Integrity-protecting block cipher modes -- Untangling a tangled web

Chris J Mitchell

TL;DR

This paper re-evaluates three closely related authenticated-encryption block-cipher modes—PES-PCBC, IOBC, and EPBC—and demonstrates that each contains exploitable defects. Through synthesis of prior cryptanalysis and the introduction of new attacks, it shows that PES-PCBC and IOBC permit forgery and that EPBC's security status is not settled, with new methods achieving high forgery success at submittal costs below $2^{n/2}$. It also discusses general forgery techniques and IV-management pitfalls that apply across this design space, including chosen-plaintext and cross-message attacks. The findings argue strongly against adopting these modes in practice and underscore the availability of alternative, provably secure authenticated-encryption schemes.

Abstract

This paper re-examines the security of three related block cipher modes of operation designed to provide authenticated encryption. These modes, known as PES-PCBC, IOBC and EPBC, were all proposed in the mid-1990s. However, analyses of the security of the latter two modes were published more recently. In each case one or more papers describing security issues with the schemes were eventually published, although a flaw in one of these analyses (of EPBC) was subsequently discovered - this means that until now EPBC had no known major issues. This paper establishes that, despite this, all three schemes possess defects which should prevent their use - especially as there are a number of efficient alternative schemes possessing proofs of security.

Paper Structure (21 sections, 12 theorems, 25 equations, 2 figures, 1 table)

Key Result

theorem 1

Suppose the ciphertext $C_1,C_2,\ldots,C_t$ was constructed using PES-PCBC from the plaintext $P_1,P_2,\ldots,P_t$, and that $j$ satisfies $1<j<t$. Suppose the $(t+2)$-block ciphertext $C'_1,C'_2,\ldots,C'_{t+2}$ is constructed as follows: When decrypted to yield $P'_1,P'_2,\ldots,P'_{t+2}$, the value of the final plaintext block $P'_{t+2}$ will equal $P_t$ for the original (untampered) message,

Figures (2)

  • Figure 1: PES-PCBC encryption
  • Figure 2: IOBC encryption

Theorems & Definitions (19)

  • theorem 1
  • proof
  • lemma 1: Mitchell, Mitchell13
  • lemma 2: Mitchell, Mitchell13
  • lemma 3: Mitchell, Mitchell13
  • lemma 4: Mitchell, Mitchell07
  • lemma 5: Mitchell, Mitchell07
  • lemma 6
  • proof
  • lemma 7
  • ...and 9 more