A Mode of Operation with Partial Encryption and Message Integrity
A Mo de of Op eration with Partial Encryption
and Message Integrity PEMI
1 1
Philip Hawkes and Gregory G. Rose
QUALCOMM International Australia
Level 3, 230 Victoria Road, Gladesville NSW 2111 Australia
fphawkes,[email protected]
Abstract. At the recent AES Mo des of Op eration Conference, several
mo des of op eration were prop osed for using a blo ck cipher to provide
b oth con dentiality and authentication. These mo des require only a little
more work than the cost of encryption alone, and come with pro ofs of
security.However, these mo des require the entire message to b e sentin
encrypted form. This can cause problems in situations where some of the
message neeeds to b e sent in plaintext while still b eing authenticated.
This pap er describ es a simple variation that allows anychoice of message
blo cks to b e sent in plaintext form rather than in encrypted form. This
mo de, Partial Encryption with Message Integrity PEMI, is shown to
b e secure for message integrity and message secrecy.
1 Intro duction
In 2000 Jutla [2, 3] prop osed new mo des of op eration for symmetric blo ck ciphers:
IntegrityAware Cipher Bo ck Chaining IACBC mo de and Integrity-Aware Par-
allelizable IAPM Mo de. Provided the underlying blo ck cipher is secure, the
mo des are proven to provide secure encryption and secure message authentica-
tion. Other mo des with the same prop erties have since b een prop osed: XCBC
mo de, prop osed by Gligor and Donescu [1]; and OCB mo de, prop osed by Rog-
away, Bellare, Black and Krovetz [5]. These mo des IACBC, IAPM, XCBC and
OCB share a common dilemma: the entire message must b e sent in encrypted
form. In many situations, this is not an issue. However, some proto cols require
part of the message such as an IP address to b e sent as plaintext, and it would
b e desirable for this plaintext p ortion to b e authenticated along with the remain-
der of the message. This is not p ossible with the aforementioned mo des. This
pap er presents a mo de whereby part of the message can be sent as plaintext,
and this plaintext p ortion to b e authenticated along with the remainder of the
message. The mo de is called Partial Encryption with Message Integrity PEMI
mo de.
The pap er is arranged as follows. Section 2 contains a description of IAPM
and the new mo de. A short discussion on the eciency of PEMI follows in
Section 2.2. A pro of of message integrity is provided in Section 3. Section 3.1
discusses partial blo ck encryption, where part of a blo ckissent encrypted and
the remaining part of the blo ck is sent unencrypted.
2 Description
Let E denote encryption of an l -bit blo ckby a symmetric blo ck cipher using
K
the key K , and let D denote decryption by the symmetric blo ck cipher us-
K
ing K . Supp ose the message is m blo cks in length: P = P [1];:::;P[m], and the
sender and receiver have agreed on twokeys K 0;K1. The XOR version of IAPM
1
mo de is summarized b elow. This mo de requires the generation of a sequence
S [0];:::;S[m + 1] from the initial value IV using the key K 0. This sequence must
have the prop erty that S [i] S [j ] is uniformly distributed for 0 i< j m +1.
The metho d prop osed by Jutla [3] uses only only t = dlog m +3e encryp-
2
tions. This metho d is given in the App endix. IAPM encryption, decryption and
message integrityveri cation are computed as follows.
IAPM: Encryption with Authentication
Step 1 Cho ose a random l -bit initial value IV , set C [0] = IV .
Step 2 Generate S [0];:::;S[m + 1] from IV and K 0.
Step 3 For 1 i m, compute C [i]=S [i] E P [i] S [i].
K 1
Step 4 Form P [i +1]= P [1] P [m], and compute,
C [m +1]= S [0] E check sum S [m + 1]:
K 1
Transmit C =C [0];:::;C[m + 1].
IAPM: Decryption with Message Integrity Veri cation
Step 1 Extract IV = C [0].
Step 2 Generate S [0];:::;S[m + 1] from IV and K 0.
Step 3 For 1 i m compute P [i]= S [i] D C [i] S [i].
K 1
Step 4 Compute P [m +1]= S [m +1] D C [m +1] S [0].
K 1
Step 5 If P [m +1]= P [0] P [m], then the message integrityisveri ed,
and the message is P = P [1];:::;P[m].
[Note to referees: We can include a Figure describing IAPM here, but we are
currently pressed for time.]
As explained in Section 1, There is demand for a mo de in which part of
the message is sent in non-encrypted form. The mo de prop osed b elow, Partial
Encryption with Message Integrity PEMI, is a variation on IAPM. Supp ose
the message is m blo cks in length: P = P [1];:::;P[m], and the sender and
receiver have agreed on twokeys K 0;K1. The sender and receiver also agree on
a set U f1;:::;mg of blo ck indices for which the plaintext blo ck P [i] will b e
transmitted rather than the ciphertext C [i] when i 2 U .
1
There is a slight discrepancy b etween the description of IAPM in [2, 3]. This descrip-
tion follows [3].
PEMI: Encryption with Authentication
Step 1 Cho ose a random l -bit value IV , set C [0] = IV .
Step 2 Generate S [0];:::;S[m + 1] from IV and K 0asshown in the App endix.
Step 3 For 1 i m, p erform one of the following steps.
{ If i 2 U , then set C [i]=P [i] and compute Y [i]=S [i] D P [i] S [i].
K 1
{ If i=2 U , then compute C [i]=S [i] E P [i] S [i] and set Y [i]=P [i].
K 1
Step 4 Form P [m +1]= Y [1] Y [m], and compute
C [m +1]= S [0] E P [m +1] S [m + 1]:
K 1
Transmit C =C [0];:::;C[m + 1].
[Note to referees: We can include a Figure describing PEMI here, but we are
currently pressed for time.]
Example 1. Supp ose that the sender and receiver agree that the rst data blo ck
will b e transmitted in plaintext rather than ciphertext. Then
Y [1] = S [1] D P [1] S [1];
K 1
and Y [i]=P [i] for 2 i m. The tranmitted message app ears as
C [0];P[1];C[2];:::;C[m];C[m +1];
where C [2];:::;C[m] contain the encryptions of P [2];:::;P[m].
PEMI: Decryption with Message IntegrityVeri cation
Step 1 Extract IV = C [0].
Step 2 Generate S [0];:::;S[m + 1] from IV and K 0.
Step 3 For 1 i m p erform one of the following steps.
{ If i 2 U , then set P [i]=C [i] and compute Y [i]=S [i] D P [i] S [i].
K 1
{ If i=2 U , then compute P [i]=S [i] D C [i] S [i] and set Y [i]=P [i].
K 1
Step 4 Compute P [m +1]= S [m +1] D C [m +1] S [0].
K 1
Step 5 If P [m +1]= Y [1] Y [m], then the message integrityisveri ed,
and the message is P =P [1];:::;P[m].
Note that the message integrityveri cation for a PEMI ciphertext C is ex-
actly the same as the message integrityveri cation for an IAPM ciphertext C .
While IAPM used the \hidden" values P [1];:::;P[m] to compute the check-
sum, this PEMI mo de uses the hidden decrypted values of P [i], since P [i] is
transmitted.
2.1 Format
The format of a PEMI ciphertext is a description of which blo cks will b e sent
unencrypted and which blo cks will be sent encrypted. The message integrity
veri cation of PEMI is indep endent of which blo cks were sent encrypted and
which blo cks were sent unencrypted. That is, PEMI do es not verify the format
of the ciphertext. This op ens PEMI to the p ossibility of an attack in which the
claimed format of the ciphertext is changed. We do not consider this to be a
serious threat as there are several ways to resist this threat. One simple solution
is that the sender and receiver can agree a priori on the format. An alternative
solution is to de ne part of the unencrypted plaintext to include formatting data.
2.2 Performance
The same principles used in PEMI can be used to create other mo des that
provide partial encryption with message integrity. One example is the so-called
Hawkes-Rose HR variant of IAPM [4]. In the HR variant, the checksum is
P
de ned as P [m +1]= P [j ], with
j=2 U
X
C [m +1]= E P [m +1] S [m + 1] S [0] [S [i] E P [i] S [i]]:
K 1 K 1
j 2U
Here is a comparison of PEMI and the HR variant.
{ The HR variant encryption requires only blo ck cipher encryption. PEMI en-
cryption requires b oth blo ck cipher encryption and blo ck cipher decryption.
{ In the HR variant encryption, all blo ck cipher encryptions can b e p erformed
in parallel; there is no latency. In PEMI encryption, P [m + 1] can only b e
formed after the blo ck cipher decryptions of the unencrypted blo cks. Thusm
the computation of C [m + 1] cannot take place until after these decryptions.
Consequently, not all op erations in PEMI encryption can be p erformed in
parallel; there is a latency of one blo ck cipher encryption.
{ The HR variant decryption and message integrityveri cation requires b oth
blo ck cipher encryption and blo ck cipher decryption. PEMI decryption and
message integrityveri cation requires only blo ck cipher decryption.
{ In the HR variant decryption and message integrityveri cation, the blo ck
cipher encryptions of the unencrypted blo cks must b e p erformed to obtain
P
A = [S [i] E P [i] S [i]], b efore the receiver can decrypt to form
K 1
j 2U
P [m +1]= S [m +1] D C [m +1] S [0] A:
K 1
That is, the computation of P [m + 1] cannot take place until after these en-
cryptions. Consequently, not all op erations in the HR variant decryption and
message integrityveri cation can b e p erformed in parallel; there is a latency
of one blo ck cipher encryption. In PEMI decryption and message integrity
veri cation, all blo ck cipher decryptions can b e p erformed in parallel; there
is no latency.
All the designs that we considered for partial encryption with message integrity
app eared to require a mixture of blo ck cipher encryption and blo ck cipher de-
cryption either during encryption or during decryption and message integrity
veri cation. All the designs that we considered also required a latency of at
least one blo ck cipher encryption or decryption at some p oint: either during
encryption or during decryption and message integrityveri cation.
Performance-wise, there is little to di erentiate b etween PEMI and the HR
variant. Both schemes allow for signi cant parallelization, so they are very fast.
However, we prefer PEMI b ecause message veri cation for PEMI is identical to
message integrity for IAPM. This means that the security of PEMI for message
integrity can b e easily related to the security of IAPM for message integrity.As
the security pro of for IAPM already exists, this makes our work much easier.
3 Pro of of Message Integrity
A message integrity attack MIA on PEMI or IAPM is a two step pro cess. In
1 Z
the rst step, the adversary cho oses plaintexts P ;:::;P , and gets the sender
1 z
to reply C ;:::;C . Note that each plaintext and ciphertext consists of multiple
i i i i i
blo cks: C =C [0] :::;C [m + 1], where m is the length of the i-th plaintext.
0
In the second step, the adversary pro duces a new ciphertext C distinct from
k
the other ciphertexts C for which there is a non-negligible probability that it
is valid. There is a slight di erence b etween the MIA on PEMI and the MIA on
IAPM; the di erence is easier to express with some additional notation.
1. PEMI. Let Y [j ], 1 j m, b e de ned as ab ove for PEMI: if j 2 U , then
Y [j ]=P [j ]; otherwise
Y [j ]=S [j ] D P [j ] S [j ]:
K 1
For 0 j m de ne Z [j ]=C [j ], noting that Z [j ]=P [j ] for j 2 U . Also
de ne
Y [m +1]= Y [1] Y [m];
Z [m +1]= S [0] E Y [m +1] S [m + 1]:
K 1
i i
For the i-th plaintext message P , let U denote the set of indices for which
i
P [j ] is sent unencrypted.
2. IAPM. For 1 j m, de ne Y [j ] = P [j ] and Z [j ] = C [j ] = S [j ]
E Z [j ] S [j ]. Finally de ne
K 1
Y [m +1]= Y [1] Y [m];
Z [m +1]= S [0] E Y [m +1] S [m + 1]:
K 1
The di erences b etween an MIA on PEMI and an MIA on IAPM are in whether
i i
the values of Y [j ] and Z [j ] are known, unknown, chosen or uniformly dis-
tributed.
i
1. In an MIA on IAPM, the values of Y [j ], 1 i m +1, are chosen and
i i
thus known. In an MIA on PEMI, the values of Y [j ], j 2= U , are chosen
i i
and known but the values of Y [j ], j 2 U , are unknown and exp ected to b e
uniformly distributed.
i
2. In an MIA on IAPM, the values of Z [j ] are known and exp ected to be
i i
uniformly distributed. In an MIA on PEMI, the values of Z [j ], i 2= U , are
i
unknown and exp ected to b e uniformly distributed, but the values of Z [j ],
i i
i 2= U , are chosen. In an MIA on PEMI, the adversary gets to cho ose U
1 i 1 1 i 1
based on P ;:::;P , and C ;:::;C . This means that the adversary
i
gets to cho ose which values of Z [j ] will be plaintexts and for which the
i
adversary can cho ose the values and whichvalues of Z [j ] will b e unknown, uniformly distributed ciphertexts.
i i
We can translate the pro of for IAPM [3] into a pro of using Y [j ] and Z [j ] in
i i
the place of P [j ] and C [j ]. A pro of for PEMI results if the pro of for IAPM still
i
holds when some values of Z [j ] are chosen, while the corresp onding values of
i i
Y [j ] are unknown and uniformly distributed. The fact that some values of Y [j ]
are unknown and uniformly distributed cannot increase the success probability
i i
of the attack. The question is whether the fact that Z [j ], j 2 U , are chosen
increases the success probability.
In Jutla's calculations for b ounding the success probability of an MIA on
IAPM [3], the \un-predictability" of the ciphertexts has the following e ect.
To compute a probability where there are, say, t p ossible ciphertexts resulting
the initial value IV, Jutla sums the probabilities over the individual p ossible
ciphertexts and intro duces a factor of 1=t, seeing as the actual value for the
ciphertext is not known in advance. As only a b ound is required, we obtain a
b ound that holds for all t p ossible xed ciphertexts. We then see that the
P
b ound on the sum of the probabilities is =t = . That is, the b ound
ciphertexts
on the success probability do es not dep end on how many p ossible values there
are for the ciphertexts.
This means that in the same analysis of PEMI, the same b ounds would
apply even though the attacker has the opp ortunitytocho ose some p ortion of
the ciphertexts. Thus, an attack on the message integrity of PEMI has negligible
success probability; that is, PEMI remains secure for message integrity.
The pro of of privacy for PEMI remains the same as that for IAPM, except
of course that some of the plaintexts are transmitted in clear.
3.1 Partial Blo ck Encryption with Message Integrity
PEMI ab ove relies up on entire blo cks b eing either plaintext or ciphertext, which
is an undesirable re ection of the structure of the blo ck cipher. Since the AES
works on large blo cks of 16 bytes, this might b e seen to b e unduly restrictive. It
is desirable to handle, somehow, the case of partially encrypted blo cks. We call a
blo ck a \partial blo ck" when some of its contents are to b e sent encrypted, and
some of it is to b e sent clear. Again we assume that the format of the message,
in the sense of what part is to b e sent unencrypted, is agreed a priori b etween
the parties.
One way to solve this problem is to treat the partial blo ck as a blo cktobe
transmitted unencrypted for the purp oses of calculating the Message Integrity
ab ove. Since this ensures message integrity,we encrypt the desired part with an
additive cipher, e ectively in counter mo de. The IV was used in conjunction
with K 0 to generate the S [i]values, but K 1 is used to encrypt and decrypt the
actual data blo cks, so we can reuse the IV in this context.
Consider the i-th blo ck, and assume that wehave a bitwise mask M [i] that
de nes the bits to b e encrypted. M [i]won't b e all zeros, or the sender would just
send the plaintext; similarly it won't b e all ones, or the sender would just send
the ciphertext. Beyond that, there is no reason to further constrain which bits
are to b e encrypted, and which left unencrypted. The blo ck to b e transmitted
is calculated so:
P ar tial [i]= P [i] M [i] AND E IV i;
K 1
where AND denotes the bit-wise AND op eration. For each blo ck to b e partially
encrypted, an extra encryption op eration over the basic PEMI is required to
generate the counter-mo de mask. Since this extra op eration can also be done
in parallel with the data encryption or decryption op eration required by the
message integrity calculation or veri cation resp ectively the overall latency in
parallel mo de need not increase.
Security of the message integrity follows directly from that of PEMI. The
message integritywas already guaranteed when plaintext was sent, so obscuring
part of the plaintext cannot weaken the message integrity. Security of the privacy
of the data follows directly from the pro of of security of basic Counter Mo de
encryption, whichwe do not rep eat here. We only require that the two encryption
op erations needed are indep endent, to prove the security of this enhancement.
In one privacy op eration, we encrypt E IV i. In the other integrity
K 1
op eration, we encrypt E P [i] S [i]. These values are unrelated, except that
K 1
the S [i] are related to the IV through encryption with key K 0 not K 1. There-
fore, any dep endence b etween these two encryption op erations must result from
the attacker's ability to relate the input and output of encryption using the key
K 0, which would therefore imply his ability to break the underlying blo ck ci-
pher with an unknown key.Thus the partially encrypted blo cks are fully integrity
protected and partially encrypted as required.
4 Conclusion
Wehave prop osed a new mo de for symmetric blo ck ciphers that provides Partial
Encryption with Message Integrity, hence the name PEMI. Wehavesketched a
metho d in which a pro of of message integrity for PEMI can b e based on a pro of
of message integrity for IAPM. The same principles used in PEMI can b e used
to create other mo des that provide partial encryption with message integrity.
For example, a PEMI-likemodemay also b e constructed from OCB [5].
References
1. V. Gligor and P. Donescu. Fast encryption and authentica-
tion: XCBC encryption and XECB authenitcation mo des. See
http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/xc bc/xc bc-s pec. pdf,
2001.
2. C. S. Jutla. Encryption mo des with almost free message integrity. See
http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/ia cbc/i acbc -spe c.pdf ,
2001.
3. C. S. Jutla. Parallelizable encryption mo de with almost free message integrity. See
http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/ia pm/ia pm-s pec. pdf, 2001.
4. C. S. Jutla. Hawkes-Rose variant of IAPM and mesage integrity. See
http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/ia pm/va rian tpro od.pd f,
2001.
5. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: A blo ck-
cipher mo de of op eration for ecient authenticated encryption. See
http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/oc b/ocb -spe c.pd f,
2001.
5 App endix
This section describ es the metho d prop osed by Jutla [3] for generating the se-
quence S [0];:::;S[m + 1] from a key and an initial value IV . The sequence has
the prop erty that S [i] S [j ] is uniformly distributed for 0 i< j m +1.
This metho d requires t = dlog m +3e encryptions. This text is taken almost
2
verbatim from [3].
1. Set W = E IV , noting that IV = C [0].
0 K 0
2. Set S [0] = W .
0
3. For j =1 to m, p erform the following steps:
a Find the index k of the least signi cant non-zero bit in j + 1.
k
b If j +1=2 , then compute W = E W + k .
k K 0 0
c Set S [j ]=S [j +1] W . k