exploit the linear property of F(·), it might be useful to replace it by an efficiently computable nonlinear function.
Usually, the security of a block cipher against standard attacks like differential and linear cryptanalysis is higher than required. For example, by the wide-trail design principle of AES (Daemon, 2002), the maximum differential characteristic probability of AES is $(4/256)^{25} = 2^{-150}$ for 4 rounds, $(4/256)^{50} = 2^{-300}$ for 8 rounds and $(4/256)^{75} = 2^{-450}$ for 12 rounds. However, we just need the characteristic differential probability to be smaller than $2^{-128}$ for protection against differential attack. A similar estimate holds for the strength of AES against linear cryptanalysis.
In that case, we can afford to reduce the block cipher by one round and let F(·) be an unkeyed round of the block cipher. E.g., for AES-256, we can reduce it to 13 rounds and let F(·) be an AES round without XORing with a subkey. The performance is still equivalent to one block encryption per iteration because we are taking one round out of the block cipher to form the function F(·). Therefore the overall efficiency of IO-CBC is one encryption more than CBC where the extra work is for encrypting the IV.
As in the analysis of Section 4, this variant will satisfy equation (1). Because F(·) is a nonlinear function, equation (1) cannot be simplified and F(O[i−1]) is an increasingly complex function of the secret $O[0] = E_k(IV)$ as i increases. Thus it is more difficult for the adversary to deduce F(O[i−1]) and control the input I[i] to force a collision by choosing M[i].
With respect to Joux's FTG attack in (Joux, 2002) or Sung's key recovery attack in (Sung, 2003), it may be difficult to find a linear combination of the output mask F(O[i−1]) which sums to a known value because the recursion of F(·) in equation (1) will result in a complex highly nonlinear function.
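The unkeyed-round choice of F(·) discussed above, as an added example that is not code from the paper: a Python sketch of one AES round without the subkey XOR, with a helper that measures how far a map is from affine over GF(2). It assumes "an AES round" means a full round (SubBytes, ShiftRows, MixColumns); the names `linear_layer` and `affine_defect` are chosen here for illustration.

```python
# Added example: unkeyed AES round as the nonlinear F(.) (not the paper's code).

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(a):
    """AES S-box: field inverse (0 maps to 0) followed by the affine map."""
    inv = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
    s = inv
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]

def linear_layer(state):
    """ShiftRows then MixColumns on a 16-byte column-major state (GF(2)-linear)."""
    s = [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return bytes(out)

def F(block):
    """Assumed form of the paper's variant: a full AES round minus AddRoundKey."""
    if len(block) != 16:
        raise ValueError("F operates on one 16-byte block")
    return linear_layer(bytes(SBOX[x] for x in block))

def affine_defect(f, a, b):
    """f(a) ^ f(b) ^ f(a ^ b) ^ f(0); zero for every a, b iff f is affine over GF(2)."""
    xor = lambda x, y: bytes(p ^ q for p, q in zip(x, y))
    return xor(xor(f(a), f(b)), xor(f(xor(a, b)), f(bytes(16))))

if __name__ == "__main__":
    # Constructed inputs: two blocks that differ from zero only in the first byte.
    a, b = bytes([1] + [0] * 15), bytes([2] + [0] * 15)
    print("linear layer defect:", affine_defect(linear_layer, a, b).hex())
    print("unkeyed round defect:", affine_defect(F, a, b).hex())
```

The defect of the linear layer alone is all zeros, while the S-box makes the defect of the full unkeyed round nonzero, which is the property that prevents equation (1) from collapsing into a linear relation.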
7 CONCLUSION AND FUTURE WORK
In this paper, we have introduced a new CBC-type mode of operation called IO-CBC. We have shown that it is as efficient as CBC mode and provides protection against various adaptive chosen plaintext attacks introduced in (Joux, 2002; Sung, 2003). It also makes differential and linear cryptanalysis harder than other modes of operation like ECB, CBC and OCB. The IO-CBC mode has infinite error propagation, which makes it suitable for applications that need to detect the occurrence of any errors during transmission. From section 4.4, we get a provable security similar to OCB given that the linear function is similar to OCB. A useful problem for future research is to establish the provable security of IO-CBC and a wider class of linear functions F(·).
Having confidence that a variant of IO-CBC is isomorphic to OCB in section 4.4, another problem for future research is to extend IO-CBC to a provable variant, like IACBC and OCB, that does both confidentiality and authentication. Together with the infinite propagation property, tampering with transmitted ciphertext will be easily detected.
REFERENCES
Alkassar, A., Geraldy, A., Pfitzmann, B. and Sadeghi, A. R. Optimized Self-Synchronizing Mode of Operation. LNCS 2335, Fast Software Encryption 2001, Springer-Verlag, 2001.
Bellare, M., Desai, A., Jokipii, E. and Rogaway, P. A Concrete Security Treatment of Symmetric Encryption. Proceedings of Foundations of Computer Science '97, IEEE Press, 1997.
Biham, E. and Shamir, A. Differential Cryptanalysis of the Full 16-Round DES. LNCS 740, Crypto '92, Springer-Verlag, 1993.
Daemon, J. and Rijmen, V. The Design of Rijndael: AES - The Advanced Encryption Standard, Springer, 2002.
Golomb, S. W. Shift Register Sequences, Revised Edition, Aegean Park Press, 1982.
Joux, A., Martinet, G. and Valette, F. Blockwise Adaptive Attackers: Revisiting the (In)Security in some Provably Secure Encryption Modes: CBC, GEM, IACBC. LNCS 2442, Crypto 2002, pp. 17-30, Springer-Verlag, 2002.
Jutla, C. Encryption Modes with Almost Free Message Integrity. LNCS 2045, Eurocrypt 2001, pp. 529-544, Springer-Verlag, 2001.
Knudsen, L. Block Chaining Modes of Operation. Technical Report, Department of Informatics, University of Bergen, 2000.
Matsui, M. The First Experimental Cryptanalysis of the Data Encryption Standard. LNCS 839, Crypto '94, pp. 1-11, Springer-Verlag, 1994.
Matyas, M. and Matyas, S. Cryptography: A New Dimension in Computer Data Security, John Wiley and Sons, New York, 1982.
Preneel, B., Nuttin, M., Rijmen, V. and Buelens, J. Cryptanalysis of DES in the CFB mode. LNCS 773, Crypto '93, pp. 212-223, Springer-Verlag, 1994.
Rogaway, P., Bellare, M., Black, J. and Krovetz, T. OCB: A block-cipher mode of operation for efficient authenticated encryption. http://www.cs.ucdavis.edu/~rogaway, 2001.
Sung, J., Hong, D. and Lee, S. Key Recovery Attacks on RMAC, TMAC, and IACBC. LNCS 2727, pp. 265-273, 2003.
SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY