As discussed previously, a wide block cipher can be constructed as follows:
This mode has the following properties:
This mode is reasonably efficient given all of the features it offers, but it still requires two read passes plus one write pass over the data.
What happens if we strip off the last round of the wide block cipher mode? We'd lose resistance against the release of unverified plaintext but keep the "no explicit redundancy" property.
Note that because this mode does not provide resistance against the release of unverified plaintext, the decipher oracle requires access to verifiable redundancy. In fact, the verifiable redundancy must be present in the left branch: because we stripped off the last round, we cannot trust the contents of the right branch in the decipherment direction. Note that I intentionally made the left branch one block in width to maximize performance; in fact, this mode performs only one read pass plus one write pass over the data!
What happens if we strip off the first round instead? We keep the resistance against the release of unverified plaintext but at the cost of requiring 2s explicit redundancy. We obtain rWBC mode.
Note that because we cannot trust the right branch in the encipherment direction, it must be fixed to 0s and in fact becomes the authentication tag on the output side. The amortized costs of the WBC and rWBC modes are identical, and because we have 2s explicit redundancy in rWBC mode, I tend to recommend just using WBC instead.
What happens if we strip off the last round as well? We lose resistance against the release of unverified plaintext; this time it is the left branch that can no longer be trusted in the decipherment direction. We obtain the nonce reuse resistant mode described previously, sometimes also referred to as SIV mode.
The decipher oracle must validate redundancy in the right branch before releasing any plaintext, which simply means it must validate the tag.
To summarize the features offered by each mode, including Deck-PLAIN for completeness:
|Mode||Diversifier reuse resistance||Private diversifier||Early rejection||RUP resistance||Explicit redundancy||Min. ciphertext length||I/O passes|
|WBC||✔||✔||✔||✔||4s||2i + o|
|WBCv||✔||✔||4s||i + o|
|rWBC||✔||✔||✔||2s||2s||2i + o|
|rWBCv||✔||✔||2s||2s||i + o|
|PLAIN||✔||s||s||i + o|
The first round protects the left branch against chosen plaintext attacks (CPA), and the last round protects the right branch against chosen ciphertext attacks (CCA). By protecting the left branch against CPA, we gain the feature of less explicit redundancy. By protecting the right branch against CCA, we gain the feature of resistance against the release of unverified plaintext. This line of reasoning also nicely explains why we're able to output only a single block in the first and last rounds: the purpose of the outer two rounds is different from that of the inner two rounds.
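To make the four variants above concrete, here is an added example (not code from the original post) of the four-round construction with each round selectable, so that WBC, WBCv, rWBC and rWBCv/SIV all come out of one function. The deck function is a stand-in built from SHAKE256 rather than a real deck function such as Kravatte or Xoofff, and the block size, domain-separation strings and helper names are assumptions; the outer rounds output only a single block, and the rWBC and WBCv decipher oracles check their redundancy before releasing anything.

```python
import hashlib

BLOCK = 32  # one block = 2s bits for s = 128; an assumed size for this example

def deck(key, div, domain, data, outlen):
    # Stand-in for a deck function (Kravatte or Xoofff in the real design):
    # a keyed XOF over a length-prefixed string sequence, NOT a real deck function.
    h = hashlib.shake_256()
    for s in (key, div, domain, data):
        h.update(len(s).to_bytes(4, "big") + s)
    return h.digest(outlen)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Which rounds each mode keeps: strip the last round for WBCv, the first for
# rWBC, and both outer rounds for rWBCv (the SIV-like mode).
WBC, WBCv, rWBC, rWBCv = (1, 2, 3, 4), (1, 2, 3), (2, 3, 4), (2, 3)

def feistel(key, div, left, right, rounds, decipher=False):
    """Feistel-like wide block cipher; each branch is at least one block.
    Rounds 1 and 3 feed the right branch into the left, rounds 2 and 4 the left
    into the right; the outer rounds (1 and 4) output only a single block.
    Every round XORs a function of the other branch, so deciphering is the
    same rounds applied in reverse order."""
    assert len(left) >= BLOCK and len(right) >= BLOCK
    L, R = left, right
    for r in (reversed(rounds) if decipher else rounds):
        if r == 1:    # compress R, touch only one block of L (CPA protection of L)
            L = xor(L[:BLOCK], deck(key, div, b"r1", R, BLOCK)) + L[BLOCK:]
        elif r == 2:  # expand L into a keystream over the whole right branch
            R = xor(R, deck(key, div, b"r2", L, len(R)))
        elif r == 3:  # expand R into a keystream over the whole left branch
            L = xor(L, deck(key, div, b"r3", R, len(L)))
        else:         # touch only one block of R (CCA protection of R)
            R = xor(R[:BLOCK], deck(key, div, b"r4", L, BLOCK)) + R[BLOCK:]
    return L, R

def rwbc_encipher(key, div, data):
    # rWBC: the right branch is fixed to zeros on input and becomes the tag.
    return feistel(key, div, data, bytes(BLOCK), rWBC)

def rwbc_decipher(key, div, ciphertext, tag):
    # The oracle must find the zero block in the right branch before releasing anything.
    p, zeros = feistel(key, div, ciphertext, tag, rWBC, decipher=True)
    return p if zeros == bytes(BLOCK) else None

def wbcv_decipher(key, div, left, right, redundancy):
    # WBCv: the verifiable redundancy must sit in the one-block left branch.
    p_left, p_right = feistel(key, div, left, right, WBCv, decipher=True)
    return (p_left, p_right) if p_left == redundancy else None
```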