Journal of Cryptology

, Volume 24, Issue 3, pp 588–613 | Cite as

Tweakable Block Ciphers

  • Moses LiskovEmail author
  • Ronald L. Rivest
  • David Wagner
Open Access


A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher.

We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.

Key words

Block ciphers Tweakable block ciphers Initialization vector Modes of operation Pseudorandomness 


  1. [1]
    American National Standards Institute (ANSI). American National Standard for Information Systems–Data Encryption Algorithm–Modes of Operation (1983) Google Scholar
  2. [2]
    K. Aoki, H. Lipmaa, Fast implementations of AES candidates, in Third AES Candidate Conference, April 2000 Google Scholar
  3. [3]
    M. Bellare, J. Killian, P. Rogaway, The security of cipher block chaining message authentication code. JCSS 61(3), 362–399 (2000) zbMATHGoogle Scholar
  4. [4]
    M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. Full version, available at
  5. [5]
    M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—EUROCRYPT 2003, ed. by E. Biham. Lecture Notes in Computer Science (Springer, Berlin, 2003), pp. 491–506 CrossRefGoogle Scholar
  6. [6]
    D.J. Bernstein, Floating-point arithmetic and message authentication, March 2000. Unpublished manuscript. Available at
  7. [7]
    E. Biham, New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994) CrossRefzbMATHGoogle Scholar
  8. [8]
    E. Biham, A. Biryukov, How to strengthen DES using existing hardware, in Proceedings ASIACRYPT ’94. Lecture Notes in Computer Science, vol. 917 (Springer, Berlin, 1994), pp. 398–412 Google Scholar
  9. [9]
    J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions, in Advances in Cryptology—EUROCRYPT 2005, ed. by R. Cramer. Lecture Notes in Computer Science (Springer, Berlin, 2005), pp. 526–541 CrossRefGoogle Scholar
  10. [10]
    J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: Fast and secure message authentication, in Proceedings CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 216–233 Google Scholar
  11. [11]
    J. Black, P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions. J. Cryptol. 18(2), 111–131 (2005) CrossRefzbMATHMathSciNetGoogle Scholar
  12. [12]
    D. Chakraborty, P. Sarkar, A general construction of tweakable block ciphers and different modes of operations, in Inscrypt 2006—Information Security and Cryptography, Second SKLOIS Conference. Lecture Notes in Computer Science, vol. 4318 (Springer, Berlin, 2006), pp. 88–102 Google Scholar
  13. [13]
    P. Crowley, Mercy: A fast large block cipher for disk sector encryption, in Fast Software Encryption: 7th International Workshop. Lecture Notes in Computer Science, vol. 1978 (Springer, Berlin, 2000), pp. 49–63. Also available at: CrossRefGoogle Scholar
  14. [14]
    J. Daemen, Limitations of the Even–Mansour construction, in Proceedings ASIACRYPT ’91. Lecture Notes in Computer Science, LNCS, vol. 739 (Springer, Berlin, 1991), pp. 495–499 Google Scholar
  15. [15]
    J. Daemen, V. Rijmen, AES proposal: Rijndael. Available at August (1998)
  16. [16]
    S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–161 (1997) CrossRefzbMATHMathSciNetGoogle Scholar
  17. [17]
    S. Fluhrer, Cryptanalysis of the Mercy block cipher, in Fast Software Encryption, 8th International Workshop, ed. by M. Matsui. Lecture Notes in Computer Science, vol. 2355 (Springer, Berlin, 2002), pp. 28–36 CrossRefGoogle Scholar
  18. [18]
    D. Goldenberg, S. Hohenberger, M. Liskov, H. Seyalioglu, E.C. Schwartz, On tweaking Luby–Rackoff blockciphers, in Advances in Cryptology—ASIACRYPT 2007. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 342–356 CrossRefGoogle Scholar
  19. [19]
    L. Granboulan, P. Nguyen, F. Noilhan, S. Vaudenay, DFCv2, in Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 2012 (Springer, Berlin, 2001), pp. 57–71 CrossRefGoogle Scholar
  20. [20]
    S. Halevi, EME*: Extending EME to Handle Arbitrary-Length Messages with Associated Data, in INDOCRYPT, ed. by A. Canteaut, K. Viswanathan. Lecture Notes in Computer Science, vol. 3348 (Springer, Berlin, 2004), pp. 315–327 CrossRefGoogle Scholar
  21. [21]
    S. Halevi, P. Rogaway, A tweakable enciphering mode, in Advances in Cryptology: CRYPTO 2003, ed. by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 482–429 CrossRefGoogle Scholar
  22. [22]
    S. Halevi, P. Rogaway, A parallelizable enciphering mode, in Topics in Cryptology, CT-RSA 2004. LNCS, vol. 2964 (Springer, Berlin, 2004), pp. 292–304 CrossRefGoogle Scholar
  23. [23]
    C. Jutla, Encryption modes with almost free message integrity, in Advances in Cryptology—EUROCRYPT 2001, ed. by B. Pfitzmann. Lecture Notes in Computer Science, vol. 2045 (Springer, Berlin, 2001) Google Scholar
  24. [24]
    J. Kilian, P. Rogaway, How to protect DES against exhaustive search (an analysis of DESX), in Proceedings CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 252–267. See for an updated version Google Scholar
  25. [25]
    M. Liskov, New tools in cryptography: Mutually independent commitment, tweakable block ciphers, and plaintext awareness via key registration. Ph.D. Thesis, MIT Laboratory for Computer Science (2004) Google Scholar
  26. [26]
    M. Liskov, R. Rivest, D. Wagner, Tweakable block ciphers, in Advances in Cryptology—CRYPTO 2002, ed. by M. Yung. Lecture Notes in Computer Science (Springer, Berlin, 2002), pp. 31–46 CrossRefGoogle Scholar
  27. [27]
    M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, in Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, Berkeley, California, 28–30 May 1986 Google Scholar
  28. [28]
    Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1997) zbMATHGoogle Scholar
  29. [29]
    K. Minematsu, Improved security analysis of XEX and LRW modes, in Selected Areas in Cryptography—SAC 2006. Lecture Notes in Computer Science, vol. 4356 (Springer, Berlin, 2006), pp. 96–113 CrossRefGoogle Scholar
  30. [30]
    R. Morris, K. Thompson, Password security: A case history. Commun. ACM 22(11), 594–597 (1979) CrossRefGoogle Scholar
  31. [31]
    M. Naor, O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited. J. Cryptol. 12, 29–66 (1999). Extended abstract in Proc. 29th Annual ACM STOC (1997), pp. 189–199 CrossRefzbMATHMathSciNetGoogle Scholar
  32. [32]
    P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in Advances in Cryptology—ASIACRYPT 2004, Jeju Island, Korea, 5–9 December 2004, ed. by P.J. Lee. Lecture Notes in Computer Science, vol. 3329 (Springer, Berlin, 2004) Google Scholar
  33. [33]
    P. Rogaway, M. Bellare, J. Black, T. Krovetz, A block-cipher mode of operation for efficient authenticated encryption, in Eighth ACM Conference on Computer and Communications Security (CCS-8) (ACM, New York, 2001), pp. 196–205. See CrossRefGoogle Scholar
  34. [34]
    B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C (Wiley, New York, 1996) Google Scholar
  35. [35]
    R. Schroeppel, The Hasty Pudding Cipher. NIST AES proposal, available at (1998)
  36. [36]
    Victor Shoup, On fast and provably secure message authentication based on universal hashing, in Proceedings CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 313–328 Google Scholar
  37. [37]
    US Department of Commerce National Bureau of Standards. DES modes of operation (1980). Federal Information Processing Standards Publication 81 Google Scholar

Copyright information

© The Author(s) 2010

Authors and Affiliations

  1. 1.Computer Science DepartmentThe College of William and MaryWilliamsburgUSA
  2. 2.Computer Science and Artificial Intelligence LaboratoryMassachusetts Institute of TechnologyCambridgeUSA
  3. 3.University of California BerkeleyBerkeleyUSA

Personalised recommendations