Leakage-resilience and misuse-resistance are two important properties for the deployment of authenticated encryption schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss their interactions and incompatibilities. For this purpose, we first show a generic composition mode of a MAC with an encryption schem...

Many security protocols rely on authentication of communicating entities and encryption of exchanged data. Traditionally, authentication and encryption have been separate processes, however there are combined solutions, referred to as authenticated-encryption (AE). The payment card industry is revising its protocol specifications and considering AE, however there has been uncertainty around per...

We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” aboutm, while (2) the binder b can be “meaningfully...

Article history: Received 26 August 2010 Received in revised form 22 November 2010 Accepted 25 March 2011 Available online 14 April 2011 Communicated by L. Viganò

Tseng et al. have introduced in 2003 an authenticated encryption scheme by using self-certified public keys. Based on this scheme several authors have proposed new signature schemes avoiding some attacks against the original proposal. In this paper we show that there is a weakness on all these schemes affecting both the authentication of the signer’s public key and the own security of the syste...

We show that the Abadi-Rogaway logic of indistinguishability for cryptographic expressions is not complete by giving a natural example of a secure encryption function and a pair of expressions, such that the distributions associated to the two expressions are computationally indistinguishable, but equality cannot be proved within the logic. We then introduce a new property for encryption scheme...

We present a bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors. Running at 7.59 cycles/byte on a Core 2, it is up to 25% faster than previous implementations, while simultaneously offering protection against timing attacks. In particular, it is the only cache-timing-attack resistant implementation offering competitive speeds for stream as well as for packet ...

Secure and authenticated message delivery/storage is one of the major aims of computer and communication security research. The current standard method to achieve this aim is “(digital) signature followed by encryption”. In this paper, we address a question on the cost of secure and authenticated message delivery/storage, namely, whether it is possible to transport/store messages of varying len...

We propose the Synthetic Counter-in-Tweak (SCT) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme (with associated data). The SCT mode combines in a SIV-like manner a Wegman-Carter MAC inspired from PMAC for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak i...