Paper 2009/217

Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher

Palash Sarkar

Abstract

This paper considers the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a ``small'' domain to build a PRF with a ``large'' domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called {\iPMAC}, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design stage discrete logarithm computation. The second scheme, called {\VPMAC}, uses a keyed compression function rather than a block cipher. The only previously known compression function based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. {\VPMAC} improves upon PCS by requiring lesser number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and later Rogaway had suggested that this analysis is simplified by using a primitive called a tweakable block cipher (TBC). In contrast, we take a direct approach. We prove a general result which shows that the authentication security of an AE scheme can be proved from the privacy of the scheme and by showing a certain associated function to be a PRF. Two new AE schemes \sym{PAE} and \sym{PAE}-1 are described and analysed using this approach. In particular, it is shown that the authentication security of \sym{PAE} follows easily from the security of {\iPMAC}. As a result, no separate extensive analysis of the authentication security of \sym{PAE} is required. An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme and it has been suggested earlier that a TBC based approach simplifies the analysis. Again, in contrast to the TBC based approach, we take a direct approach based on a simple masking strategy. Our idea uses double encryption of a fixed string and achieves the same effect of mask separation as in the TBC based approach. Using this idea, two new AEAD schemes \sym{PAEAD} and \sym{PAEAD}-1 are described. An important application of AEAD schemes is in the encryption of IP packets. The new schemes offer certain advantages over previously well known schemes such as the offset codebook (OCB) mode. These improvements include providing a wider variety of easily reconfigurable family of schemes, a small speed-up, a smaller size decryption algorithm for hardware implementation and uniform processing of only full-block messages.

Note: This is a major revision. It includes new protocols for AE and AEAD and provides further details which were not present in the earlier version.