Improved Security Analysis of XEX and LRW Modes

  • Kazuhiko Minematsu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4356)


We study block cipher modes that turn a block cipher into a tweakable block cipher, which accepts an auxiliary variable called tweak in addition to the key and message. Liskov et al. first showed such a mode using two keys, where one is the block cipher’s key and the other is used for some non-cryptographic function. Later, Rogaway proposed the XEX mode to reduce these two keys to one key. In this paper, we propose a generalization of the Liskov et al.’s scheme with a concrete security proof. Using this, we provide an improved security proof of the XEX and some improvements to the LRW-AES, which is a straightforward AES-based instantiation of Liskov et al.’s scheme proposed by the IEEE Security in Storage Workgroup.


  1. 1.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A Concrete Security Treatment of Symmetric Encryption. In: FOCS 1997. Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pp. 394–403 (1997)Google Scholar
  2. 2.
    Black, J.: Message Authentication Code. PhD dissertation (2000)Google Scholar
  3. 3.
    Goldreich, O.: Modern Cryptography, Probabilistic Proofs and Pseudorandomness. Springer, HeidelbergGoogle Scholar
  4. 4.
    Halevi, S., Rogaway, P.: A Tweakable Enciphering Mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)Google Scholar
  5. 5.
    Halevi, S., Rogaway, P.: A Parallelizable Enciphering Mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)Google Scholar
  6. 6.
    Iwata, T., Kurosawa, K.: On the Universal Hash Functions in Luby-Rackoff Cipher. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 226–236. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)Google Scholar
  8. 8.
    Keliher, L., Sui, J.: Exact Maximum Expected Differential and Linear Probability for 2-Round Advanced Encryption Standard (AES). IACR ePrint Archive 2005/321Google Scholar
  9. 9.
    Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996)Google Scholar
  10. 10.
    Liskov, M., Rivest, R., Wagner, D.: Tweakable Block Ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Maurer, U.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Maurer, U., Pietrzak, K.: Composition of Random Systems: When Two Weak Make One Strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004)Google Scholar
  13. 13.
    Minematsu, K., Tsunoo, Y.: Provably Secure MACs From Differentially-uniform Permutations and AES-based Implementations. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Naor, M., Reingold, O.: On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. Journal of Cryptology 12(1), 29–66 (1999)MATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)Google Scholar
  16. 16.
    Pietrzak, K.: Composition Does Not Imply Adaptive Security. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 55–65. Springer, Heidelberg (2005)Google Scholar
  17. 17.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: ACM CCS 2001. ACM Conference on Computer and Communications Security, pp. 196–205 (2001)Google Scholar
  18. 18.
    Rogaway, P.: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC (the early version of [19]),
  19. 19.
    Rogaway, P.: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)Google Scholar
  20. 20.
    Wegman, M., Carter, L.: New Hash Functions and Their Use in Authentication and Set Equality. Journal of Computer and System Sciences 22, 265–279 (1981)MATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Vaudenay, S.: On the Lai-Massey Scheme. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 9–19. Springer, Heidelberg (1999)Google Scholar
  22. 22.
  23. 23.
    Draft Proposal for Tweakable Narrow-block Encryption (2004),

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Kazuhiko Minematsu
    • 1
  1. 1.NEC Corporation, 1753 Shimonumabe, Nakahara-Ku, Kawasaki 211-8666Japan

Personalised recommendations