Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation

  • Jonathan Katz
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1978)


We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary’s inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security.

Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit blocksize), it has highly parallelizable encryption and decryption operations.


Encryption Scheme Block Cipher Oracle Query Challenge Ciphertext Decryption Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    ANSI X3.106, “American National Standard for Information Systems—Data Encryption Algorithm—Modes of Operation,” American National Standards Institute, 1983.Google Scholar
  2. 2.
    M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation. FOCS 1997.Google Scholar
  3. 3.
    M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. CRYPTO 1998.Google Scholar
  4. 4.
    M. Bellare, O. Goldreich, and S. Goldwasser. Incremental Cryptography and Application to Virus Protection. STOC 1995.Google Scholar
  5. 5.
    M. Bellare and P. Rogaway. On the Construction of Variable-Input-Length Ciphers. FSE 1999.Google Scholar
  6. 6.
    E. Biham. Cryptanalysis of Multiple Modes of Operation. J. of Cryptology 1998.Google Scholar
  7. 7.
    E. Biham and L.K. Knudsen. Cryptanalysis of the ANSI X9.52 CBCM Mode. EUROCRYPT 1998.Google Scholar
  8. 8.
    D. Bleichenbacher and A. Desai. A Construction of a Super-Pseudorandom Cipher. Manuscript, February 1999.Google Scholar
  9. 9.
    D. Dolev, C. Dwork, and M. Naor. Non-malleable Cryptography. SIAM J. Computing, to appear; a preliminary version appears in STOC 1991.Google Scholar
  10. 10.
    S. Goldwasser and S. Micali. Probabilistic Encryption. JCSS, 28: 270–299, 1984.zbMATHMathSciNetGoogle Scholar
  11. 11.
    ISO 8372, “Information Processing—Modes of Operation for a 64-bit Block Cipher Algorithm,” International Organization for Standardization, Geneva, Switzerland, 1987.Google Scholar
  12. 12.
    M. Jakobsson, J.P. Stern, and M. Yung. Scramble All, Encrypt Small. FSE 1999.Google Scholar
  13. 13.
    C.J.A. Jansen and D.E. Boekee. Modes of Blockcipher Algorithms and Their Protection Against Active Eavesdropping. EUROCRYPT 1987.Google Scholar
  14. 14.
    C. Kaufman, R. Perlman, and M. Speciner. “Network Security: Private Communication in a Public World,” Prentice Hall, New Jersey, 1995, pp. 89–92.Google Scholar
  15. 15.
    J. Katz and B. Schneier. A Chosen Ciphertext Attack Against Several E-mail Encryption Protocols. 9th USENIX Security Symposium, to appear.Google Scholar
  16. 16.
    J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. STOC 2000.Google Scholar
  17. 17.
    J. Katz and M. Yung. Chosen-Ciphertext Secure Incremental Encryption. Manuscript, February 2000.Google Scholar
  18. 18.
    M. Luby. Chapter 14, “Pseudorandomness and Cryptographic Applications,” Princeton University Press, 1996.Google Scholar
  19. 19.
    C.H. Meyer and S.M. Matyas. “Cryptography: A New Dimension in Computer Data Security,” John Wiley & Sons, New York, 1982.zbMATHGoogle Scholar
  20. 20.
    M. Naor and O. Reingold. On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. STOC 1997; also: personal communication, December 1999.Google Scholar
  21. 21.
    M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. STOC 1990.Google Scholar
  22. 22.
    National Bureau of Standards, NBS FIPS PUB 81, “DES Modes of Operation,” U.S. Department of Commerce, 1980.Google Scholar
  23. 23.
    B. Preneel. Cryptographic Primitives for Information Authentication—State of the Art. State of the Art in Applied Cryptography, 1997.Google Scholar
  24. 24.
    B. Preneel, M. Nuttin, V. Rijmen, and J. Buelens. Cryptanalysis of the CFB Mode of the DES with a Reduced Number of Rounds. CRYPTO 1993.Google Scholar
  25. 25.
    C. Rackoff and D. Simon. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. CRYPTO 1991.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Jonathan Katz
    • 1
  • Moti Yung
    • 2
  1. 1.Department of Computer ScienceColumbia UniversityColumbia
  2. 2.CertCoNYUSA

Personalised recommendations