User:Lwmarti/Sandbox2

From Wikipedia, the free encyclopedia

In cryptography, a tweakable block cipher is one that takes an additional input called a "tweak", alongside the plaintext and a cryptographic key, to add variability to the ciphertext. The tweak operates much like an initialization vector but has different security properties: an initialization vector needs to be random while a tweak does not. The tweak provides variability of the ciphertext, while the key provides security against an adversary recovering the plaintext. It is not necessary to keep a tweak secret, and a tweakable block cipher needs to remain secure even if an adversary can control the tweak input into an encryption operation.

LRW tweaking

Moses Liskov, Ron Rivest and David Wagner (LRW) showed[1] that if E is a secure block cipher then two different constructions are also secure. In one of these, an XOR operation is performed followed by an encryption operation followed by another XOR operation. The other performs an encryption operation followed by an XOR operation followed by another encryption operation.

Suppose that we have a block cipher E that operates on a message $M \in \{0,1\}^n$ and a key $K \in \{0,1\}^k$ to produce a ciphertext $C \in \{0,1\}^n$, and that we write the operation of this cipher as $C = E_K(M)$.

A tweakable block cipher is one that uses E to operate on a message $M \in \{0,1\}^n$, a key $K \in \{0,1\}^k$ and a tweak $T \in \{0,1\}^t$ to produce a ciphertext $C \in \{0,1\}^n$. We write the operation of such a cipher as $C = E_K(T,M)$.

XOR-encrypt-XOR tweaking

If E is a secure block cipher, then $E_K(T,M) = E_K(M \oplus H(T)) \oplus H(T)$ is also a secure block cipher when H is an $\varepsilon$-AXU$_2$ hash function.[2] This construction is shown in Figure 1.

Figure 1. Encryption using an XOR-encrypt-XOR-tweaked block cipher.

Encrypt-XOR-encrypt tweaking

If E is a secure block cipher, then $E_K(T,M) = E_K(T \oplus E_K(M))$ is also a secure block cipher. This construction is shown in Figure 2.

Figure 2. Encryption using an encrypt-XOR-encrypt-tweaked block cipher.

Rogaway's XEX construction

Phillip Rogaway showed that more general ways to implement tweaked block ciphers are also secure, and his approach generalizes the LRW XOR-encrypt-XOR construction. As above, suppose that we have a block cipher E that operates on a message $M \in \{0,1\}^n$ and a key $K \in \{0,1\}^k$ to produce a ciphertext $C \in \{0,1\}^n$, and that we write the operation of this cipher as $C = E_K(M)$.

Suppose that $N \in \{0,1\}^n$, that $\alpha_1, \ldots, \alpha_k$ are elements of $\mathbb{F}_{2^n}^*$, and that $i_1, \ldots, i_k$ are integers. Rogaway showed that if E is a secure block cipher then the construction $E_K(N, i_1, \ldots, i_k, M) = E_K(M \oplus \Delta) \oplus \Delta$, where $\Delta = \alpha_1^{i_1} \alpha_2^{i_2} \cdots \alpha_k^{i_k} E_K(N)$, is also a secure block cipher that uses the k+1 tweaks N and $\alpha_1, \ldots, \alpha_k$. This construction is shown in Figure 3.

Figure 3. Encryption using Rogaway's XEX construction.

The XTS mode of AES that is defined in the IEEE P1619 Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices is based on Rogaway's XEX construction. The XTS mode limits the number of tweaks to two, which correspond to the sector and block number where data is stored.
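
The following sketch is an added example, not code from this page or from the P1619 standard. It instantiates the XEX formula above with k = 1 and α = x in GF(2^128), so that one plaintext block encrypts differently under each tweak (N, i). The Feistel function `E` is a hypothetical stand-in for a real block cipher such as AES; the little-endian byte order and the values `KEY`, `N` and `M` are constructed assumptions.

```python
import hashlib

BLOCK = 16                      # n = 128 bits
MASK = (1 << 128) - 1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Feistel round function built from SHA-256 (assumption: toy stand-in only).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 128-bit block cipher E_K: 8-round Feistel network. Not AES."""
    left, right = block[:8], block[8:]
    if decrypt:
        for r in reversed(range(8)):
            left, right = xor(right, _f(key, r, left)), left
    else:
        for r in range(8):
            left, right = right, xor(left, _f(key, r, right))
    return left + right

def gf_double(d: int) -> int:
    """Multiply by alpha = x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    d <<= 1
    return (d & MASK) ^ 0x87 if d >> 128 else d

def delta(key: bytes, N: bytes, i: int) -> bytes:
    """Delta = alpha^i * E_K(N): the mask from the XEX formula with k = 1."""
    d = int.from_bytes(E(key, N), "little")
    for _ in range(i):
        d = gf_double(d)
    return d.to_bytes(BLOCK, "little")

def xex_encrypt(key: bytes, N: bytes, i: int, M: bytes) -> bytes:
    d = delta(key, N, i)
    return xor(E(key, xor(M, d)), d)          # E_K(M xor Delta) xor Delta

def xex_decrypt(key: bytes, N: bytes, i: int, C: bytes) -> bytes:
    d = delta(key, N, i)
    return xor(E(key, xor(C, d), decrypt=True), d)

# Constructed sample values: key, tweak N, and one plaintext block reused 3 times.
KEY = bytes(range(16))
N = (7).to_bytes(BLOCK, "little")
M = b"same 16B block!!"
blocks = [xex_encrypt(KEY, N, i, M) for i in (1, 2, 3)]
```

The three entries of `blocks` differ even though the key and plaintext are identical, which is the variability the tweak is meant to provide; neither N nor i has to be secret or random.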

Test Section

This is a test of Wikipedia references. It is only a test.[3]

  1. ^ Insert footnote text here
  2. ^ J. L. Carter and M. N. Wegman, Universal Classes of Hash Functions. J. Computer and System Sciences 18 (1979), 143-154.
  3. ^ Insert footnote text here