Parallelizable Encryption Mo de with Almost
Free Message Integrity
Charanjit S. Jutla
IBM T. J. Watson Research Center,
Yorktown Heights, NY 10598-704
1 Intro duction
In this do cument we prop ose a new mo de of op eration for symmetric key blo ck
cipher algorithms. The main feature distinguishing the prop osed mo de from
existing mo des is that along with providing confdentiality of the message, it
also provides message integrity. In other words, the new mo de is not just a
mo de of op eration for encryption, but a mo de of op eration for authenticated
encryption. As the title of the do cument suggests, the new mo de achieves the
additional prop erty with little extra overhead, as will b e explained b elow.
The new mo de is also highly parallelizable. In fact, it has critical path of only
two blo ck cipher invocations. By one estimate, a hardware implementation of this
mo de on a single b oard (housing 1000 blo ck cipher units) achieves terabits/sec
12
(10 bits/sec) of authenticated encryption. Moreover, there is no p enalty for
doing a serial implementation of this mo de.
The new mo de also comes with pro ofs of security, assuming that the under-
lying blo ck ciphers are secure. For confdentiality, the mo de achieves the same
provable security b ound as CBC. For authentication, the mo de achieves the same
provable security b ound as CBC-MAC.
The new parallelizable mo de removes chaining from the well known CBC
mo de, and instead do es an input whitening (as well an output whitening) with
a pairwise indep endent sequence. Thus, it b ecomes similar to the ECB mo de.
However, with the input whitening with the pairwise indep endent sequence the
new mo de has provable security similar to CBC (Note: ECB do es not have
security guarantees like CBC). Also, the output whitening with the pairwise
indep endent sequence guarantees message integrity.
The pairwise indep endent sequence can b e generated with little overhead. In
fact, the input and output whitening sequence need only b e pairwise diferentially
uniform, which is a weaker prop erty than pairwise indep endence, as explained
in the details b elow. The weaker pairwise diferentially uniform sequence can b e
generated with even lesser overhead.
The parallelizable mo de comes in two favors. These favors refer to how the
pairwise diferentially uniform sequence is generated. In one mo de, we just use
a pairwise indep endent sequence generated by a subset construction. In another
mo de, the pairwise diferentially uniform sequence is generated by (a * i) mo dulo
a fxed prime numb er. There will b e one standard prime numb er for each bit-size
64
blo ck cipher. Thus, for 64 bit blo ck ciphers the prime could b e 2 ; 257. For
128
128 bit blo ck ciphers, the prime could b e 2 ; 159.
The mo des are describ ed b elow in more detail.
We frst give defnitions of pairwise indep endence and related concepts. Then
we describ e the parallelizable mo de using the algebraic construction a * i mo dulo
a fxed prime. Next, we describ e the mo de using only exclusive-or op erations. In
section 5, the diferent notions of security are defned. In section 6, we prove that
the IAPM construction is secure for message integrity. We frst start by proving
the theorem for the construction in Fig 2 with t=1. In section 6.1 we give an
alternative pro of of this theorem inspired by Johan Haastad. In section 6.2 we
extend the pro of to arbitrary t. Then, in section 6.3 we prove the theorem for
the construction in Fig 1, i.e.the IAPM mo de using GFp. Finally, in section 7
we prove that the IAPM scheme is secure for message secrecy as well.
2 Defnitions
Defnition 1 (pair-wise indep endence) A sequence of uniformly distributed n-
bit random numbers s , s , :::, s , is called pair-wise independent if for every pair
1 2 m
i, j, i =6 j , and every pair of n bit constants c and c , probability that s = c
1 2 i 1
;2n
and s = c is 2 .
j 2
Defnition 2 (pair-wise diferentially-uniform) A sequence of uniformly dis-
tributed n-bit random numb ers s , s , :::, s , is called pair-wise diferentially-
1 2 m
uniform if for every pair i, j, i 6= j , and every n bit constant c, probability that
;n
s E s is c is 2 .
i j
It is a fact that a pair-wise indep endent uniformly distributed sequence is
also pair-wise diferentially uniform.
Defnition 3 (pair-wise diferentially-uniform in GFp) A sequence of random
numb ers s , s , :::, s uniformly distributed in GFp, is called pair-wise diferentially-
1 2 m
uniform in GFp if for every pair i, j, i =6 j , and every constant c in GFp, proba-
bility that (s ; s ) mo d p is c is 1/p.
i j
A sequence of m pair-wise indep endent numbers can b e generated from ab out
log m indep endent random numb ers by a subset construction. The subset con-
struction only involves exclusive-or op erations.
A pair-wise indep endent sequence can also b e generated by an algebraic
construction in GFp, by using two indep endent random numb ers a and b in
GFp. The sequence is given by s = (a + i * b) mo d p.
i
A pair-wise diferentially uniform in GFp sequence can b e generated from
only a single random numb er a in GFp by defning s = (i * a) mo d p.
i
3 Integrity Aware Parallelizable Mo de (IAPM) using a
prime numb er
Let n b e the blo ck size of the underlying blo ck cipher. We will restrict our
attention to n = 128 in this pap er. If the blo ck cipher requires keys of length
k , then this mo de requires two indep endent keys of length k . Let these keys
b e called K 0 and K 1. From now on, we will use f to denote the encryption
K
function under key K .
The message to b e encrypted P , is divided into blo cks of length n each. Let
these blo cks b e P , P , :::, P . As in CBC, a random initial vector r of length n
1 2 m;1
bits is chosen. The vector r need not b e chosen randomly, as long as it is unique
for each message. This random vector is used to generate a new random vector
a using the blo ck cipher and key K0, which in turn is used to prepare m + 1 new
pairwise diferentially uniform vectors S , S , :::, S .
0 1 m
128
Let p = 2 ; 159. The numb er p is known to b e a prime. This prime will
b e fxed for all invocations of this mo de using blo ck ciphers of blo ck size 128 bit.
64
For 64-bit ciphers p = 2 ; 257 is recommended.
Now, the sequence S , S , :::S is generated by the following pro cedure:
m 0 1
dif uniform sequence(in r, m, K 0; out S ) procedure pairwise
f
a = f (r )
K 0
128 128
if (a 2 (2 ; 159)) a = (a + 159) mo d 2
S = a
0
for j = 1 to m do
128
S = (S + a) mo d 2
j j ;1
if (a > S ) S = S + 159
j j j
end for
g
The condition (a > S ) is equivalent to 128-bit integer addition overfow in
j
128
the previous step. Note that we do not reduce mo dulo p if (S + a) < 2 , but
j ;1
128
we do comp ensate by 159 if (S + a) 2 2 , as in the latter case, (S + a)
j ;1 j ;1
128 128
mo d p = S + a ; (2 ; 159) = (S + a ; 2 ) + 159.
j ;1 j ;1
In this mo de, the input and output whitening is done by 128-bit integer addition.
The ciphertext message C =< C , C , :::, C > is generated as follows (see fg
0 1 m
1):
C = r
0
for i = 1 to m ; 1 do
128
M = (P + S ) mo d 2
i i i
N = f (M )
i K 1 i
128
C = (N + S ) mo d 2
i i i
end for
checksum = P E P E ::: E P
1 2 m;1
128
M = (checksum + S ) mo d 2
m m
N = f (M )
m K 1 m
128
C = (N + S ) mo d 2
m m 0
Note that for computing the checksum we use xor instead of addition mo dulo
128 128
2 . The scheme is secure even if the checksum is computed by a mo dulo 2
sum, but for the standard we prefer that the checksum b e computed by an
xor-sum. Note that S is used in the last step.
0
The ab ove scheme is invertible. The inversion pro cess yields blo cks P , P , :::, P .
1 2 m r P P r 1 2 Pm−1 checksum S S S S 1 2 m−1 m M M M 1 2 m
f f f ..... K0 f f f K1 K1 K1 K1 K1
N N N m a 1 2 S S S S 1 2 m−1 0 mod p constr. C C C Cm 0 1 C2 m−1 S S ...... S
0 1 m
Fig. 1. Integrity Aware Parallelizable Mo de (IAPM)
The decrypted plaintext is < P , P , :::, P >. Message integrity is verifed by
1 2 m;1
checking
P = P E P E ::: E P
m 1 2 m;1
Here is the pseudo-co de for decryption:
r = C
0
invoke pairwise dif uniform sequence(r, m, K 0, S );
for i = 1 to m ; 1 do
128
N = (C ; S ) mo d 2
i i i
;1
M = f (N )
i i
K 1
128
P = (M ; S ) mo d 2
i i i
end for
checksum = P E P E ::: E P
1 2 m;1
128
N = (C ; S ) mo d 2
m m 0
;1
M = f (N )
m m
K 1
128
P = (M ; S ) mo d 2
m m m
Integrity = (P == checksum)
m
4 IAPM with only xor op erations
The mo de describ ed ab ove uses integer addition. We now describ e a similar mo de
in which the only op erations are blo ck cipher invocations and exclusive-or op-
erations. In particular, the pairwise diferentially uniform sequence is generated
using a subset construction. Actually, this sequence has the stronger prop erty
of pairwise indep endence. The subset construction is also optimized using Gray
co de (http://hissa.nist.gov/dads/HTML/graycode.html). The p enalty one has
to pay in this mo de is that instead of generating one extra vector a as describ ed
in the previous section, one now generates ab out log m new vectors, where m is
the numb er of blo cks in the message to b e encrypted.
As b efore the message P to b e encrypted, is divided into blo cks of length n
each. Let these blo cks b e P , P , :::, P . The initial vector r is used to generate
1 2 m;1
t = dlog(m + 2)e new vectors, which in turn are used to prepare m + 1 new
pairwise indep endent vectors S , S , :::, S .
0 1 m
The following pseudo-co de is the prop osed metho d of generating the sequence
S .
indep endent sequence(in r, m, K 0; out S ) procedure pairwise
f
W = f (r );
0 K 0
S = W ;
0 0
for i = 1 to m do
j = i + 1;
k = 0;
/* fnd the index of the least signifcant ON bit in (i + 1) */
while ((j &1) == 0) do
k = k + 1; j = j >> 1; /* increment k and right shift */
end while
if ((j E 1) == 0) /* if (i + 1) is a p ower of 2 */
W = f (W + k );
k K 0 0
S = S E W ;
i i;1 k
end for
g
Note that S is obtained from S in just one XOR. The inner while lo op
i i;1
condition is checked two times on average.
The ciphertext message C =< C , C , :::, C > is generated as follows (see
0 1 m
fg 2):
C = r
0
for i = 1 to m ; 1 do
M = (P E S )
i i i
N = f (M )
i K 1 i
C = (N E S )
i i i
end for
checksum = P E P E ::: E P
1 2 m;1
M = (checksum E S )
m m
N = f (M )
m K 1 m
C = (N E S )
m m 0
Again, note that S is used in the last step. This pseudo-co de is same as the
0
one in the previous section except that all integer additions have b een replaced
by exclusive or op erations. r P P P checksum r W + 1 W +t−1 1 2 m−1 0 0 S S S S 1 2 m−1 m M M M 1 2 m
f f f f f ..... f f K0 K0 ... K0 f f K1 K1 K1 K1 K1
N m N1 N2 S S S S 1 2 m−1 0 W W W t−1 C C C 0 1 0 C1 C2 m−1 m
SUBSET CONSTRUCTION
S S
0 1 ....Sm
Fig. 2. IAPM with only xor op erations
Here is the pseudo-co de for decryption:
r = C
0
invoke pairwise indep endent sequence(r, m, K 0, S );
for i = 1 to m ; 1 do
N = (C E S )
i i i
;1
M = f (N )
i i
K 1
P = (M E S )
i i i
end for
checksum = P E P E ::: E P
1 2 m;1
N = (C E S )
m m 0
;1
M = f (N )
m m
K 1
P = (M E S )
m m m
Integrity = (P == checksum)
m
5 Encryption Schemes: Message Security with Integrity
Awareness
We give defnitions of schemes which explicitly defne the notion of secrecy of
the input message.
In addition, we also defne the notion of message integrity. Moreover, we allow
arbitrary length input messages (upto a certain b ound).
O (n)
Let Coins b e the set of infnite binary strings. Let l (n) = 2 , and w (n) =
O (n). Let N b e the natural numb ers.
Defnition A (probabilistic, symmetric, stateless) encryption scheme with mes-
sage integrity consists of the following:
{ initialization: All parties exchange information over private lines to estab-
n
lish a private key x 2 f0, 1g . All parties store x in their resp ective private
memories, and jxj = n is the security parameter.
{ message sending with integrity:
l(n) l(n)
n
Let E : f0, 1g X Coins X N X f0, 1g ! f0, 1g X N
l(n) l(n)
n
D : f0, 1g X N X f0, 1g ! f0, 1g X N
l(n) w (n)
MDC : N X f0, 1g ! f0, 1g
b e p olynomial-times function ensembles. In E , the third argument is sup-
p osed to b e the length of the plain-text, and E pro duces a pair consisting of
cipher-text and its length. Similarly, in D the second argument is the length of
the cipher-text. We will drop the length arguments when it is clear from con-
n
text. The functions E and D have the prop erty that for all x 2 f0, 1g , for all
l(n)
P 2 f0, 1g , c 2 Coins
D (E (c, P )) = P kMDC(P )
x x
We will usually drop the random argument to E as well, and just think of E
as a probabilistic function ensemble.It is also conceivable that MDC may dep end
on Coins, cipher-text.
Defnition (Security under Find-then-Guess [8], [2])
Let
l(n) l(n)
A1 : N X Coins X f0, 1g !f0, 1g
l(n) l(n) l(n)
A2 : Coins X f0, 1g !f0, 1g X f0, 1g
l(n) l(n) l(n)
A3 : N X Coins X f0, 1g X f0, 1g !f0, 1g
l(n)
!f0, 1g A : Coins X f0, 1g
b e adversaries.
The chosen plaintext attack works as follows:
(choose a private key) Randomly cho ose a private key x.
(chosen plaintext attack-I) Cho ose R 2 Coins. For j 2 [1::l (n)], phase j
U
works as follows. Let
1 j ;1
C = (E (P ), :::, E (P ))
x x
b e the concatenation of the encryptions of the frst j ; 1 message blo cks (ap-
j
propriately padded with zero es). Then P = A1(j, R, C ). At the end of at most
1 p
p : l (n) phases, let P = hP , :::, P i b e all the message blo cks pro duced by A1,
1 p
and let C = hE (P ), :::, E (P )i b e the encryption of P .
x x
00 01
(choose a private message blo ck) Let hP , P i = A2(R, C ) b e the pair
00 01
of message blo cks pro duced by A2. It is required that neither P nor P is
00 01
among the message blo cks in P . Also P and P should b e of the same length.
0 0b
Cho ose b2 f0, 1g privately, let P = P b e the privately chosen message, and
U
0 0 0
let C = E (P ) b e the encryption of P .
x
(chosen plaintext attack-I I) the chosen plaintext attack is continued as in
part I, resulting in another encrypted sequence D of an adaptively chosen plain-
0
00 p+2 p+1+p
text sequence P = hP , :::, P i. We will extend C to denote the complete
0
1 p 0 p+2 p+1+p
encrypted sequence C = hE (P ), :::, E (P ), E (P ), E (P ), :::, E (P )i.
x x x x x
(predict the bit) The advantage of the adversary is
Adv = jPr [A(R, C ) = b] ; 1/2j
A
An encryption scheme is said to b e (t, q , {, c)-secure against chosen plaintext
attack if for any adversary A (including A1, A2, A3) which runs in time at most
t and asks at most q queries of E , these totaling at most { blo cks, its advantage
x
is at most c.
The following notion of security is also called integrity of ciphertext ([4]).
Defnition (Message Integrity): Consider an adversary A running in two stages.
In the frst stage (fnd) A asks r queries of the oracle E . Let the oracle replies
x
1 r 0 i
b e C , :::C . Subsequently, A pro duces a cipher-text C , diferent from each C ,
i 2 [1::r ]. Since D has length of the cipher-text as a parameter, the breakup of
0 0 00 00
D (C ) as P kP , where jP j = w (n), is well defned. The adversary's success
x
probability is given by
def
0 00
Succ = P r [MDC (P ) = P ]
An encryption scheme is secure for message integrity if for any adversary A, A's
success probability is negligible.
6 Message Integrity
In this section we show that the mo de of op eration IAPM in Fig 2 guarantees
message integrity with high probability. We frst restrict to the case where only
one W is generated , i.e. W , as that brings out the main idea of the pro of. In
0
the next subsection we show how the pro of easily generalizes to arbitrarily many
W's. Finally, we show how these pro ofs also generalize to the mo d p construction
of Fig 1 (in which case only one W is generated anyway).
In the following theorem, we will assume that the blo ck cipher (under a key
K 1) is a a random p ermutation F . We also assume that the t W 's are generated
using an indep endent random p ermutation G (for instance, using a diferent key
K 2 in a blo ck cipher).
1 2 z 1
Let the adversary's queries in the frst stage b e p , P , :::P . We write p
1
in lower case, as for each adversary p is fxed. All random variables will b e
1 z
denoted by upp er case letters. Let the corresp onding ciphertexts b e C , :::, C .
1 z
We will use C to denote the sequence of ciphertext messages C , :::, C . For all
random variables corresp onding to a blo ck, we will use sup erscripts to denote
the message number, and subscripts to denote blo cks in a particular message.
i
Thus C will b e the random variable representing the j th blo ck in ciphertext
j
i
message i. More precisely, this variable should b e written C (F , G), as it is a
j
function of the two p ermutations. However, we will drop the arguments when it
is clear from context.
0
Let the adversary's query in the second stage b e cipher-text C , diferent
from all ciphertexts in the frst stage. We will use primed variables to denote the
variables in the second stage.
i
We will use W to denote the set of variables fW : i 2 [1::z ], j 2 [1::t]g [
j
0 i 0
fW , j 2 [1::t]g. We will use S (S ) to denote masks or \whitening" blo cks
j
i 0 i
generated using W (W resp). Any metho d can b e used to generate S from
i i
W , as long as S are pairwise diferentially uniform. For a particular adversary,
j
i
S is a function of p ermutation G and the initial vector, and hence should (more
j
i i i
precisely) b e written as S (G, C (F , G)) (C (F , G) b eing the IV used to generate
0 0
j
i
W ). But, we will drop the arguments as it will b e clear from context. For any
1
i i
constant r , we will denote by S (r ) the random variable S (G, r ).
j j
i i i
The variables M and N are as in Fig 2. For example, M = P E S .
j j j
We start with some informal observations to aid the reader in the eventual
0
formal pro of. Since the new ciphertext C is diferent from all old ciphertexts,
i
it must difer from each old ciphertext C in a least blo ck numb er, say d(i).
i k
For each C (except at most one C ), the blo ck numb er d(i) = 0, with high
0
probability. In Lemma 3 we show that with high probability N is diferent
d(k )
i 0
from all old N , and all other new N blo cks (except for a sp ecial case). Thus,
j
0
is random. Then it follows (Theorem 1) that in either case the checksum M
d(k )
is unlikely to validate.
We frst prove the theorem for schemes in which the pairwise diferentially
uniform sequence is generated using only one W , i.e. t = 1. The general case is
addressed in a later subsection.
Theorem 1. Let A be an adversary attacking the message integrity of IAPM
(t = 1) with random permutations F and G. Let A make at most z queries in
the frst stage, totaling at most { blocks. Let u = { + z . Let v be the maximum
number of blocks in the second stage. Then for adversary A,
2 2 2 ;n
S ucc < (2 * u + z + (z + 1) + u + v + 2 + o(1)) * 2
Pro of:
In the frst stage the adversary makes queries with a total of at most m plain-
text messages (chosen adaptively). W.l.o.g. assume that the adversary actually
i
makes exactly m total message queries in the frst stage. Let L b e the random
i
variable representing the length of ciphertext C (i.e. the checksum blo ck has
i 0 0
index L ; 1). Similarly, L will denote the length of C .
We prove that either the adversary forces the following event E0, or the event
E1 happ ens with high probability. In either case the checksum validates with low
probability.
The frst event E0 is called deletion attempt, as the adversary in this case
just truncates an original ciphertext, but retains the last blo ck.
0 i
Event E0 (deletion attempt): There is an i 2 [1::z ], such that 2 : L < L ,
and
0 0 i
(i) 8j 2 [0::L ; 2] : C = C
j j
0 i
and (ii) C = C
0
i
L ;1
L ;1
0
Event E1 says that there is a blo ck in the new ciphertext C , such that its
N variable is diferent from all previous N s (i.e. from original ciphertexts from
the frst stage), and also diferent from all other new N s.
0
Event E1: there is an x 2 [1::L ; 1] such that
s 0 s
(i) 8s 2 [1::z ]8j 2 [1::L ; 1] : N 6= N
x j
0 0 0
and (ii) 8j 2 [1::L ; 1], j 6= x : N 6= N
x j
We next show that in b oth cases (i.e E0 or E1) the checksum validates with
low probability.
0 i 0 i
For the case that E0 happ ens, we have (since S = S and N = N ),
0
i
L ;1
L ;1
0
L ;1
X
0
( P = 0) ^ E0
j
j #1
0
L ;2
X
i i i
) (P ) + M + S = 0
0
i
j L ;1
L ;1
j #1
0 i
L ;2 L ;2
X X
i i i i
= (P ) + (P ) + S + S = 0
0
i
j j L ;1
L ;1
j #1 j #1
i i i
Note that r can b e chosen after P has b een determined (as P is a deterministic
1 i;1 i i
function of C , : : : , C ), and hence the S s are indep endent of P . Since the
i 0 i
S s are pairwise diferentially uniform and L < L , the ab ove event happ ens
;n
with probability at most 2 .
For the case E1, by Lemma 2, the checksum validates with probability at
n
most 1/(2 ; u ; v )
Thus the adversary's success probability is upp er b ounded by
1 1
Pr[:(E 0 _ E 1)] + +
n n
2 ; (u + v ) 2
which by Lemma 3 is at most
2 2 ;n 2 2 ;n ;2n
(u + z + u + v + 2) * 2 + (u + (z + 1) ) * 2 + O (u + v ) * 2
2
0
P
L ;1
1
0
= 0 j E 1] : Lemma 2. Pr[ P
n
j
j #1
2 ;(u+v )
;1 0
Proof: F b eing a random p ermutation, under E1, F (N ) can not take values
x
;1 s s ;1 0
already assigned to F (N ), s 2 [1::z ], j 2 [1::L ; 1]. Also, F (N ) can
x
j
;1 0
b e chosen after F (N ) have b een assigned values (j 6= x). Thus, under the
j
0 ;1 0
condition that event E1 has happ ened we have that M = F (N ) can take
x x
0
any of the other values, i.e. excluding the following (at most) ({ + z ) + L ; 2
0 i
values, with equal probability (indep endently of C , C , r , i 2 [1::z ], G, and
hence indep endently of W , and indep endent of E1 itself ):
s s
{ values already taken by M , :::, M , for each s, and
s
1
L ;1
0 0
{ the values to b e taken (or already fxed) by M , j 2 [1::L ; 1], j 6= x.
j
0
P
L ;1
0
Now, P = 0 if
j
j #1
0
L ;1
X
;1 0 0 0 0 0
F (N ) = M = (M E S ) E S
x x j j x
j #1,j 6#x
n
Given any value of the RHS, since the LHS can take (at least) 2 ; (u + v ; 2)
n
values, the probability of LHS b eing equal to RHS is at most 1/(2 ; (u + v )).
2
Lemma 3. Let events E0,E1 be as in Theorem 1. Then,
2 2 ;n 2 2 ;n
Prob[:(E0 _ E1)] < (u + z + u + v ) * 2 + (u + (z + 1) ) * 2
Proof: We frst calculate the probability of event (E 0 _ E 1) happ ening under the
assumption that F and G are random functions (instead of random p ermuta-
tions). Since F (and G) is invoked only u times ((z + 1) times resp.), a standard
argument shows that the error introduced in calculating the probability of event
2 ;n 2
(E0 _ E1) is at most (u + (z + 1) 2 ) * .
We now consider an event, which says that all the M variables are diferent.
The goal is to claim indep endence of the corresp onding N variables, and hence
the C variables. However, the situation is complicated by the fact that the con-
i
dition that all the M variables for some i are diferent, may cause the variables
j
0
i 0
C , for i < i, to b e no more indep endent. However, a weaker statement can b e
j
proved by induction. To this end, consider the event E2(y ), for y : z :
0 0
0 0 i 0 i 0 0 i i
8i, i 2 [1::y ], 8j, j , j 2 [1::L ; 1], j 2 [1::L ; 1], (i, j ) 6= (i , j ) : (M =6 M )
0
j j
Event E2(z ) will also b e denoted by E2.
i
We also predicate on the event that all the initial variables C are diferent.
0
Let E 3 b e the event that
j
i
8i, j 2 [1::z ], i 6= j : C =6 C
0
0
1 z i
;! !;
For r = r , :::, r , all r diferent, let E 3( r ) b e the event that for all i 2 [1::z ],
i i
C = r .
0
Let l () b e the length of the frst ciphertext (determined by the adversary). We
i
will use constant c to denote strings of arbitrary blo ck length. We will use c to
1 z
denote the sequence c , :::, c . The function j j is used b elow to represent length
1 i
of a message in blo cks. Given a sequence of ciphertext messages c , :::, c , i : z ,
1 i
let l (c , :::, c ) b e the length of the (i + 1)th ciphertext (which is determined by
1 i
the adversary, and therefore is a deterministic function of c , :::c ). Recall that
i i
;!
each ciphertext includes the blo ck C , which is just r under E 3( r ). Also, since
0
0 1 z
C is a deterministic function of C , given c , :::, c let the ciphertext in the second
0 0
stage b e c with length l . We have
X X
!;
Pr [:(E 0 _ E 1) ^ E 2 j E 3( r ) ] = ::: :::
1 1
i i i;1 1
c : jc j#l() c : jc j#l(c ,:::,c )
X ^
i i
!;
::: Pr [:(E 0 _ E 1) ^ C = c ^ E 2 j E 3( r ) ] (1)
z m;1 z 1
i
c : jc j#l(c ,:::,c )
i i
In this sum, if for some i, c =6 r , then the inside expression is zero. Also, if
0
0
event E0 holds for c (which determines c ), then the inside expression ab ove for
that c is zero. So, from now on, we will assume that E0 do es not hold for C = c.
Then, the inside expression ab ove b ecomes:
^
i i
!;
Pr [:(E 0 _ E 1) ^ C = c ^ E 2 j E 3( r )]
i
�
X ^
0 s i i
!;
0
: m in Pr [(N = N ) ^ C = c ^ E 2 j E 3( r )]
x2[1::l ;1]
x j
s
i
s2[1::z ],j 2[1::jc j;1]
�
X ^
0 0 i i
!;
+ Pr [(N = N ) ^ C = c ^ E 2 j E 3( r )]
x j
0
i
j 2[1::l ;1],j #6 x
0 s 0 s 0 s 0 s
For each s, j , we have (N = N ) if (S E S ) = (C E C ), where S , S
. .
. .
x x x x
j j j j
*
are the masks that are used for these ciphertext blo cks. That is, j = j if
s * * 0 *
j < jc j ; 1 and j = 0 otherwise, and similarly x = x if x < l ; 1 and x = 0
0 0 0 0 0 0
otherwise (Similarly for j =6 x we have (N = N ) if (S E S ) = (C E C )).
.
.
x x x
j j j
Since each of the summands in the expression ab ove has a conjunct C = c
0
for some constant string c (and since the forged ciphertext C is a function of
C ), it follows that each of the summands in the frst sum can b e written as
0 0 s s 0 s 0 0
!;
Pr[(S (c ) E S (c ) = c E c ) ^ C = c ^ E 2 j E 3( r )]. Note that S (c ) E
. .
.
x 0 0 x x 0
j j
s s
(c ) can in some cases b e identically zero. As c is some constant string, then S
.
0
j
0 s
c E c is also constant, and recall that the variables S (c ) dep end only on the
0
x
j
0 0 s s
choice of G. Thus, each of these summands (if S (c ) E S (c ) is not identically
.
.
x 0 0
j
zero) can b e b ounded by
0 0 s s 0 s
!;
Pr[S (c ) E S (c ) = c E c ^ C = c ^ E 2 j E 3( r )]
. .
x 0 j 0 x j
0 0 s s 0 s
!;
= Pr[C = c ^ E 2 j S (c ) E S (c ) = c E c ^ E 3( r )]
. .
x 0 j 0 x j
0 0 s s 0 s
!;
* Pr[S (c ) E S (c ) = c E c j E 3( r )]
. .
x 0 j 0 x j
;n f 0 0 s s 0 s
; !
E 3( )] : (2 ) * Pr[S (c ) E S (c ) = c E c j r
. .
x 0 j 0 x j
P
i;1 1
where the last inequality follows by Claim 5 with { = (l (c , : : : , c ) ;
i2[1::z ]
0
1). A similar inequality holds for the summands in the second sum (i.e. N =
x
0
N case). Thus, by Claim 4, the inside expression in equation (1) is at most
j
;nf ;n nf
2 * (u + v ) * 2 . Since we have 2 summands, it follows that
;n
!;
Pr[:(E 0 _ E 1) ^ E 2 j E 3( r )] : (u + v ) * 2
Finally, we calculate Pr[:(E 0 _ E 1)]
Pr [:(E 0 _ E 1)]
: Pr [:(E 0 _ E 1) ^ E 2 j E 3] + Pr [:E 2 j E 3] + Pr [:E 3]
: Pr [:E 3] +
X
!; !; !;
((Pr [:(E 0 _ E 1) ^ E 2 jE 3( r )] + Pr [:E 2 jE 3( r )]) * Pr [E 3( r )jE 3])
1 z
r ,:::,r
2 ;n ;n 2 ;n
: z * 2 + (u + v ) * 2 + (u) * 2
where the last inequality follows by Claim 6. 2
0
Claim 4: For each constant c (and its corresp onding c ) for which event E0 do es
0
;!
not hold, and constant r with distinct values, there is an x 2 [1::l ; 1] such
that
s
(i) 8s 2 [1::z ]8j 2 [1::jc j ; 1]:
0 0 s s 0 s
if S (c ) E S (c ) is identically zero then c E c 6= 0, otherwise
.
.
x 0 0 x
j j
0 0 s s 0 s ;n
; !
(c ) = c E c j E 3( r )] : , Pr[S (c ) E S 2
. .
x 0 j 0 x j
0
(ii) 8j 2 [1::jl ; 1], j 6= x,:
;n 0 0 0 s 0 0
!;
Pr[S (c ) E S (c ) = c E c j E 3( r )] : 2
. .
x 0 j 0 x j
s 0
Proof: These are the diferent cases (we will drop the argument from S and S
as it will b e clear from context):
0 i
(a) (New IV) If for all i 2 [1::z ], c 6= r , then we cho ose x = 1. In that case
0
0 0 0 0 0 0 * 0
N = N is same as C E C = S E S , where j = j if j =6 (l ; 1), and
.
1 1 1
j j j
* 0 0
j = 0 otherwise. Thus, for j 2 [1::l ; 1], j =6 x, since S is pairwise diferentially
0 0 0 0 ;n
!;
uniform, probability of (S E S = c E c ) is 2 (even under E 3( r )).
.
1 1
j j
0 s 0 s 0 s * s
Similarly, N = N is same as C E C = S E S , where j = j if j =6 jc j ; 1,
.
1 1 1
j j j
* 0
!;
and j = 0 otherwise. Under event E 3( r ), and the fact that c is diferent from
0
i 0 s
is uniformly distributed. all r , we have that S E S
.
1
j
0 k 0
(b) There exists a k , k 2 [1::z ] such that c = r . For all other k 2 [1::z ],
0
0 k 0 k
c 6= r . Thus S = S . We have several cases:
0
0 k 0
(b1) (truncation attempt) If c is a truncation of c , then we let x = l ; 1 which
0
is the index of the last blo ck of c .
0 k k
, then we let x = jc j ; 1 which (b2) (extension attempt) If c is an extension of c
k
is the index of the last blo ck of c .
0 k
(b3) Otherwise, let x b e the least index in which c and c are diferent.
In all the cases (b1), (b2) and (b3), conjunct (ii) is handled as in (a).
0 s 0 k s s *
In case (b1), N = N is same as C E S = C E S , where j = j if
.
0
x 0
j j j
l ;1
s * * 0 s
j 6= jc j ; 1, and j = 0 otherwise. Now, for s = k , j = 0 (in which case S E S
0
j
0 s 0 k
is identically zero), we have c E c = c E c . This quantity is not zero,
0
k
x
j
l ;1
jc j;1
0 s k s
E S since E0 (the deletion attempt) do esn't hold for c. Otherwise, S E S = S
.
0 0
j j
is uniformly distributed.
0 s 0 k s s *
, where j = j In case (b2), N = N is same as C E S = C E S
.
k k
x
j j j
jc j;1 jc j;1
s * * k
if j 6= jc j ; 1, and j = 0 otherwise. When s = k , j is never jc j ; 1, and hence
k s
S E S is uniformly distributed.
.
k
j
jc j;1
0 s 0 k s s *
In case (b3), N = N is same as C E S = C E S , where j = j if
.
.
x x x
j j j
s * * 0 *
j 6= jc j ; 1, and j = 0 otherwise, and x = x if x 6= (l ; 1), and x = 0
* * * *
otherwise. If s = k , and j = x , then either j = x = 0, or j = x. In the
0 s 0 k 0
latter case, c E c = c E c , which is non-zero as x is the index in which c
x x x
j
k k 0
and c difer. In the former case, j = jc j ; 1, and x = (l ; 1). In this case,
0 s 0 k 0
c E c = c E c . If this quantity is zero, then since x (= (l ; 1)) was the
0
k
x
j
l ;1
jc j;1
k 0
least index in which c and c difered, event E0 would hold for c, leading to a
k s
contradiction. In other cases, S E S is uniformly distributed. 2
.
.
x
j
i
;! ;!
Recall that E 3( r ) is the event that all C are distinct (and set to r ).
0
Claim 5: Let l b e the length of the frst ciphertext. Let y : z . For any constant
1
i i
lengths l (i 2 [2::y ]) and constant strings c , (i 2 [1::y ], jc j = l ), and any
i i
function G indep endent of F ,
^
i i ;n f
;!
Pr [ C = c ^ E 2(y ) j G ^ E 3( r )] : (2 )
i2[1::y ]
i
where { = 2 (l ; 1).
i2[1::y ]
i 1 i;1
Proof: The ab ove probability is zero unless for all i 2 [2::y ], l = l (c , :::, c ).
i
From now on, we will assume that the l are indeed such.
We do induction over y , with base case y = 0.
The base case is vacuously true, as { = 0 and conditional probability of TRUE
is 1.
Now assume that the lemma is true for y . We prove the lemma for y + 1. The
explanation for the inequalities is given b elow the sequence of inequalities.
^
i i
!;
Pr [ C = c ^ E 2(y + 1) j G ^ E 3( r )]
i2[1::y +1]
^
y +1 y +1 i i
!;
: Pr [C = c j C = c ^ E 2(y + 1) ^ G ^ E 3( r )]
i2[1::y ]
^
i i
!;
* Pr [ C = c ^ E 2(y + 1) j G ^ E 3( r )]
i2[1::y ]
^
y +1
;n l ;1 i i
!;
: (2 ) * Pr [ C = c ^ E 2(y ) j G ^ E 3( r )]
i2[1::y ]
i
;n E (l ;1)
i2[1::y ]
: (2 )
The second inequality follows b ecause under the condition E 2(y + 1), all the
y +1
M are diferent from the previous M , and hence the sequence of variables,
j
y +1
y +1
y +1 n (L ;1)
for all j 2 [1::L ; 1], F (M ) can take all p ossible (2 ) values,
j
�y
indep endently of G, and F (M ), and hence also all ciphertext messages till
j
y +1 y +1 y +1
index t. Hence, the sequence C = F (M ) E S can take all p ossible
j j j
y +1 1 y y +1
values. Moreover, L = l (c , :::, c ) = l .
The last inequality follows by induction. 2
;!
Claim 6: For every fxed r with distinct values,
2 ;n
; !
P r [:E 2 j E 3( r )] < u * 2
Proof: Recall that Event E2 is
0 0
0 0 i 0 i 0 0 i i
8i, i 2 [1::z ], 8j, j , j 2 [1::L ], j 2 [1::L ], (i, j ) 6= (i , j ) : (M =6 M )
0
j j
;!
Under E 3( r ), we have
i
(a) The set of variables fW g, i 2 [1::z ], are uniformly random and indep endent
1
variables.
0
i i
(b) For each i, the variable W is indep endent of all ciphertext messages C ,
1
0
0 i 0 i
i < i, and hence all plaintext messages P , i : i. This follows b ecause W can
1
0
i 0
b e chosen after C , i < i have b een chosen.
;!
Given E 3( r ), the probability that event E2 do es not happ en is at most
i 2 ;n 2 ;n
(2 L ) * 2 , which is at most u * 2 . This is seen as follows:
i2[1::z ]
0 0 0 0 0
i i i i i i i i i i
Pr [M = M ] = Pr [P E S = P E S ] = Pr [S = S E P E P ]
0 0 0 0 0
j j j j j j j j j j
0
Without loss of generality, let i 2 i . Then from (b) ab ove it follows that this
;n 0
probability is at most 2 (if i = i , then we also use the fact that the sequence
S is pairwise diferentially uniform). 2
6.1 Alternate Pro of Sketch
In this section we give an alternate pro of of Theorem 1 which was suggested by
Johan Haastad.
We frst expand the notation, and generalize event E2 to E6 as follows. Given
C = c, and G = g , where c is a constant sequence of ciphertexts and g is
i i i
a constant p ermutation the M values are fxed, b ecause M = P E S . The
j j j
i i i
variable P is completely fxed by c, and S is fxed by g (c )'s. We will write
0
j j
i i i
M (c, g ) for this value of M . Similarly, for N . So, for any c and g , and y : z ,
j j j
defne E6(y , c, g ) to b e
0
0 0 i 0 i 0 0
8i, i 2 [1::y ], 8j, j , j 2 [1::l ; 1], j 2 [1::l ; 1], (i, j ) =6 (i , j ) :
0 0
i i i i
(M (c, g ) =6 M (c, g )) ^ (N (c, g ) 6= N (c, g ))
0 0
j j j j
Note that E 2 as in the previous section, and C = c and G = g implies
E6(z , c, g ) as F is a p ermutation.
In the following lemma we assume that F and G are random p ermutations.
This is diferent from lemma 3 in the previous section, where we had to frst
assume F to b e a random function, and then add the error probability.
Lemma 4. For every constant c, and for any permutation g such that E 6(z , c, g ),
Pr [G = g ]
P r [G = g jC = c ^ E 6(z , c, G)] =
P r [E 6(z , c, G)]
Proof: Let U b e the universe of G. Under the condition C = c and E6(z , c, G)
we show that every g such that E6(z , c, g ) holds, is equally likely to b e G. Since
c is fxed, fxing G to g , fxes the N variables to a single value (with all N 's
diferent, for otherwise E6(z , c, g ) wouldn't hold). This value of the N variables
is not ruled out as all the M variables are diferent (by E6(z , c, G)), and F is a
random p ermutation. Thus,
Pr [G = g jC = c ^ E 6(z , c, G)]
1
=
#g : E 6(z , c, g )
1
=
jU j * Pr [E 6(z , c, G)]
Pr [G = g ]
=
Pr [E 6(z , c, G)]
2
The pro of of lemma 3 in the previous section now changes where we b ound
the value of
0 0 s s 0 s
!;
Pr[S (c ) E S (c ) = c E c ^ C = c ^ E 6 j E 3( r )]
. .
x 0 j 0 x j
This can now b e written as
0 0 s s 0 s
!;
Pr[S (c ) E S (c ) = c E c j C = c ^ E 6(z , c, G) ^ E 3( r )]
. .
x 0 j 0 x j
!;
* Pr[C = c ^ E 6(z , c, G) j E 3( r )]
;n
The frst factor is upp er b ounded by 2 / Pr[E 6(z , c, G)] by using the ab ove
lemma (all the diferent cases are handled as in claim 4). From equation (1), we
then get
;n
!;
Pr[:(E 0 _ E 1) ^ E 6 j E 3( r )] : (u + v ) * 2
2 ;n
!;
Lemma 3 then follows by proving that Pr[:E 6j E 3( r )] < u * 2 as in claim 6.
Rest of theorem 1 is as b efore, with a slightly b etter b ound as there is no error
term corresp onding to assuming F and G to b e random functions.
6.2 General Case
We now prove the scheme IAPM (t 2 1) secure for message integrity. Here F
and G are indep endent random p ermutations.
Theorem 5. Let A be an adversary attacking the message integrity of IAPM
(t 2 1) with random permutations F and G. Let A make at most z queries in
the frst stage, totaling at most { blocks. Let u = { + z . Let v be the maximum
number of blocks in the second stage. Then for adversary A,
2 2 2 2 ;n
S ucc < (2 * u + 2tz + tm + t (z + 1) + 3t(2z + 1)(u + v ) + 2 + o(1)) * 2
Proof Sketch: We frst calculate the adversary's success probability assuming
that G is a random function. Then, the error intro duced in the probability
2 ;n
b ecause of this approximation is at most ((t(z + 1)) * 2 ).
The diferences in the pro of from that of Theorem 1 are (i) we can not assume
i
!;
a priori, that the sequence S is pairwise diferentially uniform, (ii) E3( r ) as
i j
defned in Lemma 3 do es not imply that S is indep endent of S , for i 6= j , (iii) in
i
pro of of Theorem 1, the case of event E0 requires S to b e pairwise diferentially
0 0
uniform, and (iv) in claim 4 case (a), S (c ) is not necessarily indep endent of all
0
i i
S (r ).
To this end, Event E3 is now defned to b e the event that all entries in the
following (multi-) set are diferent:
i i
fC , i 2 [1::z ]g [ fG(C ) + j ; 1, i 2 [1::z ], j 2 [1::t ; 1]g
0 0
1 z i
;! !;
For r = r , :::, r , all r diferent, let E3( r ) b e the event E3 and that for all
i i
i 2 [1::z ], C = r .
0
1 z i 2 ;n
;! !;
For r =r , :::, r , all r diferent, Pr[: E3( r )] : (2tz + tm) * 2
i
Under event E3, for all i 2 [1::z ], the sequence S is pairwise diferentially
j
uniform, and is indep endent of S (j 2 [1::z ], j =6 i). Now (in Theorem 1) the
;!
case of event E0 is also handled under the condition E 3( r ).
0 0 0
In Claim 4, case (a) (i.e. New IV) now requires showing that S (c ) (with c
0 0
i i i
diferent from all r ) is indep endent of all S (r ) (i 2 [1::z ]).
i i
Consider the following events (note that W = G(r )):
1
0 i
Event E 4 : 8i 2 [1::z ], 8j 2 [1::t ; 1] : c =6 W + j ; 1
0 1
0 i 0 i 0 0
Event E5:8i 2 [1::z ] : jG(c ) ; W j > t ^ jG(c ) ; r j > t ^ jG(c ) ; c j > t
0 1 0 0 0
0 k
Now given that, for all k 2 [1::z ], c =6 r , and under event E4, it is the case
0
0
;!
that c has never b een an oracle query to G, and thus Pr[:E5 j E4 ^ E3( r )]
0
;n ;n
!;
< 2t(2z + 1) * 2 . Also, Pr[: E4 j E3( r )] : z t * 2 .
0 i 0 0
!;
Under events E4, E5 and E3( r ), and c diferent from all r , S (c ) is indeed
0 0
i i
indep endent of previous S (r ), and is also pairwise diferentially uniform. 2
6.3 Mo des using GFp
We now prove theorem 1 for the IAPM scheme as in Fig 1, i.e using the mo d p
construction.
i i 0
Note that a = f (r ) translates to a = G(C ) for all i 2 [1::z ], and a =
K 0
0
0
G(C ), under the assumption that f is mo deled as a random function (the
K 0
0
error introduced by considering G as a random function instead of a random
p ermutation is as b efore). We now predicate our whole analysis on the condition
i 0
that for all i 2 [1::z ], G(C ) < p, and G(C ) < p. The probability of this not
0 0
n
happ ening is at most (z + 1) * (2 ; p)/p.
i 0
Given this condition, it follows that for all i, a , and also a are uniformly
distributed in GFp (as G is a random function).
i
We next show that for each i, j , S is uniformly distributed in GFp.
j
*
From now on we will drop i from the sup erscript. We will denote by S the
j
*
intermediate value after execution of the frst step in the for-lo op, i.e. S =
j
n * * n *
(S + a) mod 2 . Thus, if a > S then S = S + (2 ; p), else S = S .
j ;1 j j
j j j
*
First we prove that there is no overfow in the last step of the for-lo op (S =
j
n
S + 159), i.e. while adding (2 ; p).
j
n n
If (S =)a < (2 ; p), then let t b e the least j such that S 2 (2 ; p),
0 j
*
other-wise t = 0. Clearly, for j : t, the condition (a > S ) could not have b een
j
n n;1
satisfed, as (2 ; p) is much smaller than 2 .
n
We next show by induction that for j 2 t, S 2 (2 ; p). Clearly, for j = t it
j
*
is true by defnition of t. If for some j > t, (a : S ), then S = S + a, hence
j j ;1
j
n * * n
by induction S 2 (2 ; p). If for some j > t, (a > S ), then S = S + a ; 2 ,
j j ;1
j j
which is less than p, as a < p by design. Thus, there is no overfow while adding
n n
(2 ; p), and hence S > (2 ; p).
j
i
Claim 7: For every i, j , S is uniformly distributed in GFp.
j
i i
Proof: Indeed, S = a * (j + 1) mod p. Clearly, this is true for j = 0. Supp ose
j
i i
it is true for j ; 1, then we show that S = a * (j + 1) mod p. Now, (a > S )
j
j
i n i n i i i i i
) < 2 , then S = S + a , ) 2 2 . So, supp ose (S + a holds if (S + a
j ;1 j ;1 j j ;1
i i i i n
and hence S = a * (j + 1) mod p, by induction. If (S + a ) 2 2 then,
j j ;1
i i n i n n
S = (S + a ) ; 2 + (2 ; p), since there is no overfow while adding (2 ; p),
j j ;1
and the claim follows. 2
i
Claim 8: For each i, the sequence S is pairwise-diferentially uniform in GFp.
j
i i i i 0 i i
Proof: Since, S = a * (j + 1) mod p, and S = a * (j + 1) mod p, S ; S =
0 0
j j
j j
i 0
a * (j ; j ) mod p, and hence the claim follows. 2
n n
Claim 9: For any constant c 2 [0::2 ; 1], Pr[S ; S = c mod 2 ] : 2/p.
i j
Proof:
n
Note that S ; S = c mod 2 and S 2 S implies S ; S = c mod p. On the
i j i j i j
n n
other hand, S ; S = c mod 2 and S < S implies S ; S = c ; 2 , and hence
i j i j i j
n
S ; S = c ; 2 mod p.
i j
Thus,
n
] Pr [S ; S = c mod 2
i j
n n
= Pr [S ; S = c mod 2 ^ S 2 S ] + Pr [S ; S = c mod 2 ^ S < S ]
i j i j i j i j
n
: Pr [S ; S = c mod p] + Pr [S ; S = c ; 2 mod p]
i j i j
: 2/p
where the last inequality follows by the previous claim. 2
For mo des of practical interest, the term (z +1)* O (n) in the following theorem
128
is really (z + 1) * 2n. For example, for 128 bit blo ck ciphers, since p = 2 ; 159,
this term is (z + 1) * 159.
Theorem 6. Let A be an adversary attacking the message integrity of IAPM
(t = 1) with the GFp construction (fg 1), with random permutations F and G.
Let A make at most z queries in the frst stage, totaling at most { blocks. Let
u = { + z . Let v be the maximum number of blocks in the second stage. Then for
adversary A,
2 2 2 ;n
S ucc < (2 * u + z + (z + 1) + u + v + 2 + o(1) + (z + 1) * O (n)) * 2
Proof: The pro of is the same as the pro of of theorem 1 except for a few difer-
ences. Firstly, as said earlier we predicate on the condition that for all i 2 [1::z ],
i 0
G(C ) 2 p, and G(C ) 2 p. The probability of this not happ ening is at most
0 0
n
(z + 1) * (2 ; p)/p, and that is an extra additive factor in the adversary's success
probability.
We will use the following notation: (X ) will stand for X reduced mo dulo y ,
y
i.e. (X ) is the unique numb er in [0::y ; 1] such that X = (X ) mod y . Next
y y
in the pro of of theorem 1, the case where E0 happ ens, now b ecomes (the big
summations are xor-sums)
0
L ;1
X
0
( P = 0) ^ E0
j
j #1
0
L ;2
X
i i i
n
) (P ) E (M ; S ) = 0
0
i
2
j L ;1
L ;1
j #1
0 i
L ;2 L ;2
X X
i i i i
n
= 0 = (P ) E ( (P ) + S ; S )
0
i
2
j j L ;1
L ;1
j #1 j #1
0 i
L ;2 L ;2
X X
i i i i n
= (S ; S = (P ) ; (P )) mod 2
0
i
L ;1 j j
L ;1
j #1 j #1
This event happ ens with probability at most 2/p by claim 9.
0
P
L ;1
0
Similarly lemma 2 now mo difes as follows: P = 0 if
j
j #1
0
L ;1
X
0 0 0 0
n n
(M ; S ) = (M ; S )
2 2
x x j j
j #1,j 6#x
or
0
L ;1
X
0 0 0 0 n
n
(M = S + (M ; S ) ) mod 2
2
x x j j
j #1,j 6#x
The probability in lemma 2 remains as b efore.
0 s 0 s 0
In lemma 3, for each s, j , we now have (N = N ) if (S ; S ) = (C ;
.
.
x x x
j j
s n
C ) mod 2 , and thus by Claim 9 the probability b ounds in claim 4 are in terms
j
;n 2
of 2/p instead of 2 . Similarly, the b ound in claim 6 is now u * 2/p.
Thus,
2 2 2 ;n 2 n
S ucc < (u + z + (z + 1) + 1 + o(1)) * 2 + (u + u + v + 1) * 2/p + (z + 1) * (2 ; p)/p
n n ;n ;2n
However, since 2 ; p � n, or 2 ; p = O (n), we have that 1/p < 2 + 2n * 2 .
;n
Thus replacing 2 by 1/p only adds a second order term to adversary's success
probability.
2
7 Message Secrecy
We now prove security in the fnd-then-guess mo del, which implies that the
IAPM scheme (b oth for fg 1 and fg 2) is secure for message secrecy.
Theorem 7. Let A be a chosen plaintext attack adversary of the encryption
scheme IAPM with random permutations F and G, making at most z queries,
these totaling at most u blocks. Then
1
2 2
Adv : (3u /2 + z )
A
n
2
Proof:
We will calculate the probability of the adversary's success under the as-
sumption that F and G are random functions. A standard argument shows that
2 2 ;n;1
the error introduced in calculating the probability is at most (u + z ) * 2 .
As in the previous theorem, we will use subscripts to denote particular blo cks
i 0 i
in a message. We will use constants c , c , d to denote strings of arbitrary blo ck
length. Let the z queries b e divided into p queries in the frst phase, one query
0 0
in the \cho ose" phase, and p queries in the second phase. Thus z = p + 1 + p .
1 z
We will use c to denote the sequence c , :::, c .
Let l () b e the length of the frst ciphertext (determined by the adversary).
The function j j is used b elow to represent length of a message in blo cks. Given
1 i 1 i
a sequence of ciphertext messages c , :::, c , i : z , let l (c , :::, c ) b e the length of
the (i + 1)th ciphertext (which is determined by the adversary, and therefore is
1 i
a deterministic function of c , :::c ).
As in lemma 3, we consider the event E2, under which all the M variables are
diferent. Similarly, we also predicate on the event that all the initial variables
are diferent (event E3). Recall that the event E2(y ) is that all the variables in
the following multi-set are diferent:
i i
fM , i 2 [1::y ], j 2 [1::L ; 1]g
j
Event E2(z ) is also written as just E2. The event E3 now requires that all initial
variables are diferent:
i 0 i 0
fC , i 2 [1::p]g [ fC g [ fC , i 2 [p + 2::p + 1 + p ]g
0 0 0
p+1 0
Note that C is another name for C .
We have,
X X
!;
Pr [A(R, C ) = b ^ E 2 j E 3( r ) ] = ::: :::
1 1
i i i;1 1
c : jc j#l() c : jc j#l(c ,:::,c )
X
!;
::: Pr [A(R, C ) = b ^ C = c ^ E 2 j E 3( r ) ]
z z m;1 1
c : jc j#l(c ,:::,c )
i i
If for some i, c =6 r , then the inside expression is zero.
0
The inside expression can b e written as
!;
Pr [A(R, C ) = b ^ C = c ^ E 2 j E 3( r ) ]
^
i i
!;
= Pr [A(R, c) = 0 ^ C = c : ^b = 0 ^ E 2 j E 3( r ) ] +
i2[1::z ]
^
i i
!;
Pr [A(R, c) = 1 ^ C = c : ^b = 1 ^ E 2 j E 3( r ) ]
i2[1::z ]
p+1 0 00
where when b = 0, C = C is the encryption of P , and when b = 1 it is the
01
encryption of P . Let's concentrate on the frst summand.
^
i i
!;
Pr [A(R, c) = 0 ^ C = c ^ b = 0 ^ E 2 j E 3( r ) ]
i2[1::z ]
^
i i
!;
= Pr [A(R, c) = 0 j C = c ^ b = 0 ^ E 2 ^ E 3( r ) ] *
i2[1::z ]
^
i i
!;
Pr [ C = c ^ E 2 j b = 0 ^ E 3( r ) ] * P r [b = 0]
i2[1::z ]
^
i i
!;
= Pr [A(R, c) = 0] * Pr [ C = c ^ E 2 j b = 0 ^ E 3( r ) ] * P r [b = 0]
i2[1::z ]
This quantity is upp er b ounded by
1
;n f
* (2 ) * Pr [A(R, c) = 0]
2
by Claim 5, and lower b ounded by
1
;n ;n f
* (1 ; {({ ; 1)/2 * 2 ) * (2 ) * Pr [A(R, c) = 0]
2
i
by Claim 10 b elow, where { = 2 (l ; 1). Note that, b oth Claim 5 and
i2[1::z ]
Claim 10 hold regardless of whether b = 0 or b = 1.
Thus,
1 1
f ;n ;n ;n f
!;
) *(1;{({;1)/2*2 )*(2 : Pr [A(R, C ) = b^C = c^E 2 j E 3( r )] : *(2 )
2 2
and hence,
1 1
;n
!;
2 * (1 ; {({ ; 1)/2 * ) : Pr [A(R, C ) = b ^ E 2 j E 3( r )] :
2 2
2 ;n;1
Thus by Claim 6, and Pr[: E3] : z * 2 , we have
1
2 2 ;n
jPr [A(R, C ) = b] ; j : (u + z /2) * 2
2
2
Claim 10: Let l b e the length of the frst ciphertext. Let y : z , and j 2 [0, 1].
1
i i
For any constant lengths l (i 2 [2::y ]) and constant strings c , (i 2 [1::y ], jc j =
i
i 1 i;1
l ), such that for all i 2 [2::y ], l = l (c , :::, c ),
i
^
;n ;n f i i
!;
Pr [ C = c ^ E 2(y ) jb = j ^ E 3( r )] 2 (1 ; {({ ; 1)/2 * 2 ) * (2 )
i2[1::y ]
i
where { = 2 (l ; 1).
i2[1::y ]
Proof:
We do induction over y , with base case y = 0.
The base case is vacuously true, as { = 0 and conditional probability of TRUE
is 1.
Now assume that the lemma is true for y . We prove the lemma for y + 1. The
explanation for the inequalities is given b elow the sequence of inequalities.
^
i i
!;
Pr [ C = c ^ E 2(y + 1) j b = j ^ E 3( r )]
i2[1::y +1]
^
y +1 y +1 i i
! ;
= Pr [C = c j C = c ^ E 2(y + 1) ^ b = j ^ E 3( r )]
i2[1::y ]
^
i i
!;
* Pr [ C = c ^ E 2(y + 1) j b = j ^ E 3( r )]
i2[1::y ]
^
y +1
l ;n ;1 i i
; !
r )] * Pr [ C = c ^ E 2(y ) j b = j ^ E 3( = (2 )
i2[1::y ]
^
i i
!;
* Pr [E 2(y + 1) j C = c ^ E 2(y ) ^ b = j ^ E 3( r )]
i2[1::y ]
^
y +1
;n l ;1 i i
!;
2 (2 ) * Pr [ C = c ^ E 2(y ) j b = j ^ E 3( r )]
i2[1::y ]
y +1 y +1 y +1 i ;n
* (1 ; [(l ; 1)(l ; 2)/2 + (l ; 1) * (2 (l ; 1))] * 2 )
i2[1::y ]
and the claim follows by induction. The last inequality is seen as follows. Given
y y +1
the ciphertexts upto C , the plaintexts upto P are fxed. Also, given E2(y ),
E2(y + 1) is just the M values in message y + 1 b eing diferent from each other and
also diferent from all earlier M values. Given that S are pair-wise diferentially
uniform, the b ound then follows by upp er-b ounding :E2(y + 1).
y +1 y +1
The probability of C = c is calculated as in Claim 5. 2
8 Acknowledgments
The author is extremely grateful to Shai Halevi and Panka j Rohatgi for help with
the pro of of message integrity. The author also thanks J. Haastad for suggesting
an alternative pro of of message integrity.
References
1. ANSI X3.106, \American National Standard for Information Systems - Data En-
cryption Algorithm - Mo des of Op eration", American National Standards Institute,
1983.
2. M. Bellare, A. Desai, E. Jokiph, P. Rogaway, \A Concrete Security Treatment
of Symmetric Encryption: Analysis of the DES Mo des of OPeration", 38th IEEE
FOCS, 1997
3. M. Bellare, J. Kilian, P. Rogaway, \The Security of Cipher Blo ck Chaining",
CRYPTO 94, LNCS 839, 1994
4. M. Bellare, C. Namprempre, \Authenticated Encryption: Relations among no-
tions and analysis of the generic comp osition paradigm", Pro c. Asiacrypt 2000, T.
Okamoto ed., Springer Verlag 2000
5. Hugo Krawczyk, \LFSR-based Hashing and Authentication", Pro c. Crypto 94.
LNCS 839, 1994
6. ISO 8372, \ Information pro cessing - Mo des of op eration for a 64-bit blo ck cipher
algorithm", International Organization for Standardization, Geneva, Switzerland,
1987
7. ISO/IEC 9797, \Data cryptographic techniques - Data integrity mechanism using
a cryptographic check function employing a blo ck cipher algorithm", 1989
8. M. Luby, \Pseudorandomness and Cryptographic Applications", Princeton Com-
puter Science Notes, Princeton Univ. Press, 1996
9. C.H. Meyer, S. M. Matyas, \Cryptography: A New Dimension in Computer Data
Security", John Wiley and Sons, New York, 1982
10. National Bureau of Standards, NBS FIPS PUB 81, \DES mo des of op eration",
U.S. Department of Commerce, 1980.
11. National Bureau of Standards, Data Encryption Standard, U.S. Department of
Commerce, FIPS 46 (1977)
12. RFC 1510,"The Kerb eros network authentication service (V5)", J. Kohl and B.C.
Neuman, Sept 1993
13. Security Architecture for the Internet Proto col, RFC 2401,
http://www.ietf.org/rfc/rfc2401. txt
14. The TLS Proto col, RFC2246, http://www.ietf.org/rfc/rfc2246. txt
A
This article was pro cessed using the L T X macro package with LLNCS style E