EFFICIENT ALL-OR-NOTHING ENCRYPTION

USING CTR MODE

Robert P. McEvoy and Colin C. Murphy

Department of Electrical & Electronic Engineering,

University College Cork, Ireland.

Keywords:

All-or-Nothing Transforms, CTRT, CTR Mode, Efﬁcient Symmetric-Key Encryption, MANETs.

Abstract:

All-or-Nothing Encryption is a useful technique which can heighten the security of block ciphers. It can

also be used to design faster symmetric-key cryptosystems, by decreasing the number of required encryption

operations at run-time. An open problem in the literature regards the speed of all-or-nothing encryption, which

we address in this paper by combining two techniques from the literature, forming a new all-or-nothing mode

of operation. Trade-offs in the implementation of this design are considered, and theoretical proofs of security

are provided.

1 INTRODUCTION

All-or-Nothing Transforms were originally proposed

by Rivest, as a method to hinder brute-force key

search attacks on block ciphers such as DES (Rivest,

1997). Essentially, All-or-Nothing Encryption con-

sists of two stages. By applying an All-or-Nothing

Transform (AONT) to a plaintext message, a ‘pseudo-

message’ is formed. This pre-processing stage is

not considered encryption, however, as the AONT

does not utilise a secret key. An All-or-Nothing En-

cryption (AONE) mode is formed when the AONT

output is encrypted using a symmetric block cipher.

The resulting cryptosystem has the property that a

brute-force attacker must decrypt all of the ciphertext

blocks when testing each key. Hence, an exhaustive

key-search attack on an AONE mode is slowed, in

proportion to the number of blocks in the ciphertext.

However, modern symmetric-key cryptosystems

are based on block ciphers with longer key lengths

than DES, such as AES (minimum 128 bits). An at-

tack on AES-128 is beyond the capability of mod-

ern computers, and it is believed that 128-bit sym-

metric keys will be secure until after the year

2030 (ECRYPT, 2006).

A second, more currently relevant application of

AONTs relates to increasing the efﬁciency of block-

cipher based encryption schemes (Johnson et al.,

1996). In this scheme, an AONT is applied to a

plaintext message as above, but only some (as op-

posed to all) of the pseudo-message blocks are sub-

sequently encrypted. The AONT mixes the plaintext

in such a way that all of the pseudo-message blocks

are required in order to invert the transform and regain

the plaintext. Therefore, fewer secret-key encryptions

and decryptions are required.

In order for this ‘efﬁcient encryption’ application

of AONTs to be worthwhile, the AONT used must it-

self be quickly and efﬁciently computable. In (Rivest,

1997), an AONE mode was presented where the time

penalty for encryption was a factor of 3 greater than

standard CBC mode encryption, along with an open

question as to whether this latency could be improved.

Desai (Desai, 2000) proposed an AONT construction

which reduced the relative penalty to a factor of 2.

In this paper, a new AONE mode is considered for

the ﬁrst time, combining Desai’s AONT and the well-

known CTR mode of encryption. We show that when

our design is used, the penalty for AONE can, un-

der certain circumstances, be reduced to the negligi-

ble cost of just one xor operation.

The rest of this paper is organised as follows. The

following section deﬁnes AONTs, and surveys related

work. In Section 3 we present the new all-or-nothing

encryption mode, analyse its efﬁciency, and consider

some applications where it would be beneﬁcial. Sec-

tion 4 focuses on the provable security of the scheme,

and conclusions are given in Section 5.

2 ALL-OR-NOTHING

TRANSFORMS

2.1 Deﬁnitions

Informally, an all-or-nothing transform f maps

a sequence of plaintext blocks x

, x

, . . . , x

a sequence of pseudo-message blocks, denoted

237

P. McEvoy R. and C. Murphy C. (2006).

EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE.

In Proceedings of the International Conference on Security and Cryptography, pages 237-245

DOI: 10.5220/0002098902370245

 SciTePress

, y

, . . . , y

. As put forward in (Rivest, 1997),

AONTs should possess four properties:

• Given the sequence of pseudo-message blocks, one

can invert the transform to retrieve the plaintext

blocks.

• Both the AONT and its inverse should be efﬁciently

computable.

• All AONTs should be randomised, in order to avoid

chosen-message and known-message attacks.

• Most importantly, if any one of the pseudo-

message blocks is unknown, it should be computa-

tionally infeasible to invert the AONT, or determine

any function of any plaintext block.

Since the original proposal, several other authors

have published formal AONT deﬁnitions in the lit-

erature. The deﬁnitions differ in the strength of the

security notions which each author uses.

Desai (Desai, 2000) deﬁned a new notion of se-

curity for AONTs, called ‘non-separability of keys’,

which captures the requirement for an adversary to

decrypt every block of ciphertext before gaining any

information about the underlying key. In addition,

Desai required his AONTs to be secure in the ‘indis-

tinguishability of encryptions’ sense, which is a no-

tion deﬁned in (Bellare et al., 1997). Furthermore,

the AONT pseudo-message should be indistinguish-

able from a random string. We adopt these notions of

security in our constructions.

2.2 Applications

In this paper, we focus on the use of AONTs for

efﬁcient encryption in symmetric-key block cipher

cryptosystems. This is discussed further in Sec-

tion 3. Another application of AONTs has already

been mentioned in Section 1, namely the original ap-

plication of impeding brute-force key search attacks.

In their respective theses, Boyko (Boyko, 2000) and

Dodis (Dodis, 2000) both give excellent surveys of

potential AONT applications. These include remotely

keyed encryption, gap secret sharing and protecting

against partial key exposure. Subsequent publications

have proposed the use of AONTs in electronic voting

protocols (Kiong and Samsudin, 2003), ‘multiple en-

cryption’ schemes (Zhang et al., 2004b), and secure

ﬁle deletion schemes (Peterson et al., 2005).

2.3 Constructions

This paper deals speciﬁcally with the CTR-Transform

(CTRT) of (Desai, 2000), which is described in Sec-

tion 3, where it is used in our proposed efﬁcient

symmetric-key AON encryption scheme. Several

other candidate constructions for AONTs have been

proposed in the literature. These are listed below, with

references for the interested reader.

• Package Transform (Rivest, 1997)

• OAEP (Boyko, 2000)

• Exposure-Resilient Function-based Trans-

forms (Dodis et al., 2001)

• Quasigroup-based AONTs (Marnas et al., 2003)

• ‘Extended-Indistinguishable’ AONTs (Zhang

et al., 2004a)

• Error-Correcting Code-based AONTs (Byers et al.,

2006)

3 CTRT-CTR ENCRYPTION

This section introduces our new mode of all-or-

nothing encryption, which we call ‘CTRT-CTR’. In

essence, it combines Desai’s CTRT AONT (Desai,

2000) with the popular CTR mode of block cipher en-

cryption (Lipmaa et al., 2000). Indeed, it is surprising

that this mode has not been suggested already in the

literature. We show that CTRT-CTR affords fast AON

encryption, that is not attainable with other AONTs or

encryption modes discussed in the literature to date.

3.1 Package Transform

Before examining the CTR Transform, it is instruc-

tive to ﬁrst consider Rivest’s original AONT proposal,

the ‘Package Transform’ (Rivest, 1997). Since the

package transform is based on a block cipher F , the

plaintext message x being processed is broken up into

ﬁxed-sized blocks of data, labelled x

, x

, . . . , x

. A

random key K

′

is chosen for the AONT, from a large

enough keyspace to deter a brute force attack. Note

that this key is not a ‘secret key’, and it does not

have to be shared explicitly with the recipient of the

message via public-key cryptography. The pseudo-

message y is calculated as follows:

= x

⊕ F

′

(i) (1)

for i = 1, . . . , n, where F

′

(·) denotes encryption

with the block cipher F using the key K

′

, and ⊕ de-

notes bit-wise xor. To complete the package trans-

form, a further pseudo-message block y

n+1

is added:

n+1

= K

′

⊕ h

⊕ · · · ⊕ h

(2)

where

= F

⊕ i) (3)

for i = 1, . . . , n, and K

is a ﬁxed, publically

known key. In effect, the ﬁnal pseudo-message block

comprises a hash of all the previous pseudo-message

blocks, xored with the random key K

′

. To invert the

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

238

transform, the receiver simply calculates the random

key, and uses it to decrypt the ﬁrst n pseudo-message

blocks:

′

= y

n+1

⊕ h

⊕ · · · ⊕ h

(4)

= y

⊕ F

′

(i) (5)

for i = 1, . . . , n. Rivest observed that if the pack-

age transform was combined with an ordinary encryp-

tion mode such as CBC, the time to encrypt would in-

crease threefold, as three passes through the block ci-

pher encryption would be required. Rivest set the task

of reducing this latency as an open problem, which

Desai solved using the CTR transform.

3.2 CTR Transform

In the CTR Transform, as in the case of the package

transform, a random key K

′

is chosen, and the plain-

text is transformed via:

= x

⊕ F

′

(i) (6)

The ﬁnal pseudo-message block is given by:

n+1

= K

′

⊕ y

⊕ · · · ⊕ y

(7)

Clearly, CTRT operates in the same fashion as the

package transform, with one block cipher encryption

stage omitted. In fact, Equations (6) and (7) are equiv-

alent to Equations (1) and (2) with h

= y

. The ﬁ-

nal pseudo-message block is composed of the random

key K

′

xored with all of the previous pseudo-message

blocks. Intuitively, this may seem less secure than

the package transform, yet it is proven secure within

the model and deﬁnitions used in (Desai, 2000). Us-

ing CTRT, Desai reduced the cost of all-or-nothing

encryption to just a factor of two greater than CBC

mode, hence answering the open problem of (Rivest,

1997).

3.3 CTRT-CTR Mode

In the CTR mode of encryption (Lipmaa et al., 2000),

the sender maintains an l-bit counter ctr, where l is

the block length of the underlying cipher F . The

value of ctr can be transmitted in the clear to the

receiver when sending the ciphertext. A plaintext

, x

, . . . , x

is encrypted with a shared secret key

K to a ciphertext z

, z

, . . . , z

according to:

= x

⊕ F

(ctr + i) (8)

for i = 1, . . . , n. Decryption is performed on the re-

ceiver side according to:

= z

⊕ F

(ctr + i) (9)

for i = 1, . . . , n.

ctr

K’

ctr+i

+1 +1

Figure 1: CTRT-CTR Mode Encryption, Equation (11).

Here we propose combining the CTR mode of en-

cryption with the CTRT transform, via:

= y

⊕ F

(ctr + i) (10)

= x

⊕ F

′

(i) ⊕ F

(ctr + i) (11)

for i = 1, . . . , n. For the ﬁnal ciphertext block:

n+1

= K

′

⊕ y

⊕ · · · ⊕ y

⊕ F

(ctr + n + 1) (12)

To decrypt a message encrypted with CTRT-CTR,

the receiver ﬁrst calculates pseudo-message blocks:

= z

⊕ F

(ctr + i) (13)

for i = 1, . . . , n, and uses their xor to uncover the

random key K

′

= z

n+1

⊕ F

(ctr + n + 1) ⊕

i=1

(14)

A second pass is then required, where K

′

is used to

retrieve the plaintext message blocks x

= y

⊕ F

′

(i) (15)

CTRT-CTR encryption is illustrated for block i

(i 6= n + 1) in Figure 1.

3.4 Latency Considerations

The attraction of CTR-CTRT lies in its suitability for

pre-calculation and parallelisation. With reference to

Equation (11), it can be seen that all of the variables

to be encrypted by F are potentially known by the

sender before the plaintext block x

becomes avail-

able. Therefore, the sender can use idle clock cycles

to pre-compute F

′

(i) ⊕ F

(ctr + i). When x

be-

comes available, it can be quickly encrypted on-the-

ﬂy using a single l-bit xor. Therefore, given the nec-

essary processing/memory resources, CTRT-CTR can

acutely reduce the run-time cost of AON encryption.

This saving is possible because the CTRT and CTR

mode do not operate directly on the plaintext blocks

(other than with xor), and each ciphertext block is in-

dependent of the others. To the best of our knowl-

edge, no other AONT or block cipher encryption

mode in the literature possesses this property. Of

course, not all implementations of AONE systems

will have the capacity for full pre-calculation and stor-

age of the F

′

(i)⊕ F

(ctr + i) ‘one-time pad’. Be-

low we present four implementation scenarios, begin-

ning with the fastest. These are summarised in Fig-

ure 2.

EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE

239

(1) Full pre-processing: In this scenario, we assume

that the sender A has knowledge of the secret key

K before the plaintext x becomes available. A

computes F

′

(i) and F

(ctr+i) during idle clock

cycles, requiring l(2n + 1) bits of memory storage.

The run-time latency for encryption is negligible

(i.e. one l-bit xor).

(2) Partial pre-processing: Here we assume that A

does not know K before x becomes available. Be-

cause A chooses K

′

, the F

′

(i) values (i.e. the

AONT part) can be calculated in advance, but the

(ctr + i) must be computed during run-time.

The latency in this scenario is the same as for ordi-

nary CBC mode encryption, and nl bits of storage

are required.

(3) Online parallel processing: In this case, A has

no capability (or perhaps desire) for storage, but

has two block cipher encryption engines at its dis-

posal. These may be dedicated hardware cores,

or microprocessors conﬁgured to perform F efﬁ-

ciently. This scheme runs at the same speed as or-

dinary CBC encryption, but requires no storage.

(4) Online processing: In this worst case, A per-

forms no pre-processing, and has one F -processor

available to it. Then the cost is the same as De-

sai’s proposed CTRT-ECB scheme, i.e. twice that

of CBC encryption. Memory of nl bits is also re-

quired to store intermediate results.

We note that the savings from using CTRT-CTR

mode are forthcoming only on the transmission side.

Receiver B must perform decryption in two stages, as

described in Equations (13)-(15) (Equation (14) can

be calculated cumulatively to save memory). This

penalty is no worse than that for a receiver decrypt-

ing Desai’s CTRT-ECB mode, however.

3.5 Efﬁcient All-or-Nothing

Encryption

CTRT-CTR mode can be further enhanced using the

‘efﬁcient encryption’ method (United States Patent

5,870,470) introduced in Section 1, and pioneered

in (Johnson et al., 1996). This technique takes ad-

vantage of the fact that an AONT cannot be inverted

unless all of the pseudo-message blocks are known.

Knowledge of some of the pseudo-message blocks

should not reveal any information about the plain-

text. Therefore, it should be possible to encrypt only

a subset (as opposed to all) of the pseudo-message

blocks, and still maintain the same level of security.

The provable security of this remarkable scheme is

investigated in Section 4.

The efﬁcient CTRT-CTR encryption scheme would

proceed as follows. Sender A applies the CTRT to the

plaintext, as described by Equations (6) and (7). A

3xCBC

2xCBC

CBC

2nl

(Rivest)

(4)

(Desai)

(3) (7)

(2)

(6)

(5)

(1)

Intermediate Memory (bits)

Run-time latency

Figure 2: Performance Trade-offs with AONE.

then chooses a subset of the pseudo-message blocks

to encrypt, whose indices are given by S, where

#S = r, 1 ≤ r ≤ n. Of course, S must be made

public so that receiver B can decrypt the ciphertext.

To form the ciphertext z, A computes:



⊕ F

(ctr + i) for i ∈ S

for i /∈ S

(16)

The efﬁcient encryption method allows even faster

implementations of CTRT-CTR. Assuming r = 1 (i.e.

just one pseudo-message block is encrypted), the sce-

narios described in Section 3.4 become:

(5) Full pre-processing: Run-time latency of one

xor (negligible), l(n + 1) bits of memory.

(6) Partial pre-processing: Run-time latency of one

xor and one encryption, nl bits of memory.

(7) Online processing: Run-time latency approxi-

mately that of ordinary CBC encryption (as r <<

n), regardless of multiple processors. No extra

memory required.

Figure 2 summarises the latency/memory trade-off

associated with implementing CTRT-CTR in software

or hardware. Fast, efﬁcient all-or-nothing encryp-

tion is clearly attainable if the application justiﬁes the

added processing and storage costs. The best results

are obtained by combining CTRT-CTR (or CTRT in

any encryption mode) with the efﬁcient encryption

system of (Johnson et al., 1996). Fewer encryption

operations are necessary, therefore the system power

consumption is lower. However, the performance

bonus must be traded off against the costs associated

with using this patented method.

3.6 Applications

CTRT-CTR encryption would clearly be beneﬁcial in

applications where fast on-the-ﬂy AON encryption is

required, such as secure mobile telecommunications

networks or MANETs (Mobile Ad-Hoc NETworks).

MANETs are mainly used in highly mobile and hos-

tile environments, where data conﬁdentiality is im-

portant. Typical examples of nodes in a MANET in-

clude units where processing power and battery life

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

240

are limited, such as backpack radios, handheld de-

vices, and vehicle computers (Berman, 2005). Con-

strained environments such as these are well suited

to secure, efﬁcient all-or-nothing encryption schemes

such as CTRT-CTR.

CTRT-CTR is also especially useful in proto-

cols where the existing encryption mechanism is a

block cipher (e.g. AES), as the encryption soft-

ware/hardware can be re-used to perform the AONT,

deeming implementation of additional algorithms un-

necessary.

4 PROOFS OF SECURITY

The provable security of the proposed CTRT-CTR

scheme is now considered. We also analyse how

the security changes when we incorporate CTRT-CTR

and Johnson et al.’s efﬁcient encryption technique.

For convenience, the deﬁnitions and notation used in

our theorems rely heavily on those used by (Desai,

2000). In particular, we employ the framework used

in Theorem 3 and Lemma 14 of that work, and extend

those results.

4.1 Existing Security Results

Desai proved his results in the Shannon model (‘ideal

model’) of a block cipher (Shannon, 1949). In

essence, the Shannon model states that each new key

to the block cipher deﬁnes an independent random

permutation F

(·). Desai deﬁned a notion of security

for AONTs, based on indistinguishability from a

random string. The experiment (or ‘game’) used to

capture this notion is as follows:

AONT Let Π

′

= (E

′

, D

′

) be an AONT of block length

l. For adversary A and bit b = 0 or 1 deﬁne Exp

aon

′

(A, b) as:

01 (x, s) ← A(ﬁnd);

02 y

← E

′

(x); \\ All-or-nothing Transform

03 y

← {0, 1}

; \\ Random |y

|-bit string

04 d ← A

(guess, s);

05 return d.

The advantage function of Π

′

is deﬁned as:

Adv

aon

′

(t, m) = max

{Pr[Exp

aon

′

(A, 0) = 0]−

Pr[Exp

aon

′

(A, 1) = 0] }

(17)

where A runs with time complexity t, and

| = |y

| = ml (i.e. m l-bit blocks). The nota-

tion A

means that A has access to an oracle Y, taking

an index j ∈ {1, . . . , m} and returning y

[j], where

= y

[1], . . . , y

[m]. At most m queries are allowed

to Y during the guess stage. In addition, s denotes state

information generated by the results of A’s queries.

Based on any m − 1 blocks of the challenge,

adversary A has to decide whether the challenge is

a real AONT output, or a randomly chosen string.

Equation (17) measures A’s maximum probability of

success in this game, which should be negligible.

Indistinguishability of encryptions (Bellare

et al., 1997) is an important security notion for block

cipher encryption schemes, described below:

IND Let Π = (K, E, D) be an encryption mode. For

adversary A and bit b = 0 or 1 deﬁne Exp

ind

(A, b) as:

01 F ← BC(k, l); \\ Choose block cipher at random

02 a ← K(1

); \\ Choose key of length k

03 (x

, x

, s) ← A

F,F

−1

(ﬁnd);

04 y ← E

−1

); \\ Apply encryption mode

05 d ← A

F,F

−1

(guess, y, s);

06 return d.

The advantage function of Π is deﬁned as:

Adv

ind

(t, m, p, q, µ) = max

{Pr[Exp

ind

(A, 1) = 1]−

Pr[Exp

ind

(A, 0) = 1] }

(18)

where A runs with time complexity t, p is the maximum

number of queries allowed to F /F

−1

, |y| = ml, and q is

the maximum number of queries allowed to E

−1

, these

totalling at most µ bits.

In this game, A is given a ciphertext, and must

determine which of two plaintexts it corresponds to.

If the encryption mode is secure in the IND sense, A’s

success probability should be negligible. Theorem 3

of (Desai, 2000) quantiﬁes this success probability

when the encryption mode is an all-or-nothing ECB

mode. He proved that if n ≥ 2:

Adv

ind

(t, m, p, q, µ) ≤ 2m Adv

aon

′

, m)+

2mp

(19)

where n is the number of l-bit plaintext blocks,

′

= t + (

+ m − 1).T + O(ml + pl + µ), and

T is the time taken to decode a ml-bit string using D

′

In the speciﬁc case where the AONT is CTRT,

Desai also proved that for k ≤ l and m + p ≤ 2

k−1

then:

Adv

aon

CTRT

(t, m, p) ≤

+ 8p

(20)

where k is the key length of the underlying block ci-

pher, and t, m and p are as deﬁned above.

4.2 Security of AONT-CTR

Encryption

We extend the result of Equation (19) to evaluate

the IND-security of the CTR mode of all-or-nothing

encryption. Note that all m pseudo-message blocks

are encrypted using CTR mode in this case. The

security of the ‘efﬁcient AON encryption’ scheme of

EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE

241

Section 3.5 is considered in Section 4.3.

Theorem 1 Let Π = (K, E, D) be an all-or-

nothing CTR mode in the Shannon model, using

AONT Π

′

= (E

′

, D

′

). Then for n ≥ 2:

Adv

ind

(t, m, p, q, µ) ≤ 2m Adv

aon

′

, m)+

(21)

where t

′

= t + (

+ m − 1).T + O(ml + pl + µ)

and all other variables are as deﬁned in Section 4.1.

Proof A new game COLL is deﬁned as follows:

COLL Let Π = (K, E, D) be an AONT-CTR mode.

For adversary A deﬁne Exp

coll

(A) as:

01 a ← K(1

); \\ Choose key of length k

02 (x, s, Elist

) ← A

F,F

−1

(ﬁnd);

03 y ← E

−1

(x); \\ Apply AONT-CTR

04 Elist

← A

F,F

−1

(guess, y, s);

05 for i, j ∈ [m] {

06 if(i 6= j ∧ y[i] = y[j]) ∨ (y[i] ∈ Elist

∪ Elist

)

07 then d ← 1, else d ← 0; }

08 return d.

The success function of Π is deﬁned as:

Succ

coll

(t, m, p, q, µ) = max

{Pr[Exp

coll

(A) = 1]} (22)

where A runs with time complexity t, [m] denotes the

set {1, . . . , m}, and all other variables are as deﬁned

in Section 4.1. ∧ and ∨ denote logical AND and OR,

respectively. Elist

and Elist

(‘Encryption lists’) contain

the answers to A’s E

−1

queries during the ﬁnd and

guess stages.

This COLL experiment measures the probabil-

ity of collision between ciphertext blocks, across

queries. We proceed to relate Succ

coll

to Adv

aon

′

by a

contradiction argument. Later, we will relate Succ

coll

to Adv

ind

, and arrive at the theorem statement by

substitution.

Consider an AONT adversary A, built using a

COLL adversary B. Because A has no oracles other

than Y, it must simulate B’s oracles. The A(ﬁnd)

algorithm (i.e. AONT line 01) becomes:

A(ﬁnd) :

01 a ← K(1

); \\ Choose key of length k

02 T list ← {}; \\ Initialise Tlist

03 (x, s) ← B(ﬁnd);

04 s

′

← (s, x, a, Tlist);

05 return (x, s

′

where Tlist is similar to B’s Elist, except that it

holds the pseudo-message blocks returned from

queries to E

−1

, and the corresponding block

indices. A

(guess, s) (i.e. AONT line 04) becomes:

(guess, (s, x, a, Tlist)) :

01 j ← [m]; \\ Choose index j at random

02 for i ∈ [m] ∧ i 6= j {

03 y[i] ← Y(i); \\ Retrieve challenge block i

04 Tlist ← Tlist ∪{(y[i], i)};

05 z[i] ← y[i] ⊕ F

(ctr + i); }

06 for i ∈ [| Tlist |]{

07 (block, index) ← Tlist[i];

08 Elist[i] ← block ⊕ F

(ctr + index); }

09 z[j] ← {0, 1}

\ Elist;

10 Tlist ← Tlist ∪B(guess, z, s);

11 for i ∈ [| Tlist |]{

12 y[j] ← Tlist[i];

13 x

← D

′

(y); \\ Inverse AONT

14 if (x

== x){d ← 0; return d}}

15 d ← 1; return d.

In lines 01 to 05, A

(guess) forms all but one

block of B’s challenge ciphertext z, based on the

m − 1 blocks of its own challenge y that it receives

from Y. For the missing block z[j], A must choose

a random string, but has to ensure that B has not

seen this block already in its ﬁnd stage, otherwise

a collision would be guaranteed. This requirement

is met by lines 06 to 09. Finally in lines 11 to 15,

A searches incrementally through Tlist, inserting a

block from Tlist in place of its missing y[i] block,

and inverting. If the result of the transform inversion

equals the original plaintext message x, then A

concludes that the challenge y was real (as opposed

to random).

We now calculate Adv

aon

′

(A). For simplicity, we

use Pr

[A = 0] to denote Pr[Exp

aon

′

(A, b) = 0].

Adv

aon

′

(A) = Pr

[A = 0] − Pr

[A = 0] (23)

Deﬁne the event C to be the event that the missing

pseudo-message block y[j] is on the Tlist. Expanding

the ﬁrst term in Equation (23):

[A = 0] =Pr

[A = 0|C].Pr

[C]+

[A = 0|

C].Pr

[

(24)

From the description of A

(guess), Pr

[A = 0|C]

is clearly equal to unity. This implies:

[A = 0] ≥ 1.Pr

[C] (25)

Intuitively, one would expect Pr

[C] to be lower

bounded by Succ

coll

(B) via:

[C] ≥

Succ

coll

(B)

since Succ

coll

(B) gives the probability of collision

with one of the blocks of y, and C implies collision

with y[j]. However, we must also take into account

that A’s challenge to B is incorrectly formed, as block

z[j] is randomly chosen. There is a chance that B,

through its queries to F/F

−1

, will realise this, caus-

ing it to abort the game. It is in evaluating this proba-

bility that our proof differs from that of Desai.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

242

We now examine how B could discover the anom-

aly. Consider the case where B queries F with a

block of its choice, key k

and index j, and receives

the block z[j] in return. B can then test key k

some known plaintext/ciphertext, but since k

6= a,

the known plaintext encrypted under k

will not equal

the known ciphertext. B will realise that z[j] was not

the result of an encryption with key a, and abort the

game.

The number of different block cipher permutations

in CTR mode is m.2

. For each permutation, there

exists some string that will encrypt to give z[j], which

would cause B to abort. Therefore, the maximum

probability of B choosing one such query (and choos-

ing index = j) is

m.2

(recall p is the maximum num-

ber of queries allowed to F/F

−1

). Taking this into

account, Pr

[C] is lower bounded by:

[C] ≥

Succ

coll

(B) −

m.2

(26)

Combining Equations (25) and (26):

[A = 0] ≥

Succ

coll

(B) −

m.2

(27)

The next step is to upper bound the second term in

Equation (23), Pr

[A = 0]. This is the ‘false proba-

bility’ of success, i.e. the probability that A will re-

turn d = 0 when the challenge y was, in fact, random.

From the code for A(guess), it is clear that this can

only occur if there is (at least) one other AONT out-

put y

which also decodes to x. The probability of

this event is independent of the encryption mode in

which the AONT mode is used, therefore we can re-

use Desai’s result:

[A = 0] ≤

(28)

for n ≥ 2. Substituting Equations (27) and (28) into

Equation (23), and rearranging, gives:

Adv

coll

(t, m, p, q, µ) ≤ m Adv

aon

′

, m)+

p/2

+ m/2

(29)

where t

′

= t + (

+ m − 1).T + O(ml + pl + µ),

which is the complexity of running A.

The penultimate step is to consider an adversary

A in the IND sense, and relate Adv

ind

(A) to

Succ

coll

(A). Due to space restrictions, we do not

present the argument here, but note that it is the same

as that of (Desai, 2000), as it is mode-independent.

We state:

Adv

ind

(A) ≤ 2. Succ

coll

(A) (30)

Finally, combining Equations (29) and (30) gives

Equation (21), the theorem result. 

Comparing the result of Theorem 1 with Equa-

tion (19), it can be seen that AONT-ECB mode and

AONT-CTR mode achieve similar levels of security,

in the indistinguishability of encryptions sense. The

adversarial advantage is, in fact, smaller in AONT-

CTR mode, due to the larger set of permutations

opened up by the inclusion of the block index in the

encryption operation. Therefore, AONT-CTR is more

secure than AONT-ECB, although neither is insecure.

4.3 Security of Efﬁcient AONT-CTR

Encryption

We now consider the scenario where an AONT is

applied to the plaintext, and r out of the m pseudo-

message blocks are encrypted. Intuitively, one would

assume that this scheme would somehow be less

secure than if all the blocks were encrypted, but we

show that this is not the case.

Theorem 2 Let Π = (K, E, D) be an efﬁcient

all-or-nothing CTR mode in the Shannon model,

using AONT Π

′

= (E

′

, D

′

), and encrypting r blocks

of the pseudo-message. Then, for n ≥ 2:

Adv

ind

(t, m, p, q, µ) ≤ 2m Adv

aon

′

, m)+

(

)

(31)

where t

′

= t + (

+ m − 1).T + O(ml + pl + µ)

and all other variables are as deﬁned in Section 4.1.

A publically known set S holds the indices of the

pseudo-message blocks that are encrypted.

Proof We use framework of Theorem 1, with

the algorithms suitably modiﬁed. Speciﬁcally, lines

05 and 08 of A(guess) must be modiﬁed to:

04 · · ·

05a if i ∈ S

05b z[i] ← y[i] ⊕ F

(ctr + i);

05c else

05d z[i] ← y[i];

06 · · ·

07 · · ·

08a if index ∈ S

08b Elist[i] ← block ⊕ F

(ctr + index);

08c else

08d Elist[i] ← block;

09 · · ·

The proof continues in a similar manner, but

[C] must be re-evaluated, where C is the event

that the missing pseudo-message block y[j] is on B’s

Tlist. We argue that:

[C] ≥

Succ

coll

(B) − (

)

m.2

(32)

Recall that the p/(m.2

) term arose in Theorem 1 as

the probability that B would realise that block z[j]

had been fabricated. B can only come to this con-

clusion if z[j] is one of the encrypted blocks, i.e. if

j ∈ S. If j /∈ S, B cannot perform the same check,

as z[j] is an AONT output block, and is not related to

EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE

243

the other challenge blocks by the hidden key a. There-

fore, the probability of z[j] ∈ S and B aborting is

(r/m)(p/m.2

), since index j is chosen at random.

Combining Equations (23), (25), (32), (28)

and (30) gives Equation (31), the theorem re-

sult. 

Note that when r = m, Equation (31) re-

duces to the result of Theorem 1, as expected. As

r → 1, the upper bound on the adversary’s IND

advantage gets smaller. This seems counter-intuitive,

as encrypting fewer blocks would suggest a less

secure scheme. However, we note that the r/m term

in the theorem results from algorithm B realising that

the challenge block z[j] is incorrectly formed, and

that this realisation should indeed be less likely when

there are fewer encrypted blocks against which to

compare. As r → 1, the scheme’s security becomes

closer to the security of the AONT.

A similar encryption scheme was considered

in (Bellare and Boldyreva, 2000), whereby an AONT

is applied to a message, and the ﬁrst pseudo-message

block is encrypted via ‘chafﬁng and winnowing’. The

authors proved that this scheme is semantically se-

cure, if the underlying cipher is semantically secure.

This paper provides an different proof, where we

work in the Shannon model of the block cipher, en-

crypt using CTR-mode, and allow the number of en-

crypted blocks r to vary.

5 CONCLUSIONS

In this paper, we proposed a new mode of all-or-

nothing encryption, called CTRT-CTR. In doing so,

we answered an open problem from the literature re-

garding the speed of all-or-nothing encryption. We

proposed using CTRT-CTR in an efﬁcient AON en-

cryption mode, to further reduce power and mem-

ory overheads. Trade-offs between on-line encryp-

tion speed and memory were identiﬁed. The scheme

would be beneﬁcial in applications such as MANETs

where low-power, secure run-time encryption is re-

quired. The proposed schemes were proven secure in

the Shannon model of a block cipher.

Future work will investigate if it is possible to

achieve secure all-or-nothing encryption with a lower

total workload (both on-line and off-line) than CTRT-

CTR, whilst still maintaining low latency.

ACKNOWLEDGEMENTS

The authors would like to thank Emanuel Popovici

for his helpful discussions regarding the proofs of se-

curity. This research was supported by the Embark

Initiative, operated by the Irish Research Council for

Science, Engineering and Technology (IRCSET).

REFERENCES

Bellare, M. and Boldyreva, A. (2000). The Security of

Chafﬁng and Winnowing. In ASIACRYPT’00, volume

1976 of Lecture Notes in Computer Science, pages

517–530. Springer.

Bellare, M., Desai, A., Jokipii, E., and Rogaway, P. (1997).

A Concrete Security Treatment of Symmetric Encryp-

tion. In FOCS’97, pages 394–403.

Berman, V. (2005). Enhancing Data Security in Mobile Ad

Hoc Networks via Multipath Routing and Directional

Transmission. Master’s thesis, University of Califor-

nia, Davis.

Boyko, V. (2000). On All-or-Nothing Transforms and Pass-

word Authenticated Key Exchange Protocols. PhD

thesis, Massachusetts Institute of Technology.

Byers, J., Considine, J., Itkis, G., Cheng, M. C., and Ye-

ung, A. (2006). Securing bulk content almost for free.

Journal of Computer Communications, Special Issue

on Internet Security, 29:290–290.

Desai, A. (2000). The Security of All-or-Nothing En-

cryption (Extended Abstract). In CRYPTO’00, vol-

ume 1880 of Lecture Notes in Computer Science,

pages 359-375. Springer. Full version retrieved on-

line, June 2006. http://www.cs.ucsd.edu/

users/adesai/.

Dodis, Y. (2000). Exposure-Resilient Cryptography. PhD

thesis, Massachusetts Institute of Technology.

Dodis, Y., Sahai, A., and Smith, A. (2001). On Perfect

and Adaptive Security in Exposure-Resilient Cryptog-

raphy. In EUROCRYPT’01, volume 2045 of Lecture

Notes in Computer Science, pages 301–324. Springer.

ECRYPT (2006). ECRYPT Yearly Report on Algorithms

and Keysizes (2005). http://www.ecrypt.eu.org.

Johnson, D., Matyas, S., and Peyravian, M. (1996). En-

cryption of Long Blocks Using a Short-Block Encryp-

tion Procedure. Submitted for inclusion in the IEEE

P1363a standard.

Kiong, N. C. and Samsudin, A. (2003). A Concrete Security

Treatment of Symmetric Encryption. In APCC’03,

volume 2, pages 838–843.

Lipmaa, H., Rogaway, P., and Wagner, D. (2000). CTR-

Mode Encryption. Comments to NIST concerning

AES Modes of Operation.

Marnas, S. I., Angelis, L., and Bleris, G. L. (2003). All-

Or-Nothing Transforms Using Quasigroups. In Proc.

of 1st Balkan Conference on Informatics, pages 183–

191.

Peterson, Z. N. J., Burns, R. C., Herring, J., Stubbleﬁeld,

A., and Rubin, A. D. (2005). Secure Deletion for a

Versioning File System. In FAST’05. USENIX.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

244

Rivest, R. (1997). All-or-Nothing Encryption and The

Package Transform. In FSE’97, 4th International

Workshop on Fast Software Encryption. Springer.

Shannon, C. E. (1949). Communication theory of secrecy

systems. Bell Systems Technical Journal, 28(4):656–

715.

Zhang, R., Hanaoka, G., and Imai, H. (2004a). On the Secu-

rity of Cryptosystems with All-or-Nothing Transform.

In ACNS’04, volume 3089 of Lecture Notes in Com-

puter Science, pages 76–90. Springer.

Zhang, R., Hanaoka, G., Shikata, J., and Imai, H. (2004b).

On the Security of Multiple Encryption or CCA-

security+CCA-security=CCA-security? In PKC ’04,

volume 2947 of Lecture Notes in Computer Science,

pages 360–374. Springer.

EFFICIENT ALL-OR-NOTHING ENCRYPTION USING CTR MODE

245