Abstract

Given a PRP defined over {0,1}^n, we describe a new generic and efficient method to obtain modes of operation with a security level beyond the birthday bound 2^{n/2}. These new modes, named NAME (for New Encryption Modes of Operation), are based on a new contribution to the problem of transforming a PRP into a PRF. According to our approach, any generator matrix of a linear code of minimal distance d, d ≥ 1, can be used to design a PRF with a security of order 2^{dn/(d+1)}. Such PRFs can be used to obtain NAME, the security level of which is of the same order (2^{dn/(d+1)}). In particular, the well-known counter mode becomes a particular case when considering the identity linear code (of minimal distance d = 1), and the mode of operation CENC [7] corresponds to the case of the parity check linear code of minimal distance d = 2. Any other generator matrix leads to a new PRF and a new mode of operation. We give an illustrative example using d = 4 which reaches the security level 2^{4n/5} with a computation overhead of less than 4% in comparison to the counter mode.

Keywords: symmetric encryption, modes of operation, PRP, PRF, birthday bound, counter mode, CENC
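As an added illustration (not code from the paper), the following Python models one reading of the construction that is consistent with the two special cases the abstract names: the PRP is evaluated on m counter blocks, and each of the k PRF output blocks is the XOR of the PRP outputs selected by one row of a k x m generator matrix G, so that with G = I one gets counter mode and with the parity check code G = [I | 1] one gets CENC. Assumptions: the row-selection reading itself, a toy 64-bit block size, and a stand-in Feistel PRP built from HMAC-SHA256 in place of a real block cipher.

```python
import hmac
import hashlib
from typing import List, Sequence

BLOCK_BYTES = 8  # assumption: a toy n = 64-bit block so the example stays small

def feistel_prp(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Stand-in PRP (assumption, not the paper's cipher): balanced Feistel network
    whose round functions are HMAC-SHA256 keyed with `key` and the round index."""
    half = BLOCK_BYTES // 2
    left, right = block[:half], block[half:]
    for r in range(rounds):
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:half]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def min_distance(G: Sequence[Sequence[int]]) -> int:
    """Minimal distance d of the binary linear code generated by the rows of G
    (brute force over all 2^k - 1 non-zero codewords; fine for small k)."""
    k, m = len(G), len(G[0])
    best = m
    for mask in range(1, 1 << k):
        cw = [0] * m
        for i in range(k):
            if mask >> i & 1:
                cw = [a ^ b for a, b in zip(cw, G[i])]
        best = min(best, sum(cw))
    return best

def code_prf(key: bytes, G: Sequence[Sequence[int]], ctr: int) -> List[bytes]:
    """PRP -> PRF via a k x m generator matrix G (assumed reading of the abstract):
    evaluate the PRP on counter blocks ctr .. ctr+m-1, then emit one block per row
    of G, the XOR of the PRP outputs at that row's non-zero positions. Any non-zero
    XOR of output blocks is then a sum of at least d distinct PRP values."""
    m = len(G[0])
    blocks = [feistel_prp(key, (ctr + j).to_bytes(BLOCK_BYTES, "big")) for j in range(m)]
    out = []
    for row in G:
        acc = bytes(BLOCK_BYTES)
        for j, bit in enumerate(row):
            if bit:
                acc = bytes(a ^ b for a, b in zip(acc, blocks[j]))
        out.append(acc)
    return out

# Three generator matrices, each producing k = 4 output blocks:
COUNTER = [[1 if i == j else 0 for j in range(4)] for i in range(4)]  # identity, d = 1
CENC = [row + [1] for row in COUNTER]                                  # parity check [5,4,2]
EXT_HAMMING = [[1,0,0,0,0,1,1,1], [0,1,0,0,1,0,1,1],                   # [8,4,4], d = 4
               [0,0,1,0,1,1,0,1], [0,0,0,1,1,1,1,0]]
```

The small [8,4,4] code costs m/k = 2 PRP calls per output block (100% overhead); the abstract's figure of under 4% comes from a longer d = 4 code that the abstract does not specify.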
