On rate-1 and beyond-the-birthday bound secure online ciphers using tweakable block ciphers
Saved in:

| Published in: | Cryptography and communications 2018-09, Vol.10 (5), p.731-753 |
|---|---|
| Main authors: | |
| Format: | Article |
| Language: | eng |
| Subject headings: | |
| Online access: | Full text |
| ISSN: | 1936-2447 1936-2455 |
| DOI: | 10.1007/s12095-017-0275-0 |

Abstract: Recently, Andreeva et al. showed that online ciphers are actually equivalent to arbitrary tweak length (ATL) tweakable block ciphers (TBCs). Within this result they gave a security preserving generic conversion from ATL TBCs to online ciphers. XTX by Minematsu and Iwata is a nice way of extending the tweak space of any fixed tweak length (FTL) TBC using a pAXU hash function. By combining the previous two methods one can get a FTL TBC based online cipher with security in the order of $\sigma^2 \varepsilon$, where $\sigma$ is the total number of blocks in all queries and $\varepsilon$ is the pAXU bound of the underlying hash function. In this paper we show that there are genuine practical issues which render it almost impossible to get full security using this approach. We then observe that a recent online enciphering scheme called POEx by Forler et al. is actually an implicit example of this approach. We show a flaw in the analysis of POEx which results in a birthday bound attack and invalidates the beyond-the-birthday bound OSPRP security claim. We take a slightly different approach than the one just mentioned and propose XTC, which achieves OSPRP security of $O(\max(n\sigma 2^{-n}, \sigma^2 2^{-(n+t)}))$, where $t$ is the tweak size and $n$ is the block size. While doing so we present an impossibility result for $t > n$ which can be of independent interest.