Questions tagged [tweakable-cipher]

A block cipher is a family of permutations where the key selects a particular permutation from that family. With a tweakable block cipher both key and tweak are used to select a permutation. Tweak and key are related concepts.

The main differences are the security and performance requirements for a tweak:

  • Changing a key can be expensive, changing a tweak must be cheap.

  • Being secure when using attacker-chosen keys, or related keys, is not a primary security property of a block cipher. Typically they're analyzed assuming a randomly chosen secret key. Related-key attacks are rather academic. For example, AES is still considered secure despite related-key attacks against it.

  • Related or attacker chosen tweaks must still be secure. The tweak is often a counter, so tweaks are often related.

One application of tweakable block ciphers is disk encryption. You encrypt each block with the same key, but a tweak that corresponds to the block index. Currently we usually don't use a tweakable block cipher for this, but rather XTS mode, which turns a normal block cipher into a tweakable block cipher.

Thank you to CodesInChaos for providing this excellent, simple explanation.
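The disk-encryption construction sketched in the last paragraph, as an added example in Go (this is not part of the tag wiki or of CodesInChaos's explanation): an XEX/XTS-style wrapper that turns the standard library's AES into a tweakable block cipher. The tweak is derived from a sector number with a second key K2 and then advanced from block to block by the cheap GF(2^128) "multiply by alpha" step, which is exactly the cheap-to-change tweak the wiki calls for. The type and function names, the sector number 7 and the fixed demo key are this example's own choices, not anything from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const blockSize = 16 // AES block size in bytes

// XEX wraps an ordinary block cipher (AES here) as a tweakable block cipher in the
// XEX/XTS style: T = E_K2(sector) * alpha^j is XORed in before and after the core
// cipher, so every (sector, j) position gets its own permutation under one key.
type XEX struct {
	data  cipher.Block // K1: encrypts the data block
	tweak cipher.Block // K2: turns the sector number into the initial tweak
}

// NewXEX takes a 32-byte key and splits it into K1 || K2, as XTS-AES-128 does.
func NewXEX(key []byte) (*XEX, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("xex: need a 32-byte key (K1 || K2), got %d bytes", len(key))
	}
	k1, _ := aes.NewCipher(key[:16]) // aes.NewCipher cannot fail on a 16-byte key
	k2, _ := aes.NewCipher(key[16:])
	return &XEX{data: k1, tweak: k2}, nil
}

// mulAlpha multiplies a 128-bit value (little-endian, as in IEEE 1619) by x in
// GF(2^128) mod x^128 + x^7 + x^2 + x + 1: the cheap step from block j to j+1.
func mulAlpha(t []byte) {
	var carry byte
	for i := 0; i < blockSize; i++ {
		next := t[i] >> 7
		t[i] = (t[i] << 1) | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// tweakFor computes T = E_K2(sector) * alpha^blockIndex.
func (x *XEX) tweakFor(sector uint64, blockIndex int) []byte {
	t := make([]byte, blockSize)
	binary.LittleEndian.PutUint64(t, sector)
	x.tweak.Encrypt(t, t)
	for j := 0; j < blockIndex; j++ {
		mulAlpha(t)
	}
	return t
}

// EncryptBlock computes C = E_K1(P xor T) xor T for one 16-byte block.
func (x *XEX) EncryptBlock(sector uint64, blockIndex int, pt []byte) []byte {
	t := x.tweakFor(sector, blockIndex)
	c := make([]byte, blockSize)
	xorBytes(c, pt, t)
	x.data.Encrypt(c, c)
	xorBytes(c, c, t)
	return c
}

// DecryptBlock inverts EncryptBlock: P = D_K1(C xor T) xor T.
func (x *XEX) DecryptBlock(sector uint64, blockIndex int, ct []byte) []byte {
	t := x.tweakFor(sector, blockIndex)
	p := make([]byte, blockSize)
	xorBytes(p, ct, t)
	x.data.Decrypt(p, p)
	xorBytes(p, p, t)
	return p
}

func xorBytes(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// Demo stores the same 16-byte plaintext at two block positions of sector 7 under
// one key. It reports whether the two ciphertexts differ (with plain ECB they would
// be identical) and whether both decrypt back to the plaintext.
func Demo() (distinct, roundTrips bool) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real keys come from a CSPRNG
	x, err := NewXEX(key)
	if err != nil {
		panic(err)
	}
	pt := []byte("same data twice!") // exactly one AES block
	c0, c1 := x.EncryptBlock(7, 0, pt), x.EncryptBlock(7, 1, pt)
	roundTrips = bytes.Equal(x.DecryptBlock(7, 0, c0), pt) && bytes.Equal(x.DecryptBlock(7, 1, c1), pt)
	return !bytes.Equal(c0, c1), roundTrips
}

func main() {
	distinct, ok := Demo()
	fmt.Printf("ciphertexts distinct: %v, round trip ok: %v\n", distinct, ok)
}
```

Two caveats a practitioner would check before using anything like this: the example handles whole 16-byte blocks only and omits the ciphertext stealing that XTS specifies for a trailing partial block, and K1 and K2 should be independent halves of a random key rather than the same value repeated. The sector number is the only thing that distinguishes positions, so rewriting a sector with new data under the same key still leaks whether a given block changed, which is the usual limitation of length-preserving disk encryption rather than a bug in the construction.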

42 questions
37 votes, 1 answer

What is a tweakable block cipher?

Pretty simple question - but I can't seem to find much information about it. What exactly is a tweakable block cipher? How do they differ from traditional block ciphers? What is the 'tweak'? Is it just a sequence of bytes? Does it have any special…
hunter
8 votes, 1 answer

Difference between Tweak and nonce

What are the differences between a tweak and a nonce? I only know that a nonce is used only once but a tweak can be used more than one time. But still, by this difference I can't differentiate a tweak from a nonce.
7 votes, 1 answer

Is it problematic to use PBKDF2-HMAC-SHA256 to derive a 512-bit XTS key?

PBKDF2 should only be used to generate a larger output than the hash function it uses if the output is used in such a way that it has a flat keyspace. As far as I am aware, XTS does not have a flat keyspace, and the first half of the input is far…
forest
6 votes, 2 answers

Adding tweak to a block cipher

I know there are XEX, XTS and other ways to add a tweak to a block cipher without modifying the cipher itself. However, they are quite slow and/or complex. If we assume we have a secure block cipher round function (like AES) with pseudo-independent round…
LightBit
5 votes, 0 answers

Tweakable Even-Mansour scheme where the block size is twice the key size?

We have the functions $E(K, T, X)$ and $D(K, T, X)$ where for both it is the case that $\{0, 1\}^{\ell_{K}} \times \{0, 1\}^{\ell_{T}} \times \{0, 1\}^{\ell_{X}} \rightarrow \{0, 1\}^{\ell_{X}}$. The value of $\ell_{X}$ is twice that of $\ell_{K}$.…
Melab
4 votes, 2 answers

what are the uses of tweaks in block ciphers?

A few block cipher modes have an additional parameter, tweaks, especially the ones that are format preserving. Now the comments section of this blog entry says such tweaks can be used for BIN numbers, expiration dates etc. of credit card numbers. How…
sashank
3 votes, 1 answer

Backdoor Designer Key Recovery in LowMC-M

The paper https://eprint.iacr.org/2020/986.pdf proposed a framework for embedding a malicious backdoor in the LowMC cipher, which will later help the designer to recover the secret key in the known-plaintext attack setting. As the framework is scalable,…
3 votes, 1 answer

Is tweakable block-cipher based on the Merkle-Damgård construction secure if $F$ is a PRP

Assume $F$ is a pseudo-random permutation (PRP); then the tweakable block cipher based on the Merkle-Damgård construction (take this as the way I understand it; here is the equation) $F_k[t](m) := F_{F_k(t)}(m)$ is a secure tweakable block cipher. This…
3 votes, 0 answers

Does XEX mode specify how the whitening value is generated?

When the term "XEX" or the phrase "XOR-encrypt-XOR" is used, does it refer only to the scheme $CT = E_{K}(PT \oplus T) \oplus T$ / $PT = E_{K}(CT \oplus T) \oplus T$ (where $T$ is the whitening/tweak value), leaving out how the value of $T$ is changed…
Melab
3 votes, 2 answers

Can I build a secure tweakable block cipher from a normal one by adding key and tweak?

Let (E,D) be a secure block cipher. Consider the following tweakable block cipher:

E'(k,t,x) = E( (k+t) mod |K|, x)
D'(k,t,c) = D( (k+t) mod |K|, c)

Is (E',D') secure?
3 votes, 1 answer

How to select a 'tweak' used in FE1 mode format preserving encryption?

I'm experimenting with this library Botan which includes a module for format preserving encryption based on FE1 mode. The parameters for the Encrypt method are as follows /// /// Generic Z_n FPE encryption, FE1 scheme ///…
erotavlas
3 votes, 2 answers

Tweakable encryption algorithms vs Key wrapping

I have read many articles about key wrapping and tweakable cipher modes. However, I don't understand the main difference between them. What do you recommend for key storage and key archiving?
Gev_sedrakyan
3 votes, 2 answers

What are advantages/disadvantages of an invertible tweak schedule in a tweakable block cipher?

I have been doing research on a tweakable block cipher called BipBip. This is a rather niche cipher so I'll give a few facts about it for background before asking my question: The structure is based on the decryptor. This is because BipBip's main…
3 votes, 1 answer

Can the Threefish tweak block cipher have its fixed 128 bit tweak size extended to match the block size (256/512/1024)

The Threefish tweakable block cipher has a fixed-size tweak (128 bits) and three different possible key/block sizes (256/512/1024 bits). The MCOE on-line authenticated encryption mode presents three different implementations, one of which requires a…
3 votes, 1 answer

Why doesn't ChaCha use a 512bit key and xor parameters into it?

ChaCha has clear delineations between key, nonce, counter and constants. What is the reason for not using a XEX-like ($k=0$) approach such that the ChaCha key is 512 bits and all the other things are XOR'ed with the key, and only the key is XOR'ed…