Practice-oriented provable security is a modern approach in cryptography to concretely reduce the security of a cryptographic construct to the computational hardness of an underlying problem. This dissertation studies a construct called an authenticated encryption scheme, a set of algorithms whose collective purpose is to simultaneously guarantee both privacy and authenticity of the data being transmitted between two parties.

First, we focus on the symmetric setting. We define precise security notions for authenticated encryption schemes, show relative strengths among our notions and existing standard notions, and investigate the effectiveness of one of the most popular design methodologies for authenticated encryption schemes, namely the generic composition paradigm. In this paradigm, one combines a standard encryption scheme—a construct whose goal is privacy—and a MAC scheme—a construct whose goal is authenticity—in a modular fashion to obtain an authenticated encryption scheme. The methods we study are Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC. As a case study, we analyze the popular SSH Internet protocol suite, find that its current design yields insecure authenticated encryption schemes, then suggest provably secure fixes. Our proofs model SSH's authenticated encryption mechanism as a case of what we call the Encode-then-Encrypt-and-MAC composition method. Our proofs can thus be generically applied to other schemes employing this composition method.

In real applications, symmetric-key cryptography is often used in combination with public-key cryptography. We focus on the most common way to combine public-key cryptography with authenticated encryption schemes. First, two parties run an authenticated key-exchange protocol to obtain a shared session key. Then, they secure successive data transmissions via an authenticated encryption scheme based on the session key. We show that such a communication session meets the notion of a secure channel proposed by Canetti and Krawczyk if and only if the underlying authenticated encryption scheme meets two new, simple definitions of security that we introduce, and the key-exchange protocol is secure. This reduces the secure-channel requirements of Canetti and Krawczyk to easier-to-use, stand-alone security requirements on the underlying authenticated encryption scheme.
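The generic-composition methods named in the abstract, as an added example that is not part of the dissertation: a toy implementation of Encrypt-and-MAC and Encrypt-then-MAC over a counter-mode cipher whose keystream comes from HMAC-SHA256 used as a PRF (a stand-in for AES-CTR, chosen so the code needs only the Python standard library). It shows why a deterministic MAC computed over the plaintext lets Encrypt-and-MAC reveal when the same message is sent twice, and why Encrypt-then-MAC lets a receiver reject a modified ciphertext before it ever touches the decryption key. The key, nonce and message values are constructed for illustration.

```python
import hmac, hashlib, os

def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter), truncated to `length` bytes."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(ke: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Privacy component: XOR the message with a nonce-dependent keystream."""
    return bytes(m ^ k for m, k in zip(msg, prf_keystream(ke, nonce, len(msg))))

decrypt = encrypt  # counter mode is its own inverse

def mac(km: bytes, data: bytes) -> bytes:
    """Authenticity component: a deterministic MAC (HMAC-SHA256)."""
    return hmac.new(km, data, hashlib.sha256).digest()

def encrypt_and_mac(ke: bytes, km: bytes, nonce: bytes, msg: bytes):
    """Encrypt-and-MAC: the tag is computed over the plaintext and sent beside the ciphertext."""
    return nonce, encrypt(ke, nonce, msg), mac(km, msg)

def encrypt_then_mac(ke: bytes, km: bytes, nonce: bytes, msg: bytes):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so it depends on the nonce."""
    ct = encrypt(ke, nonce, msg)
    return nonce, ct, mac(km, nonce + ct)

def decrypt_then_verify(ke: bytes, km: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Receiver side of Encrypt-then-MAC: verify first (constant-time), decrypt only if valid."""
    if not hmac.compare_digest(tag, mac(km, nonce + ct)):
        return None  # reject: ciphertext or nonce was modified in transit
    return decrypt(ke, nonce, ct)

def tags_collide_on_repeat(scheme, ke: bytes, km: bytes, msg: bytes) -> bool:
    """Encrypt the same message twice under fresh nonces; are the two tags identical?
    True means a passive observer learns that the two transmissions carried the same plaintext."""
    _, _, t1 = scheme(ke, km, os.urandom(16), msg)
    _, _, t2 = scheme(ke, km, os.urandom(16), msg)
    return t1 == t2

# Constructed keys and message for the demonstration.
KE, KM = b"\x01" * 32, b"\x02" * 32
MSG = b"transfer 100 to account 42"
```

Run as written, `tags_collide_on_repeat(encrypt_and_mac, KE, KM, MSG)` is always `True` (the plaintext MAC is deterministic), whereas for `encrypt_then_mac` the tags differ because the nonce and ciphertext change; and `decrypt_then_verify` returns `None` for any altered ciphertext.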
Index Terms
- Simultaneously ensuring privacy and authenticity in digital communication