Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality and authenticity (integrity) of communications. These goals have long been studied, but they have only recently enjoyed a high level of interest from cryptographers due to the complexity of implementing systems for privacy and authentication separately in a single application.
In addition to protecting message integrity and confidentiality, authenticated encryption can provide plaintext awareness and security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext. Implemented correctly, this removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that he does not already possess.
Many specialized authenticated encryption modes have been developed for use with symmetric block ciphers. However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code (MAC), provided that the encryption scheme is semantically secure under chosen plaintext attack and the MAC function is unforgeable under chosen message attack. Bellare and Namprempre (2000) analyzed three compositions of these primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext implies security against adaptive chosen ciphertext attack, provided that both functions meet the required properties.
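The encrypt-then-MAC composition described above, and the refusal to decrypt improperly constructed ciphertexts from the earlier paragraph, as an added example that is not part of the original article. It assumes HMAC-SHA256 in counter mode as a standard-library stand-in for a block cipher in CTR mode; the function names and the `nonce || ciphertext || tag` layout are illustrative choices.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32  # bytes; the tag is a full HMAC-SHA256 output


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: HMAC-SHA256 in counter mode stands in for a block cipher in
    # CTR mode, so the example needs only the standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt first, then MAC the nonce and ciphertext under an independent key.
    nonce = secrets.token_bytes(NONCE_LEN)
    body = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(enc_key: bytes, mac_key: bytes, message: bytes):
    # Verify before decrypting: anything seal() did not produce yields None,
    # so the caller never sees a plaintext derived from a modified ciphertext.
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(body, keystream(enc_key, nonce, len(body)))


def decrypt_without_check(enc_key: bytes, message: bytes) -> bytes:
    # Contrast case: encryption alone decrypts whatever it is handed.
    nonce, body = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    return xor(body, keystream(enc_key, nonce, len(body)))
```

`unseal` returns `None` for a message with a single modified bit, while `decrypt_without_check` returns a plaintext with the corresponding bit changed, which is the behaviour that makes an unauthenticated decryptor usable as an oracle.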
See also
- CCM mode
CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. CCM mode is only defined for block ciphers with a block length of 128 bits...
- CWC mode
In cryptography, CWC Mode is an AEAD block cipher mode of operation designed by Tadayoshi Kohno, John Viega and Doug Whiting. It combines the use of CTR mode for encryption with an efficient polynomial Carter-Wegman MAC....
- OCB mode
OCB mode is a mode of operation for cryptographic block ciphers. It was designed to provide both authentication and privacy. It is essentially a scheme for integrating a Message Authentication Code into the operation of a block cipher...
- EAX mode
EAX mode is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data algorithm designed to simultaneously protect both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for...
- GCM Mode
GCM mode is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a block size of 128 bits...