A Generalized Birthday Problem
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
On Some Weaknesses in the Disk Encryption Schemes EME and EME2
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
On tweaking Luby-Rackoff blockciphers
ASIACRYPT'07 Proceedings of the Advances in Cryptology 13th international conference on Theory and application of cryptology and information security
Symmetric nonce respecting security model and the MEM mode of operation
INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
Related-mode attacks on block cipher modes of operation
ICCSA'05 Proceedings of the 2005 international conference on Computational Science and Its Applications - Volume Part III
On the security bounds of CMC, EME, EME+ and EME* modes of operation
ICICS'05 Proceedings of the 7th international conference on Information and Communications Security
In this paper, we study the security of the Encrypt-Mask-Decrypt mode of operation, also called EMD, which was recently proposed for applications such as disk-sector encryption. The EMD mode transforms an ordinary block cipher operating on n-bit blocks into a tweakable block cipher operating on large blocks of size nm bits. We first show that EMD is not a secure tweakable block cipher and then describe efficient attacks in the context of disk-sector encryption. We note that the parallelizable variant of EMD, called EME, which was proposed at the same time, is also subject to these attacks. In the course of developing one of the attacks, we revisit Wagner's generalized birthday algorithm and show that in some special cases it performs much more efficiently than in the general case. Due to the large scope of applicability of this algorithm, even when restricted to these special cases, we believe that this result is of independent interest.
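The abstract refers to Wagner's generalized birthday algorithm. As an added illustration that is not part of this paper or its abstract, the following Python implements the textbook 4-list (k = 4) case of that algorithm: given four lists of uniformly random n-bit values, find one element from each list whose XOR is zero. A plain birthday approach needs lists of roughly 2^(n/2) elements; Wagner's two-level tree needs only about 2^(n/3) per list and runs in about that time, by first pairing (L1, L2) and (L3, L4) on n/3 low bits and then colliding the pair-XORs on the remaining bits. The example does not reproduce the special-case speed-up or the attacks on EMD that the paper describes. The block size n = 24, the random lists and the planted solution are constructed sample input; `make_instance` and `wagner_k4` are names chosen here, not functions from the paper.

```python
"""Wagner's 4-list generalized birthday algorithm (k = 4), worked example.

Problem: given lists L1..L4 of uniformly random n-bit values, find
x1 in L1, ..., x4 in L4 with x1 ^ x2 ^ x3 ^ x4 == 0.
Lists of about 2^(n/3) elements suffice, versus 2^(n/2) for a plain
two-list birthday search.
"""
import random
from collections import defaultdict


def join_low_bits(la, lb, low_bits):
    """All pairs (a, b), a in la, b in lb, with a ^ b == 0 on the low `low_bits` bits.

    A hash index on lb keeps the join at O(|la| + |lb| + number of matches)
    instead of the O(|la| * |lb|) of a nested loop.
    """
    mask = (1 << low_bits) - 1
    index = defaultdict(list)
    for b in lb:
        index[b & mask].append(b)
    return [(a, b) for a in la for b in index.get(a & mask, ())]


def wagner_k4(l1, l2, l3, l4, n):
    """Return every quadruple (x1, x2, x3, x4) the tree algorithm finds
    with x1 ^ x2 ^ x3 ^ x4 == 0 (n-bit values).

    Level 1: pairs from (L1, L2) and from (L3, L4) whose XOR vanishes on the
             low n/3 bits; each side yields about |L|^2 / 2^(n/3) = 2^(n/3) pairs.
    Level 2: the pair-XORs are now zero on n/3 bits, so matching them on the
             remaining 2n/3 bits yields about 2^(n/3) * 2^(n/3) / 2^(2n/3) = 1
             solution on random input.
    """
    low_bits = n // 3
    left = join_low_bits(l1, l2, low_bits)
    right = join_low_bits(l3, l4, low_bits)
    # The low bits of c ^ d are zero, so keying on the whole value compares
    # exactly the remaining n - low_bits bits.
    index = defaultdict(list)
    for c, d in right:
        index[c ^ d].append((c, d))
    # (a ^ b) == (c ^ d) is equivalent to a ^ b ^ c ^ d == 0.
    return [(a, b, c, d) for a, b in left for c, d in index.get(a ^ b, ())]


def make_instance(n, seed=1):
    """Constructed sample input: four lists of 2^(n/3) random n-bit values.

    One solution is planted so that it respects the level-1 constraint
    (l1[0] ^ l2[0] is zero on the low n/3 bits) and is therefore guaranteed
    to be found; any further solutions come from the random structure.
    """
    rng = random.Random(seed)  # fixed seed: deterministic, constructed data
    low_bits = n // 3
    size = 1 << low_bits
    l1, l2, l3, l4 = [[rng.getrandbits(n) for _ in range(size)] for _ in range(4)]
    low_mask = (1 << low_bits) - 1
    # l2[0] agrees with l1[0] on the low bits, random elsewhere.
    l2[0] = (rng.getrandbits(n - low_bits) << low_bits) | (l1[0] & low_mask)
    # l4[0] makes l3[0] ^ l4[0] == l1[0] ^ l2[0], so the full XOR is zero.
    l4[0] = l3[0] ^ l1[0] ^ l2[0]
    return [l1, l2, l3, l4]


if __name__ == "__main__":
    n = 24
    lists = make_instance(n)
    solutions = wagner_k4(*lists, n)
    print(f"n={n}, list size {1 << (n // 3)}: {len(solutions)} solution(s)")
    for quad in solutions:
        print("  ", [hex(x) for x in quad])
```

Note that the tree discards the many quadruples that XOR to zero without satisfying the intermediate low-bit constraint; with n = 24 and lists of 256 values there are about 2^32 / 2^24 = 256 zero-XOR quadruples in total, of which the algorithm is expected to surface only about one beyond the planted solution. Trading exhaustiveness for a 2^(n/3) running time is exactly the point of the method.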