Abstract. We propose a new cryptographic primitive, the “tweakable block cipher. ” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak. ” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable ” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.

. In a paper cryptanalyzing many triple modes of operation, Biham proposed four new triple modes and five new quadruple modes of operation for DES. It was conjectured that the complexity (in a particular threat model) of breaking the triple modes is at least 2 112 and that the quadruple modes are more secure than any triple mode. We present new attacks on all but one of the proposed modes. We can break all but two of Biham's proposed modes with at most 2 56 off-line trial encryptions and between 2 and 2 32 (depending upon the mode) chosen-IV chosen texts; another mode can be broken with somewhat more work. This raises questions about the suitability of the proposed modes, and provides further evidence for the fragility of inner chaining; however, we emphasize that our results do not disprove Biham's conjectures, as we rely on an extended attack model which admits more powerful adversaries who can mount chosen-IV queries, a capability denied to them in Biham's model. 1 Introductio...

. The DES has reached the end of its lifetime due to its too short key length and block length (56 and 64 bits respectively). As we are awaiting the new AES, triple (and double) encryption are the common solution. However, several authors have shown that these multiple modes are much less secure than anticipated. The general belief is that these schemes should not be used, as they are not resistant against attacks requiring 2 64 chosen plaintexts. This paper extends the analysis by considering some more realistic attack models. It also presents an improved attack on multiple modes that contain an OFB mode and discusses practical solutions that take into account realistic constraints. 1 Introduction Ever since the Data Encryption Standard [?] was adopted in the mid 1970s, the issue of its small key size has been raised. Nowadays a 56-bit key is clearly within the range of a dedicated exhaustive search machine [?,?]. Already in 1979, Tuchman proposed the use of triple-DES with two or ...

Abstract approved:

DES and triple-DES are two well-known and popular encryption algorithms, but they both have the same drawback: their block size is limited to 64 bits. While the cryptographic community is working hard to select and evaluate candidates and finalists for the AES (Advanced Encryption Standard) contest launched by NIST in 1997, it might be of interest to propose a secure and simple double block-length encryption algorithm. More than in terms of key length and block size, our Universal Encryption Standard is a new construction that remains totally compliant with DES and triple-DES specifications as well as with AES requirements.