The distinguisher is computationally unbounded, deterministic, and it never makes duplicate queries.

Security Definitions. More formally, we define the PRP security of $\widetilde{E}$ based on $P$ as

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E}}^{\mathrm {prp}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\widetilde{E}_k,P^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\widetilde{\pi },P^{\pm }} = 1 \right] \right| , \end{aligned}$$

and the strong PRP (SPRP) security of $\widetilde{E}$ based on $P$ as

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E}}^{\mathrm {sprp}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\widetilde{E}_k^{\pm },P^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\widetilde{\pi }^{\pm },P^{\pm }} = 1 \right] \right| , \end{aligned}$$

where the probabilities are taken over the random selections of $k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}$, $P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M})$, and $\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\mathcal {T},\mathcal {M})$. For $q,r\ge 0$, we define by

$$\begin{aligned} \mathbf {Adv} _{\widetilde{E}}^{\mathrm {(s)prp}}(q,r) = \max _\mathcal {D}\mathbf {Adv} _{\widetilde{E}}^{\mathrm {(s)prp}}(\mathcal {D}) \end{aligned}$$

the security of $\widetilde{E}$ against any single-key distinguisher $\mathcal {D}$ that makes q queries to the construction oracle ($\widetilde{E}_k$ or $\widetilde{\pi }_k$) and r queries to the primitive oracle.

2.2 Related-Key Security Model

We generalize the security definitions of Sect. 2.1 to related-key security using the theoretical framework of Bellare and Kohno [6] and Albrecht et al. [1]. The generalization is similar to the one of Cogliati and Seurin [17] with the difference that tweakable blockciphers are considered (and that we consider more general key-deriving functions).

Related-Key Oracle. In related-key attacks, the distinguisher may query its construction oracle not just on $\widetilde{E}_k$, but on $\widetilde{E}_{\varphi (k)}$ for some function $\varphi $ chosen by the distinguisher. This function may vary for the different construction queries, but should come from a pre-described set. Let $\varPhi $ be a set of key-deriving functions (a KDF-set). For a tweakable blockcipher $\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}$, we define a related-key oracle $\mathsf {RK} [\widetilde{E}]:\mathcal {K}\times \varPhi \times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}$ as

$$\begin{aligned} \mathsf {RK} [\widetilde{E}](k,\varphi ,t,m) = \mathsf {RK} [\widetilde{E}]_k(\varphi ,t,m) = \widetilde{E}_{\varphi (k)}(t,m). \end{aligned}$$

For fixed $\varphi $ its inverse is denoted $\mathsf {RK} [\widetilde{E}]_k^{-1}(\varphi ,t,c)=\widetilde{E}_{\varphi (k)}^{-1}(t,c)$. Denote by $\widetilde{\mathsf {RK} \text {-}\mathsf {Perm}}(\varPhi ,\mathcal {T},\mathcal {M})$ the set of tweakable related-key permutations, i.e., the set of all families of permutations on $\mathcal {M}$ indexed with $(\varphi ,t)\in \varPhi \times \mathcal {T}$.

Security Definitions. For a KDF-set $\varPhi $, we define the related-key (strong) PRP (RK-(S)PRP) security of $\widetilde{E}$ based on $P$ as

$$\begin{aligned} \mathbf {Adv} _{\varPhi ,\widetilde{E}}^{\mathrm {rk\text {-}prp}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\mathsf {RK} [\widetilde{E}]_k,P^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\widetilde{\mathsf {RK} \pi },P^{\pm }} = 1 \right] \right| ,\\ \mathbf {Adv} _{\varPhi ,\widetilde{E}}^{\mathrm {rk\text {-}sprp}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\mathsf {RK} [\widetilde{E}]_k^{\pm },P^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\widetilde{\mathsf {RK} \pi }^{\pm },P^{\pm }} = 1 \right] \right| , \end{aligned}$$

where the probabilities are taken over the random selections of $k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}$, $P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M})$, and $\widetilde{\mathsf {RK} \pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {RK} \text {-}\mathsf {Perm}}(\varPhi ,\mathcal {T},\mathcal {M})$. For $q,r\ge 0$, we define by

$$\begin{aligned} \mathbf {Adv} _{\varPhi ,\widetilde{E}}^{\mathrm {rk\text {-}(s)prp}}(q,r) = \max _\mathcal {D}\mathbf {Adv} _{\varPhi ,\widetilde{E}}^{\mathrm {rk\text {-}(s)prp}}(\mathcal {D}) \end{aligned}$$

the security of $\widetilde{E}$ against any related-key distinguisher $\mathcal {D}$ that makes q queries to the construction oracle ($\mathsf {RK} [\widetilde{E}]_k$ or $\widetilde{\mathsf {RK} \pi }$) and r queries to the primitive oracle. Note that we have opted to design the ideal world to behave independently for each $\varphi $. This only increases the adversarial success probability in comparison with earlier models: if for some $k\in \mathcal {K}$ there exist two distinct $\varphi ,\varphi '\in \varPhi $ such that $\varphi (k)=\varphi '(k)$ with non-negligible probability, $\widetilde{\mathsf {RK} \pi }_k$ behaves as two independent tweakable permutations for these two key-deriving functions but $\mathsf {RK} [\widetilde{E}]_k$ does not. In this case, $\mathcal {D}$ can easily distinguish (it corresponds to the collision-resistance property in [6]). We remark that, by using this approach, related-key security can be seen as a specific case of tweakable blockcipher security.

Key-Deriving Functions. Note that for $\varPhi _{\mathrm {id}}= \{\varphi :k\mapsto k\}$, we simply have $\mathbf {Adv} _{\varPhi _{\mathrm {id}},\widetilde{E}}^{\mathrm {rk\text {-}(s)prp}}(\mathcal {D})=\mathbf {Adv} _{\widetilde{E}}^{\mathrm {(s)prp}}(\mathcal {D})$, and we will sometimes view single-key security as related-key security under KDF-set $\varPhi _{\mathrm {id}}$. Two other KDF-sets we consider in this work are the following:

$$\begin{aligned} \begin{aligned} \varPhi _{\oplus }&= \{\varphi _\delta :k\mapsto k\oplus \delta \mid \delta \in \mathcal {K}\},\\ \varPhi _{P\oplus }&= \{\varphi _{\delta ,\epsilon }:k\mapsto P^{-1}(P(k)\oplus \epsilon )\oplus \delta \mid \delta ,\epsilon \in \mathcal {K}, \delta =0\vee \epsilon =0 \}. \end{aligned} \end{aligned}$$

(5)

We regularly simply write $\delta \in \varPhi _{\oplus }$ to say that $\varphi _\delta \in \varPhi _{\oplus }$, and similarly write $(\delta ,\epsilon )\in \varPhi _{P\oplus }$ to say that $\varphi _{\delta ,\epsilon }\in \varPhi _{P\oplus }$.^{Footnote 1}

Note that every $\varphi _\delta \in \varPhi _{\oplus }$ satisfies $\varphi _\delta =\varphi _{\delta ,0}\in \varPhi _{P\oplus }$, and hence $\varPhi _{\oplus }\subseteq \varPhi _{P\oplus }$ by construction. The side condition “$\delta =0\vee \epsilon =0$” for $\varPhi _{P\oplus }$ deserves an additional explanation. In our scheme $\mathrm {XPX} $, the in- and outputs will be masked using the values $(k,P(k))$. A function $\varphi _\delta \in \varPhi _{\oplus }$ (or, equivalently, $\varphi _{\delta ,0}\in \varPhi _{P\oplus }$) transforms these values to $(k\oplus \delta ,P(k\oplus \delta ))$. The set $\varPhi _{P\oplus }$ generalizes the strength of the attacker by also transforming $P(k)$ under XOR. In more detail, for any $\epsilon $, $\varphi _{0,\epsilon }\in \varPhi _{P\oplus }$ transforms $(k,P(k))$ to $(P^{-1}(P(k)\oplus \epsilon ),P(k)\oplus \epsilon )$. From a theoretical point, it may be of interest to drop the side condition from $\varPhi _{P\oplus }$. This would, however, make the security analysis of $\mathrm {XPX}$ much more complicated and technically demanding.

2.3 Patarin’s Technique

We use the H-coefficient technique by Patarin [46] and Chen and Steinberger [14], and we introduce it for our definitions of related-key security. Recall that these definitions simplify to single-key security by using KDF-set $\varPhi _{\mathrm {id}}$.

Let $P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M})$, and $\widetilde{\mathsf {RK} \pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\varPhi ,\mathcal {T},\mathcal {M})$. Let $k\xleftarrow {{\scriptscriptstyle \$}}\mathcal {K}$ and $\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}$ be a tweakable blockcipher based on $P$. Consider any fixed deterministic distinguisher $\mathcal {D}$ for the RK-(S)PRP security of $\widetilde{E}$. It has access to either the real world $\mathcal {O}_\mathrm {re}=(\mathsf {RK} [\widetilde{E}]_k^{(\pm )},P^{\pm })$ or the ideal world $\mathcal {O}_\mathrm {id}=(\widetilde{\mathsf {RK} \pi }^{(\pm )},P^{\pm })$ and its goal is to distinguish both. Here, the distinguisher has inverse query access to the construction oracle if and only if we are considering strong PRP security (hence the parentheses around ±). The information that $\mathcal {D}$ learns from the interaction with $\mathcal {O}_\mathrm {re}/\mathcal {O}_\mathrm {id}$ is collected in a view $v$. Denote by $X_\mathrm {re}$ (resp. $X_\mathrm {id}$) the probability distribution of views when interacting with $\mathcal {O}_\mathrm {re}$ (resp. $\mathcal {O}_\mathrm {id}$). Let $\mathcal {V}$ be the set of all attainable views, i.e., views that occur in the ideal world with non-zero probability.

Lemma 1

(Patarin’s Technique). Let $\mathcal {D}$ be a deterministic distinguisher. Consider a partition $\mathcal {V}=\mathcal {V}_\mathrm {good} \cup \mathcal {V}_\mathrm {bad} $ of the set of attainable views. Let $0\le \varepsilon \le 1$ be such that for all $v\in \mathcal {V}_\mathrm {good} $,

$$\begin{aligned} \mathbf {Pr} \left[ X_\mathrm {re}=v\right] \ge (1-\varepsilon )\mathbf {Pr} \left[ X_\mathrm {id}=v\right] . \end{aligned}$$

(6)

Then, the distinguishing advantage satisfies $\mathbf {Adv} _{}^{\mathrm {}}(\mathcal {D})\le \varepsilon + \mathbf {Pr} \left[ X_\mathrm {id}\in \mathcal {V}_\mathrm {bad} \right] $.

A proof of this lemma is given in [13, 14, 38]. The idea of the technique is that only few views are significantly more likely to appear in $\mathcal {O}_\mathrm {id}$ than in $\mathcal {O}_\mathrm {re}$. In other words, the ratio (6) is close to 1 for all but the “bad” views. Note that taking a large $\mathcal {V}_\mathrm {bad} $ implies a higher $\mathbf {Pr} \left[ X_\mathrm {id}\in \mathcal {V}_\mathrm {bad} \right] $, while a small $\mathcal {V}_\mathrm {bad} $ implies a higher $\varepsilon $. The definition of what views are “bad” is thus a tradeoff between the two terms.

Let $v_{C}=\{(\varphi _1,t_1,m_1,c_1),\ldots ,(\varphi _q,t_q,m_q,c_q)\}$ be a view on a construction oracle. We say that a tweakable related-key permutation $\widetilde{\mathsf {RK} \pi }\in \widetilde{\mathsf {Perm}}(\varPhi ,\mathcal {T},\mathcal {M})$ extends $v_{C}$, denoted $\widetilde{\mathsf {RK} \pi }\vdash v_{C}$, if $\widetilde{\mathsf {RK} \pi }(\varphi ,t,m) = c$ for each $(\varphi ,t,m,c)\in v_{C}$. Note that if $\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}$ is a tweakable blockcipher and $k\in \mathcal {K}$, then $\mathsf {RK} [\widetilde{E}]_k\in \widetilde{\mathsf {Perm}}(\varPhi ,\mathcal {T},\mathcal {M})$ and the definition reads $\mathsf {RK} [\widetilde{E}]_k\vdash v_{C}$. Similarly, if $v_{P}=\{(x_1,y_1),\ldots ,(x_r,y_r)\}$ is a primitive view, we say that a permutation $P\in \mathsf {Perm} (\mathcal {M})$ extends $v_{P}$, denoted $P\vdash v_{P}$, if $P(x) = y$ for each $(x,y)\in v_{P}$.

3 $\mathrm {XPX}$

Let $P$ be any n-bit permutation. We present the tweakable blockcipher $\mathrm {XPX}$ that has a key space $\{0,1\}^{n}$, a tweak space $\mathcal {T}\subseteq \left( \{0,1\}^{n}\right) ^4$, and a message and ciphertext space $\{0,1\}^{n}$. Formally, $\mathrm {XPX}: \{0,1\}^{n}\times \mathcal {T}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}$ is defined as

$$\begin{aligned} \begin{aligned} \mathrm {XPX} _k((t_{11},t_{12},t_{21},t_{22}),m) = P(m\oplus \varDelta _1) \oplus \varDelta _2 \,\text {, where }&\varDelta _1=t_{11}k\oplus t_{12}P(k),\\ \text { and }&\varDelta _2=t_{21}k\oplus t_{22}P(k). \end{aligned} \end{aligned}$$

(7)

$\mathrm {XPX}$ is depicted in Fig. 3. The design is general in that $\mathcal {T}$ can (still) be any set, and we highlight two examples.

Even-Mansour. $\mathrm {XPX}$ meets the single-key Even-Mansour construction (1) by fixing $\mathcal {T}=\{(1,0,1,0)\}$. More generally, if $|\mathcal {T}|=1$, we are simply considering an ordinary (not a tweakable) blockcipher;
XEX with Even-Mansour. $\mathrm {XPX}$ covers $\mathrm {XEX}$ based on Even-Mansour with $N=0$ by taking
$$\begin{aligned} \mathcal {T}= \left\{ \begin{array}{l} (\mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }\oplus 1 , \mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell },\\ \mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }\oplus 1 , \mathtt {x}_1^{\alpha _1}\cdots \mathtt {x}_\ell ^{\alpha _\ell }) \end{array} \;\bigg |\; (\alpha _1,\ldots ,\alpha _\ell )\in \mathbb {I}_1\times \cdots \times \mathbb {I}_\ell \right\} , \end{aligned}$$
where $\mathtt {x}_1,\ldots ,\mathtt {x}_\ell $ and tweak space $\mathbb {I}_1\times \cdots \times \mathbb {I}_\ell $ are as described in Sect. 1. In this case, $(\alpha _1,\ldots ,\alpha _\ell )$ is in fact the “real” tweak, and $(t_{11},t_{12},t_{21},t_{22})$ is a function of $(\alpha _1,\ldots ,\alpha _\ell )$.

Further applications follow in Sects. 6 and 7. Obviously, $\mathrm {XPX}$ does not achieve security for all choices of $\mathcal {T}$; e.g., if $(1,0,1,1)\in \mathcal {T}$, then we have

$$\begin{aligned} \mathrm {XPX} _k((1,0,1,1),0)=k. \end{aligned}$$

(8)

In Sect. 4, we derive a minimal set of conditions on $\mathcal {T}$ to make the $\mathrm {XPX}$ construction meaningful. Then, in Sect. 5 we prove that $\mathrm {XPX}$ is secure in various settings, from single-key (S)PRP security to RK-SPRP security for the key-deriving function sets of Sect. 2.2.

4 Valid Tweak Sets

To eliminate trivial cases such as (8), we define a set of minimal conditions $\mathcal {T}$ needs to satisfy in order for $\mathrm {XPX}$ to achieve a reasonable level of security. In more detail, we define the notion of a valid tweak space $\mathcal {T}$. After the definition we present its rationale. We give some example of valid tweak spaces in Sect. 4.1, and show that $\mathrm {XPX}$ is insecure if $\mathcal {T}$ is in$\mathrm {valid}$ in Sect. 4.2.

Definition 1

We say that $\mathcal {T}$ is $\mathrm {valid}$ if:

(i)
For any $(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$ we have $(t_{11},t_{12})\ne (0,0)$ and $(t_{21},t_{22})\ne (0,0)$;
(ii)
For any distinct $(t_{11},t_{12},t_{21},t_{22}),(t_{11}',t_{12}',t_{21}',t_{22}')\in \mathcal {T}$ we have $(t_{11},t_{12})\ne (t_{11}',t_{12}')$ and $(t_{21},t_{22})\ne (t_{21}',t_{22}')$;
(iii)
If $(1,0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{21},t_{22}$:
1. (a)
  $t_{21}\ne 0$ and $t_{22}\ne 1$;
2. (b)
  For any other $(t_{11}',t_{12}',t_{21}',t_{22}')\in \mathcal {T}$ and $b\in \{0,1\}$ we have
  $$\begin{aligned}&t_{11}'\ne t_{12}'t_{21}(t_{22}\oplus 1)^{-1}\oplus b\text { and }t_{22}'\ne t_{21}'t_{21}^{-1}(t_{22}\oplus 1)\oplus b; \end{aligned}$$
3. (c)
  For any distinct $(t_{11}',t_{12}',t_{21}',t_{22}'),(t_{11}'',t_{12}'',t_{21}'',t_{22}'')\in \mathcal {T}$ we have
  $$\begin{aligned}&t_{12}'\oplus t_{12}'' \ne (t_{11}'\oplus t_{11}'')t_{21}^{-1}(t_{22}\oplus 1)\text { and }t_{22}'\oplus t_{22}'' \ne (t_{21}'\oplus t_{21}'')t_{21}^{-1}(t_{22}\oplus 1); \end{aligned}$$
(iv)
If $(t_{11},t_{12},0,1)\in \mathcal {T}$ for some $t_{11},t_{12}$:
1. (a)
  $t_{12}\ne 0$ and $t_{11}\ne 1$;
2. (b)
  For any other $(t_{11}',t_{12}',t_{21}',t_{22}')\in \mathcal {T}$ and $b\in \{0,1\}$ we have
  $$\begin{aligned}&t_{11}'\ne t_{12}'t_{12}^{-1}(t_{11}\oplus 1)\oplus b\text { and }t_{22}'\ne t_{21}'t_{12}(t_{11}\oplus 1)^{-1}\oplus b; \end{aligned}$$
3. (c)
  For any distinct $(t_{11}',t_{12}',t_{21}',t_{22}'),(t_{11}'',t_{12}'',t_{21}'',t_{22}'')\in \mathcal {T}$ we have
  $$\begin{aligned}&t_{11}'\oplus t_{11}'' \ne (t_{12}'\oplus t_{12}'')t_{12}^{-1}(t_{11}\oplus 1)\text { and }t_{21}'\oplus t_{21}'' \ne (t_{22}'\oplus t_{22}'')t_{12}^{-1}(t_{11}\oplus 1). \end{aligned}$$

Conditions (i) and (ii) are basic requirements, in essence guaranteeing that the input to and output of the underlying permutation $P$ is always masked. Conditions (iii) and (iv) are more obscure but are in fact necessary to prevent the key from being leaked. The presence of conditions (iii-a) and (iv-a) is justified by equation (8), but even beyond that, an evaluation $\mathrm {XPX} _k((1,0,t_{21},t_{22}),0)$ for some $t_{21}\ne 0$ and $t_{22}\ne 1$ leaks the value $t_{21}k\oplus (t_{22}\oplus 1)P(k)$ and additional conditions are required.

4.1 Examples of Valid Tweak Spaces

Due to our quest for a minimal definition of $\mathrm {valid}$ tweak spaces, Definition 1 is a bit hard to parse. Fortunately, conditions (iii) and (iv) often turn out to be trivially satisfied, as we will show in the next examples.

Example 1

Consider a tweak space $\mathcal {T}$ where all tweaks are of the form $(t_{11},0,t_{21},0)$ for $t_{11},t_{21}\ne 0$. The tweak space is valid if and only if

every $t_{11}$ appears at most once;
every $t_{21}$ appears at most once.

Concretely, condition (i) of Definition 1 is satisfied as $t_{11},t_{21}\ne 0$; condition (ii) is enforced by above two simplified conditions; conditions (iii) and (iv) turn out to hold trivially for the specific type of tweaks. This example corresponds to $\mathrm {XPX} $ with $\varDelta _1=t_{11}k$ and $\varDelta _2=t_{21}k$, and covers, among others, the Even-Mansour construction. Interestingly, by putting $t_{11}=t_{21}=:t$, $\mathrm {XPX} $ corresponds to Cogliati et al. [15]’s tweakable Even-Mansour construction with universal hash function $h_k(t)=k\cdot t$.

Example 2

Consider a tweak space $\mathcal {T}$ where all tweaks are of the form $(0,t_{12},0,t_{22})$ for $t_{12},t_{22}\ne 0$. The tweak space is valid if and only if

every $t_{12}$ appears at most once;
every $t_{22}$ appears at most once.

This example corresponds to $\mathrm {XPX} $ with $\varDelta _1=t_{12}P(k)$ and $\varDelta _2=t_{22}P(k)$, and it is the symmetrical equivalent of Example 1.

Example 3

Consider a tweak space $\mathcal {T}$ where all tweaks $(t_{11},t_{12},t_{21},t_{22})$ satisfy $t_{11},t_{12},t_{21},t_{22}\ne 0$. The tweak space is valid if and only if

every $(t_{11},t_{12})$ appears at most once;
every $(t_{21},t_{22})$ appears at most once.

As in Example 1, condition (i) of Definition 1 is satisfied as $t_{11},t_{12},t_{21},t_{22}\ne 0$; condition (ii) is enforced by above two simplified conditions; conditions (iii) and (iv) turn out to hold trivially for the specific type of tweaks. This example covers, among others, $\mathrm {XEX}$ with Even-Mansour, noticing that $\mathrm {XEX}$ requires that $(\alpha _1,\ldots ,\alpha _\ell )\ne (0,\ldots ,0)$ [48].

4.2 Minimality of Definition 1

In below proposition, we show that $\mathrm {XPX}$ is insecure whenever $\mathcal {T}$ is invalid. We remark that the second part of condition (ii) and the entire condition (iv) are not strictly needed for PRP security and only apply to SPRP security. We nevertheless included them for completeness.

Proposition 1

Let $n\ge 1$ and let $\mathcal {T}\subseteq \left( \{0,1\}^{n}\right) ^4$ an $\mathrm {in}$ $\mathrm {valid}$ set. We have

$$\begin{aligned} \mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(5,2) \ge 1-1/(2^n-1). \end{aligned}$$

Proof

We consider conditions (i), (ii), and (iii) separately. Condition (iv) is symmetrically equivalent to (iii), and omitted.

Condition (i). Assume, w.l.o.g., that $(0,0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{21},t_{22}$. For any $m\in \{0,1\}^{n}$ we have $\mathrm {XPX} _k((0,0,t_{21},t_{22}),m)\oplus P(m)=t_{21}k\oplus t_{22}P(k)$. Making these two queries for two different messages $m\ne m'$ gives a collision with probability 1. For a random $\widetilde{\pi }$ this happens with probability at most $1/(2^n-1)$. Thus, if condition (i) is violated, $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(2,2) \ge 1-1/(2^n-1)$. The analysis for $(t_{11},t_{12},0,0)\in \mathcal {T}$ is equivalent.

Condition (ii). Assume, w.l.o.g., that $(t_{11},t_{12},t_{21},t_{22}),(t_{11},t_{12},t_{21}',t_{22}')\in \mathcal {T}$ for some $(t_{21},t_{22})\ne (t_{21}',t_{22}')$. For any m,

$$\begin{aligned}&\;\mathrm {XPX} _k((t_{11},t_{12},t_{21},t_{22}),m) \oplus \mathrm {XPX} _k((t_{11},t_{12},t_{21}',t_{22}'),m)\\ =&\; (t_{21}\oplus t_{21}')k\oplus (t_{22}\oplus t_{22}')P(k). \end{aligned}$$

Making these queries for two different messages $m\ne m'$ gives a collision with probability 1. For a random $\widetilde{\pi }$ this happens with probability at most $1/(2^n-1)$. Thus, if condition (ii) is violated, $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(4,0) \ge 1-1/(2^n-1)$.

Condition (iii-a). Suppose $(1,0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{21},t_{22}$. By construction, $\mathrm {XPX} _k((1,0,t_{21},t_{22}),0)=t_{21}k\oplus (t_{22}\oplus 1)P(k)$. If $t_{21}=0$ or $t_{22}=1$, this value leaks k or $P(k)$. By making one additional invocation of $P^\pm $ the other value is learned as well, giving the distinguisher both $(k,P(k))$. For arbitrary $m\ne 0$, the distinguisher now queries $\mathrm {XPX} _k((1,0,t_{21},t_{22}),m)=c$ and $P(m\oplus k)=y$ and verifies whether $c=y\oplus t_{21}k\oplus t_{22}P(k)$. For a random $\widetilde{\pi }$ this happens with probability at most $1/(2^n-1)$. Thus, if condition (iii-a) is violated, $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(2,2) \ge 1-1/(2^n-1)$.

Condition (iii-b). Suppose $(1,0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{21},t_{22}$, and assume $t_{21}\ne 0$ and $t_{22}\ne 1$ (otherwise, the attack of (iii-a) applies). Suppose there is a $(t_{11}',t_{12}',t_{21}',t_{22}')\in \mathcal {T}$ such that $t_{22}' = t_{21}'t_{21}^{-1}(t_{22}\oplus 1)\oplus b$ for some $b\in \{0,1\}$. This is without loss of generality, as the other case is symmetric and the attack applies by reversing all queries for tweak $(t_{11}',t_{12}',t_{21}',t_{22}')$. We first consider case $b=0$, case $b=1$ is treated later.

For $b=0$: firstly, the attacker queries $\mathrm {XPX} _k((1,0,t_{21},t_{22}),0)$ to receive $c=t_{21}k\oplus (t_{22}\oplus 1)P(k)$. Fix any $c'\in \{0,1\}^{n}$, and query $\mathrm {XPX} _k^{-1}((t_{11}',t_{12}',t_{21}',t_{22}'),c')$ to receive $m' = t_{11}'k\oplus t_{12}'P(k)\oplus P^{-1}(\mathrm {inp}')$ where $\mathrm {inp}'=c'\oplus t_{21}'k\oplus t_{22}'P(k)$. Eliminating $P(k)$ using c gives

$$\begin{aligned} \mathrm {inp}' = c'\oplus t_{22}'(t_{22}\oplus 1)^{-1}c \oplus \big (t_{21}'\oplus t_{22}'(t_{22}\oplus 1)^{-1}t_{21}\big )k = c'\oplus t_{22}'(t_{22}\oplus 1)^{-1}c, \end{aligned}$$

where we use the violation of property (iii-b). Therefore,

$$\begin{aligned} m' \oplus P^{-1}(c'\oplus t_{22}'(t_{22}\oplus 1)^{-1}c) = t_{11}'k\oplus t_{12}'P(k). \end{aligned}$$

This equation is independent of the choice of $c'$. Making these queries for two different ciphertexts $c'\ne c''$ gives a collision with probability 1. For a random $\widetilde{\pi }$ this happens with probability at most $1/(2^n-1)$. Thus, if condition (iii-b) is violated with $b=0$, $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(3,2) \ge 1-1/(2^n-1)$.

For $b=1$: in this case we specifically consider $c'=t_{21}'t_{21}^{-1}c$, and have

$$\begin{aligned} \mathrm {inp}'&= t_{21}'t_{21}^{-1}c\oplus t_{21}'k\oplus t_{22}'P(k)\\&= \big (t_{21}'t_{21}^{-1}(t_{22}\oplus 1)\oplus t_{22}'\big )P(k) = P(k), \end{aligned}$$

using that $c=t_{21}k\oplus (t_{22}\oplus 1)P(k)$ and the violation of property (iii-b). Therefore,

$$\begin{aligned} \left( \begin{array}{c@{\;\;}c} t_{21}&{}t_{22}\oplus 1\\ t_{11}'\oplus 1&{}t_{12}' \end{array}\right) \left( \begin{array}{c} k\\ P(k) \end{array}\right) = \left( \begin{array}{c} c\\ m' \end{array}\right) , \end{aligned}$$

If this matrix is singular, it implies that $m'=\mathrm {const}\cdot c$ with $\mathrm {const}=t_{21}^{-1}(t_{11}'\oplus 1)=(t_{22}\oplus 1)^{-1}t_{12}'$. For a random tweakable permutation this happens with probability at most $1/2^n$. On the other hand, if it is non-singular, this reveals k and $P(k)$.

For arbitrary $m\ne 0$, the distinguisher now queries $\mathrm {XPX} _k((1,0,t_{21},t_{22}),m'')=c''$ and $P(m''\oplus k)=y$ and verifies whether $c''=y\oplus t_{21}k\oplus t_{22}P(k)$. For a random $\widetilde{\pi }$ this happens with probability at most $1/(2^n-1)$. Thus, if condition (iii-b) is violated with $b=1$, $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(3,1) \ge 1-1/(2^n-1)$.

Condition (iii-c). Suppose $(1,0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{21},t_{22}$, and assume $t_{21}\ne 0$ and $t_{22}\ne 1$ (otherwise, the attack of (iii-a) applies). Suppose there are $(t_{11}',t_{12}',t_{21}',t_{22}'),(t_{11}'',t_{12}'',t_{21}'',t_{22}'')\in \mathcal {T}$ such that $t_{22}'\oplus t_{22}'' = (t_{21}'\oplus t_{21}'')t_{21}^{-1}(t_{22}\oplus 1)$. This is without loss of generality, as the other case is symmetric and the attack applies by reversing all queries for tweaks $(t_{11}',t_{12}',t_{21}',t_{22}'),(t_{11}'',t_{12}'',t_{21}'',t_{22}'')$. Firstly, the attacker makes queries $\mathrm {XPX} _k((1,0,t_{21},t_{22}),0)$ to receive $c=t_{21}k\oplus (t_{22}\oplus 1)P(k)$. Now, fix any $c'\in \{0,1\}^{n}$, and query

$\mathrm {XPX} _k^{-1}((t_{11}',t_{12}',t_{21}',t_{22}'),c')$ to receive $m' = t_{11}'k\oplus t_{12}'P(k)\oplus P^{-1}(\mathrm {inp}')$ where $\mathrm {inp}'=c'\oplus t_{21}'k\oplus t_{22}'P(k)$;
$\mathrm {XPX} _k^{-1}((t_{11}'',t_{12}'',t_{21}'',t_{22}''),c'\oplus (t_{21}'\oplus t_{21}'')t_{21}^{-1}c)$ to receive $m'' = t_{11}''k\oplus t_{12}''P(k)\oplus P^{-1}(\mathrm {inp}'')$ where $\mathrm {inp}''=c'\oplus (t_{21}'\oplus t_{21}'')t_{21}^{-1}c\oplus t_{21}''k\oplus t_{22}''P(k)$.

Plugging c into $\mathrm {inp}'$ and $\mathrm {inp}''$ gives

$$\begin{aligned} \mathrm {inp}''&= c' \oplus t_{21}'k \oplus \big (t_{22}''\oplus (t_{21}'\oplus t_{21}'')t_{21}^{-1}(t_{22}\oplus 1)\big )P(k)\\&= c'\oplus t_{21}'k\oplus t_{22}'P(k) = \mathrm {inp}', \end{aligned}$$

where we use the violation of property (iii-c). Therefore,

$$\begin{aligned} m' \oplus m'' = (t_{11}'\oplus t_{11}'')k \oplus (t_{12}'\oplus t_{12}'')P(k). \end{aligned}$$

This equation is independent of the choice of $c'$. Making these queries for two different ciphertexts $c'\ne c''$ gives a collision with probability 1. For a random $\widetilde{\pi }$ this happens with probability at most $1/(2^n-1)$. Thus, if condition (iii-c) is violated, $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(5,0) \ge 1-1/(2^n-1)$.

Conclusion. In any case, a distinguishing attack with success probability at least $1-1/(2^n-1)$ can be performed in at most 5 construction queries and 2 primitive queries. $\square $

5 Security of $\mathrm {XPX}$

In this section, we analyze the security of $\mathrm {XPX}$ in various security models. We will focus on $\mathrm {valid}$ $\mathcal {T}$ only. Theorem 1 captures all security levels for the three key-deriving function sets of (5).

Theorem 1

Let $n\ge 1$ and let $\mathcal {T}\subseteq \left( \{0,1\}^{n}\right) ^4$ be a $\mathrm {valid}$ set.

(a)
We have
$$\begin{aligned} \mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {prp}}(q,r) \le \mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(q,r) \le \frac{(q+1)^2+2q(r+1)+2r}{2^n}. \end{aligned}$$
(b)
If for all $(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$ we have $t_{12}\ne 0$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}prp}}(q,r) \le \frac{\frac{7}{2}q^2+4qr}{2^n-q}. \end{aligned}$$
(c)
If for all $(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$ we have $t_{12},t_{22}\ne 0$ and $(t_{21},t_{22})\ne (0,1)$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(q,r) \le \frac{\frac{7}{2}q^2+4qr}{2^n}. \end{aligned}$$
(d)
If for all $(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$ we have $t_{11},t_{12}\ne 0$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{P\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}prp}}(q,r) \le \frac{4q^2+4qr}{2^n-q}. \end{aligned}$$
(e)
If for all $(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$ we have $t_{11},t_{12},t_{21},t_{22}\ne 0$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{P\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(q,r) \le \frac{4q^2+4qr}{2^n}. \end{aligned}$$

In Sect. 5.1, we prove that the conditions $\mathcal {T}$ are minimal, meaning that the security proof cannot go through if the conditions are omitted. The proof of Theorem 1(a) is given in Sect. 5.2. The proofs of Theorem 1(b-c) and (d-e) are given in the full version [37].

5.1 Minimality of the Conditions of Theorem 1

We show that the conditions we put on $\mathcal {T}$ in Theorem 1 are minimal, in the sense that $\mathrm {XPX} $ can be broken if the conditions are omitted. For the validity condition on $\mathcal {T}$, this is already justified by Proposition 1. Below proposition considers the remaining conditions on $\mathcal {T}$ put by parts (b)-(e) of Theorem 1.

Proposition 2

Let $n\ge 1$ and let $\mathcal {T}\subseteq \left( \{0,1\}^{n}\right) ^4$ a $\mathrm {valid}$ set.

(a)
If $(t_{11},0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{11},t_{21},t_{22}$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}prp}}(4,0) \ge 1-1/(2^n-1). \end{aligned}$$
(b)
If $(t_{11},t_{12},t_{21},0)\in \mathcal {T}$ or $(t_{11},t_{12},0,1)\in \mathcal {T}$ for some $t_{11},t_{12},t_{21}$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(4,0) \ge 1-1/(2^n-1). \end{aligned}$$
(c)
If $(0,t_{12},t_{21},t_{22})\in \mathcal {T}$ for some $t_{12},t_{21},t_{22}$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{P\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}prp}}(4,0) \ge 1-1/(2^n-1). \end{aligned}$$
(d)
If $(t_{11},t_{12},0,t_{22})\in \mathcal {T}$ for some $t_{11},t_{12},t_{22}$, then
$$\begin{aligned} \mathbf {Adv} _{\varPhi _{P\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(4,0) \ge 1-1/(2^n-1). \end{aligned}$$

Proof

We consider the four cases separately.

Case (b). Suppose $(t_{11},0,t_{21},t_{22})\in \mathcal {T}$ for some $t_{11},t_{21},t_{22}$. Fix any $\delta \ne \delta '$ and any $m\in \{0,1\}^{n}$. The attacker makes the following queries:

$\mathrm {XPX} _k(\delta ,(t_{11},0,t_{21},t_{22}),m)$ to receive $c= t_{21}(k\oplus \delta )\oplus t_{22}P(k\oplus \delta )\oplus P(\mathrm {inp})$ where $\mathrm {inp}=m\oplus t_{11}(k\oplus \delta )$;
$\mathrm {XPX} _k(\delta ',(t_{11},0,t_{21},t_{22}),m\oplus t_{11}(\delta \oplus \delta '))$ to receive $c'= t_{21}(k\oplus \delta ')\oplus t_{22}P(k\oplus \delta ')\oplus P(\mathrm {inp'})$ where $\mathrm {inp}'=m\oplus t_{11}(\delta \oplus \delta ')\oplus t_{11}(k\oplus \delta ')$.

By construction, $\mathrm {inp}' = \mathrm {inp}$, and thus

$$\begin{aligned} c\oplus c' = t_{21}(\delta \oplus \delta ')\oplus t_{22}\big (P(k\oplus \delta )\oplus P(k\oplus \delta ')\big ). \end{aligned}$$

This equation is independent of the choice of m. Making these queries for two different messages $m\ne m'$ gives a collision with probability 1. For a random $\widetilde{\mathsf {RK} \pi }$ this happens with probability at most $1/(2^n-1)$. Thus, $\mathbf {Adv} _{\varPhi _{\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}prp}}(4,0) \ge 1-1/(2^n-1)$.

Case (c). If $(t_{11},t_{12},t_{21},0)\in \mathcal {T}$ for some $t_{11},t_{12},t_{21}$ the attack is the inverse of the one for case (b). Now, suppose $(t_{11},t_{12},0,1)\in \mathcal {T}$ for some $t_{11},t_{12}$. The attacker makes the following queries:

$\mathrm {XPX} _k^{-1}(0,(t_{11},t_{12},0,1),0)$ to receive $m=(t_{11}\oplus 1)k\oplus t_{12}P(k)$;
$\mathrm {XPX} _k(0,(t_{11},t_{12},0,1),m\oplus \delta )$ for $\delta \ne 0$ to receive
$$\begin{aligned} c_\delta&= P(k) \oplus P(m\oplus \delta \oplus t_{11}k\oplus t_{12}P(k))\\&= P(k) \oplus P(k\oplus \delta ). \end{aligned}$$

Now, fix any $m'$ and query

$\mathrm {XPX} _k(\delta ,(t_{11},t_{12},0,1),m')$ to receive $c'= P(m'\oplus t_{11}(k\oplus \delta )\oplus t_{12}P(k\oplus \delta )) \oplus P(k\oplus \delta )$;
$\mathrm {XPX} _k(0,(t_{11},t_{12},0,1),m'\oplus t_{11}\delta \oplus t_{12}c_\delta )$ to receive $c''= P(m'\oplus t_{11}\delta \oplus t_{12}c_\delta \oplus t_{11}k\oplus t_{12}P(k)) \oplus P(k)$.

These queries satisfy $c'\oplus c'' = c_\delta $. For a random $\widetilde{\mathsf {RK} \pi }$ this happens with probability at most $1/(2^n-1)$. Thus, $\mathbf {Adv} _{\varPhi _{\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(4,0) \ge 1-1/(2^n-1)$.

Case (d). Suppose $(0,t_{12},t_{21},t_{22})\in \mathcal {T}$ for some $t_{12},t_{21},t_{22}$. Fix any $\delta \ne \delta '$ and any $m\in \{0,1\}^{n}$. The attacker makes the following queries:

$\mathrm {XPX} _k((0,\delta ),(0,t_{12},t_{21},t_{22}),m)$ to receive $c= t_{21}P^{-1}(P(k)\oplus \delta )\oplus t_{22}(P(k)\oplus \delta )\oplus P(\mathrm {inp})$ where $\mathrm {inp}=m\oplus t_{12}(P(k)\oplus \delta )$;
$\mathrm {XPX} _k((0,\delta '),(0,t_{12},t_{21},t_{22}),m\oplus t_{12}(\delta \oplus \delta '))$ to receive $c'= t_{21}P^{-1}(P(k)\oplus \delta ')\oplus t_{22}(P(k)\oplus \delta ')\oplus P(\mathrm {inp'})$ where $\mathrm {inp}'=m\oplus t_{12}(\delta \oplus \delta ')\oplus t_{12}(P(k)\oplus \delta ')$.

By construction, $\mathrm {inp}' = \mathrm {inp}$, and thus

$$\begin{aligned} c\oplus c' = t_{21}\big (P^{-1}(P(k)\oplus \delta )\oplus P^{-1}(P(k)\oplus \delta ')\big ) \oplus t_{22}(\delta \oplus \delta '). \end{aligned}$$

This equation is independent of the choice of m. Making these queries for two different messages $m\ne m'$ gives a collision with probability 1. For a random $\widetilde{\mathsf {RK} \pi }$ this happens with probability at most $1/(2^n-1)$. Thus, $\mathbf {Adv} _{\varPhi _{P\oplus },\mathrm {XPX}}^{\mathrm {rk\text {-}prp}}(4,0) \ge 1-1/(2^n-1)$.

Case (e). The attack is the inverse of the one for case (d). $\square $

5.2 Proof of Theorem 1(a)

Note that $\mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {prp}}(q,r) \le \mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {sprp}}(q,r)$ holds by construction, and we will focus on bounding the latter. The proof is a generalization of the proofs of Even-Mansour [5, 15, 22, 23, 25, 43], but difficulties arise due to the tweaks.

Let $k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}$, $P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\{0,1\}^{n})$, and $\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\mathcal {T},\{0,1\}^{n})$. Consider any fixed deterministic distinguisher $\mathcal {D}$ for the SPRP security of $\mathrm {XPX} $. In the real world it has access to $(\mathrm {XPX} _k,P)$, and in the ideal world to $(\widetilde{\pi },P)$. It makes q construction queries which are summarized in view $v_1=\{((t_{11},t_{12},t_{21},t_{22})_1,m_1,c_1),\ldots ,((t_{11},t_{12},t_{21},t_{22})_q,m_q,c_q)\}$. It additionally makes r queries to $P$, summarized in a view $v_2=\{(x_1,y_1),\ldots ,(x_r,y_r)\}$. As $\mathcal {D}$ is deterministic this properly summarizes the conversation.

To suit the analysis, we generalize our oracles by providing $\mathcal {D}$ with extra data. How these extra data look like, depends on whether or not $\mathcal {T}$ contains tweak tuple $(1,0,\bar{t}_{21},\bar{t}_{22})$ or $(\bar{t}_{11},\bar{t}_{12},0,1)$.^{Footnote 2} Because of their dedicated treatment, we will always refer to these tweak tuples with overlines. As $\mathcal {T}$ is $\mathrm {valid}$, and more specifically by condition (iii-b), at most one of the two tweaks is in $\mathcal {T}$, but it may as well be that none of these is allowed.

More formally, before $\mathcal {D}$’s interaction with the oracles, we reveal forward construction query $((1,0,\bar{t}_{21},\bar{t}_{22}),0,\bar{c})$ or inverse construction query $((\bar{t}_{11},\bar{t}_{12},0,1),\bar{m},0)$, depending on whether one of the two tweaks is in $\mathcal {T}$, and store the resulting tuple in view $v_0$. If none of the two tweaks is in $\mathcal {T}$, we simply have $|v_0|=0$.

Then, after $\mathcal {D}$’s interaction with its oracles but before $\mathcal {D}$ makes its final decision, we reveal $v_k=\{(k,k^\star )\}$. In the real world, k is the key used for encryption and $k^\star =P(k)$. In the ideal world, $k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}$ will be a randomly drawn dummy key and $k^\star $ will be defined based on k and $v_0$. If $|v_0|=0$, then $k^\star \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}$. Otherwise, it is the unique^{Footnote 3} value that satisfies

$$\begin{aligned} \begin{aligned} \bar{t}_{21}k\oplus (\bar{t}_{22}\oplus 1)k^\star = \bar{c}&\text { if }v_0=\{((1,0,\bar{t}_{21},\bar{t}_{22}),0,\bar{c})\},\text { or}\\ (\bar{t}_{11}\oplus 1)k\oplus \bar{t}_{12}k^\star = \bar{m}&\text { if }v_0=\{((\bar{t}_{11},\bar{t}_{12},0,1),\bar{m},0)\}. \end{aligned} \end{aligned}$$

(9)

Clearly, these disclosures are without loss of generality as they may only help the distinguisher. The complete view is denoted $v=(v_0,v_1,v_2,v_k)$. Recall that $\mathcal {D}$ is assumed not to make any repeat queries, and hence $v_0\cup v_1$ and $v_2$ do not contain any duplicate elements. Note that $v_k$ may collide with $v_2$, but this will be captured as a bad event.

Throughout, we consider attainable views only. Recall that a view is attainable if it can be obtained in the ideal world. For $v_0\cup v_1$, this is the case if and only if for any distinct $i,i'$ such that $(t_{11},t_{12},t_{21},t_{22})_i=(t_{11},t_{12},t_{21},t_{22})_{i'}$, we have $m_i\ne m_{i'}$ and $c_i\ne c_{i'}$. For $v_2$ the condition is equivalent: there should be no two distinct $(x,y),(x',y')\in v_2$ such that $x=x'$ or $y=y'$. Attainability implies for $v_k$ that $k^\star $ satisfies (9) if $|v_0|=1$.

We say that a view $v$ is bad if one of the following conditions holds:

$$\begin{aligned} \mathsf {BV} _{1}:\;\;&\text {for some }(x,y)\in v_2\text { and }(k,k^\star )\in v_k\text {:}\\&\qquad \mathsf {BV} _{1a}:\; k=x,\text { or }\\&\qquad \mathsf {BV} _{1b}:\; k^\star =y,\text { or }\\ \mathsf {BV} _{2}:\;\;&\text {for some }((t_{11},t_{12},t_{21},t_{22}),m,c)\in v_1\text {, }(x,y)\in v_2\cup v_k\text {, and }(k,k^\star )\in v_k\text {:}\\&\qquad \mathsf {BV} _{2a}:\; m\oplus t_{11}k\oplus t_{12}k^\star = x,\text { or }\\&\qquad \mathsf {BV} _{2b}:\; c\oplus t_{21}k\oplus t_{22}k^\star = y,\text { or }\\ \mathsf {BV} _{3}:\;\;&\text {for some distinct }((t_{11},t_{12},t_{21},t_{22}),m,c),((t_{11}',t_{12}',t_{21}',t_{22}'),m',c')\in v_0\cup v_1\\&\qquad \qquad \text {and }(k,k^\star )\in v_k\text {:}\\&\qquad \mathsf {BV} _{3a}:\; m\oplus t_{11}k\oplus t_{12}k^\star = m'\oplus t_{11}'k\oplus t_{12}'k^\star ,\text { or }\\&\qquad \mathsf {BV} _{3b}:\; c\oplus t_{21}k\oplus t_{22}k^\star = c'\oplus t_{21}'k\oplus t_{22}'k^\star . \end{aligned}$$

Note that every tuple in $v_0\cup v_1$ uniquely corresponds to an evaluation of the underlying $P$, namely via (7) where $v_k$ is used as key material. The above conditions cover all cases where two different tuples in $v$ collide at their $P$ evaluation. In more detail, $\mathsf {BV} _{1}$ covers the case where $v_k=\{(k,k^\star )\}$ collides with a tuple in $v_2$, $\mathsf {BV} _{2}$ the case where a tuple in $v_1$ collides with a tuple in $v_2\cup v_k$, and $\mathsf {BV} _{3}$ the case where two tuples in $v_0\cup v_1$ collide with each other. Note that two different tuples in $v_2$ never collide (by construction), and that the case of a tuple of $v_0$ colliding with $v_2$ is implicitly covered in $\mathsf {BV} _{1}$. The only remaining case, $v_0$ colliding with $v_k$, is not required to be a bad event, as this is the exact way $v_k$ is defined.

In accordance with Patarin’s technique (Lemma 1), we derive an upper bound on $\mathbf {Pr} \left[ X_\mathrm {id}\in \mathcal {V}_\mathrm {bad} \right] $ in Lemma 2, and in Lemma 3 we will prove that $\varepsilon =0$ works for good views.

Lemma 2

For Theorem 1(a), we have $\mathbf {Pr} \left[ X_\mathrm {id}\in \mathcal {V}_\mathrm {bad} \right] \le \frac{(q+1)^2+2q(r+1)+2r}{2^n}$.

Proof

Consider a view $v$ in the ideal world $(\widetilde{\pi },P)$. We will essentially compute

$$\begin{aligned} \mathbf {Pr} \left[ \mathsf {BV} _{1}\vee \mathsf {BV} _{2}\vee \mathsf {BV} _{3}\right] \le \mathbf {Pr} \left[ \mathsf {BV} _{1}\right] + \mathbf {Pr} \left[ \mathsf {BV} _{2}\mid \lnot \mathsf {BV} _{1}\right] + \mathbf {Pr} \left[ \mathsf {BV} _{3}\right] . \end{aligned}$$

(10)

We have $k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}$. If $|v_0|=0$, we would also have $k^\star \xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}$. If $|v_0|=1$, the value $k^\star $ is defined based on $v_0$. In fact, the probability that a transcript is bad is largest in case $|v_0|=1$ and we consider this case only (the derivation for $|v_0|=0$ is in fact a simplification of the below one). Without loss of generality, $v_0=\{((\bar{t}_{11},\bar{t}_{12},0,1),\bar{m},0)\}$, where $\bar{t}_{11}\ne 1$ and $\bar{t}_{12}\ne 0$ by validity of $\mathcal {T}$. By (9), we have

$$\begin{aligned} k^\star = \bar{t}_{12}^{-1}\big ((\bar{t}_{11}\oplus 1)k \oplus \bar{m}\big ). \end{aligned}$$

At a high level, we will prove that all bad events become a condition on k once $k^\star $ gets replaced using this equation. We will use validity of $\mathcal {T}$ (and more specifically point (iv)) to show that these are non-trivial conditions (i.e., k never cancels out).

Condition $\varvec{\mathsf {BV} _{1}}$ . Condition $\mathsf {BV} _{1a}$ is clearly satisfied with probability $r/2^n$. Regarding $\mathsf {BV} _{1b}$, we have r choices for $(x,y)\in v_2$, and k is a bad key if

$$\begin{aligned} k = (\bar{t}_{11}\oplus 1)^{-1}(\bar{t}_{12}y\oplus \bar{m}), \end{aligned}$$

where we use that $\bar{t}_{11}\ne 1$. This happens with probability at most $r/2^n$. Therefore, $\mathbf {Pr} \left[ \mathsf {BV} _{1}\right] \le 2r/2^n$.

Condition $\varvec{\mathsf {BV} _{2}}$ . Consider any choice of $((t_{11},t_{12},t_{21},t_{22}),m,c)\in v_1$ and $(x,y)\in v_2\cup v_k$. Regarding $\mathsf {BV} _{2a}$, it is set if

$$\begin{aligned} t_{11}k\oplus t_{12}\bar{t}_{12}^{-1}\big ((\bar{t}_{11}\oplus 1)k \oplus \bar{m}\big ) = x\oplus m. \end{aligned}$$

This translates to

$$\begin{aligned}&\big (t_{11}\oplus t_{12}\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\oplus 1\big )k = m \oplus t_{12}\bar{t}_{12}^{-1}\bar{m}\qquad \quad \text { if }(x,y)=(k,k^\star )\in v_k,\\&\big (t_{11}\oplus t_{12}\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\big )k = x\oplus m \oplus t_{12}\bar{t}_{12}^{-1}\bar{m}\qquad \quad \text { if }(x,y)\in v_2\,\text {.} \end{aligned}$$

Here, we use that $\lnot \mathsf {BV} _{1}$ holds. Now, if $(t_{11},t_{12},t_{21},t_{22})=(\bar{t}_{11},\bar{t}_{12},0,1)$, we necessarily have $m\ne \bar{m}$ as $v$ does not contain any duplicate elements. Then, the key is bad with probability 0 if $(x,y)=(k,k^\star )\in v_k$ and with probability $1/2^n$ otherwise. If $(t_{11},t_{12},t_{21},t_{22})\ne (\bar{t}_{11},\bar{t}_{12},0,1)$, the factor in front of k is nonzero as $\mathcal {T}$ is valid (condition (iv-b)), and k satisfies this equation with probability $1/2^n$. Concluding, $\mathsf {BV} _{2a}$ is set with probability at most $q(r+1)/2^n$. Regarding $\mathsf {BV} _{2b}$, it is set if

$$\begin{aligned} t_{21}k\oplus t_{22}\bar{t}_{12}^{-1}\big ((\bar{t}_{11}\oplus 1)k \oplus \bar{m}\big ) = y\oplus c. \end{aligned}$$

As before, this translates to

$$\begin{aligned} \begin{array}{lll} &{}\big (t_{21}\oplus (t_{22}\oplus 1)\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\big )k = c\oplus (t_{22}\oplus 1)\bar{t}_{12}^{-1}\bar{m}&{}\quad \text { if }(x,y)=(k,k^\star )\in v_k\,\text {,}\\ &{}\big (t_{21}\oplus t_{22}\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\big )k = y\oplus c \oplus t_{22}\bar{t}_{12}^{-1}\bar{m}&{}\quad \text { if }(x,y)\in v_2\,\text {.} \\ \end{array} \end{aligned}$$

The remainder of the analysis is the same, showing that $\mathsf {BV} _{2b}$ is set with probability at most $q(r+1)/2^n$. Therefore, $\mathbf {Pr} \left[ \mathsf {BV} _{2}\right] \le 2q(r+1)/2^n$.

Condition $\varvec{\mathsf {BV} _{3}}$ . Consider any two distinct $((t_{11},t_{12},t_{21},t_{22}),m,c),((t_{11}',t_{12}',t_{21}',t_{22}'),m',c')\in v_0\cup v_1$. If $(t_{11},t_{12},t_{21},t_{22})=(t_{11}',t_{12}',t_{21}',t_{22}')$, then necessarily $m\ne m'$ and $c\ne c'$ and $\mathsf {BV} _{3}$ cannot be satisfied. Otherwise, we have $(t_{11},t_{12})\ne (t_{11}',t_{12}')$ and $(t_{21},t_{22})\ne (t_{21}',t_{22}')$ because of valid $\mathcal {T}$. Plugging $k^\star $ into the equation of $\mathsf {BV} _{3a}$ gives

$$\begin{aligned} \big (t_{11}\oplus t_{11}' \oplus (t_{12}\oplus t_{12}')\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\big )k = m\oplus m' \oplus (t_{12}\oplus t_{12}')\bar{t}_{12}^{-1}\bar{m}. \end{aligned}$$

As before, $t_{11}\oplus t_{11}' \oplus (t_{12}\oplus t_{12}')\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\ne 0$: if $(t_{11},t_{12})$ or $(t_{11}',t_{12}')$ equals $(\bar{t}_{11},\bar{t}_{12})$ this is due to validity of $\mathcal {T}$ point (iv-b), and otherwise due to point (iv-c). Therefore, k satisfies this equation with probability $1/2^n$. Thus, $\mathsf {BV} _{3a}$ is set with probability at most ${q+1\atopwithdelims ()2}/2^n$. Regarding $\mathsf {BV} _{3b}$, we similarly find

$$\begin{aligned} \big (t_{21}\oplus t_{21}'\oplus (t_{22}\oplus t_{22}')\bar{t}_{12}^{-1}(\bar{t}_{11}\oplus 1)\big )k = c\oplus c'\oplus (t_{22}\oplus t_{22}')\bar{t}_{12}^{-1}\bar{m}, \end{aligned}$$

and $\mathsf {BV} _{3b}$ is set with probability at most ${q+1\atopwithdelims ()2}/2^n$. Therefore, $\mathbf {Pr} \left[ \mathsf {BV} _{3}\right] \le 2{q+1\atopwithdelims ()2}/2^n \le (q+1)^2/2^n$.

Conclusion. Using (10), we have $\mathbf {Pr} \left[ X_\mathrm {id}\in \mathcal {V}_\mathrm {bad} \right] \le \frac{(q+1)^2+2q(r+1)+2r}{2^n}$. This completes the proof. $\square $

Lemma 3

For Theorem 1(a), we have $\mathbf {Pr} \left[ X_\mathrm {re}=v\right] \ge \mathbf {Pr} \left[ X_\mathrm {id}=v\right] $ for any good transcript $v\in \mathcal {V}_\mathrm {good} $.

Proof

For the computation of $\mathbf {Pr} \left[ X_\mathrm {re}=v\right] $ and $\mathbf {Pr} \left[ X_\mathrm {id}=v\right] $, it suffices to compute the fraction of oracles that could result in view $v$. Recall that we assume that $\mathcal {D}$ never makes redundant queries, and particularly that $v_0\cup v_1$ consists of $|v_0|+q$ distinct oracle queries.

In the real world, k will always be a randomly drawn key. The tuples $v_0\cup v_1$ are construction evaluations and the tuples $v_1\cup v_k$ are direct permutation evaluations. If $|v_0|=0$, all of these tuples define a unique $P$-evaluation, $q+r+1$ in total. This is because of the fact that we consider good transcripts. If $|v_0|=1$, the $P$-evaluations by $v_0$ and $v_k$ are the same, but apart from that all tuples define unique $P$-evaluations. So also in this case, we have $q+r+1$ $P$-evaluations. Therefore,

$$\begin{aligned} \mathbf {Pr} \left[ X_\mathrm {re}=v\right] =&\;\mathbf {Pr} \left[ k'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\;:\; k'=k\right] \!\cdot \\&\;\mathbf {Pr} \left[ P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M}) \;:\; \mathrm {XPX} _k^P\vdash v_0\cup v_1 \wedge P\vdash v_2\cup v_k\right] \\ =&\;\frac{1}{2^n}\cdot \frac{1}{{(2^n)}_{q+r+1}}. \end{aligned}$$

For the analysis in the ideal world, we group the tuples in $v_0\cup v_1$ according to the tweak value. Formally, for $t=(t_{11},t_{12},t_{21},t_{22})\in \mathcal {T}$, we define

$$\begin{aligned} \#_t = |\{(t,m,c)\in v_0\cup v_1 \mid m,c\in \{0,1\}^{n}\}|. \end{aligned}$$

The computation of $\mathbf {Pr} \left[ X_\mathrm {id}=v\right] $ now differs depending on whether $|v_0|=0$ or $|v_0|=1$. If $|v_0|=0$:

$$\begin{aligned} \mathbf {Pr} \left[ X_\mathrm {id}=v\wedge |v_0|=0\right] =&\;\mathbf {Pr} \left[ k',{k^\star }'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\;:\; k'=k \wedge {k^\star }'=k^\star \right] \cdot \\&\;\mathbf {Pr} \left[ \widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\mathcal {T},\mathcal {M}) \;:\; \widetilde{\pi }\vdash v_1\right] \cdot \\&\;\mathbf {Pr} \left[ P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M}) \;:\; P\vdash v_2\right] \\ =&\;\frac{1}{2^{2n}}\cdot \frac{1}{\prod _t {(2^n)}_{\#_t}}\cdot \frac{1}{{(2^n)}_{r}},\text { where }\textstyle \sum _t\#_t=q\,\text {.} \end{aligned}$$

If $|v_0|=1$:

$$\begin{aligned} \mathbf {Pr} \left[ X_\mathrm {id}=v\wedge |v_0|=1\right] =&\;\mathbf {Pr} \left[ k'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{n}\;:\; k'=k\right] \cdot \\&\;\mathbf {Pr} \left[ \widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\mathcal {T},\mathcal {M}) \;:\; \widetilde{\pi }\vdash v_0\cup v_1\right] \cdot \\&\;\mathbf {Pr} \left[ P\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm} (\mathcal {M}) \;:\; P\vdash v_2\right] \\ =&\;\frac{1}{2^n}\cdot \frac{1}{\prod _t {(2^n)}_{\#_t}}\cdot \frac{1}{{(2^n)}_{r}},\text { where }\textstyle \sum _t\#_t=q+1\,\text {.} \end{aligned}$$

In either case,

$$\begin{aligned} \mathbf {Pr} \left[ X_\mathrm {id}=v\right]&\le \frac{1}{2^n}\cdot \frac{1}{\prod _t {(2^n)}_{\#_t}}\cdot \frac{1}{{(2^n)}_{r}},\text { where }\textstyle \sum _t\#_t=q+1\\&\le \frac{1}{2^n}\cdot \frac{1}{{(2^n)}_{q+r+1}}\\&= \mathbf {Pr} \left[ X_\mathrm {re}=v\right] , \end{aligned}$$

where we use that ${(a)}_{b_1}{(a)}_{b_2}\ge {(a)}_{b_1+b_2}$. This completes the proof. $\square $

6 Application to Authenticated Encryption

We will show how $\mathrm {XPX}$ applies to the Prøst-$\mathrm {COPA}$ [3, 29] and Minalpher [49] authenticated encryption schemes. Before doing so, we briefly discuss the security model.

6.1 Security Model

Authenticated encryption covers the case where both privacy and authenticity of data is required. In more detail, an authenticated encryption scheme consists of an encryption function $\mathsf {Enc} $ and a decryption function $\mathsf {Dec} $. $\mathsf {Enc} $ gets as input a key, nonce, associated data, and message, and outputs a ciphertext and a tag. $\mathsf {Dec} $ gets as input a key, nonce, associated data, ciphertext, and tag, and it either outputs a message (if the authentication is correct) or a dedicated $\bot $ symbol.

Let $\mathsf {AE} =(\mathsf {Enc},\mathsf {Dec})$ be an authenticated encryption scheme, and let $\mathcal {P}$ be an idealized primitive upon which $\mathsf {AE} $ is based, if any (note that if $\mathsf {AE} $ is based on a blockcipher, $\mathcal {P}$ is non-existent). Let k be a randomly drawn key. Let ${\$}$ be a function with the same interface as $E_k$, but that returns fresh and random answers to every query. Let $\bot $ be a function that outputs $\bot $ on every query. We define the privacy of $\mathsf {AE} $ based on $\mathcal {P}$ as

$$\begin{aligned} \mathbf {Adv} _{\mathsf {AE}}^{\mathrm {priv}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\mathsf {Enc} _k,\mathcal {P}^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\$,\mathcal {P}^{\pm }} = 1 \right] \right| , \end{aligned}$$

and the authenticity of $\mathsf {AE} $ based on $\mathcal {P}$ as

$$\begin{aligned} \mathbf {Adv} _{\mathsf {AE}}^{\mathrm {auth}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\mathsf {Enc} _k,\mathsf {Dec} _k,\mathcal {P}^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\mathsf {Enc} _k,\bot ,\mathcal {P}^{\pm }} = 1 \right] \right| . \end{aligned}$$

In both definitions, some conditions on $\mathcal {D}$ may apply (such as the nonce-respecting condition). For $q,\ell ,\sigma ,r\ge 0$, we define by

$$\begin{aligned} \mathbf {Adv} _{\mathsf {AE}}^{\mathrm {priv/auth}}(q,\ell ,\sigma ,r) = \max _\mathcal {D}\mathbf {Adv} _{\mathsf {AE}}^{\mathrm {priv/auth}}(\mathcal {D}) \end{aligned}$$

the security of $\mathsf {AE} $ against any distinguisher $\mathcal {D}$ that makes q queries to the construction oracle, each of length at most $\ell $ and of total size $\sigma $, and r queries to the primitive oracle.

So far, the model is in the single-key setting, But it generalizes to related-key security straightforwardly (the way Sect. 2.2 generalizes Sect. 2.1). We denote the corresponding related-key security definitions by

$$\begin{aligned} \mathbf {Adv} _{\varPhi ,\mathsf {AE}}^{\mathrm {rk\text {-}priv/auth}}(\mathcal {D}) \text { and }\mathbf {Adv} _{\varPhi ,\mathsf {AE}}^{\mathrm {rk\text {-}priv/auth}}(q,\ell ,\sigma ,r), \end{aligned}$$

where $\varPhi $ is some key-deriving function set.

6.2 Prøst-$\mathrm {COPA}$

$\mathrm {COPA}$ is an authenticated encryption scheme by Andreeva et al. [3]. $\mathrm {COPA}$ for integral message is depicted in Fig. 4 (we refer to [3] for the general case). At its core, it is using a blockcipher $E$ in $\mathrm {XEX}$ mode (2) with masks $\varDelta =2^\alpha 3^\beta 7^\gamma E_k(0)$, where $(\alpha ,\beta ,\gamma )$ is the tweak coming from tweak space $\{0,\ldots ,\ell \}\times \{0,\ldots ,5\}\times \{0,1\}\backslash \{(0,0,0)\}=\mathcal {T}_{\mathrm {COPA}}$.^{Footnote 4}

Before discussing the related-key security of $\mathrm {COPA}$, we quickly revisit the original security proof at a high level. Consider an attacker against $\mathrm {COPA}$ that has resources $(q,\ell ,\sigma ,r)$. As a first step, all $\mathrm {XEX}$ evaluations in $\mathrm {COPA}$ are replaced with a random tweakable permutation $\widetilde{\pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {Perm}}(\mathcal {T}_{\mathrm {COPA}},\{0,1\}^{n})$. This step costs us $\mathbf {Adv} _{\mathrm {XEX}}^{\mathrm {sprp}}(2(\sigma +q),r)$. Next, $\mathrm {COPA}$ with ideal tweakable permutation is proven to achieve privacy up to bound $A_{\mathrm {priv}}(q,\ell ,\sigma ) = \frac{\sigma ^2}{2^n} + \frac{(\ell +2)(q-1)^2}{2^n}$ and authenticity up to bound $A_{\mathrm {auth}}(q,\ell ,\sigma ) = \frac{(\sigma +q)^2}{2^n} + \frac{(\ell +2)(q-1)^2}{2^n} + \frac{2q}{2^n}$. Thus:

$$\begin{aligned} \mathbf {Adv} _{\mathrm {COPA}}^{\mathrm {priv/auth}}(q,\ell ,\sigma ,r) \le \mathbf {Adv} _{\mathrm {XEX}}^{\mathrm {sprp}}(2(\sigma +q),r) + A_{\mathrm {priv/auth}}(q,\ell ,\sigma ). \end{aligned}$$

The step towards RK-security of $\mathrm {COPA}$ is quite straightforward, noting that an attacker against $\mathrm {COPA}$ with ideal tweakable related-key permutation has no benefit over an attacker against $\mathrm {COPA}$ with ideal tweakable (non-related-key) permutation.

Theorem 2

(RK-security of COPA). Let $\varPhi $ be any KDF-set. We have

$$\begin{aligned} \mathbf {Adv} _{\varPhi ,\mathrm {COPA}}^{\mathrm {rk\text {-}priv/auth}}(q,\ell ,\sigma ,r) \le \mathbf {Adv} _{\varPhi ,\mathrm {XEX}}^{\mathrm {rk\text {-}sprp}}(2(\sigma +q),r) + A_{\mathrm {priv/auth}}(q,\ell ,\sigma ). \end{aligned}$$

Proof

Consider an attacker against $\mathrm {COPA}$ that has resources $(q,\ell ,\sigma ,r)$. As a first step, all $\mathrm {XEX}$ evaluations in $\mathrm {COPA}$ are replaced with a random tweakable related-key permutation $\widetilde{\mathsf {RK} \pi }\xleftarrow {{\scriptscriptstyle \$}}\widetilde{\mathsf {RK} \text {-}\mathsf {Perm}}(\varPhi ,\mathcal {T}_{\mathrm {COPA}},\{0,1\}^{n})$. This step costs $\mathbf {Adv} _{\varPhi ,\mathrm {XEX}}^{\mathrm {rk\text {-}sprp}}(2(\sigma +q),r)$. It remains to consider $\mathrm {COPA}$ with $\widetilde{\mathsf {RK} \pi }$. However, as $\widetilde{\mathsf {RK} \pi }$ instantiates an ideal permutation for every different related-key function, every new related-key function instantiates a completely independent instance of $\mathrm {COPA}$. Formally, assume the adversary queries $\mathrm {COPA}$ for s different key-deriving functions, $\varphi _1,\ldots ,\varphi _s$, where $\varphi _i$ is used with total resources $(q_i,\ell ,\sigma _i)$. These all instantiate independent versions of $\mathrm {COPA}$, contributing $A_{\mathrm {priv/auth}}(q_i,\ell ,\sigma _i)$ to the bound, totaling to

$$\begin{aligned} \sum _{i=1}^s A_{\mathrm {priv/auth}}(q_i,\ell ,\sigma _i) \le A_{\mathrm {priv/auth}}(q,\ell ,\sigma ), \end{aligned}$$

using that $q_i\ge 1$, $\sum _{i=1}^s q_i=q$, and $\sum _{i=1}^s \sigma _i=\sigma $. The bound then applies to all adversaries. $\square $

Prøst-$\mathrm {COPA}$ [29], in turn, uses the Prøst permutation in Even-Mansour mode. In other words, Prøst-$\mathrm {COPA}$ does not simply use $\mathrm {XEX}$, but $\mathrm {XPX}$ with tweak space

(11)

Taking any of the KDF-sets $\varPhi \in \{\varPhi _{\oplus },\varPhi _{P\oplus }\}$ of (5), we find:

Corollary 1

(RK-security of Prøst-COPA). For $\varPhi $ being $\varPhi _{\oplus }$ or $\varPhi _{P\oplus }$ of (5), we have

Proof

The proof of Theorem 2 generalizes to Prøst-$\mathrm {COPA}$ straightforwardly, where $\mathbf {Adv} _{\varPhi ,\mathrm {XEX}}^{\mathrm {rk\text {-}sprp}}(2(\sigma +q),r)$ gets replaced with $\mathbf {Adv} _{\varPhi ,\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(2(\sigma +q),r)$. This $\mathrm {XPX}$ is instantiated using tweak space of (11), which is $\mathrm {valid}$ and satisfies $t_{11},t_{12},t_{21},t_{22}\ne 0$ for any (note that $(\alpha ,\beta ,\gamma )=(0,0,0)$ is excluded). Therefore, Theorem 1(c) applies for $\varPhi =\varPhi _{\oplus }$ and Theorem 1(e) for $\varPhi =\varPhi _{P\oplus }$. In the worst case, we find that

$$\begin{aligned} \mathbf {Adv} _{\varPhi ,\mathrm {XPX}}^{\mathrm {rk\text {-}sprp}}(2(\sigma +q),r)&\le \frac{16(\sigma +q)^2+8(\sigma +q)r}{2^n}, \end{aligned}$$

completing the proof. $\square $

Note that if Prøst-$\mathrm {COPA}$ were not to use Prøst permutation in Even-Mansour mode, but if it simply had $E=P$, then the resulting $\mathrm {XPX}$ construction would have tweak space

This tweak space does not satisfy the conditions of Theorem 1(e) and we can only argue the related-key security of Prøst-$\mathrm {COPA}$ under $\varPhi _{\oplus }$.

6.3 Minalpher

$\mathrm {Minalpher}$ is an authenticated encryption scheme by Sasaki et al. [49]. $\mathrm {Minalpher}$ for integral message is depicted in Fig. 5 (we refer to [49] for the general case). At its core, it is using tweakable Even-Mansour $\mathrm {TEM}$ of (3): an evaluation of an n-bit permutation with masks^{Footnote 5} $\varDelta =2^\alpha 3^\beta \big (k\Vert \mathsf {flag}\Vert N \oplus P(k\Vert \mathsf {flag}\Vert N)\big )$, where $(\alpha ,\beta ,\mathsf {flag},N)$ is the tweak coming from tweak space

$$\begin{aligned} \big (\{0,\ldots ,\ell \}\!\times \!\{0,1,2\}\big )\backslash \{(0,0)\}\!\times \!\{\mathsf {flag}_{\mathsf {m}},\mathsf {flag}_{\mathsf {ad}},\mathsf {flag}_{\mathsf {mac}}\}\!\times \!\{0,1\}^{n/2-s}=\mathcal {T}_{\mathrm {Minalpher}}. \end{aligned}$$

Here, the key k is of size n / 2 bits, the flag of size s bits, and the nonce N of size $n/2-s$ bits.

The authors prove, among others, that $\mathbf {Adv} _{\mathrm {TEM}}^{\mathrm {sprp}}(q,r) \le \mathcal {O}((q+r)^2/2^n + (q+r)/2^{n/2})$. The extra term $\mathcal {O}((q+r)/2^{n/2})$ is new compared to Theorem 1(a), and is caused by the shorter key size. A bit of thought reveals that, because the tweaks $\mathsf {flag}\Vert N$ are concatenated to k instead of XORed with k, the results of Theorem 1(b-e) generalize to $\mathrm {TEM}$. Here, again, the specific key length needs to be taken into account. In [49], the designers prove that if the underlying $\mathrm {TEM}$ is sufficiently strong, $\mathrm {Minalpher}$ is a secure authenticated encryption scheme. In a similar fashion as Theorem 2 and Corollary 1, a generalization of Theorem 1(b-e) can be used to argue the related-key security of $\mathrm {Minalpher}$.

7 Application to MAC

Various novel MAC functions, such as the keyed Sponges [5, 7, 12, 26, 39, 44] and Chaskey [42, 43], consist of a sequential application of a permutation, where the key is used to mask the state. We discuss an application of the analysis of $\mathrm {XPX}$ to Chaskey in detail, and explain how similar reasoning applies to keyed Sponges. We first briefly discuss the security model.

7.1 Security Model

A MAC function is expected to guarantee authenticity. However, we consider a different security model, namely PRF security. More formally, let $\mathsf {MAC} $ be a MAC function that gets as input a key and message, and outputs a tag. Let $\mathcal {P}$ be an idealized primitive upon which $\mathsf {MAC} $ is based (optional, for instance a blockcipher or permutation). Let k be a randomly drawn key. Let ${\$}$ be a function with the same interface as $\mathsf {MAC} $, but that returns fresh and random answers to every query. We define the PRF security of $\mathsf {MAC} $ based on $\mathcal {P}$ as

$$\begin{aligned} \mathbf {Adv} _{\mathsf {MAC}}^{\mathrm {prf}}(\mathcal {D})&= \left| \mathbf {Pr} \left[ \mathcal {D}^{\mathsf {MAC} _k,\mathcal {P}^{\pm }} = 1 \right] - \mathbf {Pr} \left[ \mathcal {D}^{\$,\mathcal {P}^{\pm }} = 1 \right] \right| . \end{aligned}$$

For $q,\ell ,\sigma ,r\ge 0$, we define by

$$\begin{aligned} \mathbf {Adv} _{\mathsf {MAC}}^{\mathrm {prf}}(q,\ell ,\sigma ,r) = \max _\mathcal {D}\mathbf {Adv} _{\mathsf {MAC}}^{\mathrm {prf}}(\mathcal {D}) \end{aligned}$$

the security of $\mathsf {MAC} $ against any distinguisher $\mathcal {D}$ that makes q queries to the construction oracle, each of length at most $\ell $ and of total size $\sigma $, and r queries to the primitive oracle.

As before, the definition generalizes to related-key security straightforwardly, and we denote the corresponding related-key security definitions by

$$\begin{aligned} \mathbf {Adv} _{\varPhi ,\mathsf {MAC}}^{\mathrm {rk\text {-}prf}}(\mathcal {D}) \text { and }\mathbf {Adv} _{\varPhi ,\mathsf {MAC}}^{\mathrm {rk\text {-}prf}}(q,\ell ,\sigma ,r), \end{aligned}$$

where $\varPhi $ is some key-deriving function set.

7.2 Chaskey

$\mathrm {Chaskey}$ is a permutation-based MAC function by Mouha et al. [42, 43]. We consider a small adjustment, called $\mathrm {Chaskey} '$, that processes the initialized state with an evaluation of the permutation. $\mathrm {Chaskey} $ and $\mathrm {Chaskey} '$ without final truncation are depicted in Fig. 6.

Mouha et al. [43] proved the security of $\mathrm {Chaskey}$ (without the first evaluation of $P$). It consists of the idea that XORing the key k twice in-between every two consecutive $P$ evaluations gives a blockcipher-based $\mathrm {Chaskey}$ using Even-Mansour constructions $m\mapsto P(m\oplus k)\oplus k$, $m\mapsto P(m\oplus 3k)\oplus 2k$, and $m\mapsto P(m\oplus 5k)\oplus 4k$. The security of $\mathrm {Chaskey}$ boils down to the advantage of a distinguisher in distinguishing these three constructions from three ideal permutations, an advantage the authors dub the “3PRP” security. This 3PRP security is effectively equivalent to the PRP security of $\mathrm {XPX}$ with tweak space $\{(1,0,1,0),(3,0,2,0),(5,0,4,0)\}=\mathcal {T}_{\mathrm {Chaskey}}$, and we find:^{Footnote 6}

$$\begin{aligned} \mathbf {Adv} _{\mathrm {Chaskey}}^{\mathrm {prf}}(q,\ell ,\sigma ,r) \le \mathbf {Adv} _{\mathrm {XPX}}^{\mathrm {prp}}(\sigma ,r) + \frac{2\sigma ^2}{2^n}. \end{aligned}$$

Now, for $\mathrm {Chaskey} '$, the idea is to XOR $P(k)\oplus P(k)$ everywhere in-between two consecutive $P$ evaluations except for the first two. In this case, $\mathrm {Chaskey} '$ would simply be using $\mathrm {XPX}$ with tweak space

$$\begin{aligned} \{(0,1,0,1),(2,1,2,0),(4,1,4,0)\}=\mathcal {T}_{\mathrm {Chaskey} '}. \end{aligned}$$

Note that $\mathcal {T}_{\mathrm {Chaskey} '}$ satisfies the conditions of Theorem 1(b). Similarly to Theorem 2 and Corollary 1, we directly obtain:

Corollary 2

(RK-security of Chaskey $'$ ). For $\varPhi _{\oplus }$ of (5), we have

$$\begin{aligned} \mathbf {Adv} _{\varPhi _{\oplus },\mathrm {Chaskey} '}^{\mathrm {rk\text {-}prf}}(q,\ell ,\sigma ,r)&\le \frac{\frac{7}{2}\sigma ^2+4\sigma r}{2^n-\sigma } + \frac{2\sigma ^2}{2^n}. \end{aligned}$$

7.3 Keyed Sponge

Following [7, 12], Andreeva et al. [5] formalized two Sponges: the inner-keyed Sponge and the outer-keyed Sponge. Gaži et al. [26] generalized these results (among others) to full-state absorption. This construction, to some extent, resembles the Donkey Sponge construction [8]. Mennink et al. [39] considered the full-state Sponge and full-state Duplex. In a similar fashion as the analysis of Sect. 7.2, the inner-keyed Sponge [5], the Donkey Sponge [8], and the full-state Sponge and Duplex [39] can be adjusted to achieve related-key security.

Notes

1.
$\varPhi _{P\oplus }$ could alternatively be written as the set of functions $\varphi _{b,\delta }:k\mapsto \big (k\oplus \delta \text { (if b=0) or }P^{-1}(P(k)\oplus \delta )\text { (if b=1)}\big )$. We have opted for the writeup in (5) to make the appearance of the key relation ($\delta $ or $\epsilon $) more explicit.
2.
Indeed, if (for instance) $(1,0,\bar{t}_{21},\bar{t}_{22})\in \mathcal {T}$, a construction query $((1,0,\bar{t}_{21},\bar{t}_{22}),0)$ will reveal $\bar{c}=\bar{t}_{21}k\oplus (\bar{t}_{22}\oplus 1)P(k)$ and a special analysis is needed.
3.
Because $\mathcal {T}$ is valid, $\bar{t}_{21},\bar{t}_{22}\oplus 1\ne 0$ in the former case and $\bar{t}_{11}\oplus 1,\bar{t}_{12}\ne 0$ in the latter.
4.
The fact that $(0,0,0)\not \in \mathcal {T}_{\mathrm {COPA}}$ is important, cf. Rogaway [48] and Minematsu [40] who describe an attack on $\mathrm {XEX}$ if (0, 0, 0) were permitted.
5.
The original specification uses a generator $\mathtt {y}$ instead of 2.
6.
The authors of [43] effectively consider MAC security instead of PRF security, but the analysis carries over.

References

Albrecht, M.R., Farshim, P., Paterson, K.G., Watson, G.J.: On cipher-dependent related-key attacks in the ideal-cipher model. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 128–145. Springer, Heidelberg (2011)
Chapter Google Scholar
Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013)
Chapter Google Scholar
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
Chapter Google Scholar
Andreeva, E., Bogdanov, A., Mennink, B.: Towards understanding the known-key security of block ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 348–366. Springer, Heidelberg (2014)
Google Scholar
Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015)
Chapter Google Scholar
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)
Chapter Google Scholar
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop (SKEW 2011) (2011)
Google Scholar
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Permutation-based encryption, authentication and authenticated encryption. In: Directions in Authenticated Ciphers (DIAC 2012) (2012)
Google Scholar
Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012)
Chapter Google Scholar
CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness, May 2015. http://competitions.cr.yp.to/caesar.html
Chakraborty, D., Sarkar, P.: A general construction of tweakable block ciphers and different modes of operations. In: Lipmaa, H., Yung, M., Lin, D. (eds.) Inscrypt 2006. LNCS, vol. 4318, pp. 88–102. Springer, Heidelberg (2006)
Chapter Google Scholar
Chang, D., Dworkin, M., Hong, S., Kelsey, J., Nandi, M.: A keyed sponge construction with pseudorandomness in the standard model. In: NIST’s 3rd SHA-3 Candidate Conference 2012 (2012)
Google Scholar
Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014)
Chapter Google Scholar
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014)
Chapter Google Scholar
Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 493–517. Springer, Heidelberg (2015)
Chapter Google Scholar
Cogliati, B., Seurin, Y.: Beyond-birthday-bound security for tweakable Even-Mansour ciphers with linear tweak and key mixing. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 134–158. Springer, Heidelberg (2015)
Chapter Google Scholar
Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015)
Google Scholar
Cogliati, B., Seurin, Y.: Strengthening the known-key security notion for block ciphers. In: FSE 2016. LNCS, Springer, Heidelberg (2016, to appear)
Google Scholar
Dai, Y., Lee, J., Mennink, B., Steinberger, J.: The security of multiple encryption in the ideal cipher model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 20–38. Springer, Heidelberg (2014)
Chapter Google Scholar
Datta, N., Nandi, M.: ELmD v1.0, submission to CAESAR competition (2014)
Google Scholar
Dobraunig, C., Eichlseder, M., Mendel, F.: Related-key forgeries for Prøst-OTR. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 282–296. Springer, Heidelberg (2015)
Chapter Google Scholar
Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012)
Chapter Google Scholar
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 201–224. Springer, Heidelberg (1993)
Google Scholar
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
Article MathSciNet MATH Google Scholar
Farshim, P., Procter, G.: The related-key security of iterated Even-Mansour ciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015)
Chapter Google Scholar
Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015 Part I. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015)
Chapter Google Scholar
Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 263–293. Springer, Heidelberg (2016)
Chapter Google Scholar
Karpman, P.: From distinguishers to key recovery: improved related-key attacks on Even-Mansour. In: López, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 177–188. Springer, Heidelberg (2015)
Chapter Google Scholar
Kavun, E., Lauridsen, M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1, submission to CAESAR competition (2014)
Google Scholar
Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated even-mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
Chapter Google Scholar
Lampe, R., Seurin, Y.: How to construct an ideal cipher from a small set of public permutations. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 444–463. Springer, Heidelberg (2013)
Chapter Google Scholar
Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–152. Springer, Heidelberg (2014)
Google Scholar
Landecker, W., Shrimpton, T., Terashima, R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012)
Chapter Google Scholar
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
Chapter Google Scholar
Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015)
Chapter Google Scholar
Mennink, B.: Optimally secure tweakable blockciphers. Cryptology ePrint Archive, report 2015/363, full version of [35] (2015)
Google Scholar
Mennink, B.: XPX: Generalized tweakable Even-Mansour with improved security guarantees. Cryptology ePrint Archive, report 2015/476, full version of this paper (2015)
Google Scholar
Mennink, B., Preneel, B.: On the XOR of multiple random permutations. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 619–634. Springer, Heidelberg (2015)
Chapter Google Scholar
Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015)
Chapter Google Scholar
Minematsu, K.: Improved security analysis of XEX and LRW modes. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 96–113. Springer, Heidelberg (2007)
Chapter Google Scholar
Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009)
Chapter Google Scholar
Mouha, N.: Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. Cryptology ePrint Archive, report 2015/1182 (2015)
Google Scholar
Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Heidelberg (2014)
Chapter Google Scholar
Naito, Y., Yasuda, K.: New bounds for keyed sponges with extendable output: Independence between capacity and message length. In: FSE 2016. LNCS, Springer, Heidelberg (2016, to appear)
Google Scholar
Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993)
Google Scholar
Patarin, A.: A proof of security in $O(2^{n})$ for the Xor of two randompermutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008)
Chapter Google Scholar
Procter, G.: A note on the CLRW2 tweakable block cipher construction. Cryptology ePrint Archive, report 2014/111 (2014)
Google Scholar
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
Chapter Google Scholar
Sasaki, Y., Todo, Y., Aoki, K., Naito, Y., Sugawara, T., Murakami, Y., Matsui, M., Hirose, S.: Minalpher v1, submission to CAESAR competition (2014)
Google Scholar
Steinberger, J.: Improved security bounds for key-alternating ciphers via Hellinger distance. Cryptology ePrint Archive, report 2012/481 (2012)
Google Scholar

Download references

Acknowledgments

This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007), and in part by COST Action “Cryptography for Secure Digital Interaction.” Bart Mennink is a Postdoctoral Fellow of the Research Foundation – Flanders (FWO). The author would like to thank the DTU Compute team and the anonymous reviewers of CRYPTO 2016 for their comments and suggestions.

Author information

Authors and Affiliations

Department of Electrical Engineering, ESAT/COSIC, KU Leuven and iMinds, Leuven, Belgium
Bart Mennink

Authors

Bart Mennink
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Bart Mennink .

Editor information

Editors and Affiliations

Impinj, Inc. , Seattle, Washington, USA
Matthew Robshaw
University of Maryland , College Park, Maryland, USA
Jonathan Katz

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Mennink, B. (2016). XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. In: Robshaw, M., Katz, J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science(), vol 9814. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53018-4_3

Download citation

DOI: https://doi.org/10.1007/978-3-662-53018-4_3
Published: 21 July 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53017-7
Online ISBN: 978-3-662-53018-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees

Abstract

Similar content being viewed by others

Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing

Tweakable Block Ciphers Secure Beyond the Birthday Bound in the Ideal Cipher Model

Tweak-Length Extension for Tweakable Blockciphers

Keywords

1 Introduction

1.1 Our Contribution

1.2 Applications

1.3 Outline

2 Preliminaries

2.1 Single-Key Security Model

2.2 Related-Key Security Model

2.3 Patarin’s Technique

Lemma 1

3 \(\mathrm {XPX}\)

4 Valid Tweak Sets

Definition 1

4.1 Examples of Valid Tweak Spaces

Example 1

Example 2

Example 3

4.2 Minimality of Definition 1

Proposition 1

Proof

5 Security of \(\mathrm {XPX}\)

Theorem 1

5.1 Minimality of the Conditions of Theorem 1

Proposition 2

Proof

5.2 Proof of Theorem 1(a)

Lemma 2

Proof

Lemma 3

Proof

6 Application to Authenticated Encryption

6.1 Security Model

6.2 Prøst-\(\mathrm {COPA}\)

Theorem 2

Proof

Corollary 1

Proof

6.3 Minalpher

7 Application to MAC

7.1 Security Model

7.2 Chaskey

Corollary 2

7.3 Keyed Sponge

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us