Authenticated Encryption in Theory and in Practice

Authenticated encryption refers to a class of cryptographic schemes that simultaneously provide message confidentiality and message authenticity. It is an essential component of almost every cryptographic protocol that is used in practice. In this thesis we aim to narrow the gap that exists between authenticated encryption as used in practice, and authenticated encryption as studied in the framework of theoretical cryptography. We examine how certain types of attacks are not captured by the current techniques, and show how this can be remedied by expanding existing security models to capture a wider array of attacks. We begin with a case study of IPsec: a widely deployed security protocol for protecting data across the Internet and other networks. Despite its popularity, IPsec’s security has not received much formal treatment. As a security protocol it offers a relatively high degree of configurability, so as to accommodate multiple usage scenarios. We here present a new set of efficient attacks that fully break the confidentiality of half of the configurations that are permitted by the IPsec standard. Next we turn our attention to the enhancement of security models. In particular we consider attacks that exploit distinguishable decryption failures and ciphertext fragmentation. A number of recent attacks against practical cryptosystems, including our attacks on IPsec, fall in one of these two categories. We extend the current security models to capture such attacks, and formulate new security notions to capture vulnerabilities that arise in this new setting. We then go on to explore how these notions relate to each other, and construct authenticated encryption schemes that satisfy our security notions.