Simultaneously ensuring privacy and authenticity in digital communication
Publisher:
  • University of California, San Diego
ISBN: 978-0-493-77573-9
Order Number: AAI3061642
Pages: 156
Abstract

Practice-oriented provable security is a modern approach in cryptography to concretely reduce the security of a cryptographic construct to the computational hardness of an underlying problem. This dissertation studies a construct called an authenticated encryption scheme, a set of algorithms whose collective purpose is to simultaneously guarantee both privacy and authenticity of the data being transmitted between two parties. First, we focus on the symmetric setting. We define precise security notions for authenticated encryption schemes, show relative strengths among our notions and existing standard notions, and investigate the effectiveness of one of the most popular design methodologies for authenticated encryption schemes, namely the generic composition paradigm. In this paradigm, one combines a standard encryption scheme—a construct whose goal is privacy—and a MAC scheme—a construct whose goal is authenticity—in a modular fashion to obtain an authenticated encryption scheme. The methods we study are Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC. As a case study, we analyze the popular SSH Internet protocol suite, find that its current design yields insecure authenticated encryption schemes, then suggest provably secure fixes. Our proofs model SSH's authenticated encryption mechanism as a case of what we call the Encode-then-Encrypt-and-MAC composition method. Our proofs can thus be generically applied to other schemes employing this composition method.

In real applications, symmetric-key cryptography is often used in combination with public-key cryptography. We focus on the most common way to combine public-key cryptography with authenticated encryption schemes. First, two parties run an authenticated key-exchange protocol to obtain a shared session key. Then, they secure successive data transmissions via an authenticated encryption scheme based on the session key. We show that such a communication session meets the notion of a secure channel proposed by Canetti and Krawczyk if and only if the underlying authenticated encryption scheme meets two new, simple definitions of security that we introduce, and the key-exchange protocol is secure. This reduces the secure channel requirements of Canetti and Krawczyk to easier-to-use, stand-alone security requirements on the underlying authenticated encryption scheme.
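The three generic composition methods named in the abstract, written out as an added example (this is not code from the dissertation). It assumes a constructed stand-in for the encryption scheme, an HMAC-SHA256 PRF run in counter mode under a random nonce, so that everything runs with the Python standard library; the key names `ke`/`km` and the helper names are the example's own. Each receiver verifies the tag with a constant-time comparison and rejects the message on mismatch; the last function illustrates one well-known difference in strength between the methods, namely that Encrypt-and-MAC with a deterministic MAC over the plaintext lets an observer see when the same message is sent twice, while Encrypt-then-MAC tags cover the randomized ciphertext and do not repeat.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stand-in cipher: PRF (HMAC-SHA256) in counter mode,
    # block i = F_key(nonce || i). Used only so the example is self-contained.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(ke: bytes, m: bytes) -> bytes:
    # Randomized (IND-CPA style) encryption: fresh nonce, XOR with keystream.
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(ke, nonce, len(m))))


def decrypt(ke: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, nonce, len(body))))


def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()


# Encrypt-and-MAC:  C = E(M) || T(M)
def eam_encrypt(ke: bytes, km: bytes, m: bytes) -> bytes:
    return encrypt(ke, m) + mac(km, m)


def eam_decrypt(ke: bytes, km: bytes, c: bytes):
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    m = decrypt(ke, body)  # the tag is over M, so decryption must happen first
    return m if hmac.compare_digest(mac(km, m), tag) else None


# MAC-then-Encrypt:  C = E(M || T(M))
def mte_encrypt(ke: bytes, km: bytes, m: bytes) -> bytes:
    return encrypt(ke, m + mac(km, m))


def mte_decrypt(ke: bytes, km: bytes, c: bytes):
    inner = decrypt(ke, c)
    m, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    return m if hmac.compare_digest(mac(km, m), tag) else None


# Encrypt-then-MAC:  C = E(M) || T(E(M))
def etm_encrypt(ke: bytes, km: bytes, m: bytes) -> bytes:
    body = encrypt(ke, m)
    return body + mac(km, body)


def etm_decrypt(ke: bytes, km: bytes, c: bytes):
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(mac(km, body), tag):
        return None  # reject before the decryption key is ever used
    return decrypt(ke, body)


def roundtrip_and_tamper(enc, dec, ke: bytes, km: bytes, m: bytes):
    # Returns (decrypts_correctly, tampered_copy_rejected) for one scheme.
    c = enc(ke, km, m)
    bad = bytearray(c)
    bad[NONCE_LEN] ^= 0x01  # flip one bit of the first ciphertext byte
    return dec(ke, km, c) == m, dec(ke, km, bytes(bad)) is None


def tag_repeats_for_equal_messages(enc, ke: bytes, km: bytes) -> bool:
    # Does sending the same plaintext twice produce the same trailing tag?
    m = b"same plaintext sent twice"
    return enc(ke, km, m)[-TAG_LEN:] == enc(ke, km, m)[-TAG_LEN:]


if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)  # constructed sample keys
    for name, enc, dec in [("Encrypt-and-MAC", eam_encrypt, eam_decrypt),
                           ("MAC-then-Encrypt", mte_encrypt, mte_decrypt),
                           ("Encrypt-then-MAC", etm_encrypt, etm_decrypt)]:
        print(name, roundtrip_and_tamper(enc, dec, ke, km, b"hello"))
    print("E&M tag repeats:", tag_repeats_for_equal_messages(eam_encrypt, ke, km))
    print("EtM tag repeats:", tag_repeats_for_equal_messages(etm_encrypt, ke, km))
```

All three schemes round-trip and reject a bit-flipped ciphertext here, which is the authenticity side; the privacy difference shows up in the last two lines, where only the Encrypt-and-MAC tag repeats. Separate keys `ke` and `km` are used throughout, as the generic composition paradigm assumes independent keys for the encryption and MAC components.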

Contributors
  • Thammasat University
  • University of California, San Diego
