Tweakable Block Ciphers

  • Moses Liskov
  • Ronald L. Rivest
  • David Wagner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs — message and cryptographic key — but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.


Keywords: block ciphers; tweakable block ciphers; initialization vector; modes of operation
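The abstract names the three inputs (key, tweak, message) but this page shows none of the paper's constructions. The Go program below is an added example, not code from the page or from the paper's authors: it builds a tweakable block cipher from AES-128 using the construction Ẽ_{K,h}(T, M) = E_K(M ⊕ h(T)) ⊕ h(T) with h(T) = h·T computed in GF(2^128), which is the second construction of the paper as I recall it (later referred to as LRW). The key, hash key, tweaks and message are constructed for the demonstration; the refusal of an all-zero hash key is a defensive choice of this example rather than a requirement stated on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Block is a 128-bit block; message, tweak and ciphertext all have this size.
type Block [16]byte

// xtime multiplies a GF(2^128) element by x. Blocks are read as big-endian
// polynomials (bit 7 of b[0] is x^127, bit 0 of b[15] is x^0) and reduced by
// x^128 + x^7 + x^2 + x + 1, so an overflow past x^127 folds back as 0x87.
func xtime(v Block) Block {
	var out Block
	carry := byte(0)
	for i := 15; i >= 0; i-- {
		next := v[i] >> 7
		out[i] = v[i]<<1 | carry
		carry = next
	}
	if carry == 1 {
		out[15] ^= 0x87
	}
	return out
}

// GF128Mul returns a*b in GF(2^128) by right-to-left shift-and-add.
func GF128Mul(a, b Block) Block {
	var z Block
	v := a
	for j := 0; j < 128; j++ {
		if (b[15-j/8]>>(j%8))&1 == 1 {
			z = xorBlock(z, v)
		}
		v = xtime(v)
	}
	return z
}

func xorBlock(a, b Block) Block {
	var out Block
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// LRW is a tweakable block cipher built from an ordinary block cipher E:
// ~E_{K,h}(T, M) = E_K(M xor h*T) xor h*T. K keys the underlying cipher and
// h is a second secret key selecting the universal hash h(T) = h*T.
type LRW struct {
	e cipher.Block
	h Block
}

// NewLRW wraps AES-128 under key k with hash key h. With h = 0 every tweak
// would give the same mask and the cipher would silently degrade to plain
// AES, so this example rejects it (an assumption of this example).
func NewLRW(k []byte, h Block) (*LRW, error) {
	if h == (Block{}) {
		return nil, errors.New("lrw: hash key must be nonzero")
	}
	e, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return &LRW{e: e, h: h}, nil
}

// Encrypt computes ~E_{K,h}(tweak, m).
func (c *LRW) Encrypt(tweak, m Block) Block {
	mask := GF128Mul(c.h, tweak)
	x := xorBlock(m, mask)
	var y Block
	c.e.Encrypt(y[:], x[:])
	return xorBlock(y, mask)
}

// Decrypt inverts Encrypt. The same tweak must be supplied, but the tweak is
// not secret and may travel in the clear next to the ciphertext.
func (c *LRW) Decrypt(tweak, ct Block) Block {
	mask := GF128Mul(c.h, tweak)
	x := xorBlock(ct, mask)
	var y Block
	c.e.Decrypt(y[:], x[:])
	return xorBlock(y, mask)
}

func main() {
	// Constructed sample inputs; a real deployment draws k and h at random.
	k := []byte("0123456789abcdef")
	var h, m, tw1, tw2 Block
	copy(h[:], []byte("tweak-hash-key-h"))
	copy(m[:], []byte("sixteen byte msg"))
	tw1[15], tw2[15] = 1, 2 // e.g. two sector indices used as tweaks
	c, err := NewLRW(k, h)
	if err != nil {
		panic(err)
	}
	c1, c2 := c.Encrypt(tw1, m), c.Encrypt(tw2, m)
	fmt.Println("tweak 1:", hex.EncodeToString(c1[:]))
	fmt.Println("tweak 2:", hex.EncodeToString(c2[:]))
	fmt.Println("round trip:", c.Decrypt(tw1, c1) == m)
}
```

Encrypting the same message under two tweaks yields unrelated ciphertexts at the cost of one field multiplication and two XORs per block, which is the "small extra cost" the abstract refers to; decrypting with the wrong tweak returns garbage rather than the message, so a mode built on this primitive must carry or derive the tweak (a sector number, a block index) on both sides.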



Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Moses Liskov (1)
  • Ronald L. Rivest (1)
  • David Wagner (2)
  1. Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, USA
  2. University of California, Berkeley, Berkeley, USA
