
Talk:Authenticated encryption

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 131.196.163.169 (talk) at 13:02, 26 November 2023 (→‎Repudiation: Reply). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

WikiProject Cryptography / Computer science: C-class, Mid-importance
This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-class on Wikipedia's content assessment scale.
This article has been rated as Mid-importance on the importance scale.
This article is supported by WikiProject Computer science (assessed as Mid-importance).
WikiProject Computing / Software: C-class, Low-importance
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-class on Wikipedia's content assessment scale.
This article has been rated as Low-importance on the project's importance scale.
This article is supported by WikiProject Software (assessed as Low-importance).
This article is supported by WikiProject Computer Security (assessed as Mid-importance).

History

From Block cipher modes of operation: ... After observing that compositing a confidentiality mode with an authenticity mode could be difficult and error prone, the cryptographic community began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive. The modes are referred to as authenticated encryption, AE, and authenc. Examples of authenticated encryption modes are CCM (SP800-38C), GCM (SP800-38D), CWC, EAX, IAPM, and OCB.

May 2002

Patents can be a bear for me because I'm not always aware of the minor legal issues. But I think this is one of the earliest Authenticated Encryption modes: US2003/0223585 A1, "Method and Apparatus for Performing Encryption and Authentication", May 2002 by Tardo and Matthews. It appears they perform the single pass operation (see the methods accompanying Figure 7), but it also appears that Authenticate and Encrypt (A&E) is performed. According to Krawczyk, A&E is insecure but I don't think it affects the legal standing of the "single pass" innovation.

May 2003

Kohno, Viega, Whiting, "CWC: A High-Performance Conventional Authenticated Encryption Mode", IACR, May 2003 (http://eprint.iacr.org/2003/106).

December 2003

Jutla, "Encryption Modes with Almost Free Message Integrity", Journal of Cryptography, December 2003 (http://www.springerlink.com/content/q615311611mx2057/).

Repudiation

Maybe it should be noted that authenticated encryption, being symmetric, cannot supply non-repudiation like a digital signature would. I.e. all parties which know the key can easily make authenticated messages. E.g. suppose Alice sends Bob a message "I, Alice, owe Bob $100". Bob keeps the message and eventually demands to be paid, but Alice now denies having sent the message. Suppose both agree to giving a trusted third party the key, then there is no way for this third party to tell whether the message was actually written by Alice, as it could equally have been written by Bob, who, by necessity, also knows the key. Likewise, Bob could have altered the message to read "I, Alice, owe Bob $1000" with no (cryptographic) way for the trusted third party to figure out who is telling the truth.

Non-repudiation can obviously be added on top of authenticated encryption by signing the authentication tag using an asymmetric algorithm. The default lack of non-repudiation is no criticism of AE, as it may not be required, is easily supplemented, and unavoidable in any purely symmetric cryptosystem. Aragorn2 (talk) 10:23, 19 June 2019 (UTC)

131.196.163.169 (talk) 13:02, 26 November 2023 (UTC)
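The Alice/Bob dispute from this thread, as an added example that is not part of the original discussion. It assumes a toy encrypt-then-MAC scheme built from HMAC-SHA256 in the Python standard library as a stand-in for a real AE mode; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _subkeys(shared_key: bytes):
    # Separate encryption and MAC keys derived from the one shared key.
    return _prf(shared_key, b"derive", b"enc"), _prf(shared_key, b"derive", b"mac")

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream (illustration only, not a vetted cipher).
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, b"ks", nonce + i.to_bytes(4, "big"))
                      for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(shared_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(shared_key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + _prf(mac_key, b"tag", nonce + ct)

def open_sealed(shared_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(shared_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, b"tag", nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct)

def arbitrate(shared_key: bytes, blob: bytes):
    # A third party given the key learns "made by a key holder", never which one.
    try:
        return open_sealed(shared_key, blob).decode()
    except ValueError:
        return None

def dispute():
    key = os.urandom(32)  # constructed sample key, held by both Alice and Bob
    from_alice = seal(key, b"I, Alice, owe Bob $100")
    from_bob = seal(key, b"I, Alice, owe Bob $1000")  # written by Bob himself
    outsider = seal(os.urandom(32), b"I, Alice, owe Bob $1000")  # no shared key
    return (arbitrate(key, from_alice), arbitrate(key, from_bob),
            arbitrate(key, outsider))

if __name__ == "__main__":
    print(dispute())
```

Both key holders' messages verify identically and only the outsider's is rejected, so the tag proves integrity and key possession but not authorship.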

Privacy vs. confidentiality

@Olivander1337: The term privacy is routinely used to define confidentiality in AEAD schemes. See, for example, the title of Mihir Bellare's paper [1]. I have no issue with adding a note that this use is not related to privacy preservation. Dimawik (talk) 15:14, 5 November 2023 (UTC)