1 Introduction

Tweakable Block Ciphers. Tweakable block ciphers (TBCs for short) are a generalization of traditional block ciphers which, in addition to the usual inputs (message and cryptographic key), take an extra (potentially adversarially controlled) input for variability called a tweak. Hence, the signature of a tweakable block cipher is \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\), where \(\mathcal {K}\) is the key space, \(\mathcal {T}\) the tweak space, and \(\mathcal {M}\) the message space. This primitive has been rigorously formalized by Liskov et al. [25], and has proved to be very useful to construct various higher level cryptographic schemes such as (tweakable) length-preserving encryption modes [17, 18], online ciphers [2, 34], message authentication codes [24, 25], and authenticated encryption modes [25, 32, 33].

Tweakable block ciphers can be designed “from scratch” (e.g., the Hasty Pudding cipher [36], Mercy [10], or Threefish, the block cipher on which the Skein hash function [15] is based), however most of the proposed constructions are on top of an existing (traditional) block cipher, in a black-box fashion. In this latter family, constructions where changing the tweak implies to change the key of the underlying block cipher (e.g., Minematsu’s construction [26]) tend to be avoided for efficiency reasons (re-keying a block cipher is often a costly operation). Hence, most of the existing proposals have the property that the key under which the underlying block cipher is called is tweak-independent. Of particular relevance to our work, the original Liskov et al.’s paper proposed the so-called LRW construction (sometimes called LRW2 in the literature since this was the second of two constructions suggested in [25]), based on a block cipher E with key space \(\mathcal {K}_E\) and message space \(\{0,1\}^n\) and an almost XOR-universal (AXU) family of hash functions \(\mathcal {H}=(H_k)_{k\in \mathcal {K}_H}\) from some set \(\mathcal {T}\) to \(\{0,1\}^n\), and defined as

$$\begin{aligned} \mathsf {LRW}^E((k,k'),t,x)=H_{k'}(t)\oplus E_k(H_{k'}(t)\oplus x), \end{aligned}$$
(1)

where \((k,k')\in \mathcal {K}_E\times \mathcal {K}_H\) is the key, \(t\in \mathcal {T}\) is the tweak, and \(x\in \{0,1\}^n\) is the message. This construction was proved secure in [25] up to the birthday bound, i.e., \(2^{n/2}\) adversarial queries (assuming the underlying block cipher E is secure in the traditional sense, i.e., it is a strong pseudorandom permutation). This was later extended by Landecker et al. [24] who considered the cascade of two rounds of the LRW construction (with independent block cipher and hash function keys for each round), and proved it secure up to about \(2^{2n/3}\) adversarial queries.Footnote 1 This was further generalized to longer cascades by Lampe and Seurin [23] who proved that the r-round Chained-LRW (CLRW) construction is secure up to roughly \(2^{\frac{rn}{r+2}}\) adversarial queries (they also conjectured that the tight security bound is \(2^{\frac{rn}{r+1}}\) queries).

The Iterated Even-Mansour Construction. The iterated Even-Mansour construction abstracts in a generic way the high-level structure of key-alternating ciphers [11]. Concretely, it defines a block cipher from a tuple of r public n-bit permutations \((P_1,\ldots ,P_r)\), the ciphertext associated to some message \(x\in \{0,1\}^n\) being computed as

$$ y=k_r\oplus P_r(k_{r-1}\oplus P_{r-1}(\cdots P_2(k_1\oplus P_1(k_0\oplus x))\cdots )), $$

where the n-bit round keys \(k_0,\ldots ,k_r\) are either independent or derived from a master key. This construction was extensively analyzed in the Random Permutation model, where the \(P_i\)’s are modeled as public random permutation oracles that the adversary can only query (bidirectionally) in a black-box way. This approach was originally taken for \(r=1\) round in the seminal paper of Even and Mansour [13], who showed that the block cipher encrypting x into \(k_1\oplus P(k_0\oplus x)\) is secure up to \(2^{n/2}\) adversarial queries.Footnote 2 Dunkelman et al. [12] subsequently remarked that the same security level is retained by the single-key one-round Even-Mansour cipher, i.e., when \(k_0=k_1\). An important step was later made by Bogdanov et al. [5], who showed that for \(r=2\) rounds, the construction ensures security up to roughly \(2^{2n/3}\) adversarial queries. Bogdanov et al.’s paper triggered a spate of results improving the pseudorandomness bound as the number r of rounds grows [21, 38], culminating with the proof by Chen and Steinberger [7] that the r-round iterated Even-Mansour construction with r-wise independent round keys ensures security up to about \(2^{\frac{rn}{r+1}}\) adversarial queries (tightly matching a generic attack described in [5]). Note that a special case of r-wise independent round keys is obtained by cascading r single-key one-round Even-Mansour ciphers (with independent keys), viz.

$$ E_{k_1,\ldots ,k_r}(x)=k_r\oplus P_r(k_r\oplus k_{r-1}\oplus P_{r-1}(k_{r-1}\oplus \cdots \oplus k_1\oplus P_1(k_1\oplus x)\cdots )), $$

in which case the high-level similarity with the CLRW construction is obvious.

Besides pseudorandomness, the iterated Even-Mansour construction (with a sufficient number of rounds) has also been shown to achieve resistance to known-key attacks [3], related-key attacks [9, 14], and chosen-key attacks [9], as well as indifferentiability from an ideal cipher [1, 22].

Our Results. We consider the problem of constructing tweakable block ciphers directly from a tuple of public permutations rather than from a full-fledged block cipher. This was partially tackled by Cogliati and Seurin in [9]. They showed how to construct a TBC with n-bit keys and n-bit tweaks from three public n-bit permutations which is secure up to the birthday bound: denoting E(kx) the 3-round iterated Even-Mansour cipher with the trivial key schedule (i.e., all round keys are equal to the n-bit master key k), let \(\widetilde{E}\) be the TBC defined as

$$\begin{aligned} \widetilde{E}(k,t,x)=E(k\oplus t,x). \end{aligned}$$
(2)

Hence, \(\widetilde{E}\) is simply the 3-round iterated Even-Mansour cipher with round keys replaced by \(k\oplus t\). Cogliati and Seurin showedFootnote 3 that this TBC is provably secure up to \(2^{n/2}\) adversarial queries in the Random Permutation Model (and that two rounds or less are insecure). The drawback of this simple construction is that any TBC of the form (2) with an underlying block cipher E of key-length \(\kappa \) can deliver at most \(\kappa /2\) bits of security [4], so that there is no hope to improve the number of queries that the construction can securely tolerate by merely increasing the number of rounds to four or more.

In this paper, we aim at getting a tweakable Even-Mansour-like construction with security beyond the birthday bound. The naive way of proceeding would be to instantiate the block cipher E in the CLRW construction with an iterated Even-Mansour cipher based on permutations \(P_1,\ldots ,P_r\). However, combining existing results for CLRW on one hand [23, 24], and for the iterated Even-Mansour cipher on the other hand [7], one would need at least \(r^2\) independent permutations to get provable \(\mathcal {O}(2^{\frac{rn}{r+1}})\)-security.Footnote 4 A more promising approach, that we take here, is to start with the construction obtained by combining the (one-round) LRW construction and the (one-round) Even-Mansour cipher, yielding what we dub the one-round tweakable Even-Mansour construction, defined from a single n-bit permutation P and an AXU family of hash functions \(\mathcal {H}'=(H'_{k'})_{k'\in \mathcal {K}'}\) from some tweak space \(\mathcal {T}\) to \(\{0,1\}^n\) as

$$\begin{aligned} \mathsf {TEM}^{P}((k,k'),t,x)=H'_{k'}(t)\oplus k\oplus P(H'_{k'}(t)\oplus k\oplus x), \end{aligned}$$
(3)

where \((k,k')\in \{0,1\}^n\times \mathcal {K}'\) is the key, \(t\in \mathcal {T}\) is the tweak, and \(x\in \{0,1\}^n\) is the message. Combining the security proofs for LRW [25] and for the one-round single-key Even-Mansour cipher [12, 13] directly yields that this construction ensures security up to \(2^{n/2}\) adversarial queries, in the Random Permutation model for P. For example, if we use the universal hash function family based on multiplication in the finite field \(\mathbb {F}_{2^n}\), i.e., \(H_{k'}(t)=k'\otimes t\), which is XOR-universal, one obtains a simple tweakable block cipher with 2n-bit keys and n-bit tweaks which is secure up to the birthday bound.

Our first insight is to consider the slightly more general construction

$$\begin{aligned} \mathsf {TEM}^{P}(k,t,x)=H_{k}(t)\oplus P(H_{k}(t)\oplus x). \end{aligned}$$
(4)

It is not too hard to show (as we do in Sect. 3.2) that this more general construction also ensures security up to \(2^{n/2}\) adversarial queries, assuming that the hash function family \(\mathcal {H}=(H_k)_{k\in \mathcal {K}}\), in addition to being AXU, is also uniform (i.e., for any \(t\in \mathcal {T}\) and any \(y\in \{0,1\}^n\), the probability over \(k\leftarrow _{\$}\mathcal {K}\) that \(H_k(t)=y\) is equal to \(2^{-n}\)).Footnote 5 This simple observation allows to save n bits of key material when using multiplication-based hashing, since \(H_k(t)=k\otimes t\) is XOR-universal and uniform if one restricts the tweak space to \(\mathbb {F}_{2^n}\setminus \{0\}\).

It is naturally tempting to consider cascading \(r>1\) rounds of construction (4) to obtain an hybrid of the iterated Even-Mansour cipher and the CLRW construction. Our main result is that the two-round construction

$$ \mathsf {TEM}^{P_1,P_2}((k_1,k_2),t,x)=H_{k_2}(t)\oplus P_2(H_{k_2}(t)\oplus H_{k_1}(t)\oplus P_1(H_{k_1}(t)\oplus x)) $$

is secure (against adaptive chosen-plaintext and ciphertext attacks) up to approximately \(2^{2n/3}\) adversarial queries (again, assuming that \(\mathcal {H}\) is uniform and AXU).

To arrive at this result, we could have adapted the game-based proof of [24] for the two-round CLRW construction to accommodate the fact that in the TEM setting, the adversary has additionally oracle access to the inner permutations \(P_1\) and \(P_2\). Yet we preferred to use the H-coefficients technique [30], which was successfully applied to the analysis of the iterated Even-Mansour cipher [6, 7], and adjust it to take into account the existence of the tweak in the TEM construction. Our choice was motivated by the fact that the H-coefficients-based security proof for the two-round Even-Mansour cipher is (in our opinion) simpler than the game-based proof for the two-round CLRW construction. Actually, our security proof for the two-round TEM construction can easily be simplified (by making the inner permutations secret, or, more formally, letting the number of queries \(q_p\) to the inner permutations be zero in our security bound as given by Theorem 2) to yield a new, H-coefficients-based proof of the security result of [24] for the two-round CLRW construction (our own bound matching Landecker et al.’s one [24] up to multiplicative constants).Footnote 6 It seems interesting to us that our proof entails a new and conceptually simpler (at least to us) proof of a previous result that turned out quite delicate to get right with game-based techniques [31]. We explain how to “extract” from our work a H-coefficients proof for the two-round CLRW construction in the full version of this paper [8].

We were unable to extend our H-coefficients security proof to \(r>2\) rounds.Footnote 7 Instead, we provide an asymptotic analysis of the TEM construction (as r grows) based on the coupling technique [19, 28]. This part combines in a rather straightforward way the approach of [21] (which applied the coupling technique to the iterated Even-Mansour cipher) and of [23] (which applied the coupling technique to the CLRW construction). This allows us to prove that the r-round TEM construction is secure up to roughly \(2^{\frac{rn}{r+2}}\) adversarial queries (against adaptive chosen-plaintext and ciphertext attacks). As with previous work, we conjecture that the “real” security bound is actually \(2^{\frac{rn}{r+1}}\) queries (which we prove to hold for the weaker class of non-adaptive chosen-plaintext adversaries), but that the coupling technique is not adapted to prove this.

Application to Related-Key Security. There are strong connections between tweakable block ciphers and the related-key security of traditional block ciphers [4, 25]. We expand on this in the full version of the paper [8], explaining how our results have immediate implications for the related-key security of the traditional (iterated) Even-Mansour cipher with a nonlinear key-schedule.

Related Work and Perspectives. There are very few papers studying generic ways of building tweakable block ciphers from some lower-level primitive than a traditional block cipher. One notable exception is the work of Goldenberg et al. [16] who studied how to tweak (generically) Feistel ciphers (in other words, they showed how to construct tweakable block ciphers from pseudorandom functions). This was extended to generalized Feistels by Mitsuda and Iwata [27]. Our own work seems to be the first (besides [9], that capped at the birthday bound) to explore theoretically sound ways to construct “by-design” tweakable block ciphers with an SPN or more generally a key-alternating structure. In a sense, it can be seen as complementary to the recent \(\mathsf {TWEAKEY}\) framework introduced by Jean et al. [20], that tackled a similar goal but adopted a more practical and attack-driven (rather than proof-oriented) angle. We hope that combining these two approaches will pave the way towards efficient and theoretically sound ways of building tweakable key-alternating ciphers, or tweaking existing ones such as \(\mathsf {AES}\). We also note that the term tweakable Even-Mansour was previously used by the designers of Minalpher [35] (a candidate to the CAESAR competition) to designate a permutation-based variant of Rogaway’s XEX construction [32]. It relates to construction (4) by eliminating the AXU hash function \(H_k(t)\) and replacing it by \(\varDelta =(k\Vert t)\oplus P(k\Vert t)\) (thereby halving tweak- and key-length), in about the same way XEX replaces the AXU hash function of the LRW construction (1) by a “gadget” calling the underlying block cipher \(E_k\). The designers of Minalpher prove that this construction also achieves birthday-bound security.

Finally, we bring up some open problems. First, as already mentioned, it would be very interesting to give a tight analysis of the TEM construction for any number \(r>2\) of rounds (a first, hopefully simpler step towards this goal would be to give a tight bound for the CLRW construction for \(r>2\)). Second, variants with the same permutation and/or non-independent round keys are also worth studying, as was done in [6] for the (traditional) two-round iterated Even-Mansour cipher. Third, since implementing an AXU hash function family might be costly, it would be very valuable to explore whether linear operations for mixing the key and the tweak into the state of an Even-Mansour-like construction might be enough to get security beyond the birthday bound.

2 Preliminaries

2.1 Notation and General Definitions

General Notation. In all the following, we fix an integer \(n\ge 1\) and denote \(N=2^n\). For integers \(1\le b\le a\), we will write \((a)_b=a(a-1)\cdots (a-b+1)\) and \((a)_0=1\) by convention. The set of all permutations of \(\{0,1\}^n\) will be denoted \(\mathsf {P}(n)\). Given a non-empty set X, we denote \(x\leftarrow _{\$}X\) the draw of an element x from X uniformly at random.

Tweakable Block Ciphers. A tweakable block cipher with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\mathcal {M}\) is a mapping \(\widetilde{E}:\mathcal {K}\times \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any key \(k\in \mathcal {K}\) and any tweak \(t\in \mathcal {T}\), \(x\mapsto \widetilde{E}(k,t,x)\) is a permutation of \(\mathcal {M}\). We denote \(\mathsf {TBC}(\mathcal {K},\mathcal {T},n)\) the set of all tweakable block ciphers with key space \(\mathcal {K}\), tweak space \(\mathcal {T}\), and message space \(\{0,1\}^n\). A tweakable permutation with tweak space \(\mathcal {T}\) and message space \(\mathcal {M}\) is a mapping \(\widetilde{P}: \mathcal {T}\times \mathcal {M}\rightarrow \mathcal {M}\) such that for any tweak \(t\in \mathcal {T}\), \(x\mapsto \widetilde{P}(t,x)\) is a permutation of \(\mathcal {M}\). We denote \(\mathsf {TP}(\mathcal {T},n)\) the set of all tweakable permutations with tweak space \(\mathcal {T}\) and message space \(\{0,1\}^n\).

The Iterated Tweakable Even-Mansour Construction. Fix integers \(n,r\ge 1\). Let \(\mathcal {T}\) and \(\mathcal {K}\) be two sets, and \(\mathcal {H}=(H_k)_{k\in \mathcal {K}}\) be a family of functions from \(\mathcal {T}\) to \(\{0,1\}^n\) indexed by \(\mathcal {K}\). The r-round iterated tweakable Even-Mansour construction \(\mathsf {TEM}[n,r,\mathcal {H}]\) specifies, from an r-tuple \(\mathbf {P}=(P_1,\ldots ,P_r)\) of permutations of \(\{0,1\}^n\), a tweakable block cipher with key space \(\mathcal {K}^r\), tweak space \(\mathcal {T}\), and message space \(\{0,1\}^n\), simply denoted \(\mathsf {TEM}^{\mathbf {P}}\) in the following (parameters \([n,r,\mathcal {H}]\) will always be clear from the context) which maps a key \(\mathbf {k}=(k_1,\ldots ,k_r)\in \mathcal {K}^r\), a tweak \(t\in \mathcal {T}\), and a plaintext \(x\in \{0,1\}^n\) to the ciphertext defined as (see Fig. 1):

$$ \mathsf {TEM}^{\mathbf {P}}(\mathbf {k},t,x)=\varPi ^{P_r}_{k_r,t} \circ \cdots \circ \varPi ^{P_1}_{k_1,t}(x), $$

where \(\varPi ^P_{k,t}\) is the permutation of \(\{0,1\}^n\) (corresponding to one round of the construction) defined as

$$ \varPi ^P_{k,t}(x)=H_k(t)\oplus P(H_k(t)\oplus x). $$

We will denote \(\mathsf {TEM}^{\mathbf {P}}_{\mathbf {k}}\) the mapping taking as input \((t,x)\in \mathcal {T}\times \{0,1\}^n\) and returning \(\mathsf {TEM}^{\mathbf {P}}(\mathbf {k},t,x)\).

Convention 1

In order to lighten the notation, we will often identify the hash function family \(\mathcal {H}\) and its key space \(\mathcal {K}\). This way, the key space of the r-round \(\mathsf {TEM}^{\mathbf {P}}\) tweakable block cipher is simply \(\mathcal {H}^r\), and we write

$$ \mathsf {TEM}^{\mathbf {P}}_{\mathbf {h}}(t,x)=h_r(t)\oplus P_r(h_r(t)\oplus \cdots \oplus h_1(t)\oplus P_1(h_1(t)\oplus x) \cdots ) $$

where \(\mathbf {h}=(h_1,\ldots ,h_r)\in \mathcal {H}^r\) is the key of \(\mathsf {TEM}^{\mathbf {P}}\).

Fig. 1.
figure 1

The tweakable Even-Mansour construction with r rounds, based on public permutations \(P_1,\ldots ,P_r\) and a family of hash functions \(\mathcal {H}=(H_k)_{k\in \mathcal {K}}\).

Full size image

Uniform AXU Hash Function Family. We will need the following properties of the hash function family \(\mathcal {H}\).

Definition 1

Let \(\mathcal {H}=(H_k)_{k\in \mathcal {K}}\) be a family of functions from some set \(\mathcal {T}\) to \(\{0,1\}^n\) indexed by a set of keys \(\mathcal {K}\). \(\mathcal {H}\) is said to be uniform if for any \(t\in \mathcal {T}\) and \(y\in \{0,1\}^n\),

$$ \Pr [k\leftarrow _{\$}\mathcal {K}: H_k(t)=y]=2^{-n}. $$

\(\mathcal {H}\) is said \(\varepsilon \) -almost XOR-universal (\(\varepsilon \text {-AXU}\)) if for all distinct \(t,t'\in \mathcal {T}\) and all \(y\in \{0,1\}^n\),

$$ \Pr [k\leftarrow _{\$}\mathcal {K}: H_k(t)\oplus H_k(t')=y] \le \varepsilon . $$

\(\mathcal {H}\) is simply said XOR-universal (XU) if it is \(2^{-n}\text {-AXU}\).

Example 1

Let \(\mathbb {F}_{2^n}\) be the set \(\{0,1\}^n\) seen as the field with \(2^n\) elements defined by some irreducible polynomial of degree n over \(\mathbb {F}_2\), the field with two elements, and denote \(a\otimes b\) the field multiplication of two elements \(a,b\in \mathbb {F}_{2^n}\). For any integer \(\ell \ge 1\), we define the family of functions \(\mathcal {H}=(H_k)_{k\in \mathbb {F}_{2^n}}\) with domain \((\mathbb {F}_{2^n})^\ell \) and range \(\mathbb {F}_{2^n}\) as

$$ H_k(t_1,\ldots ,t_\ell )= \sum _{i=1}^\ell k^i\otimes t_i. $$

Then \(\mathcal {H}\) is \(\ell \cdot 2^{-n}\)-AXU [37]. Note however that \(\mathcal {H}\) is not uniform since \((0,\ldots ,0)\) is always mapped to 0 independently of the key. This can be handled either by adding an independent key (resulting in 2n-bit keys), i.e., defining \(\mathcal {H}'=(H'_{k,k'})_{(k,k')\in (\mathbb {F}_{2^n})^2}\) where \(H'_{k,k'}(t_1,\ldots ,t_\ell )=H_k(t_1\ldots ,t_{\ell })\oplus k'\), or by forbidding the all-zero tweak, in which case the family is not exactly uniform, but rather \(\ell \cdot 2^{-n}\)-almost uniform, i.e., for any \(t\in \mathcal {T}\setminus \{(0,\ldots ,0)\}\) and \(y\in \{0,1\}^n\), \(\Pr \left[ k\leftarrow _{\$}\mathcal {K}:H_k(t)=y \right] \le \ell \cdot 2^{-n}\). Our results can be straightforwardly extended to the case of \(\varepsilon \)-almost uniform families of functions.

2.2 Security Definitions

Fix some family of functions \(\mathcal {H}=(H_k)_{k\in \mathcal {K}}\) from \(\mathcal {T}\) to \(\{0,1\}^n\). To study the security of the construction \(\mathsf {TEM}[n,r,\mathcal {H}]\) in the Random Permutation Model, we consider a distinguisher \(\mathcal {D}\) which interacts with \(r+1\) oracles that we denote generically \((\widetilde{P}_0,P_1,\ldots ,P_r)\), where syntactically \(\widetilde{P}_0\) is a tweakable permutation with tweak space \(\mathcal {T}\) and message space \(\{0,1\}^n\), and \(P_1,\ldots ,P_r\) are permutations of \(\{0,1\}^n\). The goal of \(\mathcal {D}\) is to distinguish two “worlds”: the so-called real world, where \(\mathcal {D}\) interacts with \((\mathsf {TEM}^{\mathbf {P}}_{\mathbf {k}},\mathbf {P})\), where \(\mathbf {P}=(P_1,\ldots ,P_r)\) is a tuple of public random permutations and the key \(\mathbf {k}=(k_1,\ldots ,k_r)\) is drawn uniformly at random from \(\mathcal {K}^r\), and the so-called ideal world \((\widetilde{P}_0,\mathbf {P})\), where \(\widetilde{P}_0\) is a uniformly random tweakable permutation and \(\mathbf {P}\) is a tuple of random permutations of \(\{0,1\}^n\) independent from \(\widetilde{P}_0\). We will refer to \(\widetilde{P}_0\) as the construction oracle and to \(P_1,\ldots ,P_r\) as the inner permutation oracles.

Similarly to [21], we consider two classes of distinguishers depending on how they can issue their queries:

  • a non-adaptive chosen-plaintext (NCPA) distinguisher runs in two phases: during the first phase, it only queries the inner permutations, adaptively and in both directions; in the second phase, it issues a tuple of non-adaptive chosen-plaintext queries to the construction oracle and receives the corresponding answers (this tuple of queries may depend on the answers received in the first phase, but all queries must be chosen non-adaptively before receiving any answer from the construction oracle);

  • an adaptive chosen-plaintext and ciphertext (CCA) distinguisher is not restricted in how it queries its oracles: it can make adaptive bidirectional queries to all its oracles.

We stress that the NCPA model is not very interesting in itselfFootnote 8 and will only be useful as an intermediate step for the coupling-based security proof in Sect. 4.

The distinguishing advantage of a distinguisher \(\mathcal {D}\) is defined as

$$ \mathbf{Adv }(\mathcal {D})\mathop =^\mathrm{def}\left| \Pr \left[ \mathcal {D}^{\mathsf {TEM}^{\mathbf {P}}_{\mathbf {k}},\mathbf {P}}=1 \right] -\Pr \left[ \mathcal {D}^{\widetilde{P}_0,\mathbf {P}}=1 \right] \right| , $$

where the first probability is taken over the random choice of \(\mathbf {k}\) and \(\mathbf {P}\), and the second probability is taken over the random choice of \(\widetilde{P}_0\) and \(\mathbf {P}\). In all the following, we consider computationally unbounded distinguishers, and hence we can assume wlog that they are deterministic. We also assume that they never make pointless queries (i.e., queries whose answers can be unambiguously deduced from previous answers).

For non-negative integers \(q_c\), \(q_p\) and \(\mathrm {ATK}\in \{\mathrm {NCPA},\mathrm {CCA}\}\), we define the insecurity of the \(\mathsf {TEM}[n,r,\mathcal {H}]\) construction against \(\mathrm {ATK}\)-attacks as

$$ \mathbf{Adv }^{\mathrm {atk}}_{\mathsf {TEM}[n,r,\mathcal {H}]}(q_c,q_p)=\max _{\mathcal {D}} \mathbf{Adv }(\mathcal {D}), $$

where the maximum is taken over all distinguishers in the class \(\mathrm {ATK}\) making exactly \(q_c\) queries to the construction oracle and exactly \(q_p\) queries to each inner permutation oracle.

3 Tight Bounds for One and Two Rounds

3.1 The H-Coefficients Technique

We start by describing Patarin’s H-coefficients technique [30], which has enjoyed increasing adoption since Chen and Steinberger used it to prove the security of the iterated Even-Mansour cipher for an arbitrary number of rounds [7].

Transcript. We summarize the interaction of \(\mathcal {D}\) with its oracles in what we call the queries transcript (\(\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) of the attack, where \(\mathcal {Q}_C\) records the queries to the construction oracle and \(\mathcal {Q}_{P_i}\), \(1\le i \le r\), records the queries to inner permutation \(P_i\). More precisely, \(\mathcal {Q}_C\) contains all triples \((t,x,y)\in \mathcal {T}\times \{0,1\}^n \times \{0,1\}^n\) such that \(\mathcal {D}\) either made the direct query (tx) to the construction oracle and received answer y, or made the inverse query (ty) and received answer x. Similarly, for \(1\le i \le r\), \(\mathcal {Q}_{P_i}\) contains all pairs \((u,v)\in \{0,1\}^n\times \{0,1\}^n\) such that \(\mathcal {D}\) either made the direct query u to permutation \(P_i\) and received answer v, or made the inverse query v and received answer u. Note that queries are recorded in a directionless and unordered fashion, but by our assumption that the distinguisher is deterministic, there is a one-to-one mapping between this representation and the raw transcript of the interaction of \(\mathcal {D}\) with its oracles (see e.g. [7] for more details). Note also that by our assumption that \(\mathcal {D}\) never makes pointless queries, each query to the construction oracle results in a distinct triple in \(\mathcal {Q}_C\), and each query to \(P_i\) results in a distinct pair in \(\mathcal {Q}_{P_i}\), so that \(|\mathcal {Q}_C|=q_c\) and \(|\mathcal {Q}_{P_i}|=q_p\) for \(1\le i \le r\) since we assume that the distinguisher always makes the maximal number of allowed queries to each oracle. In all the following, we also denote m the number of distinct tweaks appearing in \(\mathcal {Q}_C\), and \(q_i\) the number of queries for the i-th tweak, \(1\le i\le m\), using an arbitrary ordering of the tweaks. Note that m may depend on the answers received from the oracles, yet one always has \(\sum _{i=1}^m q_i=q_c\).

We say that a queries transcript is attainable (with respect to some fixed distinguisher \(\mathcal {D}\)) if there exists oracles \((\widetilde{P}_0,\mathbf {P})\) such that the interaction of \(\mathcal {D}\) with \((\widetilde{P}_0,\mathbf {P})\) yields this transcript (said otherwise, the probability to obtain this transcript in the “ideal” world is non-zero). Moreover, in order to have a simple definition of bad transcripts, we reveal to the adversary at the end of the experiment the actual tuple of keys \(\mathbf {k}=(k_1,\ldots ,k_r)\) if we are in the real world, while in the ideal world, we simply draw dummy keys \((k_1\ldots ,k_r)\leftarrow _{\$}\mathcal {K}^r\) independently from the answers of the oracle \(\widetilde{P}_0\). (This can obviously only increase the advantage of the distinguisher, so that this is without loss of generality). All in all, a transcript \(\tau \) is a tuple \(\tau =(\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r},\mathbf {k})\), and we say that a transcript is attainable if the corresponding queries transcript \((\mathcal {Q}_C,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) is attainable. We denote \(\varTheta \) the set of attainable transcripts. In all the following, we denote \(T_\mathrm{re}\), resp. \(T_\mathrm{id}\), the probability distribution of the transcript \(\tau \) induced by the real world, resp. the ideal world (note that these two probability distributions depend on the distinguisher). By extension, we use the same notation to denote a random variable distributed according to each distribution. The main lemma of the H-coefficients technique is the following one (see e.g. [6, 7] for the proof).

Lemma 1

Fix a distinguisher \(\mathcal {D}\). Let \(\varTheta =\varTheta _\mathrm{good}\sqcup \varTheta _\mathrm{bad}\) be a partition of the set of attainable transcripts. Assume that there exists \(\varepsilon _1\) such that for any \(\tau \in \varTheta _\mathrm{good}\), one hasFootnote 9

$$ \frac{\Pr [T_\mathrm{re}=\tau ]}{\Pr [T_\mathrm{id}=\tau ]}\ge 1-\varepsilon _1, $$

and that there exists \(\varepsilon _2\) such that \(\Pr [T_\mathrm{id}\in \varTheta _\mathrm{bad}]\le \varepsilon _2\). Then \(\mathbf{Adv }(\mathcal {D})\le \varepsilon _1+\varepsilon _2\).

Additional Notation. Given a permutation queries transcript \(\mathcal {Q}\) and a permutation P, we say that P extends \(\mathcal {Q}\), denoted \(P\vdash \mathcal {Q}\), if \(P(u)=v\) for all \((u,v)\in \mathcal {Q}\). By extension, given a tuple of permutation queries transcript \(\mathcal {Q}_{\mathbf {P}}=(\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) and a tuple of permutations \(\mathbf {P}=(P_1,\ldots ,P_r)\), we say that \(\mathbf {P}\) extends \(\mathcal {Q}_{\mathbf {P}}\), denoted \(\mathbf {P}\vdash \mathcal {Q}_{\mathbf {P}}\), if \(P_i\vdash \mathcal {Q}_{P_i}\) for each \(i=1,\ldots ,r\). Note that for a permutation transcript of size \(q_p\), one has

$$\begin{aligned} \Pr [P\leftarrow _{\$}\mathsf {P}(n): P\vdash \mathcal {Q}]=\frac{1}{(N)_{q_p}}. \end{aligned}$$
(5)

Similarly, given a tweakable permutation transcript \(\widetilde{\mathcal {Q}}\) and a tweakable permutation \(\widetilde{P}\), we say that \(\widetilde{P}\) extends \(\widetilde{\mathcal {Q}}\), denoted \(\widetilde{P}\vdash \widetilde{\mathcal {Q}}\), if \(\widetilde{P}(t,x)=y\) for all \((t,x,y)\in \widetilde{\mathcal {Q}}\). For a tweakable permutation transcript \(\widetilde{\mathcal {Q}}\) with m distinct tweaks and \(q_i\) queries corresponding to the i-th tweak, one has

$$\begin{aligned} \Pr [\widetilde{P}\leftarrow _{\$}\mathsf {TP}(\mathcal {T},n) : \widetilde{P}\vdash \widetilde{\mathcal {Q}}]=\prod _{i=1}^m\frac{1}{(N)_{q_i}}. \end{aligned}$$
(6)

Preliminary Observations. It is easy to see that the interaction of a distinguisher \(\mathcal {D}\) with oracles \((\widetilde{P}_0,P_1,\ldots ,P_r)\) yields any attainable queries transcript \((\mathcal {Q}_C,\mathcal {Q}_{\mathbf {P}})\) with \(\mathcal {Q}_{\mathbf {P}}=(\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_r})\) iff \(\widetilde{P}_0\vdash \mathcal {Q}_C\) and \(P_i\vdash \mathcal {Q}_{P_i}\) for \(1\le i\le r\). In the ideal world, the key \(\mathbf {k}\), the permutations \(P_1,\ldots ,P_r\), and the tweakable permutation \(\widetilde{P}_0\) are all uniformly random and independent, so that, by (5) and (6), the probability of getting any attainable transcript \(\tau =(\mathcal {Q}_C,\mathcal {Q}_{\mathbf {P}},\mathbf {k})\) in the ideal world is

$$ \Pr [T_\mathrm{id}=\tau ]=\frac{1}{|\mathcal {K}|^r} \times \left( \frac{1}{(N)_{q_p}} \right) ^r \times \prod _{i=1}^m\frac{1}{(N)_{q_i}}. $$

In the real world, the probability to obtain \(\tau \) is

Let

Then we have

$$\begin{aligned} \frac{\Pr [T_\mathrm{re}=\tau ]}{\Pr [T_\mathrm{id}=\tau ]}=\mathsf {p}(\tau )\Big /\prod _{i=1}^m\frac{1}{(N)_{q_i}}=\mathsf {p}(\tau )\cdot \prod _{i=1}^m (N)_{q_i}. \end{aligned}$$
(7)

Hence, to apply Lemma 1, we will have to compare \(\mathsf {p}(\tau )\) and \(\prod _{i=1}^m1/(N)_{q_i}\), assuming \(\tau \) is good (for some adequate definition of bad and good transcripts).

3.2 Security Proof for One Round

We consider here the one-round construction \(\mathsf {TEM}[n,1,\mathcal {H}]\). Using Convention 1, we have

$$ \mathsf {TEM}^{P_1}_{h_1}(t,x)=h_1(t)\oplus P_1(h_1(t)\oplus x) $$

where the key is \(h_1\leftarrow _{\$}\mathcal {H}\). We prove the following theorem.

Theorem 1

Let \(\mathcal {H}\) be a uniform \(\varepsilon \text {-AXU}\) family of functions from \(\mathcal {T}\) to \(\{0,1\}^n\). For any integers \(q_c\) and \(q_p\), one has

$$ \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,1,\mathcal {H}]}(q_c,q_p)\le q_c^2\varepsilon +\frac{2q_cq_p}{N}. $$

The proof uses the H-coefficients technique that we exposed in Sect. 3.1, and serves as a good warm-up before the more complex two-round case. For reasons of space, it is deferred to the full version of the paper [8].

3.3 Security Proof for Two Rounds

Statement of the Result and Discussion. Let \(\mathcal {H}\) be an \(\varepsilon \text {-AXU}\) and uniform function family. Using Convention 1, the two-round tweakable Even-Mansour construction is written

$$ \mathsf {TEM}^{P_1,P_2}_{(h_1,h_2)}(t,x)=h_2(t)\oplus P_2\big ( h_2(t)\oplus h_1(t) \oplus P_1( h_1(t) \oplus x ) \big ) $$

where \(P_1,P_2\) are two public random permutations, \((h_1,h_2)\leftarrow _{\$}\mathcal {H}^2\) is the key, t is the tweak and x the plaintext. The main result of our paper is the following theorem.

Theorem 2

Let \(\mathcal {H}\) be a uniform \(\varepsilon \text {-AXU}\) family of functions from \(\mathcal {T}\) to \(\{0,1\}^n\). Assume that \(q_p+3q_c\le N/2\) and \(q_c\le \min \{N^{2/3},\varepsilon ^{-2/3}\}\). Then

$$ \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,2,\mathcal {H}]}(q_c,q_p) \le \frac{29\sqrt{q_c}q_p}{N}+\varepsilon \sqrt{q_c}q_p+4\varepsilon q_c^{3/2}+\frac{30q_c^{3/2}}{N}. $$

In particular, assuming \(\mathcal {H}\) is XU for simplicity (i.e., \(\varepsilon =2^{-n}\)), one can see that the two-round TEM construction ensures security up to approximately \(2^{2n/3}\) adversarial queries. In fact, for any number \(q_c\ll 2^{2n/3}\) of construction queries, the two-round TEM construction remains secure as long as \(q_p\) is small compared with \(2^n/\sqrt{q_c}\).

The proof uses the H-coefficients technique. As usual, we will first define bad transcripts and upper bound their probability in the ideal world, and then show that the probabilities to obtain any good transcript in the real world and the ideal world are sufficiently close.

Definition and Probability of Bad Transcripts. Let \(\tau =(\mathcal {Q}_C,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2},(h_1,h_2))\) be an attainable transcript, with \(|\mathcal {Q}_C|=q_c\) and \(|\mathcal {Q}_{P_1}|=|\mathcal {Q}_{P_2}|=q_p\). We let

$$\begin{aligned} U_1&=\{u_1\in \{0,1\}^n: (u_1,v_1)\in \mathcal {Q}_{P_1}\},&V_1 =\{v_1\in \{0,1\}^n: (u_1,v_1)\in \mathcal {Q}_{P_1}\},\\ U_2&=\{u_2\in \{0,1\}^n: (u_2,v_2)\in \mathcal {Q}_{P_2}\},&V_2=\{v_2\in \{0,1\}^n: (u_2,v_2)\in \mathcal {Q}_{P_2}\} \end{aligned}$$

denote the domains and ranges of \(\mathcal {Q}_{P_1}\) and \(\mathcal {Q}_{P_2}\) respectively. For each u and \(v\in \{0,1\}^n\), let

$$\begin{aligned} X_u&=\{ (t,x,y)\in \mathcal {Q}_C : x\oplus h_1(t)=u \},\\ Y_v&=\{ (t,x,y)\in \mathcal {Q}_C : y\oplus h_2(t)=v \}. \end{aligned}$$

We define four quantities characterizing a transcript \(\tau \), namely

$$\begin{aligned} \alpha _1&\mathop =^\mathrm{def}|\{ (t,x,y)\in \mathcal {Q}_C : x\oplus h_1(t)\in U_1\}|,\\ \alpha _2&\mathop =^\mathrm{def}|\{ (t,x,y)\in \mathcal {Q}_C : y\oplus h_2(t)\in V_2\}|,\\ \beta _1&\mathop =^\mathrm{def}|\{(t,x,y)\in \mathcal {Q}_C:\exists (t',x',y')\ne (t,x,y), x \oplus h_1(t)=x'\oplus h_1(t')\}|,\\ \beta _2&\mathop =^\mathrm{def}|\{(t,x,y)\in \mathcal {Q}_C:\exists (t',x',y')\ne (t,x,y), y \oplus h_2(t)=y'\oplus h_2(t')\}|. \end{aligned}$$

In words, \(\alpha _1\) (resp. \(\alpha _2\)) is the number of queries \((t,x,y)\in \mathcal {Q}_C\) which “collide” with a query \((u_1,v_1)\in \mathcal {Q}_{P_1}\) (resp. that collide with a query \((u_2,v_2)\in \mathcal {Q}_{P_2}\)), and \(\beta _1\) (resp. \(\beta _2\)) is the number of queries \((t,x,y)\in \mathcal {Q}_C\) which “collide” with another query \((t',x',y')\) at the input of \(P_1\) (resp. at the output of \(P_2\)). Note that one also has

$$\begin{aligned} \beta _1=\sum _{\begin{array}{c} u\in \{0,1\}^n:\\ |X_u|>1 \end{array}}|X_u|, \qquad \qquad \beta _2=\sum _{\begin{array}{c} v\in \{0,1\}^n:\\ |Y_v|>1 \end{array}}|Y_v|. \end{aligned}$$
(8)

Definition 2

We say that an attainable transcript \(\tau \) is bad if at least one of the following conditions is fulfilled (see Fig. 2 for a diagram of the first ten conditions):

  1. (C-1)

    there exists \((t,x,y)\in \mathcal {Q}_C\), \(u_1 \in U_1\), and \(v_2 \in V_2\) such that \(x\oplus h_1(t)=u_1\) and \(y\oplus h_2(t)=v_2\);

  2. (C-2)

    there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_1,v_1)\in \mathcal {Q}_{P_1}\), and \(u_2\in U_2\) such that \(x\oplus h_1(t)=u_1\) and \(v_1\oplus h_1(t)\oplus h_2(t)=u_2\);

  3. (C-3)

    there exists \((t,x,y)\in \mathcal {Q}_C\), \((u_2,v_2)\in \mathcal {Q}_{P_2}\), and \(v_1\in V_1\) such that \(y\oplus h_2(t)=v_2\) and \(v_1\oplus h_1(t)\oplus h_2(t)=u_2\);

  4. (C-4)

    there exists \((t,x,y),(t',x',y'),(t'',x'',y'')\in \mathcal {Q}_C\) with (txy) distinct from \((t',x',y')\) and from \((t'',x'',y'')\) such that \(x\oplus h_1(t)=x'\oplus h_1(t')\) and \(y\oplus h_2(t)=y''\oplus h_2(t'')\);

  5. (C-5)

    there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) such that \(x\oplus h_1(t)=x'\oplus h_1(t')\) and \(h_1(t)\oplus h_2(t)=h_1(t')\oplus h_2(t')\);

  6. (C-6)

    there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) such that \(y\oplus h_2(t)=y'\oplus h_2(t')\) and \(h_1(t)\oplus h_2(t)=h_1(t')\oplus h_2(t')\);

  7. (C-7)

    there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(u_1\in U_1\) such that \(y\oplus h_2(t)=y'\oplus h_2(t')\) and \(x\oplus h_1(t)=u_1\);

  8. (C-8)

    there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and \(v_2\in V_2\) such that \(x\oplus h_1(t)=x'\oplus h_1(t')\) and \(y\oplus h_2(t)=v_2\);

  9. (C-9)

    there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\), \((u_1,v_1),(u'_1,v'_1)\in \mathcal {Q}_{P_1}\) such that \(x\oplus h_1(t)=u_1\), \(x'\oplus h_1(t')=u'_1\) and \(v_1\oplus h_1(t)\oplus h_2(t) = v'_1\oplus h_1(t')\oplus h_2(t')\);

  10. (C-10)

    there exists \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\), \((u_2,v_2),(u'_2,v'_2)\in \mathcal {Q}_{P_2}\) such that \(y\oplus h_2(t)=v_2\), \(y'\oplus h_2(t')=v'_2\) and \(u_2\oplus h_1(t)\oplus h_2(t) = u'_2\oplus h_1(t')\oplus h_2(t')\);

  11. (C-11)

    \(\alpha _1 \ge \sqrt{q_c}\);

  12. (C-12)

    \(\alpha _2 \ge \sqrt{q_c}\);

  13. (C-13)

    \(\beta _1 \ge \sqrt{q_c}\);

  14. (C-14)

    \(\beta _2 \ge \sqrt{q_c}\).

Otherwise we say that \(\tau \) is good. We denote \(\varTheta _\mathrm{good}\), resp. \(\varTheta _\mathrm{bad}\) the set of good, resp. bad transcripts. \(\Diamond \)

Fig. 2.
figure 2

The ten “collision” conditions characterizing a bad transcript. Black dots correspond to pairs \((u_1,v_1)\in \mathcal {Q}_{P_1}\) or \((u_2,v_2)\in \mathcal {Q}_{P_2}\). Note that for (C-4) one might have \((t',x')=(t'',x'')\), for (C-9) one might have \((u_1,v_1)=(u'_1,v'_1)\), and for (C-10) one might have \((u_2,v_2)=(u'_2,v'_2)\).

Full size image

We start by upper bounding the probability to get a bad transcript in the ideal world.

Lemma 2

For any integers \(q_c\) and \(q_p\), one has

$$ \Pr [T_\mathrm{id}\in \varTheta _\mathrm{bad}]\le \frac{3q_cq_p^2}{N^2}+2\varepsilon ^2 q_c^3+\frac{\varepsilon q_c^2 q_p}{N} +\frac{2\sqrt{q_c}q_p}{N}+2\varepsilon q_c^{3/2}. $$

Proof

Let \((\mathcal {Q}_C,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2})\) be any attainable queries transcript. Recall that in the ideal world, \((h_1,h_2)\) is drawn independently from the queries transcript. We upper bound the probabilities of the fourteen conditions in turn. We denote \(\varTheta _i\) the set of attainable transcripts fulfilling condition (C-i).

Conditions (C-1), (C-2), and (C-3). Consider condition (C-1). For any \((t,x,y)\in \mathcal {Q}_C\), \(u_1\in U_1\), and \(v_2\in V_2\), one has, by the uniformity of \(\mathcal {H}\) and since \(h_1\) and \(h_2\) are independently drawn,

$$ \Pr \left[ \big (h_1(t)=x\oplus u_1\big ) \wedge \big (h_2(t)=y\oplus v_2\big ) \right] =\frac{1}{N^2}. $$

Hence, summing over the \(q_cq_p^2\) possibilities for (txy), \(u_1\), and \(v_1\) yields

$$ \Pr [T_\mathrm{id}\in \varTheta _1]\le \frac{q_c q_p^2}{N^2}. $$

Similarly, for (C-2) and (C-3), one obtains

$$\begin{aligned} \Pr \left[ T_\mathrm{id}\in \varTheta _2 \right]&\le \frac{q_c q_p^2}{N^2},&\Pr \left[ T_\mathrm{id}\in \varTheta _3 \right]&\le \frac{q_c q_p^2}{N^2}. \end{aligned}$$

Condition (C-4). For any \((t,x,y),(t',x',y'),(t'',x'',y'')\in \mathcal {Q}_C\) with (txy) distinct from \((t',x',y')\) and from \((t'',x'',y'')\), one has, by the \(\varepsilon \text {-AXU}\) property of \(\mathcal {H}\) and since \(h_1\) and \(h_2\) are drawn independently,

$$ \Pr \left[ \big (h_1(t)\oplus h_1(t')=x\oplus x'\big ) \wedge \big (h_2(t)\oplus h_2(t'')=y\oplus y''\big ) \right] \le \varepsilon ^2. $$

Note that this also holds when \(t=t'\) (resp. \(t=t''\)) since in that case necessarily \(x\ne x'\) (resp. \(y\ne y''\)) by the assumption that \(\mathcal {D}\) never makes pointless queries. Hence, summing over the (at most) \(q_c^3\) possibilities for (txy), \((t',x',y')\), \((t'',x'',y'')\), one obtains

$$ \Pr \left[ T_\mathrm{id}\in \varTheta _4 \right] \le \varepsilon ^2 q_c^3. $$

Conditions (C-5) and (C-6). For any two distinct queries \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\), one has, by the \(\varepsilon \text {-AXU}\) property of \(\mathcal {H}\) and since \(h_1\) and \(h_2\) are drawn independently,

$$ \Pr \left[ \big (h_1(t)\oplus h_1(t')=x\oplus x'\big ) \wedge \big (h_2(t)\oplus h_2(t')=h_1(t)\oplus h_1(t')\big ) \right] \le \varepsilon ^2. $$

Hence, summing over the \(q_c(q_c-1)/2\) possible pairs of distinct queries, we get

$$\begin{aligned} \Pr \left[ T_\mathrm{id}\in \varTheta _5 \right]&\le \frac{\varepsilon ^2 q_c^2}{2},&\text {and similarly } \Pr \left[ T_\mathrm{id}\in \varTheta _6 \right]&\le \frac{\varepsilon ^2 q_c^2}{2}. \end{aligned}$$

Conditions (C-7) and (C-8). For any two distinct queries \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\) and any \(u_1\in U_1\), one has, by the \(\varepsilon \text {-AXU}\) property and uniformity of \(\mathcal {H}\) and since \(h_1\) and \(h_2\) are drawn independently,

$$ \Pr \left[ \big (h_2(t)\oplus h_2(t')=y\oplus y'\big ) \wedge \big (h_1(t)=x\oplus u_1\big ) \right] \le \frac{\varepsilon }{N}. $$

Then, summing over \((t,x,y)\ne (t',x',y')\) and \(u_1\),

$$\begin{aligned} \Pr [T_\mathrm{id}\in \varTheta _7]&\le \frac{\varepsilon q_c^2 q_p}{2N},&\text {and similarly }\Pr [T_\mathrm{id}\in \varTheta _8]&\le \frac{\varepsilon q_c^2 q_p}{2N}. \end{aligned}$$

Conditions (C-9), (C-10), (C-11), and (C-12). We will deal with conditions (C-9) and (C-11) together, using the fact that

$$ \Pr \left[ T_\mathrm{id}\in \varTheta _{9}\cup \varTheta _{11} \right] =\Pr \left[ T_\mathrm{id}\in \varTheta _{11} \right] +\Pr \left[ T_\mathrm{id}\in \varTheta _{9}\setminus \varTheta _{11} \right] . $$

To upper bound \(\Pr \left[ T_\mathrm{id}\in \varTheta _{11} \right] \), we see \(\alpha _1\) as a random variable over the random choice of \(h_1\) (since \(\alpha _1\) does not depend on \(h_2\)). First, note that by the uniformity of \(\mathcal {H}\),

$$ \mathbb {E}[\alpha _1] =\sum _{(t,x,y)\in \mathcal {Q}_C}\sum _{u_1\in U_1}\Pr \left[ x\oplus h_1(t)=u_1 \right] =\frac{q_c q_p}{N}, $$

so that by Markov’s inequality,

$$\begin{aligned} \Pr \left[ T_\mathrm{id}\in \varTheta _{11} \right]&\le \frac{\sqrt{q_c} q_p}{N}. \end{aligned}$$

Fix any \(h'_1\in \mathcal {H}\) such that, when \(h_1=h'_1\), \(\alpha _1<\sqrt{q_c}\), and fix any queries \((t,x,y)\ne (t',x',y')\in \mathcal {Q}_C\), \((u_1,v_1),(u'_1,v'_1)\in \mathcal {Q}_{P_1}\) such that \(x\oplus h_1(t)=u_1\) and \(x'\oplus h_1(t')=u'_1\). Note that since \(\alpha _1<\sqrt{q_c}\), there are at most \(\frac{q_c}{2}\) such tuple of queries. Then

$$\begin{aligned} \Pr \left[ \big (h_1=h'_1\big ) \wedge \big (h_2(t)\oplus h_2(t')=v_1\oplus h_1(t)\oplus v'_1 \oplus h_1(t')\big ) \right] \le \frac{\varepsilon }{|\mathcal {H}|}, \end{aligned}$$

and, by summing over every \(h_1\) such that \(\alpha _1<\sqrt{q_c}\) and every such tuple of queries, one has

$$ \Pr \left[ T_\mathrm{id}\in \varTheta _{9}\setminus \varTheta _{11} \right] \le \frac{\varepsilon q_c}{2}. $$

Finally,

$$ \Pr \left[ T_\mathrm{id}\in \varTheta _{9}\cup \varTheta _{11} \right] \le \frac{\sqrt{q_c} q_p}{N}+\frac{\varepsilon q_c}{2}. $$

Similarly,

$$ \Pr \left[ T_\mathrm{id}\in \varTheta _{10}\cup \varTheta _{12} \right] \le \frac{\sqrt{q_c} q_p}{N}+\frac{\varepsilon q_c}{2}. $$

Conditions (C-13) and (C-14). For every \(u \in \{0,1\}^n\), we see \(|X_u|\) as a random variable over the random choice of \(h_1\). We also introduce the random variable

$$ C=|\{((t,x,y),(t',x',y'))\in \mathcal {Q}_C^2, (t,x,y)\ne (t',x',y'): x \oplus h_1(t)=x'\oplus h_1(t')\}|. $$

Then, by definition of \(\beta _1\),

$$\begin{aligned} \beta _1=|\{(t,x,y)\in \mathcal {Q}_C:\exists (t',x',y')\ne (t,x,y), x \oplus h_1(t)=x'\oplus h_1(t')\}| \le C. \end{aligned}$$

Hence, \(\Pr \left[ T_\mathrm{id}\in \varTheta _{13} \right] \le \Pr \left[ C\ge \sqrt{q_c} \right] \). Note that

$$\begin{aligned} \mathbb {E}[C]&=\sum _{(t,x,y)\ne (t',x',y')}\Pr \left[ x \oplus h_1(t)=x'\oplus h_1(t') \right] \le \frac{\varepsilon q_c^2}{2}. \end{aligned}$$

By Markov’s inequality,

$$\begin{aligned} \Pr \left[ T_\mathrm{id}\in \varTheta _{13} \right]&\le \frac{\varepsilon q_c^{3/2}}{2},&\text {and similarly } \Pr \left[ T_\mathrm{id}\in \varTheta _{14} \right]&\le \frac{\varepsilon q_c^{3/2}}{2}. \end{aligned}$$

The result follows by an union bound over all conditions.    \(\square \)

Analysis of Good Transcripts. Next, we have to study good transcripts.

Lemma 3

Let \(q_c\) and \(q_p\) be integers such that \(q_p+3q_c\le N/2\). Then for any good transcript \(\tau \), one has

$$ \frac{\Pr \left[ T_\mathrm{re}=\tau \right] }{\Pr \left[ T_\mathrm{id}=\tau \right] }\ge 1- \left( \frac{4q_c(q_p+2q_c)^2}{N^2}+\frac{14q_c^{3/2}+4\sqrt{q_c}q_p}{N}\right) . $$

Proof

Deferred to the full version of the paper [8] for reasons of space.   \(\square \)

Concluding the Proof of Theorem 2. We are now ready to prove Theorem 2. Combining Lemmas 1, 2, and 3, one has

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,2,\mathcal {H}]}(q_c,q_p)&\le \frac{3q_cq_p^2}{N^2}+2\varepsilon ^2 q_c^3+\frac{\varepsilon q_c^2 q_p}{N} +\frac{2\sqrt{q_c}q_p}{N}+2\varepsilon q_c^{3/2}\\&\quad +\frac{4q_c(q_p+2q_c)^2}{N^2}+\frac{14q_c^{3/2}+4\sqrt{q_c}q_p}{N}\\&= \frac{7q_cq_p^2}{N^2}+\frac{16q_c^2q_p}{N^2}+\frac{6\sqrt{q_c}q_p}{N}+\frac{\varepsilon q_c^2q_p}{N}+2\varepsilon ^2q_c^3+2\varepsilon q_c^{3/2}\\&\quad +\frac{16q_c^3}{N^2}+\frac{14q_c^{3/2}}{N}\\&\le \frac{7q_cq_p^2}{N^2}+\frac{16q_c^2q_p}{N^2}+\frac{6\sqrt{q_c}q_p}{N}+\frac{\varepsilon q_c^2q_p}{N}+4\varepsilon q_c^{3/2}+\frac{30q_c^{3/2}}{N}, \end{aligned}$$

where for the last inequality we used the assumption that \(q_c\le \min \{N^{2/3},\varepsilon ^{-2/3}\}\). Since the result holds trivially when \(q_cq_p^2>N^2\), we can assume that \(q_cq_p^2\le N^2\), so that \(q_cq_p^2/N^2\le \sqrt{q_c}q_p/N\). Moreover, since \(q_c\le N^{2/3}\), one has \(q_c^2/N^2\le \sqrt{q_c}/N\) and \(q_c^2/N\le \sqrt{q_c}\), which concludes the proof of Theorem 2.

4 Asymptotic Bounds via the Coupling Technique

When the number of rounds r of the TEM construction grows, one has the following result.

Theorem 3

Let r be an even integer and \(r'=r/2\). Let \(q_c,q_p\) be positive integers, and \(\mathcal {H}\) be a uniform \(\varepsilon \text {-AXU}\) family of functions from \(\mathcal {T}\) to \(\{0,1\}^n\). Then:

$$ \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,r,\mathcal {H}]}(q_c,q_p)\le \sqrt{2^{r'+4}\frac{q_c(N\varepsilon q_c+q_p)^{r'}}{N^{r'}}}. $$

For odd r, we have \(\mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,r,\mathcal {H}]}\le \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {TEM}[n,r-1,\mathcal {H}]}\), so that we can use the above bound with \(r-1\). Using an \(\varepsilon \text {-AXU}\) function family with \(\varepsilon \simeq 2^{-n}\), we see that the iterated tweakable Even-Mansour cipher with an even number r of rounds achieves CCA-security up to roughly \(2^{\frac{rn}{r+2}}\) adversarial queries.

The proof relies on the coupling technique. Since it combines in a rather straightforward way the approach of [21, 23], the proof is entirely deferred to the full version of the paper [8].