P. Rogaway. Authenticated-encryption with associated-data. ACM CCS '02.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....Furthermore, since most applications that require privacy also require integrity, it is logical to focus on tools capable of providing both services simultaneously. There is thus great value in developing and standardizing dedicated AEAD schemes, as evidenced by a wealth of papers in this area [2, 4, 5, 6, 11, 12, 15]. Patents. Pragmatically, patents are a major impediment to the standardization and wide spread deployment of some of the modes presented in the above mentioned papers. In particular, three independent parties have applied for patents on single pass authenticated encryption schemes. It is not our ....

....assuming that the underlying block cipher is a secure pseudorandom function or pseudorandom permutation. Consequently, if we believe AES to be a secure pseudorandom permutation (which is a widely held belief) then CWC AES is secure. For our proofs of security, we use Rogaway s AEAD notions from [11]. In our provable security results we clearly show that the same block cipher key can be used in CWC s CTR mode portion, in the generation of the hash subkey K h , and in the block cipher applications used within CWC s message authentication portion. 1.1 Background and related work The notion of ....

[Article contains additional citation context not shown here]

P. Rogaway. Authenticated encryption with associated data. In Proceedings of the 9th Conference on Computer and Communications Security, Nov. 2002.

....Furthermore, since most applications that require privacy also require integrity, it is logical to focus on tools capable of providing both services simultaneously. There is thus great value in developing and standardizing dedicated AEAD schemes, as evidenced by a wealth of papers in this area [2, 4, 6, 7, 14, 15, 19]. Patents. Pragmatically, patents are a major impediment to the standardization and wide spread deployment of some of the modes presented in the above mentioned papers. In particular, three independent parties have applied for patents on single pass authenticated encryption schemes. It is not our ....

....assuming that the underlying block cipher is a secure pseudorandom function or pseudorandom permutation. Consequently, if we believe AES to be a secure pseudorandom permutation (which is a widely held belief) then CWC AES is secure. For our proofs of security, we use Rogaway s AEAD notions from [14]. In our provable security results we clearly show that the same block cipher key can be used in CWC s CTR mode portion, in the generation of the hash subkey K h , and in the block cipher applications used within CWC s message authentication portion. 1.1 Background and related work The notion of ....

[Article contains additional citation context not shown here]

P. Rogaway. Authenticated encryption with associated data. In Proceedings of the 9th Conference on Computer and Communications Security, Nov. 2002.

....wisdom was to compose the standard solutions for two. Recently, however, the area of authenticated encryption has received considerable attention. This was caused by many related reasons. First, a composition paradigm might not always work [7, 20, 2] at least if not used appropriately [2, 26]. Second, a tailored solution providing both privacy and authenticity might be noticeably more efficient (or have other advantages) than a straightforward composition [17, 27, 32, 2, 6] Third, the proper modeling of authenticated encryption is not so obvious, especially in the public key setting ....

....to the problem. Also, it generalizes the previous, so differently looking solutions of [13, 18] both of which can be shown to use some particular concealment and or short authenticated encryption. EXTENSIONS. All our techniques naturally support authenticated encryption with associated data [26], which we explain in the sequel. In fact, this distinction makes our composition paradigm even slightly more efficient. Also, we remark again that all our results apply to both the public and the symmetric key authenticated encryption. The only exception is the following extension that makes ....

[Article contains additional citation context not shown here]

P. ROGAWAY, "Authenticated-Encryption with Associated-Data," In Proc. 9th CCS, pp. 98--107, ACM, 2002.

....SSL or SSH. In the past few years, research in the symmetric key setting has introduced authenticated encryption [5, 19, 23] to combine both functionalities in a single primitive. Soon thereafter, a number of authenticated encryption schemes were proposed and other related investigations followed [26, 1, 22, 32, 31, 4, 11]. These results produced a variety of practical and efficient implementations. As importantly, they established authenticated encryption as a new cryptographic primitive which can be used to design simpler higher level protocols. More recent research has extended authentication encryption to the ....

....PSS R and OAEP, which we call Probabilistic Signature Encryption Padding (PSEP) This two padding will allow us to achieve optimal message bandwidth for signcryption using . EXTENSIONS. We extend the basic approach in two important ways. First, it can effortlessly support associated data [31], allowing one to bind a public label to a message when signcrypting it. This capability has many nice applications, including allowing us to trivially bind the message to the public keys of S and R, thus solving the aforementioned multi user problem for signcryption. Second, using the recent ....

[Article contains additional citation context not shown here]

Phillip Rogaway. Authenticated-encryption with associated-data. In Sandhu [35].

No context found.

P. Rogaway. Authenticated-encryption with associated-data. ACM CCS '02.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security (CCS-9), ACM, pp. 98--107, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security (CCS-9), ACM, pp. 98--107, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. ACM CCS '02.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security (CCS-9), pp. 98--107, ACM, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), ACM Press, pp. 98--107, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security (CCS-9), pp. 98--107, ACM, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security , ACM, 2002. Available as http://www.cs.ucdavis. edu/~rogaway/papers/ad.html

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Ninth ACM Conference on Computer and Communications Security (CCS-9). ACM Press, 2002. www.cs.ucdavis.edu/#rogaway

No context found.

P. Rogaway. Authenticated-encryption with associated-data. ACM CCS'02. ACM Press, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security (CCS-9), pp. 98--107, ACM, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. ACM CCS'02. ACM Press, 2002.

....(AE) schemes are symmetric key mechanisms by which a message M is a transformed into a ciphertext C in such a way that C protects both privacy and authenticity. Though AE schemes go back more than 20 years, only recently did AE get recognized as a distinct and signi cant cryptographic goal [3, 4, 10, 13]. Two factors seem to have triggered this. First was the realization that people had been doing rather poorly when they tried to glue together a traditional (privacy only) encryption scheme and a message authentication code (MAC) 2, 3, 11] second was the emergence of a class of melded AE ....

.... eld where 2 f2; 3; 4; 5; 6; 7; 8g Once parameters (E; have been xed, where E : Key f0; 1g is a block cipher, CCM can be regarded as a pair (CCM:Encrypt; CCM:Decrypt) which is an authenticated encryption with associateddata (AEAD) scheme, as de ned in [13]. Encryption and decryption have the following signatures: CCM:Encrypt : Key Nonce Header Plaintext Ciphertext CCM:Decrypt : Key Nonce Header Ciphertext Plaintext [ fInvalidg where Nonce = Byte Header = Byte Plaintext = Byte 8 Ciphertext = Byte Thus there is a ....

[Article contains additional citation context not shown here]

P. Rogaway. Authenticated-encryption with associated-data. Ninth ACM Conference on Computer and Communications Security (CCS-9). ACM Press, 2002. www.cs.ucdavis.edu/rogaway

....be encrypted in many applications we have a mixture of secret and non secret data, and it would be nice to have a mode of operation that provides privacy for the secret data and authenticity for both types of data. Thus was born the notion of authenticated encryption with associated data (AEAD) [16]. The non secret data is called the associated data or the header. This document. In this note we propose a new AEAD scheme, called EAX. The mechanism is a conventional AEAD scheme, meaning a method that, using a block cipher, makes two passes, one aimed at achieving privacy and one aimed at ....

....es implementations. 3 EAX Goals We wanted a block cipher based, nonce using AEAD scheme. It should provide both privacy, in the sense of indistinguishability from random bits, and integrity, in the sense of an adversary s inability to produce a new but valid (nonce, header, ciphertext) triple [16]. Nothing should be assumed about the nonces except that they are non repeating. Security must be demonstrated using the standard, provable security approach. The scheme should employ no tool beyond a block cipher E : Key f0; 1g that it is based on. We should assume nothing about E beyond ....

P. Rogaway. Authenticated-encryption with associated-data. Proceedings of the 9th Annual Conference on Computer and Communications Security , ACM, 2002. Available as http://www.cs.ucdavis. edu/~rogaway/papers/ad.html

No context found.

Phillip Rogaway; Authenticated-encryption with associated-data; in Ravi Sandhu, ed., Proceedings of the 9th ACM Conference on Computer and Communications Security; ACM Press, Washington, DC, USA; November 2002; pp. 98--107; URL http:// www.cs.ucdavis.edu/~rogaway/papers/ad.html.

No context found.

P. Rogaway. "Authenticated encryption with associated data," In Proceedings of the 9th CCS, Nov. 2002.

No context found.

P. Rogaway. Authenticated encryption with associated data. In V. Atluri, editor, Proceedings of the 9th Conference on Computer and Communications Security, Nov. 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. In Proc. 9th ACM Conference on Computer and Communications Security, pages 98--107, 2002.

No context found.

P. Rogaway. Authenticated-encryption with associated-data. In Proceedings of the 9th Conference on Computer and Communications Security, Nov. 2002.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC