Authenticated encryption

From Wikipedia, the free encyclopedia

Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality and authenticity (integrity) of communications. These goals have long been studied, but they have only recently enjoyed a high level of interest from cryptographers due to the complexity of implementing systems for privacy and authentication separately in a single application.

In addition to protecting message integrity and confidentiality, authenticated encryption can provide plaintext awareness and security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext. Implemented correctly, this removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that he does not already possess.

Many specialized authenticated encryption modes have been developed for use with symmetric block ciphers. However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code (MAC), provided that the encryption scheme is semantically secure under chosen plaintext attack and the MAC function is unforgeable under chosen message attack. Bellare and Namprempre (2000) analyzed three compositions of these primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext implies security against adaptive chosen ciphertext attack, provided that both functions meet the required properties.

[edit] See also

[edit] References

  • M. Bellare and C. Namprempre, Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. Extended abstract in Advances in Cryptology - Asiacrypt 2000 Proceedings, Lecture Notes in Computer Science Vol. 1976, T. Okamoto ed, Springer-Verlag, 2000.