From fb439f817e3b8e53a422217083ba28790dce4f3e Mon Sep 17 00:00:00 2001
From: Mark Wooding <mdw@distorted.org.uk>
Date: Wed, 1 Mar 2006 13:10:38 +0000
Subject: [PATCH] Check stuff in.

---
 Makefile  |   18 +
 modes.tex | 2259 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 2277 insertions(+)
 create mode 100644 Makefile
 create mode 100644 modes.tex

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1d444b0
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,18 @@
+all: modes.ps modes.pdf modes.dvi
+
+modes.dvi: modes.tex
+	latex modes.tex
+	bibtex modes.aux
+	latex modes.tex
+	latex modes.tex
+
+modes.ps: modes.dvi
+	dvips -o $@.new $<
+	mv $@.new $@
+
+modes.pdf: modes.ps
+	gs -sDEVICE=pdfwrite -sOutputFile=$@.new -q -dBATCH -dNOPAUSE $<
+	mv $@.new $@
+
+clean: 
+	rm -f *.aux *.toc *.blg *.bbl *.dvi *.ps *.pdf *.lof *.lot *.log
diff --git a/modes.tex b/modes.tex
new file mode 100644
index 0000000..94e57b1
--- /dev/null
+++ b/modes.tex
@@ -0,0 +1,2259 @@
+%%% -*-latex-*-
+%%%
+%%% $Id$
+%%%
+%%% Standard block cipher modes of operation
+%%%
+%%% (c) 2003 Mark Wooding
+%%%
+
+\newif\iffancystyle\fancystylefalse
+\fancystyletrue
+\errorcontextlines=\maxdimen
+\showboxdepth=\maxdimen
+\showboxbreadth=\maxdimen
+
+\iffancystyle
+  \documentclass
+    [a4paper, article, 10pt, numbering, noherefloats, notitlepage]
+    {strayman}
+  \usepackage[T1]{fontenc}
+  \usepackage[palatino, helvetica, courier, maths=cmr]{mdwfonts}
+  \usepackage[within = subsection, mdwmargin]{mdwthm}
+  \usepackage{mdwlist}
+  \usepackage{sverb}
+  \PassOptionsToPackage{dvips}{xy}
+\else
+  \documentclass[a4paper]{llncs}
+  \usepackage{a4wide}
+\fi
+
+\PassOptionsToPackage{show}{slowbox}
+%\PassOptionsToPackage{hide}{slowbox}
+\usepackage{mdwtab, mathenv, mdwmath, crypto}
+\usepackage{slowbox}
+\usepackage{amssymb, amstext}
+\usepackage{url, multicol}
+\DeclareUrlCommand\email{\urlstyle{tt}}
+\ifslowboxshow
+  \usepackage[all]{xy}
+  \turnradius{4pt}
+\fi
+
+\title{New proofs for old modes}
+\iffancystyle
+  \author{Mark Wooding \\ \email{mdw@distorted.org.uk}}
+\else
+  \author{Mark Wooding}
+  \institute{\email{mdw@distorted.org.uk}}
+\fi
+
+\iffancystyle
+  \bibliographystyle{mdwalpha}
+  \let\epsilon\varepsilon
+  \let\emptyset\varnothing
+  \let\le\leqslant\let\leq\le
+  \let\ge\geqslant\let\geq\ge
+  \numberwithin{table}{section}
+  \numberwithin{figure}{section}
+\else
+  \bibliographystyle{plain}
+  \expandafter\let\csname claim*\endcsname\claim
+  \expandafter\let\csname endclaim*\endcsname\endclaim
+\fi
+
+%%\newcommand{\Nupto}[1]{\N_{<{#1}}}
+\newcommand{\Nupto}[1]{\{0, 1, \ldots, #1 - 1\}}
+\let\Bin\Sigma
+\let\emptystring\lambda
+\edef\Pr{\expandafter\noexpand\Pr\nolimits}
+\newcommand{\bitsto}{\mathbin{..}}
+\newcommand{\shift}[1]{\lsl_{#1}}
+\newcommand{\E}{{\mathcal{E}}}
+\newcommand{\M}{{\mathcal{M}}}
+\iffancystyle
+  \def\description{%
+    \basedescript{%
+      \let\makelabel\textit%
+      \desclabelstyle\multilinelabel%
+      \desclabelwidth{1in}%
+    }%
+  }
+\fi
+\def\fixme{\marginpar{FIXME}}
+
+\newslowboxenv{cgraph}{\par$$}{\begin{graph}}{\end{graph}}{$$\par}
+\newslowboxenv{vgraph}
+  {\hfil$\vcenter\bgroup\hbox\bgroup}
+  {\begin{graph}}
+  {\end{graph}}
+  {\egroup\egroup$}
+\newenvironment{vgraphs}{\hbox to\hsize\bgroup}{\hfil\egroup}
+    
+\begin{document}
+
+%%%--------------------------------------------------------------------------
+
+\maketitle
+
+\begin{abstract}
+  We study the standard block cipher modes of operation: CBC, CFB, OFB, and
+  CBCMAC and analyse their security.  We don't look at ECB other than briefly
+  to note its insecurity, and we have no new results on counter mode.  Our
+  results improve over those previously published in that (a) our bounds are
+  better, (b) our proofs are shorter and easier, (c) the proofs correct
+  errors we discovered in previous work, or some combination of these.  We
+  provide a new security notion for symmetric encryption which turns out to
+  be rather useful when analysing block cipher modes.  Finally, we define a
+  new, condition for initialization vectors, introducing the concept of a
+  `generalized counter', and proving that generalized suffice for security in
+  (full-width) CFB and OFB modes and that generalized counters encrypted
+  using the block cipher (with the same key) suffice for all the encryption
+  modes we study.
+\end{abstract}
+
+\iffancystyle
+\newpage
+\columnsep=2em \columnseprule=0pt
+\tableofcontents[\begin{multicols}{2}\raggedright][\end{multicols}]
+\listoffigures[\begin{multicols}{2}\raggedright][\end{multicols}]
+\listoftables[\begin{multicols}{2}\raggedright][\end{multicols}]
+\newpage
+\fi
+
+%%%--------------------------------------------------------------------------
+
+\section{Introduction}
+\label{sec:intro}
+
+\subsection{Block cipher modes}
+
+Block ciphers -- keyed pseudorandom permutations -- are essential
+cryptographic tools, widely used for bulk data encryption and to an
+increasing extent for message authentication.  Because the efficient block
+ciphers we have operate on fixed and relatively small strings of bits -- 64
+or 128 bits at a time, one needs a `mode of operation' to explain how to
+process longer messages.
+
+A collection of encryption modes, named ECB, CBC, CFB and OFB, were defined
+in \cite{FIPS81}.  Of these, ECB -- simply divide the message into blocks and
+process them independently with the block cipher -- is just insecure and not
+to be recommended for anything much.  We describe the other three, and
+analyse their security using the standard quantitative provable-security
+approach.  All three require an `initialization vector' or `IV' which
+diversifies the output making it hard to correlate ciphertexts with
+plaintexts.  We investigate which conditions on these IVs suffice for secure
+encryption.
+
+We also examine the CBC-MAC message-authentication scheme, because it's
+intimately related to the CBC encryption scheme and the same techniques we
+used in the analysis of the latter apply to the former.
+
+\subsection{Previous work}
+
+The first quantitative security proof for a block cipher mode is the analysis
+of CBCMAC of \cite{Bellare:1994:SCB}.  Security proofs for the encryption
+modes CBC and CTR appeared in \cite{Bellare:2000:CST}, which also defines and
+relates the standard security notions of symmetric encryption.  The authors
+of \cite{Alkassar:2001:OSS} offer a proof of CFB mode, though we believe it
+to be flawed in a number of respects.
+
+\subsection{Our contribution}
+
+We introduce a new security notion for symmetric encryption, named
+`result-or-garbage', or `ROG-CPA', which generalizes the `real-or-random'
+notion of \cite{Bellare:2000:CST} and the `random-string' notion of
+\cite{Rogaway:2001:OCB}.  Put simply, it states that an encryption scheme is
+secure if an adversary has difficulty distinguishing true ciphertexts from
+strings chosen by an algorithm which is given only the \emph{length} of the
+adversary's plaintext.  This turns out to be just the right tool for
+analysing our encryption modes.  We relate this notion to the standard
+`left-or-right' notion and, thereby, all the others.
+
+Our bound for CBC mode improves over the `tight' bound proven in
+\cite{Bellare:2000:CST} by almost a factor of two.  The difference comes
+because they analyse the construction as if it were built from a PRF and add
+in a `PRP-used-as-a-PRF' correction term: our analysis considers the effect
+of a permutation directly.  We prove that CBC mode is still secure if an
+encrypted counter is used in place of a random string as the IV for each
+message.  Finally, we show that the `ciphertext stealing' technique is
+secure.
+
+For CFB, we first discuss the work of \cite{Alkassar:2001:OSS}, who offer a
+proof for both CFB mode and an optimized variant which enhances the
+error-recovery properties of standard CFB.  We believe that their proof is
+defective in a number of ways.  We then offer our own proof.  Our bound is a
+factor of two worse than theirs; however, we believe that fixing their proof
+introduces this missing factor of two: that is, that our `poorer' bound
+reflects the true security of CFB mode more accurately.  We show that
+full-width CFB is secure if the IV is any `generalized counter', and that
+both full-width and truncated $t$-bit CFB are secure if the IV is an
+encrypted counter.  We also show that, unlike CBC mode, it is safe to `carry
+over' the final shift-register value from the previous message as the IV for
+the next message.
+
+OFB mode is in fact a simple modification to CFB mode, and we prove the
+security of OFB by relating it to CFB.
+
+Finally, for CBCMAC, we analyse it using \emph{both} pseudorandom functions
+\emph{and} pseudorandom permutations, showing that, in fact, using a block
+cipher rather than a PRF reduces the security hardly at all.  Also, we
+improve on the (groundbreaking) work of \cite{Bellare:1994:SCB} firstly by
+improving the security bound by a factor of almost four, and secondly by
+extending the message space from a space of fixed-length messages to
+\emph{any} prefix-free set of strings.
+
+As a convenient guide, our security bounds are summarized in
+table~\ref{tab:summary}.
+
+\begin{table}
+  \def\lower#1{%
+    \vbox to\baselineskip{\vskip\baselineskip\vskip2pt\hbox{#1}\vss}}
+  \def\none{\multicolumn{1}{c|}{---}}
+  \let\hack=\relax
+  \begin{tabular}[C]
+    {| c | ?>{\hack}c | c | >{\displaystyle} Mc | >{\displaystyle} Mc |}
+                                                           \hlx{hv[4]}
+    \multicolumn{1}{|c|}{\lower{\bfseries Mode}} &
+    \multicolumn{1}{c|}{\lower{\bfseries Section}} &
+    \multicolumn{1}{c|}{\lower{\bfseries Notion}} &
+    \multicolumn{2}{c|}{\bfseries Security with}        \\ \hlx{v[4]zc{4-5}v}
+    & & &
+    \multicolumn{1}{c|}{\bfseries $(t, q, \epsilon)$-PRF} &
+    \multicolumn{1}{c|}{\bfseries $(t, q, \epsilon)$-PRP}
+                                                        \\ \hlx{vhvv}
+    CBC & \ref{sec:cbc} & LOR-CPA &
+      \none &
+      2\epsilon + \frac{q (q - 1)}{2^\ell - q}          \\ \hlx{vvhvv}
+    CFB & \ref{sec:cfb} & LOR-CPA &
+      2 \epsilon + \frac{q (q - 1)}{2^\ell} &
+      2 \epsilon + \frac{q (q - 1)}{2^{\ell-1}}         \\ \hlx{vvhvv}
+    OFB & \ref{sec:ofb} & LOR-CPA &
+      2 \epsilon + \frac{q (q - 1)}{2^\ell} &
+      2 \epsilon + \frac{q (q - 1)}{2^{\ell-1}}         \\ \hlx{vvhvv}
+    CBCMAC & \ref{sec:cbcmac} & SUF-CMA &
+      \epsilon + \frac{q (q - 1) + 2 q_V}{2^{\ell+1}} &
+      \epsilon +
+        \frac{q (q - 1)}{2 \cdot (2^\ell - q)} +
+        \frac{q_V}{2^\ell - q_T}                        \\ \hlx{vvh}
+  \end{tabular}
+
+  \caption[Summary of our results]
+    {Summary of our results.  In all cases, $q$ is the number of block
+    cipher applications used in the game.}
+  \label{tab:summary}
+\end{table}
+
+\subsection{The rest of the paper}
+
+In section~\ref{sec:prelim} we define the various bits of notation and
+terminology we'll need in the rest of the paper.  The formal definitions are
+given for our new `result-or-garbage' security notion, and for our
+generalized counters.  In section~\ref{sec:cbc} we study CBC mode, and
+ciphertext stealing.  In section~\ref{sec:cfb} we study CFB mode.  In
+section~\ref{sec:ofb} we study OFB mode.  In section~\ref{sec:cbcmac} we
+study the CBCMAC message authentication scheme. 
+
+%%%--------------------------------------------------------------------------
+
+\section{Notation and definitions}
+\label{sec:prelim}
+
+\subsection{Bit strings}
+\label{sec:bitstrings}
+
+Most of our notation for bit strings is standard.  The main thing to note is
+that everything is zero-indexed.
+
+\begin{itemize}
+\item We write $\Bin = \{0, 1\}$ for the set of binary digits.  Then $\Bin^n$
+  is the set of $n$-bit strings, and $\Bin^*$ is the set of all (finite) bit
+  strings.
+\item If $x$ is a bit string then $|x|$ is the length of $x$.  If $x \in
+  \Bin^n$ then $|x| = n$.
+\item If $x, y \in \Bin^n$ are strings of bits of the same length then $x
+  \xor y \in \Bin^n$ is their bitwise XOR.
+\item If $x$ is a bit string and $i$ is an integer satisfying $0 \le i < |x|$
+  then $x[i]$ is the $i$th bit of $x$.  If $a$ and $b$ are integers
+  satisfying $0 \le a \le b \le |x|$ then $x[a \bitsto b]$ is the substring
+  of $x$ beginning with bit $a$ and ending just \emph{before} bit $b$.  We
+  have $|x[i]| = 1$ and $|x[a \bitsto b]| = b - a$; if $y = x[a \bitsto b]$
+  then $y[i] = x[a + i]$.
+\item If $x$ and $y$ are bit strings then $x y$ is the result of
+  concatenating $y$ to $x$.  If $z = x y$ then $|z| = |x| + |y|$; $z[i] =
+  x[i]$ if $0 \le i < |x|$ and $z[i] = y[i - |x|]$ if $|x| \le i < |x| +
+  |y|$.  Sometimes, for clarity (e.g., to distinguish from integer
+  multiplication) we write $x \cat y$ instead of $x y$.
+\item The empty string is denoted $\emptystring$.  We have $|\emptystring| =
+  0$, and $x = x \emptystring = \emptystring x$ for all strings $x
+  \in \Bin^*$.
+\item If $x$ is a bit string and $n$ is a natural number then $x^n$ is the
+  result of concatenating $x$ to itself $n$ times.  We have $x^0 =
+  \emptystring$ and if $n > 0$ then $x^n = x^{n-1} \cat x = x \cat x^{n-1}$.
+\item If $x$ and $y$ are bit strings, $|x| = \ell$, and $|y| = t$, then we
+  define $x \shift{t} y$ as:
+  \[ x \shift{t} y = (x y)[t \bitsto t + \ell] = \begin{cases}
+       x[t \bitsto \ell] \cat y  & if $t < \ell$, or \\
+       y[t - \ell \bitsto t]     & if $t \ge \ell$.
+  \end{cases} \]
+  Observe that, if $z = x \shift{t} y$ then $|z| = |x| = \ell$ and
+  \[ z[i] = (x y)[i + t] = \begin{cases}
+       x[i + t]  & if $0 \le i < \ell - t$, or \\
+       y[i + t - \ell] & if $\min(0, \ell - t) \le i < \ell$.
+  \end{cases} \]
+  Obviously $x \shift{0} \emptystring = x$, and if $|x| = |y| = t$ then $x
+  \shift{t} y = y$.  Finally, if $|y| = t$ and $|z| = t'$ then $(x \shift{t}
+  y) \shift{t'} z = x \shift{t + t'} (y z)$.
+\end{itemize}
+
+\subsection{Other notation}
+\label{sec:miscnotation}
+
+\begin{itemize}
+\iffalse
+\item If $n$ is any natural number, then $\Nupto{n}$ is the set $\{\, i \in
+  \Z \mid 0 \le i < n \,\} = \{ 0, 1, \ldots, n \}$.
+\fi
+\item The symbol $\bot$ (`bottom') is a value different from every bit
+  string.
+\item We write $\Func{l}{L}$ as the set of all functions from $\Bin^l$ to
+  $\Bin^L$, and $\Perm{l}$ as the set of all permutations on $\Bin^l$.
+\end{itemize}
+
+\subsection{Algorithm descriptions}
+\label{sec:algorithms}
+
+An \emph{adversary} is a probabilistic algorithm which attempts (possibly) to
+`break' a cryptographic scheme.  We will often provide adversaries with
+oracles which compute values with secret data.  The \emph{running time} of an
+adversary conventionally includes the size of the adversary's description:
+this is an attempt to `charge' the adversary for having large precomputed
+tables.
+
+Most of the notation used in the algorithm descriptions should be obvious.
+We briefly note a few features which may be unfamiliar.
+\begin{itemize}
+\item The notation $a \gets x$ denotes the action of assigning the value $x$
+  to the variable $a$.
+\item We write oracles as superscripts, with dots marking where inputs to
+  the oracle go, e.g., $A^{O(\cdot)}$.
+\item The notation $a \getsr X$, where $X$ is a finite set, denotes the
+  action of assigning to $a$ a random value $x \in X$ according to the
+  uniform probability distribution on $X$; i.e., following $a \getsr X$, we
+  have $\Pr[a = x] = 1/|X|$ for any $x \in X$.
+\end{itemize}
+The notation is generally quite sloppy about types and scopes.  We don't
+think these informalities cause much confusion, and they greatly simplify the
+presentation of the algorithms.
+
+\subsection{Pseudorandom functions and permutations}
+\label{sec:prfs-and-prps}
+
+Our definitions of pseudorandom functions and permutations are standard.  We
+provide them for the sake of completeness.
+
+\begin{definition}[Pseudorandom function family]
+  \label{def:prf}
+  A \emph{pseudorandom function family (PRF)} $F = \{F_K\}_K$ is a collection
+  of functions $F_K\colon \Bin^\ell \to \Bin^L$ indexed by a \emph{key} $K
+  \in \keys F$.  If $A$ is any adversary, we define $A$'s \emph{advantage in
+  distinguishing $F$ from a random function} to be
+  \[ \Adv{prf}{F}(A) =
+       \Pr[K \getsr \keys F: A^{F_K(\cdot)} = 1] -
+       \Pr[R \getsr \Func{\ell}{L}: A^{R(\cdot)} = 1]
+  \]
+  where the probability is taken over all choices of keys, random functions,
+  and the internal coin-tosses of $A$.  The \emph{insecurity of $F$} is given
+  by
+  \[ \InSec{prf}(F; t, q) = \max_A \Adv{prf}{F}(A) \]
+  where the maximum is taken over all adversaries which run in time~$t$ and
+  issue at most $q$ oracle queries.  If $\InSec{prf}(F; t, q) \le \epsilon$
+  then we say that $F$ is a $(t, q, \epsilon)$-PRF.
+\end{definition}
+
+\begin{definition}[Pseudorandom permutation family]
+  \label{def:prp}
+  A \emph{pseudorandom permutation family (PRP)} $E = \{E_K\}_K$ is a
+  collection of permutations $E_K\colon \Bin^\ell \to \Bin^\ell$ indexed by a
+  \emph{key} $K \in \keys E$.  If $A$ is any adversary, we define $A$'s
+  \emph{advantage in distinguishing $E$ from a random permutation} to be
+  \[ \Adv{prp}{F}(A) =
+       \Pr[K \getsr \keys E: A^{E_K(\cdot)} = 1] -
+       \Pr[P \getsr \Perm{\ell}: A^{P(\cdot)} = 1]
+  \]
+  where the probability is taken over all choices of keys, random
+  permutations, and the internal coin-tosses of $A$.  Note that the adversary
+  is not allowed to query the inverse permutation $E^{-1}_K(\cdot)$ or
+  $P^{-1}(\cdot)$.  The \emph{insecurity of $E$} is given by
+  \[ \InSec{prp}(E; t, q) = \max_A \Adv{prf}{E}(A) \]
+  where the maximum is taken over all adversaries which run in time~$t$ and
+  issue at most $q$ oracle queries.  If $\InSec{prp}(E; t, q) \le \epsilon$
+  then we say that $E$ is a $(t, q, \epsilon)$-PRP.
+\end{definition}
+
+The following result is standard; we shall require it for the security proofs
+of CFB and OFB modes.  The proof is given as an introduction to our general
+approach.
+
+\begin{proposition}
+  \label{prop:prps-are-prfs}
+  Suppose $E$ is a PRP over $\Bin^\ell$.  Then
+  \[ \InSec{prf}(E; t, q)
+     \le \InSec{prp}(E; t, q) + \frac{q (q - 1)}{2^{\ell+1}}.
+  \]
+\end{proposition}
+\begin{proof}
+  We claim
+  \[ \InSec{prf}(\Perm{\ell}; t, q) \le \frac{q (q - 1)}{2^{\ell+1}}, \]
+  i.e., that a \emph{perfect} $\ell$-bit random permutation is a PRF with the
+  stated bounds.  The proposition follows immediately from this claim and the
+  definition of a PRP.
+  
+  We now prove the claim.  Consider any adversary~$A$.  Let $x_i$ be $A$'s
+  queries, and let $y_i$ be the responses, for $0 \le i < q$.  Assume,
+  without loss of generality, that the $x_i$ are distinct.  Let $C_n$ be the
+  event in the random-function game $\Expt{prf-$0$}{\Perm{\ell}}(A)$ that
+  $y_i = y_j$ for some $i$ and $j$ where $0 \le i < j < n$.  Then
+  \begin{equation}
+    \Pr[C_n] \le \sum_{0\le i<n} \frac{i}{2^\ell}
+             = \frac{n (n - 1)}{2^{\ell+1}}.
+  \end{equation}
+  It's clear that the two games proceed identically if $C_q$ doesn't occur in
+  the random-function game.  The claim follows.
+\end{proof}
+
+\subsection{Symmetric encryption}
+\label{sec:sym-enc}
+
+We begin with a purely syntactic description of a symmetric encryption
+scheme, and then define our two notions of security.
+
+\begin{definition}[Symmetric encryption]
+  \label{def:symm-enc}
+  A \emph{symmetric encryption scheme} is a triple of algorithms $\E = (G, E,
+  D)$, with three (implicitly) associated sets: a keyspace, a plaintext
+  space, and a ciphertext space.
+  \begin{itemize}
+  \item $G$ is a probabilistic \emph{key-generation algorithm}.  It is
+    invoked with no arguments, and returns a key $K$ which can be used with
+    the other two algorithms.  We write $K \gets G()$.
+  \item $E$ is a probabilistic \emph{encryption algorithm}.  It is invoked
+    with a key $K$ and a \emph{plaintext} $x$ in the plaintext space, and it
+    returns a \emph{ciphertext} $y$ in the ciphertext space.  We write $y
+    \gets E_K(x)$.
+  \item $D$ is a deterministic \emph{decryption algorithm}.  It is invoked
+    with a key $K$ and a ciphertext $y$, and it returns either a plaintext
+    $x$ or the distinguished symbol $\bot$.  We write $x \gets D_K(y)$.
+  \end{itemize}
+  For correctness, we require that whenever $y$ is a possible result of
+  computing $E_K(x)$, then $x = D_K(y)$.
+\end{definition}
+
+Our primary notion of security is \emph{left-or-right indistinguishability
+under chosen-plaintext attack} (LOR-CPA), since it offers the best reductions
+to the other common notions.  (We can't acheive security against chosen
+ciphertext attack using any of our modes, so we don't even try.)  See
+\cite{Bellare:2000:CST} for a complete discussion of LOR-CPA, and how it
+relates to other security notions for symmetric encryption.
+
+\begin{definition}[Left-or-right indistinguishability]
+  \label{def:lor-cpa}
+  Let $\E = (G, E, D)$ be a symmetric encryption scheme.  Define the function
+  $\id{lr}(b, x_0, x_1) = x_b$.  Then for any adversary $A$, we define $A$'s
+  \emph{advantage against the LOR-CPA security of $\E$} as
+  \[ \Adv{lor-cpa}{\E}(A) =
+       \Pr[K \gets G(): A^{E_K(\id{lr}(1, \cdot, \cdot))} = 1] -
+       \Pr[K \gets G(): A^{E_K(\id{lr}(0, \cdot, \cdot))} = 1].
+  \]
+  We define the \emph{LOR-CPA insecurity of $\E$} to be
+  \[ \InSec{lor-cpa}(\E; t, q_E, \mu_E) =
+       \max_A \Adv{lor-cpa}{\E}(A)
+  \]
+  where the maximum is taken over all adversaries which run in time~$t$ and
+  issue at most $q_E$ encryption queries totalling at most $\mu_E$ bits.  If
+  $\InSec{lor-cpa}(\E; t, q_E, \mu_E) \le \epsilon$ then we say that $\E$ is
+  $(t, q_E, \mu_E, \epsilon)$-LOR-CPA.
+\end{definition}
+
+Our second notion is named \emph{result-or-garbage} and abbreviated ROG-CPA.
+It is related to the notion used by \cite{Rogaway:2001:OCB}, though different
+in important ways: for example, there are reductions both ways between
+ROG-CPA and LOR-CPA (and hence the other standard notions of security for
+symmetric encryption), whereas the notion of \cite{Rogaway:2001:OCB} is
+strictly stronger than LOR-CPA.  Our idea is that an encryption scheme is
+secure if ciphertexts of given plaintexts -- \emph{results} -- hard to
+distinguish from strings constructed independently of any plaintexts --
+\emph{garbage}.  We formalize this notion in terms of a
+\emph{garbage-emission algorithm} $W$ which is given only the length of the
+plaintext.  The algorithm $W$ will usually be probabilistic, and may maintain
+state.  Unlike \cite{Rogaway:2001:OCB}, we don't require that $W$'s output
+`look random' in any way, just that it be chosen independently of the
+adversary's plaintext selection.
+
+\begin{definition}[Result-or-garbage indistinguishability]
+  \label{def:rog-cpa}
+  Let $\E = (G, E, D)$ be a symmetric encryption scheme, and let $W$ be a
+  possibly-stateful, possibly-probabilistic \emph{garbage-emission}
+  algorithm.  Then for any adversary $A$, we define $A$'s \emph{advantage
+  against the ROG-CPA-$W$ security of $\E$} as
+  \[ \Adv{rog-cpa-$W$}{\E}(A) =
+       \Pr[K \gets G(): A^{E_K(\cdot)} = 1] - \Pr[A^{W(|\cdot|)} = 1]. \]
+  We define the \emph{ROG-CPA insecurity of $\E$} to be
+  \[ \InSec{lor-cpa}(\E; t, q_E, \mu_E) =
+       \max_A \Adv{lor-cpa}{\E}(A) \]
+  where the maximum is taken over all adversaries which run in time~$t$ and
+  issue at most $q_E$ encryption queries totalling at most $\mu_E$ bits.  If
+  $\InSec{rog-cpa-$W$}(\E; t, q_E, \mu_E) \le \epsilon$ for some $W$ then we
+  say that $\E$ is $(t, q_E, \mu_E, \epsilon)$-ROG-CPA. 
+\end{definition}
+
+The following proposition relates our new notion to the existing known
+notions of security.
+
+\begin{proposition}[ROG $\Leftrightarrow$ LOR]
+  \label{prop:rog-and-lor}
+  Let $\E$ be a symmetric encryption scheme.  Then,
+  \begin{enumerate}
+  \item for all garbage-emission algorithms $W$,
+    \[ \InSec{lor-cpa}(\E; t, q_E, \mu_E)
+       \le 2 \cdot
+         \InSec{rog-cpa-$W$}(\E; t + t_E \mu_E, q_E, \mu_E)
+    \]
+    and
+  \item there exists a garbage-emission algorithm $W$ for which
+    \[ \InSec{rog-cpa-$W$}(\E; t, q_E, \mu_E)
+       \le \InSec{lor-cpa}(\E; t + t_E \mu_E, q_E, \mu_E)
+    \]
+  \end{enumerate}
+  for some fairly small constant $t_E$.
+\end{proposition}
+\begin{proof}
+  \begin{enumerate}
+  \item Let $W$ and $\E$ be given, and let $A$ be an adversary attacking the
+    LOR-CPA security of $\E$.  Consider adversary $B$ attacking $\E$'s
+    ROG-CPA-$W$ security.
+    \begin{program}
+      Adversary $B^E(\cdot)$: \+ \\
+        $b^* \getsr \Bin$; \\
+        $b \gets A^{E(\id{lr}(b^*, \cdot, \cdot))}$; \\
+        \IF $b = b^*$ \THEN \RETURN $1$ \ELSE \RETURN $0$;
+    \next
+      Function $\id{lr}(b, x_0, x_1)$: \+ \\
+        \IF $b = 0$ \THEN \RETURN $x_0$ \ELSE \RETURN $x_1$;
+    \end{program}
+    If $E(\cdot)$ is the `result' encryption oracle, then $B$ simulates the
+    left-or-right game for the benefit of $A$, and therefore returns $1$ with
+    probability $(\Adv{lor-cpa}{\E}(A) + 1)/2$.  On the other hand, if
+    $E(\cdot)$ returns `garbage' then the oracle responses are entirely
+    independent of $b^*$.  This follows because $A$ is constrained to query
+    only on pairs of plaintexts with equal lengths, and the responses are
+    dependent only on these (common) lengths and any internal state and coin
+    tosses of $W$.  So $b$ is independent of $b^*$ and $\Pr[b = b^*] =
+    \frac{1}{2}$.  The result follows.
+  \item Let $\E = (G, E, D)$ be given.  Our garbage emitter simulates the
+    real-or-random game of \cite{Bellare:2000:CST}.  Let $K_W = \bot$
+    initially: we define our emitter $W$ thus:
+    \begin{program}
+      Garbage emitter $W(n)$: \+ \\
+        \IF $K_W = \bot$ \THEN $K_W \gets G()$; \\
+        $x \getsr \Bin^n$; \\
+        \RETURN $E_K(x)$;
+    \end{program}
+    We now show that $\InSec{rog-cpa-$W$}(\E; t, q_E, \mu_E) \le
+    \InSec{lor-cpa}(\E; t + t_E \mu_E, q_E, \mu_E)$ for our $W$.  Let $A$ be
+    an adversary attacking the ROG-CPA-$W$ security of $\E$.  Consider
+    adversary $B$ attacking $\E$'s LOR-CPA security:
+    \begin{program}
+      Adversary $B^{E(\cdot, \cdot)}$: \+ \\
+        $b \gets A^{\id{lorify}(\cdot)}$; \\
+        \RETURN $b$;
+    \next
+      Function $\id{lorify}(x)$: \+ \\
+        $x' \getsr \Bin^{|x|}$; \\
+        \RETURN $E(x', x)$;
+    \end{program}
+    The adversary simulates the ROG-CPA-$W$ games perfectly for our chosen
+    $W$, since the game has chosen the random $K_W$ for us already: the
+    `left' game returns only the results of encrypting random `garbage'
+    plaintexts $x'$, while the right game returns correct results of
+    encrypting the given plaintexts $x$.  The result follows.
+  \qed
+  \end{enumerate}
+\end{proof}
+
+
+
+\subsection{Message authentication}
+\label{sec:mac}
+
+Our definitions for message authentication are standard; little needs to be
+said of them.  As with symmetric encryption, we begin with a syntactic
+definition, and then describe our notion of security.
+
+\begin{definition}[Message authentication code]
+  \label{def:mac}
+  A \emph{message authentication code (MAC)} is a triple of algorithms $\M =
+  (G, T, V)$ with three (implicitly) associated sets: a keyspace, a message
+  space, and a tag space.
+  \begin{itemize}
+  \item $G$ is a probabilistic \emph{key-generation algorithm}.  It is
+    invoked with no arguments, and returns a key $K$ which can be used with
+    the other two algorithms.  We write $K \gets G()$.
+  \item $T$ is a probabilistic \emph{tagging algorithm}.  It is invoked with
+    a key $K$ and a \emph{message} $x$ in the message space, and it returns a
+    \emph{tag} $\tau$ in the tag space.  We write $\tau \gets T_K(x)$.
+  \item $V$ is a deterministic \emph{verification algorithm}.  It is invoked
+    with a key $K$, a message $x$ and a tag $\tau$, and returns a bit $b \in
+    \Bin$.  We write $b \gets V_K(x, \tau)$.
+  \end{itemize}
+  For correctness, we require that whenever $\tau$ is a possible result of
+  computing $T_K(x)$, then $V_K(x, \tau) = 1$.
+\end{definition}
+
+Our notion of security is the strong unforgeability of
+\cite{Abdalla:2001:DHIES,Bellare:2000:AER}.
+
+\begin{definition}[Strong unforgeability]
+  Let $\M = (G, T, V)$ be a message authentication code, and let $A$
+  be an adversary.  We perform the following experiment.
+  \begin{program}
+    Experiment $\Expt{suf-cma}{\M}(A)$: \+ \\
+      $K \gets G()$; \\
+      $\Xid{T}{list} \gets \emptyset$; \\
+      $\id{good} \gets 0$; \\
+      $A^{\id{tag}(\cdot), \id{verify}(\cdot, \cdot)}$; \\
+      \RETURN $\id{good}$;
+    \newline
+    Oracle $\id{tag}(x)$: \+ \\
+      $\tau \gets T_K(x)$; \\
+      $\Xid{T}{list} \gets \Xid{T}{list} \cup \{(x, \tau)\}$; \\
+      \RETURN $\tau$;
+    \next
+    Oracle $\id{verify}(x, \tau)$: \+ \\
+      $b \gets V_K(x, \tau)$; \\
+      \IF $b = 1 \land (x, \tau) \notin \Xid{T}{list}$ \THEN
+        $\id{good} \gets 1$; \\
+      \RETURN $b$;
+  \end{program}
+  That is, the adversary `wins' if it submits a query to its verification
+  oracle which is \emph{new} -- doesn't match any message/tag pair from the
+  tagging oracle -- and \emph{valid} -- the verification oracle returned
+  success.  We define the adversary's \emph{success probability} as
+  \[ \Succ{suf-cma}{\M}(A) =
+       \Pr[\Expt{suf-cma}{\M}(A) = 1]. \]
+  We define the \emph{SUF-CMA insecurity of $\M$} to be
+  \[ \InSec{suf-cma}(\M; t, q_T, \mu_T, q_V, \mu_V) =
+       \max_A \Adv{suf-cma}{\M}(A) \]
+  where the maximum is taken over all adversaries which run in time~$t$,
+  issue at most $q_T$ tagging queries totalling at most $\mu_T$ bits, and
+  issue at most $q_V$ verification queries totalling at most $\mu_V$ bits.
+  If $\InSec{suf-cma}(\M; t, q_T, \mu_T, q_V, \mu_V) \le \epsilon$
+  then we say that $\E$ is $(t, q_T, \mu_T, q_V, \mu_V)$-SUF-CMA.
+\end{definition}
+
+\subsection{Initialization vectors and encryption modes}
+\label{sec:iv}
+
+In order to reduce the number of definitions in this paper to a tractable
+level, we will describe the basic modes independently of how initialization
+vectors (IVs) are chosen, and then construct the actual encryption schemes by
+applying various IV selection methods from the modes.
+
+We consider the following IV selection methods.
+\begin{description}
+\item[Random selection] An IV is chosen uniformly at random just before
+  encrypting each message.
+\item[Counter] The IV for each message is a \emph{generalized counter} (see
+  discussion below, and definition~\ref{def:genctr}).
+\item[Encrypted counter] The IV for a message is the result of applying the
+  block cipher to a generalized counter, using the same key as for message
+  encryption.
+\item[Carry-over] The IV for the first message is fixed; the IV for
+  subsequent messages is some function of the previous plaintexts or
+  ciphertexts (e.g., the last ciphertext block of the previous message).
+\end{description}
+Not all of these methods are secure for all of the modes we consider.
+
+\begin{definition}[Generalized counters]
+  \label{def:genctr}
+  If $S$ is a finite set, then a \emph{generalized counter in $S$} is an
+  bijection $c\colon \Nupto{|S|} \leftrightarrow S$.  For brevity, we shall
+  refer simply to `counters', leaving implicit the generalization.
+\end{definition}
+
+\begin{remark}[Examples of generalized counters] \leavevmode
+  \begin{itemize}
+  \item There is a `natural' binary representation of the natural numbers
+    $\Nupto{2^\ell}$ as $\ell$-bit strings: for any $n \in \Nupto{2^\ell}$,
+    let $R(n)$ be the unique $r \in \Bin^\ell$ such that $\smash{n =
+    \sum_{0\le i<\ell} 2^i r[i]}$.  Then $R(\cdot)$ is a generalized counter
+    in $\Bin^\ell$.
+  \item We can represent elements of the finite field $\gf{2^\ell}$ as
+    $\ell$-bit strings.  Let $p(x) \in \gf{2}[x]$ be a primitive polynomial
+    of degree $\ell$; then represent $\gf{2^\ell}$ by $\gf{2}[x]/(p(x))$.
+    Now for any $a \in \gf{2^\ell}$, let $R(a)$ be the unique $r \in
+    \Bin^\ell$ such that $\smash{a = \sum_{0\le i<\ell} x^i r[i]}$.  Because
+    $p(x)$ is primitive, $x$ generates the multiplicative group
+    $\gf{2^\ell}^{\,*}$, so define $c(n) = R(x^n)$ for $0 \le n < 2^\ell - 1$
+    and $c(2^{\ell - 1}) = 0^\ell$; then $c(\cdot)$ is a generalized counter
+    in $\Bin^\ell$.  This counter can be implemented efficiently in hardware
+    using a linear feedback shift register.
+  \end{itemize}
+\end{remark}
+
+\begin{definition}[Encryption modes]
+  \label{def:enc-modes}
+
+  A \emph{block cipher encryption mode} $m_P = (\id{encrypt}, \id{decrypt})$
+  is a pair of deterministic oracle algorithms (and implicitly-defined
+  plaintext and ciphertext spaces) which satisfy the following conditions:
+  \begin{enumerate}
+  \item The algorithm $\id{encrypt}$ runs with oracle access to a permutation
+    $P\colon \Bin^\ell \leftrightarrow \Bin^\ell$; on input a plaintext $x$
+    and an initialization vector $v \in \Bin^\ell$, it returns a ciphertext
+    $y$ and a \emph{chaining value} $v' \in \Bin^\ell$.  We write $(v', y) =
+    \id{encrypt}^{P(\cdot)}(v, x)$. 
+  \item The algorithm $\id{decrypt}$ runs with oracle access to a permutation
+    $P\colon \Bin^\ell \leftrightarrow \Bin^\ell$ and its inverse
+    $P^{-1}(\cdot)$; on input a ciphertext $y$ and an initialization vector
+    $v \in \Bin^\ell$, it returns a plaintext $x$.  We write that $x =
+    \id{decrypt}^{P(\cdot), P^{-1}(\cdot)}(v, y)$.
+  \item For all permutations $P\colon \Bin^\ell \leftrightarrow \Bin^\ell$,
+    all plaintexts $x$ and all initialization vectors $v$, if $(v', y) =
+    \id{encrypt}^{P(\cdot)}(v, x)$ then $x = \id{decrypt}^{P(\cdot),
+    P^{-1}(\cdot)}(v, y)$. 
+  \item There exists an efficient algorithm which, given a ciphertext $y$ and
+    the initialization vector but \emph{not} access to $P$, computes the
+    chaining value $v'$ such that $(v', y) = \id{encrypt}^P(v, x)$.
+  \end{enumerate}
+  Similarly, a \emph{PRF encryption mode} $m_F = (\id{encrypt},
+  \id{decrypt})$ is a pair of deterministic oracle algorithms (and
+  implicitly-defined plaintext and ciphertext spaces) which satisfy the
+  following conditions:
+  \begin{enumerate}
+  \item The algorithm $\id{encrypt}$ runs with oracle access to a function
+    $F\colon \Bin^\ell \to \Bin^L$; on input a plaintext $x$ and an
+    initialization vector $v \in \Bin^\ell$, it returns a ciphertext $y$ and
+    a \emph{chaining value} $v' \in \Bin^\ell$.  We write $(v', y) =
+    \id{encrypt}^{F(\cdot)}(v, x)$.
+  \item The algorithm $\id{decrypt}$ runs with oracle access to a function
+    $F\colon \Bin^\ell \to \Bin^L$; on input a ciphertext $y$ and an
+    initialization vector $v \in \Bin^\ell$, it returns a plaintext $x$.  We
+    write that $(v', x) = \id{decrypt}^{F(\cdot)}(v, y)$.
+  \item For all functions $F\colon \Bin^\ell \to \Bin^L$, all plaintexts $x$
+    and all initialization vectors $v$, if $(v', y) =
+    \id{encrypt}^{F(\cdot)}(v, x)$ then $x = \id{decrypt}^{F(\cdot)}(v, y)$.
+  \item There exists an efficient algorithm which, given a ciphertext $y$ and
+    the initialization vector but \emph{not} access to $F$, computes the
+    chaining value $v'$ such that $(v', y) = \id{encrypt}^F(v, x)$.
+  \qed
+  \end{enumerate}
+\end{definition}
+
+\begin{definition}[Symmetric encryption schemes from modes]
+  \label{def:enc-scheme}
+  Let $F$ be a pseudorandom permutation on $\Bin^\ell$ (resp.\ a
+  pseudorandom function from $\Bin^\ell$ to $\Bin^L$); let $m =
+  (\id{encrypt}, \id{decrypt})$ be a block cipher (resp.\ PRF) encryption
+  mode.  (To save on repetition, if $F$ is a PRF then define $F_K^{-1}(x) =
+  \bot$ for all keys $K$ and inputs $x$.)  We define the following symmetric
+  encryption schemes according to how IVs are selected. 
+
+  \begin{itemize}
+  \def\Enc{\Xid{\E}{$m$\what}^{\super}}
+  \def\GG{\Xid{G}{$m$\what}^{\super}}
+  \def\EE{\Xid{E}{$m$\what}^{\super}}
+  \def\DD{\Xid{D}{$m$\what}^{\super}}
+
+  \def\what{$\$$}
+  \def\super{F}
+  \item Randomized selection: define $\Enc = (\GG, \EE, \DD)$, where
+    \begin{program}
+      Algorithm $\GG()$: \+ \\
+        $K \getsr \keys F$; \\
+        \RETURN $K$;
+      \next
+      Algorithm $\EE(K, x)$: \+ \\
+        $v \getsr \Bin^\ell$; \\
+        $(v', x) \gets \id{encrypt}^{F_K(\cdot)}(v, x)$; \\
+        \RETURN $(v, y)$;
+      \next
+      Algorithm $\DD(K, y')$; \+ \\
+        $(v, y) \gets y'$; \\
+        $(v', x) \gets {}$ \\
+        \qquad $\id{decrypt}^{F_K(\cdot), F^{-1}_K(\cdot)}(v, y)$; \\
+        \RETURN $x$;
+    \end{program}
+
+  \def\what{C}
+  \def\super{F, c}
+  \def\imsg{\Xid{i}{msg}}
+  \item Generalized counters: define $\Enc = (\GG, \EE, \DD)$, where $c$ is a
+    generalized counter in $\Bin^\ell$, and
+    \begin{program}
+      Algorithm $\GG()$: \+ \\
+        $K \getsr \keys F$; \\
+        $\imsg \gets 0$; \\
+        \RETURN $K$;
+      \next
+      Algorithm $\EE(K, x)$: \+ \\
+        $i \gets c(\imsg)$; \\
+        $(v', x) \gets \id{encrypt}^{F_K(\cdot)}(i, x)$; \\
+        $\imsg \gets \imsg + 1$; \\
+        \RETURN $(i, y)$;
+      \next
+      Algorithm $\DD(K, y')$; \+ \\
+        $(i, y) \gets y'$; \\
+        $(v', x) \gets {}$ \\
+        \qquad $\id{decrypt}^{F_K(\cdot), F^{-1}_K(\cdot)}(i, y)$; \\
+        \RETURN $x$;
+    \end{program}
+
+  \def\what{E}
+  \def\super{F, c}
+  \def\imsg{\Xid{i}{msg}}
+  \item Encrypted counters: if $L \ge \ell$, then define $\Enc = (\GG, \EE,
+    \DD)$, where $c$ is a generalized counter in $\Bin^\ell$, and 
+    \begin{program}
+      Algorithm $\GG()$: \+ \\
+        $K \getsr \keys F$; \\
+        $\imsg \gets 0$; \\
+        \RETURN $K$;
+      \next
+      Algorithm $\EE(K, x)$: \+ \\
+        $i \gets c(\imsg)$; \\
+        $v \gets F_K(i)[0 \bitsto \ell]$; \\
+        $(v', x) \gets \id{encrypt}^{F_K(\cdot)}(v, x)$; \\
+        $\imsg \gets \imsg + 1$; \\
+        \RETURN $(i, y)$;
+      \next
+      Algorithm $\DD(K, y')$; \+ \\
+        $(i, y) \gets y'$; \\
+        $v \gets F_K(i)[0 \bitsto \ell]$; \\
+        $(v', x) \gets {}$ \\
+        \qquad $\id{decrypt}^{F_K(\cdot), F^{-1}_K(\cdot)}(v, y)$; \\
+        \RETURN $x$;
+    \end{program}
+    (We require $L \ge \ell$ for this to be well-defined; otherwise the
+    encrypted counter value is too short.)
+
+  \def\what{L}
+  \def\super{F, V_0}
+  \def\vnext{\Xid{v}{next}}
+  \item Carry-over: define $\Enc = (\GG, \EE, \DD)$ where $V_0 \in \Bin^\ell$
+    is the initialization vector for the first message, and
+    \begin{program}
+      Algorithm $\GG()$: \+ \\
+        $K \getsr \keys F$; \\
+        $\vnext \gets V_0$; \\
+        \RETURN $K$;
+      \next
+      Algorithm $\EE(K, x)$: \+ \\
+        $v \gets \vnext$; \\
+        $(v', x) \gets \id{encrypt}^{F_K(\cdot)}(v, x)$; \\
+        $\vnext \gets v'$; \\
+        \RETURN $(v, y)$;
+      \next
+      Algorithm $\DD(K, y')$; \+ \\
+        $(v, y) \gets y'$; \\
+        $(v', x) \gets {}$ \\
+        \qquad $\id{decrypt}^{F_K(\cdot), F^{-1}_K(\cdot)}(v, y)$; \\
+        \RETURN $x$;
+    \end{program}
+  \end{itemize}
+
+  Note that, while the encryption algorithms of the above schemes are either
+  randomized or stateful, the decryption algorithms are simple and
+  deterministic.
+\end{definition}
+
+The following simple and standard result will be very useful in our proofs.
+
+\begin{proposition}
+  \label{prop:enc-info-to-real}
+  \leavevmode
+  \begin{enumerate}
+  \item Suppose that $\E^P = (G^P, E^P, D^P)$ is one of the symmetric
+    encryption schemes of definition~\ref{def:enc-scheme}, constructed from a
+    pseudorandom permutation $P\colon \Bin^\ell \leftrightarrow \Bin^\ell$.
+    If $q$ is an upper bound on the number of PRP applications required for
+    the encryption $q_E$ messages totalling $\mu_E$ bits, and $t'$ is some
+    small constant, then
+    \[ \InSec{lor-cpa}(\E^P; t, q_E, \mu_E) \le
+         \InSec{lor-cpa}(\E^{\Perm{\ell}}; t, q_E, \mu_E) +
+         2 \cdot \InSec{prp}(P; t + q t', q) .
+    \]
+  \item Similarly, suppose that $\E^F = (G^F, E^F, D^F)$ is one of the
+    symmetric encryption schemes of definition~\ref{def:enc-scheme},
+    constructed from a pseudorandom function $F\colon \Bin^\ell \to \Bin^L$.
+    If $q$ is an upper bound on the number of PRP applications required for
+    the encryption $q_E$ messages totalling $\mu_E$ bits, and $t'$ is some
+    small constant, then
+    \[ \InSec{lor-cpa}(\E^F; t, q_E, \mu_E) \le
+         \InSec{lor-cpa}(\E^{\Func{\ell}{L}}; t, q_E, \mu_E) +
+         2 \cdot \InSec{prf}(F; t + q t', q) .
+    \]
+  \end{enumerate}
+\end{proposition}
+\begin{proof}
+  \begin{enumerate}
+  \item Let $A$ be an adversary attacking the LOR-CPA security of $\E^P$,
+    which takes time $t$ and issues $q_E$ encryption queries totalling
+    $\mu_E$ bits.  We construct an adversary $B$ attacking the security of
+    the PRP $P$ as follows.  $B$ selects a random $b^* \inr \Bin$.  It then
+    runs $A$, simulating the LOR-CPA game by using $b^*$ to decide whether to
+    encrypt the left or right plaintext, and using its oracle access to $P$
+    to do the encryption.  Eventually, $A$ returns a bit $b$.  If $b = b^*$,
+    $B$ returns $1$ (indicating `pseudorandom'); otherwise it returns $0$.
+    
+    If $B$'s oracle is selected from the PRP $P$, then $B$ correctly
+    simulates the LOR-CPA game for $\E^P$, and $B$ returns $1$ with
+    probability precisely $(\Adv{lor-cpa}{\E^P}(A) + 1)/2$.  Conversely, if
+    $B$'s oracle is a random permutation, then $B$ correctly simulates the
+    LOR-CPA game for $\E^{\Perm{\ell}}$, so $B$ returns $1$ with probability
+    $(\Adv{lor-cpa}{\E^P}(A) + 1)/2$.  Thus, we have
+    \begin{eqnarray}[rl]
+      \Adv{prp}{P}(B)
+      & = (\Adv{lor-cpa}{\E^P}(A) + 1)/2
+          - (\Adv{lor-cpa}{\E^{\Perm{\ell}}}(A) + 1)/2 \\
+      & = (\Adv{lor-cpa}{\E^P}(A)
+          - \Adv{lor-cpa}{\E^{\Perm{\ell}}}(A))/2 .
+    \end{eqnarray}
+    Note that the extra work which $B$ does over $A$ -- initialization,
+    tidying up and encrypting messages -- is bounded by some small constant
+    $t_P$ multiplied by the number of oracle queries~$q$ made by~$B$, and the
+    required result follows by multiplying through by~$2$ and rearranging.
+  \item The proof for this case is almost identical: merely substitute $F$
+    for $P$, `PRF' for `PRP' and $\Func{\ell}{L}$ for $\Perm{\ell}$ in the
+    above.  \qed
+  \end{enumerate}
+\end{proof}
+
+Of course, proving theorems about each of the above schemes individually will
+be very tedious.  We therefore define a `hybrid' scheme which switches
+between the above selection methods.  This isn't a practical encryption
+scheme -- just a `trick' to reduce the number of complicated proofs we need
+to give.
+
+\begin{definition}[Hybrid encryption modes]
+  \label{def:enc-hybrid}
+  \def\Enc{\Xid{\E}{$m$\what}^{\super}_{\sub}}
+  \def\GG{\Xid{G}{$m$\what}^{\super}_{\sub}}
+  \def\EE{\Xid{E}{$m$\what}^{\super}_{\sub}}
+  \def\DD{\Xid{D}{$m$\what}^{\super}_{\sub}}
+  \def\what{H}
+  \def\super{F, V_0, c}
+  \def\sub{n_L, n_C, n_E}
+  \def\imsg{\Xid{i}{msg}}
+  \def\vnext{\Xid{v}{next}}
+  Let $n_L$, $n_C$ and $n_E$ be nonnegative integers, with $n_L + n_C + n_E
+  \le 2^{\ell}$; let $F$ be a pseudorandom permutation on $\Bin^\ell$ (resp.\
+  a pseudorandom function from $\Bin^\ell$ to $\Bin^L$); let $m =
+  (\id{encrypt}, \id{decrypt})$ be a block cipher (resp.\ PRF) encryption
+  mode let $V_0 \in \Bin^\ell$ be an initialization vector; and let $c\colon
+  \Nupto{2^\ell} \to \Bin^\ell$ be a generalized counter.  (Again, if $F$ is
+  a PRF, we set $F_K(x) = \bot$ for all $K$ and $x$.)  We define the scheme
+  $\Enc = (\GG, \EE, \DD)$ as follows.
+  \begin{program}
+    Algorithm $\GG()$: \+ \\
+      $K \getsr \keys F$; \\
+      $\imsg \gets 0$; \\
+      $\vnext \gets V_0$; \\
+      \RETURN $K$;
+    \next
+    Algorithm $\DD(K, y')$; \+ \\
+      $(v, y) \gets y'$; \\
+      $(v', x) \gets \id{decrypt}^{F_K(\cdot), F^{-1}_K(\cdot)}(v, y)$; \\
+      \RETURN $x$;
+    \newline
+    Algorithm $\EE(K, x)$: \+ \\
+      \IF $\imsg < n_L$ \THEN $v \gets \vnext$; \\
+      \ELSE\IF $\imsg < n_L + n_C$ \THEN $v \gets c(\imsg)$; \\
+      \ELSE\IF $\imsg < n_L + n_C + n_E$ \THEN
+        $v \gets F_K(c(\imsg)[0 \bitsto \ell])$; \\
+      \ELSE $v \getsr \Bin^\ell$; \\
+      $(v', x) \gets \id{encrypt}^{F_K(\cdot)}(v, x)$; \\
+      $\vnext \gets v'$; \\
+      $\imsg \gets \imsg + 1$; \\
+      \RETURN $(v, y)$;
+  \end{program}
+  For this to be well-defined, we require that $L \ge \ell$ or $n_E = 0$ --
+  otherwise the encrypted counter values are too short.
+\end{definition}
+
+The following proposition relates the security of our artificial hybrid
+scheme to that of the practical schemes defined in
+definition~\ref{def:enc-scheme}.
+
+\begin{proposition}
+  \label{prop:enc-hybrid}
+  Let $F$ be a pseudorandom permutation on $\Bin^\ell$ (resp.\ a pseudorandom
+  function from $\Bin^\ell$ to $\Bin^L$); let $m$ be a block cipher (resp.\
+  PRF) encryption mode.  Then:
+  \begin{enumerate}
+  \def\ii#1{\item $\displaystyle#1$}
+  \ii{\InSec{lor-cpa}(\Xid{E}{$m\$$}^F; t, q_E, \mu_E) \le
+        \InSec{lor-cpa}(\Xid{E}{$m$H}^{F, V_0, c}_{0, 0, 0}; t, q_E, \mu_E)}
+  \ii{\InSec{lor-cpa}(\Xid{E}{$m$C}^{F, c}; t, q_E, \mu_E) \le
+        \InSec{lor-cpa}
+          (\Xid{E}{$m$H}^{F, V_0, c}_{q_E, 0, 0}; t, q_E, \mu_E)}
+  \ii{\InSec{lor-cpa}(\Xid{E}{$m$E}^{F, c}; t, q_E, \mu_E) \le
+        \InSec{lor-cpa}
+          (\Xid{E}{$m$H}^{F, V_0, c}_{0, q_E, 0}; t, q_E, \mu_E)}
+  \ii{\InSec{lor-cpa}(\Xid{E}{$m$L}^{F, V_0}; t, q_E, \mu_E) \le
+        \InSec{lor-cpa}
+          (\Xid{E}{$m$H}^{F, V_0, c}_{0, 0, q_E}; t, q_E, \mu_E)}
+  \end{enumerate}
+\end{proposition}
+
+\begin{proof}
+  For 1, it suffices to note that $\Xid{E}{$m\$$}^F \equiv \Xid{E}{$m$H}^{c,
+  V_0}_{0, 0, 0}$ for any $c$, $V_0$.  For the others, we observe that, while
+  the IVs returned in the ciphertexts differ, it's very easy to simulate
+  encryption for the practical schemes given an encryption oracle for the
+  hybrid scheme: for the counter and encrypted-counter schemes, the counter
+  function is public knowledge; for the carry-over scheme, the correct IV for
+  the first message is known, and the IV any subsequent messages can be
+  computed from the previous IV and ciphertext according to condition~4 in
+  definition~\ref{def:enc-scheme}.
+\end{proof}
+
+%%%--------------------------------------------------------------------------
+
+\section{Ciphertext block chaining (CBC) encryption}
+\label{sec:cbc}
+
+\subsection{Description}
+\label{sec:cbc-desc}
+
+Suppose $E$ is an $\ell$-bit pseudorandom permutation.  CBC mode works as
+follows.  Given a message $X$, we divide it into $\ell$-bit blocks $x_0$,
+$x_1$, $\ldots$, $x_{n-1}$.  Choose an initialization vector $v \in
+\Bin^\ell$.  Before passing each $x_i$ through $E$, we XOR it with the
+previous ciphertext, with $v$ standing in for the first block:
+\begin{equation}
+  y_0 = E_K(x_0 \xor v) \qquad
+  y_i = E_K(x_i \xor y_{i-1} \ \text{(for $1 \le i < n$)}.
+\end{equation}
+The ciphertext is then the concatenation of $v$ and the $y_i$.  Decryption is
+simple:
+\begin{equation}
+  x_0 = E^{-1}_K(y_0) \xor v \qquad
+  x_i = E^{-1}_K(y_i) \xor y_{i-1} \ \text{(for $1 \le i < n$)}
+\end{equation}
+See figure~\ref{fig:cbc} for a diagram of CBC encryption.
+
+\begin{figure}
+  \begin{cgraph}{cbc-mode}
+    []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+    *+=(1, 0)+[F]{\mathstrut x_0}="x"
+      :[dd] *{\xor}="xor"
+      [ll] *+=(1, 0)+[F]{\mathstrut v} :"xor"
+      :[dd] *+[F]{E}="e" :[ddd] *+=(1, 0)+[F]{\mathstrut y_0}="i"
+      "e" [l] {K} :"e"
+    [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_1}="x"
+      :[dd] *{\xor}="xor"
+      "e" [d] :`r [ru] `u "xor" "xor"
+      :[dd] *+[F]{E}="e" :[ddd]
+      *+=(1, 0)+[F]{\mathstrut y_1}="i"
+      "e" [l] {K} :"e"
+    [rrruuuu] *+=(1, 0)+[F--]{\mathstrut x_i}="x"
+      :@{-->}[dd] *{\xor}="xor"
+      "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+      :@{-->}[dd] *+[F]{E}="e" :@{-->}[ddd]
+      *+=(1, 0)+[F--]{\mathstrut y_i}="i"
+      "e" [l] {K} :@{-->}"e"
+    [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-1}}="x"
+      :[dd] *{\xor}="xor"
+      "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+      :[dd] *+[F]{E}="e" :[ddd]
+      *+=(1, 0)+[F]{\mathstrut y_{n-1}}="i"
+      "e" [l] {K} :"e"
+  \end{cgraph}
+
+  \caption{Encryption using CBC mode}
+  \label{fig:cbc}
+\end{figure}
+    
+\begin{definition}[CBC algorithms]
+  \label{def:cbc}
+  For any permutation $P\colon \Bin^\ell \to \Bin^\ell$, any initialization
+  vector $v \in \Bin^\ell$, any plaintext $x \in \Bin^{\ell\N}$ and any
+  ciphertext $y \in \Bin^*$, we define the encryption mode $\id{CBC} =
+  (\id{cbc-encrypt}, \id{cbc-decrypt})$ as follows:
+  \begin{program}
+    Algorithm $\id{cbc-encrypt}^{P(\cdot)}(v, x)$: \+ \\
+      $y \gets \emptystring$; \\
+      \FOR $i = 0$ \TO $|x|/\ell$ \DO \\ \ind
+        $x_i \gets x[\ell i \bitsto \ell (i + 1)]$; \\
+        $y_i \gets P(x_i \xor v)$; \\
+        $v \gets y_i$; \\
+        $y \gets y \cat y_i$; \- \\
+      \RETURN $(v, y)$;
+    \next
+    Algorithm $\id{cbc-decrypt}^{P(\cdot), P^{-1}(\cdot)}(v, y)$: \+ \\
+      \IF $|y| \bmod \ell \ne 0$ \THEN \RETURN $\bot$; \\
+      $x \gets \emptystring$; \\
+      \FOR $1 = 0$ \TO $|y|/\ell$ \DO \\ \ind
+        $y_i \gets y[\ell i \bitsto \ell (i + 1)]$; \\
+        $x_i \gets P^{-1}(y_i) \xor v$; \\
+        $v \gets y_i$; \\
+        $x \gets x \cat x_i$; \- \\
+      \RETURN $(v, x)$;
+  \end{program}
+  Now, let $c$ be a generalized counter in $\Bin^\ell$.  We define the
+  encryption schemes $\Xid{E}{CBC$\$$}^P$, $\Xid{E}{CBCE}^P$ and
+  $\Xid{E}{CBCH}^{P, c, \bot}_{0, 0, n_E}$, as described in
+  definition~\ref{def:enc-scheme}.
+\end{definition}
+
+\subsection{Security of CBC mode}
+
+We now present our main theorem on CBC mode.
+
+\begin{theorem}[Security of hybrid CBC mode]
+  \label{thm:cbc}
+  Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+  permutation; let $v_0 \in \Bin^\ell$ be an initialization vector; let $n_L
+  \in \{\, 0, 1 \,\}$; let $c$ be a generalized counter in $\Bin^\ell$; and
+  let $n_C \in \N$ be a nonnegative integer; and suppose that at most one of
+  $n_L$ and $n_C$ is nonzero.  Then, for any $t$, $q_E \ge n$ and $\mu_E$,
+  \[ \InSec{lor-cpa}
+       (\Xid{\E}{CBCH}^{P, c, v_0}_{n_L, 0, n_E}; t, q_E, \mu_E) \le
+     2 \cdot \InSec{prp}(P; t + q t_P, q) + \frac{q (q - 1)}{2^\ell - q}
+  \]
+  where $q = n_L + n_E + \mu_E/\ell$ and $t_P$ is some small constant.
+\end{theorem}
+
+The proof of this theorem we postpone until section~\ref{sec:cbc-proof}.  As
+promised, the security of our randomized and stateful schemes follow as
+simple corollaries.
+
+\begin{corollary}[Security of practical CBC modes]
+  \label{cor:cbc}
+  Let $P$ and $c$ be as in theorem~\ref{thm:cbc}.  Then for any $t$, $q_E$
+  and $\mu_E$, and some small constant $t_P$,
+  \begin{eqnarray*}[rl]
+    \InSec{lor-cpa}(\Xid{\E}{CBC$\$$}^P; t, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t + q t_P, q) + \frac{q (q - 1)}{2^\ell - q}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{CBCE}^{P, c}; t, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t + q' t_P, q') +
+          \frac{q' (q' - 1)}{2^\ell - q'}
+    \\
+  \tabpause{and}
+    \InSec{lor-cpa}(\Xid{\E}{CBCL}^{P, v_0}; t, 1, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t + q t_P, q) +
+          \frac{q (q - 1)}{2^\ell - q}
+  \end{eqnarray*}
+  where $q = \mu_E/\ell$, and $q' = q + q_E$.
+\end{corollary}
+\begin{proof}
+  Follows from theorem~\ref{thm:cbc} and proposition~\ref{prop:enc-hybrid}.
+\end{proof}
+
+\begin{remark}
+  The insecurity of CBC mode over that inherent in the underlying PRP is
+  essentially a birthday bound: note for $q \le 2^{\ell/2}$, our denominator
+  $2^\ell - q \approx 2^\ell$, and for larger $q$, the term $q (q - 1)/2^\ell
+  > 1$ anyway, so all security is lost (according to the above result).
+  Compared to \cite[theorem~17]{Bellare:2000:CST}, we gain the tiny extra
+  term in the denominator, but lose the PRP-as-a-PRF term $q^2
+  2^{-\ell-1}$.\footnote{%
+    In fact, they don't prove the stated bound of $q (3 q - 2)/2^{\ell+1}$
+    but instead the larger $q (2 q - 1)/2^\ell$.  The error is in the
+    application of their proposition~8: the PRF-insecurity term is doubled,
+    so the PRP-as-a-PRF term must be also.} %
+\end{remark}
+
+\subsection{Ciphertext stealing}
+
+Ciphertext stealing \cite{Daemen:1995:CHF,Schneier:1996:ACP,RFC2040} allows
+us to encrypt any message in $\Bin^*$ without the need for padding.  The
+trick is to fill in the `gap' at the end of the last block with the end bit
+of the previous ciphertext, and then to put the remaining short penultimate
+block at the end.  Decryption proceeds by first decrypting the final block to
+recover the remainder of the penultimate one.  See
+figure~\ref{fig:cbc-steal}.
+
+\begin{figure}
+  \begin{cgraph}{cbc-steal-enc}
+    []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+    *+=(1, 0)+[F]{\mathstrut x_0}="x"
+      :[dd] *{\xor}="xor"
+      [ll] *+=(1, 0)+[F]{\mathstrut v} :"xor"
+      :[dd] *+[F]{E}="e" :[ddddd] *+=(1, 0)+[F]{\mathstrut y_0}="i"
+      "e" [l] {K} :"e"
+    [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_1}="x"
+      :[dd] *{\xor}="xor"
+      "e" [d] :`r [ru] `u "xor" "xor"
+      :[dd] *+[F]{E}="e" :[ddddd]
+      *+=(1, 0)+[F]{\mathstrut y_1}="i"
+      "e" [l] {K} :"e"
+    [rrruuuu] *+=(1, 0)+[F--]{\mathstrut x_i}="x"
+      :@{-->}[dd] *{\xor}="xor"
+      "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+      :@{-->}[dd] *+[F]{E}="e" :@{-->}[ddddd]
+      *+=(1, 0)+[F--]{\mathstrut y_i}="i"
+      "e" [l] {K} :@{-->}"e"
+    [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-2}}="x"
+      :[dd] *{\xor}="xor"
+      "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+      :[dd] *+[F]{E}="e"
+      "e" [l] {K} :"e"
+    [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-1} \cat 0^{\ell-t}}="x"
+      :[dd] *{\xor}="xor"
+      "e" [d] :`r [ru] `u "xor" "xor"
+      "e" [dddddrrr] *+=(1, 0)+[F]{\mathstrut y_{n-1}[0 \bitsto t]}="i"
+      "e" [dd] ="x"
+      "i" [uu] ="y"
+      []!{"x"; "e" **{}, "x"+/4pt/ ="p",
+          "x"; "y" **{}, "x"+/4pt/ ="q",
+          "y"; "x" **{}, "y"+/4pt/ ="r",
+          "y"; "i" **{}, "y"+/4pt/ ="s",
+          "e";
+          "p" **\dir{-};
+          "q" **\crv{"x"};
+          "r" **\dir{-};
+          "s" **\crv{"y"};
+          "i" **\dir{-}?>*\dir{>}}
+      "xor" :[dd] *+[F]{E}="e"
+      "e" [l] {K} :"e"
+      "e" [dddddlll] *+=(1, 0)+[F]{\mathstrut y_{n-2}}="i"
+      "e" [dd] ="x"
+      "i" [uu] ="y"
+      []!{"x"; "e" **{}, "x"+/4pt/ ="p",
+          "x"; "y" **{}, "x"+/4pt/ ="q",
+          "y"; "x" **{}, "y"+/4pt/ ="r",
+          "y"; "i" **{}, "y"+/4pt/ ="s",
+          "x"; "y" **{} ?="c" ?(0.5)/-4pt/ ="cx" ?(0.5)/4pt/ ="cy",
+          "e";
+          "p" **\dir{-};
+          "q" **\crv{"x"};
+          "cx" **\dir{-};
+          "c" *[@]\cir<4pt>{d^u};
+          "cy";
+          "r" **\dir{-};
+          "s" **\crv{"y"};
+          "i" **\dir{-}?>*\dir{>}}
+  \end{cgraph}
+
+  \begin{cgraph}{cbc-steal-dec}
+    []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+    *+=(1, 0)+[F]{\mathstrut y_0}="y"
+      :[ddddddd] *+[F]{D}="d" [l] {K} :"d"
+      [rrrdd] *{\xor} ="nx" "d" [u] :`r [rd] `d "nx" "nx"
+      "d" :[dd] *{\xor} ="xor" [ll] *+=(1, 0)+[F]{\mathstrut v} :"xor"
+      :[dd] *+=(1, 0)+[F]{\mathstrut x_0} "nx"="xor"
+    "y" [rrr] *+=(1, 0)+[F]{\mathstrut y_1}="y"
+      :[ddddddd] *+[F]{D}="d" [l] {K} :"d"
+      [rrrdd] *{\xor} ="nx" "d" [u] :@{-->}`r [rd] `d "nx" "nx"
+      "d" :"xor"
+      :[dd] *+=(1, 0)+[F]{\mathstrut x_1} "nx"="xor"    
+    "y" [rrr] *+=(1, 0)+[F--]{\mathstrut y_i}="y"
+      :@{-->}[ddddddd] *+[F]{D}="d" [l] {K} :"d"
+      [rrrdd] *{\xor} ="nx" "d" [u] :@{-->}`r [rd] `d "nx" "nx"
+      "d" :"xor"
+      :[dd] *+=(1, 0)+[F--]{\mathstrut x_i} "nx"="xor"    
+    "y" [rrr] *+=(1, 0)+[F]{\mathstrut y_{n-2}}="y"
+      [dddddrrr] *+[F]{D}="d" [r] {K} :"d"
+      "y" [dd] ="x"
+      "d" [uu] ="e"
+      []!{"x"; "y" **{}, "x"+/4pt/ ="p",
+          "x"; "e" **{}, "x"+/4pt/ ="q",
+          "e"; "x" **{}, "e"+/4pt/ ="r",
+          "e"; "d" **{}, "e"+/4pt/ ="s",
+          "y";
+          "p" **\dir{-};
+          "q" **\crv{"x"};
+          "r" **\dir{-};
+          "s" **\crv{"e"};
+          "d" **\dir{-}?>*\dir{>}}
+      "d" :[dd] {z} ="z"
+      "z" [llluu] *{\xor} ="x1"
+      "z" :`l [lu] `u "x1" |*+{\scriptstyle 0^t \cat z[t \bitsto \ell]} "x1"
+      "z" :[dd] *{\xor} ="xor2"
+      :[dd] *+[F]{\mathstrut x_{n-1}[0 \bitsto t]}
+    "y" [rrr] *+=(1, 0)+[F]{\mathstrut y_{n-1} \cat 0^{\ell-t}}="y"
+      [dd] ="x"
+      "d" [llluu] ="e"
+      []!{"x"; "y" **{}, "x"+/4pt/ ="p",
+          "x"; "e" **{}, "x"+/4pt/ ="q",
+          "e"; "x" **{}, "e"+/4pt/ ="r",
+          "e"; "x1" **{}, "e"+/4pt/ ="s",
+          "x"; "e" **{} ?="c" ?(0.5)/-4pt/ ="cx" ?(0.5)/4pt/ ="cy",
+          "y";
+          "p" **\dir{-};
+          "q" **\crv{"x"};
+          "cx" **\dir{-};
+          "c" *[@]\cir<4pt>{d^u};
+          "cy";
+          "r" **\dir{-};
+          "s" **\crv{"e"};
+          "x1" **\dir{-}?>*\dir{>}}
+      "x1" [d] :`r [rd] `d "xor2" "xor2"
+      "x1" :[dd] *+[F]{D}="d" [l] {K} :"d"
+      "d" :"xor"
+      :[dd] *+[F]{\mathstrut x_{n-2}}
+  \end{cgraph}
+
+  \caption{Encryption and decryption using CBC mode with ciphertext stealing}
+  \label{fig:cbc-steal}
+\end{figure}
+
+Encrypting messages shorter than the block involves `IV stealing', which is a
+grotty hack but works fine if IVs are random; if the IVs are encrypted
+counters then there's nothing (modifiable) to steal from.
+
+We formally present a description of a randomized CBC stealing mode.
+
+\begin{definition}[CBC mode with ciphertext stealing]
+  \label{def:cbc-steal}
+  Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+  permutation.  Let $c$ be a generalized counter on $\Bin^\ell$.  We define
+  the randomized symmetric encryption scheme
+  $\Xid{\E}{CBC$\$$-steal}^P = (\Xid{G}{CBC$\$$-steal}^P,
+  \Xid{E}{CBC$\$$-steal}^P, \Xid{D}{CBC\$-steal}^P)$ for messages in $\Bin^*$
+  as follows:
+  \begin{program}
+    Algorithm $\Xid{G}{CBC$\$$-steal}^P()$: \+ \\
+      $K \getsr \keys P$; \\
+      \RETURN $K$;
+    \- \\[\medskipamount]
+    Algorithm $\Xid{E}{CBC$\$$-steal}^P(K, x)$: \+ \\
+      $t \gets |x| \bmod \ell$; \\
+      \IF $t \ne 0$ \THEN $x \gets x \cat 0^{\ell-t}$; \\
+      $v \getsr \Bin^\ell$; \\
+      $y \gets v \cat \id{cbc-encrypt}(K, v, x)$; \\
+      \IF $t \ne 0$ \THEN \\ \ind
+        $b \gets |y| - 2\ell$; \\
+        $y \gets $\=$y[0 \bitsto b] \cat
+                     y[b + \ell \bitsto |y|] \cat {}$ \\
+                  \>$y[b \bitsto b + t]$; \- \\
+      \RETURN $y$;
+    \next
+    Algorithm $\Xid{D}{CBC$\$$-steal}^P(K, y)$: \+ \\
+      \IF $|y| < \ell$ \THEN \RETURN $\bot$; \\
+      $v \gets y[0 \bitsto \ell]$; \\
+      $t = |y| \bmod \ell$; \\
+      \IF $t \ne 0$ \THEN \\ \ind
+        $b \gets |y| - t - \ell$; \\
+        $z \gets P^{-1}_K(y[b \bitsto b + \ell])$; \\
+        $y \gets $\=$y[0 \bitsto b] \cat
+                     y[b + \ell \bitsto |y|] \cat {}$ \\
+                  \>$z[t \bitsto \ell]$; \- \\
+      $x \gets \id{cbc-decrypt}(K, v, y[\ell \bitsto |y|])$; \\
+      \IF $t \ne 0$ \THEN \\ \ind
+        $x \gets x \cat z[0 \bitsto t] \xor y[b \bitsto b + t]$; \- \\
+      \RETURN $x$;
+  \end{program}
+\end{definition}
+
+The security of ciphertext stealing follows directly from the definition and
+the security CBC mode.
+
+\begin{corollary}[Security of CBC with ciphertext stealing]
+  \label{cor:cbc-steal}
+  Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+  permutation.  Then
+  \begin{eqnarray*}[rl]
+    \InSec{lor-cpa}(\Xid{\E}{CBC$\$$-steal}; t, q_E, \mu_E)
+    & \le \InSec{lor-cpa}
+            (\Xid{\E}{CBC$\$$}; t, q_E, \mu_E + q_E (\ell - 1)) \\
+    & \le 2 \cdot \InSec{prp}(P; t + q t_P, q) +
+          \frac{q (q - 1)}{2^\ell - 2^{\ell/2}}
+  \end{eqnarray*}
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (\ell - 1)\bigr)/\ell
+  \bigr\rfloor$ and $t_P$ is some small constant.
+\end{corollary}
+
+\begin{proof}
+  From the definition, we see that the encryption algorithm
+  $\Xid{E}{CBC-steal}$ simply pads a plaintext, encrypts it as for standard
+  CBC mode, and postprocesses the ciphertext.  Hence, if $A$ is any adversary
+  attacking $\Xid{\E}{CBC-steal}$, we can construct an adversary
+  $A'$ which simply runs $A$ except that, on each query to the encryption
+  oracle, it pads both plaintexts, queries its CBC oracle, postprocesses the
+  ciphertext returned, and gives the result back to $A$.  The fact that
+  plaintexts can now be up to $\ell - 1$ bits shorter than the next largest
+  whole number of blocks means that $B$ submits no more than $\mu_E + q_E
+  (\ell - 1)$ bits of plaintext to its oracle.  The required result
+  follows then directly from theorem~\ref{thm:cbc}.
+\end{proof}
+
+\subsection{Proof of theorem~\ref{thm:cbc}}
+\label{sec:cbc-proof}
+
+The techniques and notation used in this proof will also be found in several
+of the others.  We recommend that readers try to follow this one carefully.
+
+We begin considering CBC mode using a completely random permutation.  To
+simplify notation slightly, we shall write $n = n_L + n_E$.  Our main goal is
+to prove the claim that there exists a garbage-emitter $W$ such that
+\[
+   \InSec{rog-cpa-$W$}
+     (\Xid{\E}{CBCH}^{\Perm{\ell}, c, v_0}_{n_L, 0, n_E};
+       t, q_E, \mu_E) \le
+     \frac{q (q - 1)}{2 \cdot (2^\ell - n)}.
+\]
+From this, we can apply proposition~\ref{prop:rog-and-lor} to obtain
+\[
+   \InSec{lor-cpa}
+     (\Xid{\E}{CBCH}^{\Perm{\ell}, c, \bot}_{0, 0, n};
+       t, q_E, \mu_E) \le
+     \frac{q (q - 1)}{2^\ell - n}.
+\]
+and, noting that there are precisely $q = \mu_E/\ell$ PRP-applications, we
+apply proposition~\ref{prop:enc-info-to-real} to obtain the required result.
+
+Our garbage-emitter $W$ is a bit complicated.  It chooses random but
+\emph{distinct} blocks for the `ciphertext'; for the IVs, it uses $v_0$ for
+the first message if $n_L = 1$, and otherwise it chooses random blocks
+distinct from each other and the `ciphertext' blocks for the next $n_E$
+messages, and just random blocks for subsequent ones.  The algorithm $W$ is
+shown in figure~\ref{fig:cbc-garbage}.
+
+\begin{figure}
+  \begin{program}
+    Initialization: \+ \\
+      $i \gets 0$; \\
+      $\id{gone} \gets \emptyset$;
+    \- \\[\medskipamount]
+    Function $\id{fresh}()$ \+ \\
+      $x \getsr \Bin^\ell \setminus \id{gone}$; \\
+      $\id{gone} \gets \id{gone} \cup \{ x \}$; \\
+      \RETURN $x$;
+    \next
+    Garbage emitter $W(m)$: \+ \\
+      \IF $i \ge 2^\ell$ \THEN \ABORT; \\
+      \IF $i < n_L$ \THEN $v \gets v_0$; \\
+      \ELSE \IF $i < n$ \THEN $v \gets \id{fresh}()$; \\
+      $i \gets i + 1$ \\
+      \ELSE $v \getsr \Bin^\ell$; \\
+      $y \gets \emptystring$; \\
+      \FOR $j = 0$ \TO $m/\ell$; \\ \ind
+        $y_j \gets \id{fresh}()$; \\
+        $y \gets y \cat y_j$; \- \\
+      \RETURN $(v, y)$;
+  \end{program}
+
+  \caption{Garbage emitter $W$ for CBC mode}
+  \label{fig:cbc-garbage}
+\end{figure}
+
+Fortunately, it doesn't need to be efficient: the above simulations only need
+to be able to do the LOR game, not the ROG one.  The unpleasant-sounding
+\ABORT\ only occurs after $2^\ell$ queries.  If that happens we give up and
+say the adversary won anyway: the claim is trivially true by this point,
+since the adversary's maximum advantage is 1.
+
+Now we show that this lash-up is a good imitation of CBC encryption to
+someone who doesn't know the key.  The intuition works like this: every time
+we query a random permutation at a new, fresh input value, we get a new,
+different, random output value; conversely, if we repeat an input, we get the
+same value out as last time.  So, in the real `result' CBC game, if all the
+permutation inputs are distinct, it looks just like the garbage emitted by
+$W$.  Unfortunately, that's not quite enough: the adversary can work out what
+the permutation inputs ought to be and spot when there ought to have been a
+collision but wasn't.  So we'll show that, provided all the $P$-inputs --
+values which \emph{would} be input to the permutation if we're playing that
+game -- are distinct, the two games look identical.
+
+We need some notation to describe the values in the game.  Let $c_i = c(i)$
+be the $i$th counter value, for $0 \le i < n_E$, and let $v_i$ be the $i$th
+initialization vector, where $v_0$ is as given if $n_L = 1$, $v_i = P(c_i -
+n_L)$ if $n_L \le i < n$, and $v_i \inr \Bin^\ell$ if $n \le i < q_E$.  Let
+$q' = \mu_E/\ell = q - n$ be the total number of plaintext blocks in the
+adversary's queries, let $x_i$ be the $i$th plaintext block queried, let
+$y_i$ be the $i$th ciphertext block returned, let
+\[ w_i = \begin{cases}
+     v_j     & if block $i$ is the first block of the $j$th query, and \\
+     y_{i-1} & otherwise
+\end{cases} \]
+and let $z_i = x_i \xor w_i$, all for $0 \le i < q'$.  This is summarized
+diagramatically in figure~\ref{fig:cbc-proof-notation}.  The $P$-inputs are
+now precisely the $c_i$ and the $z_i$.  We'll denote probabilities in the
+`result' game as $\Pr_R[\cdot]$ and in the `garbage' game as $\Pr_G[\cdot]$.
+
+\begin{figure}
+  \begin{vgraphs}
+    \begin{vgraph}{cbc-notation-a}
+      [] !{<1.33cm, 0cm>: <0cm, 1cm>::}
+      {c_i} :[r] *+[F]{E}="e" [u] {K} :"e" :[r] {v_i}
+    \end{vgraph}
+    \begin{vgraph}{cbc-notation-b}
+      [] !{<1.33cm, 0cm>: <0cm, 1cm>::}
+      {x_i} :[r] *{\xor} ="xor" :[r] {z_i}
+        :[r] *+[F]{E}="e" [u] {K} :"e" :[r] {y_i}
+      "xor" [u] {w_i} ="w" :"xor"
+      "w" [lu] {v_j} ="v" :"w"
+      "w" [ru] {y_{i-1}} ="y" :"w"
+      "v" :@{.}|-*+\hbox{or} "y"
+    \end{vgraph}
+  \end{vgraphs}
+
+  \caption{Notation for the proof of theorem~\ref{thm:cbc}.}
+  \label{fig:cbc-proof-notation}
+\end{figure}
+
+Let $C_r$ be the event, in either game, that $z_i = z_j$ for some $0 \le i <
+j < r$, or that $z_i = c_j$ for some $0 \le i < r$ and some $0 \le j < n_E$.
+We need to bound the probability that $C_{q'}$ occurs in both the `result'
+and `garbage' games.  We'll do this inductively.  By the definition,
+$\Pr_R[C_0] = \Pr_G[C_0] = 0$.
+
+Firstly, tweak the games so that all of the IVs corresponding to counters are
+chosen at the beginning, instead of as we go along.  Obviously this doesn't
+make any difference to the adversary's view of the proceedings, but it makes
+our analysis easier.
+
+Let's assume that $C_r$ didn't happen; we want the probability that $C_{r+1}$
+did, which is obviously just the probability that $z_r$ collides with some
+$z_i$ for $0 \le i < r$ or some $c_i$ for $0 \le i < n$.  At this point, the
+previous $z_i$ are fixed.  So:
+\begin{equation}
+  \label{eq:cbc-coll}
+  \Pr[C_{r+1} | \bar{C}_r]
+    = \sum_{z \in \Bin^\ell} \biggl(
+        \sum_{0\le i<n} \Pr[z = c_i] +
+        \sum_{0\le i<r} \Pr[z = z_i]
+      \biggr) \cdot \Pr[z_r = z]
+\end{equation}
+Now note that $z_r = w_r \xor x_r$.  We've no idea how $x_r$ was chosen; but,
+one of the following cases holds.
+\begin{enumerate}
+\item If $x_r$ is the first block of the first plaintext, i.e., $r = 0$, and
+  $n_L = 1$, then $w_r = v_0$.  However, in this case we know that $n_E = 0$
+  by hypothesis.  There are no $z_i$ which $z_r$ might collide with, so the
+  probability of a collision is zero.
+\item If $x_r$ is the first block of plaintext $i$, and $0 \le i < n$, then
+  $w_r = v_i$, and was chosen at random from a set of $2^\ell - i \le 2^\ell
+  - n \le 2^\ell - n - r$ possibilities, either by our random permutation or
+  by $W$.  We know $x_r$ is independent of $w_r$ because none of the previous
+  $P$-inputs were equal to $c_i$, by our assumption of $\bar{C}_r$.
+\item If $x_r$ is the first block of plaintext $i$, and $n \le i < q'$, then
+  $w_r = v_i$, and was chosen at random from all $2\ell$ possible $\ell$-bit
+  blocks.  We know $x_r$ is independent of $w_r$ because we just chose $w_r$
+  at random, after $x_r$ was chosen.
+\item Otherwise, $x_r$ is a subsequent block in some message, and $w_r =
+  y_{r-1}$, and was chosen at random from a set of $2^\ell - n - r$
+  possibilities, either by our random permutation or by $W$.  We know $x_r$
+  is independent of $w_r$ because $z_{r-1}$ is a new $P$-input, by our
+  assumption of $\bar{C}_r$.
+\end{enumerate}
+So, except in case~1, which isn't a problem anyway, $w_r$ is independent of
+$x_r$, and chosen uniformly at random from a set of at least $2^\ell - r - n$
+elements, in either game -- so we can already see that $\Pr_R[C_i] =
+\Pr_G[C_i]$ for any $i \ge 0$.  Finally, the $z_i$ and $c_i$ are all
+distinct, so the $z_i \xor x$ and $c_i \xor x$ must all be distinct, for any
+fixed $x$.  So:
+\begin{eqnarray}[rl]
+  \Pr[C_{r+1} | \bar{C}_r] 
+  & = \sum_{x \in \Bin^\ell} \biggl(
+        \sum_{0\le i<n} \Pr[w_r = x \xor c_i] +
+        \sum_{0\le i<r} \Pr[w_r = x \xor z_i]
+      \biggr) \cdot \Pr[x_r = x] \\
+  & \le \sum_{x \in \Bin^\ell} \frac{r + n}{2^\ell - r - n} \Pr[x_r = x]
+    = \frac{r + n}{2^\ell - r - n} \sum_{x \in \Bin^\ell} \Pr[x_r = x] \\
+  & = \frac{r + n}{2^\ell - r - n}.
+\end{eqnarray}
+Now we're almost home.  All the $c_i$ and $z_i$ are distinct; all the $v_i$
+and $y_i$ are random, assuming $C_{q'}$.  We can bound $\Pr[C_{q'}]$ thus:
+\begin{equation}
+  \Pr[C_{q'}]
+  \le \sum_{0<i\le q'} \Pr[C_i | \bar{C}_{i-1}]
+  \le \sum_{0\le i\le q'} \frac{i + n - 1}{2^\ell - i - n + 1}
+\end{equation}
+Now, let $i' = i + n - 1$.  Then
+\begin{equation}
+  \Pr[C_{q'}]
+    \le \sum_{n-1\le i'\le q'+n-1} \frac{i'}{2^\ell - i'}
+    \le \sum_{0\le i'<q} \frac{i'}{2^\ell - q}
+    = \frac{q (q - 1)}{2 \cdot (2^\ell - q)}
+\end{equation}
+
+Finally, let $R$ be the event that the adversary returned 1 at the end of the
+game -- indicating a guess of `result'.  Then, noting as we have, that
+$\Pr_R[C_{q'}] = \Pr_G[C_{q'}]$, we get this:
+\begin{eqnarray}[rl]
+  \Adv{rog-cpa-$W$}{\Xid{\E}{CBCH}^{P, c, n}}(A)
+  & = \Pr_R[R] - \Pr_G[R] \\
+  & \begin{eqnalign}[rLl][b]
+    {} = & (\Pr_R[R | C_{q'}] \Pr_R[C_{q'}] +
+         \Pr_R[R | \bar{C}_{q'}] \Pr_R[\bar{C}_{q'}]) - {} \\
+    & & (\Pr_G[R | C_{q'}] \Pr_R[C_{q'}] +
+         \Pr_G[R | \bar{C}_{q'}] \Pr_G[\bar{C}_{q'}])
+      \end{eqnalign} \\
+  & = \Pr_R[R | C_{q'}] \Pr_R[C_{q'}] - \Pr_G[R | C_{q'}] \Pr_G[C_{q'}] \\
+  & \le \Pr[C_{q'}] \le \frac{q (q - 1)}{2 \cdot (2^\ell - q)}
+\end{eqnarray}
+And we're done!
+\qed
+
+%%%--------------------------------------------------------------------------
+
+\section{Ciphertext feedback (CFB) encryption}
+\label{sec:cfb}
+
+\subsection{Description}
+\label{sec:cfb-desc}
+
+Suppose $F$ is an $\ell$-bit-to-$L$-bit pseudorandom function, and let $t \le
+L$.  CFB mode works as follows.  Given a message $X$, we divide it into
+$t$-bit blocks $x_0$, $x_1$, $\ldots$, $x_{n-1}$.  Choose an initialization
+vector $v \in \Bin^\ell$.  We maintain a \emph{shift register} $s_i$, whose
+initial value is $v$.  To encrypt a block $x_i$, we XOR it with the result of
+passing the shift register through the PRF, forming $y_i$, and then update
+the shift register by shifting in the ciphertext block $y_i$.  That is,
+\begin{equation}
+  s_0 = v \qquad
+  y_i = x_i \xor F_K(s_i) \qquad
+  s_{i+1} = s_i \shift{t} y_i \ \text{(for $0 \le i < n$)}.
+\end{equation}
+Decryption follows from noting that $x_i = y_i \xor F_K(s_i)$.  See
+figure~\ref{fig:cfb} for a diagrammatic representation.
+
+Also, we observe that the final plaintext block needn't be $t$ bits long: we
+can pad it out to $t$ bits and truncate the result without affecting our
+ability to decrypt.
+
+\begin{figure}
+  \begin{cgraph}{cfb-mode}
+    [] !{<0.425cm, 0cm>: <0cm, 0.5cm>::}
+    *+=(2, 0)+[F]{\mathstrut v} ="v" :|<>(0.35)@{/}_<>(0.35){\ell}[rrrrr]
+      *+[o][F]{\shift{t}} ="shift"
+      [ll] :|-@{/}^-{\ell}[dd] *+[F]{E} ="e" [ll] {K} :"e"
+      :|-@{/}^-{t}[dd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F]{\mathstrut x_0} :|-@{/}_-{t} "xor"
+      :|-@{/}^-{t}[ddd] *+=(2, 0)+[F]{\mathstrut y_0}
+      "xor" [d] :`r "shift" "shift"|-@{/}_-{t}
+    :|-@{/}_-{\ell}[rrrrrrr] *+[o][F]{\shift{t}} ="shift"
+      [ll] :|-@{/}^-{\ell}[dd] *+[F]{E} ="e" [ll] {K} :"e"
+      :|-@{/}^-{t}[dd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F]{\mathstrut x_1} :|-@{/}_-{t} "xor"
+      :|-@{/}^-{t}[ddd] *+=(2, 0)+[F]{\mathstrut y_1}
+      "xor" [d] :`r "shift" "shift"|-@{/}_-{t}
+    :@{-->}|-@{/}_-{\ell}[rrrrrrr] *+[o][F]{\shift{t}} ="shift"
+      [ll] :@{-->}|-@{/}^-{\ell}[dd] *+[F]{E} ="e" [ll] {K} :"e"
+      :@{-->}|-@{/}^-{t}[dd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F--]{\mathstrut x_i} :@{-->}|-@{/}_-{t} "xor"
+      :@{-->}|-@{/}^-{t}[ddd] *+=(2, 0)+[F--]{\mathstrut y_i}
+      "xor" [d] :@{-->} `r "shift" "shift"|-@{/}_-{t}
+    [rrrrrdd] *+[F]{E} ="e"
+      "shift" :@{-->}`r "e" |-@{/}_-{\ell} "e" 
+      [ll] {K} :"e"
+      :|-@{/}^-{t}[dd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F]{\mathstrut x_{n-1}} :|-@{/}_-{t} "xor"
+      :|-@{/}^-{t}[ddd] *+=(2, 0)+[F]{\mathstrut y_{n-1}}
+  \end{cgraph}
+
+  \caption{Encryption using CFB mode}
+  \label{fig:cfb}
+\end{figure}
+
+\begin{definition}[CFB algorithms]
+  For any function $F\colon \Bin^\ell \to \Bin^t$, any initialization vector
+  $v \in \Bin^\ell$, any plaintext $x \in \Bin^*$ and any ciphertext $y \in
+  \Bin^*$, we define PRF encryption mode $\id{CFB} = (\id{cfb-encrypt},
+  \id{cfb-decrypt})$ as follows:
+  \begin{program}
+    Algorithm $\id{cfb-encrypt}(F, v, x)$: \+ \\
+      $s \gets v$; \\
+      $L \gets |x|$; \\
+      $x \gets x \cat 0^{t\lceil L/t \rceil - L}$; \\
+      $y \gets \emptystring$; \\
+      \FOR $i = 0$ \TO $(|x| - t')/t$ \DO \\ \ind
+        $x_i \gets x[ti \bitsto t(i + 1)]$; \\
+        $y_i \gets x_i \xor F(s)$; \\
+        $s \gets s \shift{t} y_i$; \\
+        $y \gets y \cat y_i$; \- \\
+      \RETURN $(s, y[0 \bitsto L])$;
+    \next
+    Algorithm $\id{cfb-decrypt}(F, v, y)$: \+ \\
+      $s \gets v$; \\
+      $L \gets |y|$; \\
+      $y \gets y \cat 0^{t\lceil L/t \rceil - L}$; \\
+      $x \gets \emptystring$; \\
+      \FOR $i = 0$ \TO $(|x| - t')/t$ \DO \\ \ind
+        $y_i \gets y[ti \bitsto t(i + 1)]$; \\
+        $x_i \gets x_i \xor F(s)$; \\
+        $s \gets s \shift{t} y_i$; \\
+        $x \gets x \cat x_i$; \- \\
+      \RETURN $x[0 \bitsto L]$;
+  \end{program}
+  We now define the schemes $\Xid{\E}{CFB$\$$}^F$,
+  $\Xid{\E}{CFBC}^{F, c}$, $\Xid{\E}{CFBE}^{F, c}$, and
+  $\Xid{\E}{CFBL}^{F, V_0}$ according to
+  definition~\ref{def:enc-scheme}; and we define the hybrid scheme
+  $\Xid{\E}{CFBH}^{F, V_0, c}_{n_L, n_C, n_E}$ according to
+  definition~\ref{def:enc-hybrid}.
+\end{definition}
+
+\subsection{Security of CFB mode}
+
+%% I suspect David will want to put some negative results here, and complain
+%% about Alkassar et al.'s alleged proof.  I'll press on with the positive
+%% stuff.
+%%
+%% The problems come when $t < \ell$.  Then C-mode isn't necessarily secure
+%% (well, we get a similar bound with $t$ instead of $\ell$, which isn't very
+%% impressive).  The L-mode needs careful selection of the initial IV.
+
+\begin{definition}[Sliding strings]
+  \label{def:slide}
+  We say that an $\ell$-bit string $x$ \emph{$t$-slides} if there exist
+  integers $i$ and $j$ such that $0 \le j < i < \ell/t$ and $x[i t \bitsto
+  \ell] = x[j t \bitsto \ell - (i - j) t]$.
+\end{definition}
+\begin{remark}
+  For all $\ell > 0$ and $t < \ell$, the string $0^{\ell-1} 1$ does not
+  $t$-slide.
+\end{remark}
+
+\begin{theorem}[Security of CFB mode]
+  \label{thm:cfb}
+  Let $F$ be a pseudorandom function from $\Bin^\ell$ to $\Bin^t$; let $V_0
+  \in \Bin^\ell$ be a non-$t$-sliding string; let $c$ be a generalized
+  counter in $\Bin^\ell$; and let $n_L$, $n_C$, $n_E$ and $q_E$ be
+  nonnegative integers; and furthermore suppose that
+  \begin{itemize}
+  \item $n_L + n_C + n_E \le q_E$,
+  \item $n_L = 0$, or $n_C = n_E = 0$, or $\ell \le t$ and $V_0 \ne c(i)$
+    for any $n_L \le i < n_L + n_C + n_E$, and
+  \item either $n_C = 0$ or $\ell \le t$.
+  \end{itemize}
+  Then, for any $t_E$ and $\mu_E$, and whenever
+  we have
+  \[ \InSec{lor-cpa}(\Xid{\E}{CFBH}^{F, V_0, c}_{n_L, n_C, n_E};
+       t_E, q_E, \mu_E) \le
+       2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+  \]
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (t - 1)\bigr)/t \bigr\rfloor +
+  n_E$, and $t_F$ is some small constant.
+\end{theorem}
+
+The proof is a bit involved; we postpone it until
+section~\ref{sec:cfb-proof}.
+
+\begin{corollary}
+  \label{cor:cfb-prf}
+  Let $F$, $c$ and $V_0$ be as in theorem~\ref{thm:cfb}.  Then for any $t_E$,
+  $q_E$ and $\mu_E$,
+  \begin{eqnarray*}[rl]
+    \InSec{lor-cpa}(\Xid{\E}{CFB$\$$}^F; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{CFBE}^{F, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q' t_F, q') +
+          \frac{q' (q' - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{CFBL}^{F, V_0}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+  \tabpause{and, if $\ell \le t$,}
+    \InSec{lor-cpa}(\Xid{\E}{CFBC}^{F, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+  \end{eqnarray*}
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (t - 1)\bigr)/t \bigr\rfloor +
+  n_E$, $q' = q + q_E$, and $t_F$ is some small constant.
+\end{corollary}
+\begin{proof}
+  Follows from theorem~\ref{thm:cfb} and proposition~\ref{prop:enc-hybrid}.  
+\end{proof}
+
+\begin{corollary}
+  \label{cor:cfb-prp}
+  Let $P$ be a pseudorandom permutation on $\Bin^\ell$, and let $c$ and $V_0$
+  be as in theorem~\ref{thm:cfb}.  Then for any $t_E$, $q_E$ and $\mu_E$,
+  \begin{eqnarray*}[rl]
+    \InSec{lor-cpa}(\Xid{\E}{CFB$\$$}^P; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{CFBE}^{P, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q' t_F, q') +
+          \frac{q' (q' - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{CFBL}^{P, V_0}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+  \tabpause{and, if $\ell \le t$,}
+    \InSec{lor-cpa}(\Xid{\E}{CFBC}^{P, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+  \end{eqnarray*}
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (t - 1)\bigr)/t \bigr\rfloor +
+  n_E$, $q' = q + q_E$, and $t_F$ is some small constant.
+\end{corollary}
+\begin{proof}
+  Follows from corollary~\ref{cor:cfb-prf} and
+  proposition~\ref{prop:prps-are-prfs}.
+\end{proof}
+
+\subsection{Proof of theorem~\ref{thm:cfb}}
+\label{sec:cfb-proof}
+
+Our proof follows the same lines as for CBC mode: we show the ROG-CPA
+security of hybrid-CFB mode using an ideal random function, and then apply
+our earlier results to complete the proof.  However, the ROG-CPA result will
+be useful later when we consider the security of OFB mode, so we shall be a
+little more formal about defining it.
+
+The garbage emitter is in some sense the `perfect' one: it emits a `correct'
+IV followed by a uniform random string of the correct length.
+
+\begin{definition}[The $W_\$$ garbage emitter]
+  Let natural numbers $n_L$, $n_C$, and $V_0 \in \Bin^\ell$ be given; then we
+  define the garbage emitter $W_\$$ as follows.
+  \begin{program}
+    Initialization: \+ \\
+      $i \gets 0$; \\
+      $v \gets V_0$;
+    \- \\[\medskipamount]
+    Garbage emitter $W_\$(m)$: \+ \\
+      \IF $i < n_L$ \THEN $v' \gets v$; \\
+      \ELSE \IF $n_L \le i < n_L + n_C$ \THEN $v' \gets c(i)$; \\
+      \ELSE \IF $n_L + n_C \le i$ \THEN $v' \getsr \Bin^\ell$; \\
+      $i \gets i + 1$; \\
+      $m' \gets t \lfloor (m + t - 1)/t\rfloor$; \\
+      $y \getsr \Bin^{m'}$; \\
+      $v \gets v' \shift{m'} y$; \\
+      \RETURN $(v', y[0 \bitsto m])$
+  \end{program}
+\end{definition}
+
+We now show that CFB mode with a random function is hard to distinguish from
+$W_\$$.
+\begin{lemma}[Pseudorandomness of CFB mode]
+  \label{lem:cfb-rog}
+  Let $\ell$, $t$, $n_L$, $n_C$, $n_E$, $q_E$, $c$, $V_0$, and $q$ be as in
+  theorem~\ref{thm:cfb}.  Then, for any $t_E$ and $\mu_E$,
+  \[ \InSec{rog-cpa-$W_\$$}
+       (\Xid{\E}{CFBH}^{\Func{\ell}{t}, V_0, c}_{n_L, n_C, n_E};
+        t, q_E, \mu_E) \le
+       \frac{q (q - 1)}{2^{\ell+1}}.
+  \]
+\end{lemma}
+Theorem~\ref{thm:cfb} follows from this result by application of
+propositions \ref{prop:rog-and-lor} and~\ref{prop:enc-info-to-real}.  It
+remains therefore for us to prove lemma~\ref{lem:cfb-rog}.
+
+To reduce the weight of notation, let us agree to suppress the adornments on
+$\Adv{}{}$ and $\InSec{}$ symbols.  Also, let $m_L = n_L$; let $m_C$ = $n_L +
+n_C$; and let $m_E = n_L + n_C + n_E$.  (Remember: the $m$s are
+cu\textit{m}ulative.) 
+
+The truncation of ciphertext blocks makes matters complicated.  Let us say
+that an adversary is \emph{block-respecting} if all of its plaintext queries
+are a multiple of $t$ bits in length; obviously all of the oracle responses
+for a block-respecting adversary are also a multiple of $t$ bits in length.
+\begin{claim*}
+  If $A'$ be a block-respecting adversary querying a total of $\mu_E$ bits of
+  plaintext queries; then
+  \[ \Adv{}{}(A') \le \frac{q (q - 1)}{2^{\ell+1}} \]
+ where $q = \mu_E/t$.
+\end{claim*}
+Lemma~\ref{lem:cfb-rog} follows from this claim: if $A$ is any adversary,
+then we construct a block-respecting adversary $A'$ by padding $A$'s
+plaintext queries and truncating the oracle responses; and if $A$ makes $q_E$
+queries totalling $\mu_E$ bits, then the total bits queried by $A'$ is no
+more than $\bigl\lfloor\bigl( \mu_E + q_E (t - 1) \bigr)\bigr\rfloor$ bits.
+We now proceed to the proof of the above claim.
+
+Suppose, then, that we are given a block-respecting adversary $A$ which makes
+$q$ queries to its encryption oracle.  Let $F(\cdot)$ denote the application
+of the random function.  We want to show that, provided all of the $F$-inputs
+are distinct, the $F$-outputs are uniformly random, and hence the CFB
+ciphertexts are uniformly random.  As for the CBC case, life isn't that good
+to us: we have to deal with the case where the adversary can see that two
+$F$-inputs would have collided, and therefore that a garbage string couldn't
+have been generated by CFB encryption of his plaintext.
+
+Our notation will be similar to, yet slightly different from, that of
+section~\ref{sec:cbc-proof}.
+
+Let $q' = q - n_E$ be the number of $t$-bit plaintext blocks the adversary
+submits, and for $0 \le i < q'$, let $x_i$ be the $i$th plaintext block
+queried, and let $y_i$ be the $i$th ciphertext block returned.
+
+For $m_L \le i < m_E$, let $c_i = c(i)$ be the $i$th counter value.  For $0
+\le i < q_E$ let $v_i$ be the $i$th initialization vector, i.e.,
+\[ v_i = \begin{cases}
+     V_0             & if $i = 0$ and $n_L > 0$; \\
+     v_{i-1} \shift{t} Y_{i-1}
+                     & if $1 \le i < m_L$ and $Y_{i-1}$ was the ciphertext
+                       from query $i - 1$; \\
+     c_i             & if $m_L \le i < m_C$; \\
+     F(c_i)          & if the oracle is `result', and $m_C \le i < m_E$;
+                       or \\
+     R_i             & for some $R_i \inr \Bin^\ell$, otherwise.
+   \end{cases}
+\]
+Note that the only difference in the $v_i$ between the `result' and `garbage'
+games occurs in the encrypted-counters phase.  Furthermore, if no other
+$F$-input is equal to any $c_i$ for $m_C \le i < m_E$ then the IVs are
+identically distributed.
+
+Now, for $0 \le i < q'$, define
+\[ z_i = \begin{cases}
+     v_j                        & if block $i$ is the first block of the
+                                  $j$th query, or \\ 
+     z_{i-1} \shift{t} y_{i-1}  & otherwise
+   \end{cases}
+\]
+and let $w_i = x_i \xor y_i$.  In the `result' game, we have $w_i = F(z_i)$,
+of course.  All of this notation is summarized diagrammatically in
+figure~\ref{fig:cfb-proof-notation}.  The $F$-inputs are precisely the $z_i$
+and $c_i$ for $m_C \le i < m_E$.
+
+We'll denote probabilities in the `result' game as $\Pr_R[\cdot]$ and in the
+`garbage' game as $\Pr_G[\cdot]$.
+
+\begin{figure}
+  \begin{vgraphs}
+    \begin{vgraph}{cfb-notation-a}
+      [] !{<1.333cm, 0cm>: <0cm, 1cm>::}
+      {z_i} ="z" :|-@{/}_-{\ell}[r] *+[F]{F} ="F"
+        :|-@{/}_-{t}[r] {w_i} ="w" :|-@{/}_-{t}[r] *{\xor} ="xor"
+      "xor" [u] {x_i} ="x" :|-@{/}^-{t}"xor" :|-@{/}^-{t}[d] {y_i} ="y"
+      "z" [lu] {v_j} ="v" :"z"
+      "z" [ru] {z_{i-1} \shift{t} y_{i-1}} ="y" :"z"
+      "v" :@{.}|-*+\hbox{or} "y"
+    \end{vgraph}
+  \end{vgraphs}
+
+  \caption{Notation for the proof of lemma~\ref{lem:cfb-rog}.}
+  \label{fig:cfb-proof-notation}
+\end{figure}
+
+Let $C_r$ be the event, in either game, that $z_i = z_j$ for some $0 \le i <
+j < r$, or that $z_i = c_j$ for some $0 \le i < r$ and some $m_C \le j <
+m_E$.
+
+Let's assume that $C_r$ didn't happen; we want the probability that $C_{r+1}$
+did, which is just the probability that $z_r$ collides with some $z_i$ where
+$0 \le i < r$, or some $c_i$ for $m_C \le i < m_E$.  Observe that, under this
+assumption, all the $w_i$, and hence the $y_i$, are uniformly distributed,
+and that therefore the two games are indistinguishable.
+
+One of the following cases holds.
+\begin{enumerate}
+\item If $r = 0$ and $m_L > 0$ then $z_r = V_0$.  There is no other $z_i$ yet
+  for $z_r$ to collide with, though it might collide with some encrypted
+  counter $F(c_i)$, with probability $n_E/2^\ell$.
+\item If $z_r = c_i$ is the IV for some message $i$ where $m_L \le i < m_C$,
+  life is a bit complicated.  It can't collide with $V_0$ or other $c_i$ by
+  assumption; the encrypted counters and random IVs haven't been chosen yet;
+  and either $n_C = 0$ (in which case there's nothing to do here anyway) or
+  $\ell \le t$, so there are no $z_i$ containing partial copies of $V_0$ to
+  worry about.  This leaves non-IV $z_i$: again, $\ell \le t$, so $z_i =
+  y_i[t - \ell \bitsto t]$, which is random by our assumption of $\bar{C}_r$;
+  hence a collision with one of these $z_i$ occurs with probability at most
+  $r/2^\ell$.
+\item If $z_r$ is the IV for some message $i$ where $m_C \le i < m_E$, then
+  it can collide with previous $z_i$ or either previous or future $c_i$.  We
+  know, however, that no $F$-input has collided with $c_i$, so in the
+  `result' game, $z_r = F(c_r)$ is uniformly distributed; in the `garbage'
+  game, $W_\$$ generates $z_r$ at random anyway.  It collides, therefore,
+  with probability at most $(r + n_E)/2^\ell$.
+\item If $z_r$ is the IV for some message $i$ where $m_E \le i < q'$ then
+  $z_r$ was chosen uniformly at random.  Hence it collides with probability
+  at most $(r + n_E)/2^\ell$.
+\item Finally, either $z_r$ is not the IV for a message, or it is, but the
+  message number $i < n_L$, so in either case, $z_r = z_{r-1} \shift{t}
+  y_{r-1}$.  We have two subcases to consider.
+  \begin{enumerate}
+  \item If $1 \le r < \ell/t$ (we dealt with the case $r = 0$ above) then
+    some of $V_0$ remains in the shift register.  If $z_r$ collides with some
+    $z_i$, for $0 \le i < r$, then we must have $z_r[0 \bitsto \ell - t r] =
+    z_i[0 \bitsto \ell - t r]$; but $z_r[0 \bitsto \ell - t r] = V_0[t r
+    \bitsto \ell]$, and $z_i[0 \bitsto \ell - t r] = V_0[t i \bitsto \ell - t
+    (r - i)]$, i.e., we have found a $t$-sliding of $V_0$, which is
+    impossible by hypothesis.  Hence, $z_r$ cannot collide with any earlier
+    $z_i$.  Also by hypothesis, $n_C = n_E = 0$ if $\ell > t$, so $z_r$
+    cannot collide with any counters $c_i$.
+  \item Suppose, then, that $r \ge \ell/t$.  For $0 \le j < \ell/t$, let $H_j
+    = \ell - t j$, $L_j = \max(0, H_j - t)$, and $N_j = H_j - L_j$.  (Note
+    that $\sum_{0\le j<\ell/t} N_j = \ell$.)  Then $z_r[L_j \bitsto H_j] =
+    y_{r-j-1}[t - N_j \bitsto t]$; but the $y_i$ for $i < r$ are uniformly
+    distributed.  Thus, $z_r$ collides with some specific other value $z'$
+    only with probability $1/2^{\sum_j N_j} = 1/2^\ell$.  The overall
+    collision probablity for $z_r$ is then at most $(r + n_E)/2^\ell$.
+  \end{enumerate}
+\end{enumerate}
+In all these cases, it's clear that the collision probability is no more than
+$(r + n_E)/2^\ell$.
+
+The probability that there is a collision during the course of the game is
+$\Pr[C_{q'}]$, which we can now bound thus:
+\begin{equation}
+  \Pr[C_q'] \le \sum_{0<i\le q'} \Pr[C_i | \bar{C}_{i-1}]
+            \le \sum_{0<i\le q'} \frac{i + n_E}{2^\ell}.
+\end{equation}
+If we set $i' = i + n_E$, then we get
+\begin{equation}
+  \Pr[C_q'] \le \sum_{0\le i'\le q} \frac{i'}{2^\ell}
+              = \frac{q (q - 1)}{2^{\ell+1}}.
+\end{equation}
+Finally, then, we can apply the same argument as we used at the end of
+section~\ref{sec:cbc-proof} to show that
+\begin{equation}
+  \Adv{}{}(A') \le \frac{q (q - 1)}{2^{\ell+1}}
+\end{equation}
+as claimed.  This completes the proof.
+
+%%%--------------------------------------------------------------------------
+
+\section{OFB mode encryption}
+\label{sec:ofb}
+
+\subsection{Description}
+\label{sec:ofb-desc}
+
+Suppose $F$ is an $\ell$-bit-to-$L$-bit pseudorandom function, and let $t \le
+L$.  OFB mode works as follows.  Given a message $X$, we divide it into
+$t$-bit blocks $x_0$, $x_1$, $\ldots$, $x_{n-1}$.  Choose an initialization
+vector $v \in \Bin^\ell$.  We maintain a \emph{shift register} $s_i$, whose
+initial value is $v$.  To encrypt a block $x_i$, we XOR it with the result
+$z_i$ of passing the shift register through the PRF, forming $y_i$, and then
+update the shift register by shifting in the PRF output $z_i$.  That
+is,
+\begin{equation}
+  s_0 = v \qquad
+  z_i = F_K(s_i) \qquad
+  y_i = x_i \xor z_i \qquad
+  s_{i+1} = s_i \shift{t} z_i \ \text{(for $0 \le i < n$)}.
+\end{equation}
+Decryption is precisely the same operation.
+
+Also, we observe that the final plaintext block needn't be $t$ bits long: we
+can pad it out to $t$ bits and truncate the result without affecting our
+ability to decrypt.
+
+\begin{figure}
+  \begin{cgraph}{ofb-mode}
+    [] !{<0.425cm, 0cm>: <0cm, 0.5cm>::}
+    *+=(2, 0)+[F]{\mathstrut v} ="v" :|<>(0.35)@{/}_<>(0.35){\ell}[rrrrr]
+      *+[o][F]{\shift{t}} ="shift"
+      [ll] :|-@{/}^-{\ell}[dd] *+[F]{E} ="e" [ll] {K} :"e"
+      :|-@{/}^-{t}[ddd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F]{\mathstrut x_0} :|-@{/}_-{t} "xor"
+      :|-@{/}^-{t}[dd] *+=(2, 0)+[F]{\mathstrut y_0}
+      "xor" [u] :`r "shift" "shift"|-@{/}_-{t}
+    :|-@{/}_-{\ell}[rrrrrrr] *+[o][F]{\shift{t}} ="shift"
+      [ll] :|-@{/}^-{\ell}[dd] *+[F]{E} ="e" [ll] {K} :"e"
+      :|-@{/}^-{t}[ddd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F]{\mathstrut x_1} :|-@{/}_-{t} "xor"
+      :|-@{/}^-{t}[dd] *+=(2, 0)+[F]{\mathstrut y_1}
+      "xor" [u] :`r "shift" "shift"|-@{/}_-{t}
+    :@{-->}|-@{/}_-{\ell}[rrrrrrr] *+[o][F]{\shift{t}} ="shift"
+      [ll] :@{-->}|-@{/}^-{\ell}[dd] *+[F]{E} ="e" [ll] {K} :"e"
+      :@{-->}|-@{/}^-{t}[ddd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F--]{\mathstrut x_i} :@{-->}|-@{/}_-{t} "xor"
+      :@{-->}|-@{/}^-{t}[dd] *+=(2, 0)+[F--]{\mathstrut y_i}
+      "xor" [u] :@{-->} `r "shift" "shift"|-@{/}_-{t}
+    [rrrrrdd] *+[F]{E} ="e"
+      "shift" :@{-->}`r "e" |-@{/}_-{\ell} "e" 
+      [ll] {K} :"e"
+      :|-@{/}^-{t}[ddd] *{\xor} ="xor"
+      [lll] *+=(2, 0)+[F]{\mathstrut x_{n-1}} :|-@{/}_-{t} "xor"
+      :|-@{/}^-{t}[dd] *+=(2, 0)+[F]{\mathstrut y_{n-1}}
+  \end{cgraph}
+
+  \caption{Encryption using OFB mode}
+  \label{fig:ofb}
+\end{figure}
+
+\begin{definition}[OFB algorithms]
+  For any function $F\colon \Bin^\ell \to \Bin^t$, any initialization vector
+  $v \in \Bin^\ell$, any plaintext $x \in \Bin^*$ and any ciphertext $y \in
+  \Bin^*$, we define PRF encryption mode $\id{OFB} = (\id{ofb-encrypt},
+  \id{ofb-decrypt})$ as follows:
+  \begin{program}
+    Algorithm $\id{ofb-encrypt}(F, v, x)$: \+ \\
+      $s \gets v$; \\
+      $L \gets |x|$; \\
+      $x \gets x \cat 0^{t\lceil L/t \rceil - L}$; \\
+      $y \gets \emptystring$; \\
+      \FOR $i = 0$ \TO $(|x| - t')/t$ \DO \\ \ind
+        $x_i \gets x[ti \bitsto t(i + 1)]$; \\
+        $z_i \gets F(s)$; \\
+        $y_i \gets x_i \xor z_i$; \\
+        $s \gets s \shift{t} z_i$; \\
+        $y \gets y \cat y_i$; \- \\
+      \RETURN $(s, y[0 \bitsto L])$;
+    \next
+    Algorithm $\id{ofb-decrypt}(F, v, y)$: \+ \\
+      \RETURN $\id{ofb-encrypt}(F, v, y)$; 
+  \end{program}
+  We now define the schemes $\Xid{\E}{OFB$\$$}^F$, $\Xid{\E}{OFBC}^{F, c}$,
+  $\Xid{\E}{OFBE}^{F, c}$, and $\Xid{\E}{OFBL}^{F, V_0}$ according to
+  definition~\ref{def:enc-scheme}; and we define the hybrid scheme
+  $\Xid{\E}{OFBH}^{F, V_0, c}_{n_L, n_C, n_E}$ according to
+  definition~\ref{def:enc-hybrid}.
+\end{definition}
+
+\begin{remark}[Similarity to CFB mode]
+  \label{rem:ofb-like-cfb}
+  OFB mode is strongly related to CFB mode: we can OFB encrypt a message $x$
+  by \emph{CFB-encrypting} the all-zero string $0^{|x|}$ with the same key
+  and IV.  That is, we could have written $\id{ofb-encrypt}$ and
+  $\id{ofb-decrypt}$ like this:
+  \begin{program}
+    Algorithm $\id{ofb-encrypt}(F, v, x)$: \+ \\
+      $(s, z) \gets \id{cfb-encrypt}(F, v, 0^{|x|})$; \\
+      \RETURN $(s, x \xor z)$; 
+    \next
+    Algorithm $\id{ofb-decrypt}(F, v, y)$: \+ \\
+      \RETURN $\id{ofb-encrypt}(F, v, y)$; 
+  \end{program}
+  We shall use this fact to prove the security of OFB mode in the next
+  section.
+\end{remark}
+
+\subsection{Security of OFB mode}
+
+\begin{theorem}[Security of OFB mode]
+  \label{thm:ofb}
+  Let $F$ be a pseudorandom function from $\Bin^\ell$ to $\Bin^t$; let $V_0
+  \in \Bin^\ell$ be a non-$t$-sliding string; let $c$ be a generalized
+  counter in $\Bin^\ell$; and let $n_L$, $n_C$, $n_E$ and $q_E$ be
+  nonnegative integers; and furthermore suppose that
+  \begin{itemize}
+  \item $n_L + n_C + n_E \le q_E$,
+  \item $n_L = 0$, or $n_C = n_E = 0$, or $\ell \le t$ and $V_0 \ne c(i)$
+    for any $n_L \le i < n_L + n_C + n_E$, and
+  \item either $n_C = 0$ or $\ell \le t$.
+  \end{itemize}
+  Then, for any $t_E$ and $\mu_E$, and whenever
+  we have
+  \[ \InSec{lor-cpa}(\Xid{\E}{OFBH}^{F, V_0, c}_{n_L, n_C, n_E};
+       t_E, q_E, \mu_E) \le
+       2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+  \]
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (t - 1)\bigr)/t \bigr\rfloor +
+  n_E$, and $t_F$ is some small constant.
+\end{theorem}
+\begin{proof}
+  We claim that
+  \[ \InSec{rog-cpa-$W_\$$}
+       (\Xid{\E}{OFBH}^{\Func{\ell}{t}, V_0, c}_{n_L, n_C, n_E};
+        t, q_E, \mu_E) \le
+       \frac{q (q - 1)}{2^{\ell+1}}.
+  \]
+  This follows from lemma~\ref{lem:cfb-rog}, which makes the same statement
+  about CFB mode, and the observation in remark~\ref{rem:ofb-like-cfb}.
+  Suppose $A$ attempts to distinguish OFBH encryption from $W_\$$.  We define
+  the adversary $B$ which uses $A$ to attack CFBH encryption, as follows:
+  \begin{program}
+    Adversary $B^{E(\cdot)}$: \+ \\
+      \RETURN $A^{\id{ofb}(\cdot)}$; \-
+    \next
+    Function $\id{ofb}(x)$: \+ \\
+      $(v, z) \gets E(0^{|x|})$; \\
+      \RETURN $(v, x \xor z)$;
+  \end{program}
+  Now we apply proposition~\ref{prop:rog-and-lor}; the theorem follows.
+\end{proof}
+
+\begin{corollary}
+  \label{cor:ofb-prf}
+  Let $F$, $c$ and $V_0$ be as in theorem~\ref{thm:ofb}.  Then for any $t_E$,
+  $q_E$ and $\mu_E$,
+  \begin{eqnarray*}[rl]
+    \InSec{lor-cpa}(\Xid{\E}{OFB$\$$}^F; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{OFBE}^{F, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q' t_F, q') +
+          \frac{q' (q' - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{OFBL}^{F, V_0}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+  \tabpause{and, if $\ell \le t$,}
+    \InSec{lor-cpa}(\Xid{\E}{OFBC}^{F, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prf}(F; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+  \end{eqnarray*}
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (t - 1)\bigr)/t \bigr\rfloor +
+  n_E$, $q' = q + q_E$, and $t_F$ is some small constant.
+\end{corollary}
+\begin{proof}
+  Follows from theorem~\ref{thm:ofb} and proposition~\ref{prop:enc-hybrid}.  
+\end{proof}
+
+\begin{corollary}
+  \label{cor:ofb-prp}
+  Let $P$ be a pseudorandom permutation on $\Bin^\ell$, and let $c$ and $V_0$
+  be as in theorem~\ref{thm:ofb}.  Then for any $t_E$, $q_E$ and $\mu_E$,
+  \begin{eqnarray*}[rl]
+    \InSec{lor-cpa}(\Xid{\E}{OFB$\$$}^P; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{OFBE}^{P, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q' t_F, q') +
+          \frac{q' (q' - 1)}{2^\ell}
+    \\
+    \InSec{lor-cpa}(\Xid{\E}{OFBL}^{P, V_0}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+    \\
+  \tabpause{and, if $\ell \le t$,}
+    \InSec{lor-cpa}(\Xid{\E}{OFBC}^{P, c}; t_E, q_E, \mu_E)
+    & \le 2 \cdot \InSec{prp}(P; t_E + q t_F, q) + \frac{q (q - 1)}{2^\ell}
+  \end{eqnarray*}
+  where $q = \bigl\lfloor \bigl(\mu_E + q_E (t - 1)\bigr)/t \bigr\rfloor +
+  n_E$, $q' = q + q_E$, and $t_F$ is some small constant.
+\end{corollary}
+\begin{proof}
+  Follows from corollary~\ref{cor:ofb-prf} and
+  proposition~\ref{prop:prps-are-prfs}.
+\end{proof}
+
+%%%--------------------------------------------------------------------------
+
+\section{CBCMAC mode message authentication}
+\label{sec:cbcmac}
+
+
+
+\begin{figure}
+  \begin{cgraph}{cbc-mac}
+    []!{<0.425cm, 0cm>: <0cm, 0.75cm>::}
+    *+=(2, 0)+[F]{\mathstrut x_0}
+      :`d [dr] [rrr] *+[F]{E} ="e" [d] {K} :"e"
+    :[rrr] *{\xor} ="xor"
+      [u] *+=(2, 0)+[F]{\mathstrut x_1} :"xor"
+      :[rrr] *+[F]{E} ="e" [d] {K} :"e"
+    :@{-->}[rrr] *{\xor} ="xor"
+      [u] *+=(2, 0)+[F--]{\mathstrut x_i} :@{-->}"xor"
+      :@{-->}[rrr] *+[F]{E} ="e" [d] {K} :@{-->}"e"
+    :@{-->}[rrr] *{\xor} ="xor"
+      [u] *+=(2, 0)+[F]{\mathstrut x_{n-1}} :"xor"
+      :[rrr] *+[F]{E} ="e" [d] {K} :"e"
+    :[rrr] *+=(2, 0)+[F]{\mathstrut \tau}
+  \end{cgraph}
+
+  \caption{Message authentication using CBCMAC mode}
+  \label{fig:cbcmac}
+\end{figure}
+
+\fixme
+Alas, it's been so long since I've picked this up that I've (a) forgotten how
+the proof for this mode went, and (b) lost my notes.  You'll either have to
+wait, or I'll have to drop this bit.
+
+%%%--------------------------------------------------------------------------
+
+\section{Ackonowledgements}
+
+Thanks to Clive Jones for his suggestions on notation, and his help in
+structuring the proofs.
+
+%%%----- That's all, folks --------------------------------------------------
+
+\bibliography{mdw-crypto,cryptography2000,cryptography,rfc}
+
+\end{document}
+
+%%% Local Variables: 
+%%% mode: latex
+%%% TeX-master: t
+%%% End: 
-- 
2.11.0