Paper 2018/991
Reconsidering Generic Composition: the Tag-then-Encrypt case
Francesco Berti, Olivier Pereira, and Thomas Peters
Abstract
Authenticated Encryption ($\mathsf{AE}$) achieves confidentiality and authenticity, the two most fundamental goals of cryptography, in a single scheme. A common strategy to obtain $\mathsf{AE}$ is to combine a Message Authentication Code $(\mathsf{MAC})$ and an encryption scheme, either nonce-based or $\mathsf{iv}$-based. Out of the 180 possible combinations, Namprempre et al.~[25] proved that 12 were secure, 164 insecure and 4 were left unresolved: A10, A11 and A12 which use an $\iv$-based encryption scheme and N4 which uses a nonce-based one. The question of the security of these composition modes is particularly intriguing as N4, A11, and A12 are more efficient than the 12 composition modes that are known to be provably secure.\\ We prove that: $(i)$ N4 is not secure in general, $(ii)$ A10, A11 and A12 have equivalent security, $(iii)$ A10, A11, A12 and N4 are secure if the underlying encryption scheme is either misuse-resistant or ``message malleable'', a property that is satisfied by many classical encryption modes, $(iv)$ A10, A11 and A12 are insecure if the underlying encryption scheme is stateful or untidy.\\ All the results are quantitative.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- Authenticated Encryptiongeneric compositiontag-then-encryptattacks and proves
- Contact author(s)
- francesco berti @ uclouvain be
- History
- 2018-10-22: received
- Short URL
- https://ia.cr/2018/991
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2018/991,
author = {Francesco Berti and Olivier Pereira and Thomas Peters},
title = {Reconsidering Generic Composition: the Tag-then-Encrypt case},
howpublished = {Cryptology ePrint Archive, Paper 2018/991},
year = {2018},
note = {\url{https://eprint.iacr.org/2018/991}},
url = {https://eprint.iacr.org/2018/991}
}
