Authenticated On-Line Encryption
Pierre-Alain Fouque,Antoine Joux,Gwenaëlle Martinet,Frédéric Valette +3 more
- Vol. 3006, pp 145-159
Reads0
Chats0
TLDR
This paper proposes a generic construction called Decrypt-Then-Mask, and proves its security in the blockwise adversarial model, and proposes an instantiation of this scheme, using the encrypted CBC-MAC algorithm, a secure pseudorandom number generator and the Delayed variant of the CBC encryption scheme.Abstract:
In this paper, we investigate the authenticated encryption paradigm, and its security against blockwise adaptive adversaries, mounting chosen ciphertext attacks on on-the-fly cryptographic devices. We remark that most of the existing solutions are insecure in this context, since they provide a decryption oracle for any ciphertext. We then propose a generic construction called Decrypt-Then-Mask, and prove its security in the blockwise adversarial model. The advantage of this proposal is to apply minimal changes to the encryption protocol. In fact, in our solution, only the decryption protocol is modified, while the encryption part is left unchanged. Finally, we propose an instantiation of this scheme, using the encrypted CBC-MAC algorithm, a secure pseudorandom number generator and the Delayed variant of the CBC encryption scheme.read more
Citations
More filters
Journal Article
How to sign digital streams
Rosario Gennaro,Pankaj Rohatgi +1 more
TL;DR: This work presents a new efficient paradigm for signing digital streams that uses the constraint of a finite stream which is entirely known to the sender and uses this constraint to devise an extremely efficient solution to the problem of authenticating digital streams.
Book ChapterDOI
How to Securely Release Unverified Plaintext in Authenticated Encryption
Elena Andreeva,Elena Andreeva,Andrey Bogdanov,Atul Luykx,Atul Luykx,Bart Mennink,Bart Mennink,Nicky Mouha,Nicky Mouha,Kan Yasuda +9 more
TL;DR: The first formalization of the releasing unverified plaintext (RUP) setting was proposed in this paper, where a plaintext extractor mimicking the decryption oracle is used to fool adversaries without the secret key.
Journal Article
A practice-oriented treatment of Pseudorandom Number Generators
TL;DR: A general security frame work for PRNGs is given, incorporating the attacks that users are typically concerned about, and the most popular ones, including the ANSI X9.17 PRNG and the FIPS 186 PRNG are analyzed.
Book ChapterDOI
Plaintext-Dependent decryption: a formal security treatment of SSH-CTR
TL;DR: This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH.
Posted Content
Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR.
TL;DR: In this article, the authors present a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH.
References
More filters
Proceedings ArticleDOI
A concrete security treatment of symmetric encryption
TL;DR: This work studies notions and schemes for symmetric (ie. private key) encryption in a concrete security framework and gives four different notions of security against chosen plaintext attack, providing both upper and lower bounds, and obtaining tight relations.
Journal ArticleDOI
The Security of the Cipher Block Chaining Message Authentication Code
TL;DR: A technical lemma of independent interest is bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l- bit to l -bit function.
Proceedings ArticleDOI
OCB: a block-cipher mode of operation for efficient authenticated encryption
TL;DR: It is proved OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
Journal ArticleDOI
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm
TL;DR: In this paper, the authors consider two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NMCPA, and provide proofs for the cases where the answer is "yes" and counter-examples for the answer "no".
Book ChapterDOI
The Security of Cipher Block Chaining
TL;DR: This work provides its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a Pseudo-Cipher Block Chaining function.