
Anonymous AE

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11922))

Abstract

The customary formulation of authenticated encryption (AE) requires the decrypting party to supply the correct nonce with each ciphertext it decrypts. To enable this, the nonce is often sent in the clear alongside the ciphertext. But doing this can forfeit anonymity and degrade usability. Anonymity can also be lost by transmitting associated data (AD) or a session-ID (used to identify the operative key). To address these issues, we introduce anonymous AE, wherein ciphertexts must conceal their origin even when they are understood to encompass everything needed to decrypt (apart from the receiver’s secret state). We formalize a type of anonymous AE we call anAE, anonymous nonce-based AE, which generalizes and strengthens conventional nonce-based AE, nAE. We provide an efficient construction for anAE, NonceWrap, from an nAE scheme and a blockcipher. We prove NonceWrap secure. While anAE does not address privacy loss through traffic-flow analysis, it does ensure that ciphertexts, now more expansively construed, do not by themselves compromise privacy.
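The abstract describes two things a practitioner may want to see concretely: how a nonce or session-ID sent in the clear lets a passive observer link ciphertexts to a stream without any key, and what it means for a ciphertext to "encompass everything needed to decrypt" so that the receiver demultiplexes by itself. The Python below is an added illustration, not code from the paper, and it is not the paper's NonceWrap construction: a SHA-256 counter-mode stream plus HMAC stands in for the nAE scheme, a four-round HMAC-based Feistel network stands in for the blockcipher, and the keys, session IDs, counter nonces and messages are constructed for the demonstration. The names `nae_encrypt`, `prp_encrypt`, `anon_frame`, `anon_receive` and `link_by_prefix` are this example's own.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16   # nonce length in bytes; the toy blockcipher permutes 16-byte blocks
TAG = 16     # truncated HMAC tag length


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed PRF (HMAC-SHA256) with a domain-separation label."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


# ---- Toy nAE scheme (stand-in, not a production design): counter-mode keystream + HMAC ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))[:n]


def _tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Length-prefix the AD so (AD, N, C) is encoded unambiguously.
    return _prf(key, b"mac", len(ad).to_bytes(4, "big") + ad + nonce + ct)[:TAG]


def nae_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    ct = bytes(m ^ k for m, k in zip(msg, _keystream(key, nonce, len(msg))))
    return ct + _tag(key, nonce, ad, ct)


def nae_decrypt(key: bytes, nonce: bytes, ad: bytes, c: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(c) < TAG:
        return None
    ct, tag = c[:-TAG], c[-TAG:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ad, ct)):
        return None
    return bytes(x ^ k for x, k in zip(ct, _keystream(key, nonce, len(ct))))


# ---- Toy blockcipher (stand-in): 4-round Feistel on 16-byte blocks, HMAC round function ----
def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    left, right = block[:8], block[8:]
    for i in rounds:
        f = _prf(key, b"prp", bytes([i]) + right)[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))


def prp_decrypt(key: bytes, block: bytes) -> bytes:
    swapped = block[8:] + block[:8]            # swap halves, run the rounds backwards, swap back
    out = _feistel(key, swapped, range(3, -1, -1))
    return out[8:] + out[:8]


# ---- Conventional framing: session-ID and nonce travel in the clear next to the ciphertext ----
def conventional_frame(session_id: bytes, key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    return session_id + nonce + nae_encrypt(key, nonce, ad, msg)


def link_by_prefix(frames, prefix_len: int) -> dict:
    """What a keyless passive observer can do: count frames per cleartext prefix."""
    return dict(Counter(f[:prefix_len] for f in frames))


# ---- Anonymous framing: the frame is only ciphertext; the receiver demultiplexes itself ----
def anon_frame(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    # The nonce is enciphered under the key, so it looks random on the wire
    # even when the sender uses a plain counter.
    return prp_encrypt(key, nonce) + nae_encrypt(key, nonce, ad, msg)


def anon_receive(keyring: dict, ad: bytes, frame: bytes):
    """Trial-decrypt under every key in the keyring; returns (key_id, plaintext) or None."""
    enc_nonce, c = frame[:BLOCK], frame[BLOCK:]
    for key_id, key in keyring.items():
        nonce = prp_decrypt(key, enc_nonce)    # garbage under the wrong key ...
        msg = nae_decrypt(key, nonce, ad, c)   # ... so the tag check rejects it
        if msg is not None:
            return key_id, msg
    return None


def demo() -> dict:
    # Constructed keys, session IDs and counter nonces (not values from the paper).
    keys = {"alice": b"A" * 32, "bob": b"B" * 32}
    sids = {"alice": b"\x00\x00\x00\x01", "bob": b"\x00\x00\x00\x02"}
    sched = [("alice", 1), ("alice", 2), ("bob", 1), ("alice", 3), ("bob", 2)]
    conv = [conventional_frame(sids[w], keys[w], n.to_bytes(BLOCK, "big"), b"", b"hi") for w, n in sched]
    anon = [anon_frame(keys[w], n.to_bytes(BLOCK, "big"), b"", b"hi") for w, n in sched]
    return {
        "conventional_links": link_by_prefix(conv, 4),   # per-session counts, no key needed
        "anon_links": link_by_prefix(anon, 4),           # every frame in its own group
        "received": [anon_receive(keys, b"", f) for f in anon],
    }


if __name__ == "__main__":
    print(demo())
```

Two costs of the anonymous framing show up directly in `anon_receive`: demultiplexing is linear in the number of candidate keys, since the wire carries no hint of which key applies, and replay or nonce-reuse tracking now has to be kept per key after a successful trial decryption rather than read off a cleartext field. The AD is supplied by the receiver from context rather than transmitted, which is how the example avoids the AD leak the abstract mentions.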


Notes

  1. While we define anAE to accommodate this use case, it was pointless for TLS to put the length of the ciphertext in the AD: nAE ensures that ciphertexts are authenticated, which implies that their length is authenticated. Throwing |C| into the AD contributes nothing to security but does add complexity.


Acknowledgments

We thank Dan Bernstein for inspiring this work. Within the CAESAR call, he suggested the use of “secret message numbers” in lieu of nonces; in private communications with the second author, he asked how one might efficiently demultiplex multiple AE communication streams without having marked them in a privacy-compromising manner.

We thank the anonymous ASIACRYPT referees. Their comments brought home that anonymous AE was a concern that transcended our formulation of it. They suggested the name anAE.

This work was supported by NSF CNS 1717542 and NSF CNS 1314855. Many thanks to the NSF for their years of financial support.


Correspondence to John Chan.


Copyright information

© 2019 International Association for Cryptologic Research

About this paper


Cite this paper

Chan, J., Rogaway, P. (2019). Anonymous AE. In: Galbraith, S., Moriai, S. (eds.) Advances in Cryptology – ASIACRYPT 2019. Lecture Notes in Computer Science, vol. 11922. Springer, Cham. https://doi.org/10.1007/978-3-030-34621-8_7


  • DOI: https://doi.org/10.1007/978-3-030-34621-8_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34620-1

  • Online ISBN: 978-3-030-34621-8

