Authenticated encryption
Encyclopedia
Authenticated Encryption (AE) is a block cipher mode of operation which simultaneously provides confidentiality
, integrity
and authenticity
assurances on the data. It became readily apparent that securely compositing a confidentiality mode
with an authentication mode
could be error prone and difficult. As Bellare, Rogaway, and Wagner wrote in A Conventional Authenticated-Encryption Mode:
And in The CWC Authenticated Encryption (Associated Data) Mode, Kohno, Whiting, and Viega write:
In addition to protecting message integrity and confidentiality, authenticated encryption can provide plaintext awareness and security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext. Implemented correctly, this removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that he does not already possess.
Many specialized authenticated encryption modes have been developed for use with symmetric block cipher
s. However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code
(MAC), provided that the encryption scheme is semantically secure
under chosen plaintext attack and the MAC function is unforgeable under chosen message attack. Bellare and Namprempre (2000) analyzed three compositions of these primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext implies security against adaptive chosen ciphertext attack, provided that both functions meet the required properties.
Six different authenticated encryption modes, namely OCB
2.0, Key Wrap, CCM
, EAX
, Encrypt-then-MAC and GCM
, have been standardized in ISO/IEC 19772:2009 (Authenticated encryption).
Confidentiality
Confidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
, integrity
Data integrity
Data Integrity in its broadest meaning refers to the trustworthiness of system resources over their entire life cycle. In more analytic terms, it is "the representational faithfulness of information to the true state of the object that the information represents, where representational faithfulness...
and authenticity
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
assurances on the data. It became readily apparent that securely compositing a confidentiality mode
Block cipher modes of operation
In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.A block cipher by itself allows encryption only of a single data block of the cipher's block length. When targeting a variable-length message, the data must first be...
with an authentication mode
Block cipher modes of operation
In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.A block cipher by itself allows encryption only of a single data block of the cipher's block length. When targeting a variable-length message, the data must first be...
could be error prone and difficult. As Bellare, Rogaway, and Wagner wrote in A Conventional Authenticated-Encryption Mode:
...people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC).
And in The CWC Authenticated Encryption (Associated Data) Mode, Kohno, Whiting, and Viega write:
...it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes.
In addition to protecting message integrity and confidentiality, authenticated encryption can provide plaintext awareness and security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext. Implemented correctly, this removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that he does not already possess.
Many specialized authenticated encryption modes have been developed for use with symmetric block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s. However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code
Message authentication code
In cryptography, a message authentication code is a short piece of information used to authenticate a message.A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC...
(MAC), provided that the encryption scheme is semantically secure
Semantic security
Semantic security is a widely used definition for security in an asymmetric key encryption algorithm. For a cryptosystem to be semantically secure, it must be infeasible for a computationally bounded adversary to derive significant information about a message when given only its ciphertext and...
under chosen plaintext attack and the MAC function is unforgeable under chosen message attack. Bellare and Namprempre (2000) analyzed three compositions of these primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext implies security against adaptive chosen ciphertext attack, provided that both functions meet the required properties.
Six different authenticated encryption modes, namely OCB
OCB mode
OCB mode is a mode of operation for cryptographic block ciphers.-Encryption and authentication:It was designed to provide both authentication and privacy. It is essentially a scheme for integrating a Message Authentication Code into the operation of a block cipher...
2.0, Key Wrap, CCM
CCM mode
CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...
, EAX
EAX mode
EAX mode is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data algorithm designed to simultaneously provide both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for...
, Encrypt-then-MAC and GCM
Galois/Counter Mode
Galois/Counter Mode is a mode of operation for symmetric key cryptographic block ciphers that has been widely adopted because of its efficiency and performance...
, have been standardized in ISO/IEC 19772:2009 (Authenticated encryption).
See also
- Block cipher mode of operation
- NIST: Modes Development
- CCM modeCCM modeCCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...
- CWC modeCWC modeIn cryptography, CWC Mode is an AEAD block cipher mode of operation that provides both encryption and built-in message integrity, similar to CCM and OCB modes. Designed by Tadayoshi Kohno, John Viega and Doug Whiting, NIST is CWC mode for standardization...
- OCB modeOCB modeOCB mode is a mode of operation for cryptographic block ciphers.-Encryption and authentication:It was designed to provide both authentication and privacy. It is essentially a scheme for integrating a Message Authentication Code into the operation of a block cipher...
- EAX modeEAX modeEAX mode is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data algorithm designed to simultaneously provide both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for...
- GCM ModeGalois/Counter ModeGalois/Counter Mode is a mode of operation for symmetric key cryptographic block ciphers that has been widely adopted because of its efficiency and performance...