Tweakable block ciphers

J. Cryptol. (2011) 24: 588–613 DOI: 10.1007/s00145-010-9073-y Tweakable Block Ciphers Moses Liskov Computer Science Department, The College of William and Mary, Williamsburg, VA 23187, USA mliskov@cs.wm.edu Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge, MA 02139, USA rivest@mit.edu David Wagner University of California Berkeley, Soda Hall, Berkeley, CA 94720, USA daw@cs.berkeley.edu Communicated by Mihir Bellare Received 28 July 2005 Online publication 2 September 2010 Abstract. A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher. We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers. Key words. Block ciphers, Tweakable block ciphers, Initialization vector, Modes of operation, Pseudorandomness. 1. Introduction A conventional block cipher takes two inputs—a key K ∈ {0, 1}k and a message (or plaintext) M ∈ {0, 1}n —and produces a single output—a ciphertext C ∈ {0, 1}n . The © The Author(s) 2010. This article is published with open access at Springerlink.com Tweakable Block Ciphers 589 Fig. 1. (a) Standard block cipher encrypts a message M under control of a key K to yield a ciphertext C. (b) Tweakable block cipher encrypts a message M under control of not only a key K but also a “tweak” T to yield a ciphertext C. The “tweak” can be changed quickly and can even be public. (c) Another way of representing a tweakable block cipher; here the key K shown inside the box. signature for a block cipher is thus (see Fig. 1(a)): E : {0, 1}k × {0, 1}n → {0, 1}n . (1) The corresponding operators for variable-length symmetric-key encryption have a different signature. They take as input a key K ∈ {0, 1}k , an initialization vector (or nonce) V ∈ {0, 1}v , and a message M ∈ {0, 1}∗ of arbitrary length, and produce as output a ciphertext C ∈ {0, 1}∗ . The signature for a typical encryption mode is thus E : {0, 1}k × {0, 1}v × {0, 1}∗ → {0, 1}∗ . These operators are usually called “modes of operation” for a block cipher, but this terminology is confusing: these “modes of operation” are actually the encryption schemes (and other primitives) we really care about, and block ciphers are an underlying primitive. Block ciphers (pseudorandom permutations) are inherently deterministic: every encryption of a given message with a given key will be the same. Many modes of operation and other applications using block ciphers have a requirement for “essentially different” instances of the block cipher in order to prevent attacks that operate by, say, permuting blocks of the input. Attempts to resolve the conflict between keeping the same key for efficiency and yet achieving variability often results in a design that uses a fixed key, but which attempts to achieve variability by manipulating the input before encryption, the output after encryption, or both. Such designs seem inelegant—they are attempting to solve a problem with a primitive (a basic block cipher) that is not well suited for the problem at hand. It would be better to rethink what primitives are really ideal for such a problem. We propose to revise the notion of a block cipher so that it contains a mechanism for variability as well. The revised primitive, which we call a tweakable block cipher, has the signature  : {0, 1}k × {0, 1}t × {0, 1}n → {0, 1}n . E (2) For this operator, we call the new (second) input a “tweak” rather than a “nonce” or “initialization vector,” but the intent is similar. A tweakable block cipher thus takes 590 M. Liskov, R.L. Rivest, and D. Wagner three inputs—a key K ∈ {0, 1}k , a tweak T ∈ {0, 1}t , and a message (or plaintext) M ∈ {0, 1}n —and produces as output a ciphertext C ∈ {0, 1}n (see Fig. 1(b)). In designing a tweakable block cipher, we have certain goals. We want any tweakable block ciphers we design to be as efficient as possible. Furthermore, we expect tweaks to be changed frequently, so a tweakable block cipher should have the property that changing the tweak should be efficient. For tweakable block ciphers built from block ciphers, this means that changing the tweak should not make it necessary to rekey the block cipher. And, for any tweakable block cipher, changing the tweak should be less costly than changing the key.1 Some cryptographic modes of operation such as the Davies–Meyer hash function (see Menezes et al. [28, Sect. 9.4]) have fallen into disfavor because they have a feedback path into the key input of the block cipher. See, for example, the discussion by Rogaway et al. [33] explaining the design rationale for the OCB mode of operation, which uses the same cryptographic key throughout. A tweakable block cipher should also be secure, meaning that even if an adversary has control of the tweak input, we want the tweakable block cipher to remain secure. We will define what this means more precisely later on. Intuitively, each fixed setting of the tweak should give rise to a different, apparently independent, standard block cipher encryption operator. We wish to carefully distinguish between the function of the key, which is to provide uncertainty to the adversary, and the role of the tweak, which is to provide variability. The tweak is not intended to provide additional uncertainty to an adversary, and even keeping the tweak secret need not provide any greater cryptographic strength. The point of this paper is to suggest that by cleanly separating the roles of cryptographic key (which provides uncertainty to the adversary) from that of the tweak (which provides independent variability) we may have just the right tool for many cryptographic purposes. 1.1. Prior and Related Work We are not the first to propose adding an additional input to a block cipher for variability. Rich Schroeppel proposed the Hasty Pudding Cipher (HPC) [35] in the competition for the Advanced Encryption Standard; this cipher utilized a non-key parameter, called the “spice”, described as a “secondary key which need not be concealed,” and notes that “the spice can be changed very cheaply for each block encrypted.” Schroeppel discussed a number of motivations and potential advantages for such an additional input, such as the ability to perform parallel encryption of multiple blocks. To the best of our knowledge, HPC was the first block cipher to utilize such an auxiliary parameter. We note that the security requirements for a tweakable block cipher as proposed in this paper are stronger than the corresponding ones for HPC, since a tweakable block cipher should be secure against a “chosen tweak attack,” while Schroeppel cautions that security against a “chosen spice attack” is unknown. Paul Crowley later proposed the Mercy cipher [13] for disk sector encryption; this cipher includes a 128-bit randomizer or “spice” (he notes Schroeppel’s prior work and terminology). Crowley gives as a security goal for Mercy that “any procedure for distinguishing Mercy encryption from a sequence of 2128 independent random permutations 1 More precisely, it is a goal that after computing E K (T , M), it should be more efficient to compute K (T ′ , M ′ ) than to compute E K ′ (T , M ′ ). E Tweakable Block Ciphers 591 (for the 2128 possible spices) should show no more bias towards correctness than a key guessing attack with the same work factor.” His security requirement is thus very close to what is proposed in this paper for a basic tweakable block cipher; our definition of strong security for a tweakable block cipher extends this initial notion by giving the attacker access to a decryption oracle as well as an encryption oracle. Mercy was later broken [17]. On the application side, there are many examples of prior work that have apparent modules for variability in the constructions. The following are some key examples, but not an exhaustive list. One motivating example for the introduction of tweakable block ciphers is the DESX construction introduced by Rivest (unpublished). The reason for introducing DESX was to cheaply provide additional key information for DES. The security of DESX has been analyzed by Kilian and Rogaway [24]; they show that DESX with n-bit inputs (and tweaks) and k-bit keys has an effective key-length of k + n − 1 − lg m where the adversary is limited to m oracle calls. In the DESX construction secret pre- and postwhitening values were added as additional key information. In a similar vein, Biham and Biryukov [8] suggest strengthening DES against exhaustive search by (among other things) applying a DESX-like construction to each of DES’s S-boxes. Even and Mansour [16] have also investigated a similar construction where the inner encryption operator F is fixed and public, and encryption is performed by EK1 K2 (M) = K2 ⊕ F (K1 ⊕ M). They show (see also Daemen [14]) that the effective key length here is n − lg l − lg m where the adversary is allowed to make l calls to the encryption/decryption oracles and m calls to an oracle for F or F −1 . Similarly, if one looks at the internals of the recently proposed “offset codebook mode” (OCB mode) of Rogaway et al. [33] and the work of Jutla [23], one sees DESXlike modules that may also be viewed as instances of a tweakable block ciphers. That is, the pre- and post-whitening operations are essentially there to provide distinct families of encryption operators, i.e., they are “tweaked.” OCB mode was also a motivating example for us because of the complexity and difficulty of its proof of security [33]. Beyond the domain of block cipher design and analysis, it is worth noting the similarity of the tweakable block cipher idea to the idea of salts in the hashing of Unix passwords [30]; each distinct salt makes for an “essentially different” hash for each password. This work appeared in preliminary form in [26] and [25]. Since the initial publication, the notion of tweakable block ciphers has been applied to disk sector encryption [20–22]. Rogaway [32] describes XE and XEX modes, tweakable block ciphers that are highly efficient if sequential tweaks are used; some subsequent work extends this idea [12,29]. Bellare and Kohno [5] discuss the issue of creating tweakable block ciphers from block ciphers secure against related-key attacks. Black, Cochran, and Shrimpton [9] have presented work analyzing the security of the TCH hash function presented in our preliminary paper, and showing attacks for certain instantiations of the tweakable block cipher. Goldenberg et al. [18] discuss how to add tweaks to Luby–Rackoff block ciphers directly. 1.2. Roadmap In Sect. 2 we then discuss and formalize the notion of security for tweakable block ciphers. In Sect. 3 we suggest several ways of constructing tweakable block ciphers 592 M. Liskov, R.L. Rivest, and D. Wagner from existing block ciphers and prove that the existence of tweakable block ciphers is equivalent to the existence of block ciphers. Then in Sect. 4 we suggest several new modes of operation utilizing tweakable block ciphers and give simple proofs for some of them. Section 5 concludes with some discussion and open problems. 2. Definitions 2.1. Notation When A is a randomized algorithm, we write y ← A(x) to mean that y is a random variable with value determined by A on input x. When S is a finite set, we write x ← S to mean that x is a random variable chosen according to the uniform distribution on S. We write x1 ← X1 ; x2 ← X2 ; . . . ; xk ← Xk to mean that the values of variables x1 , . . . , xk are chosen in order, by first determining x1 , then x2 , and so on, until xk is determined. We write x1 ← X1 ; . . . ; xk ← Xk : P (x1 , . . . , xk ) to mean the event that P (x1 , . . . , xk ) evaluates to true, given the random choices of x1 , . . . , xk . We write AO1 ,...,Ok to mean the algorithm A with access to oracles O1 , . . . , Ok . We write u ◦ v to mean the concatenation of strings u and v. 2.2. Block Ciphers A block cipher is a pair of functions (E, D). E takes as input a k-bit key K and an n-bit message M and outputs an n-bit ciphertext C. D takes a k-bit key K and an n-bit ciphertext C as inputs, and outputs an n-bit plaintext M. E and D must both be efficient (polynomial time) to compute, deterministic, and such that for all K and all M, D(K, E(K, M)) = M. For convenience, we write EK to mean the function that takes M to E(K, M). The security of a block cipher E (e.g., parameterized as in (1)) can be quantified as ADVPRP (E, q, s), which represents the maximum advantage that an adversary can obtain when trying to distinguish EK (with a randomly chosen key K) from a random permutation Π with the same domain, when allowed q queries to an unknown oracle (which is either EK or Π ) and when allowed computation time s. This advantage is defined as the difference between the probability the adversary outputs 1 when given oracle access to EK and the probability the same adversary outputs 1 when given oracle access to Π . Definition 1. Define      ADVPRP (E, A) =  Pr b ← AΠ : b = 1 − Pr K ← {0, 1}k ; b ← AEK : b = 1 , and define ADVPRP (E, q, s) = max ADVPRP (E, A), A∈Aq,s where Aq,s is the set of all algorithms making at most q oracle queries and running in time at most s. Tweakable Block Ciphers 593 A stronger definition for a block cipher can be defined as the maximum advantage that an adversary can obtain when trying to distinguish the pair of oracles E(K, ·), D(K, ·) from the pair Π, Π −1 , when allowed q queries and computation time s. This advantage is defined as the difference between the probability the adversary outputs 1 when given oracle access to E, D and the probability the same adversary outputs 1 when given oracle access to Π, Π −1 . Definition 2. Define   ADVSPRP (E, A) =  Pr b ← AΠ,Π and define −1 :b=1    − Pr K ← {0, 1}k ; b ← AEK ,DK : b = 1 , ADVSPRP (E, q, s) = max ADVSPRP (E, A), A∈Aq,s where Aq,s is as in Definition 1. Such a block cipher is referred to as a “strong block cipher” or a “strong pseudorandom permutation.” 2.3. Tweakable Block Ciphers  D).  E  takes as input a k-bit key K, A tweakable block cipher is a pair of functions (E,  takes a a t-bit tweak T , and an n-bit message M and outputs an n-bit ciphertext C. D k-bit key K, a t-bit tweak T , and an n-bit ciphertext C as inputs and outputs an n-bit  and D  must both be efficient (polynomial time) to compute, determinplaintext M. E   istic, and such that for all K, T , and M, D(K, T , E(K, T , M)) = M. For convenience,   we write EK to mean the function that takes (T , M) to E(K, T , M). We may measure the security of a tweakable block cipher (or a tweakable pseudoran as the maximum advantage ADVTPRP (E,  q, s) an adversary can obdom permutation) E  , a family tain when trying to distinguish EK from a “tweakable random permutation” Π of independent random permutations parameterized by T . That is, for each T , we have  , ·) is an independent randomly chosen permutation of the message space. that Π(T  may be considered secure when ADVTPRP (E,  q, s) is sufA tweakable block cipher E ficiently small. Definition 3. Define         A) =  Pr b ← AΠ ADVTPRP (E, : b = 1 − Pr K ← {0, 1}k ; b ← AEK : b = 1 , and define ADVTPRP (E, q, s) = max ADVTPRP (E, A), A∈Aq,s where Aq,s is as in Definition 1. 594 M. Liskov, R.L. Rivest, and D. Wagner Note that the adversary is allowed to choose both the message and tweak for each oracle call.  q, s) as the maximum advantage an adversary can Similarly, we define ADVSTPRP (E, K , D K from Π,  Π −1 , when given obtain when trying to distinguish the pair of oracles E q queries and s time. We say that a tweakable block cipher is a strong tweakable block  q, s) is sufficiently small. cipher when ADVSTPRP (E, Definition 4. Define    −1  A) =  Pr b ← AΠ,Π ADVSTPRP (E, :b=1      − Pr K ← {0, 1}k ; b ← AEK ,DK : b = 1 , and define ADVSTPRP (E, q, s) = max ADVSTPRP (E, A), A∈Aq,s where Aq,s is as in Definition 1. 3. Constructions In this section, we show how to construct a secure tweakable block cipher and a strong tweakable block cipher, from simple underlying primitives we assume to be secure. 3.1. Unsuccessful Constructions First, we demonstrate some simple attempts at constructing tweakable block ciphers from block ciphers and show that these methods are not successful. As a first attempt, we might try applying the DESX construction K (T , M) = EK (M ⊕ T ) ⊕ T . E Here, an adversary making the two queries (T , M), (T ⊕ 1, M ⊕ 1) can distinguish.  but this is If C and C ′ are the respective outputs, C ⊕ C ′ = 1 will always be true for E, . very unlikely for Π Another natural idea is to make the tweak affect the key of the underlying block cipher. This is doubly wrong, as this clearly any change to the tweak will require rekeying, and furthermore, these approaches are not necessarily secure. Consider K (T , M) = EK◦T (M), E ′ K (T , M) = EK⊕T (M). E If secure block ciphers exist, it is trivial to construct a secure block cipher such that EK (M) = EK⊕1 (M) for all K, M.2 If such a block cipher were used in either of the ′ 2 For example, E ′ K◦b (M) = EK (M), where E is a secure block cipher. Tweakable Block Ciphers 595 above constructions, the resulting tweakable block cipher would be easily attackable, by querying (T , M) and (T ⊕ 1, M). Even if this type of overt flaw is not known to exist in E, related-key attacks [7] could apply. 3.2. A Tweakable Block Cipher Here, we give a first secure tweakable block cipher construction. We call this construction CMT mode, which stands for “CBC-MAC Tweaked.” Let E be a secure block cipher. CMT mode is defined by   K (T , M) = EK T ⊕ EK (M) E and   K (T , C) = DK T ⊕ DK (C) . D CMT mode is reasonably efficient. The following theorem proves its security. Theorem 1.  is a secure tweakable block cipher. Specifically, E  q, s) ≤ ADVPRP (E, 2q, s + q) + ADVTPRP (E, 17q 2 − q . 2n+1 Proof. This proof is adapted from a proof given by Bellare and Kohno [4].  , M) is just the CBC MAC of the message M ◦ T . Let R be a random Note that E(T function from t + n bits to n bits. Define     A) =  Pr b ← AR : b = 1 ADVPRF (E,    − Pr K ← {0, 1}k ; b ← AEK : b = 1 ,  A).  q, s) = maxA∈A ADVPRF (E, and let ADVPRF (E, q,s Bellare et al. [3] show that if A is an adversary that aims to distinguish a CBC MAC oracle from a random oracle, an adversary A′ can be constructed that aims to distinguish the block cipher from a random permutation, such that 4q 2  A) ≤ ADVPRP (E, A′ ) + , ADVPRF (E, 2n−1 where q is the number of queries made by A, where A′ makes 2q queries, and where A′ takes time s + q where s is the running time of A. The time overhead is due to  q, s) ≤ the need to make twice as many oracle queries. This proves that ADVPRF (E, 16q 2 ADVPRP (E, 2q, s + q) + 2n+1 .  only in that for any fixed T , R is a random function, Note that R differs from Π while Π is a random permutation. The output of a single random function and a single random permutation, each with n-bit outputs, are statistically close: if q queries are 2 −q made, the statistical difference is at most q2n+1 . Thus, the outputs of R and Π have 1 l 2 − q , where l is the number of distinct tweaks statistical difference at most 2n+1 q i i=1 i 596 M. Liskov, R.L. Rivest, and D. Wagner queried, and where qi is the number of queries involving the ith tweak. This difference is maximized when l = 1 and q1 = q. Therefore,  q, s) ≤ ADVPRF (E,  q, t) + ADVTPRP (E, q2 − q 2n+1 ≤ ADVPRP (E, 2q, s) + 17q 2 − q , 2n+1 as stated.  Theorem 2. The existence of secure block ciphers is equivalent to the existence of secure tweakable block ciphers. Proof of Theorem 2. One direction follows from Theorem 1. K (T , M) be a tweakable block cipher, and let EK (M) = For the other, let E t  EK (0 , M). Any distinguishing attack against E is clearly a distinguishing attack  in which every tweak is chosen to be 0t . Therefore, ADVPRP (E, q, s) = against E  q, s) for all q and s. ADVTPRP (E,  We leave it as an open problem to devise a construction with a tighter bound than Theorem 1. Efficiency The construction of Theorem 1 has an overall running time that is twice the running time of the underlying block cipher. For this construction, it can be significantly faster to change the tweak than to change K (T ′ , M ′ ) is the cost of K (T , M) has been computed, the cost to compute E the key. If E K ′ (T , M ′ ), however, is the cost two block cipher computations. The cost of computing E of two block cipher computations plus the cost of key scheduling for the block cipher. 3.3. A Strong Tweakable Block Cipher The construction of Sect. 3.2 is interesting as a simple example of a tweakable block cipher. However, it is not a strong tweakable block cipher, and its efficiency leaves room for improvement. Next we give a strong tweakable block cipher that is also more efficient. We call this construction LRW mode, after a later precedent in the literature [29]. A family H of functions with signature {0, 1}t → {0, 1}n is said to be an ǫ-almost 2-xor-universal hash function family (“ǫ-AXU2 hash function family”, for short) if Prh [h(x) ⊕ h(y) = z] ≤ ǫ holds for all x, y, z with x = y, where the probability is taken over h chosen uniformly at random from H. Let H be such a hash function family. The LRW mode tweakable block cipher uses a key (K, h) where K ← {0, 1}k and h ← H, and is given by K,h (T , M) = EK (M ⊕ h(T )) ⊕ h(T ), E K,h (T , C) = DK (M ⊕ h(T )) ⊕ h(T ). D Tweakable Block Ciphers 597 Theorem 3. If H is an ǫ-AXU2 hash function family with ǫ ≥ 2−n , and E is a strong  is a strong tweakable block cipher. Specifically, for pseudorandom permutation, then E n−1 all q ≤ 2 ,  q, s) ≤ ADVSPRP (E, q, s + q) + 3ǫq 2 . ADVSTPRP (E, ′ be Π used in LRW mode. We use Pr0 [·] First, we establish some notation. Let E h K,h , where to represent the probability measure in the case where A interacts with E k the probability is taken over the choice of K ∈ {0, 1} and h ∈ H uniformly and independently at random. Also, we let Pr1 [·] denote the measure where A interacts with ′ , where the probability is taken over the uniform random choice of h ∈ H. Let Pr2 [·] E h . In all three cases, we write O for A’s denote the measure when A interacts with Π oracle. We let the random variable Ti denote the tweak input on A’s ith oracle call, and we let Mi and Ci denote the plaintext and ciphertext corresponding to this call, so that O(Ti , Mi ) = Ci . In other words, if A’s ith oracle query is an encryption query (to O), then (Ti , Mi ) denotes the input and Ci the return value, whereas if A’s ith oracle query is a decryption query (to O−1 ), then the input is (Ti , Ci ), and the result of the query is Mi . Moreover, we define the random variables Ni , Bi by Ni = Mi ⊕ h(Ti ) and Bi = Ci ⊕ h(Ti ). Note that in probability measure Pr0 [·], we have EK (Ni ) = Bi , and in probability measure Pr1 [·], we have Π(Ni ) = Bi . We define the random variable τn by τn = (T1 , M1 , C1 ), . . . , (Tn , Mn , Cn ) , and we use τ = τq to represent the full transcript of interaction with the oracle. We fix an adversary A, and we assume without loss of generality that A does not make any repeated or redundant queries to its oracle. As a consequence of this assumption, the pairs (Ti , Mi ) are all distinct, or in other words, for all i = j , we have (Ti , Mi ) = (Tj , Mj ). Similarly, the pairs (Ti , Ci ) are also distinct, as are the (Ti , Ni )’s and the (Ti , Bi )’s. Also, the output of A can be viewed as a function of the transcript τ , so we sometimes write the output of A as A(τ ). Our proof is separated into two parts. In the information-theoretic part, we let Π ′ is a secure tweakdenote a permutation chosen uniformly at random and show that E h able block cipher. Then, in the computational part, we let E be arbitrary, and we show  will also be a secure that if EK and Π are computationally indistinguishable, then E tweakable block cipher. The information-theoretic part of the proof uses the following strategy. We define a bad event Bad. We show that when conditioning on the complement event (that is, when nothing bad happens), the probability measures Pr1 [·|Bad] and Pr2 [·|Bad] are in fact identical, that is, the adversary can only distinguish with probability 1/2. Then, we show that Pr1 [Bad] and Pr2 [Bad] are both small; thus, if we replace E with a random permutation, the adversary could only distinguish with a negligible advantage. In our arguments, we define Badn to be the event that, for some 1 ≤ i < j ≤ n, either Ni = Nj or Bi = Bj . Also, we let Bad = Badq . Lemma 1. Let Evτ be the event that τ is the transcript generated. Then Pr1 [Evτ |Bad] = Pr2 [Evτ |Bad]. 598 M. Liskov, R.L. Rivest, and D. Wagner Proof. We show this by induction on the length of the transcript, q. Consider the qth oracle query: it is either an encryption or a decryption query. Suppose first that the qth oracle query is an encryption query, with inputs (Tq , Mq ). By the inductive hypothesis, we can assume that the distribution of τq−1 is the same for both the Pr1 [·|Badq−1 ] and Pr2 [·|Badq−1 ] probability measures, hence the same is true of the distribution of (τq−1 , Tq , Mq ). Now fix any h such that Nq ∈ / {N1 , . . . , Nq−1 }, so that the only remaining random . When O = Π , Cq = Π(T  q , Mq ) is uniformly distributed on choice is over Π or Π the set S = {0, 1}n \ {Ci : Ti = Tq and 1 ≤ i < q} if we condition on Badq−1 (but ′ , we find something slightly different: before conditioning on Badq ). When O = E Bq = Π(Nq ) is uniformly distributed on the set {0, 1}n \ {B1 , . . . , Bq−1 } (conditioned on Badq−1 , but before conditioning on Badq ), hence Cq = Bq ⊕ h(Tq ) is uniformly distributed on the set S ′ = {0, 1}n \ {Ci ⊕ h(Ti ) ⊕ h(Tq ) : i = 1, . . . , q − 1}. In both cases, the probabilities are independent of the choice of h. Also, note that S ′ ⊆ S, since when Ti = Tq , we have Ci ⊕ h(Ti ) ⊕ h(Tq ) = Ci . Adding the condition Badq amounts to adding the condition that Bq ∈ {0, 1}n \ {B1 , . . . , Bq−1 }, i.e., that Cq ∈ S ′ . Thus, after conditioning on Badq , we see that Cq is uniformly distributed on S ′ and independent of the rest of the transcript, and hence the distribution of τ is the same for both the Pr1 [·|Badq ] and Pr2 [·|Badq ] probability measures. (Here we have used the following simple fact: if the random variable X is uniform on a set S and if S ′ is some subset of S, then after conditioning on the event X ∈ S ′ we find that the resulting random variable is uniform on S ′ .) This covers the case where the qth query is a chosen-plaintext query. The other case, where the qth query is a chosen-ciphertext query, is treated similarly. This concludes  the proof of Lemma 1. Lemma 2. If H is ǫ-AXU2 , then Pr2 [Badq ] ≤ ǫq(q − 1). , h is independent of the transcript τ . Hence, we can Proof. Note that, when O = Π defer the choice of h until after A completes all q of its queries and the values of Ti , Mi , Ci are fixed. Then, we find Pr 2 [Badq ] = Pr[∃i < j : Ni = Nj ∨ Bi = Bj ] h Pr[Ni = Nj ] + Pr[Bi = Bj ] ≤ 1≤i<j ≤q = 1≤i<j ≤q h h (3) (4)   Pr h(Ti ) ⊕ h(Tj ) = Mi ⊕ Mj h   + Pr h(Ti ) ⊕ h(Tj ) = Ci ⊕ Cj (5) 2ǫ = ǫq(q − 1). (6) h ≤ 1≤i<j ≤q Equation (3) is from the definition of Badq . Equation (4) follows by a union bound. Equation (5) follows from the definition of Ni and Bi . Finally, (6) follows by the defin- Tweakable Block Ciphers 599 ition of ǫ-AXU2 hash functions. Note that if Ti = Tj and i = j , then Mi ⊕ Mj = 0, and thus Pr[h(Ti ) ⊕ h(Tj ) = Mi ⊕ Mj ] = 0 ≤ ǫ; similarly for Ci ⊕ Cj = 0.  Lemma 3. If H is ǫ-AXU2 for ǫ ≥ 1/2n and if EK = Π and q ≤ 2n−1 , then Pr1 [Badq ] ≤ 1.5ǫq(q − 1). Proof. We will prove that Pr1 [Badq ] ≤ 1.5ǫq(q − 1) by induction on q. Let Ev denote that event that, for some i, we have Ni = Nq , and let Ev′ denote the event that, for some i, we have Bi = Bq . Note that Pr1 [Badq ] = Pr1 [Badq−1 ] + Pr1 [Badq |Badq−1 ] Pr1 [Badq−1 ]. By the inductive hypothesis, Pr1 [Badq−1 ] ≤ 1.5ǫ(q − 1)(q − 2). Also, Pr1 [Badq−1 ] ≤ 1. Hence all that remains is to bound the term Pr1 [Badq |Badq−1 ]. Applying a union bound shows that Pr1 [Badq |Badq−1 ] ≤ Pr1 [Ev|Badq−1 ] + Pr1 [Ev′ |Ev ∧ Badq−1 ]. We next bound each of these two terms in turn. By Lemma 1, and since H is ǫ-AXU2 , we see Pr1 [Ev|Badq−1 ] = Pr2 [Ev|Badq−1 ] ≤ ǫ(q − 1). Moreover, Pr1 [Ev′ |Ev ∧ Badq−1 ] = Pr1 [Π(Nq ) ∈ {B1 , . . . , Bq−1 }|Ev ∧ Badq−1 ] ≤ (q − 1)/(2n − q + 1) ≤ 2(q − 1)/2n ≤ 2ǫ(q − 1), since Π(Nq ) is uniformly distributed on a set of size at least 2n − q + 1 and since ǫ ≥ 1/2n . Finally, 1.5ǫ(q − 1)(q − 2) + ǫ(q − 1) + 2ǫ(q − 1) ≤ 1.5ǫq(q − 1). The statement of the lemma now follows.  We are now ready to prove the security theorem. ′ , q, s) ≤ 3ǫq(q − 1). For Proof of Theorem 3. First, we show that ADVSTPRP (E notational convenience, define p1 = Pr1 [A(τ ) = 1|Bad], p1′ = Pr1 [A(τ ) = 1|Bad], p2 = Pr2 [A(τ ) = 1|Bad], and p2′ = Pr2 [A(τ ) = 1|Bad]. We perform the following calculation:     ′ , A) =  Pr 1 A(τ ) = 1 − Pr 2 [A(τ ) = 1] ADVSTPRP (E   = p1 Pr 1 [Bad] + p1′ Pr 1 [Bad] − p2 Pr 1 [Bad] − p2′ Pr 2 [Bad]   ≤ p1 Pr 1 [Bad] − p2 Pr 2 [Bad]| + |p1′ Pr 1 [Bad] − p2′ Pr 2 [Bad] (7)   (8) ≤ p1 Pr 1 [Bad] − p2 Pr 2 [Bad] + 1.5ǫq(q − 1)   ≤ Pr[A(τ ) = 1|Bad] Pr 1 [Bad] − Pr 2 [Bad] + 1.5ǫq(q − 1) (9)   (10) ≤  Pr 2 [Bad] − Pr 1 [Bad] + 1.5ǫq(q − 1) ≤ 3ǫq(q − 1). (11) Line (7) follows by the triangle inequality. Lemmas 2 and 3 show that Pr[Bad] ≤ 1.5ǫq(q − 1), which justifies (8). Lemma 1 establishes that p1 = p2 = Pr[A(τ ) = 1|Bad], which justifies (9). We then note that | Pr1 [Bad] − Pr2 [Bad]| = | Pr2 [Bad] − Pr1 [Bad]| ≤ 1.5ǫq(q − 1), to arrive at (10) and then (11). Since the adversary A was ′ , q, s) ≤ 3ǫq(q − 1). arbitrary, it follows that ADVSTPRP (E  let A′ be the adversary attacking E as follows. A′ If A is an adversary attacking E, runs A in its attack but uses its own oracle in LRW mode to supply answers to A’s 600 M. Liskov, R.L. Rivest, and D. Wagner oracle queries. A′ outputs what A outputs. Note that if A makes q queries and runs in s time, then A′ makes q queries and runs in s + q time (the additional q accounts for the hash computations). Note that ADVSPRP (E, A′ ) = | Pr0 [A(τ ) = 1] − Pr1 [A(τ ) = 1]|, and therefore maxA∈Aq,s | Pr0 [A(τ ) = 1] − Pr1 [A(τ ) = 1]| ≤ ADVSPRP (E, q, s + q). The result then follows:       q, s) = max  Pr 0 A(τ ) = 1 − Pr 2 A(τ ) = 1  ADVSTPRP (E, A∈Aq,s      ≤ max  Pr 0 A(τ ) = 1 − Pr 1 A(τ ) = 1  A∈Aq,s      +  Pr 1 A(τ ) = 1 − Pr 2 A(τ ) = 1       ≤ max  Pr 0 A(τ ) = 1 − Pr 1 A(τ ) = 1  A∈Aq,s      + max  Pr 1 A(τ ) = 1 − Pr 2 A(τ ) = 1  A∈Aq,s ′ , q, s) = ADVSPRP (E, q, s + q) + ADVSTPRP (E ≤ ADVSPRP (E, q, s + q) + 3ǫq(q − 1). This completes the proof.  As there are plenty of known constructions of ǫ-AXU2 hash families with ǫ ≈ 1/2n , the security theorem shows that we can obtain a construction with good security against adaptive chosen-ciphertext attacks for up to the birthday bound, i.e., for q ≪ 2n/2 . Efficiency It is harder to estimate the efficiency of the LRW construction, because it is not clear how to compare the computational cost of the block cipher to the cost of the hash functions. However, we expect that LRW mode will be faster than CMT mode in practice. For instance, for t = n = 128, a generalized division hash runs in 300 cycles [36], UMAC/UHASH runs in 200 cycles [10], hash127 runs in 150 cycles [6], and a DFC-style decorrelation module should run in about 200 cycles [19].3 If we compare the best of these to AES, which runs in 237–333 cycles [2], we expect that a version of AES tweaked in this way will run about 45–63% slower than the plain AES. These estimates are conservative: the above hash functions are designed for large input strings, whereas no compression is necessary for this application. Indeed, subsequent work of Rogaway [32] shows that even better performance can be achieved with a more carefully designed hash function. In this construction, changing only the key requires that we rekey the cipher and compute the block cipher. Changing only the tweak requires that we recompute the hash function and the block cipher, but no rekeying is necessary. We expect that changing the tweak will generally be faster than changing the key. For AES, key expansion runs in 3 All estimates are based on a Pentium II class machine and are rough estimates based on speed benchmarks that are not directly comparable. Tweakable Block Ciphers 601 277–374 cycles [15]. Based on our estimates of the cost of hashing, changing the tweak should be faster by about 23–32%.4 Though LRW mode is likely to be faster than CMT mode, LRW mode does require a longer key. However, if a pseudorandom generator can be agreed upon in advance, we can simply use the key of length k as an input to the pseudorandom generator which will enable us to get a longer pseudorandom key that can be used to generate both K and h. This negatively impacts performance, but only when the key of the tweakable block cipher is changed. 3.4. Related Work There are similarities between our constructions and various results in the literature. As is discussed in the proof, the CMT construction is the CBC MAC of the two-block message M ◦ T . The LRW construction bears a similarity to the Luby–Rackoff construction [27] if we think of EK and h as different pseudorandom functions. Even more relevant is the recent work of Naor and Reingold [31], who showed that we can relax the Luby–Rackoff construction by using merely pairwise-independent functions in the first and last rounds and by using a single pseudorandom function (instead of two) in the intervening rounds (in the four-round Luby–Rackoff construction of strong PRPs). We can think of LRW mode as doing this on a message block made up of M and T together, except using a single middle round, but with a pseudorandom permutation instead of a pseudorandom function, and revealing only the second half of the output. It should be noted that in both of these cases what we do is actually slightly different, but they bear enough of a strong resemblance to these prior results that it is worth mentioning the relationship. In fact, it may be possible to view LRW mode as a strengthening of Naor and Reingold’s result. In a sense we modify the Feistel-type construction by outputting only one side of it, which we assume is accompanied by T , and yet show that this still gives a pseudorandom permutation. Both our constructions use an underlying block cipher in a black-box way. Thus, in a sense, we are providing a mechanism to take a random permutation oracle and create a pseudorandom permutation family oracle. In a way this is like getting many permutation oracles for the price of one: we simply think of the one permutation oracle as a random permutation and apply a tweakable block cipher general construction, and we get a whole family of pseudorandom permutations. This has been studied previously; for instance, Black and Rogaway [11] prove that having two independent random permutation oracles is indistinguishable from having Π(·) and Π(K ⊕ ·) where K is a secret value. Our work can be seen as an improvement that provides a whole family of independent random permutations from a single one. 4. Tweakable Modes of Operation We claim that it is easier to design and prove the security of applications using the tweakable block cipher abstraction. In evidence of this, we present three tweakable 4 Specifically, 23% for 192-bit keys (150 + 286 vs. 277 + 286 cycles), 29% for 128-bit keys (150 + 237 vs. 305 + 237 cycles), and 32% for 256-bit keys (150 + 333 vs. 374 + 333 cycles). 602 M. Liskov, R.L. Rivest, and D. Wagner modes of operation, with proofs of security for each. In all three cases, we do not suggest that the tweakable mode is superior to existing modes of operation. We stress that these modes should be taken primarily as a demonstration of the conceptual advantages gained by working with tweakable block ciphers. However, our third tweakable mode is of independent interest as it is a generalization of OCB mode [33] and because of its very tight reduction, relative to the tweakable block cipher it uses. 4.1. Tweak Chaining (TC) Tweak block chaining (TC) is a symmetric encryption mode modeled after cipher block chaining (CBC). An initial tweak T0 plays the role of the initialization vector (IV) for CBC. Each successive message block Mi is encrypted under the encryption key K and a tweak Ti−1 , where Ti = Ci for i > 0. The final ciphertext is (T0 , C1 ◦ · · · ◦ Cl ). See Fig. 2. K (T0 , C1 ) and Mi = D K (Ci−1 , Ci ) for i > 1. To decrypt, we compute M1 = D To handle messages whose length is greater than n but not a multiple of n, a variant of ciphertext-stealing [34] can be used; see Fig. 3. One can also adapt the TC construction to make a TC-MAC in the same manner that one can use the CBC construction to make a CBC-MAC, though these constructions still need a security analysis. Chosen-plaintext security for a symmetric encryption scheme is defined in terms of the maximum advantage an adversary can achieve in distinguishing one of two mes- Fig. 2. Tweak chaining: a symmetric encryption mode for a tweakable block cipher. Each ciphertext becomes the tweak for the next encryption. Note that to decipher a block, one needs only the key, Ci , and Ci−1 , so decryption can be done in parallel. Fig. 3. (a) Ciphertext stealing for tweak chaining handles messages whose length is at least n bits long but not a multiple of n. Let r denote the length of the last (short) block Mm of the message. Then |Cm | = |Mm | = r and |C ′ | = n − r. Here X denotes the rightmost n − r bits of Cm−2 (or of T0 if m = 2). (b) A similar technique is used to handle similar messages in tweak incrementation encryption mode. Tweakable Block Ciphers 603 sages, under a chosen plaintext attack. Formally, define  ADVIND-CPA (E, A) = Pr K ← {0, 1}k ; (m0 , m1 ) ← AEK ; b ← {0, 1};    1 b′ ← AEK EK (mb ) : b′ = b and |m0 | = |m1 | − 2 and define ADVIND-CPA (E, q, s) = max ADVIND-CPA (E, A), A∈Aq,s where Aq,s is the set of all algorithms A that make queries with at most q blocks of input and run in at most s time.  in TC mode, then Theorem 4. If E is the symmetric encryption system made from E  q, s) + ADVIND-CPA (E, q, s) ≤ ADVTPRP (E, q2 − q . 2n+1 Proof. Conceptually, the proof is very simple. If E were implemented with a random  then the adversary would be unable to get any adpermutation family instead of E, vantage unless some tweak is used more than once, which happens with probability q 2 −q . Thus, the maximum advantage is bounded by this probability plus the maximum 2n+1  from Π . advantage in distinguishing E ′  in TC mode. Then Let E be the symmetric encryption system made from Π ADVIND-CPA (E, q, s) = ADVIND-CPA (E ′ , q, s) + ADVIND-CPA (E, q, s) − ADVIND-CPA (E ′ , q, s)  ≤ ADVIND-CPA (E ′ , q, s) + ADVIND-CPA (E, q, s)  − ADVIND-CPA (E ′ , q, s)  q, s). ≤ ADVIND-CPA (E ′ , q, s) + ADVTPRP (E, This last step is due to the natural “simulating” reduction. Namely, if A is an adversary attacking the IND-CPA property of its target, we can construct an A′ that attempts  from Π . A′ runs A in its attack and answers queries by using its own to distinguish E oracle run in TC mode; A′ outputs whatever A outputs. A′ makes the same number of queries and runs in the same time as A. Thus, it remains only to determine ADVIND-CPA (E ′ , q, s). Let A be an adversary that attacks E ′ and makes queries with q total blocks. Define Bad to be the event that E ′ ever 2 −q  with some tweak more than once. We have Pr[Bad] ≤ q n+1 . Furthermore, invokes Π 2 note that A gets no advantage at all if Bad holds: since every tweak used is distinct, the ciphertext given to A is random and independent of b. Therefore, ADVIND-CPA (E ′ , q, s) ≤ q 2 −q , which proves the theorem.  2n+1 If making a tweakable block cipher requires even one extra XOR, the performance of CBC mode is the same or better than the performance of TC mode. Again, we stress 604 M. Liskov, R.L. Rivest, and D. Wagner that TC mode is given to illustrate the conceptual simplicity of proofs for tweakable modes of operation. 4.2. Tweak Incrementation Encryption (TIE) Another symmetric encryption scheme is “tweak incrementation encryption” mode (or TIE for short) which is meant to be similar to CTR mode for block ciphers [1,35,37]. In TIE mode, the message is divided into message blocks M0 , . . . , Mm . An initial tweak  + i, Mi ), IV is generated, and each ciphertext block is generated as follows: Ci = E(IV t where IV + i refers to simply adding i to IV modulo 2 . See Fig. 4. This mode was suggested by Schroeppel in his presentation of the Hasty Pudding Cipher. The proof that TIE mode is secure is extremely similar to the proof that TBC mode is secure, but even more simple. In “state-preserving” TIE mode, IV is chosen to be 0 for the first message, and subsequent IV values are chosen to be the next value that has not yet been used as the tweak. This requires the user to maintain a state that keeps track of which IV to use next.  in (state-preserving) Theorem 5. If E is the symmetric encryption system made from E TIE mode, then if q < 2t ,  q, s). ADVIND-CPA (E, q, s) ≤ ADVTPRP (E,  in TIE mode, then Proof. If E ′ is the symmetric encryption system made from Π ′  ADVIND-CPA (E, q, s) ≤ ADVIND-CPA (E , q, s) + ADVTPRP (E, q, s), as we established in our proof of Theorem 4.5 Furthermore, ADVIND-CPA (E ′ , q, s) = 0, because in the statepreserving version of TIE mode, no tweak is ever repeated if fewer than 2t total queries are made. Therefore, every block of output is an independent random string of length n, and the encryption of mb is random and independent of b.  In “non-state-preserving” TIE mode, IV is chosen randomly for each message. Fig. 4. Tweak incrementation encryption: a mode of operation for tweakable block ciphers to produce secure symmetric encryption. The initial tweak IV is chosen randomly (or sequentially) and incremented by 1 for each successive block. 5 We again use the natural simulating reduction; this time, A′ uses its oracle in state-preserving TIE mode. Again, A′ runs in s time and makes q queries. Tweakable Block Ciphers 605  in (non-stateTheorem 6. If E is the symmetric encryption system made from E t preserving) TIE mode, then if q < 2 ,  q, s) + ADVIND-CPA (E, q, s) ≤ ADVTPRP (E, q2 − q . 2n+1  q, s)+ Proof. The proof of Theorem 5 shows that ADVIND-CPA (E, q, s) ≤ ADVTPRP (E, Pr[Bad], where Bad is the event that the queries A makes cause E to use a tweak more than once. (For the state-preserving version of TIE mode, Pr[Bad] = 0.) 2 −q . Pr[Bad] is maximized when A queries E on one-block mesHere, Pr[Bad] ≤ q2n+1 sages. In that case, the ith block has at most an i − 1/2n chance of having a repeated tweak. If message blocks are longer, this probability is decreased for subsequent blocks, to i ′ /2n , where i ′ is the number of full messages (rather than message blocks) queried to E before the current query. 2 −q  q, s) + q n+1 Therefore, ADVIND-CPA (E, q, s) ≤ ADVTPRP (E, .  2 The advantages of TIE mode are similar to the advantages of CTR mode: for instance, blocks can be deciphered in parallel and online. Also, some work has been done by Rogaway in optimizing tweakable block ciphers when the tweak is changed in predictable ways [32]; such techniques may be applicable here. However, CTR mode allows the sender to precompute the keystream needed for encryption; TIE cannot support that optimization. Again, TIE mode is less efficient than CTR mode and is given as an example of a conceptually simple proof for a tweakable mode of operation. 4.3. Tweakable Authenticated Encryption (TAE) In this section we suggest an authenticated mode of encryption (TAE) based on the use of a tweakable block cipher. This mode can be viewed as a paraphrase or restatement of the architecture of the OCB (offset codebook) mode proposed by Rogaway et al. [33], modified to utilize tweakable block ciphers rather than DESX-like modules. The result is shown in Fig. 5. The OCB paper goes to considerable effort to analyze the probability that various encryption blocks all have distinct inputs. We feel that a tweakable mode such as TAE Fig. 5. TAE mode: Authenticated encryption based on a tweakable block cipher. 606 M. Liskov, R.L. Rivest, and D. Wagner should be much simpler to analyze, since the use of tweaks obviates this concern. We will give a fairly easy proof that a tweakable block cipher used in TAE mode gives all the security properties claimed for OCB mode. Following Rogaway et al., an authenticated encryption system involves two algorithms, AE and AD. AE (authenticated encryption) takes as input a key K of length k, a message M of length ≥ n, a nonce N , and a parameter 1 ≤ τ ≤ n, and outputs a ciphertext of length |M| and a tag of length τ . AD (verification and decryption) takes as input a key K of length k, a ciphertext C, a nonce N , and a tag tag, and outputs either a message M of length |C|, or ⊥, the latter signifying that the authentication check failed. As before, we refer to AE K and ADK for the sake of simplicity, when the key is fixed. Adversaries are assumed to be “nonce-respecting,” meaning that while the adversary has the ability to choose the nonce, the adversary does not make more than one query with the same nonce. Informally, the security requirements are [33]: – Pseudorandomness. To any adversary, the output of OCB mode is pseudorandom. In other words, no adversary can distinguish between an OCB mode oracle and a random oracle that outputs messages of the correct length. – Unforgeability. Any adversary, with the ability to obtain authenticated encryptions of chosen values from an oracle, can forge a new valid encryption with probability at worst negligibly greater than 2−τ . Formally, we define      ADVPRF (AE, A) =  Pr K ← {0, 1}k ; b ← AAE K : b = 1 − Pr b ← AR : b = 1  and ADVPRF (AE, q, q ′ , s) = max ADVPRF (E, A), A∈Aq,q ′ ,s where R is a function that on input (M, N, τ ) outputs a random string of length |M| + τ , and where Aq,q ′ ,s is the set of all nonce-respecting algorithms that run in s time and make at most q queries with a total of at most q ′ blocks. We also define  ADVFRG (AE, A, τ ) = Pr K ← {0, 1}k ; (C, N, tag) ← AAE K :  ADK (C, N, tag) =⊥ ∧|tag| ≥ τ ∧ (C, N) ∈ / Out − 2−τ and ADVFRG (AE, q, q ′ , s) = max A∈Aq,q ′ ,s ,1≤τ ≤n ADVFRG (AE, A, τ ), where Out is the list of pairs (C, N) for which some (C, N, tag) was an output of the EK oracle. TAE Mode Now we describe the methods of TAE mode. Algorithm AE(K, M, N, τ ): for i = 1 to m − 1 do Zi = N ◦ i ◦ 0 Tweakable Block Ciphers 607 K (Zi , Mi ) Ci = E Zm = N ◦ m ◦ 0 if |Mm | = n then K (Zm , Mm ) Cm = E else K (Zm , |Mm |) C=E Cm = (C||Mm | ) ⊕ Mm Z0 = N ◦ |M| ◦ 1 K (Z0 , M1 ⊕ · · · ⊕ Mm ) C0 = E tag = C0 |τ return (C1 ◦ · · · ◦ Cm , tag) Algorithm AD(K, C, N, tag): for i = 1 to m − 1 do Zi = N ◦ i ◦ 0 K (Zi , Ci ) Mi = E Zm = N ◦ m ◦ 0 if |Cm | = n then K (Zm , Cm ) Mm = E else K (Zm , |Cm |) C=E Mm = (C||Cm | ) ⊕ Cm Z0 = N ◦ |C| ◦ 1 K (Z0 , M1 ⊕ · · · ⊕ Mm ) C0 = E if tag == C0 ||tag| then return M1 ◦ · · · ◦ Mm else return ⊥ See Fig. 5 for further illustration. τ must be in the range 1 ≤ τ ≤ n. Here, M is assumed to be broken into m blocks M1 , . . . , Mm , of which the first m − 1 are all of size n, and the last is of size at most n but at least 1. C is likewise broken into blocks C1 , . . . , Cm . We use the notation A|k to denote the k least significant bits of A. When computing M1 ⊕ · · · ⊕ Mm , we presume that Mm , if less than n bits, will be padded with 0s. We now prove that TAE mode satisfies these properties.  used in TAE mode and if E  is a secure tweakable block cipher, Theorem 7. If AE is E then AE is pseudorandom, and  q + q ′ , s + q ′ ). ADVPRF (AE, q, q ′ , s) ≤ ADVTPRP (E,  in Proof. Let AE ′ refer to the authenticated encryption scheme we obtain by using Π TAE mode. 608 M. Liskov, R.L. Rivest, and D. Wagner To prove that TAE mode is pseudorandom, we note that no tweak is ever repeated when the adversary is nonce-respecting. Therefore, ADVPRF (AE ′ , q, q ′ , s) = 0: the output of each tweakable block cipher is independent and random, so the entirety of AE ′ is random, just as it would be for R. Therefore, ADVPRF (AE, q, q ′ , s) = ADVPRF (AE, q, q ′ , s) − ADVPRF (AE ′ , q, q ′ , s). If A is an adversary attacking the pseudorandomness of AE or AE ′ , we can construct an adversary A′ that attacks the underlying tweakable block cipher as follows. A′ runs A in its attack on TAE mode, but A′ responds to the oracle queries A makes by using its own oracle in TAE mode. A′ outputs whatever A outputs. When A makes q ′ total queries of q total blocks, A′ makes q + q ′ queries to its oracle: one for each block and an additional one per query for the tag. A′ runs in time s + q ′ , as A′ need only assemble and make the tweakable block cipher queries. Thus we have |ADVPRF (E, q, q ′ , s) −  q + q ′ , s + q ′ ). Thus, ADVPRF (E ′ , q, q ′ , s)| ≤ ADVTPRP (E, ADVPRF (E, q, q ′ , s) = ADVPRF (E, q, q ′ , s) − ADVPRF (E ′ , q, q ′ , s)   ≤ ADVPRF (E, q, q ′ , s) − ADVPRF (E ′ , q, q ′ , s) which completes the proof.  q + q ′ , s + q ′ ), ≤ ADVTPRP (E,   used in TAE mode and if E  is a strong tweakable block cipher, Theorem 8. If AE is E 6 then AE is unforgeable. Formally, 3  s + q + q ′ + 1, 2s + q ′ + 1) + . ADVFRG (AE, q, q ′ , s) ≤ ADVSTPRP (E, 2n+1 − 2  run in TAE mode. Proof. As before, AE ′ is defined to be Π Lemma 4. ADVFRG (AE ′ , q, q ′ , s) ≤ 2n+13 −2 . Proof. We define two types of forgeries. A type-1 forgery is a forgery for which either (1) A outputs (C, N, tag) where N is a nonce that A never used in a query, or (2) A outputs (C, N, tag) where N is a nonce used in a prior query (M ′ , N, τ ) made by A where |M ′ | = |C|. A type-2 forgery is a forgery for which A outputs (C, N, tag) where N is a nonce used in a prior query (M ′ , N, τ ) for which |M ′ | = |C| but for which the result of the prior query did not produce C as the ciphertext. Successful forgeries will always be of one of these two types. For type-1 forgeries, the value Z0 used to validate the adversary’s forgery will be a tweak value never used before. Therefore, the correct tag will be a random string of length τ , so the probability that the forgery is successful is 2−τ . For type-2 forgeries, there are two subcases. If (C, N, tag) is the adversary’s output, let M be the message C encrypts (that is, what AD would output if the tag were correct), 6 Note that in [26] we incorrectly claimed that TAE mode is secure without requiring that E  be strong. Thanks to Wang Peng for pointing out this error. Tweakable Block Ciphers 609 let M ′ be the message used in the prior query involving N , and let (C ′ , tag′ ) be the output of that query. We define an event Bad, which occurs when the adversary gives ′ = M ⊕ · · · ⊕ M . If Bad does not occur in a type-2 output in which M1′ ⊕ · · · ⊕ Mm 1 m n−τ a type-2 forgery, tag will be correct with probability at most 22n −1 . In such a case, the checksum is distinct, and therefore C0 is equally likely to be any value other than the value used to generate tag′ . At most 2n−τ values can lead to tag. Note that 2n−τ 2n −τ −τ − 2 −1 = 2 2n − 1 2n − 1 1 2n − 1 1 . ≤ n+1 2 −2 = 2−τ If Bad occurs, tag will be correct if tag = tag′ . However, the probability that Bad occurs in a type-2 forgery is very small. Since C = C ′ , let Ci be the last ciphertext block for which there is a difference. If i < m, the probability that the checksums collide is at most 2n1−1 : we can think of all the blocks Mj for i = j being calculated first, and then there are 2n − 1 equally likely results for Mi , each of which leads to a different checksum. If i = m, let Ci ′ be the second-last such block, and the same argument applies. If Cm is the only block that differs, the checksums cannot collide. Thus, the probability that Bad occurs for a type-2 forgery is at most 2n1−1 . Let Ev denote the event that the adversary creates a successful forgery. Let Ev1 denote the event that the adversary has a type-1 output, and let Ev2 denote the event that the adversary has a type-2 output. Then for any A, ADVFRG (AE ′ , A, τ ) = Pr[Ev] − 2−τ = Pr[Ev|Ev1 ] Pr[Ev1 ] + Pr[Ev|Ev2 ] Pr[Ev2 ] − 2−τ ≤ Pr[Ev|Ev1 ] Pr[Ev1 ] + Pr[Ev|Ev2 ] Pr[Ev2 ]   − 2−τ Pr[Ev1 ] + Pr[Ev2 ] = (Pr[Ev|Ev2 ] − 2−τ ) Pr[Ev2 ] ≤ Pr[Ev|Ev2 ] − 2−τ = Pr[Ev|Ev2 , Bad] Pr[Bad] + Pr[Ev|Ev2 , Bad] Pr[Bad] − 2−τ ≤ Pr[Ev|Ev2 , Bad] + Pr[Bad] − 2−τ = Pr[Ev|Ev2 , Bad] − 2−τ + Pr[Bad] 1 1 + 2n+1 − 2 2n − 1 3 , = n+1 2 −2 ≤ 610 M. Liskov, R.L. Rivest, and D. Wagner and therefore ADVFRG (AE ′ , q, q ′ , s) ≤ 3 . 2n+1 −2 This completes the proof of the lemma.  If A is a forging adversary, we can construct an adversary A′ that attacks the underlying tweakable block cipher as follows. A′ uses its (encryption) oracle in TAE mode to answer queries for A. When A returns an output, A′ uses its oracles to run the TAE decryption procedure on A’s output. If the result is ⊥, A outputs 1, otherwise A outputs 0. The number of queries made by A′ is q + q ′ + r + 1 where r is the number of blocks in the output of A. The time A′ takes to run is at most s + q ′ + r + 1. Since r ≤ s, we observe that A′ runs in time at most 2s + q ′ + 1 and makes at most s + q +  A′ ) = |ADVFRG (AE, A) − ADVFRG (AE ′ , A)|, q ′ + 1 queries. Note that ADVSTPRP (E, ′  and thus ADVSTPRP (E, s + q + q + 1, 2s + q ′ + 1) ≤ |ADVFRG (AE, q, q ′ , s) − ADVFRG (AE ′ , q, q ′ , s)|. Therefore, ADVFRG (AE, q, q ′ , s) = ADVFRG (AE ′ , q, q ′ , s) + (ADVFRG (AE, q, q ′ , s) − ADVFRG (AE ′ , q, q ′ , s) ≤ ADVFRG (AE ′ , q, q ′ , s)   + ADVFRG (AE, q, q ′ , s) − ADVFRG (AE ′ , q, q ′ , s) ≤ ADVFRG (AE ′ , q, q ′ , s)  s + q + q ′ + 1, 2s + q ′ + 1) + ADVSTPRP (E,  s + q + q ′ + 1, 2s + q ′ + 1) + ≤ ADVSTPRP (E, which completes the proof of Theorem 8. 3 , 2n+1 − 2  Remarks. It is interesting to note that the construction loses nothing in terms of its pseudorandomness advantage compared to the advantage of the tweakable block cipher. Furthermore, in terms of its forging advantage, TAE mode loses a negligible amount of advantage, regardless of the adversary’s power! This is somewhat remarkable and helps to emphasize our main point that tweakable block ciphers may be the most natural and useful construct for designing higher-level modes of operation. What is more, we note  TAE mode is very similar to OCB mode. One that if we use LRW mode to instantiate E, critical difference is that OCB mode (essentially) derives its choice of h from the key K, whereas our construction would require h to be additional key information (though, as we commented, we could derive h from K as part of that construction in order to reduce the key size). Also, OCB mode uses a Gray code to fine-tune efficiency, which we do not. However, our proof is significantly shorter and simpler than the original proof for OCB mode, which further strengthens our point that tweakable block ciphers are the right primitive for this kind of task. Indeed, Rogaway revisited OCB mode in his Asiacrypt 2004 paper [32]. In that result, among other improvements, the proof was much simpler, thanks in part to Rogaway’s use of the tweakable block cipher abstraction. Tweakable Block Ciphers 611 5. Conclusions The notion of tweakable block ciphers allows one to “repartition” many cryptographic design problems into two parts: designing good tweakable block ciphers and designing good modes of operation based on tweakable block ciphers. We feel that this repartitioning is likely to be more useful and fruitful than the usual structure, since certain issues (e.g., having to do with collisions, say) can be handled once and for all at the lower level and can then be ignored at the higher levels, instead of having to be dealt with repeatedly at the higher levels. We feel that the notions of a tweakable block cipher and modes of operation based upon on tweakable block ciphers are interesting and worthy of further study. One advantage of this framework is the new division of issues between design and analysis of the underlying primitive and the design and analysis of the higher-level modes of operation. We feel that the new primitive may result in a more fruitful partition. Acknowledgements We would like to thank Mihir Bellare, Burt Kaliski, Tadayoshi Kohno, Wang Peng, Zulfikar Ramzan, Matthew Robshaw, Rich Schroeppel, and the anonymous reviewers for helpful discussions and comments. David Wagner was supported by the National Science Foundation (NSF CCF-0424422). Open Access This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited. References [1] American National Standards Institute (ANSI). American National Standard for Information Systems– Data Encryption Algorithm–Modes of Operation (1983) [2] K. Aoki, H. Lipmaa, Fast implementations of AES candidates, in Third AES Candidate Conference, April 2000 [3] M. Bellare, J. Killian, P. Rogaway, The security of cipher block chaining message authentication code. JCSS 61(3), 362–399 (2000) [4] M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. Full version, available at http://www-cse.ucsd.edu/users/mihir/papers/rka.html [5] M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—EUROCRYPT 2003, ed. by E. Biham. Lecture Notes in Computer Science (Springer, Berlin, 2003), pp. 491–506 [6] D.J. Bernstein, Floating-point arithmetic and message authentication, March 2000. Unpublished manuscript. Available at http://cr.yp.to/papers.html#hash127 [7] E. Biham, New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994) [8] E. Biham, A. Biryukov, How to strengthen DES using existing hardware, in Proceedings ASIACRYPT ’94. Lecture Notes in Computer Science, vol. 917 (Springer, Berlin, 1994), pp. 398–412 [9] J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions, in Advances in Cryptology—EUROCRYPT 2005, ed. by R. Cramer. Lecture Notes in Computer Science (Springer, Berlin, 2005), pp. 526–541 612 M. Liskov, R.L. Rivest, and D. Wagner [10] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: Fast and secure message authentication, in Proceedings CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 216–233 [11] J. Black, P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions. J. Cryptol. 18(2), 111–131 (2005) [12] D. Chakraborty, P. Sarkar, A general construction of tweakable block ciphers and different modes of operations, in Inscrypt 2006—Information Security and Cryptography, Second SKLOIS Conference. Lecture Notes in Computer Science, vol. 4318 (Springer, Berlin, 2006), pp. 88–102 [13] P. Crowley, Mercy: A fast large block cipher for disk sector encryption, in Fast Software Encryption: 7th International Workshop. Lecture Notes in Computer Science, vol. 1978 (Springer, Berlin, 2000), pp. 49–63. Also available at: www.ciphergoth.org/crypto/mercy [14] J. Daemen, Limitations of the Even–Mansour construction, in Proceedings ASIACRYPT ’91. Lecture Notes in Computer Science, LNCS, vol. 739 (Springer, Berlin, 1991), pp. 495–499 [15] J. Daemen, V. Rijmen, AES proposal: Rijndael. Available at http://www.nist.gov/aes. August (1998) [16] S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–161 (1997) [17] S. Fluhrer, Cryptanalysis of the Mercy block cipher, in Fast Software Encryption, 8th International Workshop, ed. by M. Matsui. Lecture Notes in Computer Science, vol. 2355 (Springer, Berlin, 2002), pp. 28–36 [18] D. Goldenberg, S. Hohenberger, M. Liskov, H. Seyalioglu, E.C. Schwartz, On tweaking Luby–Rackoff blockciphers, in Advances in Cryptology—ASIACRYPT 2007. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 342–356 [19] L. Granboulan, P. Nguyen, F. Noilhan, S. Vaudenay, DFCv2, in Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 2012 (Springer, Berlin, 2001), pp. 57–71 [20] S. Halevi, EME*: Extending EME to Handle Arbitrary-Length Messages with Associated Data, in INDOCRYPT, ed. by A. Canteaut, K. Viswanathan. Lecture Notes in Computer Science, vol. 3348 (Springer, Berlin, 2004), pp. 315–327 [21] S. Halevi, P. Rogaway, A tweakable enciphering mode, in Advances in Cryptology: CRYPTO 2003, ed. by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 482–429 [22] S. Halevi, P. Rogaway, A parallelizable enciphering mode, in Topics in Cryptology, CT-RSA 2004. LNCS, vol. 2964 (Springer, Berlin, 2004), pp. 292–304 [23] C. Jutla, Encryption modes with almost free message integrity, in Advances in Cryptology— EUROCRYPT 2001, ed. by B. Pfitzmann. Lecture Notes in Computer Science, vol. 2045 (Springer, Berlin, 2001) [24] J. Kilian, P. Rogaway, How to protect DES against exhaustive search (an analysis of DESX), in Proceedings CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 252–267. See http://www.cs.ucdavis.edu/rogaway/papers/desx.ps for an updated version [25] M. Liskov, New tools in cryptography: Mutually independent commitment, tweakable block ciphers, and plaintext awareness via key registration. Ph.D. Thesis, MIT Laboratory for Computer Science (2004) [26] M. Liskov, R. Rivest, D. Wagner, Tweakable block ciphers, in Advances in Cryptology—CRYPTO 2002, ed. by M. Yung. Lecture Notes in Computer Science (Springer, Berlin, 2002), pp. 31–46 [27] M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, in Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, Berkeley, California, 28–30 May 1986 [28] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1997) [29] K. Minematsu, Improved security analysis of XEX and LRW modes, in Selected Areas in Cryptography—SAC 2006. Lecture Notes in Computer Science, vol. 4356 (Springer, Berlin, 2006), pp. 96–113 [30] R. Morris, K. Thompson, Password security: A case history. Commun. ACM 22(11), 594–597 (1979) [31] M. Naor, O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited. J. Cryptol. 12, 29–66 (1999). Extended abstract in Proc. 29th Annual ACM STOC (1997), pp. 189–199 [32] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in Advances in Cryptology—ASIACRYPT 2004, Jeju Island, Korea, 5–9 December 2004, ed. by P.J. Lee. Lecture Notes in Computer Science, vol. 3329 (Springer, Berlin, 2004) Tweakable Block Ciphers 613 [33] P. Rogaway, M. Bellare, J. Black, T. Krovetz, A block-cipher mode of operation for efficient authenticated encryption, in Eighth ACM Conference on Computer and Communications Security (CCS-8) (ACM, New York, 2001), pp. 196–205. See http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-doc.htm [34] B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C (Wiley, New York, 1996) [35] R. Schroeppel, The Hasty Pudding Cipher. NIST AES proposal, available at http://www.cs.arizona.edu/ ~rcs/hpc/ (1998) [36] Victor Shoup, On fast and provably secure message authentication based on universal hashing, in Proceedings CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 313– 328 [37] US Department of Commerce National Bureau of Standards. DES modes of operation (1980). Federal Information Processing Standards Publication 81