## On the Construction of Variable-Input-Length Ciphers (1998)


Venue: Fast Software Encryption

Citations: 19 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare98onthe,
  author    = {Mihir Bellare and Giovanni Di Crescenzo and Phillip Rogaway},
  title     = {On the Construction of Variable-Input-Length Ciphers},
  booktitle = {In Fast Software Encryption},
  year      = {1998},
  pages     = {231--244},
  publisher = {Springer-Verlag}
}
```


### Abstract

We investigate how to construct ciphers which operate on messages of various (and effectively arbitrary) lengths, in particular lengths not necessarily a multiple of some block length. (By a "cipher" we mean a key-indexed family of length-preserving permutations, with a "good" cipher being one that resembles a family of random length-preserving permutations.) Oddly enough, this question seems not to have been investigated. We show how to construct variable-input-length ciphers starting from any block cipher (i.e., a cipher which operates on strings of some fixed length n). We do this by giving a general method starting from a particular kind of pseudorandom function and a particular kind of encryption scheme, and then we give example ways to realize these tools from a block cipher. All of our constructions are proven sound, in the provable-security sense of contemporary cryptography. Variable-input-length ciphers can be used to encrypt in the presence of the constraint that the ciphertex...

### Citations

1255 citations: Probabilistic encryption. Goldwasser, Micali (1984).
Citation context: ... our community has long recognized that encryption realized this way, being deterministic, cannot possibly achieve the strong privacy guarantees (semantic security and beyond) that one would hope for [6, 2]. (For example, if the same message is enciphered twice, an adversary will detect this.) The advantage of enciphering over encrypting is a shorter ciphertext: secure encryption is inherently length-in...

867 citations: Communication theory of secrecy systems. Shannon (1948).

668 citations: How to construct random functions. Goldreich, Goldwasser, et al. (1986).
Citation context: ...ndom function and Perm(·) is used to choose a random permutation. The arguments are used to indicate the domain and range you desire. Security of PRFs and ciphers. We follow the formalization of [5], adapted to concrete security as in [3]. A distinguisher is a (possibly probabilistic) algorithm A with access to an oracle O. Let A be a distinguisher and let F = {F_K | K ∈ 𝒦} be a PRF with key spac...

379 citations: A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. Bellare, Jokipii, et al. (1997).
Citation context: ...itives. The latter can serve to guide the former. For example, attacks and proofs of security which identified the birthday threshold as the security bottleneck for the CBC MAC and for CBC encryption [3, 2, 17] have led designers to increase the block length (not just the key length) of new ciphers. Similarly, the AES has the explicit design requirement that the block cipher be "pseudorandom," to some exte...

303 citations: How to construct pseudorandom permutations from pseudorandom functions. Luby, Rackoff (1988).
Citation context: ...te by n. There are various constructions that will extend a given block cipher to a cipher on inputs of length ℓn for certain integers ℓ ≥ 1. These are the constructions of "pseudo-random permutations" [8, 9, 16, 14, 20, 11]. (They require ℓ to be even.) If we need to encipher an input of length not a multiple of n, the only way to do it would be to pad the input and then apply the cipher, resulting in a ciphertext that ...

159 citations: The security of cipher block chaining. Bellare, Kilian, et al. (1994).
Citation context: the same passage as quoted for "A concrete security treatment of symmetric encryption" above.

115 citations: Cryptographic Message Syntax. Housley (2009).
Citation context: ... which are intended to operate on blocks of various lengths have been constructed from scratch. The CMEA (attacked by [24]) is an example. A "forward-then-backwards" mode of operation is described in [8], under the names "TripleDES Key Wrap" and "RC2 Key Wrap." While not length-preserving, a length-preserving variant is possible, and it might be a good cipher across messages of assorted lengths. See ...

101 citations: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Naor, Reingold (1999).
Citation context: the same passage as quoted for "How to construct pseudorandom permutations from pseudorandom functions" above.

98 citations: All-or-nothing encryption and the package transform. Rivest (1997).
Citation context: ...cipher of N = 2ni bits, for any desired i ≥ 0. It is again unclear how to use their construction for arbitrary N and across assorted lengths. Rivest puts forward the idea of "all-or-nothing" encryption [18], wherein an adversary, guessing the key, should have to invest Θ(|C|) time before obtaining information useful to verify her guess. Enciphering the message as we do here would achieve this ...

88 citations: The notion of security for probabilistic cryptosystems. Micali, Rackoff, et al. (1988).

71 citations: Two Practical and Provably Secure Block Ciphers. Anderson, Biham (1996).
Citation context: ... starting with a PRF of r bits to ℓ bits and another of ℓ bits to r bits where r + ℓ = N. Of course this requires the availability of the latter primitives for given values of r, ℓ. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This too is an unbalanced Feistel network. Some ciphers which are intended to operate on bl...

42 citations: High Bandwidth Encryption with low-bandwidth smartcards. Blaze (1996).

33 citations: A simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators. Maurer (1992).
Citation context: the same passage as quoted for "How to construct pseudorandom permutations from pseudorandom functions" above.

25 citations: Cryptography: a new dimension in data security. Meyer, Matyas (1982).

23 citations: Faster Luby-Rackoff ciphers. Lucks (1996).
Citation context: ...tion yields a cipher on N = ni bits for any i ≥ 1 [18]. It is unclear how to use these constructions for arbitrary N (meaning not necessarily a multiple of n) and across assorted input lengths. Lucks [11] generalizes Luby-Rackoff to consider a three round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher on any given length N by starting with a PRF of r b...

22 citations: Information technology - security techniques - data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standardization, ISO/IEC (1994).
Citation context: ...ome fixed size. We will need a PRF that works across inputs of any length. The CBC MAC can be generalized to work for more than fixed-length strings. Methods are described in various standards, such as [7]. One such generalization is provided and proven correct in [15]. It works across strings of an arbitrary number of blocks. What we would like is a bit more still: a good PRF across all message length...

19 citations: Cryptanalysis of the Cellular Message Encryption Algorithm. Wagner, Schneier, et al. (1997).
Citation context: the same passage as quoted for "Cryptographic Message Syntax" (Housley, 2009) above.

12 citations: How to construct pseudorandom permutations from single pseudorandom functions. Pieprzyk (1990).

12 citations: MD-x MAC and building fast MACs from hash functions. Preneel, van Oorschot (1995).
Citation context: the same passage as quoted for "A concrete security treatment of symmetric encryption" above.

12 citations: About Feistel schemes with six (or more) rounds. Patarin (1998).
Citation context: ...bit block cipher. They show that three rounds of the Feistel construction suffice for this purpose, and that four rounds suffice to obtain a "super" PRP from a PRF. The paper has spawned much work, with [12, 22, 19, 20, 25] to name a few. Naor and Reingold [15] provide a construction which extends a block cipher on n bits to a block cipher on N = 2ni bits, for any desired i ≥ 1. A variation on their construction yields a ...

11 citations: Improved security bounds for pseudorandom permutations. 4th ACM Conference on Computer and Communications Security, 142-150. Patarin (1997).

11 citations: Towards making Luby-Rackoff ciphers optimal and practical. Patel, Ramzan, et al. (1999).
Citation context: ...] provide a construction which extends a block cipher on n bits to a block cipher on N = 2ni bits, for any desired i ≥ 1. A variation on their construction yields a cipher on N = ni bits for any i ≥ 1 [18]. It is unclear how to use these constructions for arbitrary N (meaning not necessarily a multiple of n) and across assorted input lengths. Lucks [11] generalizes Luby-Rackoff to consider a three roun...

8 citations: A Construction of a Super-Pseudorandom Cipher. Bleichenbacher, Desai (1999).
Citation context: ...This question has been investigated by Bleichenbacher and Desai, who point out that our VIL construction is not a super variable-input-length cipher, and they propose a construction for such a cipher [5]. We have focussed on the case in which the message length is at least the blocklength n of the underlying block cipher. For shorter messages of even length 2ℓ one can proceed as follows. First map th...

8 citations: Faster Luby-Rackoff ciphers. Lucks (1996). Duplicate record of the Lucks entry above.
Citation context: the same passage as quoted for "Faster Luby-Rackoff ciphers" above.

7 citations: Block Cipher Mode of Operation for Secure, Length-Preserving Encryption. Bellare, Rogaway (1997).
Citation context: ...ongly non-separable" encryption [23] and that variable-input-length enciphering provides one mechanism to achieve that goal. The VIL mode of operation was invented in 1994 when the authors were at IBM [2]. No security analysis was provided at that time. (Section 2, VIL Mode Example.) In this section we describe one particular instantiation of VIL mode enciphering. For concreteness, let us start from DES, a map DE...

6 citations: Mortgage practices in. Flaming, Anderson (1993).
Citation context: ...of even length, proceed as follows. First map the underlying enciphering key K into subkeys (K_enc, K_prf, K_1, K_2, ..., K_⌊n/2⌋) using standard key-separation techniques. Each key K_i = (K_i[1], ..., K_i[r]), where r ≥ 3 is a constant and each K_i[t] ∈ 𝒦. Now when |M| ≥ n, proceed as we have described above, using keys K_enc and K_prf to encipher M. But when |M| < n then encipher M using...

5 citations: Towards making Luby-Rackoff ciphers optimal and practical. Patel, Ramzan, et al. (1999). Duplicate record of the Patel, Ramzan, et al. entry above.
Citation context: the same passage as quoted for "Towards making Luby-Rackoff ciphers optimal and practical" above.

4 citations: CBC MAC for real-time data sources, manuscript. Petrank, Rackoff (1997).
Citation context: ...proof of correctness is made much simpler by the added generality: what is irrelevant is out of sight, and what is relevant can be singled out and separately proved, in part by invoking known results [4, 21, 3]. Related work. There is quite a lot of work on constructing block ciphers of one blocklength given block ciphers of another blocklength. Luby and Rackoff [10] consider the question of how to turn a...

3 citations: A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators. Maurer (1992). Duplicate record of the Maurer entry above.
Citation context: the same passage as quoted for "About Feistel schemes with six (or more) rounds" above.

2 citations: CBC MAC for real-time data sources. Manuscript, available at http://philby.ucsd.edu/cryptolib.html. Petrank, Rackoff (1997). Duplicate record of the Petrank, Rackoff entry above.
Citation context: ...ut M. In the first pass we compute what is essentially the CBC MAC of M. Actually an extension of the CBC MAC must be used, such as re-enciphering the final ciphertext block using a different key [15], in order to correctly handle messages of varying input lengths. This gives an n-bit MAC. Now use this MAC as the initial value of a "counter" to encrypt in counter mode a prefix of M consisti...

2 citations: Impossibility results and optimality results on constructing pseudorandom permutations. Zheng, Matsumoto, et al. (1989).

1 citation: Cryptographic message syntax. S/MIME Working. Housley (1999).
Citation context: the same passage as quoted for "Cryptographic Message Syntax" (Housley, 2009) above.