The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search

  • Anand Desai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1880)


We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple block-cipher-based AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above keysearch resistance property.


Encryption Scheme Block Length Random Oracle Message Block Encryption Mode 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    W. Aiello, M. Bellare, G. Di Crescenzo and R. Venkatesan, “Security amplification by composition: The case of doubly-iterated, ideal ciphers,” Advances in Cryptology-Crypto’ 98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.Google Scholar
  2. 2.
    M. Bellare, A. Desai, E. Jokipii and P. Rogaway, “A concrete security treatment of symmetric encryption,” Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.Google Scholar
  3. 3.
    M. Bellare, J. Kilian and P. Rogaway, “The security of cipher block chaining,” Advances in Cryptology-Crypto’ 94, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.Google Scholar
  4. 4.
    M. Bellare and C. Namprempre, “Authenticated encryption: Relations among notions and analysis of the generic composition paradigm,” Report 2000/025, Cryptology ePrint Archive,, May 2000.
  5. 5.
    M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” Proceedings of the 1st Annual Conference on Computer and Communications Security, ACM, 1993.Google Scholar
  6. 6.
    M. Bellare and P. Rogaway, “Optimal asymmetric encryption,” Advances in Cryptology-Eurocrypt’ 94, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag, 1994Google Scholar
  7. 7.
    M. Bellare and P. Rogaway, “On the construction of variable-input-length ciphers,” Fast Software Encryption’ 99, Lecture Notes in Computer Science Vol. 1636, L. Knudsen ed., Springer-Verlag, 1999.CrossRefGoogle Scholar
  8. 8.
    M. Bellare and P. Rogaway, “Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography,” Manuscript, December 1998, available from authors.Google Scholar
  9. 9.
    D. Blichenbacher and A. Desai, “A construction of super-pseudorandom cipher,” Manuscript, May 1999, available from authors.Google Scholar
  10. 10.
    V. Boyko, “On the security properties of OAEP as an all-or-nothing transform, ” Advances in Cryptology-Crypto’ 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.Google Scholar
  11. 11.
    A. Desai, “The security of all-or-nothing encryption,” Full version of this paper, available via:
  12. 12.
    R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz and A. Sahai, “Exposure-Resilient Cryptography: Constructions for the All-Or-Nothing Transform without Random Oracles,” Advances in Cryptology-Eurocrypt’ 00, Lecture Notes in Computer Science Vol. 1807, B. Preneel ed., Springer-Verlag, 2000.CrossRefGoogle Scholar
  13. 13.
    S. Goldwasser and S. Micali, “Probabilistic encryption,” J. of Computer and System Sciences, Vol. 28, April 1984, pp. 270–299.Google Scholar
  14. 14.
    M. Jakobsson, J. Stern and M. Yung, “Scramble All, Encrypt Small,” Fast Software Encryption’ 99, Lecture Notes in Computer Science Vol. 1636, L. Knudsen ed., Springer-Verlag, 1999.CrossRefGoogle Scholar
  15. 15.
    D. Johnson, S. Matyas, and M. Peyravian, “Encryption of long blocks using a short-block encryption procedure,” Submission to IEEE P1363a, available via:, Nov. 1996.
  16. 16.
    J. Katz and M. Yung, “Unforgeable Encryption and Adaptively Secure Modes of Operation,” Fast Software Encryption’ 00, Lecture Notes in Computer Science Vol. ??, B. Schneier ed., Springer-Verlag, 2000.Google Scholar
  17. 17.
    J. Kilian and P. Rogaway, “How to protect DES against exhaustive key search,” Advances in Cryptology-Crypto’ 96, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.CrossRefGoogle Scholar
  18. 18.
    National Bureau of Standards, NBS FIPS PUB 81, “DES modes of operation,” U.S Department of Commerce, 1980.Google Scholar
  19. 19.
    J.-J. Quisquater, Y. Desmedt and M. Davio, “The importance of “good” key scheduling schemes (how to make a secure DES scheme with = 48 bit keys),” Advances in Cryptology-Crypto’ 85, Lecture Notes in Computer Science Vol. 218, H. Williams ed., Springer-Verlag, 1985.Google Scholar
  20. 20.
    R. Rivest, “All-or-nothing encryption and the package transform,” Fast Software Encryption’ 97, Lecture Notes in Computer Science Vol. 1267, E. Biham ed., Springer-Verlag, 1997.CrossRefGoogle Scholar
  21. 21.
    C. Shannon, “Communication theory of secrecy systems,” Bell Systems Technical Journal, Vol. 28, No. 4, 1949, pp. 656–715.MathSciNetGoogle Scholar
  22. 22.
    D. Stinson, “Something about all-or-nothing (transforms),” Manuscript. Available from:, June 1999.

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Anand Desai
    • 1
  1. 1.Department of Computer Science & EngineeringUniversity of California at San DiegoLa JollaUSA

Personalised recommendations