User:Lwmarti/Sandbox2

In cryptography, a tweakable block cipher is one that uses an additional input called a "tweak" in addition to plaintext and a cryptographic key to add variability to the ciphertext. The tweak operates much like an initialization vector but has different security properties: an initialization vector needs to be random while a tweak does not. The function of the tweak is to provide variability of the ciphertext while the function of the key is to provide security against an adversary recovering the plaintext. It is not necessary to keep a tweak secret, and an tweakable block cipher needs to remain secure even if an adversary can control the tweak input into an encryption operation.

LRW tweaking
Moses Liskov, Ron Rivest and David Wagner (LRW) showed that if E is a secure block cipher then two different constructions are also secure. In one of these, an XOR operation is performed followed by an encryption operation followed by another XOR operation. Another alternative is to do an encryption operation followed by an XOR operation followed by another encyption operation.

Suppose that we have a block cipher E that operates on a message M∈{0,1}n, a key K∈{0,1}k to produce a ciphertext C∈{0,1}n and that we write the operation of this cipher as C = EK(M).

A tweakable block cipher is one that uses E to operate on a message M∈{0,1}n, a key K∈{0,1}k and a tweak T∈{0,1}t to produce a ciphertext C∈{0,1}n. We write the operation of such a cipher by C = EK(T,M).

XOR-encrypt-XOR tweaking


If E is a secure block cipher, then EK(T,M) = EK(M XOR H(T)) XOR H(T) is also a secure block cipher when H is an $$\epsilon$$-AXU2 hash function. This construction is shown in Figure 1.



Encrypt-XOR-encrypt tweaking
If E is a secure block cipher, then EK(T,M) = EK(T XOR EK(M) is also a secure block cipher. This construction is shown in Figure 2.

]

Rogaway's XEX construction
Phillip Rogaway showed that more general ways to implement tweaked block ciphers are also secure, and his way of doing this generalized the LRW xor-encrypt-xor construction. As above, Suppose that we have a block cipher E that operates on a message M∈{0,1}n, a key K∈{0,1}k to produce a ciphertext C∈{0,1}n and that we write the operation of this cipher as C = EK(M).

Suppose that N∈{0,1}n,α1,…,αk are elements of F*(2n), and that i1,…,ik are integers. Rogaway showed that if E is a secure block cipher then the construction EK(N,i1,…,ik,M) = EK(M XOR Δ) XOR Δ, where Δ = α(i1)α(i2)…α(ik)EK(N), is also a secure block cipher that uses the k+1 tweaks N and α1,…,αk. This construction is shown in Figure 3.



The XTS mode of AES that is defined in the IEEE P1619 Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices is based on Rogaway's XEX construction. The XTS mode limits the number of tweaks to two, which correspond to the sector and block number where data is stored.

Test Section
$$M \in \left \{ 0,1 \right \} ^n$$

$$K \in \left \{ 0,1 \right \} ^k$$

$$C \in \left \{ 0,1 \right \} ^n$$

$$C=E_K(M)$$

$$C=E_K(T,M)$$

$$E_K(T,M)=E_K(T \oplus E_K(M))$$

$$E_K(T,M)=E_K(M \oplus H(T)) \oplus H(T)$$

$$\alpha_1,\alpha_2,\ldots ,\alpha_k$$

$$\mathbb{F}^*(2^n)$$

$$i_1,i_2,\ldots ,i_k$$

$$E_K(N,i_1,i_2,\ldots ,i_k,M)=E_K(M \oplus \Delta) \oplus \Delta$$

$$\Delta=\alpha^{i_1}\alpha^{i_2},\ldots \alpha^{i_k} E_K(N)$$

$$\epsilon-\text{AXU}_2$$

This is a test of Wikipedia references. It is only a test.