Initialization vector

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (a number used only once), and the primitives (e.g. CBC) are considered stateful rather than randomized. This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with the message to account for message loss.) An example of stateful encryption schemes is the counter mode of operation, which has a sequence number for a nonce.

The IV size depends on the cryptographic primitive used; for block ciphers it is generally the cipher's block size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks. When the IV is chosen at random, the probability of collisions due to the birthday problem must be taken into account. Traditional stream ciphers such as RC4 do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the WEP protocol is a notable example, and is prone to related-IV attacks.

Motivation

Figure: Insecure encryption of an image as a result of electronic codebook mode encoding.

A block cipher is one of the most basic primitives in cryptography, and frequently used for data encryption. However, by itself, it can only be used to encode a data block of a predefined size, called the block size. For example, a single invocation of the AES algorithm transforms a 128-bit plaintext block into a ciphertext block of 128 bits in size. The key, which is given as one input to the cipher, defines the mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure, as equal plaintext blocks get transformed into equal ciphertexts, and a third party observing the encrypted data may easily determine its content even without knowing the encryption key.

To hide patterns in encrypted data while avoiding the re-issuing of a new key after each block cipher invocation, a method is needed to randomize the input data. In 1980, the NIST published a national standard document designated Federal Information Processing Standard (FIPS) PUB 81, which specified four so-called block cipher modes of operation, each describing a different solution for encrypting a set of input blocks. The first mode implements the simple strategy described above, and was specified as the electronic codebook (ECB) mode. In contrast, each of the other modes describes a process where ciphertext from one block encryption step gets intermixed with the data from the next encryption step. To initiate this process, an additional input value is required to be mixed with the first block, which is referred to as an initialization vector. For example, the cipher-block chaining (CBC) mode requires an unpredictable value, of size equal to the cipher's block size, as additional input. This unpredictable value is added to the first plaintext block before subsequent encryption. In turn, the ciphertext produced in the first encryption step is added to the second plaintext block, and so on. The ultimate goal for encryption schemes is to provide semantic security: by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext. It can be shown that each of the three additional modes specified by the NIST is semantically secure under so-called chosen-plaintext attacks.

Properties

Properties of an IV depend on the cryptographic scheme used. A basic requirement is uniqueness, which means that no IV may be reused under the same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. In stream cipher encryption, uniqueness is crucially important, as plaintext may be trivially recovered otherwise.

Example: Stream ciphers encrypt plaintext P to ciphertext C by deriving a key stream K from a given key and IV and computing C as C = P xor K. Assume that an attacker has observed two messages C1 and C2 both encrypted with the same key and IV. Then knowledge of either P1 or P2 reveals the other plaintext, since

C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2.

Many schemes require the IV to be unpredictable by an adversary. This is effected by selecting the IV at random or pseudo-randomly. In such schemes, the chance of a duplicate IV is negligible, but the effect of the birthday problem must be considered. As for the uniqueness requirement, a predictable IV may allow recovery of (partial) plaintext.

Example: Consider a scenario where a legitimate party called Alice encrypts messages using the cipher-block chaining mode. Consider further that there is an adversary called Eve that can observe these encryptions and is able to forward plaintext messages to Alice for encryption (in other words, Eve is capable of a chosen-plaintext attack). Now assume that Alice has sent a message consisting of an initialization vector IV1 and starting with a ciphertext block C_Alice. Let further P_Alice denote the first plaintext block of Alice's message, let E denote encryption, and let P_Eve be Eve's guess for the first plaintext block. Now, if Eve can determine the initialization vector IV2 of the next message, she will be able to test her guess by forwarding a plaintext message to Alice starting with (IV2 xor IV1 xor P_Eve); if her guess was correct, this plaintext block will get encrypted to C_Alice by Alice. This is because of the following simple observation:

C_Alice = E(IV1 xor P_Alice) = E(IV2 xor (IV2 xor IV1 xor P_Alice)).

Depending on whether the IV for a cryptographic scheme must be random or only unique, the scheme is either called randomized or stateful. While randomized schemes always require the IV chosen by a sender to be forwarded to receivers, stateful schemes allow sender and receiver to share a common IV state, which is updated in a predefined way at both sides.

Block ciphers

Block cipher processing of data is usually described as a mode of operation. Modes are primarily defined for encryption as well as authentication, though newer designs exist that combine both security solutions in so-called authenticated encryption modes. While encryption and authenticated encryption modes usually take an IV matching the cipher's block size, authentication modes are commonly realized as deterministic algorithms, and the IV is set to zero or some other fixed value.

Stream ciphers

In stream ciphers, IVs are loaded into the keyed internal secret state of the cipher, after which a number of cipher rounds are executed prior to releasing the first bit of output. For performance reasons, designers of stream ciphers try to keep that number of rounds as small as possible, but because determining the minimal secure number of rounds for stream ciphers is not a trivial task, and considering other issues such as entropy loss, unique to each cipher construction, related-IVs and other IV-related attacks are a known security issue for stream ciphers, which makes IV loading in stream ciphers a serious concern and a subject of ongoing research.

WEP IV

The 802.11 encryption algorithm called WEP (short for Wired Equivalent Privacy) used a short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked. Packet injection allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP.

SSL 2.0 IV

In cipher-block chaining mode (CBC mode), the IV need not be secret, but must be unpredictable at encryption time (in particular, for any given plaintext, it must not be possible to predict the IV that will be associated with the plaintext in advance of the generation of the IV). Additionally, for the output feedback mode (OFB mode), the IV must be unique. In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about the plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the BEAST attack.

See also

Cryptographic nonce
Padding (cryptography)
Random seed
Salt (cryptography)
Block cipher modes of operation
CipherSaber (RC4 with IV)

Further reading

Schneier, B. (1996). Applied Cryptography (2nd ed.). New York: Wiley. ISBN 978-0-471-12845-8.
Ferguson, N.; Schneier, B. (2003). Practical Cryptography. New York: Wiley. ISBN 978-0-471-22894-3.
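The two examples from the Properties section (keystream reuse under a repeated IV, and Eve's guess test against a predictable CBC IV) carried through in Python, as an added example that is not part of the original article. It assumes a stand-in keyed block function E_K built from HMAC-SHA256 (not a real block cipher), a CbcSender class standing in for Alice, and constructed sample messages; the "chained" policy models the SSL 2.0 practice of reusing the last ciphertext block as the next IV, and the "random" policy is the unpredictable IV the article calls for.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a keyed block function E_K (an assumption of this example).

    A 16-byte truncation of HMAC-SHA256 is a PRF rather than an invertible cipher,
    but the relation E(IV xor P) on the first block is all the two arguments need.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


# --- Stream cipher: C = P xor K, with K derived from key and IV ----------------

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-style keystream K = E(IV || 0) || E(IV || 1) || ... (IV is 8 bytes)."""
    out = b""
    for ctr in range((length + BLOCK - 1) // BLOCK):
        out += block_encrypt(key, iv + ctr.to_bytes(8, "big"))
    return out[:length]


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def recover_from_reused_iv(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Same key and IV for both messages: C1 xor C2 = P1 xor P2, so P1 reveals P2."""
    return xor_bytes(xor_bytes(c1, c2), p1)


# --- CBC: a predictable IV turns a chosen-plaintext query into a guess oracle --

class CbcSender:
    """Alice. iv_policy "chained" reuses the last ciphertext block as the next IV
    (the SSL 2.0 practice); "random" draws a fresh IV for every message."""

    def __init__(self, key: bytes, iv_policy: str):
        self.key = key
        self.iv_policy = iv_policy
        self.last_block = os.urandom(BLOCK)  # serves as the first chained IV

    def encrypt(self, plaintext: bytes):
        assert len(plaintext) % BLOCK == 0  # no padding in this example
        iv = self.last_block if self.iv_policy == "chained" else os.urandom(BLOCK)
        prev, out = iv, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor_bytes(prev, plaintext[i:i + BLOCK]))
            out += prev
        self.last_block = prev
        return iv, out


def eve_confirms_guess(alice: CbcSender, iv1: bytes, c_alice: bytes, p_eve: bytes) -> bool:
    """Eve predicts IV2 as the last ciphertext block she observed, has Alice encrypt
    IV2 xor IV1 xor P_Eve, and compares the first ciphertext block with C_Alice.
    E(IV2 xor (IV2 xor IV1 xor P_Eve)) == E(IV1 xor P_Alice) iff P_Eve == P_Alice,
    provided IV2 really is the IV Alice uses; a random IV breaks that assumption."""
    iv2_predicted = alice.last_block
    probe = xor_bytes(xor_bytes(iv2_predicted, iv1), p_eve)
    _, c_probe = alice.encrypt(probe)
    return c_probe[:BLOCK] == c_alice[:BLOCK]


def run_demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    # Constructed sample messages encrypted under the same key and IV.
    p1 = b"transfer 100 EUR to account 42"
    p2 = b"transfer 900 EUR to account 17"
    iv = b"\x00" * 8
    c1, c2 = stream_encrypt(key, iv, p1), stream_encrypt(key, iv, p2)
    results = {"stream_reuse_reveals_p2": recover_from_reused_iv(c1, c2, p1) == p2}
    # CBC with chained (predictable) IVs versus random IVs; one 16-byte block each.
    p_alice, p_wrong = b"YES, sell today ", b"NO, hold stocks "
    for policy in ("chained", "random"):
        alice = CbcSender(key, policy)
        iv1, c_alice = alice.encrypt(p_alice)
        results[policy + "_correct_guess"] = eve_confirms_guess(alice, iv1, c_alice, p_alice)
        results[policy + "_wrong_guess"] = eve_confirms_guess(alice, iv1, c_alice, p_wrong)
    return results
```

With the chained policy Eve's test is a reliable oracle (True only for the right guess); with a random IV the test reports False even for the correct guess, which is the property the article asks of a CBC IV.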