## Authenticated-encryption with associated-data (2002)

Venue: | In Proc. 9th CCS |

Citations: | 37 - 11 self |

### BibTeX

@INPROCEEDINGS{Rogaway02authenticated-encryptionwith,

author = {Phillip Rogaway},

title = {Authenticated-encryption with associated-data},

booktitle = {In Proc. 9th CCS},

year = {2002},

pages = {98--107},

publisher = {ACM Press}

}

### Years of Citing Articles

### OpenURL

### Abstract

Keywords: Associated-data problem, authenticated-encryption, block-cipher usage, key separation, modes of operation, OCB.

### Citations

1226 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...1. The proceedings version of this paper appears as [21]. Remarks. (1) AE and AEAD schemes employ a nonce. They have to do this (or be stateful or probabilistic) in order to achieve semantic security =-=[11]-=-. It is the responsibility of the sender not to reuse any nonce. For this purpose the sender will need to maintain state (such as a counter) or use coins. The receiver can be stateless (replay-detecti... |

660 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1984
(Show Context)
Citation Context ...e larger of ffi = Pr[K $sK; (X1; X2; \Delta )sA : X1 6= X2 and FK (X1) \PhisFK (X2) = \Delta ] and ffl = Pr[K $sK; (X; C)sA : FK (X) = C]: Pseudorandom functions. Pseudorandom function originate with =-=[10]-=-; our treatment is a concrete-security one that follows [2]. Let F : K \ThetasX ! f0; 1g o/ be a function family. Let Rand(X ; o/ ) be the set of all functions from X to f0; 1g o/ . Define Adv prf F (... |

370 | A concrete security treatment of symmetric encryption
- Bellare, Desai, et al.
- 1997
(Show Context)
Citation Context ... responses. Adversaries for AE and AEAD schemes are always assumed to be nonce-respecting. We write an oracle as superscript to the adversary that uses it. AE-schemes. We follow [22] (which builds on =-=[1, 4, 11]-=-) in defining nonce-using authenticatedencryption schemes and their security. An authenticated-encryption scheme (an AE-scheme), or simply an encryption scheme, is a three-tuple \Pis= (K; E; D). Assoc... |

234 | Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. Asiacrypt 2000
- Bellare, Namprempre
(Show Context)
Citation Context ...ted-encryption with associated-data (AEAD). The generic composition approach. In the past, protocol designers addressed AEAD using the generic composition paradigm (as first named and investigated by =-=[3]-=-), where one glues together a (privacy-only) encryption scheme and a message authentication code (MAC). One might, for example, encrypt a string M , prepend a header H, and then MAC the resulting stri... |

208 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
(Show Context)
Citation Context ...C[&] 0\Lambdas\PhisY [&] for is2 to h \Gammas1 do Y [i]sg(5; N; i; H[i]) if jHj ! n then \Deltasg(6; N; i; pad(H)) else if H = n then \Deltasg(7; N; i; H) else if jH&j ! n then \Deltasg(8; H[1]; i; Y =-=[2]-=- \Phis\Deltas\Deltas\Deltas\PhisY [h \Gammas1] \Phispad(H[h]) else if jHM j = n then \Deltasg(9; H[1]; i; Y [2] \Phis\Deltas\Deltas\Deltas\PhisY [h \Gammas1] \PhisH[h]) Tag \Lambdasg(1; N; &; Checksum... |

150 | OCB: A block-cipher mode of operation for efficient authenticated encryption
- Rogaway, Ballare, et al.
- 2001
(Show Context)
Citation Context ... was the development of techniques that provide privacy+authenticity without using the generic composition paradigm. Beginning with Jutla [15] and continuing with Gligor et al. [9] and Rogaway et al. =-=[22]-=- there emerged new block-cipher modes that entwined privacy and authenticity in a single, compact mode. Such "integrated" authenticated-encryption (AE) schemes promised improved efficiency compared to... |

134 |
LFSR-based Hashing and Authentication
- Krawczyk
- 1994
(Show Context)
Citation Context ... an associated distribution and X ` f0; 1g \Lambdas. We assume that X has a linear-time membership test. We use a variant of the property called almost-xor-universal (AXU), which was first defined by =-=[19]-=-. For consistency with other notions we define xor-universality as a kind of adversarial advantage. For F : K \ThetasX ! f0; 1g o/ a function family and A an adversary, let Adv axu F (A) be the larger... |

110 | Encryption modes with almost free message integrity
- Jutla
- 2001
(Show Context)
Citation Context ...ut the recognition of AEAD as a distinct cryptographic problem was the development of techniques that provide privacy+authenticity without using the generic composition paradigm. Beginning with Jutla =-=[15]-=- and continuing with Gligor et al. [9] and Rogaway et al. [22] there emerged new block-cipher modes that entwined privacy and authenticity in a single, compact mode. Such "integrated" authenticated-en... |

91 | How to protect DES against exhaustive key search - Kilian, Rogaway - 1996 |

66 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient encryption - Bellare, Rogaway - 1976 |

64 | Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes
- Gligor, Donescu
- 2002
(Show Context)
Citation Context ...t cryptographic problem was the development of techniques that provide privacy+authenticity without using the generic composition paradigm. Beginning with Jutla [15] and continuing with Gligor et al. =-=[9]-=- and Rogaway et al. [22] there emerged new block-cipher modes that entwined privacy and authenticity in a single, compact mode. Such "integrated" authenticated-encryption (AE) schemes promised improve... |

63 | A Block-Cipher Mode of Operation for Parallelizable Message Authentication
- Black, Rogaway
- 2002
(Show Context)
Citation Context ... .E N;H K (M ) the message M is OCB-encrypted under key K to get C = C k T = E NK (M ) where C is the "ciphertext core" and T is a o/ -bit "tag"; associated-data H, if nonempty, is PMAC-authenticated =-=[5]-=- under the same key to yield a o/ -bit result \Deltas= PMACK(H) (set \Deltas= 0o/ if H = "); and the O .CB-ciphertext is .EN;H K (M ) = C k(T \Phi \Delta ). We favor this OCB-extension because it is s... |

29 |
private communication
- Walker, DESY
(Show Context)
Citation Context ...dversarial success generalizes the notion of authenticity of ciphertexts [4, 17]. Second, we describe two ways to turn an AE-scheme into an AEAD-scheme. One method, suggested by Cam-Winget and Walker =-=[6]-=-, we call nonce stealing. The method is simple and useful, but somewhat limited in its applicability as, in practice, the associated-data H can only be a few bytes. A less restrictive approach, cipher... |

22 | Universal Padding Schemes For RSA
- Coron, Joye, et al.
- 2002
(Show Context)
Citation Context ...the CBC-MAC. A proof is offered by [14]. Somewhat further afield, recent work that considers circumstances under which a key may be safely reused across two different cryptographic mechanisms include =-=[8, 12]-=-. An early version of the current paper was provided to NIST and has been on their web site since Nov '01. The proceedings version of this paper appears as [21]. Remarks. (1) AE and AEAD schemes emplo... |

18 | Combining Public Key Cryptosystems
- Haber, Pinkas
- 2001
(Show Context)
Citation Context ...the CBC-MAC. A proof is offered by [14]. Somewhat further afield, recent work that considers circumstances under which a key may be safely reused across two different cryptographic mechanisms include =-=[8, 12]-=-. An early version of the current paper was provided to NIST and has been on their web site since Nov '01. The proceedings version of this paper appears as [21]. Remarks. (1) AE and AEAD schemes emplo... |

8 |
On the Security of CTR
- Jonsson
- 2002
(Show Context)
Citation Context ...ks for authenticated-encryption schemes beyond IAPM. A proposal by Whiting, Housley and Ferguson [23] constructs an AEAD-scheme that entails CTR mode encryption and the CBC-MAC. A proof is offered by =-=[14]-=-. Somewhat further afield, recent work that considers circumstances under which a key may be safely reused across two different cryptographic mechanisms include [8, 12]. An early version of the curren... |

7 | Counter with CBC-MAC (CCM). Submission to NIST. Available at http://csrc.nist.gov/CryptoToolkit/modes - Whiting, Housley, et al. - 2002 |

3 | A mode of operation with partial encryption and message integrity (PEMI
- Hawkes, Rose
- 2002
(Show Context)
Citation Context ... needed to bind to a ciphertext some cleartext data, such as an IP address. People wanted a cheap and secure way to do this when using an AE-mode such as OCB. Additional related work. Hawkes and Rose =-=[13]-=- propose a way to modify Jutla's IAPM mode [15] in order to create an AEAD-scheme. They claim a security proof and that their method works for authenticated-encryption schemes beyond IAPM. A proposal ... |

2 |
Unforgeable encryption and adaptively secure modes of operation
- Kaliski
- 2001
(Show Context)
Citation Context ...prising, because we start from somewhat different tools. Origin of the problem. The need to handle associated-data when using an integrated AE mode was first pointed out to the author by Burt Kaliski =-=[16]-=-. Several more individuals soon communicated the same sentiment. Those attuned to this problem were involved in standardization efforts that needed to bind to a ciphertext some cleartext data, such as... |

1 |
Personal communications, Aug 2001. [21] P. Rogaway. Authenticated-encryption with associated-data
- Rivest
(Show Context)
Citation Context ...g, let the nonce be N = 0, and let the message that one wants to MAC be the associated-data H. This addresses a question posed by Rivest, who asked if OCB can be used in some simple way to give a MAC =-=[20]-=-. (Note that trying to use OCB [22] or IAPM [15] as a MAC by sending only the tag block does not work.) When building an AEAD-scheme based on an AE-scheme like those in [15, 22] a more significant adv... |