All-Or-Nothing Encryption and the Package Transform


Ronald L. Rivest
MIT Laboratory for Computer Science
Technology Square, Cambridge, Mass.
rivest@theory.lcs.mit.edu

Abstract

We present a new mode of encryption for block ciphers, which we call all-or-nothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of implementing all-or-nothing encryption using a package transform as a pre-processing step to an ordinary encryption mode. A package transform followed by ordinary codebook encryption also has the interesting property that it is very efficiently implemented in parallel. All-or-nothing encryption can also provide protection against chosen-plaintext and related-message attacks.

Introduction

One way in which a cryptosystem may be attacked is by brute-force search: an adversary tries decrypting an intercepted ciphertext with all possible keys until the plaintext makes sense or until it matches a known target plaintext. Our primary motivation is to devise means to make brute-force search more difficult, by appropriately pre-processing a message before encrypting it.

In this paper, we assume that the cipher under discussion is a block cipher with fixed-length input/output blocks, although our remarks generalize to other kinds of ciphers. An encryption mode is used to extend the encryption function to arbitrary-length messages (see, for example, Schneier and Biham).

In general, the work required to search for an unknown $k$-bit key to a known block cipher is $2^k$ in the worst case, or $2^{k-1}$ on the average. Here, and throughout this paper, we measure the work by the number of elementary decryptions attempted, where an elementary decryption is a decryption of one block of ciphertext. For example, in the electronic codebook encryption mode, the adversary needs to decrypt only the first block of ciphertext to obtain the first block of plaintext; this is usually sufficient to identify the correct key. If not, the second block can be decrypted as well.

Sometimes the size of the key space for one's encryption algorithm is fixed, marginal, and can't be improved. For example, one can argue that a 56-bit DES key is marginal (see Blaze et al.). Or one may be encumbered by export regulations that restrict one to a bit secret key.

The question posed here is: is there any way to significantly increase the difficulty for an adversary of performing a brute-force search, while keeping the key size the same and not overly burdening the legitimate communicants? We show that the answer to the question is yes.

Strongly non-separable encryption

The problem with most popular encryption modes is that the adversary can obtain one block of plaintext by decrypting just one block of ciphertext. We illustrate this point with cipher-block chaining (CBC) mode. Let the $s$ blocks of the message be denoted $m_1, m_2, \ldots, m_s$. The CBC mode utilizes an initialization vector $IV$ and a key $K$. The algorithm produces as output ciphertext $c_i$ for $1 \le i \le s+1$, where

$$c_1 = IV$$

and

$$c_{i+1} = E(K, c_i \oplus m_i) \quad \text{for } 1 \le i \le s.$$

Thus

$$m_i = c_i \oplus D(K, c_{i+1}) \quad \text{for } 1 \le i \le s,$$

and so any one of the $s$ message blocks can be obtained with the decryption of just one ciphertext block. This makes the adversary's key-search problem relatively easy, since decrypting a single ciphertext block is generally enough to test a candidate key.

Let us say that an encryption mode for a block cipher is separable if it has the property that an adversary can determine one block of plaintext by decrypting just one block of ciphertext. Thus CBC mode is separable. We wish to design non-separable encryption modes. More precisely, we wish to design strongly non-separable modes, defined as follows.

Definition. Suppose that a block cipher encryption mode transforms a sequence $m_1, m_2, \ldots, m_s$ of $s$ message blocks into a sequence $c_1, c_2, \ldots, c_t$ of $t$ ciphertext blocks, for some $t$, $t \ge s$. We say that the encryption mode is strongly non-separable if it is infeasible to determine even one message block $m_i$ (or any property of a particular message block $m_i$) without decrypting all $t$ ciphertext blocks.

All-Or-Nothing Transforms

We propose to achieve strongly non-separable modes as follows:

  • Transform the message sequence $m_1, m_2, \ldots, m_s$ into a pseudo-message sequence $m'_1, m'_2, \ldots, m'_{s'}$ (for some $s' \ge s$) with an all-or-nothing transform, and
  • Encrypt the pseudo-message with an ordinary encryption mode (e.g. codebook mode) with the given cryptographic key $K$ to obtain the ciphertext sequence $c_1, c_2, \ldots, c_t$.

We call encryption modes of this type all-or-nothing encryption modes. A specific instance of this mode would be all-or-nothing codebook mode, when the encryption mode used is codebook mode, or all-or-nothing CBC mode, etc.

To make this work, the all-or-nothing transform has to have certain properties.

Definition. A transformation $f$ mapping a message sequence $m_1, m_2, \ldots, m_s$ into a pseudo-message sequence $m'_1, m'_2, \ldots, m'_{s'}$ is said to be an all-or-nothing transform if

  • The transformation $f$ is reversible: given the pseudo-message sequence, one can obtain the original message sequence.
  • Both the transformation $f$ and its inverse are efficiently computable (that is, computable in polynomial time).
  • It is computationally infeasible to compute any function of any message block if any one of the pseudo-message blocks is unknown.

We note that an all-or-nothing transformation must really be randomized, so that a chosen or known message attack does not yield a known pseudo-message, and so that a deterministic function which computes the first pseudo-message block is not available as a function to contradict the last requirement above.

We note that the all-or-nothing transformation is not itself encryption, since it makes no use of any secret key information. It is merely an invertible pre-processing step that has certain interesting properties. The actual encryption in an all-or-nothing encryption mode is the operation that encrypts the pseudo-message resulting from the all-or-nothing transform. An all-or-nothing transform is a fixed public transform that anyone can perform on the message to obtain the pseudo-message, or invert given the pseudo-message to obtain the message.

Theorem. An all-or-nothing encryption mode is strongly non-separable.

Proof. We assume that the underlying encryption mode is such that all ciphertext blocks must be decrypted in order to obtain all pseudo-message blocks. (If this were not the case, the encryption mode would not be efficient, and a more efficient reduced mode could be derived from it.) Thus all ciphertext blocks must be decrypted in order to determine any property of any message block. □

The Package Transform

The all-or-nothing scheme we propose here, the package transform, is quite efficient, particularly when the message is long; the cost of an all-or-nothing transform is approximately twice the cost of the actual encryption. We shall also see that all-or-nothing encryption admits fast parallel implementations.

The legitimate communicants thus pay a penalty of approximately a factor of three in the time it takes them to encrypt or decrypt in all-or-nothing mode, compared to an ordinary separable encryption mode. However, an adversary attempting a brute-force attack pays a penalty of a factor of $t$, where $t$ is the number of blocks in the ciphertext.

As an example, if I send you an eight-megabyte message encrypted in all-or-nothing CBC mode with a 56-bit DES key, the adversary must decrypt the entire eight-megabyte file in order to test a single candidate 56-bit key. This expands the work factor by a factor of one million, compared to breaking ordinary CBC mode. Since one million is approximately $2^{20}$, to the adversary this feels like having to break a 76-bit key instead of a 56-bit key.

Using this scheme it can clearly be advantageous for the communicants to pad the message with random data, as it makes the adversary's job harder.

We propose here a particular all-or-nothing transform, which we call the package transform. We note that while it uses a block cipher itself as a primitive, no secret keys are used. Instead, a randomly chosen key is used, and this key can be easily determined from the pseudo-message sequence. The block cipher used in the package transform need not be the same as the block cipher used to encipher the pseudo-message (the package transform output), although it may be. If it is the same encryption algorithm, note that we assume below that the key space for the package transform block cipher is sufficiently large that brute-force search is infeasible, while the motivation for the use of an all-or-nothing encryption mode was that the key space for the outer encryption algorithm was marginal. This situation can arise for variable-key-length block ciphers such as RC. (For concreteness, the reader may imagine that we are working with RC for both the package transform encryption algorithm and the outer encryption algorithm, with bit input/output blocks, a bit encryption key for the package transform, and a bit key for the outer encryption transform.)

For this exposition, then, we assume that the key size of the package transform block cipher is the same as its block size; this assumption can easily be removed and is made here only for convenience in exposition. We also assume that the key space for the package transform block cipher is sufficiently large that brute-force searching for a key is infeasible.

The scheme also uses a fixed, publicly-known
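The text is cut off before the transform is specified, so the following is an added sketch (not code from the paper) of a transform with the properties listed above: a random, non-secret key masks every block, and that key can be recovered only from the complete pseudo-message. The masking and key-folding construction, the truncated HMAC-SHA256 stand-in for block-cipher encryption, and the names `package`, `unpackage`, `fold` and `K0` are assumptions of this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16         # bytes; key size equals block size, as the text assumes
K0 = bytes(BLOCK)  # fixed, public key (constructed value, an assumption)

def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for block-cipher encryption E(key, data): truncated HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")

def fold(key_block: bytes, body) -> bytes:
    """XOR a keyed hash of every body block (bound to its index) into key_block."""
    for i, p in enumerate(body, 1):
        key_block = xor(key_block, prf(K0, xor(p, ctr(i))))
    return key_block

def package(blocks, k_inner=None):
    """Message blocks -> pseudo-message, one block longer. No secret key is used."""
    k_inner = k_inner or secrets.token_bytes(BLOCK)  # random, so output is randomized
    body = [xor(m, prf(k_inner, ctr(i))) for i, m in enumerate(blocks, 1)]
    return body + [fold(k_inner, body)]  # last block hides k_inner behind all others

def unpackage(pseudo):
    """Public inverse: recovering k_inner needs every pseudo-message block."""
    *body, last = pseudo
    k_inner = fold(last, body)
    return [xor(p, prf(k_inner, ctr(i))) for i, p in enumerate(body, 1)]

def correct_blocks_with_one_unknown(pseudo, original, unknown):
    """Guess all-zero for one pseudo-block; count message blocks still recovered."""
    guess = list(pseudo)
    guess[unknown] = bytes(BLOCK)
    return sum(a == b for a, b in zip(unpackage(guess), original))

if __name__ == "__main__":
    msg = [bytes([i]) * BLOCK for i in range(1, 5)]  # constructed sample message
    pseudo = package(msg)
    print(unpackage(pseudo) == msg)
    print([correct_blocks_with_one_unknown(pseudo, msg, j) for j in range(len(pseudo))])
```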
