The Security of "One-Block-to-Many" Modes of Operation

  • Henri Gilbert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


In this paper, we investigate the security, in the Luby-Rackoff security paradigm, of blockcipher modes of operation that allow a one-block input to be expanded into a longer t-block output under the control of a secret key K. Such "one-block-to-many" modes of operation are of frequent use in cryptology. They can be used for stream cipher encryption purposes, and for authentication and key distribution purposes in contexts such as mobile communications. We show that although the expansion functions resulting from modes of operation of blockciphers such as the counter mode or the output feedback mode are not pseudorandom, slight modifications of these two modes provide pseudorandom expansion functions. The main result of this paper is a detailed proof, in the Luby-Rackoff security model, that the expansion function used in the construction of the third generation mobile (UMTS) example authentication and key agreement algorithm MILENAGE is pseudorandom.
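The abstract's claim that the plain counter-mode and output-feedback expansion functions are not pseudorandom, while a two-level MILENAGE-style expansion avoids the problem, can be checked concretely. The following is an added example, not code from the paper or from the MILENAGE specification: it uses a toy 64-bit Feistel permutation (an assumption, standing in for the blockcipher E_K), a constructed key, and illustrative per-block constants c_i in place of MILENAGE's own constants, OP_C masking and rotations, and implements the two-query distinguishers that expose the shifted overlap in the two naive modes.

```python
import hashlib
BLOCK = 8  # toy 64-bit block so the example runs offline
KEY = b"constructed-demo-key"  # constructed sample key

def _f(key, i, half):
    # keyed Feistel round function derived from SHA-256: a toy stand-in, not a real cipher design
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """4-round Feistel permutation on 64-bit blocks, standing in for the blockcipher E_K."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def counter_expand(key, x, t):
    """Counter mode expansion: E_K(x), E_K(x+1), ..., E_K(x+t-1)."""
    n = int.from_bytes(x, "big")
    return [E(key, ((n + i) % 2**64).to_bytes(BLOCK, "big")) for i in range(t)]

def ofb_expand(key, x, t):
    """Output feedback expansion: E_K(x), E_K(E_K(x)), ... iterated t times."""
    out, cur = [], x
    for _ in range(t):
        cur = E(key, cur)
        out.append(cur)
    return out

def two_level_expand(key, x, t):
    """MILENAGE-style expansion: TEMP = E_K(x); output block i = E_K(TEMP xor c_i).
    The constants c_i are illustrative; MILENAGE's own c_i, OP_C masking and rotations are omitted."""
    temp = E(key, x)
    return [E(key, _xor(temp, (i + 1).to_bytes(BLOCK, "big"))) for i in range(t)]

def counter_distinguisher(expand, key, t=4):
    """Query x and x+1; True if the outputs overlap shifted by one block, as counter mode's do
    and a random function's almost never would."""
    a = expand(key, bytes(BLOCK), t)
    b = expand(key, (1).to_bytes(BLOCK, "big"), t)
    return a[1:] == b[:-1]

def ofb_distinguisher(expand, key, t=4):
    """Query x, then query x's first output block; True if the outputs overlap, as OFB's do."""
    a = expand(key, bytes(BLOCK), t)
    b = expand(key, a[0], t)
    return a[1:] == b[:-1]
```

Both distinguishers succeed against the naive modes and fail against the two-level construction; passing these two tests is of course only necessary, not sufficient, for pseudorandomness, which is what the paper's proof establishes for the real MILENAGE expansion.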





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Henri Gilbert, France Télécom R&D