Cryptanalysis of methods for combining confidentiality and integrity.

Chris Mitchell, Royal Holloway, University of London

Monday February 28th, 3:30pm in K9509.

Traditionally, the recommended approach for using a block cipher to
provide both integrity and confidentiality protection for a message
has been to compute a CBC-MAC and also encrypt the data, using two
distinct block cipher keys.  This approach is rather unattractive
for some applications because it requires each block of data to be
processed twice.  This observation has given rise to a number of
proposals for combining encryption and integrity protection,
including a well-established family of encryption modes known as PCBC, 
dating back to the early 1980s, and a number of much more recent modes,
including OCB, EAX and CCM.  In this talk we examine two different
variants of PCBC.  We first examine a variant we call PCBC+, which
was one of the first ever proposals for a block cipher mode of
operation designed to provide both integrity and confidentiality
protection; despite the fact that it has been described in two
well-known textbooks, this mode has never previously been attacked.
However, we show that this variant is subject to a known plaintext
attack, and hence does not provide adequate integrity protection.
We go on to show that a more recently proposed block cipher mode of
operation called MPCBC, which is also claimed to provide both
integrity and confidentiality protection, is also very weak.
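As an added example (not from the talk or its speaker), the traditional two-key construction the abstract opens with, written in Go: CBC encryption under one key and a CBC-MAC under a second, independent key, with a small wrapper that counts block cipher invocations so the "each block processed twice" cost is visible. The keys, IV and message are constructed demo values; the choice to MAC the ciphertext (encrypt-then-MAC), the length-prefixed CBC-MAC, and the whole-block message assumption (padding is left out) are mine, not the abstract's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const bs = aes.BlockSize

// Constructed demo keys (not from the talk): one for confidentiality, one for integrity.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210")

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the demo keys above are fixed 16-byte values
	}
	return b
}

// counted wraps a cipher.Block and counts invocations, making visible the cost
// the abstract objects to: every message block goes through the cipher twice.
type counted struct {
	cipher.Block
	calls *int
}

func (c counted) Encrypt(dst, src []byte) { *c.calls++; c.Block.Encrypt(dst, src) }

// cbcChain is the textbook CBC recurrence c_i = E(c_{i-1} XOR p_i); CBC
// encryption keeps every c_i, CBC-MAC keeps only the last one.
func cbcChain(b cipher.Block, iv, in []byte) []byte {
	out, prev := make([]byte, len(in)), iv
	for i := 0; i < len(in); i += bs {
		blk := out[i : i+bs]
		for j := range blk {
			blk[j] = in[i+j] ^ prev[j]
		}
		b.Encrypt(blk, blk)
		prev = blk
	}
	return out
}

// cbcMAC is CBC-MAC with a zero IV over a length-prefixed input; the length
// prefix is what makes plain CBC-MAC safe for variable-length messages.
func cbcMAC(b cipher.Block, data []byte) []byte {
	lenBlock := make([]byte, bs)
	binary.BigEndian.PutUint64(lenBlock, uint64(len(data)))
	chain := cbcChain(b, make([]byte, bs), append(lenBlock, data...))
	return chain[len(chain)-bs:]
}

// Protect CBC-encrypts msg (whole blocks; padding is left out of this demo)
// under encKey with a one-block IV, then CBC-MACs iv||ciphertext under macKey
// (encrypt-then-MAC). It returns iv||ciphertext||tag and the number of block
// cipher calls the two passes cost.
func Protect(msg, iv []byte) ([]byte, int, error) {
	if len(iv) != bs || len(msg) == 0 || len(msg)%bs != 0 {
		return nil, 0, errors.New("iv must be one block and msg a non-empty multiple of the block size")
	}
	calls := 0
	e, m := counted{Block: mustAES(encKey), calls: &calls}, counted{Block: mustAES(macKey), calls: &calls}
	body := append(append([]byte{}, iv...), cbcChain(e, iv, msg)...)
	return append(body, cbcMAC(m, body)...), calls, nil
}

// Verify checks the tag in constant time before decrypting, so a modified
// packet is rejected before any plaintext is produced.
func Verify(pkt []byte) ([]byte, error) {
	if len(pkt) < 3*bs || len(pkt)%bs != 0 {
		return nil, errors.New("malformed packet")
	}
	body, tag := pkt[:len(pkt)-bs], pkt[len(pkt)-bs:]
	if subtle.ConstantTimeCompare(cbcMAC(mustAES(macKey), body), tag) != 1 {
		return nil, errors.New("integrity check failed")
	}
	pt := make([]byte, len(body)-bs)
	cipher.NewCBCDecrypter(mustAES(encKey), body[:bs]).CryptBlocks(pt, body[bs:])
	return pt, nil
}

func main() {
	iv := make([]byte, bs)
	rand.Read(iv) // a fresh random IV for every message
	pkt, calls, _ := Protect([]byte("Attack at dawn; move the convoy."), iv) // 32 bytes
	fmt.Printf("%d block cipher calls for %d message blocks\n", calls, len(pkt)/bs-2)
	pkt[bs] ^= 0x01 // flip one ciphertext bit; Verify must now reject the packet
	fmt.Println(Verify(pkt))
}
```

For a two-block message the counter reports six cipher calls: two for encryption and four for the MAC (length block, IV, two ciphertext blocks), which is the doubling the abstract describes and the reason single-pass modes such as PCBC, OCB, EAX and CCM were proposed. Verifying the tag before decrypting means a flipped ciphertext bit is caught as an integrity failure rather than surfacing as garbled plaintext.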