A Tweakable Enciphering Mode

  • Shai Halevi
  • Phillip Rogaway
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


We describe a block-cipher mode of operation, CMC, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, in-place, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other non-trivial operation beyond the block-cipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the non-malleability of these objects.


Block Cipher Message Space Short String Game NON2 Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Anderson, R., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996),
  2. 2.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science, FOCS 1997 (1997)Google Scholar
  3. 3.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 232–249. Springer, Heidelberg (1998)Google Scholar
  4. 4.
    Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399 (2000), Google Scholar
  5. 5.
    Bellare, M., Rogaway, P.: On the construction of variable-input-length ciphers. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 231–244. Springer, Heidelberg (1999),
  6. 6.
    Bleichenbacher, D., Desai, A.: A construction of a super-pseudorandom cipher. Manuscript (February 1999)Google Scholar
  7. 7.
    Crowley, P.: Mercy: A fast large block cipher for disk sector encryption. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 49–63. Springer, Heidelberg (2001),
  8. 8.
    Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM Journal on Computing 30(2), 391–437 (2000); Earlier version in STOC 1991zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. Manuscript, full version of this paper (May 2003),
  11. 11.
    Hughes, J.: Chair of the IEEE Security in Storage Working Group. Working group homepage at, Call for algorithms can be found at
  12. 12.
    Joux, A.: Cryptanalysis of the EMD mode of operation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. Journal of Cryptology 14(1), 17–35 (2001); Earlier version in CRYPTO 1996 Google Scholar
  14. 14.
    Liskov, M., Rivest, R., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 31. Springer, Heidelberg (2002)
  15. 15.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. of Computation 17(2) (April 1988)Google Scholar
  16. 16.
    Meyer, C., Matyas, S.: Cryptography: A new dimension in computer security. John Wiley and Sons, Chichester (1982)zbMATHGoogle Scholar
  17. 17.
    Naor, M., Reingold, O.: A pseudo-random encryption mode. Manuscript, available from
  18. 18.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12(1), 29–66 (1999);(Earlier version in STOC 1997), Available from Google Scholar
  19. 19.
    P. Rogaway. The EMD mode of operation (a tweaked, wide-blocksize, strong PRP). Cryptology ePrint Archive, Report 2002/148, Early (buggy) version of the CMC algorithm (October 2002),
  20. 20.
    Schroeppel, R.: The hasty pudding cipher. AES candidate submitted to NIST (1999),
  21. 21.
    Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, Heidelberg (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Shai Halevi
    • 1
  • Phillip Rogaway
    • 2
    • 3
  1. 1.IBM T.J. Watson Research CenterYorktown-HeightsUSA
  2. 2.Dept. of Computer ScienceUniversity of CaliforniaDavisUSA
  3. 3.Dept. of Computer Science, Fac. of ScienceChiang Mai UniversityThailand

Personalised recommendations