J. Cryptol.

(2011) 24: 588–613

DOI: 10.1007/s00145-010-9073-y

Tweakable Block Ciphers

Moses Liskov
Computer Science Department, The College of William and Mary, Williamsburg, VA 23187, USA
[email protected]

Ronald L. Rivest
Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge,
MA 02139, USA
[email protected]

David Wagner
University of California Berkeley, Soda Hall, Berkeley, CA 94720, USA
[email protected]

Communicated by Mihir Bellare

Received 28 July 2005

Online publication 2 September 2010

Abstract. A common trend in applications of block ciphers over the past decades has
been to employ block ciphers as one piece of a “mode of operation”—possibly, a way
to make a secure symmetric-key cryptosystem, but more generally, any cryptographic
application. Most of the time, these modes of operation use a wide variety of tech-
niques to achieve a subgoal necessary for their main goal: instantiation of “essentially
different” instances of the block cipher.
We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher
has not only the usual inputs—message and cryptographic key—but also a third input,
the “tweak.” The tweak serves much the same purpose that an initialization vector does
for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature
down to the primitive block-cipher level, instead of incorporating it only at the higher
modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to
design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is
easier to design and prove the security of applications of block ciphers that need this
variability using tweakable block ciphers.
Key words. Block ciphers, Tweakable block ciphers, Initialization vector, Modes of
operation, Pseudorandomness.

1. Introduction

A conventional block cipher takes two inputs—a key K ∈ {0, 1}k and a message (or
plaintext) M ∈ {0, 1}n —and produces a single output—a ciphertext C ∈ {0, 1}n . The

© The Author(s) 2010. This article is published with open access at Springerlink.com
Tweakable Block Ciphers 589

Fig. 1. (a) Standard block cipher encrypts a message M under control of a key K to yield a ciphertext C.
(b) Tweakable block cipher encrypts a message M under control of not only a key K but also a “tweak” T
to yield a ciphertext C. The “tweak” can be changed quickly and can even be public. (c) Another way of
representing a tweakable block cipher; here the key K shown inside the box.

signature for a block cipher is thus (see Fig. 1(a)):

E : {0, 1}k × {0, 1}n → {0, 1}n . (1)

The corresponding operators for variable-length symmetric-key encryption have a

different signature. They take as input a key K ∈ {0, 1}k , an initialization vector (or
nonce) V ∈ {0, 1}v , and a message M ∈ {0, 1}∗ of arbitrary length, and produce as out-
put a ciphertext C ∈ {0, 1}∗ . The signature for a typical encryption mode is thus

E : {0, 1}k × {0, 1}v × {0, 1}∗ → {0, 1}∗ .

These operators are usually called “modes of operation” for a block cipher, but
this terminology is confusing: these “modes of operation” are actually the encryption
schemes (and other primitives) we really care about, and block ciphers are an underlying
primitive.
Block ciphers (pseudorandom permutations) are inherently deterministic: every en-
cryption of a given message with a given key will be the same. Many modes of operation
and other applications using block ciphers have a requirement for “essentially different”
instances of the block cipher in order to prevent attacks that operate by, say, permuting
blocks of the input. Attempts to resolve the conflict between keeping the same key for
efficiency and yet achieving variability often results in a design that uses a fixed key,
but which attempts to achieve variability by manipulating the input before encryption,
the output after encryption, or both. Such designs seem inelegant—they are attempting
to solve a problem with a primitive (a basic block cipher) that is not well suited for the
problem at hand. It would be better to rethink what primitives are really ideal for such a
problem.
We propose to revise the notion of a block cipher so that it contains a mechanism for
variability as well. The revised primitive, which we call a tweakable block cipher, has
the signature
 : {0, 1}k × {0, 1}t × {0, 1}n → {0, 1}n .
E (2)
For this operator, we call the new (second) input a “tweak” rather than a “nonce” or
“initialization vector,” but the intent is similar. A tweakable block cipher thus takes
590 M. Liskov, R.L. Rivest, and D. Wagner

three inputs—a key K ∈ {0, 1}k , a tweak T ∈ {0, 1}t , and a message (or plaintext) M ∈
{0, 1}n —and produces as output a ciphertext C ∈ {0, 1}n (see Fig. 1(b)).
In designing a tweakable block cipher, we have certain goals. We want any tweakable
block ciphers we design to be as efficient as possible. Furthermore, we expect tweaks to
be changed frequently, so a tweakable block cipher should have the property that chang-
ing the tweak should be efficient. For tweakable block ciphers built from block ciphers,
this means that changing the tweak should not make it necessary to rekey the block ci-
pher. And, for any tweakable block cipher, changing the tweak should be less costly than
changing the key.1 Some cryptographic modes of operation such as the Davies–Meyer
hash function (see Menezes et al. [28, Sect. 9.4]) have fallen into disfavor because they
have a feedback path into the key input of the block cipher. See, for example, the dis-
cussion by Rogaway et al. [33] explaining the design rationale for the OCB mode of
operation, which uses the same cryptographic key throughout.
A tweakable block cipher should also be secure, meaning that even if an adversary
has control of the tweak input, we want the tweakable block cipher to remain secure.
We will define what this means more precisely later on. Intuitively, each fixed setting of
the tweak should give rise to a different, apparently independent, standard block cipher
encryption operator. We wish to carefully distinguish between the function of the key,
which is to provide uncertainty to the adversary, and the role of the tweak, which is
to provide variability. The tweak is not intended to provide additional uncertainty to an
adversary, and even keeping the tweak secret need not provide any greater cryptographic
strength.
The point of this paper is to suggest that by cleanly separating the roles of crypto-
graphic key (which provides uncertainty to the adversary) from that of the tweak (which
provides independent variability) we may have just the right tool for many cryptographic
purposes.

1.1. Prior and Related Work

We are not the first to propose adding an additional input to a block cipher for variability.
Rich Schroeppel proposed the Hasty Pudding Cipher (HPC) [35] in the competition for
the Advanced Encryption Standard; this cipher utilized a non-key parameter, called the
“spice”, described as a “secondary key which need not be concealed,” and notes that “the
spice can be changed very cheaply for each block encrypted.” Schroeppel discussed a
number of motivations and potential advantages for such an additional input, such as the
ability to perform parallel encryption of multiple blocks. To the best of our knowledge,
HPC was the first block cipher to utilize such an auxiliary parameter. We note that
the security requirements for a tweakable block cipher as proposed in this paper are
stronger than the corresponding ones for HPC, since a tweakable block cipher should be
secure against a “chosen tweak attack,” while Schroeppel cautions that security against
a “chosen spice attack” is unknown.
Paul Crowley later proposed the Mercy cipher [13] for disk sector encryption; this
cipher includes a 128-bit randomizer or “spice” (he notes Schroeppel’s prior work and
terminology). Crowley gives as a security goal for Mercy that “any procedure for distin-
guishing Mercy encryption from a sequence of 2128 independent random permutations
K (T , M), it should be more efficient to compute
1 More precisely, it is a goal that after computing E
K (T  , M  ) than to compute E
E K  (T , M  ).
Tweakable Block Ciphers 591

(for the 2128 possible spices) should show no more bias towards correctness than a key
guessing attack with the same work factor.” His security requirement is thus very close
to what is proposed in this paper for a basic tweakable block cipher; our definition of
strong security for a tweakable block cipher extends this initial notion by giving the
attacker access to a decryption oracle as well as an encryption oracle. Mercy was later
broken [17].
On the application side, there are many examples of prior work that have apparent
modules for variability in the constructions. The following are some key examples, but
not an exhaustive list.
One motivating example for the introduction of tweakable block ciphers is the DESX
construction introduced by Rivest (unpublished). The reason for introducing DESX was
to cheaply provide additional key information for DES. The security of DESX has been
analyzed by Kilian and Rogaway [24]; they show that DESX with n-bit inputs (and
tweaks) and k-bit keys has an effective key-length of k + n − 1 − lg m where the ad-
versary is limited to m oracle calls. In the DESX construction secret pre- and post-
whitening values were added as additional key information. In a similar vein, Biham
and Biryukov [8] suggest strengthening DES against exhaustive search by (among other
things) applying a DESX-like construction to each of DES’s S-boxes.
Even and Mansour [16] have also investigated a similar construction where the inner
encryption operator F is fixed and public, and encryption is performed by EK1 K2 (M) =
K2 ⊕ F (K1 ⊕ M). They show (see also Daemen [14]) that the effective key length
here is n − lg l − lg m where the adversary is allowed to make l calls to the encryp-
tion/decryption oracles and m calls to an oracle for F or F −1 .
Similarly, if one looks at the internals of the recently proposed “offset codebook
mode” (OCB mode) of Rogaway et al. [33] and the work of Jutla [23], one sees DESX-
like modules that may also be viewed as instances of a tweakable block ciphers. That is,
the pre- and post-whitening operations are essentially there to provide distinct families
of encryption operators, i.e., they are “tweaked.” OCB mode was also a motivating
example for us because of the complexity and difficulty of its proof of security [33].
Beyond the domain of block cipher design and analysis, it is worth noting the sim-
ilarity of the tweakable block cipher idea to the idea of salts in the hashing of Unix
passwords [30]; each distinct salt makes for an “essentially different” hash for each
password.
This work appeared in preliminary form in [26] and [25]. Since the initial publica-
tion, the notion of tweakable block ciphers has been applied to disk sector encryption
[20–22]. Rogaway [32] describes XE and XEX modes, tweakable block ciphers that are
highly efficient if sequential tweaks are used; some subsequent work extends this idea
[12,29]. Bellare and Kohno [5] discuss the issue of creating tweakable block ciphers
from block ciphers secure against related-key attacks. Black, Cochran, and Shrimp-
ton [9] have presented work analyzing the security of the TCH hash function presented
in our preliminary paper, and showing attacks for certain instantiations of the tweakable
block cipher. Goldenberg et al. [18] discuss how to add tweaks to Luby–Rackoff block
ciphers directly.
1.2. Roadmap
In Sect. 2 we then discuss and formalize the notion of security for tweakable block
ciphers. In Sect. 3 we suggest several ways of constructing tweakable block ciphers
592 M. Liskov, R.L. Rivest, and D. Wagner

from existing block ciphers and prove that the existence of tweakable block ciphers is
equivalent to the existence of block ciphers. Then in Sect. 4 we suggest several new
modes of operation utilizing tweakable block ciphers and give simple proofs for some
of them. Section 5 concludes with some discussion and open problems.

2. Definitions

2.1. Notation
When A is a randomized algorithm, we write y ← A(x) to mean that y is a random
variable with value determined by A on input x. When S is a finite set, we write x ← S
to mean that x is a random variable chosen according to the uniform distribution on S.
We write x1 ← X1 ; x2 ← X2 ; . . . ; xk ← Xk to mean that the values of variables
x1 , . . . , xk are chosen in order, by first determining x1 , then x2 , and so on, until xk
is determined. We write x1 ← X1 ; . . . ; xk ← Xk : P (x1 , . . . , xk ) to mean the event that
P (x1 , . . . , xk ) evaluates to true, given the random choices of x1 , . . . , xk .
We write AO1 ,...,Ok to mean the algorithm A with access to oracles O1 , . . . , Ok . We
write u ◦ v to mean the concatenation of strings u and v.

2.2. Block Ciphers

A block cipher is a pair of functions (E, D). E takes as input a k-bit key K and an
n-bit message M and outputs an n-bit ciphertext C. D takes a k-bit key K and an
n-bit ciphertext C as inputs, and outputs an n-bit plaintext M. E and D must both be
efficient (polynomial time) to compute, deterministic, and such that for all K and all M,
D(K, E(K, M)) = M. For convenience, we write EK to mean the function that takes
M to E(K, M).
The security of a block cipher E (e.g., parameterized as in (1)) can be quantified
as ADVPRP (E, q, s), which represents the maximum advantage that an adversary can
obtain when trying to distinguish EK (with a randomly chosen key K) from a random
permutation Π with the same domain, when allowed q queries to an unknown oracle
(which is either EK or Π ) and when allowed computation time s. This advantage is
defined as the difference between the probability the adversary outputs 1 when given
oracle access to EK and the probability the same adversary outputs 1 when given oracle
access to Π .

Definition 1. Define
    
ADVPRP (E, A) =  Pr b ← AΠ : b = 1 − Pr K ← {0, 1}k ; b ← AEK : b = 1 ,

and define
ADVPRP (E, q, s) = max ADVPRP (E, A),
A∈Aq,s

where Aq,s is the set of all algorithms making at most q oracle queries and running in
time at most s.
Tweakable Block Ciphers 593

A stronger definition for a block cipher can be defined as the maximum advantage that
an adversary can obtain when trying to distinguish the pair of oracles E(K, ·), D(K, ·)
from the pair Π, Π −1 , when allowed q queries and computation time s. This advantage
is defined as the difference between the probability the adversary outputs 1 when given
oracle access to E, D and the probability the same adversary outputs 1 when given
oracle access to Π, Π −1 .

Definition 2. Define
  −1 
ADVSPRP (E, A) =  Pr b ← AΠ,Π :b=1
 
− Pr K ← {0, 1}k ; b ← AEK ,DK : b = 1 ,

and define
ADVSPRP (E, q, s) = max ADVSPRP (E, A),
A∈Aq,s

where Aq,s is as in Definition 1.

Such a block cipher is referred to as a “strong block cipher” or a “strong pseudoran-

dom permutation.”

2.3. Tweakable Block Ciphers

 D).
A tweakable block cipher is a pair of functions (E,  E  takes as input a k-bit key K,
a t-bit tweak T , and an n-bit message M and outputs an n-bit ciphertext C. D  takes a
k-bit key K, a t-bit tweak T , and an n-bit ciphertext C as inputs and outputs an n-bit
plaintext M. E and D  must both be efficient (polynomial time) to compute, determin-

istic, and such that for all K, T , and M, D(K, 
T , E(K, T , M)) = M. For convenience,
 
we write EK to mean the function that takes (T , M) to E(K, T , M).
We may measure the security of a tweakable block cipher (or a tweakable pseudoran-
dom permutation) E  as the maximum advantage ADVTPRP (E,  q, s) an adversary can ob-

tain when trying to distinguish EK from a “tweakable random permutation” Π , a family
of independent random permutations parameterized by T . That is, for each T , we have
 , ·) is an independent randomly chosen permutation of the message space.
that Π(T
A tweakable block cipher E  may be considered secure when ADVTPRP (E,  q, s) is suf-
ficiently small.

Definition 3. Define
      
 A) =  Pr b ← AΠ
ADVTPRP (E, : b = 1 − Pr K ← {0, 1}k ; b ← AEK : b = 1 ,

and define
ADVTPRP (E, q, s) = max ADVTPRP (E, A),
A∈Aq,s

where Aq,s is as in Definition 1.

594 M. Liskov, R.L. Rivest, and D. Wagner

Note that the adversary is allowed to choose both the message and tweak for each
oracle call.
Similarly, we define ADVSTPRP (E, q, s) as the maximum advantage an adversary can
obtain when trying to distinguish the pair of oracles E K from Π,
K , D  Π−1 , when given
q queries and s time. We say that a tweakable block cipher is a strong tweakable block
cipher when ADVSTPRP (E,  q, s) is sufficiently small.

Definition 4. Define
   −1 
 A) =  Pr b ← AΠ,Π
ADVSTPRP (E, :b=1
   
− Pr K ← {0, 1}k ; b ← AEK ,DK : b = 1 ,

and define
ADVSTPRP (E, q, s) = max ADVSTPRP (E, A),
A∈Aq,s

where Aq,s is as in Definition 1.

3. Constructions

In this section, we show how to construct a secure tweakable block cipher and a strong
tweakable block cipher, from simple underlying primitives we assume to be secure.

3.1. Unsuccessful Constructions

First, we demonstrate some simple attempts at constructing tweakable block ciphers
from block ciphers and show that these methods are not successful.
As a first attempt, we might try applying the DESX construction
K (T , M) = EK (M ⊕ T ) ⊕ T .
E

Here, an adversary making the two queries (T , M), (T ⊕ 1, M ⊕ 1) can distinguish.

 but this is
If C and C  are the respective outputs, C ⊕ C  = 1 will always be true for E,
very unlikely for Π.
Another natural idea is to make the tweak affect the key of the underlying block ci-
pher. This is doubly wrong, as this clearly any change to the tweak will require rekeying,
and furthermore, these approaches are not necessarily secure.
Consider
K (T , M) = EK◦T (M),
E
 K (T , M) = EK⊕T (M).
E

If secure block ciphers exist, it is trivial to construct a secure block cipher such that
EK (M) = EK⊕1 (M) for all K, M.2 If such a block cipher were used in either of the
2 For example, E  
K◦b (M) = EK (M), where E is a secure block cipher.
Tweakable Block Ciphers 595

above constructions, the resulting tweakable block cipher would be easily attackable,
by querying (T , M) and (T ⊕ 1, M). Even if this type of overt flaw is not known to
exist in E, related-key attacks [7] could apply.

3.2. A Tweakable Block Cipher

Here, we give a first secure tweakable block cipher construction. We call this construc-
tion CMT mode, which stands for “CBC-MAC Tweaked.”
Let E be a secure block cipher. CMT mode is defined by
 
EK (T , M) = EK T ⊕ EK (M)

and
 
K (T , C) = DK T ⊕ DK (C) .
D
CMT mode is reasonably efficient. The following theorem proves its security.

Theorem 1.  is a secure tweakable block cipher. Specifically,

E

 q, s) ≤ ADVPRP (E, 2q, s + q) + 17q 2 − q

ADVTPRP (E, .
2n+1
Proof. This proof is adapted from a proof given by Bellare and Kohno [4].
 , M) is just the CBC MAC of the message M ◦ T . Let R be a random
Note that E(T
function from t + n bits to n bits. Define
  
ADVPRF (E, A) =  Pr b ← AR : b = 1
  
− Pr K ← {0, 1}k ; b ← AEK : b = 1 ,

and let ADVPRF (E, q, s) = maxA∈A ADVPRF (E,  A).

q,s
Bellare et al. [3] show that if A is an adversary that aims to distinguish a CBC MAC
oracle from a random oracle, an adversary A can be constructed that aims to distinguish
the block cipher from a random permutation, such that

 A) ≤ ADVPRP (E, A ) + 4q 2
ADVPRF (E, ,
2n−1
where q is the number of queries made by A, where A makes 2q queries, and where
A takes time s + q where s is the running time of A. The time overhead is due to
the need to make twice as many oracle queries. This proves that ADVPRF (E,  q, s) ≤
16q 2
ADVPRP (E, 2q, s + q) + 2n+1 .
Note that R differs from Π  only in that for any fixed T , R is a random function,
while Π is a random permutation. The output of a single random function and a single
random permutation, each with n-bit outputs, are statistically close: if q queries are
2 −q
made, the statistical difference is at most q2n+1 . Thus, the outputs of R and Π have
1 l 2 − q , where l is the number of distinct tweaks
statistical difference at most 2n+1 q
i=1 i i
596 M. Liskov, R.L. Rivest, and D. Wagner

queried, and where qi is the number of queries involving the ith tweak. This difference
is maximized when l = 1 and q1 = q. Therefore,

 q, s) ≤ ADVPRF (E,
 q, t) + q2 − q
ADVTPRP (E,
2n+1
17q 2 − q
≤ ADVPRP (E, 2q, s) + ,
2n+1
as stated. 

Theorem 2. The existence of secure block ciphers is equivalent to the existence of

secure tweakable block ciphers.

Proof of Theorem 2. One direction follows from Theorem 1.

For the other, let E K (T , M) be a tweakable block cipher, and let EK (M) =
 t
EK (0 , M). Any distinguishing attack against E is clearly a distinguishing attack
 in which every tweak is chosen to be 0t . Therefore, ADVPRP (E, q, s) =
against E
 q, s) for all q and s.
ADVTPRP (E, 

We leave it as an open problem to devise a construction with a tighter bound than

Theorem 1.

Efficiency The construction of Theorem 1 has an overall running time that is twice the
running time of the underlying block cipher.
For this construction, it can be significantly faster to change the tweak than to change
K (T , M) has been computed, the cost to compute E
the key. If E K (T  , M  ) is the cost of
two block cipher computations. The cost of computing E K  (T , M  ), however, is the cost
of two block cipher computations plus the cost of key scheduling for the block cipher.

3.3. A Strong Tweakable Block Cipher

The construction of Sect. 3.2 is interesting as a simple example of a tweakable block
cipher. However, it is not a strong tweakable block cipher, and its efficiency leaves room
for improvement. Next we give a strong tweakable block cipher that is also more effi-
cient. We call this construction LRW mode, after a later precedent in the literature [29].
A family H of functions with signature {0, 1}t → {0, 1}n is said to be an -almost
2-xor-universal hash function family (“-AXU2 hash function family”, for short) if
Prh [h(x) ⊕ h(y) = z] ≤  holds for all x, y, z with x
= y, where the probability is
taken over h chosen uniformly at random from H.
Let H be such a hash function family. The LRW mode tweakable block cipher uses a
key (K, h) where K ← {0, 1}k and h ← H, and is given by

K,h (T , M) = EK (M ⊕ h(T )) ⊕ h(T ),

E
K,h (T , C) = DK (M ⊕ h(T )) ⊕ h(T ).
D
Tweakable Block Ciphers 597

Theorem 3. If H is an -AXU2 hash function family with  ≥ 2−n , and E is a strong

 is a strong tweakable block cipher. Specifically, for
pseudorandom permutation, then E
all q ≤ 2 ,
n−1

 q, s) ≤ ADVSPRP (E, q, s + q) + 3q 2 .

ADVSTPRP (E,

First, we establish some notation. Let E  be Π used in LRW mode. We use Pr0 [·]
h
to represent the probability measure in the case where A interacts with E K,h , where
the probability is taken over the choice of K ∈ {0, 1} and h ∈ H uniformly and in-
k

dependently at random. Also, we let Pr1 [·] denote the measure where A interacts with
 , where the probability is taken over the uniform random choice of h ∈ H. Let Pr2 [·]
E h
denote the measure when A interacts with Π . In all three cases, we write O for A’s
oracle.
We let the random variable Ti denote the tweak input on A’s ith oracle call, and
we let Mi and Ci denote the plaintext and ciphertext corresponding to this call, so
that O(Ti , Mi ) = Ci . In other words, if A’s ith oracle query is an encryption query
(to O), then (Ti , Mi ) denotes the input and Ci the return value, whereas if A’s ith
oracle query is a decryption query (to O−1 ), then the input is (Ti , Ci ), and the result of
the query is Mi . Moreover, we define the random variables Ni , Bi by Ni = Mi ⊕ h(Ti )
and Bi = Ci ⊕ h(Ti ). Note that in probability measure Pr0 [·], we have EK (Ni ) = Bi ,
and in probability measure Pr1 [·], we have Π(Ni ) = Bi . We define the random variable
τn by τn = (T1 , M1 , C1 ), . . . , (Tn , Mn , Cn ) , and we use τ = τq to represent the full
transcript of interaction with the oracle.
We fix an adversary A, and we assume without loss of generality that A does not make
any repeated or redundant queries to its oracle. As a consequence of this assumption,
the pairs (Ti , Mi ) are all distinct, or in other words, for all i
= j , we have (Ti , Mi )
=
(Tj , Mj ). Similarly, the pairs (Ti , Ci ) are also distinct, as are the (Ti , Ni )’s and the
(Ti , Bi )’s. Also, the output of A can be viewed as a function of the transcript τ , so we
sometimes write the output of A as A(τ ).
Our proof is separated into two parts. In the information-theoretic part, we let Π
denote a permutation chosen uniformly at random and show that E  is a secure tweak-
h
able block cipher. Then, in the computational part, we let E be arbitrary, and we show
that if EK and Π are computationally indistinguishable, then E  will also be a secure
tweakable block cipher.
The information-theoretic part of the proof uses the following strategy. We define
a bad event Bad. We show that when conditioning on the complement event (that is,
when nothing bad happens), the probability measures Pr1 [·|Bad] and Pr2 [·|Bad] are in
fact identical, that is, the adversary can only distinguish with probability 1/2. Then, we
show that Pr1 [Bad] and Pr2 [Bad] are both small; thus, if we replace E with a random
permutation, the adversary could only distinguish with a negligible advantage.
In our arguments, we define Badn to be the event that, for some 1 ≤ i < j ≤ n, either
Ni = Nj or Bi = Bj . Also, we let Bad = Badq .

Lemma 1. Let Evτ be the event that τ is the transcript generated. Then
Pr1 [Evτ |Bad] = Pr2 [Evτ |Bad].
598 M. Liskov, R.L. Rivest, and D. Wagner

Proof. We show this by induction on the length of the transcript, q. Consider the qth
oracle query: it is either an encryption or a decryption query. Suppose first that the qth
oracle query is an encryption query, with inputs (Tq , Mq ). By the inductive hypothesis,
we can assume that the distribution of τq−1 is the same for both the Pr1 [·|Badq−1 ]
and Pr2 [·|Badq−1 ] probability measures, hence the same is true of the distribution of
(τq−1 , Tq , Mq ).
Now fix any h such that Nq ∈ / {N1 , . . . , Nq−1 }, so that the only remaining random
choice is over Π or Π . When O = Π , Cq = Π(T  q , Mq ) is uniformly distributed on
the set S = {0, 1}n \ {Ci : Ti = Tq and 1 ≤ i < q} if we condition on Badq−1 (but
before conditioning on Badq ). When O = E  , we find something slightly different:
Bq = Π(Nq ) is uniformly distributed on the set {0, 1}n \ {B1 , . . . , Bq−1 } (conditioned
on Badq−1 , but before conditioning on Badq ), hence Cq = Bq ⊕ h(Tq ) is uniformly
distributed on the set S  = {0, 1}n \ {Ci ⊕ h(Ti ) ⊕ h(Tq ) : i = 1, . . . , q − 1}. In both
cases, the probabilities are independent of the choice of h. Also, note that S  ⊆ S, since
when Ti = Tq , we have Ci ⊕ h(Ti ) ⊕ h(Tq ) = Ci . Adding the condition Badq amounts
to adding the condition that Bq ∈ {0, 1}n \ {B1 , . . . , Bq−1 }, i.e., that Cq ∈ S  . Thus, after
conditioning on Badq , we see that Cq is uniformly distributed on S  and independent
of the rest of the transcript, and hence the distribution of τ is the same for both the
Pr1 [·|Badq ] and Pr2 [·|Badq ] probability measures. (Here we have used the following
simple fact: if the random variable X is uniform on a set S and if S  is some subset of S,
then after conditioning on the event X ∈ S  we find that the resulting random variable is
uniform on S  .)
This covers the case where the qth query is a chosen-plaintext query. The other case,
where the qth query is a chosen-ciphertext query, is treated similarly. This concludes
the proof of Lemma 1. 

Lemma 2. If H is -AXU2 , then Pr2 [Badq ] ≤ q(q − 1).

Proof. Note that, when O = Π , h is independent of the transcript τ . Hence, we can

defer the choice of h until after A completes all q of its queries and the values of
Ti , Mi , Ci are fixed. Then, we find
Pr 2 [Badq ] = Pr[∃i < j : Ni = Nj ∨ Bi = Bj ] (3)
h

≤ Pr[Ni = Nj ] + Pr[Bi = Bj ] (4)
h h
1≤i<j ≤q
 
= Pr h(Ti ) ⊕ h(Tj ) = Mi ⊕ Mj
h
1≤i<j ≤q
 
+ Pr h(Ti ) ⊕ h(Tj ) = Ci ⊕ Cj (5)
h

≤ 2 = q(q − 1). (6)
1≤i<j ≤q

Equation (3) is from the definition of Badq . Equation (4) follows by a union bound.
Equation (5) follows from the definition of Ni and Bi . Finally, (6) follows by the defin-
Tweakable Block Ciphers 599

ition of -AXU2 hash functions. Note that if Ti = Tj and i

= j , then Mi ⊕ Mj
= 0, and
thus Pr[h(Ti ) ⊕ h(Tj ) = Mi ⊕ Mj ] = 0 ≤ ; similarly for Ci ⊕ Cj
= 0. 

Lemma 3. If H is -AXU2 for  ≥ 1/2n and if EK = Π and q ≤ 2n−1 , then

Pr1 [Badq ] ≤ 1.5q(q − 1).

Proof. We will prove that Pr1 [Badq ] ≤ 1.5q(q − 1) by induction on q. Let Ev

denote that event that, for some i, we have Ni = Nq , and let Ev denote the
event that, for some i, we have Bi = Bq . Note that Pr1 [Badq ] = Pr1 [Badq−1 ] +
Pr1 [Badq |Badq−1 ] Pr1 [Badq−1 ]. By the inductive hypothesis, Pr1 [Badq−1 ] ≤ 1.5(q −
1)(q − 2). Also, Pr1 [Badq−1 ] ≤ 1. Hence all that remains is to bound the term
Pr1 [Badq |Badq−1 ].
Applying a union bound shows that Pr1 [Badq |Badq−1 ] ≤ Pr1 [Ev|Badq−1 ] + Pr1 [Ev
|Ev ∧ Badq−1 ]. We next bound each of these two terms in turn. By Lemma 1, and
since H is -AXU2 , we see Pr1 [Ev|Badq−1 ] = Pr2 [Ev|Badq−1 ] ≤ (q − 1). Moreover,
Pr1 [Ev |Ev ∧ Badq−1 ] = Pr1 [Π(Nq ) ∈ {B1 , . . . , Bq−1 }|Ev ∧ Badq−1 ] ≤ (q − 1)/(2n −
q + 1) ≤ 2(q − 1)/2n ≤ 2(q − 1), since Π(Nq ) is uniformly distributed on a set of
size at least 2n − q + 1 and since  ≥ 1/2n . Finally, 1.5(q − 1)(q − 2) + (q − 1) +
2(q − 1) ≤ 1.5q(q − 1). The statement of the lemma now follows. 

We are now ready to prove the security theorem.

Proof of Theorem 3. First, we show that ADVSTPRP (E  , q, s) ≤ 3q(q − 1). For

notational convenience, define p1 = Pr1 [A(τ ) = 1|Bad], p1 = Pr1 [A(τ ) = 1|Bad],
p2 = Pr2 [A(τ ) = 1|Bad], and p2 = Pr2 [A(τ ) = 1|Bad].
We perform the following calculation:
   
ADVSTPRP (E , A) =  Pr 1 A(τ ) = 1 − Pr 2 [A(τ ) = 1]
 
= p1 Pr 1 [Bad] + p1 Pr 1 [Bad] − p2 Pr 1 [Bad] − p2 Pr 2 [Bad]
 
≤ p1 Pr 1 [Bad] − p2 Pr 2 [Bad]| + |p1 Pr 1 [Bad] − p2 Pr 2 [Bad] (7)
 
≤ p1 Pr 1 [Bad] − p2 Pr 2 [Bad] + 1.5q(q − 1) (8)
 
≤ Pr[A(τ ) = 1|Bad] Pr 1 [Bad] − Pr 2 [Bad] + 1.5q(q − 1) (9)
 
≤  Pr 2 [Bad] − Pr 1 [Bad] + 1.5q(q − 1) (10)

≤ 3q(q − 1). (11)

Line (7) follows by the triangle inequality. Lemmas 2 and 3 show that Pr[Bad] ≤
1.5q(q − 1), which justifies (8). Lemma 1 establishes that p1 = p2 = Pr[A(τ ) =
1|Bad], which justifies (9). We then note that | Pr1 [Bad] − Pr2 [Bad]| = | Pr2 [Bad] −
Pr1 [Bad]| ≤ 1.5q(q − 1), to arrive at (10) and then (11). Since the adversary A was
 , q, s) ≤ 3q(q − 1).
arbitrary, it follows that ADVSTPRP (E
 let A be the adversary attacking E as follows. A
If A is an adversary attacking E,
runs A in its attack but uses its own oracle in LRW mode to supply answers to A’s
600 M. Liskov, R.L. Rivest, and D. Wagner

oracle queries. A outputs what A outputs. Note that if A makes q queries and runs in
s time, then A makes q queries and runs in s + q time (the additional q accounts for
the hash computations). Note that ADVSPRP (E, A ) = | Pr0 [A(τ ) = 1] − Pr1 [A(τ ) = 1]|,
and therefore maxA∈Aq,s | Pr0 [A(τ ) = 1] − Pr1 [A(τ ) = 1]| ≤ ADVSPRP (E, q, s + q).
The result then follows:
    
ADVSTPRP (E,  q, s) = max  Pr 0 A(τ ) = 1 − Pr 2 A(τ ) = 1 
A∈Aq,s
    
≤ max  Pr 0 A(τ ) = 1 − Pr 1 A(τ ) = 1 
A∈Aq,s
    
+  Pr 1 A(τ ) = 1 − Pr 2 A(τ ) = 1 
    
≤ max  Pr 0 A(τ ) = 1 − Pr 1 A(τ ) = 1 
A∈Aq,s
    
+ max  Pr 1 A(τ ) = 1 − Pr 2 A(τ ) = 1 
A∈Aq,s

 , q, s)
= ADVSPRP (E, q, s + q) + ADVSTPRP (E

≤ ADVSPRP (E, q, s + q) + 3q(q − 1).

This completes the proof. 

As there are plenty of known constructions of -AXU2 hash families with  ≈ 1/2n ,
the security theorem shows that we can obtain a construction with good security against
adaptive chosen-ciphertext attacks for up to the birthday bound, i.e., for q  2n/2 .

Efficiency It is harder to estimate the efficiency of the LRW construction, because it is

not clear how to compare the computational cost of the block cipher to the cost of the
hash functions. However, we expect that LRW mode will be faster than CMT mode in
practice. For instance, for t = n = 128, a generalized division hash runs in 300 cycles
[36], UMAC/UHASH runs in 200 cycles [10], hash127 runs in 150 cycles [6], and a
DFC-style decorrelation module should run in about 200 cycles [19].3 If we compare
the best of these to AES, which runs in 237–333 cycles [2], we expect that a version
of AES tweaked in this way will run about 45–63% slower than the plain AES. These
estimates are conservative: the above hash functions are designed for large input strings,
whereas no compression is necessary for this application. Indeed, subsequent work of
Rogaway [32] shows that even better performance can be achieved with a more carefully
designed hash function.
In this construction, changing only the key requires that we rekey the cipher and
compute the block cipher. Changing only the tweak requires that we recompute the hash
function and the block cipher, but no rekeying is necessary. We expect that changing the
tweak will generally be faster than changing the key. For AES, key expansion runs in
3 All estimates are based on a Pentium II class machine and are rough estimates based on speed bench-
marks that are not directly comparable.
Tweakable Block Ciphers 601

277–374 cycles [15]. Based on our estimates of the cost of hashing, changing the tweak
should be faster by about 23–32%.4
Though LRW mode is likely to be faster than CMT mode, LRW mode does require a
longer key. However, if a pseudorandom generator can be agreed upon in advance, we
can simply use the key of length k as an input to the pseudorandom generator which
will enable us to get a longer pseudorandom key that can be used to generate both K
and h. This negatively impacts performance, but only when the key of the tweakable
block cipher is changed.

3.4. Related Work

There are similarities between our constructions and various results in the literature.
As is discussed in the proof, the CMT construction is the CBC MAC of the two-block
message M ◦ T .
The LRW construction bears a similarity to the Luby–Rackoff construction [27] if we
think of EK and h as different pseudorandom functions. Even more relevant is the recent
work of Naor and Reingold [31], who showed that we can relax the Luby–Rackoff
construction by using merely pairwise-independent functions in the first and last rounds
and by using a single pseudorandom function (instead of two) in the intervening rounds
(in the four-round Luby–Rackoff construction of strong PRPs). We can think of LRW
mode as doing this on a message block made up of M and T together, except using a
single middle round, but with a pseudorandom permutation instead of a pseudorandom
function, and revealing only the second half of the output.
It should be noted that in both of these cases what we do is actually slightly different,
but they bear enough of a strong resemblance to these prior results that it is worth
mentioning the relationship.
In fact, it may be possible to view LRW mode as a strengthening of Naor and Rein-
gold’s result. In a sense we modify the Feistel-type construction by outputting only one
side of it, which we assume is accompanied by T , and yet show that this still gives a
pseudorandom permutation.
Both our constructions use an underlying block cipher in a black-box way. Thus, in
a sense, we are providing a mechanism to take a random permutation oracle and create
a pseudorandom permutation family oracle. In a way this is like getting many permu-
tation oracles for the price of one: we simply think of the one permutation oracle as a
random permutation and apply a tweakable block cipher general construction, and we
get a whole family of pseudorandom permutations. This has been studied previously;
for instance, Black and Rogaway [11] prove that having two independent random per-
mutation oracles is indistinguishable from having Π(·) and Π(K ⊕ ·) where K is a
secret value. Our work can be seen as an improvement that provides a whole family of
independent random permutations from a single one.

4. Tweakable Modes of Operation

We claim that it is easier to design and prove the security of applications using the
tweakable block cipher abstraction. In evidence of this, we present three tweakable
4 Specifically, 23% for 192-bit keys (150 + 286 vs. 277 + 286 cycles), 29% for 128-bit keys (150 + 237
vs. 305 + 237 cycles), and 32% for 256-bit keys (150 + 333 vs. 374 + 333 cycles).
602 M. Liskov, R.L. Rivest, and D. Wagner

modes of operation, with proofs of security for each. In all three cases, we do not sug-
gest that the tweakable mode is superior to existing modes of operation. We stress that
these modes should be taken primarily as a demonstration of the conceptual advantages
gained by working with tweakable block ciphers.
However, our third tweakable mode is of independent interest as it is a generalization
of OCB mode [33] and because of its very tight reduction, relative to the tweakable
block cipher it uses.

4.1. Tweak Chaining (TC)

Tweak block chaining (TC) is a symmetric encryption mode modeled after cipher block
chaining (CBC). An initial tweak T0 plays the role of the initialization vector (IV) for
CBC. Each successive message block Mi is encrypted under the encryption key K and
a tweak Ti−1 , where Ti = Ci for i > 0. The final ciphertext is (T0 , C1 ◦ · · · ◦ Cl ). See
Fig. 2.
To decrypt, we compute M1 = D K (T0 , C1 ) and Mi = D
K (Ci−1 , Ci ) for i > 1.
To handle messages whose length is greater than n but not a multiple of n, a variant of
ciphertext-stealing [34] can be used; see Fig. 3. One can also adapt the TC construction
to make a TC-MAC in the same manner that one can use the CBC construction to make
a CBC-MAC, though these constructions still need a security analysis.
Chosen-plaintext security for a symmetric encryption scheme is defined in terms of
the maximum advantage an adversary can achieve in distinguishing one of two mes-

Fig. 2. Tweak chaining: a symmetric encryption mode for a tweakable block cipher. Each ciphertext be-
comes the tweak for the next encryption. Note that to decipher a block, one needs only the key, Ci , and Ci−1 ,
so decryption can be done in parallel.

Fig. 3. (a) Ciphertext stealing for tweak chaining handles messages whose length is at least n bits long
but not a multiple of n. Let r denote the length of the last (short) block Mm of the message. Then
|Cm | = |Mm | = r and |C  | = n − r. Here X denotes the rightmost n − r bits of Cm−2 (or of T0 if m = 2).
(b) A similar technique is used to handle similar messages in tweak incrementation encryption mode.
Tweakable Block Ciphers 603

sages, under a chosen plaintext attack. Formally, define


ADVIND-CPA (E, A) = Pr K ← {0, 1}k ; (m0 , m1 ) ← AEK ; b ← {0, 1};
   1
b ← AEK EK (mb ) : b = b and |m0 | = |m1 | −
2
and define
ADVIND-CPA (E, q, s) = max ADVIND-CPA (E, A),
A∈Aq,s

where Aq,s is the set of all algorithms A that make queries with at most q blocks of
input and run in at most s time.

 in TC mode, then
Theorem 4. If E is the symmetric encryption system made from E

 q, s) + q2 − q
ADVIND-CPA (E, q, s) ≤ ADVTPRP (E, .
2n+1
Proof. Conceptually, the proof is very simple. If E were implemented with a random
 then the adversary would be unable to get any ad-
permutation family instead of E,
vantage unless some tweak is used more than once, which happens with probability
q 2 −q
2n+1
. Thus, the maximum advantage is bounded by this probability plus the maximum
 from Π
advantage in distinguishing E .

Let E be the symmetric encryption system made from Π  in TC mode. Then

ADVIND-CPA (E, q, s) = ADVIND-CPA (E  , q, s) + ADVIND-CPA (E, q, s)

− ADVIND-CPA (E  , q, s)

≤ ADVIND-CPA (E  , q, s) + ADVIND-CPA (E, q, s)

− ADVIND-CPA (E  , q, s)
 q, s).
≤ ADVIND-CPA (E  , q, s) + ADVTPRP (E,

This last step is due to the natural “simulating” reduction. Namely, if A is an adver-
sary attacking the IND-CPA property of its target, we can construct an A that attempts
to distinguish E  from Π . A runs A in its attack and answers queries by using its own
oracle run in TC mode; A outputs whatever A outputs. A makes the same number of
queries and runs in the same time as A.
Thus, it remains only to determine ADVIND-CPA (E  , q, s). Let A be an adversary that
attacks E  and makes queries with q total blocks. Define Bad to be the event that E  ever
2 −q
invokes Π  with some tweak more than once. We have Pr[Bad] ≤ q n+1 . Furthermore,
2
note that A gets no advantage at all if Bad holds: since every tweak used is distinct, the
ciphertext given to A is random and independent of b. Therefore, ADVIND-CPA (E  , q, s) ≤
q 2 −q
2n+1
, which proves the theorem. 

If making a tweakable block cipher requires even one extra XOR, the performance
of CBC mode is the same or better than the performance of TC mode. Again, we stress
604 M. Liskov, R.L. Rivest, and D. Wagner

that TC mode is given to illustrate the conceptual simplicity of proofs for tweakable
modes of operation.

4.2. Tweak Incrementation Encryption (TIE)

Another symmetric encryption scheme is “tweak incrementation encryption” mode (or
TIE for short) which is meant to be similar to CTR mode for block ciphers [1,35,37]. In
TIE mode, the message is divided into message blocks M0 , . . . , Mm . An initial tweak
 + i, Mi ),
IV is generated, and each ciphertext block is generated as follows: Ci = E(IV
where IV + i refers to simply adding i to IV modulo 2 . See Fig. 4. This mode was
t

suggested by Schroeppel in his presentation of the Hasty Pudding Cipher.

The proof that TIE mode is secure is extremely similar to the proof that TBC mode
is secure, but even more simple.
In “state-preserving” TIE mode, IV is chosen to be 0 for the first message, and subse-
quent IV values are chosen to be the next value that has not yet been used as the tweak.
This requires the user to maintain a state that keeps track of which IV to use next.

 in (state-preserving)
Theorem 5. If E is the symmetric encryption system made from E
TIE mode, then if q < 2t ,

 q, s).
ADVIND-CPA (E, q, s) ≤ ADVTPRP (E,

Proof. If E  is the symmetric encryption system made from Π  in TIE mode, then
 
ADVIND-CPA (E, q, s) ≤ ADVIND-CPA (E , q, s) + ADVTPRP (E, q, s), as we established in
our proof of Theorem 4.5 Furthermore, ADVIND-CPA (E  , q, s) = 0, because in the state-
preserving version of TIE mode, no tweak is ever repeated if fewer than 2t total queries
are made. Therefore, every block of output is an independent random string of length n,
and the encryption of mb is random and independent of b. 

In “non-state-preserving” TIE mode, IV is chosen randomly for each message.

Fig. 4. Tweak incrementation encryption: a mode of operation for tweakable block ciphers to produce secure
symmetric encryption. The initial tweak IV is chosen randomly (or sequentially) and incremented by 1 for
each successive block.

5 We again use the natural simulating reduction; this time, A uses its oracle in state-preserving TIE mode.
Again, A runs in s time and makes q queries.
Tweakable Block Ciphers 605

 in (non-state-
Theorem 6. If E is the symmetric encryption system made from E
t
preserving) TIE mode, then if q < 2 ,

 q, s) + q2 − q
ADVIND-CPA (E, q, s) ≤ ADVTPRP (E, .
2n+1

Proof. The proof of Theorem 5 shows that ADVIND-CPA (E, q, s) ≤ ADVTPRP (E,  q, s)+
Pr[Bad], where Bad is the event that the queries A makes cause E to use a tweak more
than once. (For the state-preserving version of TIE mode, Pr[Bad] = 0.)
2 −q
Here, Pr[Bad] ≤ q2n+1 . Pr[Bad] is maximized when A queries E on one-block mes-
sages. In that case, the ith block has at most an i − 1/2n chance of having a repeated
tweak. If message blocks are longer, this probability is decreased for subsequent blocks,
to i  /2n , where i  is the number of full messages (rather than message blocks) queried
to E before the current query.
2 −q
Therefore, ADVIND-CPA (E, q, s) ≤ ADVTPRP (E,  q, s) + q n+1 . 
2

The advantages of TIE mode are similar to the advantages of CTR mode: for instance,
blocks can be deciphered in parallel and online. Also, some work has been done by Ro-
gaway in optimizing tweakable block ciphers when the tweak is changed in predictable
ways [32]; such techniques may be applicable here. However, CTR mode allows the
sender to precompute the keystream needed for encryption; TIE cannot support that
optimization.
Again, TIE mode is less efficient than CTR mode and is given as an example of a
conceptually simple proof for a tweakable mode of operation.

4.3. Tweakable Authenticated Encryption (TAE)

In this section we suggest an authenticated mode of encryption (TAE) based on the use
of a tweakable block cipher. This mode can be viewed as a paraphrase or restatement of
the architecture of the OCB (offset codebook) mode proposed by Rogaway et al. [33],
modified to utilize tweakable block ciphers rather than DESX-like modules. The result
is shown in Fig. 5.
The OCB paper goes to considerable effort to analyze the probability that various
encryption blocks all have distinct inputs. We feel that a tweakable mode such as TAE

Fig. 5. TAE mode: Authenticated encryption based on a tweakable block cipher.

606 M. Liskov, R.L. Rivest, and D. Wagner

should be much simpler to analyze, since the use of tweaks obviates this concern. We
will give a fairly easy proof that a tweakable block cipher used in TAE mode gives all
the security properties claimed for OCB mode.
Following Rogaway et al., an authenticated encryption system involves two algo-
rithms, AE and AD. AE (authenticated encryption) takes as input a key K of length
k, a message M of length ≥ n, a nonce N , and a parameter 1 ≤ τ ≤ n, and outputs a
ciphertext of length |M| and a tag of length τ . AD (verification and decryption) takes as
input a key K of length k, a ciphertext C, a nonce N , and a tag tag, and outputs either a
message M of length |C|, or ⊥, the latter signifying that the authentication check failed.
As before, we refer to AE K and ADK for the sake of simplicity, when the key is fixed.
Adversaries are assumed to be “nonce-respecting,” meaning that while the adversary
has the ability to choose the nonce, the adversary does not make more than one query
with the same nonce. Informally, the security requirements are [33]:
– Pseudorandomness. To any adversary, the output of OCB mode is pseudorandom.
In other words, no adversary can distinguish between an OCB mode oracle and a
random oracle that outputs messages of the correct length.
– Unforgeability. Any adversary, with the ability to obtain authenticated encryptions
of chosen values from an oracle, can forge a new valid encryption with probability
at worst negligibly greater than 2−τ .
Formally, we define
    
ADVPRF (AE, A) =  Pr K ← {0, 1}k ; b ← AAE K : b = 1 − Pr b ← AR : b = 1 

and
ADVPRF (AE, q, q  , s) = max ADVPRF (E, A),
A∈Aq,q  ,s

where R is a function that on input (M, N, τ ) outputs a random string of length |M| + τ ,
and where Aq,q  ,s is the set of all nonce-respecting algorithms that run in s time and
make at most q queries with a total of at most q  blocks. We also define

ADVFRG (AE, A, τ ) = Pr K ← {0, 1}k ; (C, N, tag) ← AAE K :

ADK (C, N, tag)
=⊥ ∧|tag| ≥ τ ∧ (C, N ) ∈ / Out − 2−τ

and
ADVFRG (AE, q, q  , s) = max ADVFRG (AE, A, τ ),
A∈Aq,q  ,s ,1≤τ ≤n

where Out is the list of pairs (C, N ) for which some (C, N, tag) was an output of the
EK oracle.

TAE Mode Now we describe the methods of TAE mode.

Algorithm AE(K, M, N, τ ):
for i = 1 to m − 1 do
Zi = N ◦ i ◦ 0
Tweakable Block Ciphers 607

Ci = EK (Zi , Mi )
Zm = N ◦ m ◦ 0
if |Mm | = n then
Cm = E K (Zm , Mm )
else
C=E K (Zm , |Mm |)
Cm = (C||Mm | ) ⊕ Mm
Z0 = N ◦ |M| ◦ 1
C0 = EK (Z0 , M1 ⊕ · · · ⊕ Mm )
tag = C0 |τ
return (C1 ◦ · · · ◦ Cm , tag)

Algorithm AD(K, C, N, tag):

for i = 1 to m − 1 do
Zi = N ◦ i ◦ 0
Mi = EK (Zi , Ci )
Zm = N ◦ m ◦ 0
if |Cm | = n then
Mm = E K (Zm , Cm )
else
C=E K (Zm , |Cm |)
Mm = (C||Cm | ) ⊕ Cm
Z0 = N ◦ |C| ◦ 1
C0 = E K (Z0 , M1 ⊕ · · · ⊕ Mm )
if tag == C0 ||tag| then
return M1 ◦ · · · ◦ Mm
else
return ⊥

See Fig. 5 for further illustration. τ must be in the range 1 ≤ τ ≤ n. Here, M is

assumed to be broken into m blocks M1 , . . . , Mm , of which the first m − 1 are all of
size n, and the last is of size at most n but at least 1. C is likewise broken into blocks
C1 , . . . , Cm . We use the notation A|k to denote the k least significant bits of A. When
computing M1 ⊕ · · · ⊕ Mm , we presume that Mm , if less than n bits, will be padded
with 0s.
We now prove that TAE mode satisfies these properties.

Theorem 7. If AE is E used in TAE mode and if E

 is a secure tweakable block cipher,
then AE is pseudorandom, and

 q + q  , s + q  ).
ADVPRF (AE, q, q  , s) ≤ ADVTPRP (E,

 in
Proof. Let AE  refer to the authenticated encryption scheme we obtain by using Π
TAE mode.
608 M. Liskov, R.L. Rivest, and D. Wagner

To prove that TAE mode is pseudorandom, we note that no tweak is ever repeated
when the adversary is nonce-respecting. Therefore, ADVPRF (AE  , q, q  , s) = 0: the out-
put of each tweakable block cipher is independent and random, so the entirety of AE 
is random, just as it would be for R. Therefore,

ADVPRF (AE, q, q  , s) = ADVPRF (AE, q, q  , s) − ADVPRF (AE  , q, q  , s).

If A is an adversary attacking the pseudorandomness of AE or AE  , we can construct

an adversary A that attacks the underlying tweakable block cipher as follows. A runs
A in its attack on TAE mode, but A responds to the oracle queries A makes by using
its own oracle in TAE mode. A outputs whatever A outputs. When A makes q  total
queries of q total blocks, A makes q + q  queries to its oracle: one for each block and
an additional one per query for the tag. A runs in time s + q  , as A need only assemble
and make the tweakable block cipher queries. Thus we have |ADVPRF (E, q, q  , s) −
 q + q  , s + q  ). Thus,
ADVPRF (E  , q, q  , s)| ≤ ADVTPRP (E,

ADVPRF (E, q, q  , s) = ADVPRF (E, q, q  , s) − ADVPRF (E  , q, q  , s)

 
≤ ADVPRF (E, q, q  , s) − ADVPRF (E  , q, q  , s)
 q + q  , s + q  ),
≤ ADVTPRP (E,

which completes the proof. 

Theorem 8. If AE is E  used in TAE mode and if E

 is a strong tweakable block cipher,
then AE is unforgeable. Formally,
6

 s + q + q  + 1, 2s + q  + 1) + 3
ADVFRG (AE, q, q  , s) ≤ ADVSTPRP (E, .
2n+1 − 2

 run in TAE mode.

Proof. As before, AE  is defined to be Π

Lemma 4. ADVFRG (AE  , q, q  , s) ≤ 2n+13 −2 .

Proof. We define two types of forgeries. A type-1 forgery is a forgery for which either
(1) A outputs (C, N, tag) where N is a nonce that A never used in a query, or (2) A
outputs (C, N, tag) where N is a nonce used in a prior query (M  , N, τ ) made by A
where |M  |
= |C|. A type-2 forgery is a forgery for which A outputs (C, N, tag) where
N is a nonce used in a prior query (M  , N, τ ) for which |M  | = |C| but for which the
result of the prior query did not produce C as the ciphertext. Successful forgeries will
always be of one of these two types.
For type-1 forgeries, the value Z0 used to validate the adversary’s forgery will be a
tweak value never used before. Therefore, the correct tag will be a random string of
length τ , so the probability that the forgery is successful is 2−τ .
For type-2 forgeries, there are two subcases. If (C, N, tag) is the adversary’s output,
let M be the message C encrypts (that is, what AD would output if the tag were correct),
 be strong.
6 Note that in [26] we incorrectly claimed that TAE mode is secure without requiring that E
Thanks to Wang Peng for pointing out this error.
Tweakable Block Ciphers 609

let M  be the message used in the prior query involving N , and let (C  , tag ) be the
output of that query. We define an event Bad, which occurs when the adversary gives
a type-2 output in which M1 ⊕ · · · ⊕ Mm = M ⊕ · · · ⊕ M . If Bad does not occur in
1 m
n−τ
a type-2 forgery, tag will be correct with probability at most 22n −1 . In such a case, the
checksum is distinct, and therefore C0 is equally likely to be any value other than the
value used to generate tag . At most 2n−τ values can lead to tag. Note that

n 
2n−τ −τ −τ 2
−2 =2 −1
2n − 1 2n − 1
1
= 2−τ
2n − 1
1
≤ n+1 .
2 −2

If Bad occurs, tag will be correct if tag = tag . However, the probability that Bad oc-
curs in a type-2 forgery is very small. Since C
= C  , let Ci be the last ciphertext block
for which there is a difference. If i < m, the probability that the checksums collide is at
most 2n1−1 : we can think of all the blocks Mj for i
= j being calculated first, and then
there are 2n − 1 equally likely results for Mi , each of which leads to a different check-
sum. If i = m, let Ci  be the second-last such block, and the same argument applies. If
Cm is the only block that differs, the checksums cannot collide. Thus, the probability
that Bad occurs for a type-2 forgery is at most 2n1−1 .
Let Ev denote the event that the adversary creates a successful forgery. Let Ev1 denote
the event that the adversary has a type-1 output, and let Ev2 denote the event that the
adversary has a type-2 output. Then for any A,

ADVFRG (AE  , A, τ ) = Pr[Ev] − 2−τ

= Pr[Ev|Ev1 ] Pr[Ev1 ] + Pr[Ev|Ev2 ] Pr[Ev2 ] − 2−τ

≤ Pr[Ev|Ev1 ] Pr[Ev1 ] + Pr[Ev|Ev2 ] Pr[Ev2 ]
 
− 2−τ Pr[Ev1 ] + Pr[Ev2 ]
= (Pr[Ev|Ev2 ] − 2−τ ) Pr[Ev2 ]
≤ Pr[Ev|Ev2 ] − 2−τ
= Pr[Ev|Ev2 , Bad] Pr[Bad] + Pr[Ev|Ev2 , Bad] Pr[Bad] − 2−τ
≤ Pr[Ev|Ev2 , Bad] + Pr[Bad] − 2−τ
= Pr[Ev|Ev2 , Bad] − 2−τ + Pr[Bad]
1 1
≤ +
2n+1 − 2 2n − 1
3
= n+1 ,
2 −2
610 M. Liskov, R.L. Rivest, and D. Wagner

and therefore ADVFRG (AE  , q, q  , s) ≤ 3

2n+1 −2
. This completes the proof of the lemma.


If A is a forging adversary, we can construct an adversary A that attacks the under-

lying tweakable block cipher as follows. A uses its (encryption) oracle in TAE mode to
answer queries for A. When A returns an output, A uses its oracles to run the TAE de-
cryption procedure on A’s output. If the result is ⊥, A outputs 1, otherwise A outputs 0.
The number of queries made by A is q + q  + r + 1 where r is the number of
blocks in the output of A. The time A takes to run is at most s + q  + r + 1. Since
r ≤ s, we observe that A runs in time at most 2s + q  + 1 and makes at most s + q +
q  + 1 queries. Note that ADVSTPRP (E,  A ) = |ADVFRG (AE, A) − ADVFRG (AE  , A)|,

and thus ADVSTPRP (E, s + q + q + 1, 2s + q  + 1) ≤ |ADVFRG (AE, q, q  , s) −


ADVFRG (AE  , q, q  , s)|.

Therefore,

ADVFRG (AE, q, q  , s) = ADVFRG (AE  , q, q  , s)

+ (ADVFRG (AE, q, q  , s) − ADVFRG (AE  , q, q  , s)

≤ ADVFRG (AE  , q, q  , s)
 
+ ADVFRG (AE, q, q  , s) − ADVFRG (AE  , q, q  , s)
≤ ADVFRG (AE  , q, q  , s)
 s + q + q  + 1, 2s + q  + 1)
+ ADVSTPRP (E,

 s + q + q  + 1, 2s + q  + 1) + 3
≤ ADVSTPRP (E, ,
2n+1 − 2

which completes the proof of Theorem 8. 

Remarks. It is interesting to note that the construction loses nothing in terms of its
pseudorandomness advantage compared to the advantage of the tweakable block cipher.
Furthermore, in terms of its forging advantage, TAE mode loses a negligible amount of
advantage, regardless of the adversary’s power! This is somewhat remarkable and helps
to emphasize our main point that tweakable block ciphers may be the most natural and
useful construct for designing higher-level modes of operation. What is more, we note
that if we use LRW mode to instantiate E, TAE mode is very similar to OCB mode. One
critical difference is that OCB mode (essentially) derives its choice of h from the key
K, whereas our construction would require h to be additional key information (though,
as we commented, we could derive h from K as part of that construction in order to re-
duce the key size). Also, OCB mode uses a Gray code to fine-tune efficiency, which we
do not. However, our proof is significantly shorter and simpler than the original proof
for OCB mode, which further strengthens our point that tweakable block ciphers are the
right primitive for this kind of task. Indeed, Rogaway revisited OCB mode in his Asi-
acrypt 2004 paper [32]. In that result, among other improvements, the proof was much
simpler, thanks in part to Rogaway’s use of the tweakable block cipher abstraction.
Tweakable Block Ciphers 611

5. Conclusions

The notion of tweakable block ciphers allows one to “repartition” many cryptographic
design problems into two parts: designing good tweakable block ciphers and designing
good modes of operation based on tweakable block ciphers. We feel that this reparti-
tioning is likely to be more useful and fruitful than the usual structure, since certain
issues (e.g., having to do with collisions, say) can be handled once and for all at the
lower level and can then be ignored at the higher levels, instead of having to be dealt
with repeatedly at the higher levels.
We feel that the notions of a tweakable block cipher and modes of operation based
upon on tweakable block ciphers are interesting and worthy of further study.
One advantage of this framework is the new division of issues between design and
analysis of the underlying primitive and the design and analysis of the higher-level
modes of operation. We feel that the new primitive may result in a more fruitful parti-
tion.

Acknowledgements

We would like to thank Mihir Bellare, Burt Kaliski, Tadayoshi Kohno, Wang Peng,
Zulfikar Ramzan, Matthew Robshaw, Rich Schroeppel, and the anonymous reviewers
for helpful discussions and comments. David Wagner was supported by the National
Science Foundation (NSF CCF-0424422).

Open Access This article is distributed under the terms of the Creative Commons Attribution Noncommer-
cial License which permits any noncommercial use, distribution, and reproduction in any medium, provided
the original author(s) and source are credited.

References

[1] American National Standards Institute (ANSI). American National Standard for Information Systems–
Data Encryption Algorithm–Modes of Operation (1983)
[2] K. Aoki, H. Lipmaa, Fast implementations of AES candidates, in Third AES Candidate Conference,
April 2000
[3] M. Bellare, J. Killian, P. Rogaway, The security of cipher block chaining message authentication code.
JCSS 61(3), 362–399 (2000)
[4] M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and ap-
plications. Full version, available at http://www-cse.ucsd.edu/users/mihir/papers/rka.html
[5] M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and appli-
cations, in Advances in Cryptology—EUROCRYPT 2003, ed. by E. Biham. Lecture Notes in Computer
Science (Springer, Berlin, 2003), pp. 491–506
[6] D.J. Bernstein, Floating-point arithmetic and message authentication, March 2000. Unpublished manu-
script. Available at http://cr.yp.to/papers.html#hash127
[7] E. Biham, New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)
[8] E. Biham, A. Biryukov, How to strengthen DES using existing hardware, in Proceedings ASIACRYPT
’94. Lecture Notes in Computer Science, vol. 917 (Springer, Berlin, 1994), pp. 398–412
[9] J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash
functions, in Advances in Cryptology—EUROCRYPT 2005, ed. by R. Cramer. Lecture Notes in Com-
puter Science (Springer, Berlin, 2005), pp. 526–541
612 M. Liskov, R.L. Rivest, and D. Wagner

[10] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: Fast and secure message authenti-
cation, in Proceedings CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin,
1999), pp. 216–233
[11] J. Black, P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions. J. Cryp-
tol. 18(2), 111–131 (2005)
[12] D. Chakraborty, P. Sarkar, A general construction of tweakable block ciphers and different modes of
operations, in Inscrypt 2006—Information Security and Cryptography, Second SKLOIS Conference.
Lecture Notes in Computer Science, vol. 4318 (Springer, Berlin, 2006), pp. 88–102
[13] P. Crowley, Mercy: A fast large block cipher for disk sector encryption, in Fast Software Encryption:
7th International Workshop. Lecture Notes in Computer Science, vol. 1978 (Springer, Berlin, 2000),
pp. 49–63. Also available at: www.ciphergoth.org/crypto/mercy
[14] J. Daemen, Limitations of the Even–Mansour construction, in Proceedings ASIACRYPT ’91. Lecture
Notes in Computer Science, LNCS, vol. 739 (Springer, Berlin, 1991), pp. 495–499
[15] J. Daemen, V. Rijmen, AES proposal: Rijndael. Available at http://www.nist.gov/aes. August (1998)
[16] S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol.
10(3), 151–161 (1997)
[17] S. Fluhrer, Cryptanalysis of the Mercy block cipher, in Fast Software Encryption, 8th International
Workshop, ed. by M. Matsui. Lecture Notes in Computer Science, vol. 2355 (Springer, Berlin, 2002),
pp. 28–36
[18] D. Goldenberg, S. Hohenberger, M. Liskov, H. Seyalioglu, E.C. Schwartz, On tweaking Luby–Rackoff
blockciphers, in Advances in Cryptology—ASIACRYPT 2007. Lecture Notes in Computer Science,
vol. 4833 (Springer, Berlin, 2007), pp. 342–356
[19] L. Granboulan, P. Nguyen, F. Noilhan, S. Vaudenay, DFCv2, in Selected Areas in Cryptography. Lecture
Notes in Computer Science, vol. 2012 (Springer, Berlin, 2001), pp. 57–71
[20] S. Halevi, EME*: Extending EME to Handle Arbitrary-Length Messages with Associated Data, in
INDOCRYPT, ed. by A. Canteaut, K. Viswanathan. Lecture Notes in Computer Science, vol. 3348
(Springer, Berlin, 2004), pp. 315–327
[21] S. Halevi, P. Rogaway, A tweakable enciphering mode, in Advances in Cryptology: CRYPTO 2003, ed.
by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 482–429
[22] S. Halevi, P. Rogaway, A parallelizable enciphering mode, in Topics in Cryptology, CT-RSA 2004.
LNCS, vol. 2964 (Springer, Berlin, 2004), pp. 292–304
[23] C. Jutla, Encryption modes with almost free message integrity, in Advances in Cryptology—
EUROCRYPT 2001, ed. by B. Pfitzmann. Lecture Notes in Computer Science, vol. 2045 (Springer,
Berlin, 2001)
[24] J. Kilian, P. Rogaway, How to protect DES against exhaustive search (an analysis of DESX), in Proceed-
ings CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 252–267.
See http://www.cs.ucdavis.edu/rogaway/papers/desx.ps for an updated version
[25] M. Liskov, New tools in cryptography: Mutually independent commitment, tweakable block ciphers,
and plaintext awareness via key registration. Ph.D. Thesis, MIT Laboratory for Computer Science
(2004)
[26] M. Liskov, R. Rivest, D. Wagner, Tweakable block ciphers, in Advances in Cryptology—CRYPTO 2002,
ed. by M. Yung. Lecture Notes in Computer Science (Springer, Berlin, 2002), pp. 31–46
[27] M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, in
Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, Berkeley, California,
28–30 May 1986
[28] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography (CRC
Press, Boca Raton, 1997)
[29] K. Minematsu, Improved security analysis of XEX and LRW modes, in Selected Areas in
Cryptography—SAC 2006. Lecture Notes in Computer Science, vol. 4356 (Springer, Berlin, 2006),
pp. 96–113
[30] R. Morris, K. Thompson, Password security: A case history. Commun. ACM 22(11), 594–597 (1979)
[31] M. Naor, O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited.
J. Cryptol. 12, 29–66 (1999). Extended abstract in Proc. 29th Annual ACM STOC (1997), pp. 189–199
[32] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and
PMAC, in Advances in Cryptology—ASIACRYPT 2004, Jeju Island, Korea, 5–9 December 2004, ed. by
P.J. Lee. Lecture Notes in Computer Science, vol. 3329 (Springer, Berlin, 2004)
Tweakable Block Ciphers 613

[33] P. Rogaway, M. Bellare, J. Black, T. Krovetz, A block-cipher mode of operation for efficient authen-
ticated encryption, in Eighth ACM Conference on Computer and Communications Security (CCS-8)
(ACM, New York, 2001), pp. 196–205. See http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-doc.htm
[34] B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C (Wi-
ley, New York, 1996)
[35] R. Schroeppel, The Hasty Pudding Cipher. NIST AES proposal, available at http://www.cs.arizona.edu/
~rcs/hpc/ (1998)
[36] Victor Shoup, On fast and provably secure message authentication based on universal hashing, in Pro-
ceedings CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 313–
328
[37] US Department of Commerce National Bureau of Standards. DES modes of operation (1980). Federal
Information Processing Standards Publication 81