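@comment{Liskov, Rivest and Wagner, "Tweakable Block Ciphers", J. Cryptology 24(3), 2011.
  Reformatted one field per line. Fixes relative to the one-line export:
  - field values carried leading/trailing spaces inside the braces (e.g. `{ 10.1007/... }`),
    which can corrupt the doi/url hyperlink in some styles -- trimmed.
  - `date` + `OPTyear` left classic BibTeX with no `year`, a required @article field
    (OPT-prefixed fields are ignored); a single `year` is read by both BibTeX and biblatex.
  - author list rewritten in the unambiguous `Last, First` form.
  - the url field is kept as exported; prefer the doi for resolution since it is the
    stable identifier.}
@article{LRW11,
  author   = {Liskov, Moses and Rivest, Ronald L. and Wagner, David},
  title    = {Tweakable Block Ciphers},
  journal  = {Journal of Cryptology},
  year     = {2011},
  volume   = {24},
  number   = {3},
  pages    = {588--613},
  issn     = {0933-2790},
  doi      = {10.1007/s00145-010-9073-y},
  url      = {http://www.springerlink.com/content/c4176k3475ur5310/fulltext.pdf},
  keywords = {Block ciphers, Tweakable block ciphers, Initialization vector, Modes of operation, Pseudorandomness},
  abstract = {A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a ``mode of operation''---possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of ``essentially different'' instances of the block cipher. \par We formalize a cryptographic primitive, the ``tweakable block cipher.'' Such a cipher has not only the usual inputs---message and cryptographic key---but also a third input, the ``tweak.'' The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher ``tweakable'' is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.},
}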