
Showing papers on "Authenticated encryption published in 2004"


Book ChapterDOI
20 Dec 2004
TL;DR: GCM is shown to be the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs.
Abstract: The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.

505 citations


Book ChapterDOI
05 Feb 2004
TL;DR: A block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD), which is on-line and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext.
Abstract: We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2⌈|M|/n⌉ + ⌈|H|/n⌉ + ⌈|N|/n⌉ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext.

263 citations


Book ChapterDOI
01 Mar 2004
TL;DR: This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures and introduces some randomness into this signature to increase its level of security in the random oracle model and to re-use that randomness to perform encryption.
Abstract: This paper proposes a new public key authenticated encryption (signcryption) scheme based on the Diffie-Hellman problem in Gap Diffie-Hellman groups. This scheme is built on the scheme proposed by Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea is to introduce some randomness into this signature to increase its level of security in the random oracle model and to re-use that randomness to perform encryption. This results in a signcryption protocol that is more efficient than any combination of that signature with an El Gamal like encryption scheme. The new scheme is also shown to satisfy really strong security notions and its strong unforgeability is tightly related to the Diffie-Hellman assumption in Gap Diffie-Hellman groups.

166 citations


Posted Content
TL;DR: In this article, it was shown that allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so that the notion of security that most message authentication schemes are proven to meet does not guarantee their security in practice.
Abstract: This paper points out that, contrary to popular belief, allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so that the notion of security that most message authentication schemes are proven to meet does not guarantee their security in practice. We then show, however, that the equivalence does hold for strong unforgeability. Based on this we recover security of popular classes of message authentication schemes such as MACs (including HMAC and PRF-based MACs) and CWschemes. Furthermore, in many cases we do so with a tight security reduction, so that in the end the news we bring is surprisingly positive given the initial negative result. Finally, we show analogous results for authenticated encryption.

125 citations


Book ChapterDOI
05 Feb 2004
TL;DR: CWC is a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data; it is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

123 citations


Journal ArticleDOI
TL;DR: The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet; however, the current SSH authenticated encryption mechanism is insecure, and this paper proposes provably secure fixes to it.
Abstract: The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

108 citations


Journal ArticleDOI
TL;DR: A new property for encryption schemes, which is called confusion freeness, is introduced, and it is shown that the Abadi-Rogaway logic is sound and complete, whenever the encryption scheme used satisfies this property.
Abstract: We show that the Abadi-Rogaway logic of indistinguishability for cryptographic expressions is not complete by giving a natural example of a secure encryption function and a pair of expressions, such that the distributions associated to the two expressions are computationally indistinguishable, but equality cannot be proved within the logic. We then introduce a new property for encryption schemes, which we call confusion freeness, and show that the Abadi-Rogaway logic is sound and complete, whenever the encryption scheme used satisfies this property. We relate confusion freeness with standard cryptographic security notions, showing that any authenticated encryption scheme is confusion free. We also consider two extensions of the basic logic. The first is a refinement of the Abadi-Rogaway logic that overcomes certain limitations of the original proposal, allowing for encryption functions that do not hide the length of the message being sent. Both the soundness theorem of Abadi and Rogaway, and our completeness result for confusion free (or authenticated) encryption easily extend to this more realistic notion of secrecy. The second is an extension of the logic due to Abadi and Jurjens that allows to study more complex protocols in the presence of a passive adversary. Our completeness results holds for this extended logic as well.

97 citations


Journal ArticleDOI
TL;DR: The concepts of elliptic curve cryptosystems and self-certified public keys are adopted to build a novel digital signature scheme with message recovery where the public key and the identity of the user can be authenticated simultaneously in recovering the message.

60 citations


Book ChapterDOI
08 Sep 2004
TL;DR: This paper proposes a new public key authenticated encryption (signcryption) scheme based on the hardness of q-Diffie-Hellman problems in Gap Diffie-Hellman groups that is quite efficient and provides detachable signatures that are unlinkable to the original anonymous ciphertext.
Abstract: This paper proposes a new public key authenticated encryption (signcryption) scheme based on the hardness of q-Diffie-Hellman problems in Gap Diffie-Hellman groups. This new scheme is quite efficient: the signcryption operation has almost the same cost as an El Gamal encryption while the reverse operation only requires one pairing evaluation and three exponentiations. The scheme's chosen-ciphertext security is shown to be related to the hardness of the q-Diffie-Hellman Inversion (q–DHI) problem in the random oracle model while its unforgeability is proved under the q-Strong Diffie-Hellman assumption (q-SDH). It also provides detachable signatures that are unlinkable to the original anonymous ciphertext. We also show that most of the sender's workload can be computed offline. Our construction is based on a signature scheme independently studied by Boneh-Boyen and Zhang et al. in 2004.

50 citations


Book ChapterDOI
TL;DR: This paper proposes two identity-based schemes for authenticated broadcasting and distributed message authentication: the first supports multiple broadcasters, and the second allows users to send messages back to the broadcaster, where messages are authenticated using the identity of the user.
Abstract: Since its introduction, broadcast encryption has attracted many useful applications. In this paper, we propose two identity-based schemes for authenticated broadcasting and distributed message authentication. The first scheme supports multiple broadcasters and allows each broadcaster to dynamically broadcast messages into an arbitrary group of receivers determined by the broadcaster. The receivers can obtain the broadcasted message using the identity of the broadcaster and his own secret decryption key; hence it ensures both confidentiality and authenticity of the message. The second scheme allows users (receivers) to send messages back to the broadcaster where the authentication of messages is done with the identity of the user. We also provide security proofs for our schemes under the random oracle model.

01 Jan 2004
TL;DR: EAX is an alternative to CCM, which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode, with issues of efficiency, simplicity, elegance, ease of correct use, and provable-security guarantees.
Abstract: We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2⌈|M|/n⌉ + ⌈|H|/n⌉ + ⌈|N|/n⌉ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this fact is novel and involved. EAX is an alternative to CCM (26), which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one pass for achieving privacy and one for authenticity. EAX is simpler and more efficient than CCM, avoiding, for example, elaborate padding rules or nonstandard parameters. With EAX we aimed to do as well as possible, within the space of two-pass schemes, with regard to issues of efficiency, simplicity, elegance, ease of correct use, and provable-security guarantees.

Journal Article
TL;DR: In this article, the authors investigate the authenticated encryption paradigm and its security against blockwise adaptive adversaries, mounting chosen ciphertext attacks on on-the-fly cryptographic devices and propose a generic construction called Decrypt-Then-Mask, and prove its security in the blockwise adversarial model.
Abstract: In this paper, we investigate the authenticated encryption paradigm, and its security against blockwise adaptive adversaries, mounting chosen ciphertext attacks on on-the-fly cryptographic devices. We remark that most of the existing solutions are insecure in this context, since they provide a decryption oracle for any ciphertext. We then propose a generic construction called Decrypt-Then-Mask, and prove its security in the blockwise adversarial model. The advantage of this proposal is to apply minimal changes to the encryption protocol. In fact, in our solution, only the decryption protocol is modified, while the encryption part is left unchanged. Finally, we propose an instantiation of this scheme, using the encrypted CBC-MAC algorithm, a secure pseudorandom number generator and the Delayed variant of the CBC encryption scheme.

Posted Content
TL;DR: A variation of the standard definition of chosen-ciphertext security is introduced, which is called IND-CCA3, and it is proved that IND-CCA3 is equivalent to authenticated-encryption.
Abstract: In this note we introduce a variation of the standard definition of chosen-ciphertext security, which we call IND-CCA3, and prove that IND-CCA3 is equivalent to authenticated-encryption.

Proceedings ArticleDOI
26 Sep 2004
TL;DR: This work identifies two security weaknesses in the Ma-Chen authenticated encryption scheme and proposes an efficient and secure improved scheme such that all the desired security requirements are satisfied.
Abstract: An authenticated encryption scheme allows messages to be encrypted and authenticated simultaneously. C. Ma and K. Chen proposed such a scheme with public verifiability (see Electronics Letters, vol.39, no.3 p.281-2, 2003). That is, in their scheme, the receiver can efficiently prove to a third party that a message has indeed originated from a specific sender. We first identify two security weaknesses in the Ma-Chen authenticated encryption scheme. Then, based on the Schnorr signature, we proposed an efficient and secure improved scheme such that all the desired security requirements are satisfied.

Proceedings ArticleDOI
28 Jun 2004
TL;DR: A new cipher is brought forward, which uses a keystream generator to produce an infinite number of frame secret keys based on an infinite root key space, and uses a unique one-off frame secret key for each data encryption/decryption.
Abstract: This work presents a scheme to build a data communication system that can effectively protect data integrity and confidentiality. Firstly, this work briefly introduces the situation of integrity and confidentiality protection. Then, this work brings forward a new cipher, which uses a keystream generator to produce an infinite number of frame secret keys based on an infinite root key space, and uses a unique one-off frame secret key for each data encryption/decryption. Based on this cipher, we construct a data communication system. This work illustrates how to build such a system and analyzes its protection of data integrity and confidentiality. With the character of the cipher, it offers high resistance against cryptanalysis to prevent data disclosure, and it gives little opportunity to those intractable attacks that can compromise data integrity.

Patent
26 Feb 2004
TL;DR: In this paper, a pseudo random number generator is used to generate random numbers whose length is shorter than 2N with reference to the message length N. The random numbers are generated so as to perform an encryption processing and an authentication processing.
Abstract: The random numbers are generated so as to perform an encryption processing and an authentication processing, thereby accomplishing an in-advance computation and a parallel computation. Also, the encryption processing and the authentication processing are performed, using the generated random numbers whose length is shorter than 2N with reference to the message length N. Concretely, the random numbers are generated using a pseudo random-number generator, and the generated random numbers are divided on each block basis. Also, a plaintext is divided on each block basis as well. Next, the exclusive-OR logical sums of random-number blocks R_i (1 ≤ i ≤ N+1) and plaintext blocks P_i (1 ≤ i ≤ N) are figured out, thereby acquiring ciphertext blocks C_i (1 ≤ i ≤ N+2). Moreover, a hash function performs a key-accompanying input of the random-number blocks R_i (1 ≤ i ≤ N+1), thereby generating the message authentication code of the generated ciphertext.

Journal Article
TL;DR: This paper formally defines and analyzes the security notions of authenticated encryption in the unconditional security setting, and shows that the strongest security notion is the combined notion of APS and IntC.
Abstract: In this paper, we formally define and analyze the security notions of authenticated encryption in the unconditional security setting. For confidentiality, we define the notions APS (almost perfect secrecy) and NM (non-malleability) from an information-theoretic viewpoint, along with our model where multiple senders and receivers exist. For authenticity, we define the notions IntC (integrity of ciphertexts) and IntP (integrity of plaintexts) from the viewpoint of information theory. We then combine the above notions to define the security notions of unconditionally secure authenticated encryption. Then, we analyze relations among the security notions. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, if a given encryption meets APS and a given signature is secure. Key words: unconditional security, encryption, authenticated encryption, signcryption

Journal ArticleDOI
TL;DR: An insider forgery attack is proposed, which means that the security of the authenticated encryption scheme is not as good as the Girault schemes, and an improvement to these schemes is proposed to overcome the weakness.

Proceedings Article
01 Jan 2004
TL;DR: By combining the two notions of ring signature and authenticated encryption together, a new type of authenticated encryption signature is introduced, called ring authenticated encryption, which has the following properties: signer-ambiguity, signer-verifiability, recipient-designation, semantic-security, verification-convertibility, verification-dependence and recipient-ambiguity.
Abstract: By combining the two notions of ring signature and authenticated encryption together, we introduce a new type of authenticated encryption signature, called ring authenticated encryption, which has the following properties: signer-ambiguity, signer-verifiability, recipient-designation, semantic-security, verification-convertibility, verification-dependence and recipient-ambiguity. We also give a variant that does not hold the property of recipient-ambiguity but can make a verifier know to whom a signature is sent when he checks its validity. Horster et al. (7) first proposed an authenticated encryption scheme modified from Nyberg-Ruepple's message signature (12), which aimed to achieve the purpose that the signature can only be verified by some specified recipients while keeping the message secret from the public. Compared with the straightforward approach employing the encryption and the signature schemes for a message, respectively, authenticated encryption schemes require smaller bandwidth of communications to achieve privacy, integrity and authentication of information. However, Horster et al.'s authenticated encryption scheme has a weakness that no one except the specified recipient can be convinced of the signer's signature, so the recipient cannot prove the dishonesty of the signer to any verifier without releasing his secret if the signer wants to repudiate his signature. To protect the recipient in case the signer would repudiate his signature, Araki et al. (2) proposed a convertible limited verifier scheme to enable the recipient to convert the signature to an ordinary one so that any verifier can verify its validity. But it needs the cooperation of the signer when the recipient converts the signature, which is obviously a weakness in the situation that the signer is unwilling to cooperate. To overcome this weakness, Wu et al. (15) proposed another convertible authenticated encryption scheme, in which the recipient can easily produce the ordinary signature without the cooperation of the signer, and he can reveal the converted signature and then any verifier can prove the dishonesty of the signer, if the signer wants to repudiate his signature. Recently, Huang et al. (8) showed that the scheme of Wu et al. does not consider that once an intruder knows the message then he can also easily convert a signature into an ordinary one,

Book ChapterDOI
13 Jul 2004
TL;DR: A new mode of encryption with inexpensive authentication is described, which uses information from the internal state of any round-based block cipher as an authenticator and has a number of benefits.
Abstract: We describe a new mode of encryption with inexpensive authentication, which uses information from the internal state of the cipher to provide the authentication. Our algorithms have a number of benefits: The encryption has properties similar to CBC mode, yet the encipherment and authentication can be parallelized and/or pipelined; The authentication overhead is minimal; The authentication process remains resistant against some IV reuse. Our first construction is the MTC4 encryption algorithm based on cryptographic hash functions which supports variable block sizes up to twice the hash output length, and variable key lengths. A proof of security is presented for MTC4. We then generalize the construction to create the Cipher-State (CS) mode of encryption that uses the internal state of any round-based block cipher as an authenticator. We give a concrete example using AES as the encryption primitive. We provide performance measurements for all constructions.

Journal ArticleDOI
TL;DR: These techniques—encryption, decryption and digital signature—are integrated in a new authenticated encryption scheme based on the elliptic curve cryptosystem, to achieve the confidentiality and authenticity of information.

Journal Article
TL;DR: CWC is a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data; it is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

Book ChapterDOI
20 Dec 2004
TL;DR: This work extends the traditional framework for considering integrity and confidentiality in an unconditionally secure environment, that of authentication codes with secrecy, to encompass aspects of recent work on unconditionally secure formulations of authentication codes and encryption systems.
Abstract: Unconditional security provides security independent of assumptions regarding adversaries resources. Considerable research has been carried out into unconditionally secure authentication codes without secrecy, wherein the confidentiality of the plaintext is unimportant. Unconditionally secure encryption has been less thoroughly studied. The traditional framework for considering integrity and confidentiality in an unconditionally secure environment is that of authentication codes with secrecy. We extend this framework, in the symmetric case, to encompass aspects of recent work on unconditionally secure formulations of authentication codes and encryption systems. This will allow for a systematic analysis of unconditionally secure authenticated encryption schemes.

Posted Content
TL;DR: In this paper, a stream cipher based algorithm for computing message authentication codes is described, which employs the internal state of the underlying cipher to minimize the required additional-to-encryption computational effort and maintain general simplicity of the design.
Abstract: A stream cipher based algorithm for computing Message Authentication Codes is described. The algorithm employs the internal state of the underlying cipher to minimize the required additional-to-encryption computational effort and maintain general simplicity of the design. The scheme appears to provide proper statistical properties, a comfortable level of resistance against forgery attacks in a chosen ciphertext attack model and high efficiency in software implementations.

Journal ArticleDOI
TL;DR: It is shown that both Tseng et al.'s authenticated encryption schemes do not achieve integrity and authentication and improvements are then proposed to repair the weaknesses.

ReportDOI
01 Oct 2004
TL;DR: A new mode of encryption with inexpensive authentication is described, which uses information from the internal state of the cipher to provide the authentication, and a Manticore class of authenticated encryption algorithms based on cryptographic hash functions are offered.
Abstract: We describe a new mode of encryption with inexpensive authentication, which uses information from the internal state of the cipher to provide the authentication. Our algorithms have a number of benefits: (1) the encryption has properties similar to CBC mode, yet the encipherment and authentication can be parallelized and/or pipelined, (2) the authentication overhead is minimal, and (3) the authentication process remains resistant against some IV reuse. We offer a Manticore class of authenticated encryption algorithms based on cryptographic hash functions, which support variable block sizes up to twice the hash output length and variable key lengths. A proof of security is presented for the MTC4 and Pepper algorithms. We then generalize the construction to create the Cipher-State (CS) mode of encryption that uses the internal state of any round-based block cipher as an authenticator. We provide hardware and software performance estimates for all of our constructions and give a concrete example of the CS mode of encryption that uses AES as the encryption primitive and adds a small speed overhead (10-15%) compared to AES alone.

Journal ArticleDOI
TL;DR: A new encryption mode for block cipher algorithms is proposed, based on the Plaintext Cipher Block Chaining (PCBC) mode. Apart from confidentiality, it supplies fast integrity checking at minimal computational cost, which makes it eminently suitable for ensuring data integrity in GIS systems while at the same time meeting some other GIS requirements.

Journal ArticleDOI
Qi Xie, Xiu Yuan Yu
TL;DR: An attack is proposed to show that Tseng et al.'s schemes are not secure in the following cases: when the specified verifier substitutes his secret key, or when the signer generates the signature with these schemes for two or more specified verifiers.

Proceedings ArticleDOI
28 Mar 2004
TL;DR: A new (t, n) threshold-authenticated encryption scheme with message linkage to reduce the load on the signer using a division-of-labor signature based on the elliptic curve cryptosystem, because of its highly efficient performance and comprehensiveness of security.
Abstract: We present a new (t, n) threshold-authenticated encryption scheme with message linkage to reduce the load on the signer using a division-of-labor signature. Only t signers can examine and sign an over-large message on behalf of the whole group, by dividing the whole message into a few readable submessage blocks; then, each signer needs only to examine and sign the designated submessage block rather than the whole message. Consequently, the load on the signer should be substantially reduced to improve the performance. Moreover, the proposed scheme is based on the elliptic curve cryptosystem, because of its highly efficient performance and comprehensiveness of security, supporting the practical use of the scheme.