COFFE: Ciphertext Output Feedback Faithful Encryption On-Line Authenticated Encryption Without a Block Cipher
نویسندگان
چکیده
In this paper we introduce the first authenticated encryption scheme based on a hash function, called COFFE. This research has been motivated by the challenge to fit secure cryptography into constrained devices – some of these devices have to use a hash function, anyway, and the challenge is to avoid the usage of an additional block cipher to provide authenticated encryption. COFFE satisfies the common security requirements regarding authenticated encryption, i.e., IND-CPAand INT-CTXT-security. Beyond that, it provides the following additional security features: resistance against side-channel attacks and INT-CTXT security in the nonce-misuse scenario. It also support failure-friendly authentication under reasonable assumptions.
منابع مشابه
Cryptanalysis of the Authenticated Encryption Algorithm COFFE
COFFE is a hash-based authenticated encryption scheme. In the original paper, it was claimed to have IND-CPA security and also ciphertext integrity even in nonce-misuse scenario. In this paper, we analyse the security of COFFE. Our attack shows that even under the assumption that the primitive hash function is ideal, a valid ciphertext can be forged with 2 enquiries with success probability clo...
متن کاملCMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion
In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC, an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block c...
متن کاملRFC 5297 SIV - AES October 2008
This memo describes SIV (Synthetic Initialization Vector), a block cipher mode of operation. SIV takes a key, a plaintext, and multiple variable-length octet strings that will be authenticated but not encrypted. It produces a ciphertext having the same length as the plaintext and a synthetic initialization vector. Depending on how it is used, SIV achieves either the goal of deterministic authen...
متن کاملA Conventional Authenticated-Encryption Mode
We propose a block-cipher mode of operation, EAX, for authenticated-encryption with associateddata (AEAD). Given a nonce N , a message M , and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N, M, H E {0, 1} are arbitrary, and the mode uses 2→M/n∈ + →H/n∈ + →N/n∈ block-cipher calls when these strings are nonempty and n is the block length of the unde...
متن کاملAuthentication Failures in NIST version of GCM
In this note, we study the security of the Galois/Counter mode authenticated encryption recently published by NIST. We show how an adversary can recover the secret key of the keyed hash function underlying the authentication, using a chosen IV attack. Once this secret key is known, the encryption mode is no longer authenticated. As a con sequence, all chosen ciphertext attacks against the conf...
متن کامل