Search results for: authenticated encryption

Number of results: 30521

Journal: IACR Cryptology ePrint Archive 2002
Charanjit S. Jutla

We show that any scheme to encrypt m blocks of size n bits while assuring message integrity, that apart from using m + k invocations of random functions (from n bits to n bits) and vn bits of randomness, is linear in $(GF2)^n$, must have k + v at least (log m). This lower bound is proved in a very general model which rules out many promising linear modes of operations for encryption with messag...

Journal: IACR Cryptology ePrint Archive 2017
Shoichi Hirose, Yu Sasaki, Kan Yasuda

This paper explores a new type of MACs called message-recovery MACs (MRMACs). MRMACs have an additional input R that gets recovered upon verification. Receivers must execute verification in order to recover R, making the verification process unskippable. Such a feature helps avoid mis-implementing verification algorithms. The syntax and security notions of MRMACs are rigorously formulated. In pa...

Journal: IACR Cryptology ePrint Archive 2014
Chanathip Namprempre, Phillip Rogaway, Thomas Shrimpton

In the context of authenticated encryption (AE), generic composition has referred to the construction of an AE scheme by gluing together a conventional (privacy-only) encryption scheme and a MAC. Since the work of Bellare and Namprempre (2000) and then Krawczyk (2001), the conventional wisdom has become that there are three forms of generic composition, with Encrypt-then-MAC the only one that g...

2014
Farzaneh Abed, Christian Forler, Stefan Lucks

Farzaneh Abed Bauhaus-Universität Weimar, farzaneh.abed(at)uni-weimar.de Scott Fluhrer Cisco Systems, sfluhrer(at)cisco.com John Foley Cisco Systems, foleyj(at)cisco.com Christian Forler Bauhaus-Universität Weimar, christian.forler(at)uni-weimar.de Eik List Bauhaus-Universität Weimar, eik.list(at)uni-weimar.de Stefan Lucks Bauhaus-Universität Weimar, stefan.lucks(at)uni-weimar.de David McGrew ...

2008
A. Choudhury, D. McGrew

This memo describes the use of the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation. GCM provides both confidentiality and data origin authentication, can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations. This memo define...

2011
Tzung-Her Chen, Ci-Lin Li

Recently, Chung et al. (2009) proposed a novel and valuable threshold authenticated encryption scheme. Unfortunately, it has a potential weakness: if the secret message involves criminal evidence or illegal content, the designated receiver cannot authenticate the secret message in the later dispute. The authors of this paper aim at enhancing Chung et al.’s scheme by adding the convertibility ca...

Journal: IACR Cryptology ePrint Archive 2017
Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange, Lorenz Panny

We show that HILA5 is not secure against chosen-ciphertext attacks. Specifically, we demonstrate a key-recovery attack on HILA5 using an active attack on reused keys. The attack works around the error correction in HILA5. The attack applies to the HILA5 key-encapsulation mechanism (KEM), and also to the public-key encryption mechanism (PKE) obtained by NIST’s procedure for combining the KEM wit...

2006
Ammar Alkassar, Elena Andreeva, Helger Lipmaa

We present a new, provably secure, self-synchronizing authenticated encryption mode of operation, SLC, with the ability to re-synchronize after loss of transmission units of sub-block size, enabling it to efficiently handle short packets. The new scheme uses two components, self-synchronizing MAC and self-synchronizing encryption scheme, each of which is individually interesting. The SLC mode, ...

2012
P. Gutmann

This document specifies the conventions for using Message Authentication Code (MAC) encryption with the Cryptographic Message Syntax (CMS) authenticated-enveloped-data content type. This mirrors the use of a MAC combined with an encryption algorithm that’s already employed in IPsec, Secure Socket Layer / Transport Layer Security (SSL/TLS) and Secure SHell (SSH), which is widely supported in exi...

2006
Phillip Rogaway, Thomas Shrimpton

We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze...
