Authenticated encryption

About: Authenticated encryption is a research topic. Over its lifetime, 1328 publications have been published within this topic, receiving 25968 citations. The topic is also known as: AEAD and Authenticated Encryption with Associated Data.


Papers
Journal Article
TL;DR: It is pointed out that Tseng-Jan's scheme suffers from serious security faults such that any adversary can easily forge valid signature blocks and pass the receiver's verification, and the scheme does not provide forward secrecy and non-repudiation.
Abstract: An authenticated encryption scheme is a message transmission scheme which sends messages in a secure and authentic way. For large message transmission, traditional authenticated encryption schemes have the disadvantage that the communication and computation costs are too high. In 2002, Tseng-Jan proposed an efficient authenticated encryption scheme with message linkage; that is, only a random number was used, and the communication costs and computational complexity were better than those of previously proposed schemes. The current paper, however, points out that Tseng-Jan's scheme suffers from serious security faults such that any adversary can easily forge valid signature blocks and pass the receiver's verification, and the scheme does not provide forward secrecy and non-repudiation. We also propose an improvement to the scheme to overcome the weaknesses.

6 citations

Patent
01 Jun 2015
TL;DR: In this paper, a key-stream set of blocks is generated by a deterministic pseudo-random number generator function that is instantiated with the secret encryption key, and each block is encrypted on a per-block basis, with a corresponding block from the keystream.
Abstract: System, device, and method of authenticated encryption of messages. A message intended for authenticated encryption is stored; and a secret authentication key and a secret encryption key are stored. A key-stream set of blocks is generated, each block including pseudo-random bits. The aggregate length of the key-stream is equal to or greater than the message-length of the message. Each block of the key-stream is generated by a deterministic pseudo-random number generator function that is instantiated with the secret encryption key. The key-stream is generated on a block-by-block basis, until the key-stream reaches in aggregate the message-length of the message. Each block of bits of the message is encrypted, on a per-block basis, with a corresponding block from the key-stream. Authentication is performed on the result of the encrypting operation, or on the message, by applying a keyed cryptographic checksum function that ascertains integrity and that utilizes the secret authentication key.

6 citations

01 Jan 2006
TL;DR: This work proposes CWC, the first block cipher-based AE scheme that is simultaneously provably secure, fully parallelizable, and free from intellectual property claims, and states provable security results about both the Encode-then-E&M paradigm and the SSH AE scheme.
Abstract: We study authenticated encryption (AE) schemes, or symmetric cryptographic protocols designed to protect both the privacy and the integrity of digital communications. When the AE schemes that we propose or study are secure, we prove so using the modern cryptography approach of practice-oriented provable security; this approach involves formally defining what it means for an AE scheme to be secure, and then deriving proofs of security via reductions from the security of the construction's underlying components. When we find that an AE scheme is insecure, we support our discoveries with example attacks and then propose security improvements. We first study the AE portion of the Secure Shell (SSH) protocol. The SSH AE scheme is based on the Encrypt-and-MAC paradigm. Despite previous negative results on the Encrypt-and-MAC paradigm, we prove that the overall design of the SSH AE scheme is secure under reasonable assumptions. Our proofs for SSH contribute to the field of cryptography in several ways. First, we extend previous formal definitions of security for AE schemes to capture additional security goals, namely resistance to replay and re-ordering attacks. We also formalize a new AE paradigm, Encode-then-E&M, that captures the differences between the real SSH AE scheme and the previous Encrypt-and-MAC model. We state provable security results about both the Encode-then-E&M paradigm and the SSH AE scheme. Motivated by the differences between previous models and real AE schemes, we then consider and prove security results about generalizations of two other natural AE paradigms, MAC-then-Encrypt and Encrypt-then-MAC, as well as further generalizations of the Encode-then-E&M paradigm. Motivated by practical requirements and the IPsec community, we propose CWC, the first block cipher-based AE scheme that is simultaneously provably secure, fully parallelizable, and free from intellectual property claims.
Finally, we discover and propose fixes to security defects with the WinZip AE-2 AE scheme. Our attacks exploit interactions between AE-2's provably secure Encrypt-then-MAC core and the rest of the system. Since WinZip could have avoided certain attacks by applying the provable security approach to the whole AE-2 scheme, our results suggest the importance of pushing the provable security approach further into real systems.

6 citations

Book ChapterDOI
20 Sep 2017
TL;DR: This work defines channel protocols, as well as security for channels constructed from stateful length-hiding authenticated encryption (stLHAE) schemes, and initiates the concept of secure termination where, upon receipt of a signifying message, a receiver is guaranteed to have received every message that has been sent, and will ever be sent, on the channel.
Abstract: Secure channels are one of the most pivotal building blocks of cryptography today. Internet connections, secure messaging, protected IoT data, etc., all rely upon the security of the underlying channel. In this work we define channel protocols, as well as security for channels constructed from stateful length-hiding authenticated encryption (stLHAE) schemes. Furthermore, we initiate the concept of secure termination where, upon receipt of a signifying message, a receiver is guaranteed to have received every message that has been sent, and will ever be sent, on the channel. We apply our results to real-world protocols, linking the channel environment to previous analyses of TLS 1.2, and demonstrating that TLS 1.2 achieves secure termination via fatal alerts and close_notify messages, per the specification of the Alert Protocol.

6 citations

Journal ArticleDOI
TL;DR: An extremely efficient forgery attack on Lilliput-AE that demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks.
Abstract: Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: given a single arbitrary message of length about $2^{36}$ bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.

6 citations


Network Information
Related Topics (5)
- Public-key cryptography: 27.2K papers, 547.7K citations, 90% related
- Cryptography: 37.3K papers, 854.5K citations, 89% related
- Encryption: 98.3K papers, 1.4M citations, 86% related
- Hash function: 31.5K papers, 538.5K citations, 84% related
- Authentication: 74.7K papers, 867.1K citations, 83% related
Performance Metrics
No. of papers in the topic in previous years

Year    Papers
2023    19
2022    52
2021    67
2020    109
2019    111
2018    97