Blockwise-Adaptive Attackers Revisiting the (In)Security of Some Provably Secure Encryption Modes: CBC, GEM, IACBC

  • Antoine Joux
  • Gwenaëlle Martinet
  • Frédéric Valette
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


In this paper, we show that the natural and most common way of implementing modes of operation for cryptographic primitives often leads to insecure implementations. We illustrate this problem by attacking several modes of operation that were proved to be semantically secure against either chosen plaintext or chosen ciphertext attacks.

The problem stems from the simple following fact: in the definition and proofs of semantic security, messages are considered as atomic objects that cannot be split; however, in most practical implementations, messages are subdivided into smaller chunks than can be easily manipulated. Depending on the implementation, each chunk may consist of one or several blocks of the underlying primitive. The key point here is that upon reception of a processed chunk, the attacker can now adapt his choice for the next chunk. Since the possibility of adapting within a single message is not taken into account in the current security models, this leaves room for unexpected attacks.

We illustrate this new paradigm by attacking three symmetric and hybrid encryption schemes based on the chaining mode in spite of their security proofs.


Smart Card Block Cipher Security Proof Message Block Encryption Mode 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare, A. Boldyreva, L. Knudsen, and C. Namprempre. On-Line Ciphers and the Hash-CBC Construction. In J. Kilian, editor, Advances in Cryptology — Crypto’01, volume 2139 of Lecture Notes in Computer Science, pages 292–309. Springer-Verlag, Berlin, 2001.Google Scholar
  2. 2.
    M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A Concrete Security Treatment of Symmetric Encryption. In Proceedings of the 38th Symposium of Fundations of Computer Science. IEEE, 1997.Google Scholar
  3. 3.
    M. Bellare and C. Namprempre. Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. In T. Okamoto, editor, Advances in Cryptology — Asiacrypt’00, volume 1976 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 2000.Google Scholar
  4. 4.
    V.D. Gligor and P. Donescu. Fast Encryption and Authentication: XCBC and XECB Authentication Modes. In Fast Software Encryption, Lecture Notes in Computer Science. Springer-Verlag, Berlin, 2001.Google Scholar
  5. 5.
    J.S Coron, H. Handshuh, M. Joye, P. Paillier, D. Pointcheval, and C. Tymen. Reallife Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages. In D. Naccache, editor, PKC’2002, volume 2274 of Lecture Notes in Computer Science, pages 17–33. Springer-Verlag, Berlin, 2002.Google Scholar
  6. 6.
    A. Desai, A. Hevia, and Y.L Yin. A Practice-Oriented Treatment of Pseudorandom Number Generators. In L. Knudsen, editor, Advances in Cryptology — Eurocrypt 2002, volume 2332 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 2002.CrossRefGoogle Scholar
  7. 7.
    R. Gennaro and P. Rohatgi. How to Sign Digital Streams. In Burt Kaliski, editor, Advances in Cryptology — Crypto’97, volume 1294 of Lecture Notes in Computer Science, pages 180–197. Springer-Verlag, Berlin, 1997.CrossRefGoogle Scholar
  8. 8.
    S. Halevi. An Observation regarding Jutla’s modes of operation. Crytology ePrint archive, Report 2001/015, available at
  9. 9.
    C. Jutla. Encryption modes with almost free message integrity. Cryptology ePrint archive, Report 2000/039, available at
  10. 10.
    C. Jutla. Encryption modes with almost free message integrity. In B. Ptzmann, editor, Advances in Cryptology — Eurocrypt’01, volume 2045 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 2001.Google Scholar
  11. 11.
    J. Katz and M. Yung. Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. In Bruce Schneier, editor, Fast Software Encryption, volume 1978 of Lectures Notes in Computer Science. Springer-Verlag Berlin, 2000.Google Scholar
  12. 12.
    L. Knudsen. Block chaining modes of operation. Technical report, Department of Informatics, University of Bergen, 2000.Google Scholar
  13. 13.
    P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption. In Eighth ACM conference on Computer and Communications Security. ACM Press, 2001.Google Scholar
  14. 14.
    T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen. SSH Transport Layer Protocol, Network Working Group. January 2002. Internet-Draft available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Antoine Joux
    • 1
  • Gwenaëlle Martinet
    • 1
  • Frédéric Valette
    • 1
  1. 1.DCSSI Crypto LabIssy-les-Moulineaux

Personalised recommendations