1

I have read a few papers on tweakable ciphers (didn't understand them well, though) and looked at many of the questions and answers on this exchange: What is a tweakable block cipher, Tweakable Block ciphers, Tweaking Even-Mansour Ciphers [video]. However, there are a few things I'd like cleared up.

  1. Are the tweaks always just a string of bits? And are they usually shorter than the key?
  2. It seems DES-X is a tweakable cipher where the tweaks are the pre- and post-whitening that use secret extra keys. Does this mean some tweaks are necessarily secret? The reason I am asking is that I got the impression from the papers I read that tweaks are always public.
  3. In view of Q2, what other tweakable ciphers (if any) use secret tweaks or ones that may be secret if desired?
  4. If a tweak is secret does this add strength to the cipher as well as variability?
  5. If a tweak is appended to a key, does this mean to the session key or to each subkey? I am a little confused because I thought part of the idea of tweaks is that they are easier to change than producing new keys through a complex key schedule (for instance).
  6. Perhaps this should be a separate question, but: the term permutation seems to mean two different things. 1) a bit-wise (say) permutation, i.e. excluding XORs, S-boxes, etc. and 2) a complete block cipher encryption that produces an apparently random permutation of the input, i.e. typically including XORs and substitutions, etc. In relevance to tweakable ciphers, when I look at some models I see the cipher is denoted by $E_n$ but when I look at models based on the Even-Mansour ciphers I see $P_n$. I assume the $E$ refers to a cipher that may include several operations (perms, S-boxes, etc. as for $DES$, $AES$, etc.) but the $P$ refers only to bit-wise permutations (or perhaps byte-wise). Is this assumption correct?

Much obliged to anyone who can help.

Red Book 1

2 Answers

3

Suppose the tweakable cipher uses a secret key $k$ and a secret tweak $t$, then syntactically you can regard $K=(k, t)$ as the total secret key. So, in this case, the 'tweakable cipher' is just an ordinary block cipher, with a longer key. In order to get a notion different from the usual block cipher, you'll need the tweak to be non-secret.

AYun
1

Are the tweaks always just a string of bits?

There is no reason that it has to be. Some algorithm designer could put a restriction on tweaks beyond just how many bits it can have.

Are they usually shorter than the key?

It may be a challenge to design fast ciphers with very long tweaks. If a tweakable block cipher isn't faster than deriving a new key and doing key expansion then there isn't a reason to use it over non-tweakable ciphers. A KDF can accept arbitrary length inputs and produce new keys.

Does this mean some tweaks are necessarily secret?

It depends on your choice of definitions and conventions I guess. I prefer the definition where tweak means "secure even if public" which is the definition associated with, for example, Skein/ThreeFish. Disk encryption algorithms, for example, may use "tweak" to refer to secret data though.

If a tweak is secret does this add strength to the cipher?

It is safer to assume no than to assume yes. This is too general a question and the answer depends on specifics. Plus it's smarter to use a cipher that takes a larger key instead.

If a tweak is appended to a key, does this mean to the session key or to each subkey?

You tell us. Isn't this a "If hypothetical condition, then does that mean hypothetical A or hypothetical B" question? I don't know what you mean by session key in this context. I assume not the latter. If an algorithm XORs an n-bit word with an n-bit subkey, I don't see how it's possible to append to that sub key.

Perhaps this should be a separate question, but: the term permutation seems to mean two different things

Overly informal definition: Any bijective function where inputs and outputs are the same finite countable set is a permutation. Block ciphers are permutations because they are invertible and map a fixed number of input bits to the same number of output bits. P-boxes are permutations for the same reason. The function $F(n) = n$ is a permutation (if the domain and codomain fit the description), it just isn't helpful for pseudorandomness purposes.

$E$ is the typical single letter function name for block ciphers, similar to how $F$ is for functions in general and $H$ is for hash functions. $P$ and $\pi$ are common for pseudorandom permutations. These are just function names though. They don't mean that in the context they're used in that they necessarily refer to these types of functions.

A simple Even-Mansour cipher is actually usually defined as $E_{k_1,k_2}(x) = k_1 \oplus P(x \oplus k_2)$. $E$ is the Even-Mansour cipher. $P$ is an unkeyed publicly known pseudorandom permutation. $P$ is not a block cipher but $E$ is.

Future Security
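As an added worked example (not code from either answer, and not any published cipher), the following toy illustrates the points both answers make: "permutation" just means a bijection on a fixed finite set (a bit-wise P-box, a keyless SPN-style mixing function, and the identity all qualify), the Even-Mansour cipher $E_{k_1,k_2}(x) = k_1 \oplus P(x \oplus k_2)$ turns a public permutation $P$ into a keyed block cipher, and a tweak that is kept secret is syntactically nothing more than extra key material. Everything here is constructed for the example: the 16-bit block size, the 4-bit S-box, the bit-permutation table, the round constants, and the "tweaked" variant that XORs the tweak into both whitening layers.

```python
# Toy 16-bit Even-Mansour construction and a brute-force permutation checker.
# All tables and constants below are constructed for this example; the
# "public permutation" P is a keyless SPN, not a published design.

WORD_BITS = 16
MASK = (1 << WORD_BITS) - 1

# Constructed 4-bit S-box (a permutation of 0..15) and its inverse.
SBOX = [7, 12, 1, 9, 14, 3, 10, 0, 5, 15, 8, 2, 11, 6, 13, 4]
SBOX_INV = [SBOX.index(i) for i in range(16)]

# Constructed bit-wise P-box: input bit i moves to output position PBOX[i].
PBOX = [3, 0, 12, 7, 9, 14, 1, 5, 15, 11, 2, 8, 6, 13, 10, 4]
PBOX_INV = [PBOX.index(i) for i in range(16)]

# Constructed public round constants; they are not secret, P is unkeyed.
ROUND_CONSTS = [0x1F3A, 0x5B07, 0xC4E9, 0x9D26]


def is_permutation(f, bits=WORD_BITS):
    """Brute-force check that f is a bijection on {0, ..., 2**bits - 1}."""
    limit = 1 << bits
    seen = set()
    for x in range(limit):
        y = f(x)
        if not (0 <= y < limit) or y in seen:
            return False
        seen.add(y)
    return True


def sub_nibbles(x, table):
    """Apply a 4-bit S-box table to each of the four nibbles of x."""
    y = 0
    for i in range(4):
        y |= table[(x >> (4 * i)) & 0xF] << (4 * i)
    return y


def bit_permute(x, table):
    """Bit-wise permutation: bit i of x goes to position table[i]."""
    y = 0
    for i in range(WORD_BITS):
        if (x >> i) & 1:
            y |= 1 << table[i]
    return y


def public_perm(x):
    """Toy keyless permutation P: constant XOR, S-box layer, P-box layer per round."""
    for rc in ROUND_CONSTS:
        x ^= rc
        x = sub_nibbles(x, SBOX)
        x = bit_permute(x, PBOX)
    return x


def public_perm_inv(y):
    """Inverse of public_perm: undo the rounds in reverse order."""
    for rc in reversed(ROUND_CONSTS):
        y = bit_permute(y, PBOX_INV)
        y = sub_nibbles(y, SBOX_INV)
        y ^= rc
    return y


def em_encrypt(k1, k2, x):
    """Even-Mansour: E_{k1,k2}(x) = k1 XOR P(x XOR k2). Keyed, hence a block cipher."""
    return k1 ^ public_perm(x ^ k2)


def em_decrypt(k1, k2, y):
    """Inverse: x = P^{-1}(y XOR k1) XOR k2."""
    return public_perm_inv(y ^ k1) ^ k2


def tweaked_encrypt(k, t, x):
    """Constructed 'tweakable' variant: the tweak t is XORed into both whitening
    layers. If t is kept secret, the pair (k, t) collapses to the single key k ^ t,
    which is exactly the first answer's point: a secret tweak is just more key."""
    kt = k ^ t
    return kt ^ public_perm(x ^ kt)


if __name__ == "__main__":
    print("P-box is a permutation:", is_permutation(lambda x: bit_permute(x, PBOX)))
    print("identity is a permutation:", is_permutation(lambda x: x))
    print("public P is a permutation:", is_permutation(public_perm))
    print("E_k is a permutation:", is_permutation(lambda x: em_encrypt(0x1234, 0xABCD, x)))
    print("round trip ok:", em_decrypt(0x1234, 0xABCD, em_encrypt(0x1234, 0xABCD, 0x4242)) == 0x4242)
    print("secret tweak == longer key:", tweaked_encrypt(0x1234, 0x0F0F, 0x4242) == em_encrypt(0x1234 ^ 0x0F0F, 0x1234 ^ 0x0F0F, 0x4242))
```

The checker is deliberately exhaustive, which is only feasible because the toy block is 16 bits; for a real cipher one relies on the design being invertible by construction (every layer has an inverse), exactly as `public_perm_inv` undoes `public_perm` layer by layer. Note that `public_perm` passes `is_permutation` while carrying no secret at all, which is why the second answer calls $P$ a permutation but not a block cipher: only after the $k_1$/$k_2$ whitening does it become a keyed family.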