Journal of Cryptology

, Volume 21, Issue 4, pp 547–578 | Cite as

Encryption Modes with Almost Free Message Integrity

  • Charanjit S. JutlaEmail author


We define a new mode of operation for block ciphers which, in addition to providing confidentiality, also ensures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware Parallelizable Mode (IAPM), requires a total of m+1 block cipher evaluations on a plain-text of length m blocks. For comparison, the well-known CBC (cipher block chaining) encryption mode requires m block cipher evaluations, and the second pass of computing the CBC-MAC essentially requires additional m+1 block cipher evaluations. As the name suggests, the new mode is also highly parallelizable.


Block ciphers Encryption Authentication Pairwise independent Parallelizable 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Advanced Encryption Standard, National Institute of Standards and Technology, U.S. Department of Commerce, FIPS 197 (2001) Google Scholar
  2. [2]
    ANSI X3.106, American national standard for information systems—data encryption algorithm—modes of operation. In American National Standards Institute (1983) Google Scholar
  3. [3]
    M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In Proc. Asiacrypt. LNCS, vol. 1976 (2000) Google Scholar
  4. [4]
    M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In Proc. Asiacrypt 2000, ed. by T. Okamoto (Springer, Berlin, 2000) Google Scholar
  5. [5]
    M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. In Proc. 38th IEEE FOCS (1997) Google Scholar
  6. [6]
    M. Bellare, J. Kilian, P. Rogaway, The security of cipher block chaining. JCSS 61(3), 362–399 (2000) zbMATHMathSciNetGoogle Scholar
  7. [7]
    J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: Fast and secure message authentication. In Proc. Advances in Cryptology-CRYPTO 99. LNCS, vol. 1666 (1999) Google Scholar
  8. [8]
    J. Carter, M. Wegman, Universal classes of hash functions. JCSS 18, 143–154 (1979) zbMATHMathSciNetGoogle Scholar
  9. [9]
    V.D. Gligor, P. Donescu, Integrity aware PCBC encryption schemes. In Proc. 7th Intl. Work. on Security Protocols. LNCS, vol. 1796 (Cambridge, 1999), pp. 153–171 Google Scholar
  10. [10]
    V.D. Gligor, P. Donescu, Fast encryption authentication: XCBC encryption and XECB authentication modes.
  11. [11]
    O. Goldreich, H. Krawczyk, M. Luby, On the existence of pseudorandom generators. In Proc. FOCS (1988), pp. 12–14. Also in SIAM J. Comput. 22(6), 1163–1175 Google Scholar
  12. [12]
    S. Halevi, An observation regarding Jutla’s modes of operation.
  13. [13]
  14. [14]
    ISO/IEC 9797, Data cryptographic techniques—data integrity mechanism using a cryptographic check function employing a block cipher algorithm. In International Organization for Standardization, Geneva, Switzerland (1989) Google Scholar
  15. [15]
    C.S. Jutla, Encryption modes with almost free message integrity.
  16. [16]
    C.S. Jutla, Encryption modes with almost free message integrity. In Proc. Eurocrypt 2001. LNCS, vol. 2045 (2001) Google Scholar
  17. [17]
    C.S. Jutla, Tight lower bound on linear authenticated encryption. In Proc. Selected Areas in Cryptography 2003. LNCS, vol. 3006 (2003) Google Scholar
  18. [18]
    J. Katz, M. Yung, Unforgeable encryption and adaptively secure modes of operation. In Proc. Fast Software Encryption. LNCS, vol. 1978 (2000) Google Scholar
  19. [19]
    H. Krawczyk, LFSR-based hashing and authentication. In Proc. Crypto 94. LNCS, vol. 839 (1994) Google Scholar
  20. [20]
    H.W. Kuhn, Extensive games and the problem of information. In Contributions to the Theory of Games II, ed. by H.W. Kuhn, A.W. Tucker. Annals of Mathematical Studies, vol. 28 (Princeton Univ. Press, Princeton, 1950) Google Scholar
  21. [21]
    M. Luby, A simple parallel algorithm for the maximal independent set problem. SIAM J. Comput. 15(4), 1036–55 (1986) zbMATHCrossRefMathSciNetGoogle Scholar
  22. [22]
    M. Luby, Pseudorandomness and cryptographic applications. In Princeton Computer Science Notes (Princeton Univ. Press, Princeton, 1996) Google Scholar
  23. [23]
    C.H. Meyer, S.M. Matyas, Cryptography: A New Dimension in Computer Data Security (Wiley, New York, 1982) zbMATHGoogle Scholar
  24. [24]
    M. Naor, O. Reingold, On the construction of pseudo-random permutations: Luby–Rackoff revisited. In Proc. 29th ACM STOC (1997), pp. 189–199 Google Scholar
  25. [25]
    M. Naor, M. Yung, Universal Hash functions and their cryptographic applications. In Proc. STOC, (1989), pp. 33–43 Google Scholar
  26. [26]
    National Bureau of Standards, Data encryption standard, U.S. Department of Commerce, FIPS 46 (1977) Google Scholar
  27. [27]
    National Bureau of Standards, DES modes of operation, U.S. Department of Commerce, FIPS 81 (1980) Google Scholar
  28. [28]
    RFC 1510, The Kerberos network authentication service (V5), J. Kohl and B.C. Neuman (Sept. 1993) Google Scholar
  29. [29]
    RFC 2401, Security architecture for the Internet protocol.
  30. [30]
    RFC 2246, The TLS protocol.
  31. [31]
    P. Rogaway, M. Bellare, J. Black, T. Krovetz, OCB: A block-cipher mode of operation for efficient authenticated encryption. In Proc. 8th ACM Conf. Comp. and Comm. Security (CCS), ACM (2001) Google Scholar
  32. [32]
    S.G. Stubblebine, V.D. Gligor, On message integrity in cryptographic protocols. In Proc. 1992 IEEE Comp. Soc. Symp. on Research in Security and Privacy (1992) Google Scholar

Copyright information

© International Association for Cryptologic Research 2008

Authors and Affiliations

  1. 1.IBM T.J. Watson Research CenterYorktown HeightsUSA

Personalised recommendations