Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC

We describe highly efficient constructions, XE and XEX, that turn a blockcipher (E) over tilde: K x {0, 1}(n) --> {0, 1}(n) into a tweakable blockcipher (E) over tilde $: K x T x {0, 1}(n -->){0, 1}(n) having tweak space T = {0, 1}(n) x I where I is a set of tuples of integers such as I = [1.. 2(n/2)] x [0..10]. When tweak T is obtained from tweak S by incrementing one if its numerical components, the cost to compute (E) over tilde (T)(k) (M) having already computed some K (E) over tilde (S)(K) (M') is one blockcipher call plus a small and constant number of elementary machine operations. Our constructions work by associating to the i(th) coordinate of I an element alpha(i) is an element of F-2n(*) and multiplying by alpha(i) when one increments that component of the tweak. We illustrate the use of this approach by refining the authenticated-encryption scheme OCB and the message authentication code PMAC, yielding variants of these algorithms that are simpler and faster than the original schemes, and yet have simpler proofs. Our results bolster the thesis of Liskov, Rivest, and Wagner [10] that a desirable approach for designing modes of operation is to start from a tweakable blockcipher. We elaborate on their idea, suggesting the kind of tweak space, usage-discipline, and blockcipher-based instantiations that give rise to simple and efficient modes.