# A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation

@inproceedings{Bellare1997ACS, title={A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation}, author={Mihir Bellare and Anand Desai and E. Jokipii and Phillip Rogaway}, booktitle={FOCS 1997}, year={1997} }

We study notions and schemes for symmetric (i.e. [...] Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning matching upper bounds and attacks) on the success of adversaries as a function of their resources.

Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. E-Mail: {mihir, adesai, ej}@cs.ucsd.edu. URL: http…

## 174 Citations

Complete characterization of security notions for probabilistic private-key encryption

- Computer Science, Mathematics
- STOC '00
- 2000

This work investigates the relation between notions of security for symmetric (private) key encryption and constructs a complete hierarchy of private-key security notions indicating equivalences, separations, and incomparabilities.

Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation

- Computer Science, Mathematics
- FSE
- 2000

This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.

Notions and relations for RKA-secure permutation and function families

- Computer Science, Mathematics
- Des. Codes Cryptogr.
- 2011

The first part of the paper shows that secure tweakable permutation families in the sense of strong pseudorandom permutation (SPRP) can be transformed into secure permutation families in the sense of SPRP against some classes of RKA (SPRP–RKA), and other security notions for RKA-secure block ciphers are defined.

Relations among Notions of Security for Public-Key Encryption Schemes

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 1998

The goals of privacy and non-malleability are considered, each under chosen plaintext attack and two kinds of chosen ciphertext attack, and a new definition of non-malleability is proposed which the author believes is simpler than the previous one.

Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2006

It is suggested that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), and it is shown that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption

- Computer Science, Mathematics
- USENIX Security Symposium
- 2002

It is argued that the best way to prevent all of these attacks is to insist on integrity of ciphertexts in addition to semantic security as the “proper” notion of privacy for symmetric encryption schemes.

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

- Computer Science, Mathematics
- Journal of Cryptology
- 2008

This work considers two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relates them to the standard notions of privacy IND-CCA and NM-CPA by presenting implications and separations between all notions considered.

Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions

- Computer Science, Mathematics
- CRYPTO
- 1999

This paper considers the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC, and looks at three popular transforms, namely CBC, Feistel and the Merkle-Damgard method, and shows that each preserves unforgeability.

Security Analysis of Signcryption Scheme from q-Diffie-Hellman Problems

- Computer Science, Mathematics
- 2005

The Libert-Quisquater q-DH signcryption scheme proposed in SCN’2004 is analysed and it is shown that the semantically secure symmetric encryption scheme defined in their paper is not sufficient to guarantee their signcryption scheme to be secure against adaptive chosen ciphertext attacks.

Stateful public-key cryptosystems: how to encrypt with one 160-bit exponentiation

- Computer Science, Mathematics
- CCS '06
- 2006

This work presents stateful versions of the DHIES and Kurosawa-Desmedt schemes that each use only 1 exponentiation to encrypt, yielding the fastest discrete-log based public-key encryption schemes known in the random-oracle and standard models respectively.

## References

Showing 1-10 of 25 references

Optimal Asymmetric Encryption - How to Encrypt with RSA

- Computer Science, Mathematics
- 1995

A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which the adversary knows the corresponding plaintexts, and is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

The Exact Security of Digital Signatures - How to Sign with RSA and Rabin

- Computer Science, Mathematics
- EUROCRYPT
- 1996

An RSA-based signing scheme which combines essentially optimal efficiency with attractive security properties and a second scheme which maintains all of the above features and in addition provides message recovery is provided.

An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information

- Computer Science
- CRYPTO
- 1984

This paper introduces the first probabilistic public-key encryption scheme which combines the following two properties: perfect secrecy with respect to polynomial time eavesdroppers and effectiveness in both encoding and decoding time and bandwidth expansion.

Public Randomness in Cryptography

- Computer Science, Mathematics
- CRYPTO
- 1992

The main contribution of this paper is the introduction of a formal notion of public randomness in the context of cryptography. We show how this notion affects the definition of the security of a…

Advances in cryptology--CRYPTO '91 : proceedings

- Computer Science, Mathematics
- 1992

This work focuses on the design and analysis of protocols for access control in distributed systems, and the shared generation of authenticators and signatures in public cryptosystems.

The Security of Cipher Block Chaining

- Computer Science, Mathematics
- CRYPTO
- 1994

This work provides its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a Pseudo-Cipher Block Chaining function.

XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions

- Computer Science, Mathematics
- CRYPTO
- 1995

We describe a new approach for authenticating a message using a finite pseudorandom function (PRF). Our "XOR MACs" have several nice features, including parallelisability, incrementality, and…

Public-key cryptosystems provably secure against chosen ciphertext attacks

- Computer Science, Mathematics
- STOC '90
- 1990

We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive…

Pseudorandom functions revisited: the cascade construction and its concrete security

- Computer Science, Mathematics
- Proceedings of 37th Conference on Foundations of Computer Science
- 1996

The authors investigate new ways of designing pseudorandom function families, and propose the cascade construction, and provide a concrete security analysis which relates the strength of the cascade to that of the underlying finite pseudorandom function family in a precise and quantitative way.

Security preserving amplification of hardness

- Computer Science, Mathematics
- Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science
- 1990

The task of transforming a weak one-way function (which may be easily inverted on all but a polynomial fraction of the range) into a strong one-way function (which can be easily inverted only on a…