A generic method to design modes of operation beyond the birthday bound

Abstract

Given a PRP defined over {0, 1}^n, we describe a new generic and efficient method to obtain modes of operation with a security level beyond the birthday bound 2^(n/2). These new modes, named NEMO (for New Encryption Modes of Operation), are based on a new contribution to the problem of transforming a PRP into a PRF. According to our approach, any generator matrix of a linear code of minimal distance d, d ≥ 1, can be used to design a PRF with a security of order 2^(dn/(d+1)). Such PRFs can be used to obtain NEMO, the security level of which is of the same order (2^(dn/(d+1))). In particular, the well-known counter mode becomes a particular case when considering the identity linear code (of minimal distance d = 1), and the mode of operation CENC [7] corresponds to the case of the parity check linear code of minimal distance d = 2. Any other generator matrix leads to a new PRF and a new mode of operation. We give an illustrative example using d = 4 which reaches the security level 2^(4n/5) with a computation overhead of less than 4% in comparison to the counter mode. © Springer-Verlag Berlin Heidelberg 2007.
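The following is an added illustration of the code-based PRP-to-PRF idea described in the abstract; it is not the paper's own code and not the paper's exact construction. It assumes the reading that each row of a generator matrix G (k rows, m columns, over GF(2)) selects which of m PRP outputs, computed on m fresh counter inputs, are XORed together to form one of k PRF output blocks. Under that reading the identity matrix gives counter mode, the single-parity-check matrix [I | 1] gives CENC-style outputs E(x_0) ⊕ E(x_i), and a [8,4,4] extended Hamming matrix is used as a small d = 4 example (the paper's own d = 4 matrix is not on this page). The block cipher is a toy 4-round Feistel permutation built from keyed BLAKE2b, standing in for a real PRP such as AES; the minimum-distance check brute-forces all 2^k codewords, which is fine for these small k.

```python
import hashlib
from itertools import product
from typing import List, Sequence

BLOCK = 16  # block size in bytes (n = 128 bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed BLAKE2b as the Feistel round function (assumed stand-in, not the paper's PRP).
    return hashlib.blake2b(half, key=key + bytes([rnd]), digest_size=BLOCK // 2).digest()


def prp(key: bytes, x: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for a real block cipher (e.g. AES)."""
    assert len(x) == BLOCK
    left, right = x[:BLOCK // 2], x[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


# Generator matrices over GF(2): one row per PRF output block, one column per PRP call.
IDENTITY = [[1 if i == j else 0 for j in range(4)] for i in range(4)]          # [4,4,1]: counter mode
PARITY = [[1 if i == j else 0 for j in range(4)] + [1] for i in range(4)]       # [5,4,2]: CENC-style
EXT_HAMMING = [[1, 0, 0, 0, 0, 1, 1, 1],                                        # [8,4,4]: d = 4 example
               [0, 1, 0, 0, 1, 0, 1, 1],                                        # (constructed here, not
               [0, 0, 1, 0, 1, 1, 0, 1],                                        #  the paper's matrix)
               [0, 0, 0, 1, 1, 1, 1, 0]]


def min_distance(G: Sequence[Sequence[int]]) -> int:
    """Minimum Hamming weight over all non-zero codewords spanned by the rows of G."""
    k, m = len(G), len(G[0])
    best = m
    for coeffs in product((0, 1), repeat=k):
        if not any(coeffs):
            continue
        codeword = [sum(c * G[i][j] for i, c in enumerate(coeffs)) % 2 for j in range(m)]
        best = min(best, sum(codeword))
    return best


def prf_chunk(key: bytes, G: Sequence[Sequence[int]], chunk: int) -> List[bytes]:
    """Produce len(G) PRF output blocks from len(G[0]) PRP calls on distinct counter inputs.

    Inputs are bare counters here; a deployed mode would also bind a nonce into the input.
    """
    k, m = len(G), len(G[0])
    prp_out = [prp(key, (chunk * m + j).to_bytes(BLOCK, "big")) for j in range(m)]
    result = []
    for row in G:
        acc = bytes(BLOCK)
        for bit, blk in zip(row, prp_out):
            if bit:
                acc = xor(acc, blk)
        result.append(acc)
    return result


def keystream(key: bytes, G: Sequence[Sequence[int]], nblocks: int) -> bytes:
    ks = b""
    chunk = 0
    while len(ks) < nblocks * BLOCK:
        ks += b"".join(prf_chunk(key, G, chunk))
        chunk += 1
    return ks[: nblocks * BLOCK]


def encrypt(key: bytes, G: Sequence[Sequence[int]], msg: bytes) -> bytes:
    """Stream-cipher style mode: plaintext XOR code-based PRF keystream."""
    nblocks = -(-len(msg) // BLOCK)
    return xor(msg, keystream(key, G, nblocks)[: len(msg)])


decrypt = encrypt  # XOR with the same keystream is its own inverse


def security_exponent(G: Sequence[Sequence[int]]) -> float:
    """Exponent fraction e in the claimed security order 2^(e*n), i.e. d/(d+1)."""
    d = min_distance(G)
    return d / (d + 1)


def prp_calls_per_block(G: Sequence[Sequence[int]]) -> float:
    """Cost relative to counter mode: PRP calls per PRF output block (m/k)."""
    return len(G[0]) / len(G)
```

With IDENTITY the output blocks are exactly the PRP outputs (counter mode, exponent 1/2); with PARITY each output is E(x_i) ⊕ E(x_4) (exponent 2/3); with EXT_HAMMING the exponent is 4/5. The small [8,4,4] code costs two PRP calls per output block, far from the abstract's sub-4% overhead, which the paper reaches with a much longer d = 4 code (its rate, not shown on this page, must exceed 1/1.04).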

Citation (APA)

Lefranc, D., Painchault, P., Rouat, V., & Mayer, E. (2007). A generic method to design modes of operation beyond the birthday bound. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4876 LNCS, pp. 328–343). Springer Verlag. https://doi.org/10.1007/978-3-540-77360-3_21
