All-or-nothing encryption and the package transform

  • Ronald L. Rivest
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1267)


We present a new mode of encryption for block ciphers, which we call all-or-nothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of implementing all-or-nothing encryption using a “package transform≓ as a pre-processing step to an ordinary encryption mode. A package transform followed by ordinary codebook encryption also has the interesting property that it is very efficiently implemented in parallel. All-or-nothing encryption can also provide protection against chosen-plaintext and related-message attacks.


  1. 1.
    Ross Anderson and Eli Biham. Two practical and probably secure block ciphers: BEAR and LION. In Dieter Gollman, editor, Fast Software Encryption, pages 114–120. Springer, 1996. (Proceedings Third International Workshop, Feb. 1996, Cambridge, UK).Google Scholar
  2. 2.
    Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption—how to encrypt with RSA. In EUROCRYPT94, 1994.Google Scholar
  3. 3.
    Eli Biham. Cryptanalysis of multiple modes of operation. 1995. Pre-Proceedings of ASIACRYPT ’94. Submitted to J. Cryptology.Google Scholar
  4. 4.
    Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. Minimal key lengths for symmetric ciphers to provide adequate commercial security: A report by an ad hoc group of cryptographers and computer scientists, January 1996. Available at Scholar
  5. 5.
    Don Coppersmith, Matthew Franklin, Jacques Patarin, and Michael Reiter. Low-exponent RSA with related messages. Technical Report IBM RC 20318, IBM T.J. Watson Research Lab, December 27, 1995. (To appear in Eurocrypt ’96).Google Scholar
  6. 6.
    Hugo Krawczyk. Secret sharing made short. In Douglas R. Stinson, editor, Proc. CRYPTO 93, pages 136–146. Spring-Verlag, 1993.Google Scholar
  7. 7.
    Wenbo Mao and Colin Boyd. Classification of cryptographic techniques in authentication protocols. In Proceedings 1994 Workshop on Selected Areas in Cryptography, May 1994. (Kingston, Ontario, Canada).Google Scholar
  8. 8.
    J.-J. Quisquater, Yvo Desmedt, and Marc Davio. The importance of “good≓ key scheduling schemes (how to make a secure DES scheme with ≤ 48 bit keys). In H. C. Williams, editor, Proc. CRYPTO 85, pages 537–542. Springer, 1986. Lecture Notes in Computer Science No. 218.Google Scholar
  9. 9.
    Bruce Schneier. Applied Cryptography (Second Edition). John Wiley & Sons, 1996.Google Scholar
  10. 10.
    C. P. Schnorr and S. Vaudenay. Black box cryptanalysis of hash networks based on multipermutations. In EUROCRYPT94, 1994.Google Scholar

Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  • Ronald L. Rivest
    • 1
  1. 1.MIT Laboratory for Computer ScienceCambridge

Personalised recommendations