Modes of Operations for Wide-Block Encryption

Size: px

Start display at page:

Download "Modes of Operations for Wide-Block Encryption"

Belinda Hodges
5 years ago
Views:

1 Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata

2 Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to wide block encryption. Construction Ideas. Sketches of several constructions. Comparative study.

3 Wide-Block Encryption p. 3/4 Block Cipher Definition. E K : {0, 1} n {0, 1} n. K K; for each K, E K is a permutation of {0, 1} n ; good practical examples are known, e.g. AES.

4 Wide-Block Encryption p. 3/4 Block Cipher Definition. E K : {0, 1} n {0, 1} n. K K; for each K, E K is a permutation of {0, 1} n ; good practical examples are known, e.g. AES. Security. Resists known attacks. Confidence in security grows with time.

5 Wide-Block Encryption p. 3/4 Block Cipher Definition. E K : {0, 1} n {0, 1} n. K K; for each K, E K is a permutation of {0, 1} n ; good practical examples are known, e.g. AES. Security. Resists known attacks. Confidence in security grows with time. Formal model. A pseudo-random (unpredictable) permutation (Luby-Rackoff, 1985, 1988).

6 Wide-Block Encryption p. 4/4 Pseudo-Random Permutation E K π A

7 Wide-Block Encryption p. 4/4 Pseudo-Random Permutation E K π A Adv prp E (A) = Pr K [AE K 1] Pr[A π 1]. π

8 Wide-Block Encryption p. 5/4 Strong PRP -1 E K E K A π π -1

9 Wide-Block Encryption p. 5/4 Strong PRP -1 E K E K A π π -1 Adv ±prp E (A) = Pr K [AE K,E 1 K 1] Pr π [A π,π 1 1].

10 Wide-Block Encryption p. 6/4 Tweakable Block Cipher Liskov-Rivest-Wagner (2002).

11 Wide-Block Encryption p. 6/4 Tweakable Block Cipher Liskov-Rivest-Wagner (2002). E T K : {0, 1}n {0, 1} n. K is the secret key; T T is the tweak; for each (K,T) pair EK T {0, 1} n ; is a permutation of

12 Wide-Block Encryption p. 6/4 Tweakable Block Cipher Liskov-Rivest-Wagner (2002). E T K : {0, 1}n {0, 1} n. K is the secret key; T T is the tweak; for each (K,T) pair EK T {0, 1} n ; Tweakable (S)PRP. is a permutation of The tweak (unlike the key) is assumed to be known to the adversary. In its queries, the adversary can choose a tweak; reuse a tweak (with another message).

13 Wide-Block Encryption p. 7/4 Modes of Operations A block cipher can encrypt short and fixed length strings.

14 Wide-Block Encryption p. 7/4 Modes of Operations A block cipher can encrypt short and fixed length strings. Applications require the encryption of long strings of possibly different lengths.

15 Wide-Block Encryption p. 7/4 Modes of Operations A block cipher can encrypt short and fixed length strings. Applications require the encryption of long strings of possibly different lengths. Applications have different goals. Privacy. Authentication.

16 Wide-Block Encryption p. 7/4 Modes of Operations A block cipher can encrypt short and fixed length strings. Applications require the encryption of long strings of possibly different lengths. Applications have different goals. Privacy. Authentication. A mode of operation is used to extend the capabilities of a block cipher to achieve a desired goal.

17 Wide-Block Encryption p. 8/4 Length Preserving Encryption The set of messages M consists of strings of different lengths.

18 Wide-Block Encryption p. 8/4 Length Preserving Encryption The set of messages M consists of strings of different lengths. The length of the ciphertext should be equal to the length of the message.

19 Wide-Block Encryption p. 8/4 Length Preserving Encryption The set of messages M consists of strings of different lengths. The length of the ciphertext should be equal to the length of the message. Security: a natural extension of the notion of (S)PRP defined for a block cipher. Real oracle: is the actual encryption. Random oracle: is a uniform random length preserving permutation of M.

20 Wide-Block Encryption p. 9/4 Wide Block Encryption A length preserving mode of operation. Supports a tweak. Other names. Tweakable enciphering scheme. Tweakable strong pseudo-random permutation.

21 Wide-Block Encryption p. 9/4 Wide Block Encryption A length preserving mode of operation. Supports a tweak. Other names. Tweakable enciphering scheme. Tweakable strong pseudo-random permutation. Disk encryption. Encryption is done sector-wise. Sector address is the tweak.

22 Construction Ideas Wide-Block Encryption p. 10/4

23 Wide-Block Encryption p. 11/4 Types of Constructions Hash-Encrypt-Hash. Introduced by Naor-Reingold (1999); later work done by several other authors. Encrypt-Mix-Encrypt Introduced by Halevi-Rogaway (2003); followed up by Halevi-Rogaway (2004); and Halevi (2004).

24 Wide-Block Encryption p. 12/4 Hash-Encrypt-Hash Encryption layer is ECB. NRmode (Naor-Reingold 1999); PEP (Chakraborty-Sarkar 2005); TET (Halevi 2007); HEH (Sarkar 2007).

25 Wide-Block Encryption p. 13/4 Hash-Encrypt-Hash Encryption layer is Ctr. XCB (McGrew-Fluhrer 2004); HCTR (Wang-Feng-Wu 2005); HCH (Chakraborty-Sarkar 2006); ihch (Sarkar 2008).

26 Wide-Block Encryption p. 13/4 Hash-Encrypt-Hash Encryption layer is Ctr. XCB (McGrew-Fluhrer 2004); HCTR (Wang-Feng-Wu 2005); HCH (Chakraborty-Sarkar 2006); ihch (Sarkar 2008). Encryption layer is OFB. HOH (Sarkar 2008).

27 Wide-Block Encryption p. 14/4 Encrypt-Mix-Encrypt Encryption layers are CBC. CMC (Halevi-Rogaway 2003)

28 Wide-Block Encryption p. 14/4 Encrypt-Mix-Encrypt Encryption layers are CBC. CMC (Halevi-Rogaway 2003) Encryption layers are ECB. EME/EME + (Halevi-Rogaway 2004); EME (Halevi 2004) EMME (Sarkar 2008): generalises the masking operations of EME and its variants; no change in structure of the constructions.

29 Wide-Block Encryption p. 15/4 Overview of Constructions Assume that the block cipher is a uniform random permutation π;

30 Wide-Block Encryption p. 15/4 Overview of Constructions Assume that the block cipher is a uniform random permutation π; From π construct the mode of operation Π;

31 Wide-Block Encryption p. 15/4 Overview of Constructions Assume that the block cipher is a uniform random permutation π; From π construct the mode of operation Π; Prove that Π, Π 1 are indistinguishable from oracles which return uniform random strings.

32 Wide-Block Encryption p. 15/4 Overview of Constructions Assume that the block cipher is a uniform random permutation π; From π construct the mode of operation Π; Prove that Π, Π 1 are indistinguishable from oracles which return uniform random strings. Prove an upper bound on the advantage of the adversary.

33 Wide-Block Encryption p. 15/4 Overview of Constructions Assume that the block cipher is a uniform random permutation π; From π construct the mode of operation Π; Prove that Π, Π 1 are indistinguishable from oracles which return uniform random strings. Prove an upper bound on the advantage of the adversary. Analysis is information theoretic. Consequently, adversary can be assumed to be deterministic.

34 Wide-Block Encryption p. 15/4 Overview of Constructions Assume that the block cipher is a uniform random permutation π; From π construct the mode of operation Π; Prove that Π, Π 1 are indistinguishable from oracles which return uniform random strings. Prove an upper bound on the advantage of the adversary. Analysis is information theoretic. Consequently, adversary can be assumed to be deterministic. Time bounded probabilistic adversary and computational complexity theoretic analysis required to tackle the replacement of E K by π.

35 Wide-Block Encryption p. 16/4 Overview of Constructions If the inputs to π and π 1 are distinct, then their outputs are almost uniformly distributed.

36 Wide-Block Encryption p. 16/4 Overview of Constructions If the inputs to π and π 1 are distinct, then their outputs are almost uniformly distributed. Crux. Prove that with high probability the inputs to π and π 1 are distinct.

37 Wide-Block Encryption p. 16/4 Overview of Constructions If the inputs to π and π 1 are distinct, then their outputs are almost uniformly distributed. Crux. Prove that with high probability the inputs to π and π 1 are distinct. In the hash-encrypt-hash approach, a universal hash function is required to ensure this. In the encrypt-mix-encrypt approach, an implicit universal hash is built.

38 Wide-Block Encryption p. 17/4 Universal Hash Definition Function family. Fix integer m 1 and let IF be a finite field. F : K IF m IF.

39 Wide-Block Encryption p. 17/4 Universal Hash Definition Function family. Fix integer m 1 and let IF be a finite field. F : K IF m IF. ǫ-almost universal (ǫ-au): For x,x IF m, x x, Pr K [F K(x) = F K (x )] ǫ. In other words, the collision probabilities are small.

40 Wide-Block Encryption p. 18/4 Universal Hashing F K (P 1,...,P m ) = P m + KP m K m 1 P 1.

41 Wide-Block Encryption p. 18/4 Universal Hashing F K (P 1,...,P m ) = P m + KP m K m 1 P 1. Requires (m 1) multplications; m/ IF -AU; KF K satisfies XOR universality.

42 Wide-Block Encryption p. 18/4 Universal Hashing F K (P 1,...,P m ) = P m + KP m K m 1 P 1. Requires (m 1) multplications; m/ IF -AU; KF K satisfies XOR universality. Bernstein (2007): introduces a class of polynomials which builds upon earlier work by Rabin-Winograd;

43 Wide-Block Encryption p. 18/4 Universal Hashing F K (P 1,...,P m ) = P m + KP m K m 1 P 1. Requires (m 1) multplications; m/ IF -AU; KF K satisfies XOR universality. Bernstein (2007): introduces a class of polynomials which builds upon earlier work by Rabin-Winograd; BRW polynomials can be computed using m/2 multiplications; 2m/ IF -AU;

44 Wide-Block Encryption p. 18/4 Universal Hashing F K (P 1,...,P m ) = P m + KP m K m 1 P 1. Requires (m 1) multplications; m/ IF -AU; KF K satisfies XOR universality. Bernstein (2007): introduces a class of polynomials which builds upon earlier work by Rabin-Winograd; BRW polynomials can be computed using m/2 multiplications; 2m/ IF -AU; Sarkar (2008): universal hashing from word oriented LFSRs;

45 Wide-Block Encryption p. 18/4 Universal Hashing F K (P 1,...,P m ) = P m + KP m K m 1 P 1. Requires (m 1) multplications; m/ IF -AU; KF K satisfies XOR universality. Bernstein (2007): introduces a class of polynomials which builds upon earlier work by Rabin-Winograd; BRW polynomials can be computed using m/2 multiplications; 2m/ IF -AU; Sarkar (2008): universal hashing from word oriented LFSRs; no multiplications; bitwise processing slow in software; good for resource constrained devices.

46 Wide-Block Encryption p. 19/4 Invertible Blockwise Universal Fix integer m 1 and let IF be a finite field. F : K IF m IF m For each K K, F K is invertible. (x,i) (x,i ), 1 i,i m.

47 Wide-Block Encryption p. 19/4 Invertible Blockwise Universal Fix integer m 1 and let IF be a finite field. F : K IF m IF m For each K K, F K is invertible. (x,i) (x,i ), 1 i,i m. ǫ-bau. F K : (X 1,...,X m ) (Y 1,...,Y m ) F K : (X 1,...,X m) (Y 1,...,Y m) Pr K [Y i = Y i ] ǫ.

48 Wide-Block Encryption p. 20/4 Constructions (X 1,...,X m ) (X 1 u(y ),...,X m 1 u(y ),Y ) (φ β (0),...,φ β (m 1)) (NR 99) (X 1 Y,...,X m 1 Y,Y ) (φ β (0),...,φ β (m 1)) (Sarkar 08) Y = X m ψ τ (X 1,...,X m 1 ); φ, ψ and u are AXU;

49 Wide-Block Encryption p. 20/4 Constructions (X 1,...,X m ) (X 1 u(y ),...,X m 1 u(y ),Y ) (φ β (0),...,φ β (m 1)) (NR 99) (X 1 Y,...,X m 1 Y,Y ) (φ β (0),...,φ β (m 1)) (Sarkar 08) Y = X m ψ τ (X 1,...,X m 1 ); φ, ψ and u are AXU; (X 1,...,X m ) (X 1 Z,...,X m Z) (β,αβ,...,α m 1 β) (Halevi 07) Z = σ 1 (X 1 τ m X m 1 τ 2 X m τ); σ = 1 τ τ m.

50 Hash-ECB-Hash Constructions Wide-Block Encryption p. 21/4

51 Hash-ECB-Hash P 1 P 2 P 3 P 4 H K1 PP 1 PP PP PP E K E K E K E K CC CC CC CC ( 1) G K2 C C C C H and G are invertible blockwise universal hash functions. Wide-Block Encryption p. 22/4

52 Wide-Block Encryption p. 23/4 Hash-ECB-Hash Constructions NRmode. Predates the notion of tweaks; did not specify handling of partial blocks.

53 Wide-Block Encryption p. 23/4 Hash-ECB-Hash Constructions NRmode. Predates the notion of tweaks; did not specify handling of partial blocks. TET. Incorporates tweaks and handles partial blocks. But, more complicated and hence less efficient.

54 Wide-Block Encryption p. 23/4 Hash-ECB-Hash Constructions NRmode. Predates the notion of tweaks; did not specify handling of partial blocks. TET. Incorporates tweaks and handles partial blocks. But, more complicated and hence less efficient. HEH. Incorporates tweaks and handles partial blocks. Simplifies NRmode construction; more efficient than TET.

55 Wide-Block Encryption p. 23/4 Hash-ECB-Hash Constructions NRmode. Predates the notion of tweaks; did not specify handling of partial blocks. TET. Incorporates tweaks and handles partial blocks. But, more complicated and hence less efficient. HEH. Incorporates tweaks and handles partial blocks. Simplifies NRmode construction; more efficient than TET. Other less efficient constructions known.

56 Wide-Block Encryption p. 24/4 HEH (Full Blocks) H K1 = Ψ τ,β1, G K2 = Ψ τ,β2.

57 Wide-Block Encryption p. 24/4 HEH (Full Blocks) H K1 = Ψ τ,β1, G K2 = Ψ τ,β2. Ψ τ,β (X 1,...,X m ) = (X 1 Y,...,X m 1 Y,Y ) (φ β (1),...,φ β (m 1),φ β (0)) Y = X m ψ τ (X 1,...,X m 1 ).

58 Wide-Block Encryption p. 24/4 HEH (Full Blocks) H K1 = Ψ τ,β1, G K2 = Ψ τ,β2. Ψ τ,β (X 1,...,X m ) = (X 1 Y,...,X m 1 Y,Y ) (φ β (1),...,φ β (m 1),φ β (0)) Y = X m ψ τ (X 1,...,X m 1 ). φ β : i α i β; α is a primitive element of GF(2 n ).

59 Wide-Block Encryption p. 24/4 HEH (Full Blocks) H K1 = Ψ τ,β1, G K2 = Ψ τ,β2. Ψ τ,β (X 1,...,X m ) = (X 1 Y,...,X m 1 Y,Y ) (φ β (1),...,φ β (m 1),φ β (0)) Y = X m ψ τ (X 1,...,X m 1 ). φ β : i α i β; α is a primitive element of GF(2 n ). ψ τ can be instantiated using usual polynomial hashing; hashing using BRW polynomials; hashing using word oriented LFSRs.

60 Wide-Block Encryption p. 25/4 HEH (Partial Block) P 1 P 2 P 3 P 4 P 5 Φ τ,β 1 PP 1 PP PP PP E K E K E K E K E K CC CC CC CC Φ 1 τ,β 2 C C C Handling partial blocks. C 4 C 5

61 Wide-Block Encryption p. 26/4 HEH (Partial Block) Φ τ,β (X 1,...,X m 1,X m ) =(X 1 Y,...,X m 2 Y,Y,X m ) (φ β (1),...,φ β (m 2),φ β (0), 0 r ) Y = X m 1 ψ τ (X 1,...,X m 2,X m 0 n r ). Note. X m 1 is the last full block; φ β and ψ τ defined as for full blocks.

62 Definition of τ, β 1, β 2 KeyDef1 γ = E K (T); β 1 = E K (γ bin n (l)); β 2 = αβ 1 ; τ = γ. KeyDef2 γ = E K (T); β 1 = E K (γ bin n (l)); β 2 = αβ 1 ; choose τ randomly from GF(2 n ). KeyDef3 β 1 = E K (T); β 2 = αβ 1 ; choose τ randomly from GF(2 n ). KeyDef1: single key; no pre-comp; KeyDef2: separate hash key; allows pre-comp; KeyDef3: fixed length; saves one call. Wide-Block Encryption p. 27/4

63 Counter/OFB Based Constructions Wide-Block Encryption p. 28/4

64 Wide-Block Encryption p. 29/4 XCB Mode of Operation P P P 1 2 m E K0 T H K1 Ctr K 2 T C 2 C m H K3 E K4 1 C 1 C 2 C m

65 Wide-Block Encryption p. 30/4 HCtr Mode of Operation P P P 1 2 m H h T E K Ctr K T H h C 1 C 2 C m

66 Wide-Block Encryption p. 31/4 HCH Mode of Operation P P P 1 2 m H R,Q E K E K S Ctr K H R,xQ C 1 C 2 C m

67 Wide-Block Encryption p. 32/4 ihch/hoh Modes P 1 P 2 P m H τ,β1 M 1 E K S Mode,, K, β 1 S β 2 U 1 H τ,β2 C 1 C 2 C m

68 Wide-Block Encryption p. 33/4 ihch/hoh Modes H τ,β (X 1,...,X m ) = β X 1 ψ τ (X 2,...,X m ). Mode K,β1,β 2,S as Counter: Ctr K,β1,R(X 1,...,X m ) = ECB K (R 1,...,R m ) where R = S β 1 β 2, R i = φ β (i 1) R. Mode K,β1,β 2,S as OFB: OFB K,S (X 1,...,X m ) = (X 1,...,X m ) (S 1,...,S m ) where S i = E i K (S); β 1 and β 2 are not used.

69 Encrypt-Mix-Encrypt Constructions Wide-Block Encryption p. 34/4

70 Wide-Block Encryption p. 35/4 EME Mode of Operation L xl x 2 L x 3 L PP 1 PP 2 PP 3 PP 4 E K E K E K E K E K PPP PPP PPP PPP MP SP xm T x 2 M x 3 M MC SC T CCC1 CCC2 CCC3 CCC4 E K E K E K E K L CC1 CC2 CC3 CC4 xl x 2 L x 3 L C C C C SP = PPP 2 PPP 3 PPP 4 ; SC = CCC 2 CCC 3 CCC 4 ; M = MP MC.

71 EMME Mode of Operation L ψ(l) 2 3 ψ (L) ψ (L) PP 1 PP 2 PP 3 PP 4 E K E K E K E K SP T E K ψ(m) ψ (M) ψ (M) 2 3 SC T E K E K E K E K L CC1 CC2 CC3 CC4 ψ(l) 2 3 ψ (L) ψ (L) C C C C SP = PPP 2 PPP 3 PPP 4 ; SC = CCC 2 CCC 3 CCC 4 ; M = MP MC. Wide-Block Encryption p. 36/4

72 Wide-Block Encryption p. 37/4 EMME Mode of Operation EME: Multiplication by x : S xs mod τ(x) τ(x): primitive, degree n polynomial over GF(2).

73 Wide-Block Encryption p. 37/4 EMME Mode of Operation EME: Multiplication by x : S xs mod τ(x) τ(x): primitive, degree n polynomial over GF(2). EMME: Generalization: ψ : GF(2 n ) GF(2 n ); linear map whose minimal polynomial over GF(2) is primitive and of degree n.

74 Wide-Block Encryption p. 37/4 EMME Mode of Operation EME: Multiplication by x : S xs mod τ(x) τ(x): primitive, degree n polynomial over GF(2). EMME: Generalization: ψ : GF(2 n ) GF(2 n ); linear map whose minimal polynomial over GF(2) is primitive and of degree n. ψ can be instantiated using a tower field representation of GF(2 n ); word oriented LFSR ; software implementation is faster than multiplication by x.

75 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls.

76 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls. Number of multiplications (if any).

77 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls. Number of multiplications (if any). Number of block cipher keys.

78 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls. Number of multiplications (if any). Number of block cipher keys. Number of other key material (if any).

79 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls. Number of multiplications (if any). Number of block cipher keys. Number of other key material (if any). Use of pre-computed multiplication tables (if relevant).

80 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls. Number of multiplications (if any). Number of block cipher keys. Number of other key material (if any). Use of pre-computed multiplication tables (if relevant). Parallelism, simplicity,...

81 Wide-Block Encryption p. 38/4 Comparison Issues Security: all modes provide the same security level. Efficiency: Number of block cipher calls. Number of multiplications (if any). Number of block cipher keys. Number of other key material (if any). Use of pre-computed multiplication tables (if relevant). Parallelism, simplicity,... An important issue: Variable/arbitrary versus fixed length messages.

82 Wide-Block Encryption p. 39/4 Variable Length Efficiency Mode [BC] [M] [I] EME 2m + m/n + 1 XCB (m + 6) 2(m + 1) HCTR m 2(m + 1) HCH (m + 3) 2(m 1) TET 2ı + m + 2 ı(m 1) + 2m 1 XXX (m + 2) 2(m 1) XXX (m + 2) m (with BRW) XXX: HEH, ihch, HOH; for TET ı 1.

83 Wide-Block Encryption p. 40/4 Variable Length # Keys Mode # keys EME 1[BCK] + 2[AK] XCB 1[BCK] HCTR 1[BCK]+1[AK] HCH 1[BCK] TET 2[BCK] XXX 1[BCK] XXX: HEH, ihch, HOH.

84 Wide-Block Encryption p. 41/4 Fixed Length Messages Mode [BC] [M] [BCK] [AK] tab EME 2m+1+ m/n 1 2 XCB m + 1 2(m + 3) 3 2 yes HCTR m 2(m + 1) 1 1 yes HCH m + 2 2(m 1) 1 1 yes TET m + 1 2m 2 3 yes XXX m + 1 2(m 1) 1 1 yes XXX m + 1 m (BRW) 1 1 no XXX: HEH, ihch, HOH.

85 Wide-Block Encryption p. 42/4 Key Agility Mode comp. cost key sch. mult. tab. EME 1 XCB 5[BC] 3 2 HCTR 1 1 HCH 1 1 TET ı((m 1)[M] 2 1 2[BC])+ 1[BC]+1[I] XXX 1 1 XXX: HEH, ihch, HOH.

86 Wide-Block Encryption p. 43/4 Comparison Summary Software implementation: HOH will be the fastest: there are no masking operations; HEH, ihch are also good choices; so are HCTR and HCH; XCB has good efficiency but less efficient key agilitiy; TET: inefficient for variable lengths; bad key agility for fixed lengths. EME is good; EMME is sligtly better. No pre-computation: use BRW polynomials.

87 Wide-Block Encryption p. 43/4 Comparison Summary Software implementation: HOH will be the fastest: there are no masking operations; HEH, ihch are also good choices; so are HCTR and HCH; XCB has good efficiency but less efficient key agilitiy; TET: inefficient for variable lengths; bad key agility for fixed lengths. EME is good; EMME is sligtly better. No pre-computation: use BRW polynomials. Hardware implementation: Issues: chip size, memory,... HEH, ihch, HOH offer the best features.

88 Wide-Block Encryption p. 44/4 Patents and Standards Patented: EME/EME, XCB. Unpatented: NRmode, TET, HEH; HCtr, HCH, ihch (uses Ctr mode; as does XCB). HOH. IEEE P standard: decision (as of Nov 2008) to standardize EME2 (of the encrypt-mix-encrypt type) XCB (of the hash-encrypt-hash type)

89 Thank you for your attention! Wide-Block Encryption p. 45/4

Improving Upon the TET Mode of Operation

Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold