Journal of Cryptology

, Volume 24, Issue 3, pp 588–613

Tweakable Block Ciphers

Open AccessArticle

DOI: 10.1007/s00145-010-9073-y

Cite this article as:
Liskov, M., Rivest, R.L. & Wagner, D. J Cryptol (2011) 24: 588. doi:10.1007/s00145-010-9073-y


A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher.

We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.

Key words

Block ciphersTweakable block ciphersInitialization vectorModes of operationPseudorandomness
Download to read the full article text

Copyright information

© The Author(s) 2010

Authors and Affiliations

  1. 1.Computer Science DepartmentThe College of William and MaryWilliamsburgUSA
  2. 2.Computer Science and Artificial Intelligence LaboratoryMassachusetts Institute of TechnologyCambridgeUSA
  3. 3.University of California BerkeleyBerkeleyUSA