Download now Free registration required
This paper provides a comprehensive treatment of the security of Authenticated Encryption (AE) in the presence of key-dependent data, considering the four variants of the goal arising from the choice of universal nonce or random nonce security and presence or absence of a header. The authors present attacks showing that universal-nonce security for key-dependent messages is impossible, as is security for key-dependent headers, not only ruling out security for three of the four variants but showing that currently standarized and used schemes (all these target universal nonce security in the presence of headers) fail to provide security for key-dependent data. To complete the picture they show that the final variant (random-nonce security in the presence of key-dependent messages but key-independent headers) is efficiently achievable.
- Format: PDF
- Size: 230.1 KB