A general construction of tweakable block ciphers and different modes of operations
- In Helger Lipmaa, Moti Yung, and Dongdai Lin, editors, Inscrypt, volume 4318 of Lecture Notes in Computer Science, 2006
Cited by 8 (3 self)
Abstract. This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiated as either GF(2^n) or as Z_{2^n}. Further, over GF(2^n), efficient instantiations of the masking sequence of functions can be done using either a binary Linear Feedback Shift Register (LFSR); a powering construction; a cellular automata map; or by using a word oriented LFSR. Rogaway’s TBC construction was built from the powering construction over GF(2^n). Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operations including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient one-pass AE mode of operation. Out of these, the mode of operation obtained by the use of word oriented LFSR promises to provide a masking method which is more efficient than the one used in the well known AE protocol called OCB.
Keywords: tweakable block cipher, modes of operations, AE, MAC, AEAD.
On Tweaking Luby-Rackoff Blockciphers
- In Advances in Cryptology – ASIACRYPT, 2007
Cited by 2 (0 self)
Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [13], are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal and for what levels of security? How large of a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.
TWEAKABLE BLOCKCIPHERS SECURE AGAINST GENERIC EXPONENTIAL ATTACKS
- 2007
Cited by 1 (0 self)
Tweakable Blockciphers, Revisited
- 2009
Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [17], are blockciphers with an additional input, the tweak, which provides an easy mechanism for obtaining multiple “essentially different” permutations from a single key. Liskov et al. advocate an altered methodology for symmetric cryptography: instead of designing modes of operation using blockciphers directly, first design tweakable blockciphers, and then build modes of operation. Though this method has conceptual advantages, it can introduce an extra layer of analysis in which proof tightness can be lost. We consider the notion of security-preserving mid-level constructions, by which we mean constructions that do not introduce any loss of security. We give tweakable blockciphers that meet this goal in a limited sense (they are security-preserving for certain applications), and show that they can help us create tighter overall proofs of security. We also show the novelty of these constructions by demonstrating that all previously proposed generic tweakable blockciphers are not security preserving even in this limited sense.

