The Security of Ciphertext Stealing

  • Phillip Rogaway
  • Mark Wooding
  • Haibin Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7549)


We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosen-plaintext attacks, indistinguishability from random bits (ind$-security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$-security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwise-adaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas’s well-known book (1982) is not secure.


Keywords: blockwise-adaptive attacks, CBC, ciphertext stealing, cryptographic standards, modes of operation, provable security
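As an added illustration, not code from the paper, here are the three NIST ciphertext-stealing variants for CBC (CS1, CS2, CS3 from the SP 800-38A addendum the abstract refers to) with their decryption, showing how the stolen tail of C_{n-1} is recovered from the last full block. The block cipher is a stand-in four-round Feistel permutation built from SHA-256 rather than AES, an assumption of this example chosen so it runs offline; the paper's results assume only that the underlying blockcipher is a good PRP.

```python
import hashlib
BLOCK = 16  # block length b in bytes; d below is the byte length of the final partial block

def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Stand-in PRP for the demo (4-round Feistel over SHA-256), NOT AES; the paper's
    # results assume only that the underlying blockcipher is a good PRP.
    h = BLOCK // 2
    l, r = block[:h], block[h:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:h])
    return r + l
def enc_block(key, x): return _feistel(key, x, range(4))
def dec_block(key, y): return _feistel(key, y, range(3, -1, -1))

def _swapped(variant: int, d: int) -> bool:
    # CS1 emits C*_{n-1} || C_n; CS2 swaps the pair only if P_n is partial; CS3 always swaps.
    return variant == 3 or (variant == 2 and d < BLOCK)

def cbc_cs_encrypt(key: bytes, iv: bytes, pt: bytes, variant: int) -> bytes:
    assert len(pt) > BLOCK, "demo covers n >= 2 blocks, the last possibly partial"
    n = -(-len(pt) // BLOCK)
    d = len(pt) - (n - 1) * BLOCK                      # 1 <= d <= BLOCK
    blocks = [pt[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    blocks[-1] += bytes(BLOCK - d)                     # zero-fill P_n for the CBC chain
    prev, cs = iv, []
    for p in blocks:
        prev = enc_block(key, _xor(prev, p))
        cs.append(prev)
    c_pen, c_last = cs[-2][:d], cs[-1]                 # steal: keep only d bytes of C_{n-1}
    if _swapped(variant, d):
        c_pen, c_last = c_last, c_pen
    return b"".join(cs[:-2]) + c_pen + c_last

def cbc_cs_decrypt(key: bytes, iv: bytes, ct: bytes, variant: int) -> bytes:
    n = -(-len(ct) // BLOCK)
    d = len(ct) - (n - 1) * BLOCK
    tail = ct[(n - 2) * BLOCK:]
    if _swapped(variant, d):
        c_last, c_pen = tail[:BLOCK], tail[BLOCK:]
    else:
        c_pen, c_last = tail[:d], tail[d:]
    z = dec_block(key, c_last)                         # Z = C_{n-1} xor (P*_n || 0^{b-d})
    c_prev = c_pen + z[d:]                             # the stolen tail of C_{n-1} sits in Z
    p_last = _xor(z[:d], c_pen)
    chain = [ct[i * BLOCK:(i + 1) * BLOCK] for i in range(n - 2)] + [c_prev]
    ps = [_xor(dec_block(key, c), p) for p, c in zip([iv] + chain, chain)]
    return b"".join(ps) + p_last
```

The ciphertext is exactly as long as the plaintext for every variant, and CS1 and CS2 coincide whenever the last block is full, which is what makes CS2 backward-compatible with plain CBC on block-aligned input.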


References

  1. Ball, M.: Follow-up to NIST's consideration of XTS-AES as standardized by IEEE Std 1619-2007. Public comments to NIST (2008)
  2. Bard, G.V.: Blockwise-Adaptive Chosen-Plaintext Attack and Online Modes of Encryption. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 129–151. Springer, Heidelberg (2007)
  3. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. In: FOCS 1997, pp. 394–403. IEEE Press (1997)
  4. Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC) 7(2), 206–241 (2004); earlier version from CCS 2002
  5. Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
  6. Boldyreva, A., Taesombut, N.: Online encryption schemes: New security notions and constructions. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 1–14. Springer, Heidelberg (2004)
  7. Dworkin, M.: Recommendation for block cipher modes of operation: methods and techniques. NIST Special Publication 800-38A, 2001 Edition (December 2001)
  8. Dworkin, M.: Recommendation for block cipher modes of operation: three variants of ciphertext stealing for CBC mode. Addendum to NIST Special Publication 800-38A (October 2010)
  9. Fouque, P., Joux, A., Martinet, G., Valette, F.: Authenticated On-line Encryption. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 145–159. Springer, Heidelberg (2004)
  10. Fouque, P., Joux, A., Poupard, G.: Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 212–226. Springer, Heidelberg (2004)
  11. Fouque, P., Martinet, G., Poupard, G.: Practical Symmetric On-Line Encryption. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 362–375. Springer, Heidelberg (2003)
  12. Gennaro, R., Rohatgi, P.: How to Sign Digital Streams. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 180–197. Springer, Heidelberg (1997)
  13. Joux, A., Martinet, G., Valette, F.: Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Modes: CBC, GEM, IACBC. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 17–30. Springer, Heidelberg (2002)
  14. Meyer, C., Matyas, M.: Cryptography: a new dimension in data security. John Wiley & Sons, New York (1982)
  15. NIST: Proposal to extend CBC mode by "ciphertext stealing". Anonymous draft (May 6, 2007), available from NIST's website
  16. Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security 6(3), 365–403 (2003); earlier version, with Krovetz, T.: ACM CCS 2001
  17. Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edn. Wiley, New York (1996)
  18. Shoup, V.: Sequences of games: a tool for taming complexity. ePrint archive 2004/332, revised (2006)
  19. Vaudenay, S.: Security Flaws Induced by CBC Padding – Applications to SSL, IPSEC, WTLS... In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Phillip Rogaway (1)
  • Mark Wooding (2)
  • Haibin Zhang (1)
  1. Dept. of Computer Science, University of California, Davis, USA
  2. Thales e-Security Ltd, UK
