Paper 2023/590
Reconsidering Generic Composition: the modes A10, A11 and A12 are insecure
Abstract
Authenticated Encryption (AE) achieves privacy and authenticity with a single scheme. It is possible to obtain an AE scheme gluing together an encryption scheme (privacy secure) and a Message Authentication Code (authenticity secure). This approach is called generic composition and its security has been studied by Namprempre et al. [NRS14]. They looked into all the possible gluings of an encryption scheme with a secure MAC to obtain a nonce-based AE-scheme. The encryption scheme is either IV-based (that is, with an additional random input, the initialization vector [IV]) or nonce-based (with an input to be used once, the nonce). Nampremepre et al. assessed the security/insecurity of all possible composition combinations except for 4 (N4, A10, A11 and A12). Berti et al. [BPP18a] showed that N4 is insecure and that the remaining modes (A10, A11, and A12) are either all secure or insecure. Here, we prove that these modes are all insecure with a counterexample.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. ACISP2023
- Keywords
- AEgeneric compositionintegrity
- Contact author(s)
- francesco berti @ biu ac il
- History
- 2023-04-28: approved
- 2023-04-25: received
- See all versions
- Short URL
- https://ia.cr/2023/590
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/590, author = {Francesco Berti}, title = {Reconsidering Generic Composition: the modes A10, A11 and A12 are insecure}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/590}, year = {2023}, url = {https://eprint.iacr.org/2023/590} }