## New paradigms for constructing symmetric encryption schemes secure against chosen ciphertext attack (2000)

Venue: Advances in Cryptology - CRYPTO 2000

Citations: 10 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Desai00newparadigms,
  author    = {Anand Desai},
  title     = {New paradigms for constructing symmetric encryption schemes secure against chosen ciphertext attack},
  booktitle = {Advances in Cryptology - CRYPTO 2000},
  year      = {2000},
  pages     = {394--412},
  publisher = {Springer-Verlag}
}
```

### Abstract

The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge “valid” ciphertexts. This is achieved either by encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a “valid” ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of “variable-length” pseudorandom functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.

### Citations

1230 | Probabilistic encryption
- Goldwasser, Micali
- Context: "... ensure that an adversary does not learn any useful information from the ciphertexts. The first rigorous formalizations of this goal were described for the public-key setting by Goldwasser and Micali [14]. Their goal of indistinguishability for public-key encryption has been considered under attacks of increasing severity: chosen-plaintext attack, and two kinds of chosen-ciphertext attacks [19, 22]. T..."

662 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
- Context: "...ily F is pseudorandom if the input-output behavior of F_a is indistinguishable from the behavior of a random function of the same domain and range. This is formalized via the notion of distinguishers [13]. Our concrete security formalization is that of [4]. Definition 2 [PRF] Let F : K × {0,1}^l → {0,1}^l be a function. For a distinguisher A and b = 0, 1 define the experiment Experiment Exp^pr..."

494 | Entity authentication and key distribution
- Bellare, Rogaway
- 1994
- Context: "...Let s = F_K1(r). (3) Let P be the first |M| bits of F_K2(s+1) || F_K2(s+2) || F_K2(s+3) || ···. (4) Let C = P ⊕ M. (5) Let pad = 10^m such that m is the smallest integer making |C| + |pad| divisible by l. (6) Parse C || pad as C_1 ... C_n such that |C_i| = l for all 1 ≤ i ≤ n. (7) Let C'_0 = 0^l, and let C'_i = F_K3(C'_{i−1} ⊕ C_i) for all 1 ≤ i ≤ n − 1. (8) Let σ = r ⊕ F_K4(C'_{n−1} ⊕ C_n). (9) Return ciphertext C || σ. ..."
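The encryption steps quoted in the context above (steps 2 to 9: a counter-mode pad derived from F_K1(r), then a CBC chain over the ciphertext whose final PRF output masks r) carried out in working code. This is an added example, not code from the page or the paper; it assumes step (1) draws a uniformly random l-bit r, byte-aligned messages (so the 10^m pad is 0x80 followed by zero bytes), that the fixed-length PRF F_K is HMAC-SHA256 truncated to 128 bits rather than a block cipher, and a decryption routine reconstructed as the inverse of the quoted steps.

```python
import hashlib, hmac, os

L = 16  # block length l in bytes (l = 128 bits)

def F(key: bytes, x: bytes) -> bytes:
    """Fixed-length PRF F_K on l-bit blocks. Assumption: the paper uses a block cipher;
    here F is HMAC-SHA256 truncated to l bytes so the example needs only the stdlib."""
    assert len(x) == L
    return hmac.new(key, x, hashlib.sha256).digest()[:L]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(k2: bytes, s: bytes, nbytes: int) -> bytes:
    """Step (3): first nbytes of F_K2(s+1) || F_K2(s+2) || ..., with s read as a counter."""
    ctr, out, i = int.from_bytes(s, "big"), b"", 1
    while len(out) < nbytes:
        out += F(k2, ((ctr + i) % (1 << (8 * L))).to_bytes(L, "big"))
        i += 1
    return out[:nbytes]

def mac_input(k3: bytes, c: bytes) -> bytes:
    """Steps (5)-(7): pad C with 10^m (0x80 00.. for byte-aligned C), CBC-chain
    C_1..C_{n-1} under K3 from C'_0 = 0^l, and return C'_{n-1} xor C_n."""
    padded = c + b"\x80" + b"\x00" * (-(len(c) + 1) % L)
    blocks = [padded[i:i + L] for i in range(0, len(padded), L)]
    cp = bytes(L)
    for blk in blocks[:-1]:
        cp = F(k3, xor(cp, blk))
    return xor(cp, blocks[-1])

def encrypt(keys, m: bytes, r: bytes = None) -> bytes:
    """Steps (2)-(9); step (1), not shown on the page, is assumed to draw a random l-bit r."""
    k1, k2, k3, k4 = keys
    r = os.urandom(L) if r is None else r
    s = F(k1, r)                                # step (2)
    c = xor(m, keystream(k2, s, len(m)))        # steps (3)-(4): C = P xor M
    sigma = xor(r, F(k4, mac_input(k3, c)))     # step (8): sigma = r xor F_K4(C'_{n-1} xor C_n)
    return c + sigma                            # step (9): C || sigma

def decrypt(keys, ct: bytes) -> bytes:
    """Inverse of encrypt (reconstructed, not quoted from the page): every string of at
    least l bits decrypts to something, so no 'invalid ciphertext' signal exists."""
    if len(ct) < L:
        raise ValueError("ciphertext shorter than l bits")
    k1, k2, k3, k4 = keys
    c, sigma = ct[:-L], ct[-L:]
    r = xor(sigma, F(k4, mac_input(k3, c)))     # recover r, then s, then the pad P
    return xor(c, keystream(k2, F(k1, r), len(c)))
```

Note that the only ciphertext expansion is the l-bit σ, and that flipping any bit of C changes the recovered r and therefore the whole recovered plaintext, which is what makes the scheme non-malleable without any redundancy check.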

470 | Relations Among Notions of Security for Public-Key Encryption Schemes
- Bellare, Desai, et al.
- 1998
- Context: "...ons for the public-key setting to the symmetric setting. Studies on relations among the various possible notions have established that IND-CCA implies all these other notions in the public-key setting [3, 12], as well as in the symmetric setting [15]. Symmetric encryption schemes are widely used in practice and form the basis of many security protocols used on the Internet. The use of schemes secure in t..."

470 | Non-malleable cryptography
- Dolev, Dwork, et al.
- Context: "...he combination of the goal of indistinguishability and CCA gives rise to a very strong notion of privacy, known as IND-CCA. A second goal, called non-malleability, introduced by Dolev, Dwork and Naor [12], can also be considered in this framework. This goal formalizes the inability of an adversary given a challenge ciphertext to modify it into another, in such a way that the underlying plaintexts are ..."

371 | A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation
- Bellare, Desai, et al.
- 1997
- Context: "... underlying plaintexts are somehow "meaningfully related". The notion of indistinguishability under chosen-plaintext attack was adapted to the symmetric setting by Bellare, Desai, Jokipii and Rogaway [2]. Their paradigm of giving the adversary "encryption oracles" can be used to "lift" any of the notions for the public-key setting to the symmetric setting. Studies on relations among the various possib..."

358 | Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack
- Rackoff, Simon
- 1991
- Context: "...Micali [14]. Their goal of indistinguishability for public-key encryption has been considered under attacks of increasing severity: chosen-plaintext attack, and two kinds of chosen-ciphertext attacks [19, 22]. The strongest of these attacks, due to Rackoff and Simon, is known as the adaptive chosen-ciphertext attack (referred to as CCA in this work). Under this attack, the adversary is given the ability t..."

300 | How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- Context: "...tion (VI-SPRP). We show that with these meanings, the Encode-then-Encipher paradigm yields symmetric encryption schemes that are secure against CCA. Note that a super-pseudorandom permutation (SPRP) [17] alone will not do since we need a permutation that can work with variable and arbitrary length inputs. Also, the very efficient constructions of Naor and Reingold [18] cannot be used here since they ..."

260 | Public key cryptosystems provably secure against chosen ciphertext attacks (STOC '90)
- Naor, Yung
- Context: "...Micali [14]. Their goal of indistinguishability for public-key encryption has been considered under attacks of increasing severity: chosen-plaintext attack, and two kinds of chosen-ciphertext attacks [19, 22]. The strongest of these attacks, due to Rackoff and Simon, is known as the adaptive chosen-ciphertext attack (referred to as CCA in this work). Under this attack, the adversary is given the ability t..."

238 | Authenticated encryption: relations among notions and analysis of the generic composition paradigm
- Bellare, Namprempre
- 2000
- Context: "...d a generic symmetric encryption scheme, the one consisting of first encrypting the plaintext and then appending to the result a MAC of the result, is the only one that is secure in the IND-CCA sense [5]. Another approach is to add some known redundancy to the plaintext before encrypting. The idea is that most strings of the length of the ciphertext will be "invalid" and that they will be recognized ..."

216 | Optimal asymmetric encryption - How to encrypt with RSA
- Bellare, Rogaway
- Context: "...ur paradigm is illustrated in Figure 2. It is interesting that there is a similarity between our scheme and the "simple probabilistic encoding scheme" used by Bellare and Rogaway in their OAEP scheme [7]. Their encoding scheme is defined as: M ⊕ G(r) || r ⊕ H(M ⊕ G(r)), where M is the message to be encrypted, r is a randomly chosen quantity, G is a "generator" random oracle and H is a "hash func..."

208 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
- Context: "...Our first paradigm is described in terms of "variable-length" pseudorandom functions. These extend the notion of "fixed-length" pseudorandom functions (PRFs) introduced by Bellare, Kilian and Rogaway [4] so as to model block ciphers. A variable-length input pseudorandom function (VI-PRF) is a function that takes inputs of any pre-specified length or of variable length and produces an output of some f..."

101 | On the construction of pseudorandom permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1999
- Context: "...pseudorandom permutation (SPRP) [17] alone will not do since we need a permutation that can work with variable and arbitrary length inputs. Also, the very efficient constructions of Naor and Reingold [18] cannot be used here since they are not "full-fledged" VI-SPRPs. The problem of constructing VI-SPRPs has been explored by Bleichenbacher and Desai [11] and Patel et al. [20]. See Section 4 for more d..."

96 | Pseudorandom functions revisited: The cascade construction and its concrete security (Proc. 37th Annual Symposium on the Foundations of Computer Science)
- Bellare, Canetti, et al.
- 1997
- Context: "...ficient than this one [10]. There are efficient variable-length input MAC constructions, such as the protected counter sum construction of Bernstein [9] and the cascade construction of Bellare et al. [1] that are not strictly VI-PRF due to their probabilistic nature, but which could be used in their place in our paradigm. Variable-Length Output Pseudorandom Functions. These are functions that can gen..."

67 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient encryption
- Bellare, Rogaway
- 2000
- Context: "... C to get a string σ. The ciphertext output is C || σ. Encode-then-Encipher. This is a rather well-known (but not particularly well-understood) method of encrypting. Recent work by Bellare and Rogaway [8] has tried to remedy this by giving a precise treatment of this idea. Encryption, in this paradigm, is a process in which the plaintext is first "encoded" and then sent through a secret-keyed length-p..."

65 | Complete Characterization of Security Notions for Probabilistic Private-Key Encryption
- Katz, Yung
- 2006
- Context: "... setting. Studies on relations among the various possible notions have established that IND-CCA implies all these other notions in the public-key setting [3, 12], as well as in the symmetric setting [15]. Symmetric encryption schemes are widely used in practice and form the basis of many security protocols used on the Internet. The use of schemes secure in the IND-CCA sense is often mandated by the w..."

24 | Unforgeable encryption and adaptively secure modes of operation
- Katz, Yung
- 2000
- Context: "...hertext will be "invalid" and that they will be recognized as such, since their "decryption" will not have the expected redundancy. A recently suggested encryption mode, the RPC mode of Katz and Yung [16], uses this idea. Yet another approach that uses this idea is to apply a VI-SPRP to plaintexts that are encoded with randomness and redundancy [8]. Comparisons. An unavoidable consequence of the parad..."

19 | How to stretch random functions: the security of protected counter sums
- Bernstein
- 1999
- Context: "...uctions of VI-PRFs that are computationally more efficient than this one [10]. There are efficient variable-length input MAC constructions, such as the protected counter sum construction of Bernstein [9] and the cascade construction of Bellare et al. [1] that are not strictly VI-PRF due to their probabilistic nature, but which could be used in their place in our paradigm. Variable-Length Output Pseud..."

8 | A Construction of a Super-Pseudorandom Cipher
- Bleichenbacher, Desai
- 1999
- Context: "...ry efficient constructions of Naor and Reingold [18] cannot be used here since they are not "full-fledged" VI-SPRPs. The problem of constructing VI-SPRPs has been explored by Bleichenbacher and Desai [11] and Patel et al. [20]. See Section 4 for more details. The encryption schemes resulting from this paradigm are quite practical, but given the current state-of-art, this approach does not match the Un..."

6 | CBC MACs for arbitrary length messages: The three key constructions
- Black, Rogaway
- Context: "...fficient cryptographic primitives. Some efficient constructions of VI-PRFs based on PRFs are the CBC-MAC variant analyzed by Petrank and Rackoff [21] and the "three-key" variants of Black and Rogaway [10]. We give a simple and efficient construction of a VO-PRF from a PRF. See Figure 1. There could be many other ways of instantiating VO-PRFs using ideas from the constructions of VI-PRFs and "key-deriv..."

1 | Efficient Variable-Input-Length Cryptographic Primitives
- Patel, Ramzan, et al.
- 2000
- Context: "...ions of Naor and Reingold [18] cannot be used here since they are not "full-fledged" VI-SPRPs. The problem of constructing VI-SPRPs has been explored by Bleichenbacher and Desai [11] and Patel et al. [20]. See Section 4 for more details. The encryption schemes resulting from this paradigm are quite practical, but given the current state-of-art, this approach does not match the Unbalanced Feistel parad..."

1 | CBC MAC for Real-Time Data Sources (DIMACS)
- Petrank, Rackoff
- 1997
- Context: "...interested in constructions that can be based on more efficient cryptographic primitives. Some efficient constructions of VI-PRFs based on PRFs are the CBC-MAC variant analyzed by Petrank and Rackoff [21] and the "three-key" variants of Black and Rogaway [10]. We give a simple and efficient construction of a VO-PRF from a PRF. See Figure 1. There could be many other ways of instantiating VO-PRFs using..."
