2015
DOI: 10.1007/978-3-662-46800-5_2
|View full text |Cite
|
Sign up to set email alerts
|

Robust Authenticated-Encryption AEZ and the Problem That It Solves

Abstract: Abstract. With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that's λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
85
0

Year Published

2017
2017
2021
2021

Publication Types

Select...
6
1

Relationship

0
7

Authors

Journals

citations
Cited by 113 publications
(85 citation statements)
references
References 47 publications
0
85
0
Order By: Relevance
“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”
Section: Optimal Security In Standard Model?mentioning
confidence: 99%
“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”
Section: Optimal Security In Standard Model?mentioning
confidence: 99%
“…For instance, if E's security matches that of a tweakable (variable input length) cipher, the MAC-then-Encrypt constructions become a sort of encodethen-encipher. The latter is secure against release of unverified plaintext [25]. We leave open the identification of sufficient conditions on E for a generic composition result in the presence of leakage to pull through for EtM or E&M; relatedly, we leave open the extension of our work to the encode-then-encipher setting.…”
Section: Mac-and/then-encrypt Are Brittle Under Leakagementioning
confidence: 99%
“…Andreeva et al [2] (RUP) considered the release of unverified plaintexts, where the decryption oracle releases candidate plaintexts even if they fail verification. The robust authenticated encryption notion of Hoang et al [25] also implies security against the leakage of these candidate plaintexts, among other goals. Barwell et al [4] defined the SAE framework as a generalisation of these notions, and used it to compare the three previous works.…”
Section: Related Workmentioning
confidence: 99%
See 2 more Smart Citations