**Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher**

*Palash Sarkar*

**Abstract: **This paper considers the construction and analysis of pseudo-random functions (PRFs) with
specific reference to modes of operations of a block cipher. In the context of message
authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how
to reduce the analysis of relevant PRFs to some probability calculations. In the first part of
the paper, we revisit this result and use it to prove a general result on constructions
which use a PRF with a ``small'' domain to build a PRF with a ``large'' domain. This result
is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The
first scheme, called {\iPMAC}, is based on a block cipher and improves upon the well-known PMAC
algorithm. The improvements consist in faster masking operations and the removal of a design
stage discrete logarithm computation. The second scheme, called {\VPMAC}, uses a keyed
compression function rather than a block cipher. The only previously known compression function
based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein.
{\VPMAC} improves upon PCS by requiring lesser number of calls to the compression function.

The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and later Rogaway had suggested that this analysis is simplified by using a primitive called a tweakable block cipher (TBC). In contrast, we take a direct approach. We prove a general result which shows that the authentication security of an AE scheme can be proved from the privacy of the scheme and by showing a certain associated function to be a PRF. Two new AE schemes \sym{PAE} and \sym{PAE}-1 are described and analysed using this approach. In particular, it is shown that the authentication security of \sym{PAE} follows easily from the security of {\iPMAC}. As a result, no separate extensive analysis of the authentication security of \sym{PAE} is required.

An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme and it has been suggested earlier that a TBC based approach simplifies the analysis. Again, in contrast to the TBC based approach, we take a direct approach based on a simple masking strategy. Our idea uses double encryption of a fixed string and achieves the same effect of mask separation as in the TBC based approach. Using this idea, two new AEAD schemes \sym{PAEAD} and \sym{PAEAD}-1 are described. An important application of AEAD schemes is in the encryption of IP packets. The new schemes offer certain advantages over previously well known schemes such as the offset codebook (OCB) mode. These improvements include providing a wider variety of easily reconfigurable family of schemes, a small speed-up, a smaller size decryption algorithm for hardware implementation and uniform processing of only full-block messages.

**Category / Keywords: **pseudo-random function, message authentication, protected counter sum, PMAC, encryption, authentication, authenticated encryption, authenticated encryption with associated data, OCB

**Date: **received 17 May 2009, last revised 7 Sep 2009

**Contact author: **palash at isical ac in

**Available format(s): **PDF | BibTeX Citation

**Note: **This is a major revision. It includes new protocols for AE and AEAD and provides further details which were not present in the earlier version.

**Version: **20090907:120831 (All versions of this report)

**Short URL: **ia.cr/2009/217

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]