Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation

We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit blocksize), it has highly parallelizable encryption and decryption operations.

[1]  Abraham Bookstein,et al.  Cryptography: A new dimension in computer data security ? and ?. Wiley-Interscience, New York (1982). xxi + 775 pp., $43.95. ISBN 0471-04892-5. , 1985 .

[2]  Cees J. A. Jansen,et al.  Modes of Blockcipher Algorithms and their Protection Against Active Eavesdropping , 1987, EUROCRYPT.

[3]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[4]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[5]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[6]  Vincent Rijmen,et al.  Cryptanalysis of the CFB Mode of the DES with a Reduced Number of Rounds , 1993, CRYPTO.

[7]  Mihir Bellare,et al.  Incremental cryptography and application to virus protection , 1995, STOC '95.

[8]  Radia J. Perlman,et al.  Network security - private communication in a public world , 2002, Prentice Hall series in computer networking and distributed systems.

[9]  Michael Luby,et al.  Pseudorandomness and cryptographic applications , 1996, Princeton computer science notes.

[10]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[11]  Mihir Bellare,et al.  A concrete security treatment of symmet-ric encryption: Analysis of the DES modes of operation , 1997, FOCS 1997.

[12]  Bart Preneel,et al.  Cryptographic Primitives for Information Authentication - State of the Art , 1997, State of the Art in Applied Cryptography.

[13]  Moni Naor,et al.  On the construction of pseudo-random permutations: Luby-Rackoff revisited (extended abstract) , 1997, STOC '97.

[14]  Eli Biham,et al.  Cryptanalysis of Multiple Modes of Operation , 1994, Journal of Cryptology.

[15]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[16]  Markus Jakobsson,et al.  Scramble All, Encrypt Small , 1999, FSE.

[17]  Mihir Bellare,et al.  On the Construction of Variable-Input-Length Ciphers , 1999, FSE.

[18]  Jonathan Katz,et al.  Complete characterization of security notions for probabilistic private-key encryption , 2000, STOC '00.

[19]  Jonathan Katz,et al.  A Chosen Ciphertext Attack Against Several E-Mail Encryption Protocols , 2000, USENIX Security Symposium.

[20]  Eli Biham,et al.  Cryptanalysis of the ANSI X9.52 CBCM mode , 2001, Journal of Cryptology.