Would this method allow fast authenticated encryption using only a single encryption and RNG operation per block?

Question

The most promising of the 4 approaches described here (version 4) has been posted as a separate question. This post should be considered for archiving and historical purposes only.

Disclaimer: the algorithms I present here (and in other messages) are used as a hands-on way to learn about developing crypto algorithms, (and might also be of interest for other curious people), not for practical use (at least not after dozens of iterations and peer-review). I understand some people vote down not just because it seems unproved and speculative, and possibly flawed, but also perhaps because I'm not necessarily presenting it this way. This is just a manner of speech. Most of this *is* probably flawed, but that's the whole point here!

The most plausible approach so far is no. 4 so if you're interested jump right into it and try to see if you can find any flaws or attacks. The previous ones are only kept for historical reference (@J.D.'s answer was given for No. 1).

Version 1:

[This was modified from the original version to use a seed as $Key \oplus IV$ instead of just the key, $E(Key \oplus IV)$ and $H(Key \oplus IV)$ are other options]

Assume $E$ is a block cipher, $P_0 = IV$

(Consider both cases where the IV is in plaintext or encrypted)

Encryption:

1. Add an additional block to the message and store the key in it, ie. $P_n=Key$.
2. Seed a random number generator with $Key \oplus IV$.
3. Encrypt all non-final plaintext blocks $P_k, 0<k<n$ in the following way: $C_k=P_k \oplus E(P_{k−1} \oplus Random())$
4. Encrypt the final plaintext block $P_n$ (containing the key) in the following way:
   $C_n = E(P_n \oplus E(P_{n−1} \oplus Random()))$

Decryption:

1. Seed a random number generator with $Key \oplus IV$.
2. Decrypt all non-final ciphertext blocks:
   $P_k = C_k \oplus E(P_{k−1} \oplus Random())$
3. Decrypt the final ciphertext block:
   $P_n = D(C_k) \oplus E(P_{n−1} \oplus Random())$

Authentication:

1. Verify $P_n=Key$

Note the number of encryption operations is actually $n+1$, so the title is slightly inaccurate. Also, it may not be completely essential to store the key in the final block - A non-secret value might work, but I'm being cautious for now..

I'm also not sure if a cryptographically secure RNG is needed here? what do you think? If not, (and of course assuming it may actually is correct and secure), it might execute very fast in practice.

Please try be constructive, as even if this is flawed in its current state it might be possible to fix it without adding a significant amount of expensive operations.

---

Version 2:

An alternative (which is probably what I had in mind when I wrote this but I didn't describe it precisely)

Assume $E$ is a block cipher, $P_0 = IV$

(Consider both cases where the IV is in plaintext or encrypted)

Encryption:

1. Add an additional block to the message and store the key in it, ie. $P_n=Key$.
2. Seed a random number generator with $Key \oplus IV$.
3. XOR with the output of the RNG (this could be done incrementally)
4. Encrypt all non-final (modified) plaintext blocks $P'_k, 0<k<n$ in the following way: $C_k=P'_k \oplus E(P'_{0} \oplus P'_{1} .. \oplus P'_{k−1})$
5. Encrypt the final plaintext block $P_n$ (containing the key) in the following way:
   $C_n = E(P_n \oplus E(P'_{0} \oplus P'_{1} \oplus .. \oplus P'_{n−1}))$

Decryption:

1. Decrypt all non-final ciphertext blocks:
   $P_k = C_k \oplus E(P'_{0} \oplus P'_{1} \oplus .. \oplus P'_{k−1})$
2. Decrypt the final ciphertext block:
   $P_n = D(C_k) \oplus E(P'_{0} \oplus P'_{1} \oplus .. \oplus P'_{n−1})$
3. Seed a random number generator with $Key \oplus IV$.
4. XOR non-final blocks with the output of the RNG (could be done incrementally to a different copy)

Authentication:

1. Verify $P_n=Key$

---

Version 3: (an attempt to overcome flaws pointed out by @SOJPM)

Assume $E$ is a block cipher, $P_0 = IV$

(Consider both cases where the IV is in plaintext or encrypted)

Encryption:

1. Add an additional block to the message and store the key in it, ie. $P_n=Key$.
2. Seed a random number generator with $Key \oplus IV$.
3. XOR with the output of the RNG (this could be done incrementally)
4. Encrypt all non-final (modified) plaintext blocks $P'_k, 0<k<n$ in the following way: $C_k=P'_k \oplus (E(P'_{0}) \oplus E(P'_{0} \oplus P'_{1}) \oplus .. \oplus E(P'_{0} \oplus P'_{1} .. \oplus P'_{k−1}))$
5. Encrypt the final plaintext block $P_n$ (containing the key) in the following way:
   $C_n = E(P_n \oplus E(E(P'_{0}) \oplus E(P'_{0} \oplus P'_{1}) \oplus .. \oplus E(P'_{0} \oplus P'_{1} .. \oplus P'_{k−1})))$

Decryption:

1. Decrypt all non-final ciphertext blocks:
   $P_k = C_k \oplus E(P'_{0}) \oplus E(P'_{0} \oplus P'_{1}) \oplus .. \oplus E(P'_{0} \oplus P'_{1} .. \oplus P'_{k−1})$
2. Decrypt the final ciphertext block:
   $P_n = D(C_k) \oplus (E(P'_{0}) \oplus E(P'_{0} \oplus P'_{1}) \oplus .. \oplus E(P'_{0} \oplus P'_{1} .. \oplus P'_{k−1}))$
3. Seed a random number generator with $Key \oplus IV$.
4. XOR non-final blocks with the output of the RNG (could be done incrementally to a different copy)

Authentication:

1. Verify $P_n=Key$

---

Version 4: (using nested encryption)

Assume $E$ is a block cipher, $P_0 = IV$

(Consider both cases where the IV is in plaintext or encrypted)

Encryption:

1. Add an additional block to the message and store the key in it, ie. $P_n=Key$.
2. Seed a random number generator with $Key \oplus IV$.
3. XOR with the output of the RNG (this could be done incrementally)
4. Encrypt all non-final (modified) plaintext blocks $P'_k, 0<k<n$ in the following way: $C_k = P'_k \oplus ..E(E(E(P'_{0}) \oplus P'_{0} \oplus P'_{1}) \oplus P'_{0} \oplus P'_{1} \oplus P'_{2}))..$ (up to $P'_{k-1}$)
5. Encrypt the final plaintext block $P_n$ (containing the key) in the following way:
   $C_n = E(P_n \oplus ..E(E(E(P'_{0}) \oplus P'_{0} \oplus P'_{1}) \oplus P'_{0} \oplus P'_{1} \oplus P'_{2}))..)$ (up to $P'_{n-1}$)

Decryption:

1. Decrypt all non-final ciphertext blocks:
   $P_k = C_k \oplus ..E(E(E(P'_{0}) \oplus P'_{0} \oplus P'_{1}) \oplus P'_{0} \oplus P'_{1} \oplus P'_{2}))..$ (up to $P'_{k-1}$)
2. Decrypt the final ciphertext block:
   $P_n = D(C_k) \oplus ..E(E(E(P'_{0}) \oplus P'_{0} \oplus P'_{1}) \oplus P'_{0} \oplus P'_{1} \oplus P'_{2}))..$ (up to $P'_{n-1}$)
3. Seed a random number generator with $Key \oplus IV$.
4. XOR non-final blocks with the output of the RNG (could be done incrementally to a different copy)

Authentication:

1. Verify $P_n=Key$

Note: the nested encryptions are calculated incrementally. First $E(P'_{0})$ then $E(E(P'_{0}) \oplus P'_{0} \oplus P'_{1})$ then $E(E(E(P'_{0}) \oplus P'_{0} \oplus P'_{1}) \oplus P'_{0} \oplus P'_{1} \oplus P'_{2}))$. It's an incremental process - only a single encryption operation is performed per block (the inner encryption results are saved)

Note: I'm not sure if it's needed to XOR with all the previous $P'$ or just the latest one in the nested encryption.

In this case (assuming it actually works ?!) it looks more reasonable to ask if a crypto RNG is needed? That's probably why I asked in the first place..

[sorry for the trial and error approach but I find this process extremely effective!].

Answer 1

Anon2000 - as currently constructed your mode is fatally flawed. Given two known messages encrypted with the same key (i.e. where the attacker knows the plaintexts) that are each at least two blocks in length (not counting the IV or final validation block), the attacker can trivially forge at least two other 'valid' messages (and many more than that if the 2 known messages are long or he knows more messages), regardless of whether the RNG is cryptographically secure or not. Rather than spell it out for you, I think you would learn more by trying to figure out for yourself why such forgeries are trivial. As a hint, consider what happens to a message that is (say) 4 blocks long when you flip a single bit in the plaintext of the second block.

Again, I can't recommend enough that you take some time to understand provable security, and more generally try to think like an attacker. Without that skill-set, any 'fixes' you might make in your mode design are like someone who doesn't know aerodynamics trying to design an airplane -- even if you constantly go back and forth to aeronautical engineers with proposed trial-and-error 'fixes', your plane still won't fly, you will have learned much less than had you sat down with an aerodynamics textbook, and you will eventually piss off the engineers.