Paper 2023/590

Reconsidering Generic Composition: the modes A10, A11 and A12 are insecure

Francesco Berti, Bar-Ilan University, Ramat-Gan 529002, Israel
Abstract

Authenticated Encryption (AE) achieves privacy and authenticity with a single scheme. It is possible to obtain an AE scheme gluing together an encryption scheme (privacy secure) and a Message Authentication Code (authenticity secure). This approach is called generic composition and its security has been studied by Namprempre et al. [NRS14]. They looked into all the possible gluings of an encryption scheme with a secure MAC to obtain a nonce-based AE-scheme. The encryption scheme is either IV-based (that is, with an additional random input, the initialization vector [IV]) or nonce-based (with an input to be used once, the nonce). Nampremepre et al. assessed the security/insecurity of all possible composition combinations except for 4 (N4, A10, A11 and A12). Berti et al. [BPP18a] showed that N4 is insecure and that the remaining modes (A10, A11, and A12) are either all secure or insecure. Here, we prove that these modes are all insecure with a counterexample.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. ACISP2023
Keywords
AEgeneric compositionintegrity
Contact author(s)
francesco berti @ biu ac il
History
2023-04-28: approved
2023-04-25: received
See all versions
Short URL
https://ia.cr/2023/590
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/590,
      author = {Francesco Berti},
      title = {Reconsidering Generic Composition:  the modes A10, A11 and A12 are insecure},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/590},
      year = {2023},
      url = {https://eprint.iacr.org/2023/590}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.