Journal of Cryptology, Volume 24, Issue 3, pp 588–613

Tweakable Block Ciphers

Authors

  • Moses Liskov
    • Computer Science Department, The College of William and Mary
  • Ronald L. Rivest
    • Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology
  • David Wagner
    • University of California, Berkeley
Open Access Article

DOI: 10.1007/s00145-010-9073-y

Cite this article as:
Liskov, M., Rivest, R.L. & Wagner, D. J Cryptol (2011) 24: 588. doi:10.1007/s00145-010-9073-y

Abstract

A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher.

We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.
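The abstract defines the primitive by its interface: a tweakable block cipher takes a key, a public tweak and a message block, and each (key, tweak) pair selects an "essentially different" permutation. The following Python sketch is an added example, not code from the paper or this page. It builds a tweakable cipher on top of an ordinary block cipher using the simple wrapping Ẽ_K(T, M) = E_K(T ⊕ E_K(M)); the underlying cipher is a toy SHA-256-based Feistel network constructed here purely so the example runs offline, and neither the toy cipher nor the choice of construction is taken from the page. The demo checks the three properties a reader should take away: the result is invertible under the same (key, tweak), a different tweak yields a different permutation of the same message, and decrypting under the wrong tweak does not recover the plaintext.

```python
"""Added example: a tweakable block cipher interface built from an ordinary block cipher."""
import hashlib

BLOCK = 16  # 128-bit block size, the same as AES (the toy cipher below is NOT AES)
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed Feistel round function: SHA-256 over (key, round index, half block), truncated."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Toy 128-bit Feistel block cipher E_K. Constructed for illustration only; not secure."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in range(rounds):
        # Standard Feistel step: (L, R) -> (R, L xor F_K(R, r))
        left, right = right, _xor(left, _round_fn(key, right, r))
    return left + right


def block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(rounds)):
        # Undo one step: (L', R') -> (R' xor F_K(L', r), L')
        left, right = _xor(right, _round_fn(key, left, r)), left
    return left + right


def _tweak_block(tweak: bytes) -> bytes:
    """Map an arbitrary-length public tweak to one block (assumed convenience, not part of the page)."""
    return hashlib.sha256(b"tweak:" + tweak).digest()[:BLOCK]


def tweakable_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Tweakable cipher E~_K(T, M) = E_K(T xor E_K(M)).

    The tweak T is public (it plays the role of an IV or nonce); only the key is secret.
    Each distinct tweak selects a different permutation of the message space under one key.
    """
    return block_encrypt(key, _xor(_tweak_block(tweak), block_encrypt(key, block)))


def tweakable_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Inverse of tweakable_encrypt: D_K(D_K(C) xor T)."""
    return block_decrypt(key, _xor(_tweak_block(tweak), block_decrypt(key, block)))


def demo() -> dict:
    """Exercise the interface on constructed sample values and report the observed properties."""
    key = bytes(range(16))            # constructed sample key
    msg = b"block of 16 byte"         # constructed 16-byte sample message
    c_sector0 = tweakable_encrypt(key, b"sector-0", msg)
    c_sector1 = tweakable_encrypt(key, b"sector-1", msg)
    return {
        "roundtrip": tweakable_decrypt(key, b"sector-0", c_sector0) == msg,
        "distinct_under_tweaks": c_sector0 != c_sector1,
        "wrong_tweak_fails": tweakable_decrypt(key, b"sector-1", c_sector0) != msg,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The tweak is deliberately passed as a plain bytes value rather than a secret: the point of the abstraction is that variability between cipher instances is supplied by a public input, so a mode of operation can derive it from a sector number, counter or nonce without any extra key material. The toy Feistel cipher stands in for a real block cipher only so the example is self-contained.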

Key words

Block ciphers; Tweakable block ciphers; Initialization vector; Modes of operation; Pseudorandomness

Copyright information

© The Author(s) 2010