The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search
We investigate the all-or-nothing encryption paradigm, which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple block-cipher-based AONT and prove it secure in the Shannon model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above key-search resistance property.
Keywords: Encryption Scheme; Block Length; Random Oracle; Message Block; Encryption Mode
- 1. W. Aiello, M. Bellare, G. Di Crescenzo and R. Venkatesan, "Security amplification by composition: The case of doubly-iterated, ideal ciphers," Advances in Cryptology - Crypto '98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.
- 2. M. Bellare, A. Desai, E. Jokipii and P. Rogaway, "A concrete security treatment of symmetric encryption," Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.
- 3. M. Bellare, J. Kilian and P. Rogaway, "The security of cipher block chaining," Advances in Cryptology - Crypto '94, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.
- 4. M. Bellare and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm," Report 2000/025, Cryptology ePrint Archive, http://eprint.iacr.org/, May 2000.
- 5. M. Bellare and P. Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols," Proceedings of the 1st Annual Conference on Computer and Communications Security, ACM, 1993.
- 6. M. Bellare and P. Rogaway, "Optimal asymmetric encryption," Advances in Cryptology - Eurocrypt '94, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag, 1994.
- 8. M. Bellare and P. Rogaway, "Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography," Manuscript, December 1998, available from authors.
- 9. D. Bleichenbacher and A. Desai, "A construction of super-pseudorandom cipher," Manuscript, May 1999, available from authors.
- 10. V. Boyko, "On the security properties of OAEP as an all-or-nothing transform," Advances in Cryptology - Crypto '99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.
- 11. A. Desai, "The security of all-or-nothing encryption," Full version of this paper, available via: http://www-cse.ucsd.edu/users/adesai/.
- 12. R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz and A. Sahai, "Exposure-Resilient Cryptography: Constructions for the All-Or-Nothing Transform without Random Oracles," Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science Vol. 1807, B. Preneel ed., Springer-Verlag, 2000.
- 13. S. Goldwasser and S. Micali, "Probabilistic encryption," J. of Computer and System Sciences, Vol. 28, April 1984, pp. 270-299.
- 15. D. Johnson, S. Matyas and M. Peyravian, "Encryption of long blocks using a short-block encryption procedure," Submission to IEEE P1363a, available via: http://grouper.ieee.org/groups/1363/contributions/peyrav.ps, Nov. 1996.
- 16. J. Katz and M. Yung, "Unforgeable Encryption and Adaptively Secure Modes of Operation," Fast Software Encryption 2000, Lecture Notes in Computer Science Vol. ??, B. Schneier ed., Springer-Verlag, 2000.
- 18. National Bureau of Standards, NBS FIPS PUB 81, "DES modes of operation," U.S. Department of Commerce, 1980.
- 19. J.-J. Quisquater, Y. Desmedt and M. Davio, "The importance of 'good' key scheduling schemes (how to make a secure DES scheme with ≤ 48 bit keys)," Advances in Cryptology - Crypto '85, Lecture Notes in Computer Science Vol. 218, H. Williams ed., Springer-Verlag, 1985.
- 22. D. Stinson, "Something about all-or-nothing (transforms)," Manuscript, available from: http://www.cacr.math.uwaterloo.ca/dstinson/, June 1999.