Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC

We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K ×{0, 1} → {0, 1} into a tweakable blockcipher Ẽ: K × T × {0, 1} → {0, 1} having tweakspace T = {0, 1} × I where I is a set of tuples of integers such as I = [1 .. 2] × [0 .. 10].When tweak T is obtained from tweak S by incrementing one if its numerical components,the cost to compute ẼK(M) having already computed some Ẽ SK(M ′) is one blockcipher callplus a small and constant number of elementary machine operations. Our constructions workby associating to the i coordinate of I a “small” element αi ∈F2n and multiplying by αiwhen one increments that component of the tweak. We illustrate the use of this approach byrefining the authenticated-encryption scheme OCB and the message authentication code PMAC,yielding variants of these algorithms, OCB1 and PMAC1, that are simpler and faster than theoriginal schemes, and yet have simpler proofs. Our results bolster the thesis of Liskov, Rivest,and Wagner [12] that a desirable approach for designing modes of operation is to start from atweakable blockcipher. We elaborate on their idea, suggesting the kind of tweak space, usage-discipline, and blockcipher-based instantiations that give rise to simple and efficient modes ofoperation of a conventional blockciphers.