Authenticated-encryption with associated-data

Phillip Rogaway
2002 Proceedings of the 9th ACM conference on Computer and communications security - CCS '02  
When a message is transformed into a ciphertext in a way designed to protect both its privacy and authenticity, there may be additional information, such as a packet header, that travels alongside the ciphertext (at least conceptually) and must get authenticated with it. We formalize and investigate this authenticated-encryption with associated-data (AEAD) problem. Though the problem has long been addressed in cryptographic practice, it was never provided a definition or even a name. We do ... and go on to look at efficient solutions for AEAD, both in general and for the authenticated-encryption scheme OCB. For the general setting we study two simple ways to turn an authenticated-encryption scheme that does not support associated-data into one that does: nonce stealing and ciphertext translation. For the case of OCB we construct an AEAD-scheme by combining OCB and the pseudorandom function PMAC, using the same key for both algorithms. We prove that, despite "interaction" between the two schemes when using a common key, the combination is sound. We also consider achieving AEAD by the generic composition of a nonce-based, privacy-only encryption scheme and a pseudorandom function.
doi:10.1145/586110.586125 dblp:conf/ccs/Rogaway02 fatcat:sanmlcvzvnfgndnhsguoyawke4