Paper 2002/148

The EMD Mode of Operation (A Tweaked, Wide-Blocksize, Strong PRP)

Phillip Rogaway

Abstract

We describe a block-cipher mode of operation, EMD, that builds a strong pseudorandom permutation (PRP) on $nm$ bits ($m\ge2$) out of a strong PRP on $n$ bits (i.e., a block cipher). The constructed PRP is also tweaked (in the sense of [LRW02]): to determine the $nm$-bit ciphertext block $C=\E_K^T(P)$ one provides, besides the key $K$ and the $nm$-bit plaintext block $P$, an $n$-bit tweak $T$. The mode uses $2m$ block-cipher calls and no other complex or computationally expensive steps (such as universal hashing). Encryption and decryption are identical except that encryption uses the forward direction of the underlying block cipher and decryption uses the backwards direction. We suggest that EMD provides an attractive solution to the disk-sector encryption problem, where one wants to encipher the contents of an $nm$-bit disk sector in a way that depends on the sector index and is secure against chosen-plaintext/chosen-ciphertext attack.

Metadata
Available format(s)
PDF PS
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
block-cipher usagemodes of operation
Contact author(s)
rogaway @ cs ucdavis edu
History
2003-02-25: last of 3 revisions
2002-09-27: received
See all versions
Short URL
https://ia.cr/2002/148
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2002/148,
      author = {Phillip Rogaway},
      title = {The EMD Mode of Operation (A Tweaked, Wide-Blocksize, Strong PRP)},
      howpublished = {Cryptology ePrint Archive, Paper 2002/148},
      year = {2002},
      note = {\url{https://eprint.iacr.org/2002/148}},
      url = {https://eprint.iacr.org/2002/148}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.