
Parallelizable Mode with Almost Free Message Integrity

Charanjit S. Jutla

IBM T.J. Watson Research Center,

Yorktown Heights, NY 10598

In this document we propose a new mode of operation for symmetric block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a mode of operation for encryption, but a mode of operation for authenticated encryption. As the title of the document suggests, the new mode achieves the additional property with little extra overhead, as will be explained below.

The new mode is also highly parallelizable. In fact, it has a critical path of only two block cipher invocations. By one estimate, a hardware implementation of this mode on a single board housing 1000 block cipher units achieves terabits/sec ($10^{12}$ bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial implementation of this mode.

The new mode also comes with proofs of security, assuming that the underlying block ciphers are secure. For confidentiality, the mode achieves the same provable security bound as CBC. For message integrity, the mode achieves the same provable security bound as CBC-MAC.

The new parallelizable mode removes chaining from the well known CBC mode, and instead does an input whitening as well as an output whitening with a pairwise independent sequence. Thus, it becomes similar to the ECB mode. However, with the input whitening with the pairwise independent sequence the new mode has provable security similar to CBC (note: ECB does not have security guarantees like CBC). Also, the output whitening with the pairwise independent sequence guarantees message integrity.

The pairwise independent sequence can be generated with little overhead. In fact, the input and output whitening sequence need only be pairwise differentially uniform, which is a weaker property than pairwise independence, as explained in the details below. The weaker pairwise differentially uniform sequence can be generated with even less overhead.

The parallelizable mode comes in two flavors. These flavors refer to how the pairwise differentially uniform sequence is generated. In one mode, we just use a pairwise independent sequence generated by a subset construction. In another mode, the pairwise differentially uniform sequence is generated by $a \cdot i$ modulo a fixed prime number. There will be one standard prime number for each bit-size block cipher. Thus, for 64-bit block ciphers the prime could be $2^{64} - 257$. For 128-bit block ciphers, the prime could be $2^{128} - 159$.

The modes are described below in more detail. For proofs of security see the proceedings of Eurocrypt 2001 (also http://eprint.iacr.org/2000/039.ps).

We first give definitions of pairwise independence and related concepts. Then we describe the parallelizable mode using the algebraic construction $a \cdot i$ modulo a fixed prime. Finally, we describe the mode using only exclusive-or operations.

1. Definitions

Definition 1 (pair-wise independence) A sequence of uniformly distributed $n$-bit random numbers $s_1, s_2, \ldots, s_m$ is called pair-wise independent if for every pair $i, j$ with $i \neq j$, and every pair of $n$-bit constants $c_1$ and $c_2$, the probability that $s_i = c_1$ and $s_j = c_2$ is $2^{-2n}$.

Definition 2 (pair-wise differentially-uniform) A sequence of uniformly distributed $n$-bit random numbers $s_1, s_2, \ldots, s_m$ is called pair-wise differentially-uniform if for every pair $i, j$ with $i \neq j$, and every $n$-bit constant $c$, the probability that $s_i \oplus s_j$ is $c$ is $2^{-n}$.

It is a fact that a pair-wise independent uniformly distributed sequence is also pair-wise differentially uniform.

Definition 3 (pair-wise differentially-uniform in GF(p)) A sequence of random numbers $s_1, s_2, \ldots, s_m$ uniformly distributed in GF(p) is called pair-wise differentially-uniform in GF(p) if for every pair $i, j$ with $i \neq j$, and every constant $c$ in GF(p), the probability that $(s_i - s_j) \bmod p$ is $c$ is $1/p$.

A sequence of $m$ pair-wise independent numbers can be generated from about $\log m$ independent random numbers by a subset construction. The subset construction only involves exclusive-or operations.

A pair-wise independent sequence can also be generated by an algebraic construction in GF(p), by using two independent random numbers $a$ and $b$ in GF(p). The sequence is given by $s_i = (a + i \cdot b) \bmod p$.

A pair-wise differentially uniform in GF(p) sequence can be generated from only a single random number $a$ in GF(p) by defining $s_i = (i \cdot a) \bmod p$.

These definitions have been given here only to explain the general principles. In the following description of the new mode, the sequence used is a subtle variation of Definition 3. For proofs of security, see the aforementioned references.

2. Integrity Aware Parallelizable Mode (IAPM) using a prime number

Let $n$ be the block size of the underlying block cipher. We will restrict our attention to $n = 128$ in this paper. If the block cipher requires keys of length $k$, then this mode requires two independent keys of length $k$. Let these keys be called K0 and K1. From now on, we will use $f_K$ to denote the encryption function under key $K$.

The message to be encrypted, $P$, is divided into blocks of length $n$ each. Let these blocks be $P_1, P_2, \ldots, P_{m-1}$. As in CBC, a random initial vector $r$ of length $n$ bits is chosen. The vector $r$ need not be chosen randomly, as long as it is unique for each message. This random vector is used to generate a new random vector $a$ using the block cipher and key K0, which in turn is used to prepare $m+1$ new pairwise differentially uniform vectors $S_0, S_1, \ldots, S_m$.

Let $p = 2^{128} - 159$. The number $p$ is known to be a prime. This prime will be fixed for all invocations of this mode using block ciphers of block size 128 bits. For 64-bit ciphers $p = 2^{64} - 257$ is recommended.

Now, the sequence $S_0, S_1, \ldots, S_m$ is generated by the following procedure:

    procedure pairwise_diff_uniform_sequence(in r, m, K0; out S)
    {
        a = f_K0(r)
        if (a >= 2^128 - 159) a = (a + 159) mod 2^128
        S_0 = a
        for i = 1 to m do
            S_i = (S_{i-1} + a) mod 2^128
            if (a > S_i) S_i = S_i + 159
        end for
    }

The condition $(a > S_i)$ is equivalent to 128-bit integer addition overflow in the previous step. Note that we do not reduce modulo $p$ if $S_{i-1} + a < 2^{128}$, but we do compensate by 159 if $S_{i-1} + a \geq 2^{128}$, as in the latter case,
$$(S_{i-1} + a) \bmod p = S_{i-1} + a - (2^{128} - 159) = (S_{i-1} + a - 2^{128}) + 159.$$

Figure 1: Integrity Aware Parallelizable Mode (IAPM). [Diagram not reproduced in this text. Labels recovered from it: $r$, $P_1, \ldots, P_{m-1}$, checksum; $f_{K0}$ producing $a$; the "mod p constr." producing $S_0, S_1, \ldots, S_m$; whitened blocks $M_1, \ldots, M_m$; block cipher outputs $N_1, \ldots, N_m$ under $f_{K1}$; and ciphertext blocks $C_0, C_1, \ldots, C_m$.]

In this mode, the input and output whitening is done by 128-bit integer addition. The ciphertext message $C = \langle C_0, C_1, \ldots, C_m \rangle$ is generated as follows (see Fig. 1):

    C_0 = r
    for i = 1 to m-1 do
        M_i = (P_i + S_i) mod 2^128
        N_i = f_K1(M_i)
        C_i = (N_i + S_i) mod 2^128
    end for
    checksum = P_1 ⊕ P_2 ⊕ ... ⊕ P_{m-1}
    M_m = (checksum + S_m) mod 2^128
    N_m = f_K1(M_m)
    C_m = (N_m + S_0) mod 2^128

Note that for computing the checksum we use xor instead of addition modulo $2^{128}$. The scheme is secure even if the checksum is computed by a modulo $2^{128}$ sum, but for the standard we prefer that the checksum be computed by an xor-sum. Note that $S_0$ is used in the last step.

The above scheme is invertible. The inversion process yields blocks $P_1, P_2, \ldots, P_m$. The decrypted plaintext is $\langle P_1, P_2, \ldots, P_{m-1} \rangle$. Message integrity is verified by checking
$$P_m = P_1 \oplus P_2 \oplus \cdots \oplus P_{m-1}.$$

Here is the pseudo-code for decryption:

    r = C_0
    invoke pairwise_diff_uniform_sequence(r, m, K0; S)
    for i = 1 to m-1 do
        N_i = (C_i - S_i) mod 2^128
        M_i = f_K1^{-1}(N_i)
        P_i = (M_i - S_i) mod 2^128
    end for
    checksum = P_1 ⊕ P_2 ⊕ ... ⊕ P_{m-1}
    N_m = (C_m - S_0) mod 2^128
    M_m = f_K1^{-1}(N_m)
    P_m = (M_m - S_m) mod 2^128
    Integrity = (P_m == checksum)

3. IAPM with only xor operations

The mode described above uses integer addition. We now describe a similar mode in which the only operations are block cipher invocations and exclusive-or operations. In particular, the pairwise differentially uniform sequence is generated using a subset construction. Actually, this sequence has the stronger property of pairwise independence. The subset construction is also optimized using Gray code (http://hissa.nist.gov/dads/HTML/graycode.html). The penalty one has to pay in this mode is that instead of generating one extra vector $a$ as described in the previous section, one now generates about $\log m$ new vectors, where $m$ is the number of blocks in the message to be encrypted.

As before, the message $P$ to be encrypted is divided into blocks of length $n$ each. Let these blocks be $P_1, P_2, \ldots, P_{m-1}$. The initial vector $r$ is used to generate $t = \lceil \log m + 2 \rceil$ new vectors, which in turn are used to prepare $m+1$ new pairwise independent vectors $S_0, S_1, \ldots, S_m$.

The following pseudo-code is the proposed method of generating the sequence $S$.

Figure 2: IAPM with only xor operations. [Diagram not reproduced in this text. Labels recovered from it: $r$, $P_1, \ldots, P_{m-1}$, checksum; $W_0, W_1, \ldots, W_{t-1}$ produced by $f_{K0}$ from $r$ and $W_0 + 1, \ldots, W_0 + t - 1$; the "subset construction" producing $S_0, S_1, \ldots, S_m$; $M_1, \ldots, M_m$; $N_1, \ldots, N_m$ under $f_{K1}$; and $C_0, C_1, \ldots, C_m$.]

    procedure pairwise_independent_sequence(in r, m, K0; out S)
    {
        W_0 = f_K0(r);
        S_0 = W_0;
        for i = 1 to m do
            j = i + 1;
            k = 0;
            /* find the index of the least significant ON bit in (i+1) */
            while ((j & 1) == 0) do
                k = k + 1; j = j >> 1;    /* increment k and right shift */
            end while
            if ((j >> 1) == 0)            /* if (i+1) is a power of 2 */
                W_k = f_K0(W_0 + k);
            S_i = S_{i-1} ⊕ W_k;
        end for
    }

Note that $S_i$ is obtained from $S_{i-1}$ in just one XOR. The inner while loop condition is checked two times on average.

The ciphertext message $C = \langle C_0, C_1, \ldots, C_m \rangle$ is generated as follows (see Fig. 2):

    C_0 = r
    for i = 1 to m-1 do
        M_i = P_i ⊕ S_i
        N_i = f_K1(M_i)
        C_i = N_i ⊕ S_i
    end for
    checksum = P_1 ⊕ P_2 ⊕ ... ⊕ P_{m-1}
    M_m = checksum ⊕ S_m
    N_m = f_K1(M_m)
    C_m = N_m ⊕ S_0

Again, note that $S_0$ is used in the last step. This pseudo-code is the same as the one in the previous section except that all integer additions have been replaced by exclusive-or operations.

Here is the pseudo-code for decryption:

    r = C_0
    invoke pairwise_independent_sequence(r, m, K0; S)
    for i = 1 to m-1 do
        N_i = C_i ⊕ S_i
        M_i = f_K1^{-1}(N_i)
        P_i = M_i ⊕ S_i
    end for
    checksum = P_1 ⊕ P_2 ⊕ ... ⊕ P_{m-1}
    N_m = C_m ⊕ S_0
    M_m = f_K1^{-1}(N_m)
    P_m = M_m ⊕ S_m
    Integrity = (P_m == checksum)
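The Gray-code subset construction of section 3, as an added Python example (not code from the paper or from IBM). The block cipher $f_{K0}$ is replaced by a constructed stand-in (SHA-256 truncated to 128 bits; only the $W$ vectors are derived from it, so invertibility is not needed), and $r$ and the key are constructed sample values. Beyond the procedure itself, `matches_subset_construction` checks that each $S_i$ equals the xor of the $W_k$ selected by the bits of the Gray code of $i+1$, which is the plain subset construction the one-xor-per-block loop optimizes, and `pairwise_differences_nonempty` checks the property that makes the sequence pairwise independent: for $i \neq j$, $S_i \oplus S_j$ is the xor of a non-empty subset of the $W$'s.

```python
import hashlib


def f_k0(key: bytes, x: int) -> int:
    # Stand-in for the block cipher f_K0, used only to derive the W vectors
    # (constructed: a hash truncated to 128 bits, not a real cipher).
    return int.from_bytes(hashlib.sha256(key + x.to_bytes(17, "big")).digest()[:16], "big")


def pairwise_independent_sequence(r: int, m: int, k0: bytes):
    # Section 3 procedure: walk the subsets of W_0, W_1, ... in Gray-code order,
    # so each S_i costs one xor and W_k is derived the first time it is needed.
    W = [f_k0(k0, r)]                  # W_0 = f_K0(r)
    S = [W[0]]                         # S_0 = W_0
    for i in range(1, m + 1):
        j, k = i + 1, 0
        while j & 1 == 0:              # index of the least significant ON bit of i+1
            k += 1
            j >>= 1
        if j >> 1 == 0:                # i+1 is a power of two: W_k needed for the first time
            W.append(f_k0(k0, W[0] + k))   # W_k = f_K0(W_0 + k)
        S.append(S[i - 1] ^ W[k])      # S_i = S_{i-1} xor W_k
    return S, W


def gray(n: int) -> int:
    # Binary reflected Gray code of n.
    return n ^ (n >> 1)


def matches_subset_construction(S: list, W: list) -> bool:
    # S_i should equal the xor of W_b over the set bits b of gray(i+1).
    for i, s in enumerate(S):
        g, expect, b = gray(i + 1), 0, 0
        while g:
            if g & 1:
                expect ^= W[b]
            g >>= 1
            b += 1
        if expect != s:
            return False
    return True


def pairwise_differences_nonempty(S: list, W: list) -> bool:
    # For i != j the Gray codes differ, so S_i xor S_j is the xor of a
    # non-empty subset of the W's; with independent uniform W's that difference
    # is uniform, which is Definition 2. Also confirms the S_i are distinct.
    m = len(S) - 1
    return all(gray(i + 1) ^ gray(j + 1) != 0 and S[i] != S[j]
               for i in range(m + 1) for j in range(i + 1, m + 1))


if __name__ == "__main__":
    S, W = pairwise_independent_sequence(5, 20, b"example-key-0")   # constructed inputs
    print("S vectors:", len(S), "W vectors derived:", len(W))
    print("subset construction ok:", matches_subset_construction(S, W))
```

For $m = 20$ the loop derives $W_0$ through $W_4$ (one new vector each time $i+1$ hits 2, 4, 8, 16), which is within the $t = \lceil \log m + 2 \rceil$ vectors the text allows and far fewer than the $m + 1$ cipher calls a naive per-block derivation would need.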

4. Performance

The IAPM scheme was implemented for DES on an IBM PowerPC 200MHz. For messages of size 1024 64-bit blocks the IAPM scheme with the prime number construction yielded a throughput of 34 Mbits/sec. In comparison, the CBC scheme (i.e. just encryption) ran at 35.5 Mbits/sec.

5. Patents

IBM has filed a U.S. patent on all these schemes.