Parallelizable Encryption Mode with Almost Free Message Integrity
Charanjit S. Jutla
IBM T.J. Watson Research Center,
Yorktown Heights, NY 10598
In this document we propose a new mode of operation for symmetric key block
cipher algorithms. The main feature distinguishing the proposed mode from existing
modes is that along with providing confidentiality of the message, it also provides
message integrity. In other words, the new mode is not just a mode of operation for
encryption, but a mode of operation for authenticated encryption. As the title of
the document suggests, the new mode achieves the additional property with little
extra overhead, as will be explained below.
The new mode is also highly parallelizable. In fact, it has a critical path of only
two block cipher invocations. By one estimate, a hardware implementation of this
mode on a single board housing 1000 block cipher units achieves terabits/sec (10^12
bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial
implementation of this mode.
The new mode also comes with proofs of security, assuming that the underlying
block ciphers are secure. For confidentiality, the mode achieves the same provable
security bound as CBC. For authentication, the mode achieves the same provable
security bound as CBC-MAC.
The new parallelizable mode removes chaining from the well known CBC mode,
and instead does an input whitening as well as an output whitening with a pair-
wise independent sequence. Thus, it becomes similar to the ECB mode. However,
with the input whitening with the pairwise independent sequence the new mode
has provable security similar to CBC (note: ECB does not have security guaran-
tees like CBC). Also, the output whitening with the pairwise independent sequence
guarantees message integrity.
The pairwise independent sequence can be generated with little overhead. In
fact, the input and output whitening sequence need only be pairwise differentially
uniform, which is a weaker property than pairwise independence, as explained in the
details below. The weaker pairwise differentially uniform sequence can be generated
with even lesser overhead.
The parallelizable mode comes in two flavors. These flavors refer to how the
pairwise differentially uniform sequence is generated. In one mode, we just use
a pairwise independent sequence generated by a subset construction. In another
mode, the pairwise differentially uniform sequence is generated by a*i modulo
a fixed prime number. There will be one standard prime number for each bit-size
block cipher. Thus, for 64 bit block ciphers the prime could be 2^64 - 257. For 128
bit block ciphers, the prime could be 2^128 - 159.
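As an added illustration (not code from the paper), the following Python builds both kinds of whitening sequence named above and checks the two properties exhaustively on toy parameters. The bit-subset form of the subset construction, the use of subtraction mod p as the "difference", and the function and variable names are assumptions of this example, not definitions from the document.

```python
from functools import reduce
from itertools import combinations, product

P64 = (1 << 64) - 257     # prime the text suggests for 64-bit block ciphers
P128 = (1 << 128) - 159   # prime the text suggests for 128-bit block ciphers

def algebraic_sequence(a, m, p=P64):
    """S_i = a*i mod p for i = 1..m. `a` stands for the per-message secret
    multiplier; how it is derived is not covered in this excerpt (assumption)."""
    assert 0 <= a < p, "a must be a residue mod p"
    return [(a * i) % p for i in range(1, m + 1)]

def subset_sequence(w, m):
    """Subset construction (assumed form): S_i is the XOR of the random blocks
    w[k] for every bit k set in i, i = 1..m; needs len(w) >= m.bit_length()."""
    assert len(w) >= m.bit_length(), "not enough random blocks"
    return [reduce(lambda x, y: x ^ y,
                   (w[k] for k in range(len(w)) if (i >> k) & 1), 0)
            for i in range(1, m + 1)]

def differentially_uniform_mod_p(m, p):
    """Exhaustive check on a small prime p: for every i != j, as `a` ranges over
    Z_p the difference S_i - S_j mod p takes every value of Z_p exactly once.
    This is the mod-p (subtraction) reading of 'differentially uniform'."""
    if m >= p:
        return False   # some i == j mod p, so S_i - S_j would always be 0
    for i, j in combinations(range(1, m + 1), 2):
        diffs = sorted(((a * i) - (a * j)) % p for a in range(p))
        if diffs != list(range(p)):
            return False
    return True

def pairwise_independent_subset(m, n):
    """Exhaustive check with n-bit blocks: over all choices of the t random
    blocks, each pair (S_i, S_j), i != j, hits every value pair (c1, c2)
    exactly 2^(n*(t-2)) times, i.e. the pair is uniform on 2n bits."""
    if m < 2:
        return True    # nothing to compare
    t = m.bit_length()
    counts = {}
    for w in product(range(1 << n), repeat=t):
        s = subset_sequence(list(w), m)
        for i, j in combinations(range(m), 2):
            key = (i, j, s[i], s[j])
            counts[key] = counts.get(key, 0) + 1
    expected = 1 << (n * (t - 2))
    return all(counts.get((i, j, c1, c2), 0) == expected
               for i, j in combinations(range(m), 2)
               for c1 in range(1 << n) for c2 in range(1 << n))
```

The exhaustive checks only make sense for tiny p and n; for the real primes the property follows from a*(i-j) being a bijection of Z_p whenever i and j differ mod p.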
The modes are described below in more detail. For proofs of security see the proceed-
ings of Eurocrypt 2001; also http://eprint.iacr.org/2000/039.ps.
We first give definitions of pairwise independence and related concepts. Then we
describe the parallelizable mode using the algebraic construction a*i modulo a fixed
prime. Finally, we describe the mode using only exclusive-or operations.
1. Definitions
Definition 1 (pair-wise independence) A sequence of uniformly distributed n-bit
random numbers $s_1, s_2, \ldots, s_m$, is called pair-wise independent if for every pair $i, j$, $i \neq j$,
and every pair of n-bit constants $c_1$ and $c_2$, probability that $s_i = c_1$ and $s_j = c_2$