Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC

  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3329)


We describe highly efficient constructions, XE and XEX, that turn a blockcipher \(E: \mathcal{K} \times \{0, 1 \}^{n} \rightarrow \{0, 1 \}^{n}\) into a tweakable blockcipher \(\tilde{E}: \mathcal{K} \times \mathcal{T} \times \{0, 1 \}^{n} \rightarrow \{0, 1 \}^{n}\) having tweak space \(\mathcal{T} = \{0, 1 \}^{n} \times \mathbb{I}\), where \(\mathbb{I}\) is a set of tuples of integers such as \(\mathbb{I} = [..2^{n/2}] \times [0..10]\). When tweak T is obtained from tweak S by incrementing one of its numerical components, the cost to compute \(\tilde{E}^{T}_{K}(M)\) having already computed some \(\tilde{E}^{S}_{K}(M')\) is one blockcipher call plus a small and constant number of elementary machine operations. Our constructions work by associating to the \(i\)-th coordinate of \(\mathbb{I}\) an element \(\alpha_{i} \in \mathbb{F}^{*}_{2^{n}}\) and multiplying by \(\alpha_{i}\) when one increments that component of the tweak. We illustrate the use of this approach by refining the authenticated-encryption scheme OCB and the message authentication code PMAC, yielding variants of these algorithms that are simpler and faster than the original schemes, and yet have simpler proofs. Our results bolster the thesis of Liskov, Rivest, and Wagner [10] that a desirable approach for designing modes of operation is to start from a tweakable blockcipher. We elaborate on their idea, suggesting the kind of tweak space, usage-discipline, and blockcipher-based instantiations that give rise to simple and efficient modes.
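The XEX construction sketched above, as an added example that is not the paper's own code: tweak \((N, i, j)\) is mapped to the mask \(D = 2^{i}3^{j}E_K(N)\) in \(\mathbb{F}_{2^{128}}\) (so stepping \(i\) or \(j\) costs one field multiplication by \(\alpha_1 = x\) or \(\alpha_2 = x+1\) rather than a new blockcipher call), and the tweaked cipher is \(E_K(M \oplus D) \oplus D\). The underlying blockcipher \(E_K\) is assumed; the 4-round Feistel permutation here is a constructed, insecure stand-in used only so the arithmetic can be exercised offline.

```python
# Added example, not the paper's code: XEX over GF(2^128), mask D = 2^i 3^j E_K(N)
# for tweak (N, i, j).  The Feistel "cipher" is a constructed stand-in, NOT secure.
import hashlib

RB = 0x87   # x^128 reduced modulo the primitive x^128 + x^7 + x^2 + x + 1

def times2(x):  # multiply by alpha_1 = x in GF(2^128): shift plus conditional xor
    x <<= 1
    return (x ^ RB) & ((1 << 128) - 1) if x >> 128 else x

def times3(x):  # multiply by alpha_2 = x + 1: times2 plus one more xor
    return times2(x) ^ x

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):   # round function of the stand-in permutation
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def toy_encrypt(key, block):  # 4-round Feistel bijection standing in for E_K
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R

def toy_decrypt(key, block):  # its inverse, standing in for E_K^{-1}
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R

def xex_masks(key, N, m, j=0):
    """Masks for (N, 1, j)..(N, m, j): one call for E_K(N), then one times2 per step."""
    d = int.from_bytes(toy_encrypt(key, N), "big")
    for _ in range(j):
        d = times3(d)
    out = []
    for _ in range(m):
        d = times2(d)
        out.append(d)
    return out

def xex_encrypt(key, N, i, j, M):
    """E~_K^{(N,i,j)}(M) = E_K(M xor D) xor D, D = 2^i 3^j E_K(N), i >= 1."""
    D = xex_masks(key, N, i, j)[-1].to_bytes(16, "big")
    return _xor(toy_encrypt(key, _xor(M, D)), D)

def xex_decrypt(key, N, i, j, C):
    D = xex_masks(key, N, i, j)[-1].to_bytes(16, "big")
    return _xor(toy_decrypt(key, _xor(C, D)), D)
```

Replacing `toy_encrypt`/`toy_decrypt` with a real 128-bit blockcipher leaves the mask arithmetic unchanged; the `xex_masks` loop is what makes processing block \(i+1\) after block \(i\) cost one shift and one conditional xor on top of the blockcipher call.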




  1. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Symposium on Foundations of Computer Science, FOCS 1997, pp. 394–403. IEEE Computer Society, Los Alamitos (1997)
  2. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3) (December 2000); earlier version in CRYPTO 1994
  3. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004)
  4. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)
  5. Gligor, V., Donescu, P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 92–108. Springer, Heidelberg (2002)
  6. Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)
  7. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)
  8. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). Journal of Cryptology 14(1), 17–35 (2001)
  9. Jutla, C.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, Heidelberg (2001)
  10. Liskov, M., Rivest, R., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
  11. Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory 24, 106–110 (1978)
  12. Pollard, J.: Monte Carlo methods for index computation (mod p). Mathematics of Computation 32, 918–924 (1978)
  13. Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security 2002, CCS 2002, pp. 98–107. ACM Press, New York (2002)
  14. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC (manuscript 2004); full version of this paper, available from the author's web page
  15. Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security 6(3), 365–403 (2003); earlier version, with T. Krovetz, in CCS 2001
  16. Schroeppel, R.: The hasty pudding cipher. AES candidate submitted to NIST (1998)
  17. Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Network Working Group RFC 3610. The Internet Society (September 2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Phillip Rogaway
  1. Dept. of Computer Science, University of California, Davis, USA
  2. Dept. of Computer Science, Chiang Mai University, Chiang Mai, Thailand
