# Difference between revisions of "Bart Mennink"

(Created page with "'''Title''': TBA '''Abstract''': TBA") |
|||

Line 1: | Line 1: | ||

− | '''Title''': | + | '''Title''': Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security |

− | '''Abstract''': | + | '''Abstract''': Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2^{sigma n/(sigma+1)}, where n is the size of the blockcipher and sigma is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2^{sigma n/(sigma+1)} is the best one can get without tweak-rekeying, optimal 2^n provable security with tweak-rekeying is impossible. |

## Latest revision as of 14:18, 13 January 2017

**Title**: Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

**Abstract**: Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2^{sigma n/(sigma+1)}, where n is the size of the blockcipher and sigma is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2^{sigma n/(sigma+1)} is the best one can get without tweak-rekeying, optimal 2^n provable security with tweak-rekeying is impossible.