Optimally Secure Tweakable Block Ciphers with a Large Tweak from n-bit Block Ciphers

We consider the design of a tweakable block cipher from a block cipher whose inputs and outputs are of size n bits. The main goal is to achieve 2n security with a large tweak (i.e., more than n bits). Previously, Mennink at FSE'15 and Wang et al. at Asiacrypt'16 proposed constructions that can achieve 2n security. Yet, these constructions can have a tweak size up to n-bit only. As evident from recent research, a tweakable block cipher with a large tweak is generally helpful as a building block for modes of operation, typical applications including MACs, authenticated encryption, leakage-resistant cryptography and full-disk encryption. We begin with how to design a tweakable block cipher with 2n-bit tweak and n-bit security from two block cipher calls. For this purpose, we do an exhaustive search for tweakable block ciphers with 2n-bit tweaks from two block cipher calls, and show that all of them suffer from birthday-bound attacks. Next, we investigate the possibility to design a tweakable block cipher with 2n-bit tweak and n-bit security from three block cipher calls. We start with some conditions to build such a tweakable block cipher and propose a natural construction, called Ge1, that likely meets them. After inspection, we find a weakness in Ge1 which leads to a birthday-bound attack. Based on Ge1, we then propose another construction, called Ge2, that can avoid this weakness. We finally prove that Ge2 can achieve n-bit security with 2n-bit tweak.