Improved XKX-based AEAD scheme: Removing the birthday terms


Abstract

Naito [ToSC 2017, Issue 2] proposed XKX, a tweakable blockcipher (TBC) based on a blockcipher (BC). It offers efficient authenticated encryption with associated data (AEAD) schemes with beyond-birthday-bound (BBB) security, by combining with efficient TBC-based AEAD schemes such as ΘCB3. In the resultant schemes, for each data block, a BC is called once. The security bound is roughly (Formula Presented), where n is the block size of the BC in bits, l is the number of BC calls by a query, q is the number of queries, σ_A is the number of BC calls handling associated data by encryption queries, and σ_D is the number of BC calls by decryption queries. Hence, assuming (Formula Presented), the AEAD schemes achieve BBB security. However, the birthday terms (Formula Presented) might become dominant, for example, when n is small such as n=64 and when DoS attacks are performed. The birthday terms are introduced due to the modular proof via XKX's security proof. In this paper, in order to remove the birthday terms, we slightly modify ΘCB3 into a variant called ΘCB3†, and directly prove the security of ΘCB3† with XKX. We show that the security bound becomes roughly l^2 q/2^n.

Cite

Naito, Y. (2019). Improved XKX-based AEAD scheme: Removing the birthday terms. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11368 LNCS, pp. 228–246). Springer Verlag. https://doi.org/10.1007/978-3-030-25283-0_13