Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes
We present the eXtended Ciphertext Block Chaining (XCBC) and the eXtended Electronic Codebook (XECB) encryption schemes, or modes of encryption, that can detect encrypted-message forgeries with high probability even when used with typical non-cryptographic Manipulation Detection Code (MDC) functions (e.g., bitwise exclusive-or and cyclic redundancy code (CRC) functions). These modes detect encrypted-message forgeries at low cost in performance, power, and implementation, and preserve both message secrecy and integrity in a single pass over the message data. Their performance and security scale directly with those of the underlying block cipher function. We also present the XECB message authentication (XECB-MAC) modes, which have all the operational properties of the XOR-MAC modes (e.g., fully parallel and pipelined operation, incremental updates, and out-of-order verification) and have better performance. They are intended for use either stand-alone or with encryption modes that have similar properties (e.g., counter-based XOR encryption). However, the XECB-MAC modes have higher upper bounds on the probability of an adversary's success in producing a forgery than the XOR-MAC modes.
Keywords: Block Cipher, Message Authentication, Pseudorandom Function, Encryption Mode, Extra Block
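The abstract characterizes XECB-MAC by the operational properties it shares with the XOR-MAC modes: each block's PRF value can be computed in parallel, a tag can be updated incrementally when one block changes, and blocks can be verified in any order. The abstract does not specify the XECB-MAC construction itself, so the added example below (not code from the paper or its authors) implements the randomized XOR-MAC of Bellare, Guerin and Rogaway that the abstract compares against, to make those properties concrete. It assumes HMAC-SHA256 truncated to 128 bits as a stand-in for the finite PRF F_K, an 8-byte message block with 10* padding, and a 4-byte block index; the key, message and randomizer values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 16    # bytes of PRF output kept per block (assumption)
BLOCK_LEN = 8   # bytes of message per block (assumption)
IDX_LEN = 4     # bytes used to encode the block index (assumption)


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 truncated to TAG_LEN stands in for the PRF F_K (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg: bytes) -> bytes:
    """10* padding: always append 0x80, then zeros up to a BLOCK_LEN boundary."""
    return msg + b"\x80" + b"\x00" * (BLOCK_LEN - 1 - len(msg) % BLOCK_LEN)


def blocks(msg: bytes) -> list:
    p = pad(msg)
    return [p[i:i + BLOCK_LEN] for i in range(0, len(p), BLOCK_LEN)]


def block_prf(key: bytes, index: int, block: bytes) -> bytes:
    """PRF value of one block; the index is bound in so reordering is detected.
    Each call is independent of the others, so these can run in parallel."""
    return prf(key, b"\x01" + index.to_bytes(IDX_LEN, "big") + block)


def xor_mac(key: bytes, msg: bytes, r: bytes = None):
    """Randomized XOR-MAC: tag = F_K(0||r) XOR (XOR over i of F_K(1||i||M_i))."""
    if r is None:
        r = secrets.token_bytes(TAG_LEN)
    tag = prf(key, b"\x00" + r)
    for i, blk in enumerate(blocks(msg)):
        tag = xor(tag, block_prf(key, i, blk))
    return r, tag


def verify(key: bytes, msg: bytes, r: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time; the XOR sum is order-independent,
    so a verifier may process blocks in whatever order they arrive."""
    _, expected = xor_mac(key, msg, r)
    return hmac.compare_digest(expected, tag)


def update_tag(key: bytes, tag: bytes, index: int,
               old_block: bytes, new_block: bytes) -> bytes:
    """Incremental update when padded block `index` changes from old to new:
    cancel the old block's PRF term and add the new one, without re-reading the message."""
    return xor(xor(tag, block_prf(key, index, old_block)),
               block_prf(key, index, new_block))


if __name__ == "__main__":
    key = b"\x11" * 32                        # constructed demo key
    msg = b"pay 100 to alice"                 # constructed demo message
    r, tag = xor_mac(key, msg)
    print("verify original:", verify(key, msg, r, tag))
    print("verify swapped blocks:", verify(key, b"to alicepay 100 ", r, tag))
    new_msg = b"pay 100 to bob  "
    new_tag = update_tag(key, tag, 1, b"to alice", b"to bob  ")
    print("incremental tag matches full recompute:",
          new_tag == xor_mac(key, new_msg, r)[1])
```

The index bound into every per-block PRF input is what lets the XOR sum stay order-independent without permitting block reordering; `update_tag` shows the incremental property the abstract attributes to both XOR-MAC and XECB-MAC, and it only applies to in-place block replacement at unchanged message length.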