RIV for Robust Authenticated Encryption
نویسندگان
چکیده
Typical AE schemes are supposed to be secure when used as specified. However, they can – and often do – fail miserably when used improperly. As a partial remedy, Rogaway and Shrimpton proposed (nonce-)misuse-resistant AE (MRAE) and the first MRAE scheme SIV (“Synthetic Initialization Vector”). This paper proposes RIV (“Robust Initialization Vector”), which extends the generic SIV construction by an additional call to the internal PRF. RIV inherits the full security assurance from SIV, but unlike SIV and other MRAE schemes, RIV is also provably secure when releasing unverified plaintexts. This follows a recent line of research on “Robust Authenticated Encryption”, similar to the CAESAR candidate AEZ. An AES-based instantiation of RIV runs at less than 1.5 cpb on current x64 processors. Unlike the proposed instantiation of AEZ, which gains speed by relying on reduced-round AES, our instantiation of RIV is provably secure under the single assumption of the AES being secure.
منابع مشابه
RSPAE: RFID Search Protocol based on Authenticated Encryption
Search protocols are among the main applications of RFID systems. Since a search protocol should be able to locate a certain tag among many tags, not only it should be secure against RFID threats but also it should be affordable. In this article, an RFID-based search protocol will be presented. We use an encryption technique that is referred to as authenticated encryption in order to boost the ...
متن کاملArtemia: a family of provably secure authenticated encryption schemes
Authenticated encryption schemes establish both privacy and authenticity. This paper specifies a family of the dedicated authenticated encryption schemes, Artemia. It is an online nonce-based authenticated encryption scheme which supports the associated data. Artemia uses the permutation based mode, JHAE, that is provably secure in the ideal permutation model. The scheme does not require the in...
متن کاملImprovement on a Threshold Authenticated Encryption Scheme
The authenticated encryption scheme allows one signer to generate an authenticated cipher-text so that no one except the designated verifier can recover the message and verify the message. In a (t, n) threshold authenticated encryption scheme, any t or more signers can generate an authenticated encryption for a message and send it to the designated verifier. Compared with the conventional encry...
متن کاملAuthenticated Encryption in the Face of Protocol and Side Channel Leakage
Authenticated encryption schemes in practice have to be robust against adversaries that have access to various types of leakage, for instance decryption leakage on invalid ciphertexts (protocol leakage), or leakage on the underlying primitives (side channel leakage). This work includes several novel contributions: we augment the notion of nonce-base authenticated encryption with the notion of c...
متن کاملA Robust Convertible Multi - Authenticated Encryption Scheme with One - Way Hash Function
A convertible multi-authenticated encryption (CMAE) scheme allows a group of signers to cooperatively produce a valid authenticated encryption signature and still preserves the characteristic of convertible authenticated encryption (CAE) schemes. In 2008, Tsai proposed a CMAE scheme based on the intractability of one-way hash functions and discrete logarithms. However, we find that Tsai’s schem...
متن کامل