Reconsidering Generic Composition: the Tag-then-Encrypt case

  title={Reconsidering Generic Composition: the Tag-then-Encrypt case},
  author={Francesco Berti and Olivier Pereira and Thomas Peters},
  booktitle={IACR Cryptol. ePrint Arch.},
Authenticated Encryption (\(\mathsf {AE}\)) achieves confidentiality and authenticity, the two most fundamental goals of cryptography, in a single scheme. A common strategy to obtain \(\mathsf {AE}\) is to combine a Message Authentication Code \((\mathsf {MAC})\) and an encryption scheme, either nonce-based or \(iv\)-based. Out of the 180 possible combinations, Namprempre et al. [20] proved that 12 were secure, 164 insecure and 4 were left unresolved: A10, A11 and A12 which use an \(iv\)-based… 

Reducing the Cost of Authenticity with Leakages: a \mathsf CIML2 -Secure \mathsf AE Scheme with One Call to a Strongly Protected Tweakable Block Cipher

A new Authenticated Encryption mode that offers ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption is presented.

Reducing the Cost of Authenticity with Leakages: a CIML2-Secure AE Scheme with One Call to a Strongly Protected Tweakable Block Cipher

This paper presents CONCRETE (Commit−Encrypt−Send− the−Key) a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and

Fast Decryption: a New Feature of Misuse-Resistant AE

The MRAE proposal (decryption-fast SIV or DFV) allows to decrypt as fast as a plain decryption, hence theoretically doubles its speed from the original SIV, while keeping the encryption speed equivalent to SIV.



Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

It is suggested that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), and it is shown that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation

This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

This work considers two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relates them to the standard notions of privacy IND-CCA and NM-CPA by presenting implications and separations between all notions considered.

Authenticated-encryption with associated-data

  • P. Rogaway
  • Computer Science, Mathematics
    CCS '02
  • 2002
This paper formalizes and investigates the authenticated-encryption with associated-data (AEAD) problem, and studies two simple ways to turn an authenticated-Encryption scheme that does not support associated- data into one that does: nonce stealing and ciphertext translation.

Reconsidering Generic Composition

This work evidence the overreaching understanding of prior generic-composition results by pointing out that the Encrypt-then-MAC mechanism of ISO 19772 is completely wrong.

The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)

It is shown that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method.

Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm

This paper proposes several fixes to the SSH protocol and, using techniques from modern cryptography, it proves that their modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements.

Nonce-Based Symmetric Encryption

This work investigates an alternative syntax for an encryption scheme, where the encryption process e is a deterministic function that surfaces an initialization vector (IV) that is guaranteed to be a nonce-something that takes on a new value with every message one encrypts.

Authenticated and Misuse-Resistant Encryption of Key-Dependent Data

A RO-based transform RHtE is presented that endows any AE scheme with this security, so that existing implementations may be easily upgraded to have the best possible seurity in the presence of key-dependent data.

The Power of Verification Queries in Message Authentication and Authenticated Encryption

This paper points out that, contrary to popular belief, allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so