Nonce-Based Symmetric Encryption

  • Phillip Rogaway
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3017)


Symmetric encryption schemes are usually formalized so as to make the encryption operation a probabilistic or state-dependent function ε of the message M and the key K: the user supplies M and K and the encryption process does the rest, flipping coins or modifying internal state in order to produce a ciphertext C. Here we investigate an alternative syntax for an encryption scheme, where the encryption process ε is a deterministic function that surfaces an initialization vector (IV). The user supplies a message M, key K, and initialization vector N, getting back the (one and only) associated ciphertext \(C=\cal E_K^N(M)\). We concentrate on the case where the IV is guaranteed to be a nonce—something that takes on a new value with every message one encrypts. We explore definitions, constructions, and properties for nonce-based encryption. Symmetric encryption with a surfaced IV more directly captures real-word constructions like CBC mode, and encryption schemes constructed to be secure under nonce-based security notions may be less prone to misuse.


Initialization vector modes of operation nonces provable security symmetric encryption 


  1. 1.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997). IEEE, Los Alamitos (1997)Google Scholar
  2. 2.
    Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 531. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 317. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: The threekey constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 197–215. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Computing 30(2), 391–437 (2000)MATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Iwata, T., Kurosawa, K.: One-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003) (to appear)CrossRefGoogle Scholar
  9. 9.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001), pp. 196–205. ACM Press, New York (2001)CrossRefGoogle Scholar
  10. 10.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), pp. 98–107. ACM Press, New York (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Phillip Rogaway
    • 1
    • 2
  1. 1.Dept. of Computer ScienceUniversity of CaliforniaDavisUSA
  2. 2.Dept.of Computer Science, Faculty of ScienceChiang Mai UniversityChiang MaiThailand

Personalised recommendations