Tweakable Block Ciphers
We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs — message and cryptographic key — but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Keywords: block ciphers, tweakable block ciphers, initialization vector, modes of operation
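As an added illustration (not code from the paper), a toy tweakable block cipher in Python: an ordinary block cipher E_K is wrapped so that the public tweak T selects a different permutation, using the XOR-mask construction E~_K(T, M) = E_K1(M xor h_K2(T)) xor h_K2(T), which shows the "small extra cost" claim concretely as one hash of the tweak and two XORs. The Feistel cipher with a SHA-256 round function and HMAC as the keyed hash h are assumptions of this example, chosen so it runs on the standard library alone rather than on a real cipher such as AES.

```python
import hashlib
import hmac

BLOCK = 16    # block size in bytes
ROUNDS = 8    # Feistel rounds in the toy block cipher (assumption of this example)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: SHA-256 used as a PRF of (key, round index, half-block).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Ordinary block cipher E_K: an 8-round Feistel permutation (toy, not AES)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: run the Feistel rounds backwards."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _setup(key: bytes, tweak: bytes, block: bytes):
    # Split the 32-byte key into cipher key K1 and hash key K2, then derive the
    # mask h_K2(T) with HMAC; the tweak itself is public and may repeat freely.
    if len(key) != 32 or len(block) != BLOCK:
        raise ValueError("need a 32-byte key and a 16-byte block")
    return key[:16], hmac.new(key[16:], tweak, hashlib.sha256).digest()[:BLOCK]


def tweakable_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """E~_K(T, M) = E_K1(M xor h(T)) xor h(T): one hash and two XORs over E_K1."""
    k1, mask = _setup(key, tweak, block)
    return _xor(encrypt_block(k1, _xor(block, mask)), mask)


def tweakable_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Inverse: the same tweak is required to strip the mask and invert E_K1."""
    k1, mask = _setup(key, tweak, block)
    return _xor(decrypt_block(k1, _xor(block, mask)), mask)
```

Using a sector or block index as the tweak gives each position its own permutation without any secret or random IV, which is the role the abstract assigns to the tweak.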