2012
DOI: 10.1007/978-3-642-32009-5_2

Tweakable Blockciphers with Beyond Birthday-Bound Security

Abstract: Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO'02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and requires per-invocation blockcipher rekeying. This paper gives the first TBC co…

Cited by 56 publications
(41 citation statements)
References 33 publications
“… , $h_\sigma$) instantiations of a universal hash function family H. Landecker et al [35] and Procter [48] showed that this construction achieves approximately $2^{2n/3}$ security for two rounds, and Lampe and Seurin [34] proved security up to about $2^{\sigma n/(\sigma+2)}$ for an arbitrary even number of rounds. It is conjectured that this scheme achieves $2^{\sigma n/(\sigma+1)}$ security for any $\sigma \geq 1$ [34].…”
Section: Lrw2[σ]([k H] T M) = Lrw2([k σ H σ ] T · · · Lrw2([k (mentioning)
confidence: 99%
“…All results on tweakable blockciphers in the standard cipher model [15,34,35,36,42,43,48,50], implicitly rely on a generic standard-to-ideal reduction, where the keyed blockcipher calls are replaced with secret ideal permutations. This step usually costs $\mathrm{Adv}^{\mathrm{srkprp}}_{\Phi,E}(D)$, where $D$ is some strong related-key PRP distinguisher with a certain amount of resources, usually $q$ queries to the keyed oracle $E_{\varphi(k)}$ and $\tau$ time, and $\Phi$ is the set of related-key deriving functions $\varphi$ that $D$ is allowed to choose.…”
Section: Optimal Security In Standard Model? (mentioning)
confidence: 99%
“…These constructions overcome the birthday bound by using 2n-bit blockciphers as primitives, which are in turn constructed from an n-bit TBC. To our knowledge, CLRW2 [23] is the most efficient n-bit TBC with beyond-birthday-bound security that supports the necessary tweakspace (Minematsu's TBC [28] limits tweak lengths to fewer than n/2 bits). Compared to $\mathrm{TCT}_2$, instantiating the LargeBlock constructions with this primitive ultimately requires an extra six finite field multiplications for each n bits of input.…”
Section: Related Work (mentioning)
confidence: 99%
“…For the FIL component, we can use Coron et al's [15] CDMS construction to get a 2n-bit TBC from an n-bit TBC, and implement the latter using the CLRW2, a recent beyond-birthday-bound secure construction by Landecker, Shrimpton, and Terashima [23]. Table 10 describes both constructions.…”
Section: Aiming For Beyond Birthday-bound Security: Tct (mentioning)
confidence: 99%