
All-Or-Nothing Encryption and The Package Transform

Ronald L. Rivest

MIT Laboratory for Computer Science
Technology Square, Cambridge, Mass.
rivest@theory.lcs.mit.edu

Abstract. We present a new mode of encryption for block ciphers, which we call all-or-nothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of implementing all-or-nothing encryption using a "package transform" as a pre-processing step to an ordinary encryption mode. A package transform followed by ordinary codebook encryption also has the interesting property that it is very efficiently implemented in parallel. All-or-nothing encryption can also provide protection against chosen-plaintext and related-message attacks.

Introduction

One way in which a cryptosystem may be attacked is by brute-force search: an adversary tries decrypting an intercepted ciphertext with all possible keys until the plaintext "makes sense," or until it matches a known target plaintext. Our primary motivation is to devise means to make brute-force search more difficult, by appropriately pre-processing a message before encrypting it.

In this paper we assume that the cipher under discussion is a block cipher with fixed-length input/output blocks, although our remarks generalize to other kinds of ciphers. An encryption mode is used to extend the encryption function to arbitrary length messages (see for example Schneier and Biham).

In general, the work required to search for an unknown $k$-bit key to a known block cipher is $2^k$ in the worst case, or $2^{k-1}$ on the average. Here and throughout this paper, we measure the work by the number of "elementary decryptions" attempted, where an elementary decryption is a decryption of one block of ciphertext. For example, in the electronic codebook encryption mode, the adversary needs to decrypt only the first block of ciphertext to obtain the first block of plaintext; this is usually sufficient to identify the correct key. If not, the second block can be decrypted as well.

Sometimes the size of the key space for one's encryption algorithm is fixed, marginal, and can't be improved. For example, one can argue that a 56-bit DES key is marginal (see Blaze et al.). Or, one may be encumbered by export regulations that restrict one to a 40-bit secret key. The question posed here is: is there any way to significantly increase the difficulty for an adversary of performing a brute-force search, while keeping the key size the same and not overly burdening the legitimate communicants?

We show that the answer to the question is "yes."

Strongly non-separable encryption

The problem with most popular encryption modes is that the adversary can obtain one block of plaintext by decrypting just one block of ciphertext.

We illustrate this point with cipher-block chaining (CBC) mode. Let the $s$ blocks of the message be denoted $m_1, m_2, \ldots, m_s$. The CBC mode utilizes an initialization vector $IV$ and a key $K$. The algorithm produces as output ciphertext blocks $c_i$ for $i = 1, \ldots, s+1$, where

$$c_1 = IV$$

and

$$c_{i+1} = E(K, c_i \oplus m_i) \quad \text{for } i = 1, \ldots, s.$$

Thus

$$m_i = c_i \oplus D(K, c_{i+1}) \quad \text{for } i = 1, \ldots, s,$$

and so any one of the $s$ message blocks can be obtained with the decryption of just one ciphertext block. This makes the adversary's key-search problem relatively easy, since decrypting a single ciphertext block is generally enough to test a candidate key.

Let us say that an encryption mode for a block cipher is separable if it has the property that an adversary can determine one block of plaintext by decrypting just one block of ciphertext. Thus CBC mode is separable.

We wish to design non-separable encryption modes. More precisely, we wish to design strongly non-separable modes, defined as follows.

Definition. Suppose that a block cipher encryption mode transforms a sequence $m_1, m_2, \ldots, m_s$ of $s$ message blocks into a sequence $c_1, c_2, \ldots, c_t$ of $t$ ciphertext blocks, for some $t \ge s$. We say that the encryption mode is strongly non-separable if it is infeasible to determine even one message block $m_i$ (or any property of a particular message block $m_i$) without decrypting all $t$ ciphertext blocks.

All-Or-Nothing Transforms

We propose to achieve strongly non-separable modes as follows:

- Transform the message sequence $m_1, m_2, \ldots, m_s$ into a "pseudo-message" sequence $m'_1, m'_2, \ldots, m'_{s'}$ (for some $s' \ge s$) with an "all-or-nothing transform," and
- Encrypt the pseudo-message with an ordinary encryption mode (e.g. codebook mode) with the given cryptographic key $K$ to obtain the ciphertext sequence $c_1, c_2, \ldots, c_t$.

We call encryption modes of this type "all-or-nothing encryption modes." A specific instance of this mode would be "all-or-nothing codebook mode," when the encryption mode used is codebook mode, or "all-or-nothing CBC mode," etc.

To make this work, the all-or-nothing transform has to have certain properties.

Definition. A transformation $f$ mapping a message sequence $m_1, m_2, \ldots, m_s$ into a pseudo-message sequence $m'_1, m'_2, \ldots, m'_{s'}$ is said to be an all-or-nothing transform if

- The transformation $f$ is reversible: given the pseudo-message sequence, one can obtain the original message sequence.
- Both the transformation $f$ and its inverse are efficiently computable (that is, computable in polynomial time).
- It is computationally infeasible to compute any function of any message block if any one of the pseudo-message blocks is unknown.

We note that an all-or-nothing transformation must really be randomized, so that a chosen or known message attack does not yield a known pseudo-message, and so that a deterministic function which computes the first pseudo-message block is not available as a function to contradict the last requirement above.

We note that the all-or-nothing transformation is not itself "encryption," since it makes no use of any secret key information. It is merely an invertible "pre-processing" step that has certain interesting properties. The actual encryption in an all-or-nothing encryption mode is the operation that encrypts the pseudo-message resulting from the all-or-nothing transform. An all-or-nothing transform is a fixed public transform that anyone can perform on the message to obtain the pseudo-message, or invert given the pseudo-message to obtain the message.

Theorem. An all-or-nothing encryption mode is strongly non-separable.

Proof. We assume that the underlying encryption mode is such that all ciphertext blocks must be decrypted in order to obtain all pseudo-message blocks. (If this were not the case, the encryption mode would not be efficient, and a more efficient "reduced mode" could be derived from it.) Thus all ciphertext blocks must be decrypted in order to determine any property of any message block. □

The Package Transform

The all-or-nothing scheme we propose here (the "package transform") is quite efficient, particularly when the message is long: the cost of an all-or-nothing transform is approximately twice the cost of the actual encryption. We shall also see that all-or-nothing encryption admits fast parallel implementations.

The legitimate communicants thus pay a penalty of approximately a factor of three in the time it takes them to encrypt or decrypt in all-or-nothing mode, compared to an ordinary separable encryption mode. However, an adversary attempting a brute-force attack pays a penalty of a factor of $t$, where $t$ is the number of blocks in the ciphertext.

As an example, if I send you an eight-megabyte message encrypted in all-or-nothing CBC mode with a 56-bit DES key, the adversary must decrypt the entire eight-megabyte file in order to test a single candidate 56-bit key. This expands the work-factor by a factor of one million compared to breaking ordinary CBC mode. Since one million is approximately $2^{20}$, to the adversary this feels like having to break a 76-bit key instead of a 56-bit key.

Using this scheme, it can clearly be advantageous for the communicants to pad the message with random data, as it makes the adversary's job harder.

We propose here a particular all-or-nothing transform, which we call the package transform. We note that while it uses a block cipher itself as a primitive, no secret keys are used. Instead, a randomly chosen key is used, and this key can be easily determined from the pseudo-message sequence. The block cipher used in the package transform need not be the same as the block cipher used to encipher the pseudo-message (the package transform output), although it may be. If it is the same encryption algorithm, note that we assume below that the key space for the package transform block cipher is sufficiently large that brute-force search is infeasible, while the motivation for the use of an all-or-nothing encryption mode was that the key space for the outer encryption algorithm was marginal. This situation can arise for variable-key-length block ciphers such as RC5. For concreteness, the reader may imagine that we are working with RC5 for both the package transform encryption algorithm and the outer encryption algorithm, with 128-bit input/output blocks, a 128-bit encryption key for the package transform, and a 40-bit key for the outer encryption transform.

For this exposition, then, we assume that the key size of the package transform block cipher is the same as its block size; this assumption can easily be removed and is made here only for convenience in exposition. We also assume that the key space for the package transform block cipher is sufficiently large that brute-force searching for a key is infeasible. The scheme also uses a fixed publicly-known key $K_0$ for the package transform block cipher.

Here is the package transform:

- Let the input message be $m_1, m_2, \ldots, m_s$.
- Choose at random a key $K'$ for the package transform block cipher.
- Compute the output sequence $m'_1, m'_2, \ldots, m'_{s'}$ for $s' = s + 1$ as follows:
  - Let $m'_i = m_i \oplus E(K', i)$ for $i = 1, 2, \ldots, s$.
  - Let
    $$m'_{s'} = K' \oplus h_1 \oplus h_2 \oplus \cdots \oplus h_s,$$
    where
    $$h_i = E(K_0, m'_i \oplus i) \quad \text{for } i = 1, 2, \ldots, s,$$
    and where $K_0$ is a fixed publicly-known encryption key.

The intent here is that the key $K'$ be chosen from a large space; for example, choose $K'$ as a 128-bit RC5 key. Since $K'$ is not a secret shared key (it is disclosed in the pseudo-message), it is not restricted by the limitations of the following encryption mode.

The package transformation is similar to encrypting in counter mode, except that the key is randomly chosen rather than fixed, and the last pseudo-message block is the exclusive-or of the key and a hash of all previous pseudo-message blocks (computed as the exclusive-or of the encryptions of variants of these blocks under a fixed key, where the $i$-th variant is computed as the exclusive-or of $i$ and the block). This technique ensures that simple modifications to the ciphertext (such as permuting the order of two blocks, or duplicating a block) are highly likely to change the key $K'$ computed by the receiver.

One could also define variant package transforms based on block-chaining techniques instead of counter mode.

It is easy to see that the package transform is invertible:

$$K' = m'_{s'} \oplus h_1 \oplus h_2 \oplus \cdots \oplus h_s,$$
$$m_i = m'_i \oplus E(K', i) \quad \text{for } i = 1, 2, \ldots, s.$$

We also note that if any block of the pseudo-message sequence is unknown, then $K'$ can not be computed, and so it is infeasible to compute any message block. (Formal proof omitted here, but we recall that the key $K'$ is assumed to be drawn from an infeasibly large set, so that, for example, a meet-in-the-middle attack is not more efficient than decrypting all the ciphertext blocks.)

Discussion

A related well-known approach towards getting more security out of a fixed number of key bits is to use encryption techniques that have a long "set-up" time (see Quisquater et al., or Schneier's Blowfish algorithm). This penalizes the legitimate user whenever he performs a key-change, whereas all-or-nothing encryption incurs a fixed penalty for each block encrypted. While this may seem to favor the increased set-up time approach, we note that:

- An all-or-nothing transform is merely a pre-processing step, and so it can be used with already-existing encryption devices and software, without changing the encryption algorithm.
- Increasing the set-up time may still yield an algorithm that is efficiently implemented with a special-purpose brute-force chip, since there may be little need for inter-chip communications. On the other hand, the two-pass nature of all-or-nothing encryption may necessitate large amounts of input/output, something that usually slows down operations considerably.

In any case, the approaches are complementary and can easily be combined.

We note that all-or-nothing encryption modes are only defined here when the message to be encrypted is a finite sequence; an infinitely long message can not be encrypted in an all-or-nothing mode, whereas other modes, such as CBC, work perfectly well in this case. All-or-nothing encryption modes work very well in cases such as encrypting packets in a network.

We observe, however, that one can begin encrypting in package CBC mode or package codebook mode before one knows the end of the message sequence, since the inner package operation and the outer CBC or codebook encryption modes can both be implemented in a sequential manner. However, decrypting a package mode ciphertext more-or-less requires two passes and/or having the entire ciphertext available at once.

Package codebook mode is particularly interesting since the outer codebook decryption and the inner package transformation can both be performed efficiently in parallel. (I don't mean that they are performed at the same time, but that each one separately admits an efficient parallel implementation.) With a sufficient number of encryption units, a message of length $s$ can be encrypted or decrypted in time $O(\log s)$. This may be an advantage for the legitimate communicants in a high-speed communications scenario. Note that the same advantage is available to the adversary: although he has to decrypt the entire ciphertext, he can also do it in parallel. However, for the adversary this advantage is probably meaningless, since it is the total search time that is important to him, not the latency for performing a single decryption. Thus package codebook mode has much to recommend it from a performance perspective.

We note that all-or-nothing encryption modes can provide protection against differential attacks and other forms of attack that depend on chosen plaintext, since a randomized all-or-nothing transformation can effectively destroy any patterns in the actual input (the pseudo-message) to the underlying encryption operation.

In addition, an all-or-nothing transformation can be useful before RSA encryption, as it prevents various kinds of "related message" or other attacks (e.g. those of Coppersmith et al.). Indeed, the package transform described here can be viewed as a special case of the "simple embedding scheme" proposed by Bellare and Rogaway in their "optimal asymmetric encryption" pre-processing scheme used before applying RSA encryption:

$$x \oplus G(r) \;\|\; r \oplus H(x \oplus G(r)).$$

Here $x$ is the message to be encrypted (like our message $m$), $r$ is a randomly chosen quantity (like our key $K'$), $G(r)$ is a pseudorandom output (like our $E(K', i)$ values), and $H$ is a hash function (like our $h_1 \oplus h_2 \oplus \cdots \oplus h_s$). The correspondence would be closer if we had proposed using $m'_{s'} = K' \oplus \mathrm{MD5}(m'_1 \cdots m'_s)$, which would also give some improved efficiency, but we wished to confine ourselves to just using the block cipher as a primitive operation. We are applying these ideas to symmetric block cipher modes of operation rather than asymmetric encryption, but the principles are essentially the same. However, it may also be the case that a rather different approach can be applied to achieve our goals with substantially greater efficiency than the approach suggested here, or by Bellare and Rogaway's approach in general.

There are many approaches one might take towards devising all-or-nothing transforms. One might consider computing the pseudo-message as the concatenation of a description of a hash function $h$ (chosen randomly from a universal family of hash functions with a suitably large range), followed by the application of $h$ to the message. Another approach that may work well is to use a scheme based on an FFT-like arrangement of randomized multipermutations (see Schnorr et al.).

Or, one can base an approach on secret-sharing schemes. Actually, the package transform can be viewed as an $s'$ out of $s'$ secret-sharing threshold scheme: each of the $s'$ pseudo-message blocks can be viewed as one share of the underlying message. Decrypting so as to obtain fewer than $s'$ pseudo-message blocks yields no information at all about the underlying message. This is computational secret sharing (see Krawczyk), since the shares are shorter than the message itself. Indeed, one can design all-or-nothing schemes based on Krawczyk's proposals.

An entirely different approach is given by Anderson and Biham, who design block ciphers (such as BEAR and LION) from scratch that seem to have an all-or-nothing property. Their approach is different because they design block ciphers with variable-length blocks to accommodate messages of varying lengths, whereas our focus is on designing an encryption mode for fixed-length block ciphers that provides an all-or-nothing property. Nonetheless, their schemes may be the method of choice in some situations.

We note that all-or-nothing encryption has terrible error-propagation properties: if any ciphertext block is damaged, then it is likely that every message block will be damaged. Thus ciphertext should be transported with reliable transmission means. One could interpose an error-correction phase between the all-or-nothing transformation and the encryption; this could help handle errors while only modestly decreasing non-separability.

Using this error-propagation property to one's advantage, one can extend all-or-nothing mode by appending a suitable block of redundancy (such as a block of all zeros, or the sum of all the previous message blocks) to the message before applying the all-or-nothing transformation. This redundancy can be verified and removed upon decryption. This helps to detect corrupted ciphertext.

As a variation on the idea of the previous paragraph, the redundancy block may be computed as the sum of previous message blocks and a secret value that is known only to the two parties communicating; this provides a form of message authentication. The redundancy block could of course also be computed with more conventional keyed hashing techniques.
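The package transform of the previous section, with the all-zero redundancy block just described appended before packaging, as an added worked example (not code from the paper): a toy 16-byte Feistel cipher built on SHA-256 stands in for the block cipher $E$, the key $K'$ has the block length as the paper assumes, the block index $i$ is encoded as a full block, and $K_0$ is a constructed all-zero key. Unpackaging recovers $K'$ from every pseudo-message block, and a permuted or damaged pseudo-message changes $K'$, so the zero block fails its check.

```python
import hashlib
import os

BLOCK = 16  # block length in bytes; the key K' has the same length (paper's assumption)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Round function of the toy cipher: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    """Toy 16-byte block cipher (8-round Feistel network). It stands in for the
    paper's E(K, .) so the example runs offline; it is not a real cipher."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def _blk(i):
    # The block index i encoded as a full block (counter input and variant offset).
    return i.to_bytes(BLOCK, "big")

K0 = bytes(BLOCK)  # fixed, publicly known key K_0 (constructed value: all zeros)

def _hash_xor(pseudo):
    # h_1 xor ... xor h_s with h_i = E(K_0, m'_i xor i): every block contributes.
    acc = bytes(BLOCK)
    for i, mp in enumerate(pseudo, 1):
        acc = _xor(acc, E(K0, _xor(mp, _blk(i))))
    return acc

def package(msg_blocks, k_prime=None):
    """Package transform: s message blocks -> s' = s + 1 pseudo-message blocks,
    m'_i = m_i xor E(K', i) and m'_{s'} = K' xor h_1 xor ... xor h_s."""
    if k_prime is None:
        k_prime = os.urandom(BLOCK)  # the random, non-secret key K'
    pseudo = [_xor(m, E(k_prime, _blk(i))) for i, m in enumerate(msg_blocks, 1)]
    return pseudo + [_xor(k_prime, _hash_xor(pseudo))]

def recover_key(pseudo_blocks):
    """K' = m'_{s'} xor h_1 xor ... xor h_s; needs every pseudo-message block."""
    return _xor(pseudo_blocks[-1], _hash_xor(pseudo_blocks[:-1]))

def unpackage(pseudo_blocks):
    """Inverse transform: m_i = m'_i xor E(K', i) once K' has been recovered."""
    k_prime = recover_key(pseudo_blocks)
    return [_xor(mp, E(k_prime, _blk(i))) for i, mp in enumerate(pseudo_blocks[:-1], 1)]

def package_with_redundancy(msg_blocks, k_prime=None):
    """Discussion-section variant: append an all-zero block before packaging."""
    return package(list(msg_blocks) + [bytes(BLOCK)], k_prime)

def unpackage_with_redundancy(pseudo_blocks):
    """Returns the message blocks, or None when the zero block did not survive:
    a damaged or permuted pseudo-message block changes K' and so every block."""
    blocks = unpackage(pseudo_blocks)
    return blocks[:-1] if blocks[-1] == bytes(BLOCK) else None

# Constructed sample message: three 16-byte blocks.
MSG = [b"all-or-nothing!!", b"package transfor", b"m, third block. "]
```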

The preceding paragraphs touch upon an important issue: that an encryption mode should provide integrity as well as confidentiality. Mao and Boyd make this point well. Bellare and Rogaway prove that their simple embedding scheme provides "non-malleability," for example.

Conclusion

We have presented an encryption mode, the all-or-nothing encryption mode, and a specific means of implementing it using the package transform. Other forms of all-or-nothing encryption are presumably yet to be devised.

We leave it as an open problem to devise an all-or-nothing encryption mode that is substantially more efficient than the scheme presented here. Is it possible, for example, to reduce the cost of implementing an all-or-nothing mode from a factor of three greater than CBC to just a factor of two greater?

Acknowledgments

I would like to thank Don Coppersmith, Shafi Goldwasser, Mihir Bellare, Burt Kaliski, and the referees for helpful comments and conversations. [name illegible] deserves special thanks for suggesting the term "all-or-nothing." David Wagner deserves thanks for pointing out significant bugs in earlier versions of this paper and for pointing out the relationship between this work and the Bellare-Rogaway work on optimal asymmetric encryption. And thanks to Mihir Bellare for noting the relationship with secret-sharing schemes.

References

Ross Anderson and Eli Biham. Two practical and provably secure block ciphers: BEAR and LION. In Dieter Gollman, editor, Fast Software Encryption. Springer. Proceedings of the Third International Workshop, February, Cambridge, UK.

Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption: how to encrypt with RSA. In EUROCRYPT.

Eli Biham. Cryptanalysis of multiple modes of operation. Pre-Proceedings of ASIACRYPT. Submitted to J. Cryptology.

Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. Minimal key lengths for symmetric ciphers to provide adequate commercial security. A report by an ad hoc group of cryptographers and computer scientists, January. Available at http://www.bsa.org.

Don Coppersmith, Matthew Franklin, Jacques Patarin, and Michael Reiter. Low-exponent RSA with related messages. Technical Report IBM RC, IBM T.J. Watson Research Lab, December. To appear in Eurocrypt.

Hugo Krawczyk. Secret sharing made short. In Douglas R. Stinson, editor, Proc. CRYPTO. Springer-Verlag.

Wenbo Mao and Colin Boyd. Classification of cryptographic techniques in authentication protocols. In Proceedings, Workshop on Selected Areas in Cryptography, May, Kingston, Ontario, Canada.

J.-J. Quisquater, Yvo Desmedt, and Marc Davio. The importance of "good" key scheduling schemes (how to make a secure DES scheme with [illegible] bit keys). In H. C. Williams, editor, Proc. CRYPTO. Springer Lecture Notes in Computer Science.

Bruce Schneier. Applied Cryptography, Second Edition. John Wiley & Sons.

C. P. Schnorr and S. Vaudenay. Black box cryptanalysis of hash networks based on multipermutations. In EUROCRYPT.
