A Parallelizable Enciphering Mode [chapter]

Shai Halevi, Phillip Rogaway
2004 Lecture Notes in Computer Science  
We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a "lightweight mixing" in between. We prove EME secure, in the reduction-based sense of modern cryptography. We motivate some of the design choices in EME by showing that a few simple modifications of this mode are insecure.

Introduction

Tweakable enciphering schemes and their use. A tweakable enciphering scheme is a function $E$ that maps a plaintext $P$ into a ciphertext $C = E_K^T(P)$ under the control of a key $K$ and a tweak $T$. The ciphertext must have the same length as the plaintext, and there must be an inverse $D_K^T$ to $E_K^T$. We are interested in schemes that are secure in the sense of a tweakable, strong pseudorandom permutation ($\pm\widetilde{\mathrm{prp}}$): an oracle that maps $(T, P)$ to $E_K^T(P)$ and maps $(T, C)$ to $D_K^T(C)$ must be indistinguishable (when the key $K$ is random and secret) from an oracle that realizes a $T$-indexed family of random permutations and their inverses. A tweakable enciphering scheme that is secure in the $\pm\widetilde{\mathrm{prp}}$ sense makes a desirable tool for solving the disk-sector encryption problem: one stores at disk-sector location $T$ the ciphertext $C = E_K^T(P)$ for plaintext $P$. The IEEE Security in Storage Working Group [8] plans to standardize a $\pm\widetilde{\mathrm{prp}}$-secure enciphering scheme.

Our contribution. This paper specifies EME, which is a simple and parallelizable tweakable enciphering scheme. The scheme is built from a block cipher, such as AES. By making EME parallelizable we accommodate ultra-high-speed mass-storage devices to the maximal extent possible given our security goals. When based on a block cipher $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, our mode uses a $k$-bit key and $2m+1$ block-cipher calls to encipher an $mn$-bit plaintext in a way that depends on an $n$-bit tweak. We require that $m \in [1..n]$. The name EME is meant to suggest ECB-Mix-ECB, as enciphering under EME involves ECB-encrypting the plaintext, a lightweight mixing step, and another ECB encryption. For a description of EME look ahead to Figures 1 and 2. We prove that EME is secure, assuming that the underlying block cipher is secure. The proof is in the standard, provable-security tradition: an attack on EME (as a $\pm\widetilde{\mathrm{prp}}$ with domain $\mathcal{M} = \{0,1\}^n \cup \{0,1\}^{2n} \cup \cdots \cup \{0,1\}^{n^2}$) is shown to imply an attack on the underlying block cipher (as a strong PRP with domain $\{0,1\}^n$). We go on to motivate some of the choices made in EME by showing that other choices would result in insecure schemes. Finally, we suggest an extension to EME that operates on sectors that are longer than $mn$ bits.

CMC mode. The EME algorithm is follow-on work to the CMC method of Halevi and Rogaway [6]. Both modes are tweakable enciphering schemes built from a block cipher $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. But CMC is inherently sequential, as it is built around CBC encryption and decryption. EME was designed to overcome this limitation, which was seen as potentially problematic for high-speed encryption devices. The change does not increase the serial complexity; both modes use $2m+1$ block-cipher calls (and little additional overhead) to act on an $mn$-bit message.

Further history. Naor and Reingold gave an elegant approach for making a strong PRP on $N$ bits from a block cipher on $n < N$ bits [14, 15]. Their approach involves a hashing step, a layer of ECB encryption (say), and another hashing step. They do not give a fully specified mode, but they do show how to carry out the hashing step given an xor-universal hash function that maps $N$ bits to $n$ bits [14]. In practice, instantiating this object is problematic: to compare well with CMC or EME one should find a construction that is simple, has a collision bound of about $2^{-128}$, and is more efficient, in both hardware and software, than AES. No such construction is known. An early, unpublished version of the CMC paper contained buggy versions of the CMC and EME algorithms. Joux discovered the problem [9] and thereby played a key role in our arriving at a correct solution. CMC was easily fixed in response to Joux's attack, but EME did not admit a simple fix. (Indeed, Section 6.1 effectively proves that no "simple fix" is possible for the earlier buggy EME construction.)
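The ECB-Mix-ECB structure described above, as an added worked example that is not code from the paper or from any reference implementation: an EME encipher and decipher in Python following the algorithm of the paper's Figure 1 (two ECB layers over masked blocks, with one further block-cipher call and GF(2^128) doublings in between), which this page does not reproduce, so check the mixing step against the paper before relying on it. The `FeistelCipher` stand-in for the n = 128 block cipher, the helper names (`gf_double`, `powers`, `sector_roundtrip`) and the constructed key and sector bytes are assumptions of this example; in deployment the block cipher would be AES.

```python
import hashlib
import hmac
from functools import reduce

BLOCK = 16   # n = 128 bits; EME requires m in [1..n] blocks per message


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(blocks) -> bytes:
    return reduce(xor, blocks, bytes(BLOCK))


def gf_double(block: bytes) -> bytes:
    # multiply by x in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87
    return v.to_bytes(BLOCK, "big")


def powers(x: bytes, count: int):
    # [x, 2x, 4x, ..., 2^(count-1) x] in GF(2^128)
    out = [x]
    for _ in range(count - 1):
        out.append(gf_double(out[-1]))
    return out


class FeistelCipher:
    # Stand-in 128-bit block cipher, an assumption of this example (not part of EME):
    # a 4-round Feistel network with an HMAC-SHA256 round function, so the example
    # runs on the standard library alone. Use AES in practice; anything exposing
    # encrypt_block/decrypt_block on 16-byte blocks can be plugged in.
    def __init__(self, key: bytes):
        self.round_keys = [hmac.new(key, bytes([i]), hashlib.sha256).digest()
                           for i in range(4)]

    @staticmethod
    def _f(rk: bytes, half: bytes) -> bytes:
        return hmac.new(rk, half, hashlib.sha256).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        l, r = block[:8], block[8:]
        for rk in self.round_keys:
            l, r = r, xor(l, self._f(rk, r))
        return l + r

    def decrypt_block(self, block: bytes) -> bytes:
        l, r = block[:8], block[8:]
        for rk in reversed(self.round_keys):
            l, r = xor(r, self._f(rk, l)), l
        return l + r


def _blocks(tweak: bytes, data: bytes):
    if len(tweak) != BLOCK:
        raise ValueError("tweak must be one n-bit block")
    m, rem = divmod(len(data), BLOCK)
    if rem or not 1 <= m <= 8 * BLOCK:
        raise ValueError("message must be mn bits with m in [1..n]")
    return [data[i * BLOCK:(i + 1) * BLOCK] for i in range(m)]


def _l_masks(bc, m: int):
    # 2^(i-1) L for i = 1..m with L = 2 E_K(0^n); L depends only on the key and
    # can be cached per key, leaving 2m+1 block-cipher calls per message.
    return powers(gf_double(bc.encrypt_block(bytes(BLOCK))), m)


def eme_encipher(bc, tweak: bytes, plaintext: bytes) -> bytes:
    P = _blocks(tweak, plaintext)
    m = len(P)
    L = _l_masks(bc, m)
    # Layer 1: ECB over the masked plaintext blocks (m independent calls).
    PPP = [bc.encrypt_block(xor(P[i], L[i])) for i in range(m)]
    # Lightweight mixing: one block-cipher call; the rest is xor and doubling.
    MP = xor(xor(PPP[0], xor_all(PPP[1:])), tweak)
    MC = bc.encrypt_block(MP)
    Mm = powers(gf_double(xor(MP, MC)), m - 1)       # 2^(i-1) M for i = 2..m
    CCC = [xor(PPP[i], Mm[i - 1]) for i in range(1, m)]
    CCC.insert(0, xor(xor(MC, xor_all(CCC)), tweak))
    # Layer 2: ECB again, then strip the key-derived masks (m independent calls).
    return b"".join(xor(bc.encrypt_block(CCC[i]), L[i]) for i in range(m))


def eme_decipher(bc, tweak: bytes, ciphertext: bytes) -> bytes:
    C = _blocks(tweak, ciphertext)
    m = len(C)
    L = _l_masks(bc, m)
    CCC = [bc.decrypt_block(xor(C[i], L[i])) for i in range(m)]
    MC = xor(xor(CCC[0], xor_all(CCC[1:])), tweak)
    MP = bc.decrypt_block(MC)
    Mm = powers(gf_double(xor(MP, MC)), m - 1)
    PPP = [xor(CCC[i], Mm[i - 1]) for i in range(1, m)]
    PPP.insert(0, xor(xor(MP, xor_all(PPP)), tweak))
    return b"".join(xor(bc.decrypt_block(PPP[i]), L[i]) for i in range(m))


def sector_roundtrip(sector_index: int, sector: bytes, key: bytes) -> bool:
    # Disk-sector use: the sector location is the tweak, so the same ciphertext
    # read back under a different location must not yield the same plaintext.
    bc = FeistelCipher(key)
    tweak = sector_index.to_bytes(BLOCK, "big")
    ct = eme_encipher(bc, tweak, sector)
    return (len(ct) == len(sector) and eme_decipher(bc, tweak, ct) == sector
            and eme_decipher(bc, (sector_index + 1).to_bytes(BLOCK, "big"), ct) != sector)
```

Because the mixing step feeds every first-layer output into the single middle call and spreads its result back over every block, flipping one ciphertext byte changes every plaintext block on decipherment; that wide-block behaviour, together with length preservation and the tweak binding, is exactly what the $\pm\widetilde{\mathrm{prp}}$ notion above asks for. The two ECB layers are the parallel part: each of the m calls in a layer depends only on its own block and a key-derived mask.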
doi:10.1007/978-3-540-24660-2_23 fatcat:6dkqqvnmlfh2dmmjsfpdkew3au