Cryptanalysis of the EMD mode of operation

Authors:
Antoine Joux
Affiliations:
DCSSI Crypto Lab, Paris, SP, France
Venue:
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Year:
2003

Citing 3
Cited 5

Tweakable Block Ciphers

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Generalized Birthday Problem

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Block-Cipher Mode of Operation for Parallelizable Message Authentication

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology

On Some Weaknesses in the Disk Encryption Schemes EME and EME2

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
On tweaking Luby-Rackoff blockciphers

ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
Symmetric nonce respecting security model and the MEM mode of operation

INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
Related-mode attacks on block cipher modes of operation

ICCSA'05 Proceedings of the 2005 international conference on Computational Science and Its Applications - Volume Part III
On the security bounds of CMC, EME, EME+ and EME* modes of operation

ICICS'05 Proceedings of the 7th international conference on Information and Communications Security

Quantified Score

Hi-index	0.01

Visualization

Abstract

In this paper, we study the security of the Encrypt-Mask-Decrypt mode of operation, also called EMD, which was recently proposed for applications such as disk-sector encryption. The EMD mode transforms an ordinary block cipher operating on n-bit blocks into a tweakable block cipher operating on large blocks of size nm bits. We first show that EMD is not a secure tweakable block cipher and then describe efficient attacks in the context of disk-sector encryption. We note that the parallelizable variant of EMD, called EME that was proposed at the same time is also subject to these attacks. In the course of developing one of the attacks, we revisit Wagner's generalized birthday algorithm and show that in some special cases it performs much more efficiently than in the general case. Due to the large scope of applicability of this algorithm, even when restricted to these special cases, we believe that this result is of independent interest.