Title: Attacks on single-pass confidentiality modes of operation
Authors: O. Markowitch, Jorge Nakahara
DOI: 10.5753/sbseg.2014.20123 (https://doi.org/10.5753/sbseg.2014.20123)
Venue: Anais do XIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2014), volume 26 1
Publication date: 2014-11-03
Publication type: Journal Article
Open access: no
Citation count: 0
Abstract
The main contributions of this paper are efficient distinguishing attacks against block ciphers that are conventionally modeled as pseudorandom permutations (PRP). Formally, block ciphers operate on fixed-length blocks of n bits, for example, n = 128 for the Advanced Encryption Standard (AES). Our analysis takes place in the setting in which the messages are m bits long, representing the entire input plaintext, where m is variable and unrelated to n. We show distinguish-from-random attacks for any n-bit block cipher in the standard modes of operation for confidentiality: ECB, CBC, CFB, OFB, CTR and XTS. We demonstrate that in all these 1-pass modes any n-bit block cipher leaves 'footprints' that allow an adversary to efficiently (in time and memory) distinguish them from a random permutation. We claim that two passes (in opposite directions) over the m-bit message, with text-dependent feedforward (chaining) and in streaming mode, are sufficient to circumvent the presented attacks.