


Information Processing Letters 109 (2008) 121–123

Contents lists available at ScienceDirect

Information Processing Letters

www.elsevier.com/locate/ipl

A general mixing strategy for the ECB-Mix-ECB mode of operation

Palash Sarkar

Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 700108

Article info

Article history: Received 22 May 2008; received in revised form 7 August 2008; accepted 5 September 2008; available online 11 September 2008. Communicated by D. Pointcheval.

Keywords: Modes of operations; Strong pseudo-random permutation; Cryptography

Abstract

EME is an important mode of operation of a block cipher. It converts an n-bit block cipher into a strong pseudo-random permutation which works on longer length strings. In this short note, we generalize the mixing layer of EME. The generalization is done using a linear map $\psi$ from $\mathbb{F}_{2^n}$ to itself, where n is the block size of the underlying block cipher. A possible instantiation of $\psi$ is using word oriented LFSRs. For n = 128, this implementation of $\psi$ results in the mixing layer being processed about twice as fast as that in the original EME mode of operation.

© 2008 Elsevier B.V. All rights reserved.

1. Introduction

The theoretical model of a block cipher is that of a strong pseudo-random permutation (SPRP) [6]. This was later studied in [7] who gave several constructions. These constructions required universal hash functions. Halevi and Rogaway [3] gave the first construction of a tweakable SPRP which uses two encryption layers with a light weight mixing layer in between. The same authors later [4] gave a construction where the encryption layers used the electronic codebook (ECB) mode, giving rise to the so-called ECB-Mix-ECB (EME) mode of operation. An extension of EME to arbitrary length strings was described in [2].

We revisit the mixing layer of the EME mode of operation. Used with an n-bit block cipher, the dominant operation in this layer is “multiplication by x” modulo a primitive polynomial of degree n over $\mathbb{F}_2$. This has been called the powering-up method [8]. The purpose of this short note is to point out that the “multiplication by x” operation can be generalized to a linear map $\psi$ from $\mathbb{F}_{2^n}$ to itself where the minimal polynomial of $\psi$ over $\mathbb{F}_2$ is primitive and of degree n. We call the general construction EMME so as to distinguish it from EME which is a special case.

E-mail address: [email protected].

0020-0190/$ – see front matter © 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2008.09.012

A practical consequence of this generalization is that other instantiations of the operator $\psi$ are possible. For example, we show that for n = 128, it is possible to use a linear feedback shift register (LFSR) of length 4 over $\mathbb{F}_{2^{32}}$ to implement $\psi$. Such an LFSR is usually called a word-oriented LFSR and has previously been used in the design of software efficient stream ciphers (see for example [1]). The speed of the mixing layer using the word-oriented LFSR is about twice as fast as the speed using the powering-up method.

The generalization that we propose does not affect the security proof of EME given in [4]. Two simple properties of the powering-up method are used in the security proof. We prove general versions of these properties, using which the security proof of EME goes through for EMME.

2. The EMME mode of operation

Let n be the block length of the underlying block cipher. We will be working over the field $\mathbb{F}_{2^n}$. Let $\psi$ be a linear map from $\mathbb{F}_{2^n}$ to itself such that the minimal polynomial of $\psi$ over $\mathbb{F}_2$ is $\tau(x)$, which is of degree n and is primitive over $\mathbb{F}_2$. Consequently, for any non-zero $M \in \mathbb{F}_{2^n}$, the sequence $M, \psi(M), \psi^2(M), \dots, \psi^{2^n-2}(M)$ consists of all the non-zero distinct elements of $\mathbb{F}_{2^n}$.


Algorithm $\mathrm{EMME.Encrypt}_K^T(P_1, \dots, P_m)$.
1. $(PP_1, \dots, PP_m) = (P_1, \dots, P_m) \oplus b_m$;
2. $(PPP_1, \dots, PPP_m) = \mathrm{ECB}_K(PP_1, \dots, PP_m)$;
3. $MP = T \oplus PPP_1 \oplus \cdots \oplus PPP_m$;
4. $MC = E_K(MP)$; $M = MP \oplus MC$;
5. for $i = 2$ to $m$ do $CCC_i = PPP_i \oplus \psi^{i-1}(M)$;
6. $CCC_1 = T \oplus MC \oplus CCC_2 \oplus \cdots \oplus CCC_m$;
7. $(CC_1, \dots, CC_m) = \mathrm{ECB}_K(CCC_1, \dots, CCC_m)$;
8. $(C_1, \dots, C_m) = (CC_1, \dots, CC_m) \oplus b_m$.
end.

Algorithm $\mathrm{EMME.Decrypt}_K(C_1, \dots, C_m)$.
1. $(CC_1, \dots, CC_m) = (C_1, \dots, C_m) \oplus b_m$;
2. $(CCC_1, \dots, CCC_m) = \mathrm{ECB}_K^{-1}(CC_1, \dots, CC_m)$;
3. $MC = T \oplus CCC_1 \oplus \cdots \oplus CCC_m$;
4. $MP = E_K^{-1}(MC)$; $M = MP \oplus MC$;
5. for $i = 2$ to $m$ do $PPP_i = CCC_i \oplus \psi^{i-1}(M)$;
6. $PPP_1 = T \oplus MP \oplus PPP_2 \oplus \cdots \oplus PPP_m$;
7. $(PP_1, \dots, PP_m) = \mathrm{ECB}_K^{-1}(PPP_1, \dots, PPP_m)$;
8. $(P_1, \dots, P_m) = (PP_1, \dots, PP_m) \oplus b_m$.
end.

Fig. 1. Encryption and decryption using EMME. The block cipher key is $K$; $T$ is an n-bit tweak; $\mathrm{ECB}_K(X_1, \dots, X_m)$ returns $(E_K(X_1), \dots, E_K(X_m))$ and $\mathrm{ECB}_K^{-1}(Y_1, \dots, Y_m)$ returns $(E_K^{-1}(Y_1), \dots, E_K^{-1}(Y_m))$; $L = E_K(0^n)$; $b_m = (\psi(L), \psi^2(L), \psi^3(L), \dots, \psi^m(L))$.

The EMME construction is shown in Fig. 1. An n-bit block cipher is used and $\psi$ is a linear map from $\mathbb{F}_{2^n}$ to itself.

The EME mode of operation. This is obtained as a special case of Fig. 1 where $\psi$ is defined as follows. Let $\mathbb{F}_{2^n}$ be realised as $\mathbb{F}_2/(\tau(x))$, where $\tau(x)$ is a primitive polynomial of degree n over $\mathbb{F}_2$. Then any element of $\mathbb{F}_{2^n}$ can be written as a polynomial of degree less than n. Let $a(x) \in \mathbb{F}_{2^n}$. The map $\psi$ used in [4] is defined by $a(x) \mapsto x\,a(x) \bmod \tau(x)$. This has been called the powering-up construction [8].

Word oriented LFSR. Another implementation of $\psi$ can be obtained using the idea of tower fields. Let $n = n_1 \times n_2$ and let $\rho(\alpha)$ be an irreducible polynomial of degree $n_1$ which is used to define $\mathbb{F}_{2^{n_1}}$ over $\mathbb{F}_2$, i.e., $\mathbb{F}_{2^{n_1}} = \mathbb{F}_2/(\rho(\alpha))$. Let $\mu(x) = x^{n_2} \oplus t_{n_2-1} x^{n_2-1} \oplus \cdots \oplus t_1 x \oplus t_0$, with $t_{n_2-1}, \dots, t_0 \in \mathbb{F}_{2^{n_1}}$, be a primitive polynomial over $\mathbb{F}_{2^{n_1}}$ which is used to define $\mathbb{F}_{2^n}$ over $\mathbb{F}_{2^{n_1}}$. The field $\mathbb{F}_{2^n}$ can be represented by the polynomial basis $\{1, x, x^2, \dots, x^{n_2-1}\}$ with multiplication done modulo $\mu(x)$. Using this representation, we can identify $\mathbb{F}_{2^n}$ and $\mathbb{F}_{2^{n_1}}^{n_2}$.

Define a map $\psi : \mathbb{F}_{2^{n_1}}^{n_2} \to \mathbb{F}_{2^{n_1}}^{n_2}$, with $(b_{n_2-1}, \dots, b_0) = \psi(a_{n_2-1}, \dots, a_0)$, as follows:

$b_i = a_{i+1}$ if $0 \le i \le n_2 - 2$; $\quad b_{n_2-1} = t_0 a_{n_2-1} \oplus \cdots \oplus t_{n_2-1} a_0. \qquad (1)$

This defines an LFSR over $\mathbb{F}_{2^{n_1}}$. See [5] for details. The minimal polynomial $\tau(x)$ of this $\psi$ over $\mathbb{F}_2$ is a primitive polynomial of degree n and hence it is possible to apply $\psi$ in the construction given in Fig. 1. If $n_1 > 1$, then the map $\psi$ is usually called a word-oriented LFSR. For n = 128 with $n_1 = 32$ and $n_2 = 4$, one example of an appropriate pair $(\rho(\alpha), \mu(x))$ is $\rho(\alpha) = \alpha^{32} + \alpha^{18} + \alpha^6 + \alpha^5 + 1$ and $\mu(x) = x^4 + x^3 + x + \alpha$. A simple ‘C’ code implementation of this example can be done as follows. Four 32-bit words M0, M1, M2 and M3 constitute the 128-bit mask. Let val be a 2-element array with val[0] = 0 and val[1] = ((1<<18)^(1<<6)^(1<<5)^1), the reduction constant of $\rho(\alpha)$. One application of $\psi$ updates (M0, M1, M2, M3) in the following manner (the left shift of the 32-bit word M3 drops its top bit, and val[M3>>31] adds the reduction exactly when that bit was set):

    uint32_t M0, M1, M2, M3, tmp;                          /* M0..M3 hold the 128-bit mask */
    const uint32_t val[2] = {0, (1u<<18)^(1u<<6)^(1u<<5)^1u};
    tmp = (M3<<1) ^ val[M3>>31] ^ M0 ^ M2;                 /* alpha*M3 + M0 + M2 in F_{2^32} */
    M3 = M2; M2 = M1; M1 = M0; M0 = tmp;
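As an added example (not code from the paper), the following Python implements Fig. 1 with a pluggable $\psi$ and instantiates $\psi$ both as the powering-up map of EME and as the 4-word LFSR over $\mathbb{F}_{2^{32}}$ described above, following the ‘C’ update line by line. The block cipher $E_K$ is a hypothetical 8-round SHA-256-based Feistel network on 128-bit blocks, used only so that the mode runs offline; the packing of M0..M3 into one 128-bit integer and the key, tweak and message values are this example's own constructed choices.

```python
# Added example, not code from the paper: EMME (Fig. 1) with a pluggable linear map
# psi, instantiated both as the powering-up map of EME and as the 4-word LFSR over
# F_{2^32} from Section 2.  The block cipher E_K is a stand-in (a hypothetical
# 8-round SHA-256 Feistel network on 128-bit blocks) so the mode runs offline; it is
# not a real cipher and not the paper's.  Blocks are Python ints in [0, 2^128).
import hashlib
from functools import reduce
from operator import xor

N = 128
MASK128 = (1 << N) - 1
MASK32 = 0xFFFFFFFF

# --- powering-up psi of EME: a(x) -> x a(x) mod tau(x), tau = x^128 + x^7 + x^2 + x + 1
TAU_LOW = 0x87  # x^7 + x^2 + x + 1, the low part of the GF(2^128) polynomial of [4]

def psi_powering(a: int) -> int:
    a <<= 1
    if a >> N:                      # x^128 fell out: reduce it to x^7 + x^2 + x + 1
        a = (a & MASK128) ^ TAU_LOW
    return a

# --- word-oriented LFSR psi from the paper: rho(alpha) = alpha^32+alpha^18+alpha^6+alpha^5+1,
# mu(x) = x^4 + x^3 + x + alpha, state = four 32-bit words M0..M3 (the paper's 'C' update).
VAL = (0, (1 << 18) ^ (1 << 6) ^ (1 << 5) ^ 1)   # reduction constant for rho(alpha)

def psi_lfsr(a: int) -> int:
    # Packing M0 as the most significant word is this example's choice, not the paper's.
    m0, m1, m2, m3 = (a >> 96) & MASK32, (a >> 64) & MASK32, (a >> 32) & MASK32, a & MASK32
    tmp = ((m3 << 1) & MASK32) ^ VAL[m3 >> 31] ^ m0 ^ m2   # alpha*M3 + M0 + M2 in F_{2^32}
    m3, m2, m1, m0 = m2, m1, m0, tmp
    return (m0 << 96) | (m1 << 64) | (m2 << 32) | m3

# --- stand-in block cipher (hypothetical, for demonstration only) ----------------
def _round(key: bytes, rnd: int, half: int) -> int:
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def E(key: bytes, x: int) -> int:
    l, r = x >> 64, x & ((1 << 64) - 1)
    for rnd in range(8):
        l, r = r, l ^ _round(key, rnd, r)
    return (l << 64) | r

def E_inv(key: bytes, y: int) -> int:
    l, r = y >> 64, y & ((1 << 64) - 1)
    for rnd in reversed(range(8)):
        l, r = r ^ _round(key, rnd, l), l
    return (l << 64) | r

def ecb(f, key: bytes, blocks):
    return [f(key, x) for x in blocks]

# --- EMME proper (Fig. 1) ---------------------------------------------------------
def mask_vector(psi, key: bytes, m: int):
    """b_m = (psi(L), psi^2(L), ..., psi^m(L)) with L = E_K(0^n)."""
    out, v = [], E(key, 0)
    for _ in range(m):
        v = psi(v)
        out.append(v)
    return out

def emme_encrypt(psi, key: bytes, tweak: int, P):
    m = len(P)
    b = mask_vector(psi, key, m)
    PP = [p ^ bi for p, bi in zip(P, b)]                    # step 1
    PPP = ecb(E, key, PP)                                   # step 2
    MP = reduce(xor, PPP, tweak)                            # step 3
    MC = E(key, MP); M = MP ^ MC                            # step 4
    CCC, v = [None] * m, M
    for i in range(1, m):                                   # step 5: paper's i = 2..m, v = psi^{i-1}(M)
        v = psi(v)
        CCC[i] = PPP[i] ^ v
    CCC[0] = reduce(xor, CCC[1:], tweak ^ MC)               # step 6
    CC = ecb(E, key, CCC)                                   # step 7
    return [c ^ bi for c, bi in zip(CC, b)]                 # step 8

def emme_decrypt(psi, key: bytes, tweak: int, C):
    m = len(C)
    b = mask_vector(psi, key, m)
    CC = [c ^ bi for c, bi in zip(C, b)]
    CCC = ecb(E_inv, key, CC)
    MC = reduce(xor, CCC, tweak)                            # XOR of all CCC_i is T xor MC by step 6
    MP = E_inv(key, MC); M = MP ^ MC
    PPP, v = [None] * m, M
    for i in range(1, m):
        v = psi(v)
        PPP[i] = CCC[i] ^ v
    PPP[0] = reduce(xor, PPP[1:], tweak ^ MP)
    PP = ecb(E_inv, key, PPP)
    return [p ^ bi for p, bi in zip(PP, b)]

# Constructed sample input: a 3-block message, a key and a tweak (all made up here).
KEY = b"constructed-demo-key"
TWEAK = 0x0123456789ABCDEF0123456789ABCDEF
MSG = [0x00112233445566778899AABBCCDDEEFF, 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0, 0]

def round_trip(psi) -> bool:
    return emme_decrypt(psi, KEY, TWEAK, emme_encrypt(psi, KEY, TWEAK, MSG)) == MSG

if __name__ == "__main__":
    for name, psi in (("powering-up", psi_powering), ("word LFSR", psi_lfsr)):
        print(name, "round trip:", round_trip(psi))
```

Running the file prints a successful round trip for both instantiations. The two $\psi$ maps produce different ciphertexts for the same key, tweak and message, which is the point of the generalization: the mode's structure is unchanged, only the mask sequence $b_m$ and the $\psi^{i-1}(M)$ terms depend on the chosen map.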

Efficiency improvement over powering method. We implemented both the powering method and the word oriented LFSR method on an Intel P4, 2 GHz machine running Ubuntu. The powering method requires about 0.76 cycles/byte while the word oriented LFSR method requires about 0.39 cycles/byte, which is approximately twice as fast as the powering method. For a 128-bit message block, the savings per block come to about 6 cycles. We must note, though, that this improvement is only for the mixing layer. The dominant cost per message block is two block cipher calls and so the overall improvement will be small. Nevertheless, any improvement, even if it is small, is worthwhile, especially since there is no associated trade-off and the algorithm is likely to be heavily used.

3. Security of EMME

Security definitions and the proof of security of EME are given in detail in [4]. Essentially the same proof goes through for EMME with some changes for the more general masking using the linear map $\psi$.

In EME, $\psi$ is defined using the powering method $a(x) \mapsto x\,a(x) \bmod \tau(x)$. The proof of security of EME uses the following two algebraic facts about the powering method.

Property P1. The polynomial $\tau(x) \in \mathbb{F}_2[x]$ is of degree n and is primitive over $\mathbb{F}_2$. As a consequence, for a uniform random $L \in \mathbb{F}_2/(\tau(x))$, distinct $i, j \in \{0, \dots, 2^n - 2\}$ and any $\delta \in \mathbb{F}_{2^n}$,

$\Pr[(x^i L \bmod \tau(x)) \oplus (x^j L \bmod \tau(x)) = \delta] = 1/2^n.$

Property P2. For any non-empty set $I \subseteq \{1, \dots, n\}$, and any non-zero element $M \in \mathbb{F}_2/(\tau(x))$,

$\bigoplus_{i \in I} (x^i M \bmod \tau(x)) = \Big(\bigoplus_{i \in I} x^i\Big) \times M \bmod \tau(x) \neq 0.$

Consider the more general masking using $\psi$. Property P1 is taken care of by the fact that the minimal polynomial $\tau(x)$ of $\psi$ over $\mathbb{F}_2$ is primitive and of degree n. In particular, we have the following result which corresponds to P1.

Lemma 1. Let $\psi : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ be a linear map whose minimal polynomial over $\mathbb{F}_2$ is primitive and of degree n. Then for a uniform random $L \in \mathbb{F}_{2^n}$, distinct $i, j \in \{0, \dots, 2^n - 2\}$ and any $\delta \in \mathbb{F}_{2^n}$, $\Pr[\psi^i(L) \oplus \psi^j(L) = \delta] = 1/2^n$.


Proof. Define $\phi_{i,j} : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ as $\phi_{i,j}(T) = \psi^i(T) \oplus \psi^j(T)$. The result will follow if we can show that $\phi_{i,j}$ is a bijection. For this, it is sufficient to show that $\phi_{i,j}$ is an injection. So, suppose that $T$ and $T'$ are distinct elements of $\mathbb{F}_{2^n}$ and let, if possible, $\phi_{i,j}(T) = \phi_{i,j}(T')$. Set $S = T \oplus T'$ and note that since $T \neq T'$, $S$ is non-zero. Then

$0 = \phi_{i,j}(T) \oplus \phi_{i,j}(T') = \psi^i(T) \oplus \psi^j(T) \oplus \psi^i(T') \oplus \psi^j(T') = (\psi^i \oplus \psi^j)(S). \qquad (2)$

For any non-zero element $\beta$ of $\mathbb{F}_{2^n}$, define $m_\beta(x)$ to be the minimal degree polynomial such that $(m_\beta(\psi))(\beta) = 0$. Since $\tau(x)$ is the minimal polynomial of $\psi$, it follows that $\tau(\psi) = 0$, i.e., $\tau(\psi)$ maps all elements of $\mathbb{F}_{2^n}$ to 0. As a result, $(\tau(\psi))(\beta) = 0$. By the minimality of $m_\beta(x)$ it follows that $m_\beta(x)$ divides $\tau(x)$. But $\tau(x)$ is irreducible and so $m_\beta(x) = \tau(x)$.

Consider the minimal polynomial $m_S(x)$ of $S$. Since $S$ is non-zero, by the above argument we have $m_S(x) = \tau(x)$. Also, from (2), it follows that $\tau(x) = m_S(x)$ divides $x^i \oplus x^j = x^i(1 \oplus x^{j-i})$ (assuming without loss of generality that $i < j$). Since $\tau(x)$ is primitive, it does not divide $x^i$ and so $\tau(x) \mid (1 \oplus x^{j-i})$. It is well known that if $\tau(x)$ is a primitive polynomial of degree n, then it does not divide $1 \oplus x^i$ for any $i$ with $0 < i < 2^n - 1$ (see for example [5]). Since $0 \le i < j < 2^n - 1$, we have $0 < j - i < 2^n - 1$ and hence $\tau(x) \mid (1 \oplus x^{j-i})$ contradicts the primitivity property of $\tau(x)$. This shows that $\phi_{i,j}$ is an injection. □

Property P2 is required in the proof of Claim 2 in [4]; Claim 2 is in turn used in the proof of Claim 7 and other claims. We provide some more details about how P2 is used in [4]. Use the superscript $r$ to denote quantities corresponding to the $r$th query made by the adversary, so, for example, $MC^r$ is the value of $MC$ in the $r$th query. For $\emptyset \neq I \subseteq [1 \dots m^r]$, the proof of Claim 2 in [4] obtains

$\bigoplus_{i \in I} CCC^r_i = \beta \oplus \Big(\bigoplus_{i \in I} x^{i-1}\Big) MC^r.$

P2 is now used to argue that the coefficient of $MC^r$ is non-zero. If the general map $\psi$ is used instead of the powering map, then the relation in the proof of Claim 2 in [4] will turn out to be

$\bigoplus_{i \in I} CCC^r_i = \beta \oplus \bigoplus_{i \in I} \psi^i(MC^r).$

So, we should be able to prove that $\bigoplus_{i \in I} \psi^i(MC^r) \neq 0$. This is given by the following result. P2 can be obtained from this result by noting that for the powering map, $\psi^i(M) = x^i M \bmod \tau(x)$.

Lemma 2. Let $\psi$ be a linear map from $\mathbb{F}_{2^n}$ to itself such that the minimal polynomial $\tau(x)$ of $\psi$ is of degree n and is irreducible over $\mathbb{F}_2$. Then for any non-empty set $I \subseteq \{1, \dots, n\}$, and any non-zero element $M \in \mathbb{F}_{2^n}$, $\bigoplus_{i \in I} \psi^i(M) \neq 0$.

Proof. Suppose $\bigoplus_{i \in I} \psi^i(M) = 0$. Let $a(x) = \bigoplus_{i \in I} x^{i-1}$. Since $\tau(x)$ is the minimal polynomial of $\psi$, it follows that $\tau(x)$ divides $x\,a(x)$ and since $\tau(x)$ is irreducible, it divides $a(x)$. By the condition on $I$, $a(x) \neq 0$ and $\deg(a(x))$ is less than n. Since $\tau(x)$ is irreducible and of degree n, this contradicts the fact that $\tau(x)$ divides $a(x)$. □

Using Lemma 2, the proof of Claim 2 in [4] goes through and, in addition, using Lemma 1, the whole security proof of EME also holds for EMME.
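The following added example (not the paper's code) checks the three facts the proofs rely on exhaustively, for a small instance that can be enumerated: with n = 8 and $\psi$ the powering-up map modulo the primitive polynomial $x^8 + x^4 + x^3 + x^2 + 1$ (a choice made here, not taken from the paper), it verifies the cycle property of Section 2, that $\phi_{i,j}$ of Lemma 1 is a bijection for distinct $i, j \in \{0, \dots, 2^n - 2\}$ (and is not once $j - i = 2^n - 1$, which is why the lemma excludes that range), and Lemma 2 for every non-empty $I \subseteq \{1, \dots, n\}$ and every non-zero $M$.

```python
# Added example, not code from the paper: exhaustive checks of the cycle property of
# Section 2, Lemma 1 and Lemma 2 for a small instance that can be enumerated, n = 8,
# with psi the powering-up map a(x) -> x a(x) mod tau(x), tau(x) = x^8 + x^4 + x^3 + x^2 + 1
# (a primitive polynomial over F_2, chosen here).  Field elements are ints in [0, 256).
from functools import reduce
from itertools import combinations
from operator import xor

N = 8
MASK = (1 << N) - 1
TAU_LOW = 0x1D  # x^4 + x^3 + x^2 + 1, the low part of tau(x)

def psi(a: int) -> int:
    """Multiplication by x modulo tau(x)."""
    a <<= 1
    if a >> N:
        a = (a & MASK) ^ TAU_LOW
    return a

def psi_pow(a: int, k: int) -> int:
    for _ in range(k):
        a = psi(a)
    return a

def cycle_length(m: int) -> int:
    """Number of distinct values in m, psi(m), psi^2(m), ... before the sequence repeats."""
    seen, v = set(), m
    while v not in seen:
        seen.add(v)
        v = psi(v)
    return len(seen)

def phi_is_bijection(i: int, j: int) -> bool:
    """Lemma 1's map phi_{i,j}(T) = psi^i(T) xor psi^j(T), checked over all of F_{2^n}."""
    images = {psi_pow(t, i) ^ psi_pow(t, j) for t in range(1 << N)}
    return len(images) == 1 << N

def lemma2_holds() -> bool:
    """xor_{i in I} psi^i(M) != 0 for every non-empty I in {1..n} and every non-zero M."""
    for m in range(1, 1 << N):
        powers = [psi_pow(m, i) for i in range(N + 1)]
        for size in range(1, N + 1):
            for I in combinations(range(1, N + 1), size):
                if reduce(xor, (powers[i] for i in I), 0) == 0:
                    return False
    return True

if __name__ == "__main__":
    print("cycle length of 1:", cycle_length(1))               # 2^n - 1 since tau is primitive
    print("phi_{0,1} bijection:", phi_is_bijection(0, 1))
    print("phi_{0,255} bijection:", phi_is_bijection(0, 255))  # psi^255 = identity, so phi = 0
    print("Lemma 2 holds:", lemma2_holds())
```

Swapping $\tau$ for an irreducible but non-primitive polynomial is the quickest way to see which hypothesis each lemma needs: Lemma 2 only uses irreducibility, whereas the cycle property and Lemma 1 fail for exponent differences equal to the (smaller) order of $x$, which is exactly where primitivity enters the proof of Lemma 1.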

Extensions. Two extensions EME+ and EME∗ of EME have been defined. EME+ was defined in [4] itself and the extension EME∗ was defined in [2]. Both were defined using the powering method. For both these extensions, the more general masking strategy can be used.

References

[1] P. Ekdahl, T. Johansson, A new version of the stream cipher SNOW, in: K. Nyberg, H.M. Heys (Eds.), Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 2595, Springer, 2002, pp. 47–61.

[2] S. Halevi, EME*: Extending EME to handle arbitrary-length messages with associated data, in: A. Canteaut, K. Viswanathan (Eds.), INDOCRYPT, Lecture Notes in Computer Science, vol. 3348, Springer, 2004, pp. 315–327.

[3] S. Halevi, P. Rogaway, A tweakable enciphering mode, in: D. Boneh (Ed.), CRYPTO, Lecture Notes in Computer Science, vol. 2729, Springer, 2003, pp. 482–499.

[4] S. Halevi, P. Rogaway, A parallelizable enciphering mode, in: T. Okamoto (Ed.), CT-RSA, Lecture Notes in Computer Science, vol. 2964, Springer, 2004, pp. 292–304.

[5] R. Lidl, H. Niederreiter, Introduction to Finite Fields and Their Applications, revised ed., Cambridge University Press, 1994.

[6] M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, SIAM J. Comput. 17 (2) (1988) 373–386.

[7] M. Naor, O. Reingold, On the construction of pseudorandom permutations: Luby–Rackoff revisited, J. Cryptology 12 (1) (1999) 29–66.

[8] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in: P.J. Lee (Ed.), ASIACRYPT, Lecture Notes in Computer Science, vol. 3329, Springer, 2004, pp. 16–31.