
I have read a few papers on tweakable ciphers (didn't understand them well, though) and looked at many of the questions and answers on this exchange: What is a tweakable block cipher, Tweakable Block ciphers, Tweaking Even-Mansour Ciphers [video]. However, there are a few things I'd like cleared up.

  1. Are the tweaks always just a string of bits? And are they usually shorter than the key?
  2. It seems DES-X is a tweakable cipher where the tweaks are the pre- and post-whitening that use secret extra keys. Does this mean some tweaks are necessarily secret? The reason I am asking is that I got the impression from the papers I read that tweaks are always public.
  3. In view of Q2, what other tweakable ciphers (if any) use secret tweaks or ones that may be secret if desired?
  4. If a tweak is secret does this add strength to the cipher as well as variability?
  5. If a tweak is appended to a key, does this mean to the session key or to each subkey? I am a little confused because I thought part of the idea of tweaks is that they are easier to change than producing new keys through a complex key schedule (for instance).
  6. Perhaps this should be a separate question, but: the term permutation seems to mean two different things. 1) a bit-wise (say) permutation, i.e. excluding XORs, S-boxes, etc. and 2) a complete block cipher encryption that produces an apparently random permutation of the input, i.e. typically including XORs and substitutions, etc. In relevance to tweakable ciphers, when I look at some models I see the cipher is denoted by $E_n$ but when I look at models based on the Even-Mansour ciphers I see $P_n$. I assume the $E$ refers to a cipher that may include several operations (perms, s-boxes, etc. as for $DES$, $AES$, etc.) but the $P$ refers only to bit-wise permutations (or perhaps byte-wise). Is this assumption correct?

Much obliged to anyone who can help.

Red Book 1
  • In most practical cases, the tweaks are shorter than the key, and non-secret (derived from sector numbers, e.g. in the case of full-disk encryption systems). – Henno Brandsma May 22 '18 at 05:11

2 Answers


Suppose the tweakable cipher uses a secret key $k$ and a secret tweak $t$, then syntactically you can regard $K=(k, t)$ as the total secret key. So, in this case, the 'tweakable cipher' is just an ordinary block cipher, with a longer key. In order to get a notion different from the usual block cipher, you'll need the tweak to be non-secret.

AYun

Are the tweaks always just a string of bits?

There is no reason that it has to be. Some algorithm designer could put a restriction on tweaks beyond just how many bits it can have.

Are they usually shorter than the key?

It may be a challenge to design fast ciphers with very long tweaks. If a tweakable block cipher isn't faster than deriving a new key and doing key expansion then there isn't a reason to use it over non-tweakable ciphers. A KDF can accept arbitrary length inputs and produce new keys.

Does this mean some tweaks are necessarily secret?

It depends on your choice of definitions and conventions I guess. I prefer the definition where tweak means "secure even if public" which is the definition associated with, for example, Skein/ThreeFish. Disk encryption algorithms, for example, may use "tweak" to refer to secret data though.

If a tweak is secret does this add strength to the cipher?

It is safer to assume no than to assume yes. This is too general a question and the answer depends on specifics. Plus it's smarter to use a cipher that takes a larger key instead.

If a tweak is appended to a key, does this mean to the session key or to each subkey?

You tell us. Isn't this a "If hypothetical condition, then does that mean hypothetical A or hypothetical B" question? I don't know what you mean by session key in this context. I assume not the latter. If an algorithm XORs an n-bit word with an n-bit subkey, I don't see how it's possible to append to that sub key.

Perhaps this should be a separate question, but: the term permutation seems to mean two different things

Overly informal definition: Any bijective function where inputs and outputs are the same finite countable set is a permutation. Block ciphers are permutations because they are invertible and map a fixed number of input bits to the same number of output bits. P-boxes are permutations for the same reason. The function $F(n) = n$ is a permutation (if the domain and codomains fit the description), it just isn't helpful for pseudorandomness purposes.

$E$ is the typical single letter function name for block ciphers, similar to how $F$ is for functions in general and $H$ is for hash functions. $P$ and $\pi$ are common for pseudorandom permutations. These are just function names though. They don't necessarily mean that, in the context they're used in, they refer to these types of functions.

A simple Even-Mansour cipher is actually usually defined as $E_{k_1,k_2}(x) = k_1 \oplus P(x \oplus k_2)$. $E$ is the Even-Mansour cipher. $P$ is an unkeyed publicly known pseudorandom permutation. $P$ is not a block cipher but $E$ is.

Future Security
  • Just to be sure: In the Even-Mansour cipher, $P$ is indeed a random permutation on bits? And does not include substitutions or anything else? And DES-X is a tweakable cipher? – Red Book 1 May 22 '18 at 06:34
  • @RedBook1 Now I see. I may have misinterpreted your two ideas of permutations. If you're thinking of a "bitwise permutation" as in a rearrangement of bits, then no, that's not what $P$ is and it's not secure. It's not the same type of P permutation as in SPN. (Although the part of the SPN that describes how bits get swapped IS a permutation function on the set of bit indices.) If all P did was shuffle bits then you could recover the key with one or two plain/ciphertext pairs. The P in an EM cipher is more like a 128 bit S-Box than this 3rd (from my perspective, 2nd from yours) kind of permutation. – Future Security May 22 '18 at 16:19
  • I would say DES-X should not be classified as tweakable because the purpose is to add security. DES-X is like the XEX mode for block ciphers. You can use XEX either for tweaking or key whitening. Using it for both at the same time is a bad idea. -- Also I think you should avoid actually using DES, DES-X, or XEX. And probably you should avoid using an EM cipher construct directly too. – Future Security May 22 '18 at 16:35
  • Well, that clears up my mistake in thinking $P$ was a bitwise permutation. But I am still not sure what it actually is. In $E = k_1 \oplus P(x \oplus k_2)$, could $P$ be both s-box and a bitwise permutation working together? Or just an s-box as I think you suggested. I am not sure what the limitations are on $P$. Clearly it cannot be a bitwise perm, but would you mind giving a couple of actual examples of what it might be and what it cannot be? It seems it is some function that operates on some input but does not need a key. – Red Book 1 May 23 '18 at 08:42
  • $P$ is a pseudorandom permutation (PRP). If you're a programmer, imagine creating an array p of 128 bit unsigned ints. The array is filled with numbers 0 through $2^{128}-1$. You use the Fisher-Yates shuffle algorithm on p. Evaluation of $P(x)$ corresponds to the pseudocode p[x]. In this sense a PRP is like an S-Box. It just isn't possible to store an array that big in real life, so you use an algorithm instead. (Hence the "pseudorandom" part.) The difference between $P$ and $E$ is that $P$ is a permutation known by everyone. $E$ (a block cipher) is a family of PRPs. $E_k$ is one of those PRPs. – Future Security May 23 '18 at 17:31
  • @RedBook1 It seems part 6 definitely should have been a separate post. An operation that shuffles the order of elements is one type of permutation, but the $P$ in an EM cipher isn't that. This operation may be defined with a small permutation function σ, but it instead does output[σ[i]] = input[i] for bit numbers i in {0, 1, 2, ...}. The $P$ in an EM cipher is a permutation that substitutes an n-bit input with an n-bit output where n is the number of bits in the plaintext block, ciphertext block, k1, and k2. – Future Security May 23 '18 at 22:45
  • @RedBook1 This poster seems to have the same misunderstanding I think you had. https://crypto.stackexchange.com/q/25898/58680 If you still are confused then give some thought to what question you want answered and post a new question. I will do my best to answer there. Maybe your next question is along the lines of "How does an Even-Mansour cipher work" or "What is a pseudorandom permutation". – Future Security May 23 '18 at 22:51
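The Even-Mansour construction and the two senses of "permutation" discussed in the answer and its comments, as an added example that is not part of any answer on this page: a toy 8-bit block, with the public $P$ built as a Fisher-Yates-shuffled lookup table (the seed, block size and key values are constructed for illustration) beside a bit-rearrangement $P$, showing that the latter is linear over XOR, so the two whitening keys collapse to one value that a single known plaintext/ciphertext pair reveals.

```python
import random

BLOCK_BITS = 8            # toy block size; real EM ciphers use 128 or more
N = 1 << BLOCK_BITS

def make_prp(seed):
    """Build the public permutation P as a table, as the comment describes:
    fill [0 .. 2^n - 1] and Fisher-Yates shuffle it. The seed is a fixed,
    public constant so everyone can recompute the same P; only k1, k2 are
    secret. Returns P and its inverse (needed for decryption)."""
    p = list(range(N))
    rng = random.Random(seed)
    for i in range(N - 1, 0, -1):
        j = rng.randrange(i + 1)
        p[i], p[j] = p[j], p[i]
    inv = [0] * N
    for x, y in enumerate(p):
        inv[y] = x
    return p, inv

def bit_shuffle(sigma):
    """'Permutation' in the other sense: only rearranges bit positions.
    sigma[i] is the output position of input bit i. Each bit moves
    independently, so apply(a ^ b) == apply(a) ^ apply(b)."""
    def apply(x):
        y = 0
        for i in range(BLOCK_BITS):
            if x >> i & 1:
                y |= 1 << sigma[i]
        return y
    return apply

def em_encrypt(p, k1, k2, x):
    return k1 ^ p[x ^ k2]          # E_{k1,k2}(x) = k1 xor P(x xor k2)

def em_decrypt(inv, k1, k2, y):
    return inv[y ^ k1] ^ k2        # x = P^{-1}(y xor k1) xor k2

def shuffle_em_effective_key(sigma, k1, k2, x):
    """EM with a bit-shuffle P: E(x) = k1 ^ s(x ^ k2) = (k1 ^ s(k2)) ^ s(x).
    Anyone holding one pair (x, E(x)) computes E(x) ^ s(x) and has the
    whole effective key, which is why P must be a nonlinear PRP."""
    s = bit_shuffle(sigma)
    y = k1 ^ s(x ^ k2)
    return y ^ s(x)                # same value for every x: k1 ^ s(k2)
```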