In this paper, we show that the natural and most common way of implementing modes of operation for cryptographic primitives often leads to insecure implementations. We illustrate this problem by attacking several modes of operation that were proved to be semantically secure against either chosen plaintext or chosen ciphertext attacks. The problem stems from the following simple fact: in the definition and proofs of semantic security, messages are considered as atomic objects that cannot be split; however, in most practical implementations, messages are subdivided into smaller chunks that can be easily manipulated. Depending on the implementation, each chunk may consist of one or several blocks of the underlying primitive. The key point here is that upon reception of a processed chunk, the attacker can now adapt his choice for the next chunk. Since the possibility of adapting within a single message is not taken into account in the current security models, this leaves room for unexpected attacks. We illustrate this new paradigm by attacking three symmetric and hybrid encryption schemes based on the chaining mode in spite of their security proofs.
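As an added illustration of the blockwise paradigm described above (example code written for this page, not taken from the paper), the following Python models a left-or-right CBC encryption oracle that releases each ciphertext block as soon as the corresponding plaintext block arrives, and a distinguisher that uses one released block to choose the next plaintext block. The HMAC-SHA256 stand-in for the block cipher and all class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

BLOCK = 16


def block_cipher(key: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher E_K (assumption: HMAC-SHA256 truncated to
    one block; only determinism and the forward direction are needed here)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class BlockwiseCBCOracle:
    """Left-or-right CBC oracle in the blockwise model: it processes one block
    at a time and hands back each ciphertext block immediately, as a streaming
    implementation would. The world bit b is hidden from the caller."""

    def __init__(self, b: int):
        self.b = b
        self.key = os.urandom(BLOCK)
        self.iv = os.urandom(BLOCK)  # transmitted with the ciphertext, so public
        self.prev = self.iv

    def query(self, m_left: bytes, m_right: bytes) -> bytes:
        m = m_right if self.b else m_left
        c = block_cipher(self.key, xor(self.prev, m))  # CBC: C_i = E_K(C_{i-1} xor M_i)
        self.prev = c
        return c


def blockwise_distinguisher(oracle: BlockwiseCBCOracle) -> int:
    """Recover the world bit b with two adaptive single-block queries."""
    a = b"A" * BLOCK
    c1 = oracle.query(a, a)  # identical in both worlds: C_1 = E_K(IV xor A)
    # Left block is chosen so that C_1 xor M_2 equals the earlier cipher input
    # IV xor A; the right block is fresh, so its input collides only by accident.
    m_left = xor(xor(c1, oracle.iv), a)
    m_right = os.urandom(BLOCK)
    c2 = oracle.query(m_left, m_right)
    return 0 if c2 == c1 else 1  # left world repeats the input, hence C_2 = C_1
```

In the atomic model the same strategy is unavailable, because C_1 depends on the random IV and is unknown when M_2 must be chosen; an implementation that withholds ciphertext until the whole message is processed, or a mode designed for online security, closes this gap.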