Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing, 2015
Abstract

Cited by 1 (0 self)
Abstract. The iterated Even-Mansour construction defines a block cipher from a tuple of public n-bit permutations (P1, ..., Pr) by alternatively xoring some n-bit round key ki, i = 0, ..., r, and applying permutation Pi to the state. The tweakable Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the n-bit round keys by n-bit strings derived from a master key and a tweak, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a non-linear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a 2n-bit master key and an n-bit tweak which is provably secure in the Random Permutation Model up to roughly 2^{2n/3} adversarial queries.
Citation context: "... of iterated Even-Mansour ciphers, EM(r), r ≥ 1 (see, e.g., [11], [4], [14], [7], [1] and ..."
Abstract
Abstract. In the last years, much research work has been invested into the security analysis of key-alternating ciphers in the random oracle model. These are pseudorandom permutations (PRPs), sometimes also called iterated Even-Mansour ciphers, which are defined by alternatingly adding n-bit subkeys ki and calling public n-bit permutations Pi. Besides the fact that results of this kind concern the fundamental question of understanding the nature of pseudorandomness, a practical motivation for this study is that many modern block cipher designs correspond exactly to variants of iterated Even-Mansour ciphers. In this paper, we study similar constructions for pseudorandom functions (PRFs), where additionally access to a public n-bit (one-way) function F is allowed. In particular, we show a sharp n/2-security bound for the simplest possible construction F(x ⊕ k) and a sharp 2/3·n-bound for the FP(1)-construction F(P(x ⊕ k) ⊕ k), both in the random oracle model. The latter result contrasts with a sharp bound of the same order
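Both abstracts above measure security in queries, and the "birthday bound" of roughly 2^{n/2} queries is the threshold the one-round constructions fail to exceed. The following is an added example, not code from either paper: it builds the iterated Even-Mansour cipher EM^(r), the PRF candidates F(x ⊕ k) and the FP(1) construction F(P(x ⊕ k) ⊕ k) over a toy block size (n = 16, an assumption so the random permutation and random function fit in a lookup table), and then runs the classical generic birthday-bound key recovery against single-key one-round Even-Mansour and against F(x ⊕ k), counting how many oracle queries it spends. The attack idea (tabulate x ⊕ E(x) from the keyed oracle and y ⊕ P(y) from the public permutation; a collision suggests y = x ⊕ k) is the well-known attack on single-key Even-Mansour and is only an illustration of why those constructions are n/2-secure at best; it says nothing about the 4-round or FP(1) constructions, which are included only so the three definitions can be compared side by side.

```python
"""Toy Even-Mansour-style constructions and the generic birthday-bound
key recovery against the one-round / one-call variants.
Added example; n = 16 is an assumption chosen so tables fit in memory."""
import random

N_BITS = 16
SIZE = 1 << N_BITS


def random_permutation(seed):
    """Public permutation P as a table (Random Permutation Model)."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table


def random_function(seed):
    """Public one-way function F modelled as a random oracle table."""
    rng = random.Random(seed)
    return [rng.randrange(SIZE) for _ in range(SIZE)]


def iterated_em(perms, keys, x):
    """EM^(r): x -> P_r(... P_1(x xor k_0) xor k_1 ...) xor k_r."""
    assert len(keys) == len(perms) + 1, "r permutations need r+1 round keys"
    state = x ^ keys[0]
    for p, k in zip(perms, keys[1:]):
        state = p[state] ^ k
    return state


def prf_fxk(f, k, x):
    """Simplest PRF candidate from the second abstract: F(x xor k)."""
    return f[x ^ k]


def prf_fp1(f, p, k, x):
    """FP(1) construction: F(P(x xor k) xor k)."""
    return f[p[x ^ k] ^ k]


class Counting:
    """Wraps an oracle so the attack can report how many queries it spent."""
    def __init__(self, fn):
        self.fn, self.calls = fn, 0

    def __call__(self, x):
        self.calls += 1
        return self.fn(x)


def birthday_key_recovery(keyed, public, fingerprint, model, q, seed=0):
    """Generic birthday attack with q keyed and q public queries.

    fingerprint(v, out) must be a value that is equal for the keyed query x
    and the public query y = x xor k; model(public, k, t) recomputes what the
    keyed oracle should return under candidate key k, used to verify the
    candidate on two fresh inputs. Returns (key, total_queries) or None."""
    rng = random.Random(seed)
    xs = rng.sample(range(SIZE), q)
    ys = rng.sample(range(SIZE), q)
    table = {}
    for x in xs:
        table.setdefault(fingerprint(x, keyed(x)), []).append(x)
    tried = set()
    for y in ys:
        for x in table.get(fingerprint(y, public(y)), []):
            cand = x ^ y
            if cand in tried:
                continue
            tried.add(cand)
            if all(keyed(t) == model(public, cand, t)
                   for t in rng.sample(range(SIZE), 2)):
                return cand, keyed.calls + public.calls
    return None


def attack_single_key_em(k, q, seed=0):
    """E(x) = P(x xor k) xor k, so x xor E(x) == y xor P(y) when y = x xor k."""
    P = random_permutation(seed + 1)
    keyed = Counting(lambda x: iterated_em([P], [k, k], x))
    public = Counting(lambda y: P[y])
    return birthday_key_recovery(
        keyed, public,
        fingerprint=lambda v, out: v ^ out,
        model=lambda pub, kk, t: pub(t ^ kk) ^ kk,
        q=q, seed=seed)


def attack_fxk(k, q, seed=0):
    """F(x xor k) == F(y) when y = x xor k: the fingerprint is the output."""
    F = random_function(seed + 2)
    keyed = Counting(lambda x: prf_fxk(F, k, x))
    public = Counting(lambda y: F[y])
    return birthday_key_recovery(
        keyed, public,
        fingerprint=lambda v, out: out,
        model=lambda pub, kk, t: pub(t ^ kk),
        q=q, seed=seed)


if __name__ == "__main__":
    # 2^(n/2 + 2) queries per oracle: a small constant above the birthday bound.
    q = 1 << (N_BITS // 2 + 2)
    print("single-key EM:", attack_single_key_em(0xBEEF, q))
    print("F(x xor k):   ", attack_fxk(0x1234, q))
```

With q = 2^{n/2+2} the attacker expects about q^2 / 2^n = 16 true collisions plus a similar number of spurious ones; the two-input verification step discards the spurious candidates at the cost of a couple of extra queries each, so the whole recovery stays in the low thousands of queries against a 2^16 key space. Scaling q as 2^{n/2} is exactly what "secure only up to the birthday bound" means in the first abstract.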