Paper 2019/1033

Anonymous AE

John Chan and Phillip Rogaway

Abstract

The customary formulation of authenticated encryption (AE) requires the decrypting party to supply the correct nonce with each ciphertext it decrypts. To enable this, the nonce is often sent in the clear alongside the ciphertext. But doing this can forfeit anonymity and degrade usability. Anonymity can also be lost by transmitting associated data (AD) or a session-ID (used to identify the operative key). To address these issues, we introduce anonymous AE, wherein ciphertexts must conceal their origin even when they are understood to encompass everything needed to decrypt (apart from the receiver's secret state). We formalize a type of anonymous AE we call anAE, anonymous nonce-based AE, which generalizes and strengthens conventional nonce-based AE, nAE. We provide an efficient construction for anAE, NonceWrap, from an nAE scheme and a blockcipher. We prove NonceWrap secure. While anAE does not address privacy loss through traffic-flow analysis, it does ensure that ciphertexts, now more expansively construed, do not by themselves compromise privacy.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in ASIACRYPT 2019
Keywords
anonymous encryptionauthenticated encryptionnoncesprivacyprovable securitysymmetric encryption
Contact author(s)
rogaway @ cs ucdavis edu
History
2019-09-16: received
Short URL
https://ia.cr/2019/1033
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/1033,
      author = {John Chan and Phillip Rogaway},
      title = {Anonymous AE},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1033},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/1033}},
      url = {https://eprint.iacr.org/2019/1033}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.