Nonce-Based Symmetric Encryption
Symmetric encryption schemes are usually formalized so as to make the encryption operation a probabilistic or state-dependent function ε of the message M and the key K: the user supplies M and K and the encryption process does the rest, flipping coins or modifying internal state in order to produce a ciphertext C. Here we investigate an alternative syntax for an encryption scheme, where the encryption process ε is a deterministic function that surfaces an initialization vector (IV). The user supplies a message M, key K, and initialization vector N, getting back the (one and only) associated ciphertext \(C=\cal E_K^N(M)\). We concentrate on the case where the IV is guaranteed to be a nonce—something that takes on a new value with every message one encrypts. We explore definitions, constructions, and properties for nonce-based encryption. Symmetric encryption with a surfaced IV more directly captures real-word constructions like CBC mode, and encryption schemes constructed to be secure under nonce-based security notions may be less prone to misuse.
KeywordsInitialization vector modes of operation nonces provable security symmetric encryption
- 1.Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997). IEEE, Los Alamitos (1997)Google Scholar