AUTHENTICATED ENCRYPTION MODE WITH BLOCKS SKIPPING

Block symmetric ciphers are one of the most important components of modern information security systems. In addition to the structure of the applied block symmetric cipher, the cryptographic strength and performance of the information protection system are largely determined by the applied encryption mode. Besides high performance and high-quality destruction of block statistics, modern encryption modes should also protect encrypted information from accidental or intentionally introduced errors. In this paper, we have developed an encryption mode with blocks skipping and using a pseudorandom key sequence generator, which allows checking the integrity of encrypted information with accurate detection of the place where an error was introduced. In this case, the error detection accuracy is determined by the adjustable parameter of the macroblock size and can be set depending on the level of importance of the protected information. The developed encryption mode is characterized by the following key advantages: reducing the number of required encryption operations by half, while providing a high level of cryptographic quality; more effective destruction of macroblock statistics due to the use of an additional generator of pseudorandom key sequences; the impossibility of propagation of an accidental (or intentionally introduced) error outside the macroblock; and higher values of the number of protection levels due to the possibility of classifying the initial states of the applied generators of pseudorandom key sequences. The mode of authenticated encryption with blocks skipping proposed in this paper can be recommended for use on mobile platforms that are demanding in terms of the quality and reliability of the protected information and are limited in terms of computing and power resources.


Introduction and statement of the problem
One of the most important places in modern complex information protection systems is occupied by the cryptographic subsystem, which ensures the impossibility of obtaining the confidential information without knowing the secret key. At the same time, in practice, asymmetric cryptographic algorithms are usually used at the stage of key exchange, while block symmetric cryptographic algorithms are used to encrypt the large amounts of information, and are characterized by much higher performance and reliability.
The development of cryptanalysis methods, as well as progress in the theory of cryptographic strength, leads to the need for further improvement of modern block symmetric ciphers [1], as well as the use of stronger cryptographic primitives [2,3] to increase their performance while maintaining a high level of cryptographic strength.
However, we note that in addition to the structure of the cryptographic algorithm itself and the cryptographic primitives that are used in it, the mode in which the selected cryptographic algorithm is applied to the data has a significant impact on the quality of the cryptographic transformation and its performance.
An encryption mode is a method of using a block symmetric cipher that converts a sequence of blocks of open data into a sequence of blocks of encrypted data [4].
In this case, data from another block can be used to encrypt the current block.
The simplest known encryption mode is the Electronic Codebook (ECB) mode, which simply replaces plaintext blocks with ciphertext blocks. It is known [4] that the use of even the most robust block symmetric ciphers in the ECB encryption mode leads to the preservation of block statistics in the original message, which leads to the possibility of partial recovery of encrypted information from the cryptogram. This circumstance makes it impossible to apply the ECB mode in practice.
Today many encryption modes have been created that provide reliable destruction of statistics in encrypted data. These modes include the following: Cipher Block Chaining (CBC), Propagating Cipher Block Chaining (PCBC), Cipher Feedback (CFB), Output Feedback (OFB). All these modes are based on the principle of concatenation of blocks to be encrypted with already encrypted ones.
A significant disadvantage of these modes with block coupling is their instability to accidental or intentionally introduced errors. So, if an error occurs during the transfer of one of the blocks, this error is propagated during decryption to all blocks that follow it.
Note also that recently, encryption modes with authentication have become widely used, allowing simultaneous verification of the integrity of encrypted data in the process of their decryption. At the same time, the use of such modes guarantees protection both from errors arising from natural reasons and from errors that were intentionally introduced into the transmitted information. Most of the authenticated encryption schemes used today are designed for use in Internet protocols such as IPsec and TLS, which encrypt only one block (packet) and are practically equivalent to the use of the ECB encryption mode. This encryption mode is known to be invalid at the level of encryption of whole files.
Another trend in modern cryptography is the creation of new encryption modes that allow a significant acceleration of the operation of block symmetric ciphers. These new encryption modes include the encryption mode proposed in [5] with blocks skipping and using a pseudorandom key sequence generator, which reduces the number of blocks encrypted by a block symmetric cryptographic algorithm by 2 times by using a much faster construction, a pseudo-random key sequence generator (PRKSG). Nevertheless, the encryption mode developed in [5] has a significant drawback: it lacks the ability to check the integrity of messages encrypted in this mode.
It is promising to combine the advantages of the blocks skipping encryption mode and the use of the PRKSG together with encryption modes involving authentication.
The purpose of this paper is to develop an encryption mode with blocks skipping and the use of the PRKSG, which allows checking the integrity of encrypted information with accurate detection of the place where the error was introduced.

Encryption Mode with blocks skipping and using of PRKSG
Note that in [5], two encryption modes are proposed that increase the performance of block symmetric ciphers: one with blocks skipping, and one with blocks skipping and use of the PRKSG. These encryption modes are designed for use on platforms that are sensitive to the consumption of computing resources, primarily on mobile platforms.
It was found that when using a block chaining mechanism (for example, CBC, PCBC, CFB, or OFB encryption modes), it is possible to skip encryption of some blocks while maintaining the correspondence of the output cryptogram to the NIST stochastic quality tests [6]. However, the number of such skipped blocks is insignificant and does not exceed 5 % of the total number of encrypted blocks.
For further increase in the performance of the encryption operation in [5] it is proposed to combine the advantages of using block and stream cryptographic algorithms by developing an encryption mode with blocks skipping and using a pseudo-random key sequence generator.
For completeness of the presentation of the material of this paper, we will briefly consider the essence of the encryption mode developed in [5] with blocks skipping, as well as use the PRKSG.
To implement this scheme, a cryptographic primitive called a pseudo-random key sequence generator (PRKSG) is used. Today there are many effective cryptographically robust pseudo-random key sequence generators [7-9]. In [5], it was proposed to use the schemes [10] or [11]. At the same time, the performance of these cryptographic primitives significantly exceeds the performance of block symmetric cryptographic algorithms [11].
Before the start of the encryption operation, the selected PRKSG scheme is initialized using an additional key fragment. In this encryption mode, parameters $M$ and $C$ are entered. At the beginning of the encryption procedure, the variable $i$ is initialized to 0. Before applying the block encryption, the condition $i \bmod M \in \{0, 1, \ldots, C\}$ is checked and, if the condition is false, instead of encrypting this block, it is gammed, that is, added modulo 2 to the next gamma segment obtained from the PRKSG. When the processing of the block is finished, the value of the variable $i$ is incremented by 1. Empirical research performed in [5] showed that the scheme shown in Fig. 1 provides a high level of cryptographic quality of the resulting cryptograms for the values $M = 2$ and $C = 0$, i.e. when skipping encryption of every second block of encrypted text.

Authenticated encryption mode with block skipping and use of the PRKSG
Today, there are three main approaches for constructing modes with block authentication [12]. Let's take a quick look at each of these approaches.
The first Encrypt-then-MAC approach assumes that the original block of data is encrypted first, after which a hash function is applied to it (which, in general, can be a single-key cryptographic algorithm). The resulting message is a combination of the encrypted message and the hash value of the encrypted message, which certifies its integrity. In general, the cryptographic algorithm key and the hash function key do not match.
The second Encrypt-and-MAC approach assumes simultaneous encryption and hashing of the original data. The resulting message is a combination of the encrypted message and the hash value of the original message. In this case, the same key is used for the cryptographic algorithm and hash function.
The third MAC-then-Encrypt approach involves finding the hash value of the original message, which is appended to the original message, after which this sequence is encrypted. Thus, the resulting message is the encrypted original message and the value of its hash function. In this case, the same key is used for the hash function and the cryptographic algorithm.
Fig. 1 - CBC encryption mode with block skipping and application of the PRKSG
Note that, in principle, each of the listed approaches can be combined with an encryption mode with blocks skipping and using the PRKSG. However, in the following we describe the new Authenticated Block Skip Encryption Mode with the use of the Encrypt-and-MAC approach.
Let's describe the operation of the proposed encryption mode in the form of specific steps.
Step 1. The original file of length $N$ is divided into $N/k$ blocks, where $k$ is the block length of the applied cryptographic algorithm.
Step 2. Before the start of encryption, the length $\mu$ of the macroblock is set, the counter of the number of the encrypted block is initialized $i = 0$, the counter of the values of the hash function of the macroblocks is initialized $l = 0$, and two cryptographically strong PRKSG are initialized: $\mathrm{PRKSG}_1$ and $\mathrm{PRKSG}_2$. In this case, the initial states of the PRKSG are part of the secret key.
Step 3. Using the generator $\mathrm{PRKSG}_1$, a gamma fragment $G_\mu$ of the length $k$ is generated, which is the initialization vector of this macroblock.
Step 4. Assign the value $G_\mu$ to the initialization vector IV.
Step 5. Perform addition modulo 2 of the initialization vector IV with the plaintext block, and further the value of the resulting block is assigned to a variable $a$.
Step 6. If $i$ is even, the block $a$ is encrypted. Otherwise, we generate the next gamma fragment of the length $k$ using $\mathrm{PRKSG}_2$ and perform its summation modulo 2 with the block $a$. The result of the above actions is assigned to a ciphertext variable $C_i$.
Step 7. Save the next fragment of the ciphertext $C_i$. We assign the value $C_i$ to the initialization vector IV. We increment the counter of the encrypted block number -(end of file is reached) we calculate the value of the hash function of the block $C_i$ and write it to a memory cell $H_l$. END. Otherwise, go to Step 9.
Step 9. If $i \bmod \mu \equiv 0$ (the last block of the macroblock was processed): calculate the value of the hash function of the block $C_i$ and write it to the memory cell $H_l$. We increment the counter of macroblock hash function values $l = l + 1$. Go to Step 3. Otherwise, go to Step 5.
In Fig. 2 we show an encryption scheme that implements the developed algorithm.
In this case, the decryption scheme is built similarly to the encryption scheme (Fig. 2).
Further, similar to the encryption procedure, we describe the decryption procedure for the proposed encryption mode in the form of specific steps.
Step 1. The encrypted file of length $N$ is divided into $N/k$ blocks, where $k$ is the block length of the applied cryptographic algorithm.
Step 2. Before decryption begins, the length $\mu$ of the macroblock is set (this value must be agreed with the party who performed the encryption), the counter of the encrypted block number is initialized $i = 0$, the counter of the hash function values of the macroblocks is initialized $l = 0$, and two cryptographically strong PRKSG are initialized: $\mathrm{PRKSG}_1$ and $\mathrm{PRKSG}_2$. In this case, the initial states of the PRKSG are part of the secret key and must correspond to those used for encryption.
Step 3. Using the $\mathrm{PRKSG}_1$ generator, generate a gamma fragment $G_\mu$ of the length $k$, which is the initialization vector for this macroblock.
Step 4. Assign the value $G_\mu$ to the initialization vector IV.
Step 5. If $i$ is even, the block $C_i$ is decrypted. Otherwise, we generate the next gamma fragment of the length $k$ using $\mathrm{PRKSG}_2$ and perform its summation modulo 2 with the block $C_i$. The result of the above actions is assigned to a variable $a$.
Step 6. The addition modulo 2 of the initialization vector IV with the block of decrypted text is performed, as a result of which the value of the resulting block is assigned to a variable $a$.
Step 7. Save the next fragment of the decrypted text $a$. We assign the value $C_i$ to the initialization vector IV. We increment the counter of the encrypted block number -(end of file is reached) we calculate the value of the hash function of the block $C_i$ and compare it with the value $H_l$ saved during encryption. END. Otherwise, go to Step 9.
Step 9. If $i \bmod \mu \equiv 0$ (the last block of the macroblock was processed): calculate the value of the hash function of the block $C_i$ and compare it with the value $H_l$ saved during encryption. Increment the counter of macroblock hash function values $l = l + 1$. Go to Step 3. Otherwise, go to Step 5.
The proposed scheme (Fig. 2) of the authenticated encryption mode with blocks skipping and using the PRKSG allows us to obtain the following advantages over the scheme with blocks skipping and using the PRKSG, as well as the classical encryption scheme with authentication:
a. the proposed mode allows not only to detect intentional and / or unintentional violation of the integrity of information, but to precisely determine its position with an accuracy up to the size of the macroblock length $\mu$;
b. by varying the value of the macroblock length $\mu$, it is possible to set the accuracy of the location of the integrity violation that occurred; however, smaller values of the macroblock lengths lead to an increase in the size of the vector of values of hash functions of macroblocks, which leads to the need to transfer large amounts of information. Thus, the proposed encryption mode is adaptable due to the change in value of $\mu$ depending on the properties of the transmission channel (storage device) of information and the value of the information itself;
c. in contrast to the traditional encryption modes with block chaining, in the event of an error, its propagation will be limited to the limits of the macroblock;
d. the proposed scheme for the dynamic generation of new values of the initialization vectors for each macroblock makes it possible to destroy the statistical relationships between macroblocks much more efficiently.
Note also that the number of protection levels of the presented scheme exceeds the number of protection levels of the AES block symmetric cipher used in it due to the additional use of two PRKSG. For example, when using PRKSG based on dual couples of bent-sequences, the number of protection levels of which is equal to $2^{165}$, the number of protection levels of the entire encryption scheme is determined as $2^{256} \cdot 2^{165} \cdot 2^{165} = 2^{586}$.
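The encryption and decryption steps above, written out as an added Python example (not code from the paper) that shows a tampered ciphertext block being localized to its macroblock. Assumptions: a toy Feistel permutation stands in for the block cipher, SHA-256 in counter mode stands in for both PRKSGs, the tag $H_l$ is an HMAC-SHA-256 over the macroblock index and every ciphertext block of macroblock $l$ under a separate key, and the input is already a whole number of blocks; all names are hypothetical.

```python
import hashlib, hmac

K = 16  # block length k in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Gamma:
    """Stand-in PRKSG: SHA-256 in counter mode over a secret initial state."""
    def __init__(self, state):
        self.state, self.n = state, 0
    def next(self):
        self.n += 1
        return hashlib.sha256(self.state + self.n.to_bytes(8, "big")).digest()[:K]

def feistel(key, block, decrypt=False):
    """Toy 4-round Feistel permutation standing in for the block cipher (not AES)."""
    l, r = block[:K // 2], block[K // 2:]
    f = lambda i, h: hashlib.sha256(key + bytes([i]) + h).digest()[:K // 2]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (xor(r, f(i, l)), l) if decrypt else (r, xor(l, f(i, r)))
    return l + r

def run(blocks, key, s1, s2, mac_key, mu, decrypt=False):
    """One pass of the mode; returns (output blocks, one tag per macroblock)."""
    g1, g2, out, tags = Gamma(s1), Gamma(s2), [], []
    for i, blk in enumerate(blocks):
        if i % mu == 0:                       # Steps 3-4: fresh IV from PRKSG_1
            iv = g1.next()
            # Assumption: tag covers the macroblock index and all its ciphertext
            mac = hmac.new(mac_key, (i // mu).to_bytes(8, "big"), hashlib.sha256)
        if decrypt:                           # even i: block cipher, odd i: gamma
            a = feistel(key, blk, True) if i % 2 == 0 else xor(blk, g2.next())
            c, res = blk, xor(iv, a)
        else:
            a = xor(iv, blk)                  # Step 5
            c = res = feistel(key, a) if i % 2 == 0 else xor(a, g2.next())  # Step 6
        out.append(res)
        mac.update(c)
        iv = c                                # Step 7: chain on the ciphertext block
        if (i + 1) % mu == 0 or i + 1 == len(blocks):
            tags.append(mac.digest())         # Step 9, or end of file
    return out, tags

def decrypt_and_locate(ct, tags, key, s1, s2, mac_key, mu):
    """Decrypt; return (plaintext blocks, indices of macroblocks whose tag fails)."""
    pt, seen = run(ct, key, s1, s2, mac_key, mu, decrypt=True)
    bad = [l for l, (t, u) in enumerate(zip(tags, seen)) if not hmac.compare_digest(t, u)]
    return pt, bad

# Constructed sample: 10 blocks, macroblock length mu = 4 (macroblocks 0, 1, 2)
KEYS = dict(key=b"k" * 16, s1=b"state-1", s2=b"state-2", mac_key=b"m" * 16, mu=4)
PLAIN = [bytes([n]) * K for n in range(10)]
CT, TAGS = run(PLAIN, **KEYS)
```

Flipping one bit in ciphertext block 7 of `CT` makes `decrypt_and_locate` report macroblock 1 only, and the plaintext of macroblocks 0 and 2 decrypts unchanged because block 8 starts from a fresh IV.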

Conclusion
We note the main results of the research performed:
1. we proposed a new authenticated encryption mode based on a blocks skipping encryption mode using a pseudo-random key sequence generator. In addition to the possibility of skipping the encryption operation of every second encrypted block while maintaining full compliance of the cryptogram with the NIST stochastic quality tests, the developed mode provides information authentication during decryption. When decrypting the file, it is possible to localize the occurred (intentionally introduced) error with a predetermined accuracy, which depends on the selected macroblock length. At the same time, in the developed encryption mode with authentication, in contrast to traditional encryption modes with block chaining, an error that occurs during decryption is propagated only within one macroblock;
2. the developed encryption mode provides a more efficient destruction of macroblock statistics due to the use of an additional PRKSG to generate individual initialization vectors for each macroblock, as well as a higher number of protection levels due to the possibility of using the initial states of the PRKSG as an additional key;
3. the developed encryption mode with authentication and blocks skipping can be recommended for practical use on mobile platforms, which, on the one hand, are sensitive to occurred (intentionally introduced) errors in the encrypted data, and on the other hand, are demanding on computational and energy resources.