A Pseudo-Random Encryption Mode

Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of the length of its input. This permutation is used for encryption while the inverse permutation is used for decryption. Using a length-preserving encryption scheme saves on memory and prevents wasting communication bandwidth. Furthermore, it enables the easy incorporation of the encryption scheme into existing protocols or hardware components. Often, block-ciphers have fixed (and relatively small) input length. This is especially true for hardware implementations. For example, the highly influential Data Encryption Standard (DES) has input length of 64 bits.1 In such a case, the block-cipher is used in some mode of operation that enables the encryption of longer messages. The standard modes of operation (proposed in the context of DES) are ECB, CBC, CFB and OFB. Unfortunately, all these modes reveal information on their inputs or on relations between different inputs. For instance, when using the CBC-mode, the encryptions of two messages with identical prefix will also have an identical prefix. The ECBmode reveals even more information (i.e., equalities between any pair of plain-text blocks). For some applications it is essential to have better security than that of the standard modes of operation. Such security is formalized by the concept of a pseudo-random permutation: Let f be a pseudo-random permutation, then if the encryption of a message M is f(M) then the only information this encryption leaks on M is whether or not M is equal to a previously encrypted message. For further discussion on the usage of pseudo-random permutations for encryption (and on the usage of length-preserving encryption in general) see [3, 5, 9]. This note describes a mode of operation for block-ciphers that achieves a strong notion of security: If the original block-cipher is a pseudo-random permutation then we get a pseudo-random permutation on the entire message (see a more quantitative statement below). The description is extracted from [9] where a framework for constructing and proving the security of pseudorandom permutations is introduced. In such a construction a pseudo-random permutation Π is defined to be the composition of three permutations: Π ≡ h−1 2 ◦A ◦h1. In general, h1 and h −1 2 are “lightweight,” and A is where most of the work is done. Intuitively, there are only a few bad inputs for A and the role of h1 and h −1 2 is to “filter” out these inputs.