This paper provides a comprehensive treatment of the security of authenticated encryption (AE) in the presence of key-dependent data, considering the four variants of the goal arising from the choice of universal-nonce or random-nonce security and the presence or absence of a header. We present attacks showing that universal-nonce security for key-dependent messages is impossible, as is security for key-dependent headers, not only ruling out security for three of the four variants but also showing that currently standardized and used schemes (all of which target universal-nonce security in the presence of headers) fail to provide security for key-dependent data. To complete the picture, we show that the final variant (random-nonce security in the presence of key-dependent messages but key-independent headers) is efficiently achievable. Rather than a single dedicated scheme, we present an RO-based transform, RHtE, that endows any AE scheme with this security, so that existing implementations may be easily upgraded to have the best possible security in the presence of key-dependent data. RHtE is cheap, software-friendly, and continues to provide security when the key is a password, a setting in which key-dependent data is particularly likely. We go on to give a key-dependent data treatment of the goal of misuse-resistant AE. Implementations are provided and show that RHtE has small overhead.