Paper 2001/015

An observation regarding Jutla's modes of operation

Shai Halevi


Recently, Jutla suggested two new modes of operation for block ciphers. These modes build on traditional CBC and ECB modes, respectively, but add to them masking of the outputs and inputs. Jutla proved that these masking operations considerably strengthen CBC and ECB modes. In particular, together with a simple checksum, the modified modes ensure not only confidentiality, but also authenticity. Similar modes were also suggested by Gligor and Donescu and by Rogaway. In Jutla's proposal (as well as in some of the other proposals), the masks themselves are derived from an IV via the same block cipher as used for the encryption (perhaps with a different key). In this work we note, however, that the function for deriving these masks need not be cryptographic at all. In particular, we prove that a universal hash function (à la Carter-Wegman) is sufficient for this purpose.

Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
block ciphers, modes of operation
Contact author(s)
shaih @ watson ibm com
2001-04-02: last of 2 revisions
2001-02-23: received
Creative Commons Attribution


      author = {Shai Halevi},
      title = {An observation regarding Jutla's modes of operation},
      howpublished = {Cryptology ePrint Archive, Paper 2001/015},
      year = {2001},
      note = {\url{}},
      url = {}