AESMixCBC a fast wide block encryption mode

Submitted to the 2013 Fast Software Encryption call for papers, Nov

Abstract

We describe a wide block cipher encryption algorithm, AESMixCBC, which is a combination of the standard CBC encryption mode and a pseudo-random permutation of the plaintext, AESMix. This mode allows efficient optimization in software and hardware. AESMix can be implemented with only XOR and table lookup operations. The AESMixCBC mode upgrades the security of popular narrow block modes, such as XTS, to wide block security without the performance penalty incurred by other wide block modes, such as EME. The overhead of our wide block encryption compared with CBC encryption is 10% when measured against the standard AES-128-CBC, and even lower for the standard AES-256-CBC.

Keywords: wide block cipher, AESMix, CBC, efficient plaintext mixer, tweakable block cipher.

I. INTRODUCTION

Narrow block encryption modes, such as XTS, CBC, and PGP CFB2, are more widely used than wide block encryption algorithms, such as [EME]. One of the reasons why wide block encryption modes have not gained acceptance in the whole disk encryption product category is the noticeable performance penalty they incur against the baseline encryption, which we assume to be the Cipher Block Chaining mode with AES as the block cipher (AES-CBC). We designed a wide block encryption mode that is very close to the performance of CBC encryption and identical in performance to the popular narrow block disk encryption modes. When implemented on an x86 CPU, our performance goal is assisted by the widely available AES-NI instruction set as the basic building block of the algorithm, in particular the aesenc and aesdec instructions.

In general, all performance-critical CPU operations of the algorithm can be implemented with table lookups and XORs; therefore, the algorithm should be well suited for any architecture that can execute the AES-128 encryption algorithm. Because the algorithm is built from the same building blocks that are used in AES implementations, AESMixCBC maximizes the investments already made in the research, hardware, and software implementations of the AES algorithm.

II. NOTATIONS

The AESMixCBC mode is defined for a wide cipher block whose byte size is $l = 16n$, where $n$ is an integer multiple of 4 and $n \ge 8$. In practical applications $l \ge 512$, is a power of two, and is usually a fixed value for a given operating system and disk firmware. AESMixCBC works with any underlying block cipher that has a 16 byte block size, such as AES-128-CBC or AES-256-CBC. Thus, each wide block $P$, $C$ is represented by $n$ 16 byte blocks, which are denoted $P_i$, $C_i$, $i \in \{0, \dots, n-1\}$. $P_i$ denotes the block of the plaintext such that $P = P_0 P_1 \dots P_{n-1}$, while $C_i$ is the result of the application of the AESMix algorithm. $P_0$ refers to the block of $P$ that occupies the lowest 16 bytes of the memory range in which $P$ resides. This is known as little-endian notation¹. (As will be described later, the order of iteration in the AESMix algorithms is the inverse: from $P_{n-1}$ down to $P_0$.)

AESMix is a secret key permutation. Each key $k_i$ used with AESMix is 16 bytes long. Given that AESMix operates on 16 byte plaintext blocks, the index correspondence is a 1:1 relationship between the key $k_i$ and the block $P_i$ or $C_i$. All additions between 16 byte blocks in this paper are XOR operations, for which we use the operator $\oplus$. Cycles used to describe the algorithm loops use all-inclusive index notation. For example, the body of the following loop is executed for $P_1$ and $P_0$:

¹ The indexing follows the C or Java programming language notation for array indexing.

    for i = 1 to 0
        some_operation(P_i)
    end for

III. SPECIFICATION OF THE AESMIXCBC

The AESMixCBC mode assumes that AESMix is complemented by a 16 byte symmetric algorithm used in the CBC mode. For example, it can be AES-128-CBC².

    Encryption:
        C = AESMix(P, block_number_iv)
        C = Encrypt_CBC(C, IV)
    Decryption:
        C = Decrypt_CBC(C, IV)
        P = AESUnMix(C, block_number_iv)

TABLE I: AESMIXCBC OVERVIEW

It follows that the security of AESMixCBC is at minimum equal to that of the standard CBC mode: from the point of view of the CBC mode, AESMix performs a permutation of the plaintext into another plaintext. The rest of the paper mostly focuses on the properties of AESMix and its inverse, AESUnMix. These are the operations that transform the CBC mode into a wide block encryption mode.

AESMix is a secret permutation of $P = P_0 P_1 \dots P_{n-1}$ that consists of underlying secret permutations performed on the $n$ 16 byte blocks $P_i$. We use the terms encryption and decryption here to refer to the AESMix secret permutation of the plaintext and the AESUnMix secret permutation of the modified plaintext. Note, however, that these terms have no relationship with the encryption and decryption of the CBC mode other than the requirement for matching alignment on the 16 byte boundary.

The AESMix operation relies on 3 lower-level operations that operate on one or four 16 byte blocks at a time:
  - the XOR of two 16 byte blocks (or GF(2) polynomial field addition);
  - the ROUNDLAST operation of the AES algorithm (or AESENC1 for short) and its inverse;
  - the SWEEP64 operation.
Generally speaking, the SWEEP64 operation largely relies on the AESENC1 operation, making AESENC1 the only complex operation of the AESMix algorithm³.

A. Building blocks of AESMix: ROUNDLAST and SWEEP64

1) ROUNDLAST (or AESENC1) operation $M_i(x)$

In section 5.1 Cipher of [AES], Figure 5, the AES algorithm is defined as a sequence of 1..Nr-1 rounds in the body of the loop, followed by a slightly simpler transformation of the state after the loop. The body of the loop corresponds to ROUND and the sequence of transformations after the loop to LAST. The permutation $M_i(x)$ is the sequential application of ROUND and LAST, where:

    ROUND:  SubBytes(state); ShiftRows(state); MixColumns(state); AddRoundKey(state, k_i)
    LAST:   SubBytes(state); ShiftRows(state); AddRoundKey(state, zero)

TABLE II: DEFINITION OF ROUND AND LAST

$k_i$ is a key at index $i \in \{0, \dots, n\}$ and zero is 16 zero bytes. ROUND and LAST are the standard operations of [AES], other than that the keys $k_i$ and zero are used instead of the subkeys of the AES key schedule. Simplifying the above, the following table compares the encryption and decryption steps. The inverse operation reverses the ROUNDLAST steps, and we use AESDEC1 to refer to the inverse of AESENC1.

² Other similar chaining modes, such as CFB mode, are equally suitable, but not considered here.
³ AESENC1, in turn, consists of 2 internal building blocks of the standard AES algorithm, commonly available in hardware.

    ROUNDLAST (AESENC1):            Inverse of ROUNDLAST (AESDEC1):
        SubBytes(state)                 InvSubBytes(state)
        ShiftRows(state)                InvShiftRows(state)
        MixColumns(state)               InvMixColumns(state)
        AddRoundKey(state, k_i)         AddRoundKey(state, k_i^{-1})
        SubBytes(state)                 InvShiftRows(state)
        ShiftRows(state)                InvSubBytes(state)

TABLE III: AESENC1 AND AESDEC1 DEFINITION

2) $SWEEP64_i(t_0, t_1, t_2, t_3)$ operation

$SWEEP64_i(t_0, t_1, t_2, t_3)$ operates on 4 16 byte blocks $\{t_0, t_1, t_2, t_3\}$ as follows:

$$SWEEP64_i(t_0, t_1, t_2, t_3) = M_i\big(Perm_0(t_0) \oplus Perm_1(t_1) \oplus Perm_2(t_2) \oplus Perm_3(t_3)\big)$$

$Perm_i(X)$ is a fixed permutation that changes the positions of every one of the 16 bytes of $X$, as defined by the following permutation tables. Assume that $X = x_0 x_1 \dots x_{15}$ and $Y_i = Perm_i(X)$, where $x_0$ and $y_0$ are the bytes at the lowest memory address, respectively.

    position j        0    1    2    3    4    5    6    7    8    9   10   11   12   13   14   15
    Y_0 = Perm_0(X)  x11  x15  x7   x14  x5   x10  x13  x3   x6   x12  x1   x0   x2   x4   x8   x9
    Y_1 = Perm_1(X)  x8   x11  x7   x5   x13  x6   x1   x0   x4   x9   x15  x14  x10  x3   x12  x2
    Y_2 = Perm_2(X)  x9   x4   x1   x0   x6   x13  x5   x7   x11  x8   x2   x12  x3   x10  x14  x15
    Y_3 = Perm_3(X)  x7   x12  x15  x6   x11  x3   x9   x13  x8   x10  x4   x5   x2   x14  x1   x0

TABLE IV: THE PERMUTATIONS Perm_0, Perm_1, Perm_2, AND Perm_3

The table for the permutations is generated using the simple algorithm provided in Appendix A. The main purpose of the $SWEEP64_i(t_0, t_1, t_2, t_3)$ permutation is to reduce the number of the more expensive $M_i(x)$ permutations from 4 to 1.

3) The IV calculation of AESMix and AESUnMix

The IV of the AESMix algorithm is a 16 byte value that is calculated from the caller-supplied 64 bit input $IV_0$. In the case of a storage encryption application, $IV_0$ is expected to be a 64 bit integer that identifies a data chunk, such as a disk sector number.

    IV_0 = 0^64 || IV_0        // little-endian zero-padding to make a 16 byte block from the 8 byte IV_0
    IV   = SWEEP64_n(IV_0, M_n(IV_0), 0, 0)

The IV calculation is the same for AESMix and AESUnMix.

B. The key schedule of AESMix and AESUnMix

1) There are $n$ encryption keys $k_i$, $n$ decryption keys $k_i^{-1}$, and one encryption key $k_n$ used to derive the IV. Each key is 16 bytes. It is important that the keys $k_i$ are uniformly random because they serve the purpose of binding the operation on each block $P_i$ to the index $i$. The decryption key $k_i^{-1}$ is derived from the encryption key $k_i$ using the standard procedure documented in section 5.3 of [AES]. This paper defines one method to derive the keys $k_i$, $i \in [0, n]$, but alternative methods can be defined in the future (for example, based on [SP]).

    Input:  K is the key used with the CBC encryption mode
    Return: n+1 keys k_i
    for i = 0 to n
        k_i = Encrypt_K(i+1)
    end for

TABLE V: THE KEY DERIVATION METHOD

$Encrypt_K(x)$ is the encryption of the 16 byte value $x$ that returns a 16 byte result, i.e. this is the ECB encryption mode. The value $i+1$ that is passed to $Encrypt_K(x)$ is the loop counter in big-endian representation, formatted to fit 16 bytes by padding the counter with zero bytes. In other words, the 16 bytes passed to the first $Encrypt_K(x)$ as $x$ are 15 bytes with the value 0 and 1 byte, residing at the highest memory address, with the value 1.

C. The AESMix algorithm

The AESMix algorithm is a two-pass algorithm; the passes are called MIX and SWEEP. Both passes operate on the 16 byte blocks using the 3 lower-level operations defined above. Both passes sequentially read every 16 byte block of the wide block. The MIX pass modifies every 16 byte block of the wide block, while the SWEEP pass modifies only the first one. Both passes process the 16 byte blocks from the block at the highest memory address down to the first 16 bytes of the wide block. This order of processing is the inverse of the order of the CBC encryption.

1) The MIX pass

    Input:  P = P_0 P_1 ... P_{n-1}, IV
    Return: C = MIX(P)
    C_{n-1} = M_{n-1}(P_{n-1}) ⊕ IV
    for i = n-2 to 0
        C_i = M_i(P_i) ⊕ P_{i+1}
    end for
    C_{n-1} = C_{n-1} ⊕ C_0        // XOR the first 16 bytes into the last 16 bytes

TABLE VI: THE MIX PASS

2) The SWEEP pass

    Input:  P = P_0 P_1 ... P_{n-1}
    Return: C = SWEEP(P)
    T = 0
    for k = n/4 to 2
        T = T ⊕ SWEEP64_{4k-4}(P_{4k-4}, P_{4k-3}, P_{4k-2}, P_{4k-1})
    end for
    T = M_0(T) ⊕ SWEEP64_0(0, P_1, P_2, P_3)
    C_0 = P_0 ⊕ T                  // XOR the checksum into the first 16 bytes
    C_i = P_i, i ∈ [1, n-1]        // the rest stays unchanged

TABLE VII: THE SWEEP PASS

The first key used is $k_{n-4}$, accessed in the SWEEP64 call on the highest group of blocks $(P_{n-4}, \dots, P_{n-1})$; the next key is $k_{n-8}$, and the last key is $k_0$. The SWEEP algorithm is exactly the same for AESMix and AESUnMix; in particular, the keys $k_i$ are the encryption keys.

D. The AESUnMix algorithm

The AESUnMix algorithm is the inverse of the AESMix algorithm. It consists of the UNMIX step and the same SWEEP step as defined for the AESMix algorithm.

    Input:  C = C_0 C_1 ..., IV
    Return: P = UNMIX(C)
    // XOR the first 16 bytes and the IV into the last 16 bytes, then decrypt:
    P_{n-1} = M_{n-1}^{-1}(C_{n-1} ⊕ C_0 ⊕ IV)
    for i = n-2 to 0
        P_i = M_i^{-1}(C_i ⊕ P_{i+1})
    end for

TABLE VIII: THE UNMIX PASS

E. Performance

The following numbers show that AESMix introduces approximately a 10% performance penalty over the CBC encryption mode. The measurements were performed on an Intel Core i GHz, Linux x86_64, compiled with gcc 4.6.3:

    Operation                                                  Absolute performance (Mb/sec)   Ratio
    Repeated AES-128-CBC on 256 bytes                                                           % (baseline)
    Repeated AESMixCBC on 512 bytes, l = 512 byte wide block                                    %
    Repeated AESMix on 512 bytes, l = 512 byte wide block      7,                               %

TABLE IX: AESMIXCBC PERFORMANCE

These performance numbers don't include any multi-wide-block parallelism discussed below. Assuming the use of the AES-CBC algorithm for encryption, AESMixCBC guarantees the same performance penalty against the standard AES-CBC performance on any architecture, with or without hardware support for AES, because AESMix executes essentially a subset of the AES algorithm. For comparison, another wide block encryption algorithm was described in [BL] and was able to reach only a 50% performance penalty (30 cycles vs. 20 of AES-CBC), a ratio that AESMix should be able to reliably improve.

F. Parallelism

We expect that the proposed wide block encryption method is beneficial for applications and protocols with the following properties:
  - random read/write access to individual wide blocks;
  - more than one wide block is processed in the same request on average.
This environment is typical for the bulk encryption product category, which includes whole disk encryption or encrypted file products. This model is compatible with how the storage subsystem is organized in modern operating systems. Next we explain why the degree to which parallelism is facilitated by the wide block algorithm itself is not a main concern under the above assumptions.

When each protocol request contains more than one wide block (of $l$ bytes each) on average, it is possible to parallelize the implementation by viewing the operation on $l$ bytes at a time as the unit of encryption (there are multiple $l$ byte wide blocks available, and the result of each wide block's processing is independent of the others). We call this parallelism basic. It essentially means that when there are multiple CPU cores available to process multiple $l$ byte blocks, this can always be done under our assumptions.

The other CPU capability enabling parallelism is per-CPU pipelining. Pipelining is a feature limited to a single CPU that allows parallel execution of multiple instructions on a single CPU core. It is a lower-granularity parallelism that is only possible for instructions without data interdependencies. Under our assumption of processing multiple wide blocks on average, AESMixCBC can take advantage of pipelining with an extra implementation effort as follows. Using 4-factor pipelining parallelism as an example, first observe that the standard CBC encryption can be pipelined by implementing an x4 mode in which the implementation processes 4 $l$ byte blocks at a time (whenever possible) by combining a 16 byte block from each of the 4 wide blocks in parallel, vs. a simpler sequential implementation that processes the first one of the 4 wide blocks completely, followed by the second, and so on. The same method can be used to take advantage of pipeline parallelism with the AESMix algorithm. We summarize the parallel capability of AESMixCBC and its inverse in the following table:

    Mode          CBC encrypt         CBC decrypt   AESMix      AESUnMix
    Parallelism   multi-wide-block    unlimited     unlimited   multi-wide-block

TABLE X: PARALLEL CAPABILITY OF AESMIXCBC AND AESUNMIXCBC

G. Security

3) Overview

The security of the AESMixCBC algorithm depends on the property that each 16 byte block used in the CBC encryption is aligned with the block boundary used in AESMix/AESUnMix. The AESMix algorithm consists of two passes, followed by the CBC encryption, which makes the final mode more difficult to analyse than, for example, the [LRW] tweakable block cipher construction. Here we give the initial steps of the analysis.

In this section we widen the review and look at the CBC and AESMix operations together. We start from the encryption. The result of the inner block encryption is

$$E_k\big(C_{i-1} \oplus M(P_i) \oplus P_{i+1}\big),$$

which is the CBC operation after the plaintext substitution $P_i^{cbc} = M(P_i) \oplus P_{i+1}$. Observe the enhanced symmetry vs. the standard CBC encryption: the CBC mode adds the ciphertext from the left ($C_{i-1}$) to ensure error propagation in the encryption direction, while AESMix adds the plaintext from the right ($P_{i+1}$) to ensure error propagation in the decryption direction. The plaintext in the center is permuted.

Likewise for the decryption direction, AESMixCBC on each individual block translates into

$$P_i = M_i^{-1}\big(P_{i+1} \oplus E_k^{-1}(C_i) \oplus C_{i-1}\big),$$

which is a CBC decryption for $P_i^{cbc}$ after the following plaintext substitution: $P_i^{cbc} = E_k^{-1}(C_i) \oplus C_{i-1}$. In the canonical CBC decryption $P_i = P_i^{cbc}$. The presence of the extra $P_{i+1}$ adds error propagation to the CBC mode in the decryption direction. Consider an attack in which block $j$ is modified with the goal of affecting block $i$, $i \neq j$. There are two cases here, $j < i$ and $j > i$, and in both cases the change to block $j$ affects $P_{n-1}^{cbc}$ through the operation of SWEEP. It can be shown by induction that this change eventually affects $P_i$ in the UNMIX pass.

$M_i(\cdot)$ is a secret permutation that mitigates the malleability property caused by the XOR of $C_i$ with the plaintext, makes sure that $P_{i+1}$ doesn't collide with the plaintext in block $i$, and mitigates cut-and-paste attacks. There is no direct oracle access available to the functionality of the secret permutation $M_i(P_i)$ or its inverse.

AESENC1 can alternatively be defined to fully integrate the MIX pass into a unified definition. This is shown next to show the high similarity of such an alternative definition, AESENC1MIX, with the standard AES algorithm. Consider an attack that modifies the ciphertext at block $i+1$ of the AESMixCBC algorithm. Decryption of the block with the chosen block cipher will result in a plaintext $P_{i+1}^{cbc}$, which will be processed to produce $P_{i+1}$. We can think of $P_{i+1}$ as some unknown uniformly distributed 16 byte value as seen by the attacker, just like the key $k_i$ is. Recall that the AESUnMix step for block $i$ is $P_i = M_i^{-1}(P_{i+1} \oplus P_i^{cbc})$, which is mapped to the following alternative definition of the AESENC1 and AESDEC1 operations:

    ROUNDLASTMIX:                   Inverse of ROUNDLASTUNMIX:
        AddRoundKey(state, zero)        AddRoundKey(state, P_{i+1})
        SubBytes(state)                 InvSubBytes(state)
        ShiftRows(state)                InvShiftRows(state)
        MixColumns(state)               InvMixColumns(state)
        AddRoundKey(state, k_i)         AddRoundKey(state, k_i^{-1})
        SubBytes(state)                 InvShiftRows(state)
        ShiftRows(state)                InvSubBytes(state)
        AddRoundKey(state, P_{i+1})     AddRoundKey(state, zero)

TABLE XI: ALTERNATIVE AESMIX/AESUNMIX DEFINITION WITH THE INTEGRATED MIX/UNMIX PASS

Note that the alternative AESENC1 and AESDEC1 that include the MIX and UNMIX operations remain exactly 2-round AES, except for the use of an alternative key schedule that has $k_i$ and $P_{i+1}$ as the 2 subkeys and zero pre-whitening.

4) Select statements about AESMixCBC

The following facts are stated for the AESMix/AESUnMix algorithm without the CBC step.

Fact 1. A single bit change of an encrypted wide block changes every one of the $n$ plaintext blocks with probability at least …. This follows from the chained nature of the two passes of the AESMix algorithm and from the 16 byte block operations being permutations. Note that SWEEP uses two nested $M_i(x)$ permutations. For a one byte differential this means that every one of the 16 bytes of the SWEEP output is active.

Fact 2. No two blocks of any of the $n$ blocks can be swapped or copied with a probability of detection lower than …. This follows from the binding effect of the unique subkey associated with every 16 byte block of the wide block.

Fact 3. A single bit change in a wide block plaintext changes at least one byte of the first 16 bytes of the wide block with probability …. This behaviour has the effect of tweaking the IV value of the CBC algorithm based on the value of each byte of the plaintext of the wide block. The SWEEP operation is responsible for this.

Fact 4. There is an advantage available to the attacker if the attacker compensates the single bit change in Fact 1 with an additional bit change in the wide block. The SWEEP operation includes a $\{0,1\}^{512} \to \{0,1\}^{16 \cdot 8}$ mapping step for each group of 4 16 byte blocks (512 bits total), which is trivial to forge within the said 512 bit block. To do this, the change in any byte of the 512 bit block can be compensated with a corresponding change at another index, per Table IV, such that the XOR result of the two changes is cancelled out. A more involved collision is the change in two separate 512 bit blocks to the bytes at the same offset with respect to their 512 bit blocks. A one byte AES ROUND differential results in a 4 byte change on the output of the round. The probability that no other byte change in any of the $s$ blocks will mask the single byte change is Prob(s) = ( s (s 1/ 2, where $s = n/4 - 1$. We eliminate the first 512 bits due to their special handling. For a typical 512 byte wide block $s = 7$ and Prob(7) > …. For non-adjacent blocks this will cause the in-between blocks $k \in (i, j)$ to change, while leaving the preceding and following blocks unchanged. Note, however, that these two attacks on the SWEEP step assumed an ability of the attacker to change a single byte of the plaintext by changing the ciphertext for the two cipher blocks. This probability exceeds the security of the corresponding block cipher, because it essentially depends on the ability to perform a two byte plaintext modification in a 16*2 byte double-block ciphertext.

Fact 5. Each of the $n$ blocks is processed at least twice by the AESENC1 operation or its inverse. This follows from the algorithm description.

Fact 6. AESMixCBC resists chosen plaintext attacks.

Consider the MIX pass of the AESMix algorithm under the assumption of an attacker who controls the input and sees the output. It would be possible to employ the following algorithm, which explores the byte-to-four-bytes differential of $M_i(\cdot)$, to try to recover the subkey. Given a wide plaintext block, consider 3 changes to two adjacent plaintext blocks as follows:

    Plaintext:                    Result after the ROUND pass:
    P_i,        P_{i+1}           M_i(P_i) ⊕ P_{i+1},              C_{i+1}
    P_i,        P_{i+1} ⊕ D_1     M_i(P_i) ⊕ P_{i+1} ⊕ D_1,        C'_{i+1}
    P_i ⊕ D_2,  P_{i+1} ⊕ D_1     M_i(P_i ⊕ D_2) ⊕ P_{i+1} ⊕ D_1,  C'_{i+1}

The goal is to vary $D_1$ and $D_2$ so that the change in $M_i(P_i \oplus D_2)$ due to $D_2$ is cancelled by $D_1$, i.e. the attacker has an encryption oracle. An example of this is a 1 byte $D_2$, resulting in a 4 byte change in $M_i(P_i \oplus D_2)$, which can be compensated by a 4 byte $D_1$. This attack is mitigated by the SWEEP pass. First, note that $C_{i+1}$ will change as well. The three-block change will affect the results of the SWEEP pass, which will change the first block of the wide block. The change of the first block has the effect of changing the IV in the CBC step, which, in turn, will likely change the ciphertext of the entire wide block.

IV. CONCLUSIONS

AESMixCBC is a fast wide block encryption mode suitable for high-performance applications on a broad range of platforms. The portion of the algorithm that is responsible for the wide block behaviour is built from a subset of the functionality of the AES algorithm. When AESMixCBC is used with AES-CBC as the external block cipher, the most likely case today, the design of AESMixCBC offers a deterministic assessment of the performance penalty in terms of the external block cipher's performance. Our implementation achieves a 0.1 factor performance penalty against AES-CBC. Many well-studied encryption methods include the concept of a random permutation as a building block. We showed that constructing an encryption algorithm with the help of an imperfect permutation under the protection of a block cipher is a useful tool that can provide performance benefits.

V. APPENDIX A

The method to build Table IV is provided below. It can be used to build the permutation table on the fly for constrained devices, or to study the properties of the permutation. Each index is treated as an element of GF(16) with the primitive polynomial $x^4 + x^3 + 1$. In the following algorithm this is represented as the integer 0x19 in little-endian format, where 1 stands for 1, 2 for $x$, etc. This field has 2, 4, 6, and 7 as first generators, which are used to build each $Perm_i(X)$, respectively.

    Input:  i ∈ [0, 3] is the index of the permutation; G_i = {2, 4, 6, 7}
    Return: Perm_i for {0, 1, 2, 3, ..., 15}
    Perm_i = {G_i^1, G_i^2, G_i^3, ..., G_i^14, 1, 0} mod 0x19    // G_i^0 corresponds to input index 0
    Perm_i is Perm_i rotated left by 4·((i+1) mod 4) positions

TABLE XII: Perm_i(X) CALCULATION
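As an added worked example (not the paper's reference code), the following Python implements the AESMix building blocks of Section III (AESENC1/AESDEC1, SWEEP64, the IV derivation), the MIX, SWEEP and UNMIX passes of Tables VI to VIII, and the Perm_i generation of Table XII, and checks that the generated tables equal Table IV and that AESUnMix(AESMix(P)) = P. It assumes 16 byte `bytes` blocks held in a Python list with P_0 first, AES round primitives written out from FIPS 197 rather than taken from AES-NI, the final SWEEP step read as T = M_0(T) ⊕ SWEEP64_0(0, P_1, P_2, P_3), a straightforward inverse for AESDEC1 instead of the Table III form with the precomputed decryption key, a little-endian sector number, and constructed SHA-256 stand-in keys in place of the AES-ECB derivation of Table V.

```python
import hashlib
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def gfmul(a, b, poly, top):  # multiply in GF(2^k) modulo poly, where top = 1 << k
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & top:
            a ^= poly
        b >>= 1
    return r

# AES round primitives written out from FIPS-197; GF(2^8) modulo x^8+x^4+x^3+x+1 = 0x11B
def gmul(a, b): return gfmul(a, b, 0x11B, 0x100)
def _sbox():  # S-box = GF(2^8) inverse followed by the affine map with constant 0x63
    s = []
    for x in range(256):
        v = t = next(y for y in range(256) if gmul(x, y) == 1) if x else 0
        for _ in range(4):
            t = ((t << 1) | (t >> 7)) & 0xFF
            v ^= t
        s.append(v ^ 0x63)
    return s
SBOX = _sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
def sub_bytes(s, box):
    return bytes(box[b] for b in s)
def shift_rows(s, d):  # column-major state; d=1 is ShiftRows, d=-1 is InvShiftRows
    return bytes(s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4))
def mix_columns(s, coef):  # coef (2,3,1,1) is MixColumns, (14,11,13,9) its inverse
    return bytes(gmul(coef[0], s[4 * c + r]) ^ gmul(coef[1], s[4 * c + (r + 1) % 4])
                 ^ gmul(coef[2], s[4 * c + (r + 2) % 4]) ^ gmul(coef[3], s[4 * c + (r + 3) % 4])
                 for c in range(4) for r in range(4))
def aesenc1(x, k):  # M_i = ROUND with key k, then LAST with the zero key (Tables II, III)
    s = mix_columns(shift_rows(sub_bytes(x, SBOX), 1), (2, 3, 1, 1))
    return shift_rows(sub_bytes(xor(s, k), SBOX), 1)
def aesdec1(y, k):  # exact inverse of aesenc1 (Table III instead folds InvMixColumns into k)
    s = xor(sub_bytes(shift_rows(y, -1), INV_SBOX), k)
    return sub_bytes(shift_rows(mix_columns(s, (14, 11, 13, 9)), -1), INV_SBOX)

# Appendix A: Perm_i tables from GF(16) with p(x) = x^4 + x^3 + 1 (0x19), Table XII
def perm_table(i):  # generators 2, 4, 6, 7 give Perm_0 .. Perm_3 of Table IV
    seq, p = [], 1
    for _ in range(14):  # G_i^1 .. G_i^14
        p = gfmul(p, (2, 4, 6, 7)[i], 0x19, 0x10)
        seq.append(p)
    seq += [1, 0]  # then G_i^15 = 1 and 0
    rot = 4 * ((i + 1) % 4)  # rotate left by 4*((i+1) mod 4) positions
    return seq[rot:] + seq[:rot]
PERM = [perm_table(i) for i in range(4)]
def sweep64(k, t0, t1, t2, t3):  # SWEEP64_i = M_i(Perm_0(t0) ^ ... ^ Perm_3(t3))
    acc = bytes(16)
    for j, t in enumerate((t0, t1, t2, t3)):
        acc = xor(acc, bytes(t[p] for p in PERM[j]))  # output byte j is input byte PERM[j]
    return aesenc1(acc, k)

# Section III: the MIX, SWEEP and UNMIX passes (Tables VI to VIII) and the IV
def mix_pass(P, keys, iv):
    n = len(P)
    C = [None] * n
    C[n - 1] = xor(aesenc1(P[n - 1], keys[n - 1]), iv)
    for i in range(n - 2, -1, -1):  # highest block first, down to P_0
        C[i] = xor(aesenc1(P[i], keys[i]), P[i + 1])
    C[n - 1] = xor(C[n - 1], C[0])  # XOR the first 16 bytes into the last 16
    return C
def sweep_pass(P, keys):  # changes only block 0 and T ignores P_0, so it is self-inverse
    n = len(P)
    T = bytes(16)
    for k in range(n // 4, 1, -1):  # four-block groups, highest first, key k_{4k-4}
        b = 4 * k - 4
        T = xor(T, sweep64(keys[b], P[b], P[b + 1], P[b + 2], P[b + 3]))
    T = xor(aesenc1(T, keys[0]), sweep64(keys[0], bytes(16), P[1], P[2], P[3]))
    return [xor(P[0], T)] + P[1:]
def unmix_pass(C, keys, iv):
    n = len(C)
    P = [None] * n
    P[n - 1] = aesdec1(xor(xor(C[n - 1], C[0]), iv), keys[n - 1])
    for i in range(n - 2, -1, -1):
        P[i] = aesdec1(xor(C[i], P[i + 1]), keys[i])
    return P
def aesmix(P, keys, iv):
    return sweep_pass(mix_pass(P, keys, iv), keys)
def aesunmix(C, keys, iv):
    return unmix_pass(sweep_pass(C, keys), keys, iv)
def derive_iv(sector, keys):  # IV = SWEEP64_n(IV_0, M_n(IV_0), 0, 0); IV_0 zero-padded
    iv0 = sector.to_bytes(8, "little") + bytes(8)  # assumed little-endian sector number
    return sweep64(keys[-1], iv0, aesenc1(iv0, keys[-1]), bytes(16), bytes(16))
def demo(n=32, sector=7, flip_block=5):  # round trip, then a one-bit ciphertext change
    # constructed stand-in keys k_0 .. k_n (the paper derives them with AES-ECB, Table V)
    keys = [hashlib.sha256(b"k%d" % i).digest()[:16] for i in range(n + 1)]
    iv = derive_iv(sector, keys)
    P = [bytes([i]) * 16 for i in range(n)]  # constructed 512 byte wide block
    C = aesmix(P, keys, iv)
    ok = aesunmix(C, keys, iv) == P
    C[flip_block] = bytes([C[flip_block][0] ^ 1]) + C[flip_block][1:]
    changed = sum(p != q for p, q in zip(P, aesunmix(C, keys, iv)))
    return ok, changed  # (True, n): every recovered block differs, as in Fact 1
```

`demo()` returns `(True, 32)`: the round trip succeeds, and a single flipped ciphertext bit in block 5 alters all 32 recovered plaintext blocks, the propagation that Fact 1 describes.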

VI. APPENDIX B. MIX AND UNMIX QUICK REFERENCE

MIX (Table VI), processed from $P_{n-1}$ down to $P_0$:

    P_0  ...  P_{n-3}  P_{n-2}  P_{n-1}
    C_i     = M_i(P_i) ⊕ P_{i+1}              for i = n-2 ... 0
    C_{n-1} = M_{n-1}(P_{n-1}) ⊕ IV ⊕ C_0

UNMIX (Table VIII):

    C_0  ...  C_{n-3}  C_{n-2}  C_{n-1}
    P_{n-1} = M_{n-1}^{-1}(C_{n-1} ⊕ C_0 ⊕ IV)
    P_i     = M_i^{-1}(C_i ⊕ P_{i+1})         for i = n-2 ... 0

VII. APPENDIX C. SWEEP QUICK REFERENCE

SWEEP (Table VII) over the blocks $P_0 P_1 P_2 P_3 \dots P_{n-4} P_{n-3} P_{n-2} P_{n-1}$, with $k = n/4$:

    SWEEP64_{4k-4}(P_{4k-4}, P_{4k-3}, P_{4k-2}, P_{4k-1})   for k = n/4 down to 2, i.e.
    SWEEP64(P_{n-4}, P_{n-3}, P_{n-2}, P_{n-1}), SWEEP64(P_{n-8}, ..., P_{n-5}), SWEEP64(P_{n-12}, ..., P_{n-9}), ...
    then M_0(·) and SWEEP64_0(0, P_1, P_2, P_3)
    C_0 = P_0 ⊕ T,   C_i = P_i for i ≠ 0

    SWEEP64_k(p_4, p_3, p_2, p_1) = M_k( ⊕_i Perm_i(p_i) ), where Perm_i(p) is a permutation of the 16 bytes
    p = {p[0], ..., p[j], ..., p[15]} such that each p[j] appears at the position k of the output
    IV = SWEEP64_n(IV_0, M_n(IV_0), 0, 0)

VIII. BIBLIOGRAPHY

[1] EME: S. Halevi and P. Rogaway, A Parallelizable Enciphering Mode, 2003.
[2] AES: NIST, Advanced Encryption Standard (AES), Nov 26, 2001.
[3] SP: Lily Chen, Recommendation for Key Derivation Using Pseudorandom Functions, October 2009.
[4] BL: Niels Ferguson, AES-CBC + Elephant diffuser. A Disk Encryption Algorithm for Windows Vista, Aug 2006.
[5] LRW: Moses Liskov, Ronald L. Rivest, and David Wagner, Tweakable Block Ciphers, 2002.


More information

Symmetric Cryptography. Chapter 6

Symmetric Cryptography. Chapter 6 Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

The Encryption Standards

The Encryption Standards The Encryption Standards Appendix F Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide F-1 Outline Data Encryption Standard Algorithm Advanced Encryption Standard Background mathematics

More information

Secret Key Cryptography

Secret Key Cryptography Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:

More information

Introduction to Cryptography. Lecture 3

Introduction to Cryptography. Lecture 3 Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic

More information

IDEA, RC5. Modes of operation of block ciphers

IDEA, RC5. Modes of operation of block ciphers C 646 - Lecture 8 IDA, RC5 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van

More information

Double-DES, Triple-DES & Modes of Operation

Double-DES, Triple-DES & Modes of Operation Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES

More information

Secret Key Cryptography

Secret Key Cryptography Secret Key Cryptography General Block Encryption: The general way of encrypting a 64-bit block is to take each of the: 2 64 input values and map it to a unique one of the 2 64 output values. This would

More information

CIS 4360 Secure Computer Systems Symmetric Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography

More information

Elastic Block Ciphers: The Feistel Cipher Case

Elastic Block Ciphers: The Feistel Cipher Case Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical

More information

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

More information

Symmetric Cryptography

Symmetric Cryptography CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Cryptography [Symmetric Encryption]

Cryptography [Symmetric Encryption] CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

1 Achieving IND-CPA security

1 Achieving IND-CPA security ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces

More information

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d) CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation

More information

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P)) CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption

More information

Introduction to Cryptography. Lecture 3

Introduction to Cryptography. Lecture 3 Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic

More information

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms ENEE 459-C Computer Security Symmetric key encryption in practice: DES and AES algorithms A perfect encryption of a block Say you have a block of n bits You want to encrypt it You want to use the same

More information

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001 Implementation and Performance analysis of Skipjack & Rijndael Algorithms by Viswnadham Sanku ECE646 Project Fall-2001 TABLE OF CONTENTS TABLE OF CONTENTS 2 1. OBJECTIVE 3 2. SKIPJACK CIPHER 3 2.1 CIPHER

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc. Submitted by SPYRUS, Inc. Contents DT5000 and DT6000 Technology Overview...2 Why DT5000 and DT6000 Encryption Is Different...3 Why DT5000 and DT6000 Encryption Is Different - Summary...4 XTS-AES Sector-Based

More information

Lecture 4: Symmetric Key Encryption

Lecture 4: Symmetric Key Encryption Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by

More information

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography. Kirill Levchenko CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

More information

U-II BLOCK CIPHER ALGORITHMS

U-II BLOCK CIPHER ALGORITHMS U-II BLOCK CIPHER ALGORITHMS IDEA: Idea is block cipher similar to DES Works on 64 bit plaintext block Key is longer and consist of 128 bits Idea is reversible like DES i.e. same algorithm can be used

More information

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015 L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining

More information

Block ciphers, stream ciphers

Block ciphers, stream ciphers Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A

More information

Cryptology complementary. Symmetric modes of operation

Cryptology complementary. Symmetric modes of operation Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03

More information

Secret Key Cryptography (Spring 2004)

Secret Key Cryptography (Spring 2004) Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.

More information

The Rectangle Attack

The Rectangle Attack The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis

More information

Linear Cryptanalysis of Reduced Round Serpent

Linear Cryptanalysis of Reduced Round Serpent Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,

More information

Content of this part

Content of this part UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this

More information

Introduction to Symmetric Cryptography

Introduction to Symmetric Cryptography Introduction to Symmetric Cryptography Tingting Chen Cal Poly Pomona 1 Some slides are from Dr. Cliff Zou. www.cs.ucf.edu/~czou/cis3360-12/ch08-cryptoconcepts.ppt Basic Cryptography Private Key Cryptography

More information

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75 Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like

More information

Modern Block Ciphers

Modern Block Ciphers Modern Block Ciphers now look at modern block ciphers one of the most widely used types of cryptographic algorithms provide secrecy /authentication services focus on DES (Data Encryption Standard) to illustrate

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types

More information

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction

More information

The Extended Codebook (XCB) Mode of Operation

The Extended Codebook (XCB) Mode of Operation The Extended Codebook (XCB) Mode of Operation David A. McGrew and Scott Fluhrer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95032 {mcgrew,sfluhrer}@cisco.com October 25, 2004 Abstract We describe

More information

Symmetric Encryption. Thierry Sans

Symmetric Encryption. Thierry Sans Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion

More information

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018 Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.

More information

ECE 646 Lecture 8. Modes of operation of block ciphers

ECE 646 Lecture 8. Modes of operation of block ciphers ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.

More information

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}

More information

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working

More information

Content of this part

Content of this part UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1

More information

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space Perfect Cipher Introduction to Cryptography Lecture 2 Benny Pinkas What type of security would we like to achieve? Given C, the adversary has no idea what M is Impossible since adversary might have a-priori

More information

Using block ciphers 1

Using block ciphers 1 Using block ciphers 1 Using block ciphers DES is a type of block cipher, taking 64-bit plaintexts and returning 64-bit ciphetexts. We now discuss a number of ways in which block ciphers are employed in

More information

Lecture 3: Symmetric Key Encryption

Lecture 3: Symmetric Key Encryption Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07

More information

Statistical Analysis of the 3WAY Block Cipher

Statistical Analysis of the 3WAY Block Cipher Statistical Analysis of the 3WAY Block Cipher By Himanshu Kale Project Report Submitted In Partial Fulfilment of the Requirements for the Degree of Master of Science In Computer Science Supervised by Professor

More information

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24 Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash

More information

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition

More information

Implementation of Full -Parallelism AES Encryption and Decryption

Implementation of Full -Parallelism AES Encryption and Decryption Implementation of Full -Parallelism AES Encryption and Decryption M.Anto Merline M.E-Commuication Systems, ECE Department K.Ramakrishnan College of Engineering-Samayapuram, Trichy. Abstract-Advanced Encryption

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations: Secret Key Systems Encrypting a small block of text (say 64 bits) General Considerations: 1. Encrypted

More information

symmetric cryptography s642 computer security adam everspaugh

symmetric cryptography s642 computer security adam everspaugh symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)

More information

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17

More information

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions

More information

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18) AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,

More information

The Salsa20 Family of Stream Ciphers

The Salsa20 Family of Stream Ciphers The Salsa20 Family of Stream Ciphers Based on [Bernstein, 2008] Erin Hales, Gregor Matl, Simon-Philipp Merz Introduction to Cryptology November 13, 2017 From a security perspective, if you re connected,

More information

Feedback Week 4 - Problem Set

Feedback Week 4 - Problem Set 4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST

More information

Applied Cryptography Data Encryption Standard

Applied Cryptography Data Encryption Standard Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading

More information

Assignment 3: Block Ciphers

Assignment 3: Block Ciphers Assignment 3: Block Ciphers CSCI3381-Cryptography Due October 3, 2014 1 Solutions to the Written Problems 1. Block Cipher Modes of Operation 6 points per part, 30 total. Parts (a)-(d) refer to the cipherblock

More information

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers Chapter 8 Encipherment Using Modern Symmetric-Key Ciphers Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 8.1 Chapter 18 Objectives To show how modern standard

More information

Block Cipher Operation

Block Cipher Operation Block Cipher Operation Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 6-1 Overview 1. Double DES, Triple

More information

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block? Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that

More information

Computer Security 3/23/18

Computer Security 3/23/18 s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks

More information

Symmetric key cryptography

Symmetric key cryptography The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and

More information

Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication

Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Popa Spring 2018 CS 161 Computer Security Discussion 3 Week of February 5, 2018: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric

More information

symmetric cryptography s642 computer security adam everspaugh

symmetric cryptography s642 computer security adam everspaugh symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)

More information

AES Cryptosystem Acceleration Using Graphics Processing Units. Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley

AES Cryptosystem Acceleration Using Graphics Processing Units. Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley AES Cryptosystem Acceleration Using Graphics Processing Units Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley Overview Introduction Compute Unified Device Architecture (CUDA) Advanced

More information