Hubbry Logo
Authenticated encryptionAuthenticated encryptionMain
Open search
Authenticated encryption
Community hub
Authenticated encryption
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Authenticated encryption
Authenticated encryption
Authenticated encryption
View on Wikipedia
from Wikipedia

Authenticated encryption (AE) is any encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in other words, it is unforgeable: the encrypted message includes an authentication tag that the sender can calculate only while possessing the secret key[1]). Examples of encryption modes that provide AE are GCM, CCM.[1]

Many (but not all) AE schemes allow the message to contain "associated data" (AD) which is not made confidential, but is integrity protected (i.e., readable, but tamperevident). A typical example is the header of a network packet that contains its destination address. To properly route the packet, all intermediate nodes in the message path need to know the destination, but for security reasons they cannot possess the secret key.[2] Schemes that allow associated data provide authenticated encryption with associated data, or AEAD.

History

[edit]

The need for authenticated encryption emerged from the observation that securely combining separate confidentiality and authentication block cipher operation modes could be error prone and difficult.[3][4] This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication.[5]

Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in possibly secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable, IAPM, modes[6] in 2000 (see OCB and chronology[7]). Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009.[8] More authenticated encryption methods were developed in response to NIST solicitation.[9] Sponge functions can be used in duplex mode to provide authenticated encryption.[10]

Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimum required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks.[11]

In 2013, the CAESAR competition was announced to encourage design of authenticated encryption modes.[12]

In 2015, ChaCha20-Poly1305 is added as an alternative AE construction to GCM in IETF protocols.

Variants

[edit]

Authenticated encryption with associated data

[edit]

Authenticated encryption with associated data (AEAD) is a variant of AE that allows the message to include "associated data" (AD, additional non-confidential information, a.k.a. "additional authenticated data", AAD). A recipient can check the integrity of both the associated data and the confidential information in a message. AD is useful, for example, in network packets where the header should be visible for routing, but the payload needs to be confidential, and both need integrity and authenticity. The notion of AEAD was formalized by Rogaway (2002).[2]

Key-committing AEAD

[edit]

AE was originally designed primarily to provide the ciphertext integrity: successful validation of an authentication tag by Alice using her symmetric key KA indicates that the message was not tampered with by an adversary Mallory that does not possess the KA. The AE schemes usually do not provide the key commitment, a guarantee that the decryption would fail for any other key.[13] As of 2021, most existing AE schemes (including the very popular GCM) allow some messages to be decrypted without an error using more than just the (correct) KA; while the plaintext decrypted using a second (wrong) key KM will be incorrect, the authentication tag would still match the new plaintext.[14] Since crafting a message with such property requires Mallory to already possess both KA and KM, the issue might appear to be one of a purely academic interest.[15] However, under special circumstances, practical attacks can be mounted against vulnerable implementations. For example, if an identity authentication protocol is based on successful decryption of a message that uses a password-based key, Mallory's ability to craft a single message that would be successfully decrypted using 1000 different keys associated with weak, and thus known to her, potential passwords, can speed up her search for passwords by a factor of almost 1000. For this dictionary attack to succeed, Mallory also needs an ability to distinguish successful decryption by Alice from an unsuccessful one, due, for example, to a poor protocol design or implementation turning Alice's side into an oracle. Naturally, this attack cannot be mounted at all when the keys are generated randomly.[16]

Key commitment was originally studied in the 2010s by Abdalla et al.[17] and Farshim et al.[18] under the name "robust encryption".[15][19]

To mitigate the attack described above without removing the "oracle", a key-committing AEAD that does not allow this type of crafted messages to exist can be used. AEGIS is an example of fast (if the AES instruction set is present), key-committing AEAD.[20] It is possible to add key-commitment to an existing AEAD scheme.[21][22]

Misuse-resistant authenticated encryption

[edit]

Misuse-resistant authenticated encryption (MRAE) has the additional property that reusing the same nonce for several messages does not allow an attacker to recover the plaintext. MRAE was formalized in 2006 by Phillip Rogaway and Thomas Shrimpton.[23] One example of a MRAE algorithm is AES-GCM-SIV.

Approaches to authenticated encryption

[edit]

Encrypt-then-MAC (EtM)

[edit]
EtM approach

The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. ETM is the standard method according to ISO/IEC 19772:2009.[8] It is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable".[24]

IPSec adopted EtM in 2005.[25] In November 2014, TLS and DTLS received extensions for EtM with RFC 7366. Various EtM ciphersuites exist for SSHv2 as well (e.g., hmac-sha1-etm@openssh.com).

Encrypt-and-MAC (E&M)

[edit]
E&M approach

A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, e.g., SSH.[26] Even though the E&M approach has not been proved to be strongly unforgeable in itself,[24] it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.[27]

MAC-then-Encrypt (MtE)

[edit]
MtE approach

A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Until TLS 1.2, all available SSL/TLS cipher suites were MtE.[28]

MtE has not been proven to be strongly unforgeable in itself.[24] The SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism.[29] However, Krawczyk's proof contains flawed assumptions about the randomness of the initialization vector (IV). The 2011 BEAST attack exploited the non-random chained IV and broke all CBC algorithms in TLS 1.0 and under.[30]

In addition, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in the detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.

See also

[edit]

References

[edit]

Sources

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Authenticated encryption

View on Grokipedia
from Grokipedia
Authenticated encryption (AE) is a cryptographic technique that provides both and for , ensuring that the encrypted cannot be tampered with or forged without detection. A common form is authenticated encryption with associated (AEAD), in which the encryption process generates a and an tag using a key and a unique nonce, while also allowing optional associated —such as headers or metadata—to be authenticated without encryption. This dual protection addresses vulnerabilities in traditional encryption modes that only ensure but not authenticity, preventing attacks like chosen-ciphertext manipulations. The security of authenticated encryption is formally defined by combining indistinguishability under (IND-CPA) for —where an adversary learns nothing about the beyond its length—and of (INT-CTXT), where forging a valid ciphertext is computationally infeasible. AEAD modes typically operate on symmetric block ciphers like AES and require a nonce that must be unique per encryption to avoid key reuse vulnerabilities. Prominent standardized AEAD algorithms include AES in Galois/Counter Mode (GCM), which uses counter mode for and a Galois field multiplier for , producing tags of variable lengths from 32 to 128 bits; AES in Counter with CBC-MAC (CCM); and ChaCha20 with Poly1305. These modes are designed for efficiency, supporting parallel processing and online data handling without needing the full length in advance. Authenticated encryption is integral to modern secure protocols, including (TLS) via cipher suites like AES-GCM, where it protects and . In IPsec's Encapsulating Security Payload (ESP), AEAD modes such as AES-GCM provide end-to-end security for VPNs and network communications, often preferred for their performance and support. These applications highlight AE's role in mitigating real-world threats, with standards from NIST and the IETF ensuring and robustness across implementations.

Fundamentals

Definition and Motivation

Authenticated encryption (AE) is a symmetric-key designed to provide both of the and authenticity of the , ensuring that the remains private and untampered during transmission or storage. It operates as a mode of operation typically built upon block ciphers or other underlying primitives, transforming a message into a alongside an authentication tag that verifies the integrity and origin of the encrypted . This dual protection prevents adversaries from both on the content and forging or modifying messages without detection. The primary motivation for AE stems from the vulnerabilities inherent in using and message codes (MACs) separately, such as in modes like CBC for combined with for , which can lead to security flaws if the composition is not performed correctly. For instance, improper ordering in generic compositions—like encrypt-then-MAC or MAC-then-encrypt—may fail to achieve strong security notions, exposing systems to attacks such as chosen-ciphertext attacks or oracle exploits where side-channel information from validation leaks details. By integrating and into a single, provably secure mechanism, AE simplifies implementation, reduces the risk of composition errors, and minimizes the , making it a preferred choice for secure protocol design. At a high level, AE schemes involve key components including a secret key for cryptographic operations, a nonce or initialization vector (IV) to ensure uniqueness across encryptions, the plaintext to be protected, and optionally associated data (AD) that is authenticated but not encrypted. The encryption process generates a ciphertext from the plaintext using the key and nonce, along with an authentication tag derived from the ciphertext, plaintext, and any AD. During decryption, the receiver first verifies the tag against the provided ciphertext and AD using the shared key; only if the tag is valid is the plaintext recovered and released, thereby enforcing both security properties.

Security Requirements

Authenticated encryption (AE) schemes must satisfy stringent privacy and authenticity requirements to protect against adversaries in realistic threat models. The privacy requirement is formalized as indistinguishability under chosen-plaintext attack (IND-CPA), ensuring that an adversary cannot distinguish between the ciphertexts of two chosen plaintexts of equal length, even after querying an encryption oracle. This builds the foundation for confidentiality, and when combined with authenticity, provides security against chosen-ciphertext attacks equivalent to indistinguishability under chosen-ciphertext attack (IND-CCA). Complementing privacy, the authenticity requirement is captured by against (INT-PTXT), which guarantees that an adversary cannot forge a valid (, tag) pair that decrypts to a legitimate with more than negligible probability, even after adaptively querying an . Under this game-based definition, the adversary's success probability in producing such a —distinct from previously queried encryptions—must be bounded by a in the . A related but stronger notion, of ciphertexts (INT-CTXT), prevents of any tag that verifies under the scheme, implying INT-PTXT; however, INT-PTXT is the minimal standard for AE as it directly ties authenticity to recovery. AE is deemed secure when it simultaneously achieves IND-CPA for and INT-PTXT for authenticity, providing comprehensive protection against both passive and active tampering. This combination ensures resistance to chosen-ciphertext attacks, as invalid ciphertexts are rejected by the mechanism without revealing information. Such dual satisfaction ensures that AE schemes resist a broad class of adversaries modeled in the standard multi-user setting with left-or-right queries. For schemes supporting associated data (AD), such as authenticated encryption with associated data (AEAD), security notions extend to ensure both and authenticity for the AD alongside the . requires that the AD remains indistinguishable in influence on the , preventing leakage or manipulation that could reveal information about it, while authenticity mandates that any forgery attempt altering the AD results in invalidation upon decryption. Thus, the adversary cannot produce a valid (nonce, header, ) for unqueried AD without negligible success, preserving the binding between AD and the encrypted . These security guarantees are typically proven via reductions to the underlying , such as pseudorandom permutations or strongly unforgeable MACs, with the adversary's advantage in breaking bounded by terms like q/nq / n, where qq represents the number of queries and nn the size of the key or nonce space, ensuring concrete security that degrades predictably with usage. For instance, in generic compositions like encrypt-then-MAC, the overall IND-CCA advantage is at most twice the MAC's probability plus the encryption's IND-CPA loss, maintaining tightness without excessive security inflation. Such reductions confirm that inherits robustness from its components, with probabilities often further tightened to σ2/2τ\sigma^2 / 2^\tau for σ\sigma messages and tag length τ\tau.

Historical Development

Origins

The concept of authenticated encryption emerged from foundational work in the on secure symmetric , including definitions of for schemes and for message authentication codes (MACs). Researchers established notions such as indistinguishability under chosen-plaintext attacks (IND-CPA) for and existential unforgeability under chosen-message attacks for authenticity, laying the groundwork for combining these properties. The formal notion of authenticated encryption, providing both privacy and integrity in a single symmetric scheme, was independently introduced in 2000. Mihir Bellare and Chanathip Namprempre defined multiple security models for authenticated encryption and analyzed generic composition methods to achieve them securely. Concurrently, and Moti Yung formalized "unforgeable encryption," proving that it implies chosen-ciphertext security while enabling efficient block-cipher-based constructions with minimal overhead, such as approximately 1.33 block encryptions per block of data plus two additional calls. A key contribution from Bellare and Namprempre was the introduction and of generic composition paradigms, including Encrypt-then-MAC (EtM), where a message is encrypted and then a MAC is computed over the ciphertext to ensure both and authenticity. Katz and Yung further emphasized efficiency, showing how to build such schemes from standard without excessive computational cost, addressing the practical limitations of separate and . Initial motivations for authenticated encryption stemmed from the recognition that real-world protocols often required integrated and to avoid composition pitfalls, such as those seen in early unauthenticated ciphers, and to support emerging applications like secure wireless communications. Early concrete proposals for authenticated encryption include , proposed by Phillip Rogaway in 2001, which provides parallelizable authenticated encryption using a . Another early proposal was the CCM (Counter with ) mode in 2002, developed by Doug Whiting, Russell Housley, and Niels Ferguson, which combines counter-mode encryption for privacy with for authentication on associated data and payloads; its security was rigorously proven by Jakob Jonsson, establishing birthday-bound privacy and authenticity.

Standardization Efforts

Standardization efforts for authenticated encryption (AE) began in the early 2000s with initiatives aimed at evaluating and recommending secure modes of operation. The New European Schemes for Signatures, Integrity, and Encryption (NESSIE) project, which ran from 2000 to 2003, issued a call for submissions of cryptographic algorithms, including those providing data confidentiality and authentication, leading to evaluations of early AE proposals alongside block ciphers and other primitives. The U.S. National Institute of Standards and Technology (NIST) played a pivotal role through its Special Publication (SP) 800-38 series, which provides recommendations for block cipher modes of operation suitable for federal use. Starting with SP 800-38A in 2001 for basic confidentiality modes, the series expanded to include AE modes, such as the Counter with CBC-MAC (CCM) mode in SP 800-38C published in 2004. NIST further approved the Galois/Counter Mode (GCM) in SP 800-38D in 2007, establishing it as a standard for authenticated encryption with associated data (AEAD) in government systems. The (IETF) advanced AE integration into network protocols, particularly through RFC 5116 in 2008, which defined a uniform interface and algorithms for AEAD to facilitate their use in protocols like and TLS. Building on this, TLS 1.3, specified in RFC 8446 in 2018, mandates the use of AEAD algorithms for record protection, deprecating legacy modes that lack such as CBC without explicit checks. Internationally, the ISO/IEC 19772 standard, first published in 2009, specifies methods for , outlining six mechanisms to achieve and objectives for data processing. More recent efforts include the Crypto Forum Research Group (CFRG) draft specification for the family of algorithms, with versions circulating since 2023, recommending AEGIS-128L, AEGIS-256, and variants for high-performance applications. In response to identified vulnerabilities like multi-key attacks, discussions in emphasized key-committing for AEAD schemes, prompting additions and recommendations to ensure that ciphertexts bind uniquely to keys, as explored in subsequent analyses of schemes like and others. These updates also consider adaptations for post-quantum contexts, with NIST workshops in 2023 proposing further of robust AE modes compatible with emerging quantum-resistant algorithms.

Security Properties

Confidentiality Assurance

Authenticated encryption (AE) ensures confidentiality by employing underlying symmetric encryption primitives that mask the , rendering it indistinguishable from random data to unauthorized parties. Typically, this is achieved through pseudorandom permutations, such as those in modes like CBC, or pseudorandom streams generated in counter (CTR) mode, where the is XORed with a keystream derived from the applied to incremented counter blocks initialized with a secret key. This mechanism provides , meaning that the reveals no about the beyond its length, even under chosen-plaintext attacks (IND-CPA), as the behaves like a probabilistic mapping to uniformly random strings. In the adversarial model, AE protects confidentiality against chosen-ciphertext attacks (CCA), where an active adversary can submit ciphertexts for decryption but receives no useful information from valid ones due to the scheme's authentication properties, which reject invalid inputs without leaking details. This IND-CCA security builds on the indistinguishability notion, ensuring that the adversary's advantage in distinguishing encryptions of two plaintexts remains negligible, even with adaptive queries. The role of the nonce (or initialization vector) is crucial for maintaining this security: it provides freshness by ensuring each encryption uses a unique value, preventing nonce reuse that could otherwise allow adversaries to XOR ciphertexts and recover plaintext differences through linear dependencies in the keystream. Formally, the confidentiality guarantee holds that the statistical distance between the distribution of ciphertexts encrypting a plaintext and random strings of the same length is negligible in the security parameter, typically bounded by the square of the total number of blocks encrypted divided by twice the block size (e.g., Adv ≤ σ²/2ⁿ for nonce-based schemes). This bound ensures that for practical key and nonce lengths, such as 128-bit blocks and 96-bit nonces, the probability of information leakage remains computationally infeasible.

Integrity and Authenticity

In authenticated encryption (AE), is ensured through the generation of an authentication tag, which is computed over the and any associated data using a (MAC)-like function. This tag detects unauthorized modifications to the encrypted message, as any alteration to the or associated data will result in a mismatch during verification. For instance, in the encrypt-then-MAC (EtM) , the is first encrypted to produce the CC, and then the tag τ\tau is derived as τ=T(Km,C)\tau = T(K_m, C), where TT is a strongly unforgeable MAC under chosen-message attacks (SUF-CMA) and KmK_m is the MAC key. A common implementation involves polynomial hash functions, such as the GHASH in Galois/Counter Mode (GCM), which iteratively multiplies input blocks by a hash subkey HH in the finite field GF(2128)\mathrm{GF}(2^{128}) to produce a value sensitive to bit flips or rearrangements. Forgery resistance in AE schemes arises from the cryptographic strength of the underlying MAC, which rejects invalid tags with overwhelming probability, typically 2t2^{-t} for a tag of length tt bits under random guessing, or bounded by the number of processed blocks divided by 2t2^t for targeted attacks. In SUF-CMA-secure constructions like EtM, an adversary cannot produce a new valid (ciphertext, tag) pair beyond those queried, limiting successful forgeries to negligible probabilities even after many interactions. This upholds of ciphertexts (INT-CTXT), ensuring that modified transmissions are detected and discarded during decryption. Authenticity in AE is implicitly provided by the shared symmetric key, which only legitimate parties possess, allowing verification that the message originated from an authorized sender. Without knowledge of the key, an attacker cannot generate a valid tag, thereby preventing impersonation or substitution attacks. If keys are securely distributed and nonces are properly managed to avoid reuse, AE resists man-in-the-middle attacks by binding the tag to the specific ciphertext and associated data, making undetected interceptions infeasible. Authentication tags are typically fixed-length outputs, such as 128 bits in full-strength schemes, to balance and ; truncation to shorter lengths (e.g., 96 or 64 bits) reduces overhead but increases probability, necessitating usage limits like a maximum of 232t2^{32-t} messages to maintain bounds. For example, in GCM, tags are derived by encrypting the GHASH output and truncating to the desired length, with shorter tags advised only for low-risk applications.

Variants

Authenticated Encryption with Associated Data (AEAD)

Authenticated encryption with associated data (AEAD) extends standard authenticated encryption by incorporating integrity protection for additional unencrypted , referred to as associated data. In an AEAD scheme, the encryption takes a secret key KK, a nonce NN, PP, and associated data AA, outputting CC and authentication tag TT. The corresponding decryption inputs KK, NN, CC, TT, and AA, verifying the tag and recovering PP if valid, or rejecting otherwise. This allows protocols to authenticate metadata, such as packet headers, alongside the encrypted without encrypting the metadata itself. The security of AEAD builds on authenticated encryption by extending confidentiality and integrity guarantees to the associated data. Specifically, it achieves indistinguishability under (IND-CPA) for the encrypted , ensuring adversaries cannot distinguish ciphertexts from random strings even after adaptive queries, while also providing integrity against attacks (INT-PTXT) that covers both the and associated . Any modification to AA or PP will cause the tag TT to fail verification, preventing forgeries or tampering. These properties hold under nonce-respecting adversaries who do not repeat nonces. AEAD is particularly suited to network protocols where certain protocol fields require integrity protection but not confidentiality. For instance, in IPsec's Encapsulating Security Payload (ESP), AEAD encrypts the sensitive payload while treating packet headers as associated data to ensure their authenticity without encryption, thereby securing communications in VPNs and site-to-site tunnels. This approach reduces overhead compared to separate encryption and authentication mechanisms. A generic construction for AEAD combines a nonce-based scheme with a pseudorandom function (PRF) acting as a MAC. One such method encrypts PP to CC using the scheme, then computes TT as the PRF output on concatenated with CC and AA, yielding the full output (C,T)(C, T). This construction provably achieves AEAD security if the underlying components are secure.

Key-Committing AEAD

Key-committing with associated data (AEAD) is a of standard AEAD that ensures a and its tag are uniquely bound to the key, preventing the same from being valid under multiple distinct keys. This holds even if an adversary can manipulate nonces or messages, as the scheme incorporates a key-dependent commitment that makes key recovery computationally infeasible from the alone. In essence, it transforms a non-committing AEAD into one where the key is "committed" via a pseudorandom function or similar mechanism, such as deriving a commitment string from the key to bind the outputs. The motivation for key-committing AEAD arises from vulnerabilities in non-committing schemes like AES-GCM, where partitioning oracle attacks can exploit the ability of a single ciphertext-tag pair to authenticate under multiple keys, enabling efficient key or password recovery in offline scenarios. For instance, in , researchers demonstrated adaptive chosen-ciphertext attacks against AES-GCM implementations, such as in proxies, recovering passwords with as few as 21,503 oracle queries for 70% success rate by partitioning the key space and testing multi-collisions. These attacks highlight the risks in multi-user or multi-key environments, where non-committing AEADs fail to provide robust binding, prompting the development of committing variants to enhance security against such offline key-extraction threats. The core security notion is key-indistinguishability under commitment, formalized through games where an adversary attempts to find a ciphertext-tag valid under two distinct keys (e.g., both honest, one revealed, or both corrupted), with the scheme secure if the advantage remains negligible. This relies on the of the commitment mechanism, ensuring that key-dependent tags or derivations uniquely identify the key without revealing it, thus providing stronger misattribution resistance than standard AEAD privacy and authenticity. Fully committing schemes extend this to all inputs (key, nonce, associated data, message), but key commitment specifically targets key binding. A prominent example is the family of AEAD modes, proposed in 2013 as part of the CAESAR competition and advanced in a 2023 CFRG draft for standardization, which achieves key commitment through its stream-cipher-like design using AES rounds to generate key-dependent states for both and . variants, such as AEGIS-256, serve as high-performance alternatives to non-committing schemes like GCM, offering resistance to the aforementioned attacks while maintaining efficiency on modern hardware.

Misuse-Resistant AEAD

Misuse-resistant authenticated encryption with associated data (AEAD) refers to variants of AEAD schemes that provide and authenticity even in the face of certain implementation errors, such as the reuse of nonces or brief key . Unlike standard nonce-based AEAD, which can suffer catastrophic security degradation—including full recovery or efficient forgeries—when nonces repeat under the same key, misuse-resistant schemes ensure that security bounds remain meaningful, albeit potentially degraded, under such misuse. These schemes are particularly valuable in scenarios where nonce management is error-prone, such as in distributed systems or long-lived sessions. The security of misuse-resistant AEAD is typically formalized through notions like indistinguishability under (IND-CCA) for and against plaintext attacks (INT-PTXT) for authenticity, extended to nonce-misusing adversaries. Under nonce , these schemes maintain non-zero security, often degrading to revealing only whether ciphertexts encrypt identical (for privacy) or preventing forgeries beyond a quadratic bound in the number of repeated nonces. For rate-1 constructions, which achieve near-optimal (one call per message block asymptotically), the security loss is bounded by terms like Q^2 / 2^{n/2}, where Q is the number of encryptions and n the block size, ensuring practical protection against accidental misuse. Key constructions include deterministic AEAD modes, which eliminate the nonce entirely by deriving a synthetic (SIV) from the header and full , as in the SIV mode introduced in 2007. SIV uses a pseudorandom function to compute the SIV over the inputs and then encrypts via counter mode, providing IND-CPA privacy and INT-PTXT with advantage σ^2 / 2^n, where σ is the total blocks processed. Another approach is nonce-misuse-resistant AEAD like COPA (2013), an online and parallelizable scheme that extends offset-based encryption with , achieving birthday-bound (n/2 bits) even under nonce repetition by incorporating message-dependent tweaks. More recent examples include AES-GCM-SIV (2017), which adapts GCM for misuse resistance through key-derived counters and multiplication-based , bounding losses to 3Q^2 / 2^{96} under up to 2^{64} unique . These schemes often trade efficiency for robustness, requiring full-message during IV or tweak computation, which can double the number of calls compared to standard AEAD like AES-GCM. For instance, processes the entire message twice (once for SIV generation, once for ), leading to roughly 2 cycles per byte overhead on modern hardware, while AES-GCM- incurs about 1.04 cycles per byte for versus 0.68 for non-misuse-resistant GCM. Despite this, their deployment in standards like RFC 8452 justifies the cost for high-assurance applications.

Constructions

Encrypt-then-MAC (EtM)

Encrypt-then-MAC (EtM) is a generic construction for that combines a symmetric scheme with a (MAC) by first encrypting the and then authenticating the resulting , optionally along with associated . Given a PP, nonce NN, encryption key KK, MAC key KK', and associated AA, the process computes the as C=\Enc(K,P,N)C = \Enc(K, P, N) and the authentication tag as T=\MAC(K,CA)T = \MAC(K', C \parallel A), producing the final output (C,T)(C, T). This approach ensures that any tampering with the invalidates the tag without requiring decryption of the full message. The security of EtM relies on the properties of its components: it achieves indistinguishability under (IND-CCA) and ciphertext integrity (INT-CTXT) provided the underlying scheme is IND-CPA secure and the MAC is strongly existentially unforgeable under chosen-message attack (sEUF-CMA). Specifically, the advantage of an adversary breaking IND-CCA in EtM is at most the IND-CPA advantage of the plus the sEUF-CMA advantage of the MAC, while the INT-CTXT advantage is at most the sEUF-CMA advantage of the MAC. These bounds, established through hybrid arguments, demonstrate that EtM fully realizes the strongest privacy and integrity notions for generic compositions. EtM offers several practical benefits, including simplicity in design and implementation, as it separates and clearly while using independent keys for each. It is parallelizable in scenarios where the and MAC computations support concurrent processing, such as with ciphers or polynomial-based MACs. Due to its robust guarantees across all standard notions—unlike other compositions that may fail in certain cases—EtM is recommended for most authenticated encryption applications.

Encrypt-and-MAC (E&M)

In the Encrypt-and-MAC (E&M) paradigm, is applied to the prior to , integrating the (MAC) tag into the encrypted output. Specifically, given a PP, associated data AA, encryption key KK, and MAC key KK', the scheme first computes the tag T=MAC(K,PA)T = \text{MAC}(K', P \| A), then forms the ciphertext C=Enc(K,PT)C = \text{Enc}(K, P \| T), and outputs CC with the tag either implicit within the ciphertext or provided separately for verification. Upon decryption, the receiver recovers PTP' \| T' from CC, recomputes the MAC on PAP' \| A, and accepts only if it matches TT'; otherwise, it rejects the message. This approach aims to ensure both through and through the embedded MAC. Security analysis shows that E&M achieves plaintext integrity (INT-PTXT), providing authenticity against forgeries of valid plaintexts, assuming the underlying MAC is strongly unforgeable under chosen-message attacks (SUF-CMA) and the encryption is indistinguishable under chosen-plaintext attack (IND-CPA). However, it only guarantees IND-CPA privacy, as the construction does not protect against chosen-ciphertext attacks (CCA); the embedded MAC computation on the plaintext can potentially leak information about PP if the MAC is not perfectly hiding, though the encryption of the tag mitigates direct exposure. For full IND-CCA security or ciphertext integrity (INT-CTXT), E&M falls short, as adversaries can malleate the ciphertext to produce invalid but decryptable outputs without immediate detection during verification. A key drawback of E&M is its vulnerability to release-of-unverified plaintext (ROUP) attacks, where a decryption might return the recovered before verifying the MAC tag, allowing attackers to probe for information about manipulated ciphertexts. This design, which requires full decryption prior to , contrasts with paradigms that verify externally and thus exposes systems to padding or similar exploits if verification is not strictly enforced post-decryption. Overall, E&M is generally considered insecure for robust authenticated encryption due to these gaps and reliance on perfect to avoid partial disclosures. The flaws in E&M were rigorously analyzed in early work on generic composition paradigms for authenticated encryption, highlighting its limitations compared to more secure alternatives.

MAC-then-Encrypt (MtE)

In the MAC-then-Encrypt (MtE) composition, a message authentication code (MAC) is first computed on the PP and associated data AA, yielding a tag T=MAC(K,PA)T = \text{MAC}(K', P \parallel A), where KK' is the MAC key and \parallel denotes . This tag is then appended to the , and the combined value PTP \parallel T is encrypted using a symmetric encryption scheme Enc(K,)\text{Enc}(K, \cdot) with key KK, producing the ciphertext C=Enc(K,PT)C = \text{Enc}(K, P \parallel T), which serves as the sole output. The decryption process reverses this: it decrypts CC to recover PTP'\parallel T', verifies the MAC on PAP'\parallel A, and outputs PP' only if the tag is valid; otherwise, it rejects the ciphertext. Security analysis of MtE shows that it achieves indistinguishability under (IND-CPA) for and of plaintexts (INT-PTXT) when composed from an IND-CPA-secure scheme and a strongly unforgeable under chosen-message attack (SUF-CMA) MAC, with tight reduction bounds: the IND-CPA advantage is at most that of the underlying , and the INT-PTXT advantage is at most that of the MAC. If the scheme is instead IND-CCA-secure (indistinguishability under ) and the MAC is deterministic and SUF-CMA, MtE provides full IND-CCA security, as invalid MACs during decryption act as an additional check against malleability. However, standard MtE constructions using common IND-CPA modes (e.g., CBC or CTR) typically only guarantee IND-CPA and INT-PTXT , without IND-CCA or (INT-CTXT), due to vulnerabilities in the base . A key advantage of MtE is its compact output format, where the authentication tag is integrated into the ciphertext without requiring a separate field, reducing overhead in protocols with length constraints. This composition has been employed in Encapsulating Security Payload (ESP) configurations, where (via Authentication Header or ESP integrity) precedes to protect packet payloads efficiently. Limitations of MtE include potential padding mismatches when using block cipher modes like CBC, as the must accommodate the variable-length plus fixed-size tag, which can introduce alignment issues or expose if is not uniformly handled. Additionally, it is susceptible to chosen-ciphertext attacks that exploit decryption oracles, such as those leaking plaintext recovery through manipulated (e.g., in not covered by the MAC), enabling efficient breaches with as few as 2152^{15} queries for 128-bit block sizes.

Common Schemes

AES-GCM

AES-GCM ( in Galois/Counter Mode) is an authenticated with associated data (AEAD) scheme that provides both and authenticity for messages. Originally proposed by McGrew and in 2004, it was standardized by the National Institute of Standards and Technology (NIST) in Special Publication 800-38D in November 2007 as a mode of operation for the AES . AES-GCM employs AES in counter mode (CTR) for and the GHASH universal hash function for authentication, enabling efficient processing of , , and associated data while producing a short authentication tag. This construction follows the encrypt-then-MAC paradigm, where the MAC is computed over the and associated data. The encryption process in AES-GCM divides the plaintext PP into 128-bit blocks PiP_i, generating the corresponding ciphertext blocks CiC_i via counter mode: Ci=AESK(Ni)Pi,C_i = \text{AES}_K(N \mathbin\Vert i) \oplus P_i, where KK is the 128-, 192-, or 256-bit secret key, NN is the nonce, \mathbin\Vert denotes bit-string concatenation, and ii is the block counter starting from 1. The final ciphertext CC is the concatenation of all CiC_i, with any partial final block handled by XORing with the truncated counter output. The authentication tag TT is then derived from the associated data AA, the ciphertext CC, and their lengths: T=GHASHH(A0tC0slen(A)len(C))AESK(N0311),T = \text{GHASH}_{H}(A \mathbin\Vert 0^{t} \mathbin\Vert C \mathbin\Vert 0^{s} \mathbin\Vert \text{len}(A) \mathbin\Vert \text{len}(C)) \oplus \text{AES}_K(N \mathbin\Vert 0^{31} \mathbin\Vert 1), where HH is the hash subkey, 0t0^{t} and 0s0^{s} are bit strings of zeros padding AA and CC to multiples of 128 bits (with t,s128t, s \leq 128), and len()\text{len}(\cdot) encodes the bit lengths of AA and CC as 64-bit values. The sender appends TT (or a truncated version) to CC for transmission, and the receiver recomputes and verifies the tag using the same inputs. The GHASH function operates as a Cartesian product hash in the finite field F2128\mathbb{F}_{2^{128}}, defined by the irreducible polynomial X128+X7+X2+1X^{128} + X^7 + X^2 + 1. The hash subkey HH is computed as the first output block of the cipher under the all-zero input: H=AESK(0128)H = \text{AES}_K(0^{128}). GHASH processes an input bit string XX (padded to a multiple of 128 bits into mm blocks X1,,XmX_1, \dots, X_m) iteratively: GHASHH(X)=(i=1mXiHm+1i)mod(X128+X7+X2+1),\text{GHASH}_H(X) = \left( \bigoplus_{i=1}^m X_i H^{m+1-i} \right) \mod (X^{128} + X^7 + X^2 + 1), where multiplication and addition are in F2128\mathbb{F}_{2^{128}}, represented as 128-bit strings with the least significant bit as the lowest-degree term. This polynomial-based hashing provides provable security against forgery under chosen-plaintext attacks when the key is secret. AES-GCM uses the 128-bit AES block cipher and supports nonce lengths up to 2^{64}-2 bits, with a recommended fixed length of 96 bits (12 bytes) for simplicity and ; other lengths require additional processing via GHASH on the nonce. The authentication tag length can be 32, 64, 96, 104, 112, 120, or 128 bits, truncated from the full 128-bit computation by removing the most significant bits. Nonces must be unique per key usage to avoid degradation, and the scheme limits messages to less than 2^{39}-256 blocks (approximately 2^{32} * 128 bits) under the recommended nonce length. AES-GCM is designed for high performance, with both the CTR encryption and GHASH authentication operations being parallelizable across multiple blocks, allowing efficient on multi-core systems. It benefits from via the AES New Instructions (AES-NI) set introduced in Intel processors starting from 2010, which includes dedicated instructions for AES rounds and carry-less (PCLMULQDQ) for GHASH, achieving throughputs exceeding several gigabytes per second on modern CPUs.

ChaCha20-Poly1305

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) scheme that combines the ChaCha20 stream cipher for confidentiality and the Poly1305 one-time authenticator for integrity and authenticity. Standardized by the Internet Engineering Task Force (IETF) in RFC 7539 in 2015, it is designed for efficient software implementation across diverse platforms. The ChaCha20 component is a 20-round stream cipher developed by Daniel J. Bernstein in 2008 as an evolution of the Salsa20 design, relying on addition, rotation, and XOR (ARX) operations for its core quarter-round function. It generates a keystream from a 256-bit key, a nonce, and a 32-bit block counter, producing 64-byte blocks that are XORed with the plaintext to yield the ciphertext. Poly1305, introduced by in 2005, serves as the in this construction. It operates as a universal hash function over the prime field defined by the modulus p=21305p = 2^{130} - 5, using a 256-bit one-time key split into a 128-bit multiplier rr (with specific bits cleared for security) and a 128-bit additive constant ss. The tag is computed conceptually as the 128 least significant bits of (rP+s)modp(r \cdot P + s) \mod p, where PP represents the encoded input message interpreted in the prime field; its security relies on the assumption that the one-time key behaves as a pseudorandom function, providing resistance to with probability at most 21062^{-106} for messages up to 21262^{126} blocks under a single key. The scheme employs a 256-bit symmetric key and a 96-bit nonce (with support for 192-bit or 256-bit nonces in extended configurations via nonce derivation), producing a 128-bit tag. To generate the Poly1305 one-time key KK', the first 32 bytes of the 64-byte output from ChaCha20 invoked with the key KK, nonce NN, and counter value 0 are used as KK', while the remaining 32 bytes are discarded. Encryption proceeds by generating a keystream with ChaCha20 using the same key KK and nonce NN, but starting the block counter at 1, and XORing it with the PP to produce the CC, where the keystream length matches P|P| without additional on the . Mathematically, C=(i=1P/64ChaCha20(K,N,i))P,C = \left( \bigoplus_{i=1}^{\lceil |P|/64 \rceil} \text{ChaCha20}(K, N, i) \right) \oplus P,
Add your contribution
Related Hubs
User Avatar
No comments yet.