McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Fleischmann, Ewan; Forler, Christian; Lucks, Stefan

doi:10.1007/978-3-642-34047-5_12

Cited by 79 publications

(102 citation statements)

References 34 publications

Supporting

Mentioning

102

Contrasting

Order By: Relevance

“…For the cases when nonce values do repeat, none of these AE schemes provides any formal security guarantees. Indeed, all of these schemes, including the latest OTR, can be "attacked" under nonce repetition, as described by Fleischmann et al [12].…”

Section: Introductionmentioning

confidence: 99%

COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

Andreeva

Luykx

Mennink

et al. 2015

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. We present a new, misuse-resistant scheme for online authenticated encryption, following the framework set forth by Fleischmann et al. (FSE 2012). Our scheme, COBRA, is roughly as efficient as the GCM mode of operation for nonce-based authenticated encryption, performing one block cipher call plus one finite field multiplication per message block in a parallelizable way. The major difference from GCM is that COBRA preserves privacy up to prefix under nonce repetition. However, COBRA only provides authenticity against nonce-respecting adversaries. As compared to COPA (ASIACRYPT 2013), our new scheme requires no block cipher inverse and hence enjoys provable security under a weaker assumption about the underlying block cipher. In addition, COBRA can possibly perform better than COPA on platforms where finite field multiplication can be implemented faster than the block cipher in use, since COBRA essentially replaces half of the block cipher calls in COPA with finite field multiplications.

show abstract

Section: Introductionmentioning

confidence: 99%

COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

Andreeva

Luykx

Mennink

et al. 2015

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…For online arbitrary IV schemes, we demonstrate that PA1 security can be achieved only if the ciphertext is substantially longer than the plaintext, or the decryption is offline. We show that McOE-G [23] achieves PA1 if the plaintext is padded so that the ciphertext becomes twice as long. We also prove that APE [2], an online deterministic AE scheme with offline decryption, achieves PA1.…”

Section: Analysis Of Authenticated Encryption Schemesmentioning

confidence: 98%

“…Online Scheme PA1 PA2 Remark random CTR, CBC [35] nonce OCB [39] GCM [33], SpongeWrap [16] CCM [47] not online [41] arbitrary COPA [3] privacy up to prefix McOE-G [23] ′′ APE [2] ′′, backwards decryption SIV [40], BTM [27], HBS [28] privacy up to repetition Encode-then-Encipher [12] ′′, VIL SPRP, padding…”

Section: Typementioning

confidence: 99%

“…Unfortunately, DAE schemes cannot be online. To resolve this issue, Fleischmann et al [23] explored online DAE schemes, where privacy holds only up to repetitions of messages with identical prefixes or up to the longest common prefix.…”

Section: Background and Related Workmentioning

confidence: 99%

“…While random and nonce IV schemes can achieve semantic security, arbitrary IV schemes cannot, and therefore reduce to deterministic security. In the latter case, the most common notions are "privacy up to repetition" which is used for DAE [40] and "privacy up to prefix" which is used for authenticated online encryption [23]. In any case, we write $ to indicate the ideal oracle from which an adversary tries to distinguish the real encryption oracle E K , regardless of the IV type.…”

Section: Types Of Ae Schemesmentioning

confidence: 99%

See 2 more Smart Citations

How to Securely Release Unverified Plaintext in Authenticated Encryption

Andreeva

Bogdanov

Luykx

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle without the secret key. Releasing unverified plaintext then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity of ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes.

show abstract

A simple authentication encryption scheme

Mazumder

Miyaji

2017

Concurrency and Computation

View full text Add to dashboard Cite

An authentication encryption (AE) scheme satisfies to transfer an authenticated data between 2 parties or more. There are vast applications of the AE such as access control, encryption, enhancing trust between multiple parties, and assure the originality of a message. However, the main challenge of the AE is to maintain low-cost features for its construction. Furthermore, there is another emerging issue of Internet of Things (IoT) in the field of data and network communication.The numbers of application of the IoT are increasing expeditiously, where various kinds of device have been used such as IoT-end device, constrained device, and RfID. Moreover, the main challenge of the IoT-end devices and resource constrained devices is to keep a certain level of security bound including minimum cost. However, the IoT-end devices, resource constrained devices, and RfID have lack of resources such as memory, power, and processors. Interestingly, the AE can play a vital role between data acquisition (sensors, actuators) and data aggregation of usual platform of the IoT. Thus, the construction of the AE should satisfy the properties of low-cost, least resources, and less operating-time. Though, there are many familiar constructions of AE such as OTR, McOE, POE, OAE, APE, COPE, CLOC, and SILK but most of the schemes depend on the features of nonce and associate data. In the aspect of security, the usage of nonce and associated data are adequate.However, these 2 features increase the overhead cost. Therefore, we propose a simple construction of IV-based AE where blockcipher compression function is used as encryption function. Our proposed scheme's efficiency-rate is 1 with reasonable privacy-security bound. In addition, it can encrypt arbitrary length of message in each iteration without padding.

show abstract

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Cited by 79 publications

References 34 publications

COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

How to Securely Release Unverified Plaintext in Authenticated Encryption

A simple authentication encryption scheme

Contact Info

Product

Resources

About