The security of ciphertext stealing

Authors:
Phillip Rogaway;Mark Wooding;Haibin Zhang
Affiliations:
Dept. of Computer Science, University of California, Davis;Thales e-Security Ltd, UK;Dept. of Computer Science, University of California, Davis
Venue:
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Year:
2012

Citing 12
Cited 0

Applied cryptography (2nd ed.): protocols, algorithms, and source code in C

Applied cryptography (2nd ed.): protocols, algorithms, and source code in C
Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models: CBC, GEM, IACBC

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
How to Sign Digital Streams

CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS ...

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
A Concrete Security Treatment of Symmetric Encryption

FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
OCB: A block-cipher mode of operation for efficient authenticated encryption

ACM Transactions on Information and System Security (TISSEC)
Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm

ACM Transactions on Information and System Security (TISSEC)
Blockwise-adaptive chosen-plaintext attack and online modes of encryption

Cryptography and Coding'07 Proceedings of the 11th IMA international conference on Cryptography and coding
Blockwise adversarial model for on-line ciphers and symmetric encryption schemes

SAC'04 Proceedings of the 11th international conference on Selected Areas in Cryptography
The security of triple encryption and a framework for code-based game-playing proofs

EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
SP 800-38A 2001 edition. Recommendation for Block Cipher Modes of Operation: Methods and Techniques

SP 800-38A 2001 edition. Recommendation for Block Cipher Modes of Operation: Methods and Techniques
SP 800-38A Addendum. Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode

SP 800-38A Addendum. Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode

Quantified Score

Hi-index	0.00

Visualization

Abstract

We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosen-plaintext attacks, indistinguishability from random bits (ind$-security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$-security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwise-adaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas's well-known book (1982) is not secure.