The EMD Mode of Operation (A Tweaked, Wide-Blocksize, Strong PRP)

We describe a block-cipher mode of operation, EMD, that builds a strong pseudorandom per-mutation (PRP) on nm bits (m ≥ 2) out of a strong PRP on n bits (i.e., a block cipher). Theconstructed PRP is also tweaked (in the sense of [10]): to determine the nm-bit ciphertext blockC =EK(P ) one provides, besides the key K and the nm-bit plaintext block P , an n-bit tweak T . Themode uses 2m block-cipher calls and no other complex or computationally expensive steps (such asuniversal hashing). Encryption and decryption are identical except that encryption uses the forwarddirection of the underlying block cipher and decryption uses the backwards direction. We suggestthat EMD provides an attractive solution to the disk-sector encryption problem, where one wantsto encipher the contents of an nm-bit disk sector in a way that depends on the sector index and issecure against chosen-plaintext/chosen-ciphertext attack.