EFFICIENT ALL-OR-NOTHING ENCRYPTION
USING CTR MODE
Robert P. McEvoy and Colin C. Murphy
Department of Electrical & Electronic Engineering,
University College Cork, Ireland.
Keywords:
All-or-Nothing Transforms, CTRT, CTR Mode, Efficient Symmetric-Key Encryption, MANETs.
Abstract:
All-or-Nothing Encryption is a useful technique which can heighten the security of block ciphers. It can
also be used to design faster symmetric-key cryptosystems, by decreasing the number of required encryption
operations at run-time. An open problem in the literature regards the speed of all-or-nothing encryption, which
we address in this paper by combining two techniques from the literature, forming a new all-or-nothing mode
of operation. Trade-offs in the implementation of this design are considered, and theoretical proofs of security
are provided.
1 INTRODUCTION
All-or-Nothing Transforms were originally proposed
by Rivest, as a method to hinder brute-force key
search attacks on block ciphers such as DES (Rivest,
1997). Essentially, All-or-Nothing Encryption con-
sists of two stages. By applying an All-or-Nothing
Transform (AONT) to a plaintext message, a ‘pseudo-
message’ is formed. This pre-processing stage is
not considered encryption, however, as the AONT
does not utilise a secret key. An All-or-Nothing En-
cryption (AONE) mode is formed when the AONT
output is encrypted using a symmetric block cipher.
The resulting cryptosystem has the property that a
brute-force attacker must decrypt all of the ciphertext
blocks when testing each key. Hence, an exhaustive
key-search attack on an AONE mode is slowed, in
proportion to the number of blocks in the ciphertext.
However, modern symmetric-key cryptosystems
are based on block ciphers with longer key lengths
than DES, such as AES (minimum 128 bits). An at-
tack on AES-128 is beyond the capability of mod-
ern computers, and it is believed that 128-bit sym-
metric keys will be secure until after the year
2030 (ECRYPT, 2006).
A second, more currently relevant application of
AONTs relates to increasing the efficiency of block-
cipher based encryption schemes (Johnson et al.,
1996). In this scheme, an AONT is applied to a
plaintext message as above, but only some (as op-
posed to all) of the pseudo-message blocks are sub-
sequently encrypted. The AONT mixes the plaintext
in such a way that all of the pseudo-message blocks
are required in order to invert the transform and regain
the plaintext. Therefore, fewer secret-key encryptions
and decryptions are required.
In order for this ‘efficient encryption’ application
of AONTs to be worthwhile, the AONT used must it-
self be quickly and efficiently computable. In (Rivest,
1997), an AONE mode was presented where the time
penalty for encryption was a factor of 3 greater than
standard CBC mode encryption, along with an open
question as to whether this latency could be improved.
Desai (Desai, 2000) proposed an AONT construction
which reduced the relative penalty to a factor of 2.
In this paper, a new AONE mode is considered for
the first time, combining Desai’s AONT and the well-
known CTR mode of encryption. We show that when
our design is used, the penalty for AONE can, un-
der certain circumstances, be reduced to the negligi-
ble cost of just one xor operation.
The rest of this paper is organised as follows. The
following section defines AONTs, and surveys related
work. In Section 3 we present the new all-or-nothing
encryption mode, analyse its efficiency, and consider
some applications where it would be beneficial. Sec-
tion 4 focuses on the provable security of the scheme,
and conclusions are given in Section 5.
2 ALL-OR-NOTHING
TRANSFORMS
2.1 Definitions
Informally, an all-or-nothing transform f maps
a sequence of plaintext blocks x
1
, x
2
, . . . , x
n
to
a sequence of pseudo-message blocks, denoted
237
P. McEvoy R. and C. Murphy C. (2006).
EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE.
In Proceedings of the International Conference on Security and Cryptography, pages 237-245
DOI: 10.5220/0002098902370245
Copyright
c
SciTePress
y
1
, y
2
, . . . , y
m
. As put forward in (Rivest, 1997),
AONTs should possess four properties:
Given the sequence of pseudo-message blocks, one
can invert the transform to retrieve the plaintext
blocks.
Both the AONT and its inverse should be efficiently
computable.
All AONTs should be randomised, in order to avoid
chosen-message and known-message attacks.
Most importantly, if any one of the pseudo-
message blocks is unknown, it should be computa-
tionally infeasible to invert the AONT, or determine
any function of any plaintext block.
Since the original proposal, several other authors
have published formal AONT definitions in the lit-
erature. The definitions differ in the strength of the
security notions which each author uses.
Desai (Desai, 2000) defined a new notion of se-
curity for AONTs, called ‘non-separability of keys’,
which captures the requirement for an adversary to
decrypt every block of ciphertext before gaining any
information about the underlying key. In addition,
Desai required his AONTs to be secure in the ‘indis-
tinguishability of encryptions’ sense, which is a no-
tion defined in (Bellare et al., 1997). Furthermore,
the AONT pseudo-message should be indistinguish-
able from a random string. We adopt these notions of
security in our constructions.
2.2 Applications
In this paper, we focus on the use of AONTs for
efficient encryption in symmetric-key block cipher
cryptosystems. This is discussed further in Sec-
tion 3. Another application of AONTs has already
been mentioned in Section 1, namely the original ap-
plication of impeding brute-force key search attacks.
In their respective theses, Boyko (Boyko, 2000) and
Dodis (Dodis, 2000) both give excellent surveys of
potential AONT applications. These include remotely
keyed encryption, gap secret sharing and protecting
against partial key exposure. Subsequent publications
have proposed the use of AONTs in electronic voting
protocols (Kiong and Samsudin, 2003), ‘multiple en-
cryption’ schemes (Zhang et al., 2004b), and secure
file deletion schemes (Peterson et al., 2005).
2.3 Constructions
This paper deals specifically with the CTR-Transform
(CTRT) of (Desai, 2000), which is described in Sec-
tion 3, where it is used in our proposed efficient
symmetric-key AON encryption scheme. Several
other candidate constructions for AONTs have been
proposed in the literature. These are listed below, with
references for the interested reader.
Package Transform (Rivest, 1997)
OAEP (Boyko, 2000)
Exposure-Resilient Function-based Trans-
forms (Dodis et al., 2001)
Quasigroup-based AONTs (Marnas et al., 2003)
‘Extended-Indistinguishable’ AONTs (Zhang
et al., 2004a)
Error-Correcting Code-based AONTs (Byers et al.,
2006)
3 CTRT-CTR ENCRYPTION
This section introduces our new mode of all-or-
nothing encryption, which we call ‘CTRT-CTR’. In
essence, it combines Desai’s CTRT AONT (Desai,
2000) with the popular CTR mode of block cipher en-
cryption (Lipmaa et al., 2000). Indeed, it is surprising
that this mode has not been suggested already in the
literature. We show that CTRT-CTR affords fast AON
encryption, that is not attainable with other AONTs or
encryption modes discussed in the literature to date.
3.1 Package Transform
Before examining the CTR Transform, it is instruc-
tive to first consider Rivest’s original AONT proposal,
the ‘Package Transform’ (Rivest, 1997). Since the
package transform is based on a block cipher F , the
plaintext message x being processed is broken up into
fixed-sized blocks of data, labelled x
1
, x
2
, . . . , x
n
. A
random key K
is chosen for the AONT, from a large
enough keyspace to deter a brute force attack. Note
that this key is not a ‘secret key’, and it does not
have to be shared explicitly with the recipient of the
message via public-key cryptography. The pseudo-
message y is calculated as follows:
y
i
= x
i
F
K
(i) (1)
for i = 1, . . . , n, where F
K
(·) denotes encryption
with the block cipher F using the key K
, and de-
notes bit-wise xor. To complete the package trans-
form, a further pseudo-message block y
n+1
is added:
y
n+1
= K
h
1
h
2
· · · h
n
(2)
where
h
i
= F
K
0
(y
i
i) (3)
for i = 1, . . . , n, and K
0
is a fixed, publically
known key. In effect, the final pseudo-message block
comprises a hash of all the previous pseudo-message
blocks, xored with the random key K
. To invert the
SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY
238
transform, the receiver simply calculates the random
key, and uses it to decrypt the first n pseudo-message
blocks:
K
= y
n+1
h
1
· · · h
n
(4)
x
i
= y
i
F
K
(i) (5)
for i = 1, . . . , n. Rivest observed that if the pack-
age transform was combined with an ordinary encryp-
tion mode such as CBC, the time to encrypt would in-
crease threefold, as three passes through the block ci-
pher encryption would be required. Rivest set the task
of reducing this latency as an open problem, which
Desai solved using the CTR transform.
3.2 CTR Transform
In the CTR Transform, as in the case of the package
transform, a random key K
is chosen, and the plain-
text is transformed via:
y
i
= x
i
F
K
(i) (6)
The final pseudo-message block is given by:
y
n+1
= K
y
1
y
2
· · · y
n
(7)
Clearly, CTRT operates in the same fashion as the
package transform, with one block cipher encryption
stage omitted. In fact, Equations (6) and (7) are equiv-
alent to Equations (1) and (2) with h
i
= y
i
. The fi-
nal pseudo-message block is composed of the random
key K
xored with all of the previous pseudo-message
blocks. Intuitively, this may seem less secure than
the package transform, yet it is proven secure within
the model and definitions used in (Desai, 2000). Us-
ing CTRT, Desai reduced the cost of all-or-nothing
encryption to just a factor of two greater than CBC
mode, hence answering the open problem of (Rivest,
1997).
3.3 CTRT-CTR Mode
In the CTR mode of encryption (Lipmaa et al., 2000),
the sender maintains an l-bit counter ctr, where l is
the block length of the underlying cipher F . The
value of ctr can be transmitted in the clear to the
receiver when sending the ciphertext. A plaintext
x
1
, x
2
, . . . , x
n
is encrypted with a shared secret key
K to a ciphertext z
1
, z
2
, . . . , z
n
according to:
z
i
= x
i
F
K
(ctr + i) (8)
for i = 1, . . . , n. Decryption is performed on the re-
ceiver side according to:
x
i
= z
i
F
K
(ctr + i) (9)
for i = 1, . . . , n.
ctr
x
i
z
F
1
K’
i
K
ctr+i
+1 +1
F
i
Figure 1: CTRT-CTR Mode Encryption, Equation (11).
Here we propose combining the CTR mode of en-
cryption with the CTRT transform, via:
z
i
= y
i
F
K
(ctr + i) (10)
= x
i
F
K
(i) F
K
(ctr + i) (11)
for i = 1, . . . , n. For the final ciphertext block:
z
n+1
= K
y
1
· · · y
n
F
K
(ctr + n + 1) (12)
To decrypt a message encrypted with CTRT-CTR,
the receiver first calculates pseudo-message blocks:
y
i
= z
i
F
K
(ctr + i) (13)
for i = 1, . . . , n, and uses their xor to uncover the
random key K
:
K
= z
n+1
F
K
(ctr + n + 1)
M
n
i=1
y
i
(14)
A second pass is then required, where K
is used to
retrieve the plaintext message blocks x
i
:
x
i
= y
i
F
K
(i) (15)
CTRT-CTR encryption is illustrated for block i
(i 6= n + 1) in Figure 1.
3.4 Latency Considerations
The attraction of CTR-CTRT lies in its suitability for
pre-calculation and parallelisation. With reference to
Equation (11), it can be seen that all of the variables
to be encrypted by F are potentially known by the
sender before the plaintext block x
i
becomes avail-
able. Therefore, the sender can use idle clock cycles
to pre-compute F
K
(i) F
K
(ctr + i). When x
i
be-
comes available, it can be quickly encrypted on-the-
fly using a single l-bit xor. Therefore, given the nec-
essary processing/memory resources, CTRT-CTR can
acutely reduce the run-time cost of AON encryption.
This saving is possible because the CTRT and CTR
mode do not operate directly on the plaintext blocks
(other than with xor), and each ciphertext block is in-
dependent of the others. To the best of our knowl-
edge, no other AONT or block cipher encryption
mode in the literature possesses this property. Of
course, not all implementations of AONE systems
will have the capacity for full pre-calculation and stor-
age of the F
K
(i) F
K
(ctr + i) ‘one-time pad’. Be-
low we present four implementation scenarios, begin-
ning with the fastest. These are summarised in Fig-
ure 2.
EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE
239
(1) Full pre-processing: In this scenario, we assume
that the sender A has knowledge of the secret key
K before the plaintext x becomes available. A
computes F
K
(i) and F
K
(ctr+i) during idle clock
cycles, requiring l(2n + 1) bits of memory storage.
The run-time latency for encryption is negligible
(i.e. one l-bit xor).
(2) Partial pre-processing: Here we assume that A
does not know K before x becomes available. Be-
cause A chooses K
, the F
K
(i) values (i.e. the
AONT part) can be calculated in advance, but the
F
K
(ctr + i) must be computed during run-time.
The latency in this scenario is the same as for ordi-
nary CBC mode encryption, and nl bits of storage
are required.
(3) Online parallel processing: In this case, A has
no capability (or perhaps desire) for storage, but
has two block cipher encryption engines at its dis-
posal. These may be dedicated hardware cores,
or microprocessors configured to perform F effi-
ciently. This scheme runs at the same speed as or-
dinary CBC encryption, but requires no storage.
(4) Online processing: In this worst case, A per-
forms no pre-processing, and has one F -processor
available to it. Then the cost is the same as De-
sai’s proposed CTRT-ECB scheme, i.e. twice that
of CBC encryption. Memory of nl bits is also re-
quired to store intermediate results.
We note that the savings from using CTRT-CTR
mode are forthcoming only on the transmission side.
Receiver B must perform decryption in two stages, as
described in Equations (13)-(15) (Equation (14) can
be calculated cumulatively to save memory). This
penalty is no worse than that for a receiver decrypt-
ing Desai’s CTRT-ECB mode, however.
3.5 Efficient All-or-Nothing
Encryption
CTRT-CTR mode can be further enhanced using the
‘efficient encryption’ method (United States Patent
5,870,470) introduced in Section 1, and pioneered
in (Johnson et al., 1996). This technique takes ad-
vantage of the fact that an AONT cannot be inverted
unless all of the pseudo-message blocks are known.
Knowledge of some of the pseudo-message blocks
should not reveal any information about the plain-
text. Therefore, it should be possible to encrypt only
a subset (as opposed to all) of the pseudo-message
blocks, and still maintain the same level of security.
The provable security of this remarkable scheme is
investigated in Section 4.
The efficient CTRT-CTR encryption scheme would
proceed as follows. Sender A applies the CTRT to the
plaintext, as described by Equations (6) and (7). A
3xCBC
2xCBC
CBC
0
0
nl
2nl
(Rivest)
(4)
(Desai)
(3) (7)
(2)
(6)
(5)
(1)
Intermediate Memory (bits)
Run-time latency
Figure 2: Performance Trade-offs with AONE.
then chooses a subset of the pseudo-message blocks
to encrypt, whose indices are given by S, where
#S = r, 1 r n. Of course, S must be made
public so that receiver B can decrypt the ciphertext.
To form the ciphertext z, A computes:
z
i
=
y
i
F
K
(ctr + i) for i S
y
i
for i / S
(16)
The efficient encryption method allows even faster
implementations of CTRT-CTR. Assuming r = 1 (i.e.
just one pseudo-message block is encrypted), the sce-
narios described in Section 3.4 become:
(5) Full pre-processing: Run-time latency of one
xor (negligible), l(n + 1) bits of memory.
(6) Partial pre-processing: Run-time latency of one
xor and one encryption, nl bits of memory.
(7) Online processing: Run-time latency approxi-
mately that of ordinary CBC encryption (as r <<
n), regardless of multiple processors. No extra
memory required.
Figure 2 summarises the latency/memory trade-off
associated with implementing CTRT-CTR in software
or hardware. Fast, efficient all-or-nothing encryp-
tion is clearly attainable if the application justifies the
added processing and storage costs. The best results
are obtained by combining CTRT-CTR (or CTRT in
any encryption mode) with the efficient encryption
system of (Johnson et al., 1996). Fewer encryption
operations are necessary, therefore the system power
consumption is lower. However, the performance
bonus must be traded off against the costs associated
with using this patented method.
3.6 Applications
CTRT-CTR encryption would clearly be beneficial in
applications where fast on-the-fly AON encryption is
required, such as secure mobile telecommunications
networks or MANETs (Mobile Ad-Hoc NETworks).
MANETs are mainly used in highly mobile and hos-
tile environments, where data confidentiality is im-
portant. Typical examples of nodes in a MANET in-
clude units where processing power and battery life
SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY
240
are limited, such as backpack radios, handheld de-
vices, and vehicle computers (Berman, 2005). Con-
strained environments such as these are well suited
to secure, efficient all-or-nothing encryption schemes
such as CTRT-CTR.
CTRT-CTR is also especially useful in proto-
cols where the existing encryption mechanism is a
block cipher (e.g. AES), as the encryption soft-
ware/hardware can be re-used to perform the AONT,
deeming implementation of additional algorithms un-
necessary.
4 PROOFS OF SECURITY
The provable security of the proposed CTRT-CTR
scheme is now considered. We also analyse how
the security changes when we incorporate CTRT-CTR
and Johnson et al.s efficient encryption technique.
For convenience, the definitions and notation used in
our theorems rely heavily on those used by (Desai,
2000). In particular, we employ the framework used
in Theorem 3 and Lemma 14 of that work, and extend
those results.
4.1 Existing Security Results
Desai proved his results in the Shannon model (‘ideal
model’) of a block cipher (Shannon, 1949). In
essence, the Shannon model states that each new key
to the block cipher defines an independent random
permutation F
k
(·). Desai defined a notion of security
for AONTs, based on indistinguishability from a
random string. The experiment (or ‘game’) used to
capture this notion is as follows:
AONT Let Π
= (E
, D
) be an AONT of block length
l. For adversary A and bit b = 0 or 1 define Exp
aon
Π
(A, b) as:
01 (x, s) A(find);
02 y
0
E
(x); \\ All-or-nothing Transform
03 y
1
{0, 1}
|y
0
|
; \\ Random |y
0
|-bit string
04 d A
Y
(guess, s);
05 return d.
The advantage function of Π
is defined as:
Adv
aon
Π
(t, m) = max
A
{Pr[Exp
aon
Π
(A, 0) = 0]
Pr[Exp
aon
Π
(A, 1) = 0] }
(17)
where A runs with time complexity t, and
|y
0
| = |y
1
| = ml (i.e. m l-bit blocks). The nota-
tion A
Y
means that A has access to an oracle Y, taking
an index j {1, . . . , m} and returning y
b
[j], where
y
b
= y
b
[1], . . . , y
b
[m]. At most m queries are allowed
to Y during the guess stage. In addition, s denotes state
information generated by the results of As queries.
Based on any m 1 blocks of the challenge,
adversary A has to decide whether the challenge is
a real AONT output, or a randomly chosen string.
Equation (17) measures As maximum probability of
success in this game, which should be negligible.
Indistinguishability of encryptions (Bellare
et al., 1997) is an important security notion for block
cipher encryption schemes, described below:
IND Let Π = (K, E, D) be an encryption mode. For
adversary A and bit b = 0 or 1 define Exp
ind
Π
(A, b) as:
01 F BC(k, l); \\ Choose block cipher at random
02 a K(1
k
); \\ Choose key of length k
03 (x
0
, x
1
, s) A
F,F
1
,E
F
a
,F
1
a
(find);
04 y E
F
a
,F
1
a
(x
b
); \\ Apply encryption mode
05 d A
F,F
1
,E
F
a
,F
1
a
(guess, y, s);
06 return d.
The advantage function of Π is defined as:
Adv
ind
Π
(t, m, p, q, µ) = max
A
{Pr[Exp
ind
Π
(A, 1) = 1]
Pr[Exp
ind
Π
(A, 0) = 1] }
(18)
where A runs with time complexity t, p is the maximum
number of queries allowed to F /F
1
, |y| = ml, and q is
the maximum number of queries allowed to E
F
a
,F
1
a
, these
totalling at most µ bits.
In this game, A is given a ciphertext, and must
determine which of two plaintexts it corresponds to.
If the encryption mode is secure in the IND sense, As
success probability should be negligible. Theorem 3
of (Desai, 2000) quantifies this success probability
when the encryption mode is an all-or-nothing ECB
mode. He proved that if n 2:
Adv
ind
Π
(t, m, p, q, µ) 2m Adv
aon
Π
(t
, m)+
2mp
2
k
+
2m
2
l
(19)
where n is the number of l-bit plaintext blocks,
t
= t + (
µ
l
+ m 1).T + O(ml + pl + µ), and
T is the time taken to decode a ml-bit string using D
.
In the specific case where the AONT is CTRT,
Desai also proved that for k l and m + p 2
k1
,
then:
Adv
aon
CTRT
(t, m, p)
m
2
+ 8p
2
k
(20)
where k is the key length of the underlying block ci-
pher, and t, m and p are as defined above.
4.2 Security of AONT-CTR
Encryption
We extend the result of Equation (19) to evaluate
the IND-security of the CTR mode of all-or-nothing
encryption. Note that all m pseudo-message blocks
are encrypted using CTR mode in this case. The
security of the ‘efficient AON encryption’ scheme of
EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE
241
Section 3.5 is considered in Section 4.3.
Theorem 1 Let Π = (K, E, D) be an all-or-
nothing CTR mode in the Shannon model, using
AONT Π
= (E
, D
). Then for n 2:
Adv
ind
Π
(t, m, p, q, µ) 2m Adv
aon
Π
(t
, m)+
2p
2
k
+
2m
2
l
(21)
where t
= t + (
µ
l
+ m 1).T + O(ml + pl + µ)
and all other variables are as defined in Section 4.1.
Proof A new game COLL is defined as follows:
COLL Let Π = (K, E, D) be an AONT-CTR mode.
For adversary A define Exp
coll
Π
(A) as:
01 a K(1
k
); \\ Choose key of length k
02 (x, s, Elist
F
) A
F,F
1
,E
F
a
,F
1
a
(find);
03 y E
F
a
,F
1
a
(x); \\ Apply AONT-CTR
04 Elist
G
A
F,F
1
,E
F
a
,F
1
a
(guess, y, s);
05 for i, j [m] {
06 if(i 6= j y[i] = y[j]) (y[i] Elist
F
Elist
G
)
07 then d 1, else d 0; }
08 return d.
The success function of Π is defined as:
Succ
coll
Π
(t, m, p, q, µ) = max
A
{Pr[Exp
coll
Π
(A) = 1]} (22)
where A runs with time complexity t, [m] denotes the
set {1, . . . , m}, and all other variables are as defined
in Section 4.1. and denote logical AND and OR,
respectively. Elist
F
and Elist
G
(‘Encryption lists’) contain
the answers to As E
F
a
,F
1
a
queries during the find and
guess stages.
This COLL experiment measures the probabil-
ity of collision between ciphertext blocks, across
queries. We proceed to relate Succ
coll
Π
to Adv
aon
Π
by a
contradiction argument. Later, we will relate Succ
coll
Π
to Adv
ind
Π
, and arrive at the theorem statement by
substitution.
Consider an AONT adversary A, built using a
COLL adversary B. Because A has no oracles other
than Y, it must simulate Bs oracles. The A(find)
algorithm (i.e. AONT line 01) becomes:
A(find) :
01 a K(1
k
); \\ Choose key of length k
02 T list {}; \\ Initialise Tlist
03 (x, s) B(find);
04 s
(s, x, a, Tlist);
05 return (x, s
).
where Tlist is similar to Bs Elist, except that it
holds the pseudo-message blocks returned from
queries to E
F
a
,F
1
a
, and the corresponding block
indices. A
Y
(guess, s) (i.e. AONT line 04) becomes:
A
Y
(guess, (s, x, a, Tlist)) :
01 j [m]; \\ Choose index j at random
02 for i [m] i 6= j {
03 y[i] Y(i); \\ Retrieve challenge block i
04 Tlist Tlist ∪{(y[i], i)};
05 z[i] y[i] F
a
(ctr + i); }
06 for i [| Tlist |]{
07 (block, index) Tlist[i];
08 Elist[i] block F
a
(ctr + index); }
09 z[j] {0, 1}
l
\ Elist;
10 Tlist Tlist B(guess, z, s);
11 for i [| Tlist |]{
12 y[j] Tlist[i];
13 x
i
D
(y); \\ Inverse AONT
14 if (x
i
== x){d 0; return d}}
15 d 1; return d.
In lines 01 to 05, A
Y
(guess) forms all but one
block of Bs challenge ciphertext z, based on the
m 1 blocks of its own challenge y that it receives
from Y. For the missing block z[j], A must choose
a random string, but has to ensure that B has not
seen this block already in its find stage, otherwise
a collision would be guaranteed. This requirement
is met by lines 06 to 09. Finally in lines 11 to 15,
A searches incrementally through Tlist, inserting a
block from Tlist in place of its missing y[i] block,
and inverting. If the result of the transform inversion
equals the original plaintext message x, then A
concludes that the challenge y was real (as opposed
to random).
We now calculate Adv
aon
Π
(A). For simplicity, we
use Pr
b
[A = 0] to denote Pr[Exp
aon
Π
(A, b) = 0].
Adv
aon
Π
(A) = Pr
0
[A = 0] Pr
1
[A = 0] (23)
Define the event C to be the event that the missing
pseudo-message block y[j] is on the Tlist. Expanding
the first term in Equation (23):
Pr
0
[A = 0] =Pr
0
[A = 0|C].Pr
0
[C]+
Pr
0
[A = 0|
¯
C].Pr
0
[
¯
C]
(24)
From the description of A
Y
(guess), Pr
0
[A = 0|C]
is clearly equal to unity. This implies:
Pr
0
[A = 0] 1.Pr
0
[C] (25)
Intuitively, one would expect Pr
0
[C] to be lower
bounded by Succ
coll
Π
(B) via:
Pr
0
[C]
1
m
Succ
coll
Π
(B)
since Succ
coll
Π
(B) gives the probability of collision
with one of the blocks of y, and C implies collision
with y[j]. However, we must also take into account
that As challenge to B is incorrectly formed, as block
z[j] is randomly chosen. There is a chance that B,
through its queries to F/F
1
, will realise this, caus-
ing it to abort the game. It is in evaluating this proba-
bility that our proof differs from that of Desai.
SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY
242
We now examine how B could discover the anom-
aly. Consider the case where B queries F with a
block of its choice, key k
1
and index j, and receives
the block z[j] in return. B can then test key k
1
on
some known plaintext/ciphertext, but since k
1
6= a,
the known plaintext encrypted under k
1
will not equal
the known ciphertext. B will realise that z[j] was not
the result of an encryption with key a, and abort the
game.
The number of different block cipher permutations
in CTR mode is m.2
k
. For each permutation, there
exists some string that will encrypt to give z[j], which
would cause B to abort. Therefore, the maximum
probability of B choosing one such query (and choos-
ing index = j) is
p
m.2
k
(recall p is the maximum num-
ber of queries allowed to F/F
1
). Taking this into
account, Pr
0
[C] is lower bounded by:
Pr
0
[C]
1
m
Succ
coll
Π
(B)
p
m.2
k
(26)
Combining Equations (25) and (26):
Pr
0
[A = 0]
1
m
Succ
coll
Π
(B)
p
m.2
k
(27)
The next step is to upper bound the second term in
Equation (23), Pr
1
[A = 0]. This is the ‘false proba-
bility’ of success, i.e. the probability that A will re-
turn d = 0 when the challenge y was, in fact, random.
From the code for A(guess), it is clear that this can
only occur if there is (at least) one other AONT out-
put y
1
which also decodes to x. The probability of
this event is independent of the encryption mode in
which the AONT mode is used, therefore we can re-
use Desai’s result:
Pr
1
[A = 0]
1
2
l
(28)
for n 2. Substituting Equations (27) and (28) into
Equation (23), and rearranging, gives:
Adv
coll
Π
(t, m, p, q, µ) m Adv
aon
Π
(t
, m)+
p/2
k
+ m/2
l
(29)
where t
= t + (
µ
l
+ m 1).T + O(ml + pl + µ),
which is the complexity of running A.
The penultimate step is to consider an adversary
A in the IND sense, and relate Adv
ind
Π
(A) to
Succ
coll
Π
(A). Due to space restrictions, we do not
present the argument here, but note that it is the same
as that of (Desai, 2000), as it is mode-independent.
We state:
Adv
ind
Π
(A) 2. Succ
coll
Π
(A) (30)
Finally, combining Equations (29) and (30) gives
Equation (21), the theorem result.
Comparing the result of Theorem 1 with Equa-
tion (19), it can be seen that AONT-ECB mode and
AONT-CTR mode achieve similar levels of security,
in the indistinguishability of encryptions sense. The
adversarial advantage is, in fact, smaller in AONT-
CTR mode, due to the larger set of permutations
opened up by the inclusion of the block index in the
encryption operation. Therefore, AONT-CTR is more
secure than AONT-ECB, although neither is insecure.
4.3 Security of Efficient AONT-CTR
Encryption
We now consider the scenario where an AONT is
applied to the plaintext, and r out of the m pseudo-
message blocks are encrypted. Intuitively, one would
assume that this scheme would somehow be less
secure than if all the blocks were encrypted, but we
show that this is not the case.
Theorem 2 Let Π = (K, E, D) be an efficient
all-or-nothing CTR mode in the Shannon model,
using AONT Π
= (E
, D
), and encrypting r blocks
of the pseudo-message. Then, for n 2:
Adv
ind
Π
(t, m, p, q, µ) 2m Adv
aon
Π
(t
, m)+
(
r
m
)
2p
2
k
+
2m
2
l
(31)
where t
= t + (
µ
l
+ m 1).T + O(ml + pl + µ)
and all other variables are as defined in Section 4.1.
A publically known set S holds the indices of the
pseudo-message blocks that are encrypted.
Proof We use framework of Theorem 1, with
the algorithms suitably modified. Specifically, lines
05 and 08 of A(guess) must be modified to:
04 · · ·
05a if i S
05b z[i] y[i] F
a
(ctr + i);
05c else
05d z[i] y[i];
06 · · ·
07 · · ·
08a if index S
08b Elist[i] block F
a
(ctr + index);
08c else
08d Elist[i] block;
09 · · ·
The proof continues in a similar manner, but
Pr
0
[C] must be re-evaluated, where C is the event
that the missing pseudo-message block y[j] is on Bs
Tlist. We argue that:
Pr
0
[C]
1
m
Succ
coll
Π
(B) (
r
m
)
p
m.2
k
(32)
Recall that the p/(m.2
k
) term arose in Theorem 1 as
the probability that B would realise that block z[j]
had been fabricated. B can only come to this con-
clusion if z[j] is one of the encrypted blocks, i.e. if
j S. If j / S, B cannot perform the same check,
as z[j] is an AONT output block, and is not related to
EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE
243
the other challenge blocks by the hidden key a. There-
fore, the probability of z[j] S and B aborting is
(r/m)(p/m.2
k
), since index j is chosen at random.
Combining Equations (23), (25), (32), (28)
and (30) gives Equation (31), the theorem re-
sult.
Note that when r = m, Equation (31) re-
duces to the result of Theorem 1, as expected. As
r 1, the upper bound on the adversary’s IND
advantage gets smaller. This seems counter-intuitive,
as encrypting fewer blocks would suggest a less
secure scheme. However, we note that the r/m term
in the theorem results from algorithm B realising that
the challenge block z[j] is incorrectly formed, and
that this realisation should indeed be less likely when
there are fewer encrypted blocks against which to
compare. As r 1, the scheme’s security becomes
closer to the security of the AONT.
A similar encryption scheme was considered
in (Bellare and Boldyreva, 2000), whereby an AONT
is applied to a message, and the first pseudo-message
block is encrypted via ‘chaffing and winnowing’. The
authors proved that this scheme is semantically se-
cure, if the underlying cipher is semantically secure.
This paper provides an different proof, where we
work in the Shannon model of the block cipher, en-
crypt using CTR-mode, and allow the number of en-
crypted blocks r to vary.
5 CONCLUSIONS
In this paper, we proposed a new mode of all-or-
nothing encryption, called CTRT-CTR. In doing so,
we answered an open problem from the literature re-
garding the speed of all-or-nothing encryption. We
proposed using CTRT-CTR in an efficient AON en-
cryption mode, to further reduce power and mem-
ory overheads. Trade-offs between on-line encryp-
tion speed and memory were identified. The scheme
would be beneficial in applications such as MANETs
where low-power, secure run-time encryption is re-
quired. The proposed schemes were proven secure in
the Shannon model of a block cipher.
Future work will investigate if it is possible to
achieve secure all-or-nothing encryption with a lower
total workload (both on-line and off-line) than CTRT-
CTR, whilst still maintaining low latency.
ACKNOWLEDGEMENTS
The authors would like to thank Emanuel Popovici
for his helpful discussions regarding the proofs of se-
curity. This research was supported by the Embark
Initiative, operated by the Irish Research Council for
Science, Engineering and Technology (IRCSET).
REFERENCES
Bellare, M. and Boldyreva, A. (2000). The Security of
Chaffing and Winnowing. In ASIACRYPT’00, volume
1976 of Lecture Notes in Computer Science, pages
517–530. Springer.
Bellare, M., Desai, A., Jokipii, E., and Rogaway, P. (1997).
A Concrete Security Treatment of Symmetric Encryp-
tion. In FOCS’97, pages 394–403.
Berman, V. (2005). Enhancing Data Security in Mobile Ad
Hoc Networks via Multipath Routing and Directional
Transmission. Master’s thesis, University of Califor-
nia, Davis.
Boyko, V. (2000). On All-or-Nothing Transforms and Pass-
word Authenticated Key Exchange Protocols. PhD
thesis, Massachusetts Institute of Technology.
Byers, J., Considine, J., Itkis, G., Cheng, M. C., and Ye-
ung, A. (2006). Securing bulk content almost for free.
Journal of Computer Communications, Special Issue
on Internet Security, 29:290–290.
Desai, A. (2000). The Security of All-or-Nothing En-
cryption (Extended Abstract). In CRYPTO’00, vol-
ume 1880 of Lecture Notes in Computer Science,
pages 359-375. Springer. Full version retrieved on-
line, June 2006. http://www.cs.ucsd.edu/
users/adesai/.
Dodis, Y. (2000). Exposure-Resilient Cryptography. PhD
thesis, Massachusetts Institute of Technology.
Dodis, Y., Sahai, A., and Smith, A. (2001). On Perfect
and Adaptive Security in Exposure-Resilient Cryptog-
raphy. In EUROCRYPT’01, volume 2045 of Lecture
Notes in Computer Science, pages 301–324. Springer.
ECRYPT (2006). ECRYPT Yearly Report on Algorithms
and Keysizes (2005). http://www.ecrypt.eu.org.
Johnson, D., Matyas, S., and Peyravian, M. (1996). En-
cryption of Long Blocks Using a Short-Block Encryp-
tion Procedure. Submitted for inclusion in the IEEE
P1363a standard.
Kiong, N. C. and Samsudin, A. (2003). A Concrete Security
Treatment of Symmetric Encryption. In APCC’03,
volume 2, pages 838–843.
Lipmaa, H., Rogaway, P., and Wagner, D. (2000). CTR-
Mode Encryption. Comments to NIST concerning
AES Modes of Operation.
Marnas, S. I., Angelis, L., and Bleris, G. L. (2003). All-
Or-Nothing Transforms Using Quasigroups. In Proc.
of 1st Balkan Conference on Informatics, pages 183–
191.
Peterson, Z. N. J., Burns, R. C., Herring, J., Stubblefield,
A., and Rubin, A. D. (2005). Secure Deletion for a
Versioning File System. In FAST’05. USENIX.
SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY
244
Rivest, R. (1997). All-or-Nothing Encryption and The
Package Transform. In FSE’97, 4th International
Workshop on Fast Software Encryption. Springer.
Shannon, C. E. (1949). Communication theory of secrecy
systems. Bell Systems Technical Journal, 28(4):656–
715.
Zhang, R., Hanaoka, G., and Imai, H. (2004a). On the Secu-
rity of Cryptosystems with All-or-Nothing Transform.
In ACNS’04, volume 3089 of Lecture Notes in Com-
puter Science, pages 76–90. Springer.
Zhang, R., Hanaoka, G., Shikata, J., and Imai, H. (2004b).
On the Security of Multiple Encryption or CCA-
security+CCA-security=CCA-security? In PKC ’04,
volume 2947 of Lecture Notes in Computer Science,
pages 360–374. Springer.
EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE
245