The ad-hoc tweakable AES is obtained from AES by adding (XORing) a 64-bit tweak T into the first two rows of the AES state in each round (i.e. AddRoundKey is replaced by AddRoundKey & AddTweak).
- The tweakable block cipher provides 128-bit security (including against related-key, related-tweak attacks). The first mode benefits greatly from this, as the security of the whole mode goes beyond the birthday bound. The second mode might benefit as well (conjecture).
- The speed overhead compared to AES is minimal. Both modes are built from parallel calls to AES and are therefore extremely efficient in software.
- Easy to implement given existing AES code. Backwards compatible with AES (set the tweak to 0). The security of the tweakable cipher reduces to the security of AES.
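The construction described above and the tweak=0 compatibility claim, as an added example (not the submission's own code): a compact AES-128 in Python with the 64-bit tweak XORed into state rows 0-1 at every AddRoundKey, so a zero tweak reproduces plain AES. Two details the text leaves open are assumed here: the tweak is also XORed in the initial whitening, and its eight bytes are laid out column-major over the first two rows.

```python
# Added example (not the submission's code): compact AES-128 with the 64-bit tweak
# XORed into state rows 0-1 at every AddRoundKey (whitening included, assumed).
def _xtime(a):  # multiply by x in GF(2^8) mod x^8+x^4+x^3+x+1
    return ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
def _build_sbox():  # S-box = affine(inverse) via log/antilog tables, generator 3
    exp, log = [0] * 256, [0] * 256
    a = 1
    for i in range(255):
        exp[i], log[a] = a, i
        a ^= _xtime(a)
    sbox = []
    for x in range(256):
        inv, s = (exp[(255 - log[x]) % 255] if x else 0), 0x63
        for _ in range(5):
            s, inv = s ^ inv, ((inv << 1) | (inv >> 7)) & 0xFF
        sbox.append(s)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):  # FIPS-197 key schedule, 11 round keys in column-major order
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s):  # state index r + 4c; row r rotates left by r positions
    return [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]

def _mix_columns(s):  # each column multiplied by the circulant matrix {2,3,1,1}
    return [_xtime(a[r]) ^ _xtime(a[(r+1)%4]) ^ a[(r+1)%4] ^ a[(r+2)%4] ^ a[(r+3)%4]
            for a in (s[4*c:4*c+4] for c in range(4)) for r in range(4)]

def tweakable_aes_encrypt(key, tweak, block):
    """AES-128 whose AddRoundKey also XORs the 64-bit tweak into rows 0-1."""
    assert len(key) == 16 and len(tweak) == 8 and len(block) == 16
    # Assumed tweak layout: byte 2c+r -> row r, column c (rows 2-3 untouched).
    mask = [tweak[2 * c + r] if r < 2 else 0 for c in range(4) for r in range(4)]
    rks = _expand_key(key)
    add = lambda s, rk: [a ^ k ^ m for a, k, m in zip(s, rk, mask)]  # AddRoundKey & AddTweak
    s = add(list(block), rks[0])
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        s = add(_mix_columns(s) if rnd < 10 else s, rks[rnd])
    return bytes(s)
```

With `tweak = bytes(8)` the added mask is all zero and the function is exactly AES-128, which is the backwards-compatibility property claimed above.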
The design is fast in software in general and very fast on processors with AES-NI support.
[Performance table: Intel Sandy Bridge, Intel Haswell]