The Security of Ciphertext Stealing

  • Phillip Rogaway
  • Mark Wooding
  • Haibin Zhang
Conference paper

DOI: 10.1007/978-3-642-34047-5_11

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7549)
Cite this paper as:
Rogaway P., Wooding M., Zhang H. (2012) The Security of Ciphertext Stealing. In: Canteaut A. (eds) Fast Software Encryption. Lecture Notes in Computer Science, vol 7549. Springer, Berlin, Heidelberg

Abstract

We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosen-plaintext attacks, indistinguishability from random bits (ind$-security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$-security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwise-adaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas’s well-known book (1982) is not secure.
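The construction the abstract refers to, as an added example that is not the paper's own code: the three NIST CBC ciphertext-stealing variants (CBC-CS1, CS2 and CS3 from the SP 800-38A Addendum) written over an abstract blockcipher, so the padding-free output and the final-block swap that distinguishes the variants can be inspected. The `toy_enc`/`toy_dec` permutation is a constructed stand-in for a real PRP such as AES and provides no security; all names here are the example's own assumptions.

```python
from typing import Callable
B = 16  # block size in bytes (AES-sized)
BlockFn = Callable[[bytes, bytes], bytes]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_enc(k: bytes, x: bytes) -> bytes:
    # CONSTRUCTED toy permutation (XOR with key, rotate bytes left by 3); not a PRP.
    y = xor(x, k)
    return y[3:] + y[:3]

def toy_dec(k: bytes, y: bytes) -> bytes:
    return xor(y[-3:] + y[:-3], k)

def cbc_cs_encrypt(variant: int, E: BlockFn, k: bytes, iv: bytes, p: bytes) -> bytes:
    # Plaintext must be at least one block; ciphertext has exactly the plaintext's length.
    assert variant in (1, 2, 3) and len(p) >= B
    d = len(p) % B or B                     # length of the final block P_n* (1..B)
    padded = p + bytes(B - d)               # P_n = P_n* || 0^(B-d)
    blocks, prev = [], iv
    for i in range(0, len(padded), B):      # ordinary CBC over the zero-filled input
        prev = E(k, xor(padded[i:i + B], prev))
        blocks.append(prev)
    if len(blocks) == 1:
        return blocks[0]                    # a single full block: nothing to steal
    head, c_prev, c_last = b"".join(blocks[:-2]), blocks[-2], blocks[-1]
    stolen = c_prev[:d]                     # C_{n-1}*: only its first d bytes are sent
    if variant == 3 or (variant == 2 and d != B):
        return head + c_last + stolen       # CS2/CS3 swap the last two pieces
    return head + stolen + c_last           # CS1 keeps CBC order

def cbc_cs_decrypt(variant: int, D: BlockFn, k: bytes, iv: bytes, c: bytes) -> bytes:
    assert variant in (1, 2, 3) and len(c) >= B
    d = len(c) % B or B
    n = -(-len(c) // B)                     # number of blocks, counting the partial one
    if n == 1:
        return xor(D(k, c), iv)
    head, tail = c[:(n - 2) * B], c[(n - 2) * B:]
    if variant == 3 or (variant == 2 and d != B):
        c_last, stolen = tail[:B], tail[B:]
    else:
        stolen, c_last = tail[:d], tail[d:]
    x = D(k, c_last)                        # = (P_n* || 0^(B-d)) XOR C_{n-1}
    c_prev = stolen + x[d:]                 # the zero-filled tail reveals the unsent C_{n-1} bytes
    out, prev = [], iv
    for blk in [head[i:i + B] for i in range(0, len(head), B)] + [c_prev]:
        out.append(xor(D(k, blk), prev))
        prev = blk
    return b"".join(out) + xor(x[:d], stolen)   # P_n* = first d bytes of x XOR C_{n-1}*
```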

Keywords

blockwise-adaptive attacks, CBC, ciphertext stealing, cryptographic standards, modes of operation, provable security

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Phillip Rogaway (1)
  • Mark Wooding (2)
  • Haibin Zhang (1)
  1. Dept. of Computer Science, University of California, Davis, USA
  2. Thales e-Security Ltd, UK