Cryptanalysis of methods for combining confidentiality and integrity.
Chris Mitchell, Royal Holloway, University of London
Abstract: Traditionally, the recommended approach for using a block cipher to provide both integrity and confidentiality protection for a message has been to compute a CBC-MAC and also encrypt the data, using two distinct block cipher keys. This approach is rather unattractive for some applications because it requires each block of data to be processed twice. This observation has given rise to a number of proposals for combining encryption and integrity protection, including a well-established family of encryption modes known as PCBC, dating back to the early 1980s, and a number of much more recent modes, including OCB, EAX and CCM. In this talk we examine two different variants of PCBC. We first examine a variant we call PCBC+, which was one of the first ever proposals for a block cipher mode of operation designed to provide both integrity and confidentiality protection; despite the fact that it has been described in two well-known textbooks, this mode has never previously been attacked. We show, however, that this variant is subject to a known-plaintext attack, and hence does not provide adequate integrity protection. We go on to show that a more recently proposed block cipher mode of operation called MPCBC, which is also claimed to provide both integrity and confidentiality protection, is likewise very weak.
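The "traditional" two-key construction that the abstract contrasts the PCBC family against, written out as an added Go example (this is not code from the talk or from the PCBC+/MPCBC papers). It assumes AES as the block cipher, ISO/IEC 7816-4 padding, encrypt-then-MAC ordering, a 16-byte IV supplied by the caller, and a CBC-MAC over a length-prefixed input; the abstract specifies none of these, only that encryption and the CBC-MAC use two distinct keys. The wrapper type countingBlock is there purely to make the "each block processed twice" cost visible; the sample keys, IV and message in main are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize

// countingBlock wraps a cipher.Block and counts block cipher invocations so the
// two-pass cost of MAC-plus-encrypt can be measured (illustration only).
type countingBlock struct {
	cipher.Block
	calls int
}

func (c *countingBlock) Encrypt(dst, src []byte) { c.calls++; c.Block.Encrypt(dst, src) }
func (c *countingBlock) Decrypt(dst, src []byte) { c.calls++; c.Block.Decrypt(dst, src) }

// pad applies ISO/IEC 7816-4 padding: one 0x80 byte, then zeros to a block boundary.
func pad(b []byte) []byte {
	out := append(append([]byte{}, b...), 0x80)
	return append(out, make([]byte, (blockSize-len(out)%blockSize)%blockSize)...)
}

// unpad strips that padding and rejects anything that is not 0x80 followed by zeros.
func unpad(b []byte) ([]byte, error) {
	i := bytes.LastIndexByte(b, 0x80)
	if i < 0 || len(b)-i > blockSize || bytes.Count(b[i+1:], []byte{0}) != len(b)-i-1 {
		return nil, errors.New("bad padding")
	}
	return b[:i], nil
}

// cbcMAC is a zero-IV CBC-MAC over (len(msg) || msg), padded. The length prefix is
// what makes raw CBC-MAC safe for variable-length input; without it, tags for
// different lengths can be combined into a forgery.
func cbcMAC(blk cipher.Block, msg []byte) []byte {
	prefix := make([]byte, blockSize)
	binary.BigEndian.PutUint64(prefix, uint64(len(msg)))
	data := pad(append(prefix, msg...))
	tag := make([]byte, blockSize)
	for i := 0; i < len(data); i += blockSize {
		for j := range tag {
			tag[j] ^= data[i+j]
		}
		blk.Encrypt(tag, tag)
	}
	return tag
}

// TwoKeyAEAD is the two-key construction: CBC encryption under kEnc plus a CBC-MAC
// under an independent kMac, applied encrypt-then-MAC.
type TwoKeyAEAD struct{ enc, mac *countingBlock }

// NewTwoKeyAEAD refuses identical keys: using one key for both passes breaks the
// independence the construction relies on.
func NewTwoKeyAEAD(kEnc, kMac []byte) (*TwoKeyAEAD, error) {
	if bytes.Equal(kEnc, kMac) {
		return nil, errors.New("encryption and MAC keys must be distinct")
	}
	e, err := aes.NewCipher(kEnc)
	if err != nil {
		return nil, err
	}
	m, err := aes.NewCipher(kMac)
	if err != nil {
		return nil, err
	}
	return &TwoKeyAEAD{&countingBlock{Block: e}, &countingBlock{Block: m}}, nil
}

// Seal returns iv || CBC_kEnc(pad(msg)) || CBC-MAC_kMac(iv || ciphertext).
func (a *TwoKeyAEAD) Seal(iv, msg []byte) []byte {
	padded := pad(msg)
	body := make([]byte, blockSize+len(padded))
	copy(body, iv)
	cipher.NewCBCEncrypter(a.enc, iv).CryptBlocks(body[blockSize:], padded)
	return append(body, cbcMAC(a.mac, body)...)
}

// Open checks the tag in constant time before touching the decryption key, so a
// modified IV, ciphertext or tag is rejected without any plaintext being produced.
func (a *TwoKeyAEAD) Open(sealed []byte) ([]byte, error) {
	if len(sealed) < 3*blockSize || len(sealed)%blockSize != 0 {
		return nil, errors.New("malformed input")
	}
	body, tag := sealed[:len(sealed)-blockSize], sealed[len(sealed)-blockSize:]
	if subtle.ConstantTimeCompare(tag, cbcMAC(a.mac, body)) != 1 {
		return nil, errors.New("integrity check failed")
	}
	pt := make([]byte, len(body)-blockSize)
	cipher.NewCBCDecrypter(a.enc, body[:blockSize]).CryptBlocks(pt, body[blockSize:])
	return unpad(pt)
}

// BlockCalls reports the total block cipher invocations so far under both keys.
func (a *TwoKeyAEAD) BlockCalls() int { return a.enc.calls + a.mac.calls }

func main() {
	// Constructed sample key material, IV and message for the demonstration.
	kEnc := bytes.Repeat([]byte{0x11}, 16)
	kMac := bytes.Repeat([]byte{0x22}, 16)
	iv := bytes.Repeat([]byte{0x33}, 16)
	msg := []byte("transfer 100 to account 4711, ref 0042")
	a, err := NewTwoKeyAEAD(kEnc, kMac)
	if err != nil {
		panic(err)
	}
	sealed := a.Seal(iv, msg)
	fmt.Printf("%d plaintext blocks cost %d block cipher calls to seal\n", len(pad(msg))/blockSize, a.BlockCalls())
	sealed[20] ^= 0x01 // flip one ciphertext bit
	_, err = a.Open(sealed)
	fmt.Println("tampered ciphertext:", err)
}
```

For n plaintext blocks, Seal costs 2n+3 block cipher calls under this layout (n for encryption, n+3 for the MAC, the extra three being the IV block, the length-prefix block and the padding block), which is the double processing the abstract refers to; a single-pass mode such as PCBC or the later OCB/EAX/CCM aims to get the same two properties from roughly n calls.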