## On-Line Ciphers and the Hash-CBC constructions (2001)

Venue: Advances in Cryptology - CRYPTO 2001, Lecture Notes in Computer Science 2139, pp. 292-309, Springer-Verlag

Citations: 16 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare01on-lineciphers,
  author    = {M. Bellare and A. Boldyreva and L. Knudsen and C. Namprempre},
  title     = {On-Line Ciphers and the Hash-CBC constructions},
  booktitle = {Advances in Cryptology - CRYPTO 2001. Lecture Notes in Computer Science},
  year      = {2001},
  pages     = {292--309},
  publisher = {Springer-Verlag}
}
```


### Abstract

We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the i-th block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.

### Citations

662 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986

Citation Context: ...(F). Pseudorandomness of ciphers. A “secure” cipher is one that approximates a family of random permutations; the “better” the approximation, the more secure the cipher. This is formalized following [6,9]. A distinguisher is an algorithm that has access to one or more oracles and outputs a bit. Let F: Keys(F) × {0,1}^n → {0,1}^n be a family of functions with domain and range {0,1}^n. Let A1 be a d...

371 | A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation
- Bellare, Desai, et al.
- 1997

Citation Context: ...ons of privacy and integrity for symmetric encryption. Definitions. Let SE = (K, E, D) be a symmetric encryption scheme, defined as usual via its key-generation, encryption, and decryption algorithms [4]. We use the IND-CPA notion of privacy, (footnote 1: The preliminary version of this paper proposed only this encoding construction, which, as we discuss below, is useful only for messages of equal length.) ...

300 | How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff

Citation Context: ... our results. 1.2 A notion of security for on-line ciphers. A commonly accepted notion of security to target for a cipher is that it be a pseudorandom permutation (PRP), as defined by Luby and Rackoff [17]. Namely, for a cipher F to be a PRP, it should be computationally infeasible, given an oracle g, to have non-negligible advantage in distinguishing between the case where g is a random instance of F ...

238 | Authenticated encryption: relations among notions and analysis of the generic composition paradigm
- Bellare, Namprempre
- 2000

Citation Context: ...Let M[2], ..., M[l] be any n-bit strings. Let M1 = 0^n M[2] ... M[l] and let M2 = 1^n M[2] ... M[l]. Let C1[1] ... C1[l] ← g(M1) and let C2[1] ... C2[l] ← g(M2). Let M3[2] = M[2] ⊕ C1[1] ⊕ C2[1] and let M3 = 1^n M3[2] M[3] ... M[l]. Let C3[1] ... C3[l] ← g(M3). If C3[2] = C1[2] then return 1 else return 0. Fig. 1. Attack on the CBC based on-line cipher. ABC as an on-line cipher. Knudsen in [7] proposes the Accumulated Block...
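The Fig. 1 attack quoted in the context above, worked as runnable code. This is an added example, not code from the paper or its authors. Assumptions made for the demo: a 16-bit block size, the block cipher E_K (and the hash H used by HCBC1) modelled as random permutation tables under fixed seeds, and the HCBC1 equation C[i] = E_K(M[i] ⊕ H_K'(C[i-1])) with C[0] = 0^n, which is recalled from Section 6 of the paper rather than quoted on this page and should be checked against it. The distinguisher is run against three oracles: CBC with fixed IV (it outputs 1 every time), an ideal random on-line permutation sampled lazily, and HCBC1 (it outputs 1 only with probability about 2^-n in both cases).

```python
"""Added example (not the paper's code): the Fig. 1 distinguisher against CBC
with a fixed IV, run as an on-line-cipher oracle.  Block size n = 16 bits so
that E_K can be an actual random permutation table; the attack is generic in n.
"""
import random

N_BITS = 16                 # toy block size n (assumption for this demo)
MASK = (1 << N_BITS) - 1
ZERO, ONES = 0, MASK        # the blocks 0^n and 1^n


def make_prp(seed):
    """Toy block cipher E_K: a uniformly random permutation on n-bit blocks,
    i.e. the ideal object a PRP approximates, so a weak E is not what the
    attack exploits."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table.__getitem__


def cbc_fixed_iv(E, iv):
    """CBC as an on-line cipher: C[i] = E(M[i] xor C[i-1]) with C[0] = iv fixed."""
    def g(M):
        C, prev = [], iv
        for m in M:
            prev = E(m ^ prev)
            C.append(prev)
        return C
    return g


def hcbc1(E, H):
    """HCBC1 as recalled from Section 6 of the paper (assumption, verify there):
    C[i] = E(M[i] xor H(C[i-1])), C[0] = 0^n, H a computational AXU family.
    H is modelled as a second independent random permutation, the
    block-cipher instantiation the paper mentions."""
    def g(M):
        C, prev = [], ZERO
        for m in M:
            prev = E(m ^ H(prev))
            C.append(prev)
        return C
    return g


class RandomOnlinePermutation:
    """Ideal on-line permutation: for each prefix M[1..i-1] an independent
    random permutation of the i-th block, sampled lazily without replacement."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.fwd = {}   # prefix tuple -> {input block: output block}

    def __call__(self, M):
        C, prefix = [], ()
        for m in M:
            table = self.fwd.setdefault(prefix, {})
            if m not in table:
                used = set(table.values())
                c = self.rng.getrandbits(N_BITS)
                while c in used:
                    c = self.rng.getrandbits(N_BITS)
                table[m] = c
            C.append(table[m])
            prefix += (m,)
        return C


def fig1_distinguisher(g, tail):
    """The Fig. 1 adversary.  tail = M[2..l]; returns 1 if g looks like CBC.
    Query 3 sets M3[2] = M[2] xor C1[1] xor C2[1]: under CBC the chaining
    value C2[1] cancels and E sees the same input block as in query 1."""
    if not tail:
        raise ValueError("need at least one block after M[1]")
    M1, M2 = [ZERO] + tail, [ONES] + tail
    C1, C2 = g(M1), g(M2)
    M3 = [ONES, tail[0] ^ C1[0] ^ C2[0]] + tail[1:]
    C3 = g(M3)
    return 1 if C3[1] == C1[1] else 0


def advantage(make_oracle, trials=16, seed=1):
    """Fraction of freshly keyed oracles / random tails on which D outputs 1."""
    rng = random.Random(seed)
    hits = 0
    for t in range(trials):
        g = make_oracle(t)
        tail = [rng.getrandbits(N_BITS) for _ in range(3)]   # constructed M[2..4]
        hits += fig1_distinguisher(g, tail)
    return hits / trials


def run_experiment():
    """Returns the distinguisher's hit rate against each oracle."""
    return {
        "cbc_fixed_iv": advantage(lambda t: cbc_fixed_iv(make_prp(100 + t), 0x1234)),
        "random_online_perm": advantage(lambda t: RandomOnlinePermutation(200 + t)),
        "hcbc1": advantage(lambda t: hcbc1(make_prp(300 + t), make_prp(400 + t))),
    }


if __name__ == "__main__":
    for name, adv in run_experiment().items():
        print(f"{name:20s} Pr[D outputs 1] = {adv:.3f}")
```

The CBC line reports a hit rate of 1.0; the other two sit at 0 up to the 2^-16 collision chance per trial. The point the attack makes is that in CBC the chaining value C[i-1] enters E's input in the clear, so an adversary who has seen two first-block ciphertexts knows exactly what to XOR into the second block to cancel it; HCBC1 passes C[i-1] through a keyed AXU hash first, so the adversary cannot predict the correction.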

208 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.

Citation Context: ...s. These constructs are all unconditionally secure. On the other hand, by Proposition 5.4, any PRF suffices. In particular, if m = n, a block cipher suffices, and if m = 2n, a 2-fold CBC MAC suffices [5]. These constructs are conditionally secure, the condition being that the block cipher is a PRP. 6 The HCBC1 cipher. In this section, we provide a construction of an on-line cipher that we call HCBC1. ...

134 | LFSR-based Hashing and Authentication
- Krawczyk

Citation Context: ...secure. 5 (Computational) AXU families. Our constructions utilize a block cipher and an auxiliary family H that meets a computational relaxation of the notion of AXU (Almost XOR Universal) of Krawczyk [16]. To detail this, let us begin by recalling the measure of [16]: Definition 5.1 Let m, n, hk ≥ 1 be integers, and let H: {0,1}^hk × {0,1}^m → Dn be a family of functions. Let Adv^axu_H = max Pr_K [ x1...

115 | The security of triple encryption and a framework for code-based game-playing proofs
- Bellare, Rogaway
- 2006

Citation Context: ...ry version was only secure for fixed-length data.) The proofs in the current version of our paper, as opposed to the ones from (the full version of) our Crypto 2001 paper, use code-based game playing [8]. This simplifies the proofs and also bypasses various conditional probability claims made in the prior analyses. (Some of these claims were pointed out by Nandi [19] to be false. However, the problem...

75 | A tweakable enciphering mode
- Halevi, Rogaway
- 2003

Citation Context: ...they cannot be, since they achieve the stronger security notion of a PRP. Our construction, however, follows that of [20] in using hash functions in combination with block ciphers. Similarly, the CMC [13] and EME [14] enciphering modes are PRPs and not on-line. These constructs all incur latency that grows with the length of the message: the first bit of the output ciphertext is not produced until the...

74 | On fast and provably secure message authentication based on universal hashing
- Shoup
- 1996

Citation Context: ...ipher that we discussed above, assuming that the underlying block cipher E is a PRP and that H is computationally AXU (Almost XOR Universal). The family H can be instantiated either via an AXU family [16, 22, 21] or a block cipher, with the latter again assumed to be a PRP. With the latter, we obtain a purely block-cipher based instantiation of HCBC1 that uses two block-cipher operations per block and has a k...

67 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient encryption
- Bellare, Rogaway
- 2000

Citation Context: ...occurs when one is dealing with fixed packet formats, legacy code, or disk-sector encryption. However, an on-line cipher is more generally useful, via the “encode-then-encipher” paradigm discussed in [7]. This paradigm was presented for ciphers that are PRPs, and says that enciphering provides semantic security if the message space has enough entropy, and provides integrity if the message space conta...

55 | On the cryptographic applications of random functions
- Goldreich, Goldwasser, et al.

Citation Context: ...m(F). Pseudorandomness of ciphers. A “secure” cipher is one that approximates a family of random permutations; the “better” the approximation, the more secure the cipher. This is formalized following [12, 17]. Let F: Keys(F) × Dn → Dn be a family of functions with domain and range Dn. Let A1 be an adversary (algorithm) that has access to one oracle and outputs a bit. Let ... = Pr[ g ←$ F : A1^g = 1 ] − Pr[ g ←$ ...

52 | Cryptography: a New Dimension in Computer Data Security; a Guide for the Design and Implementation
- Matyas, Meyer
- 1982

Citation Context: ...(A common choice, which we make, is to set the domain to D_{d,n}, the set of all strings having a length that is at most nd for some large number d.) Matyas and Meyer refer to these as “general” ciphers [18]. In this paper, we are interested in general ciphers that are computable in an on-line manner. Specifically, cipher F is said to be on-line if the following is true. View the input plaintext M = M[1]...

48 | A parallelizable enciphering mode
- Halevi, Rogaway
- 2004

Citation Context: ...e, since they achieve the stronger security notion of a PRP. Our construction, however, follows that of [20] in using hash functions in combination with block ciphers. Similarly, the CMC [13] and EME [14] enciphering modes are PRPs and not on-line. These constructs all incur latency that grows with the length of the message: the first bit of the output ciphertext is not produced until the entire messa...

30 | Software performance of universal hash functions
- Nevelsteen, Preneel
- 1999

Citation Context: ...ipher that we discussed above, assuming that the underlying block cipher E is a PRP and that H is computationally AXU (Almost XOR Universal). The family H can be instantiated either via an AXU family [16, 22, 21] or a block cipher, with the latter again assumed to be a PRP. With the latter, we obtain a purely block-cipher based instantiation of HCBC1 that uses two block-cipher operations per block and has a k...

13 | A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL
- Bard
- 2006

Citation Context: ...D_{d,n} → Dn meeting the conditions of Definition 3.1. Let Mx = M′ ∥ x and My = M′ ∥ y. Applying f to Mx, we get f(Mx) = f^(1)(Mx) ∥ f^(2)(Mx) ∥ ··· ∥ f^(i−1)(Mx) ∥ f^(i)(Mx) = X(M[1]) ∥ X(M[1]M[2]) ∥ ··· ∥ X(M[1] ... M[i−1]) ∥ X(Mx). Similarly, f(My) = X(M[1]) ∥ X(M[1]M[2]) ∥ ··· ∥ X(M[1] ... M[i−1]) ∥ X(My). By assumption x ≠ y, which implies Mx ≠ My. But f is a permutation, so it must be that f(Mx) ≠ ...

10 | Design and Specification of Cryptographic Capabilities
- Campbell
- 1978

Citation Context: ...are provided in Section 4. We then consider the Accumulated Block Chaining (ABC) mode proposed by Knudsen in [15], which is a generalization of the Infinite Garble Extension mode proposed by Campbell [10]. It was designed to have “infinite error propagation,” a property that intuitively seems necessary for a secure on-line cipher but which, as we will see, is not sufficient. In Section 4, we present a...

7 | Block chaining modes of operation
- Knudsen
- 2000

Citation Context: ... can be easily distinguished from a random on-line permutation. Attacks demonstrating this are provided in Section 4. We then consider the Accumulated Block Chaining (ABC) mode proposed by Knudsen in [15], which is a generalization of the Infinite Garble Extension mode proposed by Campbell [10]. It was designed to have “infinite error propagation,” a property that intuitively seems necessary for a sec...

6 | On-line Ciphers and the Hash-CBC Constructions
- Bellare, Boldyreva, et al.

Citation Context: ...t M1 = 0^n M[2] ... M[l] and let M2 = 1^n M[2] ... M[l]. Let C1[1] ... C1[l] ← g(M1) and let C2[1] ... C2[l] ← g(M2). Let M3[2] = M[2] ⊕ C1[1] ⊕ C2[1] ⊕ h(0^n ⊕ h(P[0])) ⊕ h(1^n ⊕ h(P[0])). Let M3 = 1^n M3[2] M[3] ... M[l]. Let C3[1] ... C3[l] ← g(M3). If C3[2] = C1[2] ⊕ 1^n, then return 1 else return 0. Figure 4: Attack on the ABC based on-line cipher. We now define two versions of the ABC cipher. The first uses pu...

6 | Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes
- Fouque, Joux, et al.
- 2004

Citation Context: ...ng and very large size, not merely twice the block size. Following the appearance of the preliminary version of our work [3], there has been further research on on-line ciphers and encryption schemes [11, 9, 2]. Our HCBC2 cipher was used by [1] to achieve efficiently searchable symmetric encryption. 1.8 Versions of this paper. A preliminary version of this paper appeared in Crypto 2001 [3]. The current versi...

5 | A Simple and Unified Method of Proving Indistinguishability
- Nandi
- 2006

Citation Context: ...paper, use code-based game playing [8]. This simplifies the proofs and also bypasses various conditional probability claims made in the prior analyses. (Some of these claims were pointed out by Nandi [19] to be false. However, the problems are minor, and as shown by our current proofs, easily resolved. Nandi [19] also provides his own proofs of security for HCBC1 and HCBC2.) 2 Definitions. Notation. A ...

5 | On the construction of pseudo-random permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1999

Citation Context: ...n-ciphertext attack. For a PRP this means that the adversary has an oracle not just for the challenge permutation, but also for its inverse. (An object secure in this sense was called a strong PRP in [11] and a super-PRP in [9].) This notion is easily adapted to yield a notion of on-line PRPs secure against chosen-ciphertext attack. We provide an attack showing that HCBC is not secure against chosen-ci...

3 | Online encryption schemes: New security notions and constructions
- Boldyreva, Taesombut
- 2004

Citation Context: ...ng and very large size, not merely twice the block size. Following the appearance of the preliminary version of our work [3], there has been further research on on-line ciphers and encryption schemes [11, 9, 2]. Our HCBC2 cipher was used by [1] to achieve efficiently searchable symmetric encryption. 1.8 Versions of this paper. A preliminary version of this paper appeared in Crypto 2001 [3]. The current versi...

3 | A new direction in Computer Data Security
- Meyer, Matyas
- 1982

Citation Context: ...ich we make, is to set the domain to D_{d,n}, the set of all strings having a length that is at most some large value d, and is also divisible by n.) Matyas and Meyer refer to these as “general” ciphers [10]. [Running header: J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 292–309, 2001. © Springer-Verlag Berlin Heidelberg 2001. On-line Ciphers and the Hash-CBC Construction, p. 293.] In this paper, we are interested in general cip...

2 | New security models and provably-secure schemes for basic query support in outsourced databases
- Amanatidis, Boldyreva, et al.
- 2007

Citation Context: ...18]. In this paper, we are interested in general ciphers that are computable in an on-line manner. Specifically, cipher F is said to be on-line if the following is true. View the input plaintext M = M[1] ... M[l] to an instance F(K, ·) of the cipher as a sequence of n-bit blocks, and similarly for the output ciphertext F(K, M) = C[1] ... C[l]. Then, given the key K, for all i, it should be possible to co...

1 | On-line ciphers and the Hash-CBC construction. Full version of this paper, available via http://www-cse .ucsd.edu/users/mihir
- Bellare, Boldyreva, et al.

Citation Context: ... 293 In this paper, we are interested in general ciphers that are computable in an on-line manner. Specifically, cipher F is said to be on-line if the following is true. View the input plaintext M = M[1] ... M[l] to an instance F(K, ·) of the cipher as a sequence of n-bit blocks, and similarly for the output ciphertext F(K, M) = C[1] ... C[l]. Then, given the key K, for all i, it should be possible to...

1 | Block chaining modes of operation. Reports in
- Knudsen
- 2000

Citation Context: ... can be easily distinguished from a random on-line permutation. Attacks demonstrating this are provided in Section 4. We then consider the Accumulated Block Chaining (ABC) mode proposed by Knudsen in [7], which is a generalization of the Infinite Garble Extension mode proposed by Campbell [5]. It was designed to have “infinite error propagation,” a property that intuitively seems necessary for a secu...