Paper 2012/623

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes

David McGrew

Abstract

The block cipher modes of operation that are widely used (CBC, CTR, CFB) are secure up to the birthday bound; that is, if $w2^{w}$ or fewer bits of data are encrypted with a $w$-bit block cipher. However, the detailed security properties close to this bound are not widely appreciated, despite the fact that $64$-bit block ciphers are sometimes used in that domain. This work addresses the issue by analyzing plaintext-recovery attacks that are effective close to that bound. We describe possible-plaintext attacks, which can learn unknown plaintext values that are encrypted with CBC, CFB, or OFB. We also introduce \textit{impossible plaintext} cryptanalysis, which can recover information encrypted with CTR, and can improve attacks against the aforementioned modes as well. These attacks work at the birthday bound, or even slightly below that bound, when the target plaintext values are encrypted under a succession of keys.
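The birthday bound the abstract refers to is the point at which two ciphertext blocks under one key are likely to coincide, and for CBC such a coincidence reveals the XOR of the corresponding plaintext blocks. The following Python is an added example, not code from the paper or its author: it computes the collision probability for a $w$-bit block cipher, derives how many blocks may be encrypted under one key before a chosen risk is exceeded (a rekeying limit a defender can enforce), and checks the CBC collision relation $P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$ on a toy 16-bit cipher simulated as a seeded random permutation (the toy cipher, the seed and the block counts are constructed for the example).

```python
import math
import random


def collision_probability(num_blocks: int, block_bits: int) -> float:
    """Birthday-bound probability that at least two of num_blocks ciphertext
    blocks collide under one key of a block_bits-bit cipher.
    Uses the standard approximation 1 - exp(-n(n-1) / 2^(w+1)); expm1 keeps
    precision when the probability is tiny."""
    n = num_blocks
    return -math.expm1(-n * (n - 1) / (2.0 ** (block_bits + 1)))


def blocks_for_risk(risk: float, block_bits: int) -> int:
    """Largest number of blocks that can be encrypted under one key while the
    collision probability stays at or below `risk`. This is the kind of
    rekeying limit a protocol should enforce for 64-bit block ciphers."""
    # Invert the approximation: n(n-1) <= 2^(w+1) * ln(1/(1-risk)).
    n = int(math.sqrt(2 ** (block_bits + 1) * -math.log1p(-risk)))
    while collision_probability(n + 1, block_bits) <= risk:
        n += 1
    while n > 0 and collision_probability(n, block_bits) > risk:
        n -= 1
    return n


def cbc_encrypt_toy(perm, iv, plaintext_blocks):
    """CBC mode over a toy block cipher given as a permutation table
    (constructed stand-in for a real cipher; never use in practice)."""
    out = []
    prev = iv
    for p in plaintext_blocks:
        c = perm[p ^ prev]
        out.append(c)
        prev = c
    return out


def find_ciphertext_collisions(ciphertext):
    """Return (i, j) index pairs with i < j and C_i == C_j."""
    first_seen = {}
    pairs = []
    for idx, c in enumerate(ciphertext):
        if c in first_seen:
            pairs.append((first_seen[c], idx))
        else:
            first_seen[c] = idx
    return pairs


def verify_collision_relation(seed=1, num_blocks=2000, block_bits=16):
    """Simulate CBC with a 16-bit toy cipher well past its birthday bound and
    confirm that every ciphertext collision satisfies
    P_i XOR P_j == C_{i-1} XOR C_{j-1} (with C_{-1} = IV).
    Returns (number of collisions found, whether all satisfied the relation)."""
    rng = random.Random(seed)
    perm = list(range(1 << block_bits))
    rng.shuffle(perm)  # a random permutation models an ideal block cipher
    iv = rng.getrandbits(block_bits)
    pt = [rng.getrandbits(block_bits) for _ in range(num_blocks)]
    ct = cbc_encrypt_toy(perm, iv, pt)
    chain = [iv] + ct  # chain[k] is the value XORed into plaintext block k
    pairs = find_ciphertext_collisions(ct)
    relation_holds = all((chain[i] ^ chain[j]) == (pt[i] ^ pt[j]) for i, j in pairs)
    return len(pairs), relation_holds


if __name__ == "__main__":
    w = 64
    for gib in (1, 4, 32):
        n = gib * 2 ** 30 // 8  # 8-byte blocks per GiB
        print(f"{gib:3d} GiB under one 64-bit key: "
              f"collision probability {collision_probability(n, w):.3g}")
    limit = blocks_for_risk(2.0 ** -32, w)
    print(f"blocks allowed per key at risk 2^-32: {limit} "
          f"({limit * 8 / 2 ** 20:.1f} MiB)")
    print("toy CBC simulation (collisions, relation holds):",
          verify_collision_relation())
```

The rekeying limit is the practical output: at a collision risk of $2^{-32}$ a 64-bit block cipher permits well under a megabyte per key, which is why modes that are "secure up to the birthday bound" give far less margin with $w = 64$ than the same modes with a 128-bit block.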

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
block ciphers, cryptanalysis
Contact author(s)
mcgrew @ cisco com
History
2012-11-20: revised
2012-11-05: received
Short URL
https://ia.cr/2012/623
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/623,
      author = {David McGrew},
      title = {Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2012/623},
      year = {2012},
      url = {https://eprint.iacr.org/2012/623}
}