The security of the cipher block chaining message authentication code
Journal of Computer and System Sciences
Authenticated-encryption with associated-data
Proceedings of the 9th ACM conference on Computer and communications security
SIAM Journal on Computing
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Keying Hash Functions for Message Authentication
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Relations Among Notions of Security for Public-Key Encryption Schemes
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels
EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS ...
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Indistinguishability of Random Systems
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Universally Composable Notions of Key Exchange and Secure Channels
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation
FSE '00 Proceedings of the 7th International Workshop on Fast Software Encryption
A Concrete Security Treatment of Symmetric Encryption
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
Practical Cryptography
Universally Composable Security: A New Paradigm for Cryptographic Protocols
FOCS '01 Proceedings of the 42nd IEEE symposium on Foundations of Computer Science
A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
OCB: A block-cipher mode of operation for efficient authenticated encryption
ACM Transactions on Information and System Security (TISSEC)
Indistinguishability amplification
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Constructive cryptography – a primer
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Tag size does matter: attacks and proofs for the TLS record protocol
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Constructive cryptography --- a new paradigm for security definitions and proofs
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
Confidentiality and integrity: a constructive perspective
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Hi-index | 0.00 |
A communication channel from an honest sender A to an honest receiver B can be described as a system with three interfaces labeled A, B, and E (the adversary), respectively, where the security properties of the channel are characterized by the capabilities provided at the E-interface. A security mechanism, such as encryption or a message authentication code (MAC), can be seen as the transformation of a certain type of channel into a stronger type of channel, where the term "transformation" refers to a natural simulation-based definition. For example, the main purpose of a MAC can be regarded as transforming an insecure into an authenticated channel, and encryption then corresponds to transforming an authenticated into a fully secure channel; this is the well-known Encrypt-then-Authenticate (EtA) paradigm. In the dual paradigm, Authenticate-then-Encrypt (AtE), encryption first transforms an insecure into a confidential channel, and a MAC transforms this into a secure channel. As pointed out by Bellare and Namprempre, and Krawczyk, there are encryption schemes for which AtE does not achieve the expected guarantees. We highlight two reasons for investigating nevertheless AtE as a general paradigm: First, this calls for a definition of confidentiality; what separates a confidential from a secure channel is its (potential) malleability. We propose the first systematic analysis of malleability for symmetric encryption, which, in particular, allows us to state a generic condition on encryption schemes to be sufficient for AtE. Second, AtE is used in practice, for example in TLS. We show that the schemes used in TLS (stream ciphers and CBC encryption) satisfy the condition. This is consistent with Krawczyk's results on similar instantiations of AtE in game-based models.