Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [authenticated-encryption]

Combination of encryption and authentication in a way that ensures confidentiality, integrity and authentication

Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) are forms of encryption that simultaneously assure the confidentiality, integrity, and authenticity of data.

CCM, EAX, Poly1305, and GCM are examples.

550 questions
8
votes
1 answer

Should we use the new CAESAR competition ciphers?

At the beginning of this year, the CAESAR competition published the final portfolio for authenticated encryption algorithms. I'm not a cryptographer and when I look at other applications, almost always AES-GCM or ChaCha20-Poly1305 is used for…
Aliquis
  • 573
  • 1
  • 4
  • 7
5
votes
1 answer

Do AEADs also authenticate the nonce?

I'd like to include an authenticated timestamp in my messages. I'm wondering if I can save a little space by putting the timestamp in the nonce. Concrete example: Let's say I'm using XChaCha20-Poly1305 with a shared secret key. I generate the…
Kannan Goundan
  • 331
  • 3
  • 10
5
votes
1 answer

Can one make a secure AEAD from any secure cipher and any secure MAC?

Can one make a secure AEAD from any secure cipher and any secure MAC using encrypt-then-MAC: with independent keys and IVs (any cipher and MAC) if the cipher is a stream cipher (including a block cipher in CTR mode), using parts of the keystream…
Demi
  • 4,793
  • 1
  • 19
  • 39
4
votes
1 answer

Key Committing AEADs

There are multi-key attacks against some AEADs. In other words, multiple keys can be used to decrypt a message since multiple keys can be valid for an authentication tag. How would one go about adding key commitment to an AEAD like AES-GCM or…
Edgar
  • 41
  • 2
4
votes
1 answer

What is the purpose of an Authentication Tag in AEAD encryption schemes?

AEAD encryption schemes produce something referred to as an "authentication tag." What does this tag consist of, what is its purpose, and is the tag itself human-readable data such as a plaintext string or is it cipher text?
the_endian
  • 165
  • 1
  • 7
4
votes
1 answer

What's the purpose of secret message numbers in CAESAR ciphers?

The CAESAR call for submissions specifies that ciphers may accept as a parameter a secret message number. The requirements are that: It must be possible to recover the plaintext and the secret message number from the ciphertext, associated data,…
Luis Casillas
  • 14,468
  • 2
  • 31
  • 53
3
votes
2 answers

Why is release of unverified plaintext so Bad?

Lately I came across of release of unverified plaintext. I was told that this is a bad thing, but I don't really get why. Isn't unverified plaintext released just nonsense? How can this be attacked in the context of authenticated encryption?
Digimon Kaiser
  • 79
  • 2
3
votes
1 answer

Example situation where an authentication tag can prevent an attack?

In Authenticated Encryption, we use an authentication tag to make sure the message is not tampered. The authentication tag can prevent any random bytes sent by the attacker being decrypted by the receiver. The question is: what sorts of attack…
Ma Joad
  • 163
  • 2
3
votes
1 answer

Common pitfalls to be taken care of while implementing Encrypt then HMAC scheme

i would like to implement a custom Encrypt than HMAC scheme instead of using AES-GCM can anyone share resource to do it correctly . are there any common pitfalls i should be aware of for secure implementation ( i browsed internet but got shady sites…
ANISH M 18CS006
  • 51
  • 13
2
votes
3 answers

Do all AEAD implementations use symmetric key ciphers in practice?

Everything I've seen so far in modern implementations (the Linux Kernel AEAD API, JVM crypto provider (AES-GCM), RFC 8439, libsodium, etc) seems to imply that only symmetric key block ciphers are used in practice for AEAD. Are there asymmetric key…
Les Hazlewood
  • 123
  • 6
2
votes
1 answer

Energy consumption by mobile or sensor node when executing xor / encryption / decryption

I try to estimate the energy consumption by a sensor node when executing an authentication algorithm witch contains operations (hashing, XOR, Encryption / decryption by public/private key, addition,...). The algorithm is named MDA (Message Digest…
jabberimaher
  • 21
  • 1
2
votes
1 answer

Authenticated encryption with forged verification key

Is it part of the (or a common) security model of symmetric authenticated encryption to prevent an adversary from exhibiting a decryption/verification key that makes a given genuine ciphertext verify, yet deciphers differently than it does with the…
fgrieu
  • 140,762
  • 12
  • 307
  • 587
2
votes
0 answers

Dedicated authenticated encryption

Authenticated encryption is said to be achievable with either of these three things: Use a separate algorithm that ensures authentications such as HMAC. Use one of the several block cipher modes of operation that generate/verify an authentication…
Melab
  • 3,655
  • 2
  • 22
  • 44
2
votes
0 answers

Maximum strength of an authenticated encryption scheme like this

Assume that we have a authentication-capable block cipher with key size $k$ and block size $n$ where $n = 2 \times m$. The function used to encrypt blocks takes the block index $i$ as an additional input and returns an $m$-bit intermediate…
Melab
  • 3,655
  • 2
  • 22
  • 44
2
votes
3 answers

verify contents, but not order

Is there an algorithm that can be used to verify the contents of a cyphertext, but not the order of the elements? I am thinking that a deck of cards could be shuffled, and it must be verifiable that the deck contains all cards, but not to know what…
Billy Moon
  • 129
  • 5
1
2 3