Tweakable Block Ciphers


A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher.

We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.
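The three-input interface described above, as an added sketch that is not code from the article: it tweaks an ordinary block cipher with one simple construction, Ẽ_K(T, M) = E_K(T ⊕ E_K(M)), chosen here for illustration. The Feistel network standing in for E_K, the 16-byte block size, the sample values and all function names are assumptions.

```python
import hashlib
import hmac

BLOCK = 16   # toy block size in bytes (assumption for this example)
ROUNDS = 4   # Feistel rounds of the stand-in cipher

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 over (round index || half block), truncated.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def _check(*blocks: bytes) -> None:
    if any(len(b) != BLOCK for b in blocks):
        raise ValueError(f"tweak and block must be exactly {BLOCK} bytes")

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for an ordinary block cipher E_K: a balanced Feistel network.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Inverse permutation D_K: undo the rounds in reverse order.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def tweak_encrypt(key: bytes, tweak: bytes, msg: bytes) -> bytes:
    # Tweakable cipher: E~_K(T, M) = E_K(T xor E_K(M)).
    _check(tweak, msg)
    return encrypt_block(key, _xor(tweak, encrypt_block(key, msg)))

def tweak_decrypt(key: bytes, tweak: bytes, ct: bytes) -> bytes:
    # Inverse: M = D_K(T xor D_K(C)); the same tweak must be supplied.
    _check(tweak, ct)
    return decrypt_block(key, _xor(tweak, decrypt_block(key, ct)))

if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample values
    msg = b"sixteen byte msg"
    t0, t1 = (0).to_bytes(BLOCK, "big"), (1).to_bytes(BLOCK, "big")
    c0, c1 = tweak_encrypt(key, t0, msg), tweak_encrypt(key, t1, msg)
    print(c0.hex(), c1.hex(), c0 != c1)     # same key, new tweak, new permutation
    print(tweak_decrypt(key, t0, c0) == msg, tweak_decrypt(key, t1, c0) == msg)
```

The tweak is public and changes per block (a counter here, in the way an IV or nonce would), while the key stays fixed. With a real cipher such as AES only `encrypt_block` and `decrypt_block` would change.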


Author information



Corresponding author

Correspondence to Moses Liskov.

Additional information

Communicated by Mihir Bellare

Rights and permissions

Open Access: This is an open access article distributed under the terms of the Creative Commons Attribution Noncommercial License, which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.

About this article

Cite this article

Liskov, M., Rivest, R.L. & Wagner, D. Tweakable Block Ciphers. J Cryptol 24, 588–613 (2011).

Key words

  • Block ciphers
  • Tweakable block ciphers
  • Initialization vector
  • Modes of operation
  • Pseudorandomness