2014
DOI: 10.1007/978-3-662-45611-8_6
|View full text |Cite
|
Sign up to set email alerts
|

How to Securely Release Unverified Plaintext in Authenticated Encryption

Abstract: Abstract. Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA)… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1
1

Citation Types

0
57
0
1

Year Published

2017
2017
2019
2019

Publication Types

Select...
6

Relationship

0
6

Authors

Journals

citations
Cited by 78 publications
(58 citation statements)
references
References 41 publications
0
57
0
1
Order By: Relevance
“…We model this by explicitly defining security relative to a class of leakage functions (as is common for instance in the contexts for related-key or key-dependent message attacks). By appropriately setting the class of leakage functions, we show that our notion generalises previous strengthened AE security notions, including SAE, RUP and distinguishable decryption errors [2,4,13], and previous leakage notions, including the simulatable leakage, auxiliary input and probing models [17,26,56].…”
Section: Our Contributionsmentioning
confidence: 76%
See 4 more Smart Citations
“…We model this by explicitly defining security relative to a class of leakage functions (as is common for instance in the contexts for related-key or key-dependent message attacks). By appropriately setting the class of leakage functions, we show that our notion generalises previous strengthened AE security notions, including SAE, RUP and distinguishable decryption errors [2,4,13], and previous leakage notions, including the simulatable leakage, auxiliary input and probing models [17,26,56].…”
Section: Our Contributionsmentioning
confidence: 76%
“…We establish that schemes susceptible to release of unverified plaintext are unsuitable even for much more modest types of leakage and we confirm modern folklore that this affects all schemes that are roughly of the type Encrypt-and-MAC or MAC-then-Encrypt (cf. [2]). Conversely, we show that Encrypt-then-MAC style schemes are secure against a large class of leakage functions, where we express this class in terms of the leakage classes against which the underlying primitives are secure.…”
Section: Our Contributionsmentioning
confidence: 99%
See 3 more Smart Citations