Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm (original) (raw)
Related papers
Ciphertext verification security of symmetric encryption schemes
Science in China Series F: Information Sciences, 2009
This paper formally discusses the security problem caused by the ciphertext verification, presenting a new security notion named IND-CVA (indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access to both encryption oracle and ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA (indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA (indistinguishability under chosen-ciphertext attacks), and can be satisfied by most of the popular symmetric encryption schemes such as OTP (one-time-pad), CBC (cipher block chaining) and CTR (counter). An MAC (message authentication scheme) is usually combined with an encryption to guarantee secure communication (e.g. SSH, SSL and IPSec). However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil the privacy in some cases.
Structural Classifcation of Authenticated Encryption Schemes
2020
In this short note, we aim to give a structural classifcation of modes of operations for authenticated encryption (AEAD). First, we briefy discuss various features that are desirable in an AEAD mode. Then, we classify AEAD modes according to their structure, understand their target area of applications, discuss their basic design goals and associated features. Finally, we give a brief description of each of the 32 second round candidates in NIST LwC project, distributing them in appropriate class based on their structure.
V.: Provable-security analysis of authenticated encryption
2013
Kerberos is a widely-deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol’s evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to be meaningful, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither currently deployed as part of Kerberos encryption schemes nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos ’ encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modification that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.
Reforgeability of Authenticated Encryption Schemes
IACR Cryptol. ePrint Arch., 2017
This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: \(j\text {-}\textsc {Int}\text {-}\textsc {CTXT}\), which is derived from the notion INT-CTXT. Second, we define an attack scenario called \(j\text {-IV-Collision Attack}\) (\(j\text {-IV-CA}\)), wherein an adversary tries to construct j forgeries provided a first forgery. The term collision in the name stems from the fact that we assume the first forgery to be the result from an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to \(j\text {-IV-CAs}\) of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in the nonce-re...
Improved convertible authenticated encryption scheme with provable security
Information Processing Letters, 2011
Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).
Artemia: a family of provably secure authenticated encryption schemes
ISC Int. J. Inf. Secur., 2014
Authenticated encryption schemes establish both privacy and authenticity. This paper specifies a family of the dedicated authenticated encryption schemes, Artemia. It is an online nonce-based authenticated encryption scheme which supports the associated data. Artemia uses the permutation based mode, JHAE, that is provably secure in the ideal permutation model. The scheme does not require the inverse of the permutation in the decryption function, which causes the resource efficiency. Artemia permutations have an efficient and a simple structure and are provably secure against the differential and linear cryptanalysis. In the permutations, MDS recursive layers are used that can be easily implemented in both software and hardware.
Relations Among Notions of Security for Identity Based Encryption Schemes
Lecture Notes in Computer Science, 2006
Identity based encryption (IBE) schemes have been flourishing since the very beginning of this century. In IBE it is widely believed that proving the security of a scheme in the sense of IND-ID-CCA2 is sufficient to claim the scheme is also secure in the senses of both SS-ID-CCA2 and NM-ID-CCA2. The justification for this belief is the relations among indistinguishability (IND), semantic security (SS) and non-malleability (NM). But these relations are proved only for conventional public key encryption (PKE) schemes in historical works. The fact is that between IBE and PKE, there exists a difference of special importance, i.e. only in IBE the adversaries can perform a particular attack, namely the chosen identity attack. This paper shows that security proved in the sense of IND-ID-CCA2 is validly sufficient for implying security in any other sense in IBE. This is to say the security notion, IND-ID-CCA2, captures the essence of security for all IBE schemes. To achieve this intention, we first describe formal definitions of the notions of security for IBE, and then present the relations among IND, SS and NM in IBE, along with rigorous proofs. All of these results are proposed with the consideration of the chosen identity attack.
Authenticated Encryption Schemes: A Systematic Review
IEEE Access, 2022
Authenticated encryption (AE) is a cryptographic construction that simultaneously protects confidentiality and integrity. A considerable amount of research has been devoted to the area since its formal inception in 2000. Different lines of research have been proposed to enhance the available schemes in terms of security, efficiency, and design and to implement new ideas. However, a comprehensive systematic literature review (SLR) of the topic has not been provided to the best of the authors' knowledge. This study fills this gap in the literature by proposing a framework for classifying AE schemes and highlighting past contributions to help researchers familiarize themselves with the current state and directions for future research in the area. This SLR covered AE schemes proposed from 2000 to 2020. A total of 217 articles, selected from eight sources, were categorized into independent schemes, CAESAR competition schemes, and NIST lightweight competition schemes. These schemes were then classified according to their design approaches, securityrelated properties, and functional features. Our analysis reveals that a significant outstanding challenge in AE is to balance security, efficiency, and the provision of desirable features.
A New Security Definition for Public Key Encryption Schemes and Its Applications
The strongest security definition for public key encryption (PKE) schemes is indistinguishability against adaptive chosen ciphertext attacks (IND-CCA). A practical IND-CCA secure PKE scheme in the standard model is well-known to be difficult to construct given the fact that there are only a few such kind of PKE schemes available. From another perspective, we observe that for a large class of PKE-based applications, although IND-CCA security is sufficient, it is not a necessary requirement. Examples are Key Encapsulation Mechanism (KEM), MT-authenticator, providing pseudorandomness with a-priori information, and so on. This observation leads us to propose a slightly weaker version of IND-CCA, which requires ciphertexts of two randomly selected messages are indistinguishable under chosen ciphertext attacks. Under this new security notion, we show that highly efficient schemes proven secure in the standard model can be built in a straightforward way. We also demonstrate that such a security definition is already sufficient for the applications above.
New security notions and relations for public-key encryption
Journal of Mathematical Cryptology, 2012
Since their introduction, the notions of indistinguishability and non-malleability have been changed and extended by different authors to support different goals. In this paper, we propose new flavors of these notions, investigate their relative strengths with respect to previous notions, and provide the full picture of relationships (i.e., implications and separations) among the security notions for public-key encryption schemes. We take into account the two general security goals of indistinguishability and non-malleability, each in the message space, key space, and hybrid message-key space to find six specific goals, a couple of them, namely complete indistinguishability and key non-malleability, are new. Then for each pair of goals, coming from the indistinguishability or non-malleability classes, we prove either an implication or a separation, completing the full picture of relationships among all these security notions. The implications and separations are respectively supported by formal proofs (i.e., reductions) in the concrete-security framework and by counterexamples.