[Resource Topic] 2023/590: Reconsidering Generic Composition: the modes A10, A11 and A12 are insecure

Welcome to the resource topic for 2023/590

Title:
Reconsidering Generic Composition: the modes A10, A11 and A12 are insecure

Authors: Francesco Berti

Abstract:

Authenticated Encryption (AE) achieves privacy and authenticity
with a single scheme. It is possible to obtain an AE scheme
gluing together an encryption scheme (privacy secure) and a Message Authentication
Code (authenticity secure). This approach is called generic
composition and its security has been studied by Namprempre et al. [NRS14].
They looked into all the possible gluings of an encryption scheme with a
secure MAC to obtain a nonce-based AE-scheme. The encryption scheme
is either IV-based (that is, with an additional random input, the initialization
vector [IV]) or nonce-based (with an input to be used once, the
nonce). Nampremepre et al. assessed the security/insecurity of all possible
composition combinations except for 4 (N4, A10, A11 and A12).
Berti et al. [BPP18a] showed that N4 is insecure and that the remaining
modes (A10, A11, and A12) are either all secure or insecure.
Here, we prove that these modes are all insecure with a counterexample.

ePrint: https://eprint.iacr.org/2023/590

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .