Cryptanalysis of the EMD Mode of Operation
In this paper, we study the security of the Encrypt-Mask-Decrypt mode of operation, also called EMD, which was recently proposed for applications such as disk-sector encryption. The EMD mode transforms an ordinary block cipher operating on n-bit blocks into a tweakable block cipher operating on large blocks of size nm bits. We first show that EMD is not a secure tweakable block cipher and then describe efficient attacks in the context of disk-sector encryption. We note that the parallelizable variant of EMD, called EME that was proposed at the same time is also subject to these attacks.
In the course of developing one of the attacks, we revisit Wagner’s generalized birthday algorithm and show that in some special cases it performs much more efficiently than in the general case. Due to the large scope of applicability of this algorithm, even when restricted to these special cases, we believe that this result is of independent interest.
KeywordsBlock Cipher Malicious User Sector Number Blind Signature Scheme Heuristic Analysis
- 1.J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. In L. Knudsen, editor, Advances in Cryptology — Eurocrypt’2002, volume 2332 of Lectures Notes in Computer Science, pages 384–397. Springer, 2002.Google Scholar
- 2.S. Halevi. An Observation regarding Jutla’s modes of operation. Crytology ePrint archive, Report 2001/015, available at http://eprint.iacr.org.
- 3.C. Jutla. Encryption modes with almost free message integrity. In B. Pfitzmann, editor, Advances in Cryptology — Eurocrypt’01, volume 2045 of Lectures Notes in Computer Science. Springer-Verlag, 2001.Google Scholar
- 4.M. Liskov, R. Rivest, and D. Wagner. Tweakable block ciphers. In M. Yung, editor, Advances in Cryptology — Crypto’2002, volume 2442 of Lectures Notes in Computer Science, pages 31–46. Springer, 2002.Google Scholar
- 5.P. Rogaway. The EMD mode of operation (a tweaked, wide-blocksize, strong PRP), September 26th, 2002. Crytology ePrint archive, Report 2002/148, available at http://eprint.iacr.org.
- 6.D. Wagner. A generalized birthday problem. In M. Yung, editor, Advances in Cryptology — Crypto’2002, volume 2442 of Lectures Notes in Computer Science, pages 288–303. Springer, 2002.Google Scholar