A Mode of Operation with Partial Encryption and Message Integrity

A Mo de of Op eration with Partial Encryption

and Message Integrity PEMI

1 1

Philip Hawkes and Gregory G. Rose

QUALCOMM International Australia

Level 3, 230 Victoria Road, Gladesville NSW 2111 Australia

fphawkes,[email protected]

Abstract. At the recent AES Mo des of Op eration Conference, several

mo des of op eration were prop osed for using a blo ck cipher to provide

b oth con dentiality and authentication. These mo des require only a little

more work than the cost of encryption alone, and come with pro ofs of

security.However, these mo des require the entire message to b e sentin

encrypted form. This can cause problems in situations where some of the

message neeeds to b e sent in plaintext while still b eing authenticated.

This pap er describ es a simple variation that allows anychoice of message

blo cks to b e sent in plaintext form rather than in encrypted form. This

mo de, Partial Encryption with Message Integrity PEMI, is shown to

b e secure for message integrity and message secrecy.

1 Intro duction

In 2000 Jutla [2, 3] prop osed new mo des of op eration for symmetric blo ck ciphers:

IntegrityAware Cipher Bo ck Chaining IACBC mo de and Integrity-Aware Par-

allelizable IAPM Mo de. Provided the underlying blo ck cipher is secure, the

mo des are proven to provide secure encryption and secure message authentica-

tion. Other mo des with the same prop erties have since b een prop osed: XCBC

mo de, prop osed by Gligor and Donescu [1]; and OCB mo de, prop osed by Rog-

away, Bellare, Black and Krovetz [5]. These mo des IACBC, IAPM, XCBC and

OCB share a common dilemma: the entire message must b e sent in encrypted

form. In many situations, this is not an issue. However, some proto cols require

part of the message such as an IP address to b e sent as plaintext, and it would

b e desirable for this plaintext p ortion to b e authenticated along with the remain-

der of the message. This is not p ossible with the aforementioned mo des. This

pap er presents a mo de whereby part of the message can be sent as plaintext,

and this plaintext p ortion to b e authenticated along with the remainder of the

message. The mo de is called Partial Encryption with Message Integrity PEMI

mo de.

The pap er is arranged as follows. Section 2 contains a description of IAPM

and the new mo de. A short discussion on the eciency of PEMI follows in

Section 2.2. A pro of of message integrity is provided in Section 3. Section 3.1

discusses partial blo ck encryption, where part of a blo ckissent encrypted and

the remaining part of the blo ck is sent unencrypted.

2 Description

Let E denote encryption of an l -bit blo ckby a symmetric blo ck cipher using

the key K , and let D denote decryption by the symmetric blo ck cipher us-

ing K . Supp ose the message is m blo cks in length: P = P [1];:::;P[m], and the

sender and receiver have agreed on twokeys K 0;K1. The XOR version of IAPM

mo de is summarized b elow. This mo de requires the generation of a sequence

S [0];:::;S[m + 1] from the initial value IV using the key K 0. This sequence must

have the prop erty that S [i] S [j ] is uniformly distributed for 0 i< j m +1.

The metho d prop osed by Jutla [3] uses only only t = dlog m +3e encryp-

tions. This metho d is given in the App endix. IAPM encryption, decryption and

message integrityveri cation are computed as follows.

IAPM: Encryption with Authentication

Step 1 Cho ose a random l -bit initial value IV , set C [0] = IV .

Step 2 Generate S [0];:::;S[m + 1] from IV and K 0.

Step 3 For 1 i m, compute C [i]=S [i] E P [i] S [i].

K 1

Step 4 Form P [i +1]= P [1] P [m], and compute,

C [m +1]= S [0] E check sum S [m + 1]:

K 1

Transmit C =C [0];:::;C[m + 1].

IAPM: Decryption with Message Integrity Veri cation

Step 1 Extract IV = C [0].

Step 2 Generate S [0];:::;S[m + 1] from IV and K 0.

Step 3 For 1 i m compute P [i]= S [i] D C [i] S [i].

K 1

Step 4 Compute P [m +1]= S [m +1] D C [m +1] S [0].

K 1

Step 5 If P [m +1]= P [0] P [m], then the message integrityisveri ed,

and the message is P = P [1];:::;P[m].

[Note to referees: We can include a Figure describing IAPM here, but we are

currently pressed for time.]

As explained in Section 1, There is demand for a mo de in which part of

the message is sent in non-encrypted form. The mo de prop osed b elow, Partial

Encryption with Message Integrity PEMI, is a variation on IAPM. Supp ose

the message is m blo cks in length: P = P [1];:::;P[m], and the sender and

receiver have agreed on twokeys K 0;K1. The sender and receiver also agree on

a set U f1;:::;mg of blo ck indices for which the plaintext blo ck P [i] will b e

transmitted rather than the ciphertext C [i] when i 2 U .

There is a slight discrepancy b etween the description of IAPM in [2, 3]. This descrip-

tion follows [3].

PEMI: Encryption with Authentication

Step 1 Cho ose a random l -bit value IV , set C [0] = IV .

Step 2 Generate S [0];:::;S[m + 1] from IV and K 0asshown in the App endix.

Step 3 For 1 i m, p erform one of the following steps.

{ If i 2 U , then set C [i]=P [i] and compute Y [i]=S [i] D P [i] S [i].

K 1

{ If i=2 U , then compute C [i]=S [i] E P [i] S [i] and set Y [i]=P [i].

K 1

Step 4 Form P [m +1]= Y [1] Y [m], and compute

C [m +1]= S [0] E P [m +1] S [m + 1]:

K 1

Transmit C =C [0];:::;C[m + 1].

[Note to referees: We can include a Figure describing PEMI here, but we are

currently pressed for time.]

Example 1. Supp ose that the sender and receiver agree that the rst data blo ck

will b e transmitted in plaintext rather than ciphertext. Then

Y [1] = S [1] D P [1] S [1];

K 1

and Y [i]=P [i] for 2 i m. The tranmitted message app ears as

C [0];P[1];C[2];:::;C[m];C[m +1];

where C [2];:::;C[m] contain the encryptions of P [2];:::;P[m].

PEMI: Decryption with Message IntegrityVeri cation

Step 1 Extract IV = C [0].

Step 2 Generate S [0];:::;S[m + 1] from IV and K 0.

Step 3 For 1 i m p erform one of the following steps.

{ If i 2 U , then set P [i]=C [i] and compute Y [i]=S [i] D P [i] S [i].

K 1

{ If i=2 U , then compute P [i]=S [i] D C [i] S [i] and set Y [i]=P [i].

K 1

Step 4 Compute P [m +1]= S [m +1] D C [m +1] S [0].

K 1

Step 5 If P [m +1]= Y [1] Y [m], then the message integrityisveri ed,

and the message is P =P [1];:::;P[m].

Note that the message integrityveri cation for a PEMI ciphertext C is ex-

actly the same as the message integrityveri cation for an IAPM ciphertext C .

While IAPM used the \hidden" values P [1];:::;P[m] to compute the check-

sum, this PEMI mo de uses the hidden decrypted values of P [i], since P [i] is

transmitted.

2.1 Format

The format of a PEMI ciphertext is a description of which blo cks will b e sent

unencrypted and which blo cks will be sent encrypted. The message integrity

veri cation of PEMI is indep endent of which blo cks were sent encrypted and

which blo cks were sent unencrypted. That is, PEMI do es not verify the format

of the ciphertext. This op ens PEMI to the p ossibility of an attack in which the

claimed format of the ciphertext is changed. We do not consider this to be a

serious threat as there are several ways to resist this threat. One simple solution

is that the sender and receiver can agree a priori on the format. An alternative

solution is to de ne part of the unencrypted plaintext to include formatting data.

2.2 Performance

The same principles used in PEMI can be used to create other mo des that

provide partial encryption with message integrity. One example is the so-called

Hawkes-Rose HR variant of IAPM [4]. In the HR variant, the checksum is

de ned as P [m +1]= P [j ], with

j=2 U

C [m +1]= E P [m +1] S [m + 1] S [0] [S [i] E P [i] S [i]]:

K 1 K 1

j 2U

Here is a comparison of PEMI and the HR variant.

{ The HR variant encryption requires only blo ck cipher encryption. PEMI en-

cryption requires b oth blo ck cipher encryption and blo ck cipher decryption.

{ In the HR variant encryption, all blo ck cipher encryptions can b e p erformed

in parallel; there is no latency. In PEMI encryption, P [m + 1] can only b e

formed after the blo ck cipher decryptions of the unencrypted blo cks. Thusm

the computation of C [m + 1] cannot take place until after these decryptions.

Consequently, not all op erations in PEMI encryption can be p erformed in

parallel; there is a latency of one blo ck cipher encryption.

{ The HR variant decryption and message integrityveri cation requires b oth

blo ck cipher encryption and blo ck cipher decryption. PEMI decryption and

message integrityveri cation requires only blo ck cipher decryption.

{ In the HR variant decryption and message integrityveri cation, the blo ck

cipher encryptions of the unencrypted blo cks must b e p erformed to obtain

A = [S [i] E P [i] S [i]], b efore the receiver can decrypt to form

K 1

j 2U

P [m +1]= S [m +1] D C [m +1] S [0] A:

K 1

That is, the computation of P [m + 1] cannot take place until after these en-

cryptions. Consequently, not all op erations in the HR variant decryption and

message integrityveri cation can b e p erformed in parallel; there is a latency

of one blo ck cipher encryption. In PEMI decryption and message integrity

veri cation, all blo ck cipher decryptions can b e p erformed in parallel; there

is no latency.

All the designs that we considered for partial encryption with message integrity

app eared to require a mixture of blo ck cipher encryption and blo ck cipher de-

cryption either during encryption or during decryption and message integrity

veri cation. All the designs that we considered also required a latency of at

least one blo ck cipher encryption or decryption at some p oint: either during

encryption or during decryption and message integrityveri cation.

Performance-wise, there is little to di erentiate b etween PEMI and the HR

variant. Both schemes allow for signi cant parallelization, so they are very fast.

However, we prefer PEMI b ecause message veri cation for PEMI is identical to

message integrity for IAPM. This means that the security of PEMI for message

integrity can b e easily related to the security of IAPM for message integrity.As

the security pro of for IAPM already exists, this makes our work much easier.

3 Pro of of Message Integrity

A message integrity attack MIA on PEMI or IAPM is a two step pro cess. In

1 Z

the rst step, the adversary cho oses plaintexts P ;:::;P , and gets the sender

1 z

to reply C ;:::;C . Note that each plaintext and ciphertext consists of multiple

i i i i i

blo cks: C =C [0] :::;C [m + 1], where m is the length of the i-th plaintext.

In the second step, the adversary pro duces a new ciphertext C distinct from

the other ciphertexts C for which there is a non-negligible probability that it

is valid. There is a slight di erence b etween the MIA on PEMI and the MIA on

IAPM; the di erence is easier to express with some additional notation.

1. PEMI. Let Y [j ], 1 j m, b e de ned as ab ove for PEMI: if j 2 U , then

Y [j ]=P [j ]; otherwise

Y [j ]=S [j ] D P [j ] S [j ]:

K 1

For 0 j m de ne Z [j ]=C [j ], noting that Z [j ]=P [j ] for j 2 U . Also

de ne

Y [m +1]= Y [1] Y [m];

Z [m +1]= S [0] E Y [m +1] S [m + 1]:

K 1

i i

For the i-th plaintext message P , let U denote the set of indices for which

P [j ] is sent unencrypted.

2. IAPM. For 1 j m, de ne Y [j ] = P [j ] and Z [j ] = C [j ] = S [j ]

E Z [j ] S [j ]. Finally de ne

K 1

Y [m +1]= Y [1] Y [m];

Z [m +1]= S [0] E Y [m +1] S [m + 1]:

K 1

The di erences b etween an MIA on PEMI and an MIA on IAPM are in whether

i i

the values of Y [j ] and Z [j ] are known, unknown, chosen or uniformly dis-

tributed.

1. In an MIA on IAPM, the values of Y [j ], 1 i m +1, are chosen and

i i

thus known. In an MIA on PEMI, the values of Y [j ], j 2= U , are chosen

i i

and known but the values of Y [j ], j 2 U , are unknown and exp ected to b e

uniformly distributed.

2. In an MIA on IAPM, the values of Z [j ] are known and exp ected to be

i i

uniformly distributed. In an MIA on PEMI, the values of Z [j ], i 2= U , are

unknown and exp ected to b e uniformly distributed, but the values of Z [j ],

i i

i 2= U , are chosen. In an MIA on PEMI, the adversary gets to cho ose U

1 i1 1 i1

based on P ;:::;P , and C ;:::;C . This means that the adversary

gets to cho ose which values of Z [j ] will be plaintexts and for which the

adversary can cho ose the values and whichvalues of Z [j ] will b e unknown, uniformly distributed ciphertexts.

i i

We can translate the pro of for IAPM [3] into a pro of using Y [j ] and Z [j ] in

i i

the place of P [j ] and C [j ]. A pro of for PEMI results if the pro of for IAPM still

holds when some values of Z [j ] are chosen, while the corresp onding values of

i i

Y [j ] are unknown and uniformly distributed. The fact that some values of Y [j ]

are unknown and uniformly distributed cannot increase the success probability

i i

of the attack. The question is whether the fact that Z [j ], j 2 U , are chosen

increases the success probability.

In Jutla's calculations for b ounding the success probability of an MIA on

IAPM [3], the \un-predictability" of the ciphertexts has the following e ect.

To compute a probability where there are, say, t p ossible ciphertexts resulting

the initial value IV, Jutla sums the probabilities over the individual p ossible

ciphertexts and intro duces a factor of 1=t, seeing as the actual value for the

ciphertext is not known in advance. As only a b ound is required, we obtain a

b ound that holds for all t p ossible xed ciphertexts. We then see that the

b ound on the sum of the probabilities is =t = . That is, the b ound

ciphertexts

on the success probability do es not dep end on how many p ossible values there

are for the ciphertexts.

This means that in the same analysis of PEMI, the same b ounds would

apply even though the attacker has the opp ortunitytocho ose some p ortion of

the ciphertexts. Thus, an attack on the message integrity of PEMI has negligible

success probability; that is, PEMI remains secure for message integrity.

The pro of of privacy for PEMI remains the same as that for IAPM, except

of course that some of the plaintexts are transmitted in clear.

3.1 Partial Blo ck Encryption with Message Integrity

PEMI ab ove relies up on entire blo cks b eing either plaintext or ciphertext, which

is an undesirable re ection of the structure of the blo ck cipher. Since the AES

works on large blo cks of 16 bytes, this might b e seen to b e unduly restrictive. It

is desirable to handle, somehow, the case of partially encrypted blo cks. We call a

blo ck a \partial blo ck" when some of its contents are to b e sent encrypted, and

some of it is to b e sent clear. Again we assume that the format of the message,

in the sense of what part is to b e sent unencrypted, is agreed a priori b etween

the parties.

One way to solve this problem is to treat the partial blo ck as a blo cktobe

transmitted unencrypted for the purp oses of calculating the Message Integrity

ab ove. Since this ensures message integrity,we encrypt the desired part with an

additive cipher, e ectively in counter mo de. The IV was used in conjunction

with K 0 to generate the S [i]values, but K 1 is used to encrypt and decrypt the

actual data blo cks, so we can reuse the IV in this context.

Consider the i-th blo ck, and assume that wehave a bitwise mask M [i] that

de nes the bits to b e encrypted. M [i]won't b e all zeros, or the sender would just

send the plaintext; similarly it won't b e all ones, or the sender would just send

the ciphertext. Beyond that, there is no reason to further constrain which bits

are to b e encrypted, and which left unencrypted. The blo ck to b e transmitted

is calculated so:

P ar tial [i]= P [i] M [i] AND E IV i;

K 1

where AND denotes the bit-wise AND op eration. For each blo ck to b e partially

encrypted, an extra encryption op eration over the basic PEMI is required to

generate the counter-mo de mask. Since this extra op eration can also be done

in parallel with the data encryption or decryption op eration required by the

message integrity calculation or veri cation resp ectively the overall latency in

parallel mo de need not increase.

Security of the message integrity follows directly from that of PEMI. The

message integritywas already guaranteed when plaintext was sent, so obscuring

part of the plaintext cannot weaken the message integrity. Security of the privacy

of the data follows directly from the pro of of security of basic Counter Mo de

encryption, whichwe do not rep eat here. We only require that the two encryption

op erations needed are indep endent, to prove the security of this enhancement.

In one privacy op eration, we encrypt E IV i. In the other integrity

K 1

op eration, we encrypt E P [i] S [i]. These values are unrelated, except that

K 1

the S [i] are related to the IV through encryption with key K 0 not K 1. There-

fore, any dep endence b etween these two encryption op erations must result from

the attacker's ability to relate the input and output of encryption using the key

K 0, which would therefore imply his ability to break the underlying blo ck ci-

pher with an unknown key.Thus the partially encrypted blo cks are fully integrity

protected and partially encrypted as required.

4 Conclusion

Wehave prop osed a new mo de for symmetric blo ck ciphers that provides Partial

Encryption with Message Integrity, hence the name PEMI. Wehavesketched a

metho d in which a pro of of message integrity for PEMI can b e based on a pro of

of message integrity for IAPM. The same principles used in PEMI can b e used

to create other mo des that provide partial encryption with message integrity.

For example, a PEMI-likemodemay also b e constructed from OCB [5].

References

1. V. Gligor and P. Donescu. Fast encryption and authentica-

tion: XCBC encryption and XECB authenitcation mo des. See

http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/xc bc/xc bc-s pec. pdf,

2001.

2. C. S. Jutla. Encryption mo des with almost free message integrity. See

http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/ia cbc/i acbc -spe c.pdf ,

2001.

3. C. S. Jutla. Parallelizable encryption mo de with almost free message integrity. See

http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/ia pm/ia pm-s pec. pdf, 2001.

4. C. S. Jutla. Hawkes-Rose variant of IAPM and mesage integrity. See

http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/ia pm/va rian tpro od.pd f,

2001.

5. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: A blo ck-

cipher mo de of op eration for ecient authenticated encryption. See

http://csrc.nist.gov/encrypt ion/ modes /pro pose dmode s/oc b/ocb -spe c.pd f,

2001.

5 App endix

This section describ es the metho d prop osed by Jutla [3] for generating the se-

quence S [0];:::;S[m + 1] from a key and an initial value IV . The sequence has

the prop erty that S [i] S [j ] is uniformly distributed for 0 i< j m +1.

This metho d requires t = dlog m +3e encryptions. This text is taken almost

verbatim from [3].

1. Set W = E IV , noting that IV = C [0].

0 K 0

2. Set S [0] = W .

3. For j =1 to m, p erform the following steps:

a Find the index k of the least signi cant non-zero bit in j + 1.

b If j +1=2 , then compute W = E W + k .

k K 0 0

c Set S [j ]=S [j +1] W . k