Reconsidering Generic Composition: the Tag-then-Encrypt case

@inproceedings{Berti2018ReconsideringGC,
  title={Reconsidering Generic Composition: the Tag-then-Encrypt case},
  author={Francesco Berti and Olivier Pereira and Thomas Peters},
  booktitle={IACR Cryptol. ePrint Arch.},
  year={2018}
}
Authenticated Encryption (\(\mathsf{AE}\)) achieves confidentiality and authenticity, the two most fundamental goals of cryptography, in a single scheme. A common strategy to obtain \(\mathsf{AE}\) is to combine a Message Authentication Code (\(\mathsf{MAC}\)) and an encryption scheme, either nonce-based or \(iv\)-based. Out of the 180 possible combinations, Namprempre et al. [20] proved that 12 were secure, 164 insecure and 4 were left unresolved: A10, A11 and A12 which use an \(iv\)-based… 

Reducing the Cost of Authenticity with Leakages: a CIML2-Secure AE Scheme with One Call to a Strongly Protected Tweakable Block Cipher

TLDR
A new Authenticated Encryption mode that offers ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption is presented.

This paper presents CONCRETE (Commit-Encrypt-Send-the-Key), a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and

Fast Decryption: a New Feature of Misuse-Resistant AE

TLDR
The MRAE proposal (decryption-fast SIV, or DFV) allows decryption to run as fast as a plain decryption, which in theory doubles decryption speed relative to the original SIV, while keeping encryption speed equivalent to SIV.

References

Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

TLDR
It is suggested that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), and it is shown that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation

TLDR
This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.

Authenticated-encryption with associated-data

  • P. Rogaway, CCS '02, 2002
TLDR
This paper formalizes and investigates the authenticated-encryption with associated-data (AEAD) problem, and studies two simple ways to turn an authenticated-encryption scheme that does not support associated data into one that does: nonce stealing and ciphertext translation.

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

TLDR
This work analyzes the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC, and indicates whether or not the resulting scheme meets the notion in question, assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack.

Reconsidering Generic Composition

TLDR
This work evidences the overreaching understanding of prior generic-composition results by pointing out that the Encrypt-then-MAC mechanism of ISO 19772 is completely wrong.

The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)

TLDR
It is shown that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method.

Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm

TLDR
This paper proposes several fixes to the SSH protocol and, using techniques from modern cryptography, proves that the modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements.

Nonce-Based Symmetric Encryption

TLDR
This work investigates an alternative syntax for an encryption scheme, where the encryption process E is a deterministic function that surfaces an initialization vector (IV) that is guaranteed to be a nonce, that is, something that takes on a new value with every message one encrypts.

Authenticated and Misuse-Resistant Encryption of Key-Dependent Data

TLDR
A RO-based transform RHtE is presented that endows any AE scheme with this security, so that existing implementations may be easily upgraded to have the best possible security in the presence of key-dependent data.

The Power of Verification Queries in Message Authentication and Authenticated Encryption

This paper points out that, contrary to popular belief, allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so