Conference ProceedingsOPEN ACCESS

The security of ciphertext stealing

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (2012) 7549 LNCS 180-195
DOI: 10.1007/978-3-642-34047-5_11
11Citations
Citations of this article
40Readers
Mendeley users who have this article in their library.
Get full text

Abstract

We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosen-plaintext attacks, indistinguishability from random bits (ind$-security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$-security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwise-adaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas's well-known book (1982) is not secure. © 2012 Springer-Verlag.

Author supplied keywords

Cite

CITATION STYLE

APA

Rogaway, P., Wooding, M., & Zhang, H. (2012). The security of ciphertext stealing. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7549 LNCS, pp. 180–195). https://doi.org/10.1007/978-3-642-34047-5_11

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free