Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance
Citations
A provable-security treatment of the key-wrap problem
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers
Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption
XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees
References
Handbook of Applied Cryptography
OCB: a block-cipher mode of operation for efficient authenticated encryption
Authenticated-encryption with associated-data
Duplexing the sponge: single-pass authenticated encryption and other applications
Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS ...
Frequently Asked Questions (15)
Q2. What is the scheme BT suggest to encrypt a plaintext M?
The scheme BT suggest to encrypt a plaintext M is to apply an online cipher to R ‖ M ‖ R, where R is a random block and M is a sequence of blocks.
Q3. What is the point of having general purpose notions and provable-security guarantees?
The whole point of having general-purpose notions and provable-security guarantees is to avoid relying on application-specific characteristics of a protocol to enable security.
Q4. What do the authors emphasize about the OAE2 scheme?
The authors emphasize that moving from OAE1 to OAE2 does not enable one to safely repeat nonces; an OAE2-secure scheme will still be susceptible to the CPSS attack, for example.
Q5. What is the reason that nAE schemes have a large nonce space?
As for the nonce space N′ of Π′, the authors note that the usual reason that nAE schemes sport a fairly large nonce space, like N′ = {0,1}^96, is that there may be a large number of messages encrypted under a single key.
Q6. What does the definition say about the blocksize parameter?
That there’s a blocksize parameter at all implies that, to the definition’s architects, it is desirable, or at least acceptable, to buffer some bits of plaintext before acting on them—just not too many.
Q7. How do you construct an artificial counterexample?
Indeed it is easy to construct an artificial counterexample; for example, starting with an OAE1[n]-secure scheme that is LCP[n], augment the key with n extra bits, K′, and modify encryption so that when the first block of plaintext coincides with K′, the bits of the remainder of the plaintext are reversed before proceeding.
Q8. What is the way to fix the problem of an infinite AD space?
The authors comment that re-partitioning a segmented-AE scheme's syntax along the lines of first/next/last calls, instead of init/next/last calls, would again fix the problem of an infinite AD space A. Finally, one could always modify the STREAM construction by applying to A, or N, a PRF (keyed by a key separated from K) or a collision-intractable hash function, reducing these strings to fixed-length ones.
Q9. What did the authors think of the weakening of MRAE?
While the authors understood that they were weakening MRAE, they saw the weakening as relatively inconsequential: they say that their scheme, McOE, “because of being on-line, satisfies a slightly weaker security definition against nonce-reusing adversaries” [26, p. 198] (emphasis ours).
Q10. What is the probability that A can reproduce S?
Q11. What is the preferred approach to a new AE scheme?
The authors don’t view OAE2 as a goal for which one should design a fundamentally new AE scheme; the preferred approach is to use a conventional AE scheme and wrap it in a higher-level protocol.
Q12. What does the definition imply about repeating nonces?
That is, while OAE2 defines what must happen when nonces repeat, absent a contravening analysis for some application, nonce-repetition should still be deprecated.
Q13. What is the reason the TSS manuscript has been so uninfluential?
The authors consider it unfortunate that the TSS manuscript has been so uninfluential up until now, as it seems to us more definitionally prescient than alternative lines.
Q14. What is the point of limiting blocksize to a single byte?
Another application might need to limit the blocksize to a single byte, to ensure bounded latency despite bytes arriving at indeterminate times.
Q15. How many bits of data are needed to authenticate each segment?
If segments are 1 KByte (which is fairly short) and tags are 128 bits (which is fairly long), the difference in bandwidth between authenticating every segment and authenticating only the last one will always be less than 2%.