Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC

Abstract

We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K x{0, 1}n → {0, 1}n into a tweakable blockcipher Ẽ: K x T x {0, 1}n → {0, 1}n having tweak space T = {0,1}n II where II is a set of tuples of integers such as II = [1.. 2n/2] X [0.. 10]. When tweak T is obtained from tweak S by incrementing one if its numerical components, the cost to compute ẼTK (M) having already computed some ẼSK(M′) is one blockcipher call plus a small and constant number of elementary machine operations. Our constructions work by associating to the ith coordinate of II an element αi ∈ F*2n and multiplying by αi when one increments that component of the tweak. We illustrate the use of this approach by refining the authenticated-encryption scheme OCB and the message authentication code PMAC, yielding variants of these algorithms that are simpler and faster than the original schemes, and yet have simpler proofs. Our results bolster the thesis of Liskov, Rivest, and Wagner [10] that a desirable approach for designing modes of operation is to start from a tweakable blockcipher. We elaborate on their idea, suggesting the kind of tweak space, usage-discipline, and blockcipher-based instantiations that give rise to simple and efficient modes. © International Association for Cryptologic Research 2004.