
[P1619-2] Proposed text for standard
Hello 1619.2,

Shai Halevi and I have each put together separate specifications of the EME2
and XCB algorithms, respectively.  We also need to write some front matter
text that will be common to both algorithms.   The text below is probably a
good start; it describes what the algorithms do, in an abstract way,
outlines their security goals, gives some usage guidance, and describes the
disk-block encryption as a special case.   (A bit more text will need to be
written in order to map this definition to the disk-block encryption
application.)  Comments welcome.

Best regards,

David

--

Introduction

The purpose of this standard is to specify Strong Pseudo-Random Permutation
with Associated Data (SPRP-AD) methods that are suitable for the encryption
of data at rest.  

An SPRP-AD method consists of an encryption operation and a decryption
operation.  The encryption operation accepts three inputs: a secret key, a
plaintext, and the associated data.  It returns a single ciphertext value.
Each of these inputs is regarded as an octet string.

The secret key must be unpredictable to the adversary.  Each SPRP-AD
algorithm accepts a key of a fixed length, but different algorithms may have
keys of different lengths.

The plaintext input contains the data to be encrypted.  The length of the
plaintext may vary across different invocations of the encryption operation,
for a particular key.  An SPRP-AD method defines the range of admissible
plaintext lengths. 

The associated data input contains data that is associated with the
plaintext, but which does not need to be encrypted.  The choice of data for
this input is described in more detail below.  The associated data input may
vary in

The ciphertext returned by the encryption operation is the same length as
the plaintext.  

The decryption operation takes three inputs: a secret key, a ciphertext, and
an associated data value.  It returns a single plaintext value.   These
values are as defined above, but with roles of the ciphertext and plaintext
reversed.

The decryption operation is the reverse of the encryption operation; more
specifically, if the encryption of the plaintext P with the key K and the
associated data A results in the ciphertext C, then the decryption of C with
the key K and the associated data A will result in the plaintext P.

The value of the associated data must be known both at the time of encryption
and at the time of decryption, so it should contain only information that is
available, in plaintext form, at the time of both operations.

The associated data input should characterize the plaintext, and it should
be as fine-grained as possible.  This is because whenever the same plaintext
is encrypted two different times using the same key but with distinct
associated data values, the result is two distinct ciphertext values.  Thus
the use of distinct associated data values hides the equality of the
plaintexts from an attacker.

Using an SPRP-AD to protect an array of data blocks

An SPRP-AD can be used to protect an array of data blocks, such as those in
a data-storage disk.  To do this, the associated data input to the
encryption and decryption operations should contain the logical index of the
block on which the operation is acting.   If multiple disks are being
protected with a single key, then the associated data input should contain
both the logical index of the block and an additional distinguishing
parameter that is unique to each of the disks.
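
An added example (not part of the proposed standard text, and not EME2 or XCB)
that exercises the SPRP-AD interface and the disk-block usage described above.
The cipher below is a toy: a length-preserving, four-round Feistel permutation
whose round functions are HMAC-SHA256 keyed with the secret key and
domain-separated by the associated data and the round index. It is assumed to
take a 32-octet key and plaintexts of at least two octets; these choices, the
`block_ad` encoding of disk identifier plus 64-bit logical block index, and the
sample disk contents are all constructed for illustration.

```python
"""Toy SPRP-AD plus the disk-block associated-data construction.

Illustrative only: a tweaked Feistel permutation, NOT the EME2 or XCB
algorithms of the standard.  It shows the interface (key, plaintext/ciphertext,
associated data) and why the associated data should carry the block index and a
per-disk parameter.
"""
import hashlib
import hmac
import struct

ROUNDS = 4  # four rounds with independent PRFs, the classic Luby-Rackoff count


def _round_fn(key: bytes, assoc: bytes, rnd: int, data: bytes, out_len: int) -> bytes:
    """HMAC-SHA256 PRF expanded to out_len octets.

    The round index and the length of the associated data are encoded up front
    so that (assoc, data) cannot be re-split into a different pair.
    """
    msg = struct.pack(">IQ", rnd, len(assoc)) + assoc + data
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(key, msg + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, data: bytes, assoc: bytes, rounds) -> bytes:
    """Unbalanced Feistel network; even rounds update the left half, odd the right."""
    if len(key) != 32:
        raise ValueError("this toy cipher takes a 32-octet key (assumption)")
    if len(data) < 2:
        raise ValueError("plaintext must be at least 2 octets (assumption)")
    mid = len(data) // 2
    left, right = data[:mid], data[mid:]
    for rnd in rounds:
        if rnd % 2 == 0:
            left = _xor(left, _round_fn(key, assoc, rnd, right, len(left)))
        else:
            right = _xor(right, _round_fn(key, assoc, rnd, left, len(right)))
    return left + right  # same length as the input, as an SPRP-AD requires


def encrypt(key: bytes, plaintext: bytes, assoc: bytes) -> bytes:
    return _feistel(key, plaintext, assoc, range(ROUNDS))


def decrypt(key: bytes, ciphertext: bytes, assoc: bytes) -> bytes:
    # XOR is self-inverse, so running the rounds backwards undoes encryption.
    return _feistel(key, ciphertext, assoc, reversed(range(ROUNDS)))


def block_ad(disk_id: bytes, block_index: int) -> bytes:
    """Associated data for one logical block: length-prefixed disk id || 64-bit index.

    Both fields are known in plaintext form at encryption and decryption time,
    and together they are unique per block across all disks sharing the key.
    """
    if not 0 <= block_index < 2 ** 64:
        raise ValueError("block index must fit in 64 bits")
    return struct.pack(">H", len(disk_id)) + disk_id + struct.pack(">Q", block_index)


def encrypt_block(key: bytes, disk_id: bytes, block_index: int, block: bytes) -> bytes:
    return encrypt(key, block, block_ad(disk_id, block_index))


def decrypt_block(key: bytes, disk_id: bytes, block_index: int, block: bytes) -> bytes:
    return decrypt(key, block, block_ad(disk_id, block_index))


if __name__ == "__main__":
    # Constructed sample: two all-zero 512-octet sectors on one disk.
    key = bytes(range(32))
    sector = b"\x00" * 512
    c0 = encrypt_block(key, b"disk-0001", 0, sector)
    c1 = encrypt_block(key, b"disk-0001", 1, sector)
    print("equal plaintexts, distinct ciphertexts:", c0 != c1)
    print("wrong block index fails to decrypt:", decrypt_block(key, b"disk-0001", 1, c0) != sector)
```

Running the block shows the two properties the text relies on: identical sector
contents at different logical indices (or on different disks) produce unrelated
ciphertexts, and a ciphertext moved to another index does not decrypt to the
original plaintext, so an attacker cannot learn sector equality or usefully copy
sectors around.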