## A general construction of tweakable block ciphers and different modes of operations (2006)

Venue: | In Helger Lipmaa, Moti Yung, and Dongdai Lin, editors, Inscrypt, volume 4318 of Lecture Notes in Computer Science |

Citations: | 11 - 6 self |

### BibTeX

@INPROCEEDINGS{Chakraborty06ageneral,

author = {Debrup Chakraborty and Palash Sarkar},

title = {A general construction of tweakable block ciphers and different modes of operations},

booktitle = {In Helger Lipmaa, Moti Yung, and Dongdai Lin, editors, Inscrypt, volume 4318 of Lecture Notes in Computer Science},

year = {2006},

pages = {88--102},

publisher = {Springer}

}

### OpenURL

### Abstract

Abstract. This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiated as either GF (2 n) or as Z2 n. Further, over GF (2n), efficient instantiations of the masking sequence of functions can be done using either a binary Linear Feedback Shift Register (LFSR); a powering construction; a cellular automata map; or by using a word oriented LFSR. Rogaway’s TBC construction was built from the powering construction over GF (2 n). Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operations including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient one-pass AE mode of operation. Out of these, the mode of operation obtained by the use of word oriented LFSR promises to provide a masking method which is more efficient than the one used in the well known AE protocol called OCB. 3 Keywords: tweakable block cipher, modes of operations, AE, MAC, AEAD. 1

### Citations

406 |
Introduction to finite fields and their applications
- Lidl, Neiderreiter
- 1994
(Show Context)
Citation Context ...). Since τ(x) does not divide x t , we have τ(x)|(x s−t − 1). It is well known that if τ(x) is a primitive polynomial of degree n, then it does not divide x i − 1 for any i < 2 n − 1 (see for example =-=[11]-=-). Since 0 ≤ t < s ≤ 2 n − 2, the fact that τ(x)|(x s−t − 1) contradicts the above property of τ(x). Hence, we must have β = 0 and N = N ′ . This shows that ψs,t() is an injection. Since it is a map f... |

137 | OCB: A block-cipher mode of operation for efficient authenticated encryption
- Rogaway, Bellare, et al.
- 2003
(Show Context)
Citation Context ...fully parallelizable protocol. Independent work due to Gligor and Donescu [7] also proposed single-pass AE protocols. A refinement and extension of Jutla’s parallelizable protocol was done by Rogaway =-=[19]-=- and was called the OCB. In a separate development, the notion of TBCs and their application to modes of operations was proposed by Liskov, Rivest and Wagner [12]. The construction of TBC in [12] was ... |

106 | Encryption modes with almost free message integrity
- Jutla
- 2001
(Show Context)
Citation Context ...AE which requires one invocation per block of the message. This yields an efficiency improvement by a factor of two over conventional approaches. The known one-pass proposals are IACBC, IAPM by Jutla =-=[9]-=-; XCBC, XECB by Gligor-Donescu [7]; and OCB, OCB1 by Rogaway [18]. All these proposals are patented. This has prevented their adoption in NIST standards. In fact, NIST [1] has standardised a two-pass ... |

102 | Tweakable block ciphers
- Liskov, Rivest, et al.
- 2002
(Show Context)
Citation Context ...n appropriate mode of operation for performing such encryption. Thus, designing efficient and secure modes of operations is as important as developing a secure block cipher. Liskov, Rivest and Wagner =-=[12]-=- introduced the concept of tweakable block cipher, which is a block cipher with an additional input called a tweak. The tweak is meant to provide variability and not security. They also showed that it... |

61 | Characterization of security notions for probabilistic privatekey encryption
- Katz, Yung
(Show Context)
Citation Context ...ing sequence and the generalized versions of the XE and the XEX constructions will be of more interest. 1.3 Previous and Related Work The formal model of security for AE was independently proposed by =-=[10]-=- and [2]. Jutla [9] proposed constructions for single-pass AE, including one fully parallelizable protocol. Independent work due to Gligor and Donescu [7] also proposed single-pass AE protocols. A ref... |

58 | A block-cipher mode of operation for parallelizable message authentication
- Black, Rogaway
(Show Context)
Citation Context ...chniques. In this section, we describe a MAC construction which is different from that in [18] and an AEAD protocol based on it. The MAC construction that we describe is closer to the construction in =-=[4]-=-. The algorithm is described in Figure 2. It requires the masks ∆3, ∆4, . . . , ∆m+1 and either ∆1 or ∆2. Defining these masks from the f-functions is easy. For i ≥ 1, define ∆i = fi(N ) where N = EK(... |

53 |
The EAX mode of operation
- Bellare, Rogaway, et al.
- 2004
(Show Context)
Citation Context ...uence is an (n, m, µ) masking sequence if the following properties hold for a fixed element α of {0, 1} n . (1) Prob[fs(N ) = α] ≤ 1 µ , for 1 ≤ s ≤ m. (2) Prob[fs(N ) = N + α] ≤ 1 µ , for 1 ≤ s ≤ m. =-=(3)-=- Prob[fs(N ) = ft(N ) + α] ≤ 1 µ , for 1 ≤ s, t ≤ m and s �= t. (4) Prob[fs(N ) = ft(N ′ ) + α] ≤ 1 µ , for 1 ≤ s, t ≤ m. Here the operation “+” is over R. The probabilities are taken over independent... |

40 | MMH: Software message authentication in the Gbit/second rates
- Halevi, Krawczyk
- 1997
(Show Context)
Citation Context ... contains the integers 0, . . . , 2 n − 1. For i ≥ 1, we define fi(N ) = ((i + 1) × N mod p) mod 2 n . (7) This idea of embedding the ring Z2 n into a field Zp has been earlier used in the literature =-=[8, 21]-=-. However, it has not been used in the context that we have used and to the best of our knowledge, the following result has not appeared earlier. Proposition 2. The sequence f1, f2, . . . , f2 n −2 de... |

40 | Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC
- Rogaway
- 2004
(Show Context)
Citation Context ...rior (N, M) query. Formally, Adv auth Π (A) = Prob[K $ ← K : A E(·,·) forges]. The result on the security of the AE protocol of Figure 1 is stated below and is a minor modification of Corollary 14 of =-=[16]-=-. Theorem 2. Let AE[ � E, τ] be constructed as in Figure 1. Let � E be instantiated by a block cipher E : K × {0, 1} n → {0, 1} n . Then – Adv priv AE[E,τ] (t, σn) ≤ Adv prp E (t′ , σn) + 5q2 2n+1 + 4... |

38 | The security and performance of the galois/counter mode (gcm) of operation
- McGrew, Viega
- 2004
(Show Context)
Citation Context ...ortance. There has been a lot of research on the security model and design of these protocols [4, 17]. A separate line of research has consisted of developing two-pass AE protocols (some examples are =-=[14, 3, 13]-=-). The work [13] presents an AE protocol which is somewhere between one and two pass protocols. In a recent work, Minematsu [15] revisits the work on TBC appearing in [12] and [18]. The work [15] prov... |

34 | Decorrelation: a theory for block cipher security
- Vaudenay
(Show Context)
Citation Context ... contains the integers 0, . . . , 2 n − 1. For i ≥ 1, we define fi(N ) = ((i + 1) × N mod p) mod 2 n . (7) This idea of embedding the ring Z2 n into a field Zp has been earlier used in the literature =-=[8, 21]-=-. However, it has not been used in the context that we have used and to the best of our knowledge, the following result has not appeared earlier. Proposition 2. The sequence f1, f2, . . . , f2 n −2 de... |

33 | Authenticated-encryption with associated-data
- Rogaway
- 2002
(Show Context)
Citation Context ...ur work is a development on the work of [18]. Construction of MAC and AEAD protocols are also of equal importance. There has been a lot of research on the security model and design of these protocols =-=[4, 17]-=-. A separate line of research has consisted of developing two-pass AE protocols (some examples are [14, 3, 13]). The work [13] presents an AE protocol which is somewhere between one and two pass proto... |

28 | A New Version of the Stream Cipher SNOW
- Ekdahl, Johansson
(Show Context)
Citation Context ...elds is not new. This idea is well known to the stream cipher community. Many stream ciphers have been proposed which use word oriented LFSRs. For example, SNOW 1.0 uses the following parameters (see =-=[6]-=-): n = 512, n1 = 32 and n2 = 16, τ1(x) = x 32 ⊕x 29 ⊕x 20 ⊕x 15 ⊕x 10 ⊕x⊕1 and τ2(x) = x 16 ⊕x 13 ⊕x 7 ⊕α −1 , where τ1(α) = 0. The polynomial τ1(x) is irreducible over GF (2) and τ2(x) is primitive o... |

10 |
The two-pass authenticated encryption faster than generic composition
- Lucks
- 2005
(Show Context)
Citation Context ...abridged version of this paper appears as [5].salgorithm for achieving AE. Another undesirable effect of the patent claims is that this has led to some researchers proposing new two-pass AE protocols =-=[3, 13]-=-. An important practical aspect of our work is to uncover a new family of efficient one-pass AE modes of operations. This provides a designer with a greater choice of algorithms. 1.1 Our Contributions... |

8 |
Gligor and Pompiliu Donescu. Fast encryption and authentication: XCBC encryption and XECB authentication modes
- Virgil
- 2001
(Show Context)
Citation Context ...er block of the message. This yields an efficiency improvement by a factor of two over conventional approaches. The known one-pass proposals are IACBC, IAPM by Jutla [9]; XCBC, XECB by Gligor-Donescu =-=[7]-=-; and OCB, OCB1 by Rogaway [18]. All these proposals are patented. This has prevented their adoption in NIST standards. In fact, NIST [1] has standardised a two-pass 3 An abridged version of this pape... |

8 |
A method of designing cellular automata as pseudorandom number generators for built-in self-test for VLSI
- Tezuka, Fushimi
- 1994
(Show Context)
Citation Context ... 1, if |i − j| = 1; Gi,j = 0 or 1, if i = j; and Gi,j = 0 otherwise. The diagonal entries of G can be obtained from the polynomial τ(x) using a tri-diagonalization procedure due to Tezuka and Fushimi =-=[20]-=-. Efficiency: All the above three methods are equally efficient to implement in both hardware and software. Thus, the LFSR and the CA based methods should be seen as comparable rather than better alte... |

4 |
Improved Security Analysis of XEX and LRW Modes
- Minematsu
- 2006
(Show Context)
Citation Context ...consisted of developing two-pass AE protocols (some examples are [14, 3, 13]). The work [13] presents an AE protocol which is somewhere between one and two pass protocols. In a recent work, Minematsu =-=[15]-=- revisits the work on TBC appearing in [12] and [18]. The work [15] provides some improvements to the construction given in [12]. The XEX construction in [18] is presented in a more general form than ... |