Journal of Cryptology, Volume 24, Issue 3, pp 588-613


Open Access

Tweakable Block Ciphers

  • Moses Liskov (Computer Science Department, The College of William and Mary; corresponding author)
  • Ronald L. Rivest (Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology)
  • David Wagner (University of California, Berkeley)


A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher.

We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.
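The primitive the abstract describes has signature E~: K × T × M → M, with the tweak T as a public third input. What follows is an added example, not code from the paper or this page: it implements the paper's hash-based construction E~_{K,h}(T, M) = E_K(M ⊕ h(T)) ⊕ h(T) (the construction usually called LRW), instantiating E_K with AES from the Go standard library and the ε-AXU hash as h(T) = H · T in GF(2^128), where H is a second, independent key. The GF(2^128) representation (big-endian, reduction polynomial x^128 + x^7 + x^2 + x + 1), the type and function names, and the keys, tweaks and plaintext are all choices constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Block is the AES block size in bytes; tweaks, masks and messages are all one block.
const Block = 16

// Blk is one 128-bit value, also used as a GF(2^128) element (big-endian bit order,
// bit 127 is the MSB of Blk[0]; reduction polynomial x^128 + x^7 + x^2 + x + 1).
type Blk = [Block]byte

// mulX multiplies a field element by x: shift left one bit, reduce the overflow with 0x87.
func mulX(v Blk) Blk {
	var out Blk
	carry := byte(0)
	for i := Block - 1; i >= 0; i-- {
		out[i] = v[i]<<1 | carry
		carry = v[i] >> 7
	}
	if carry != 0 {
		out[Block-1] ^= 0x87 // x^128 = x^7 + x^2 + x + 1
	}
	return out
}

// gfMul multiplies two field elements by shift-and-add in Horner form (not constant-time;
// fine for a demonstration, not for a side-channel-resistant implementation).
func gfMul(a, b Blk) Blk {
	var acc Blk
	for i := 0; i < Block; i++ {
		for bit := 7; bit >= 0; bit-- {
			acc = mulX(acc)
			if (b[i]>>uint(bit))&1 == 1 {
				acc = xor(acc, a)
			}
		}
	}
	return acc
}

func xor(a, b Blk) Blk {
	var o Blk
	for i := range o {
		o[i] = a[i] ^ b[i]
	}
	return o
}

// LRW is the tweakable block cipher E~_{K,H}(T, M) = E_K(M xor H·T) xor H·T.
// H·T is an epsilon-AXU hash of the tweak: for T != T', H·(T xor T') is uniform over
// the nonzero field elements when H is a uniformly random nonzero key.
type LRW struct {
	block cipher.Block // E_K, here AES under key K
	h     Blk          // hash key H, independent of K and nonzero
}

// NewLRW builds the tweakable cipher from an AES key and a 16-byte hash key.
func NewLRW(key, hashKey []byte) (*LRW, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(hashKey) != Block {
		return nil, fmt.Errorf("hash key must be %d bytes", Block)
	}
	var h Blk
	copy(h[:], hashKey)
	if h == (Blk{}) {
		// With H = 0 every tweak maps to the same mask and the tweak has no effect.
		return nil, fmt.Errorf("hash key must be nonzero")
	}
	return &LRW{block: b, h: h}, nil
}

// Encrypt computes E~(T, M). The tweak need not be secret; a zero tweak gives plain E_K(M).
func (l *LRW) Encrypt(tweak, pt Blk) Blk {
	m := gfMul(l.h, tweak)
	x := xor(pt, m)
	var y Blk
	l.block.Encrypt(y[:], x[:])
	return xor(y, m)
}

// Decrypt inverts Encrypt under the same key and tweak.
func (l *LRW) Decrypt(tweak, ct Blk) Blk {
	m := gfMul(l.h, tweak)
	y := xor(ct, m)
	var x Blk
	l.block.Decrypt(x[:], y[:])
	return xor(x, m)
}

func main() {
	// Constructed demo keys and plaintext, not real secrets.
	l, err := NewLRW([]byte("0123456789abcdef"), []byte("fedcba9876543210"))
	if err != nil {
		panic(err)
	}
	var pt Blk
	copy(pt[:], "attack at dawn!!")
	for i := 0; i < 3; i++ {
		var tw Blk
		tw[Block-1] = byte(i) // e.g. a sector or block index used as the tweak
		ct := l.Encrypt(tw, pt)
		back := l.Decrypt(tw, ct)
		fmt.Printf("tweak=%d ct=%s back=%q\n", i, hex.EncodeToString(ct[:]), string(back[:]))
	}
}
```

The same plaintext encrypts to a different block under each tweak, which is the "essentially different instances" property the abstract asks for, at the cost of one field multiplication and two XORs per block. Two caveats a practitioner should keep in mind: the construction is deterministic, so repeating a (tweak, plaintext) pair reveals the repetition, and the hash key H must be uniform, nonzero and independent of the AES key, since reusing K as H or choosing a structured H voids the AXU argument the security proof rests on.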

Key words

Block ciphers; Tweakable block ciphers; Initialization vector; Modes of operation; Pseudorandomness