Cryptology ePrint Archive: Report 2002/148

The EMD Mode of Operation (A Tweaked, Wide-Blocksize, Strong PRP)

Phillip Rogaway

Abstract: We describe a block-cipher mode of operation, EMD, that builds a strong pseudorandom permutation (PRP) on $nm$ bits ($m\ge2$) out of a strong PRP on $n$ bits (i.e., a block cipher). The constructed PRP is also tweaked (in the sense of [LRW02]): to determine the $nm$-bit ciphertext block $C=\E_K^T(P)$ one provides, besides the key $K$ and the $nm$-bit plaintext block $P$, an $n$-bit tweak $T$. The mode uses $2m$ block-cipher calls and no other complex or computationally expensive steps (such as universal hashing). Encryption and decryption are identical except that encryption uses the forward direction of the underlying block cipher and decryption uses the backwards direction. We suggest that EMD provides an attractive solution to the disk-sector encryption problem, where one wants to encipher the contents of an $nm$-bit disk sector in a way that depends on the sector index and is secure against chosen-plaintext/chosen-ciphertext attack.

Category / Keywords: secret-key cryptography / block-cipher usage, modes of operation

Date: received 26 Sep 2002, last revised 24 Feb 2003

Contact author: rogaway at cs ucdavis edu

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20030225:061204 (All versions of this report)

Short URL: ia.cr/2002/148

Discussion forum: Show discussion | Start new discussion