Anonymous AE

The customary formulation of authenticated encryption (AE) requires the decrypting party to supply the correct nonce with each ciphertext it decrypts. To enable this, the nonce is often sent in the clear alongside the ciphertext. But doing this can forfeit anonymity and degrade usability. Anonymity can also be lost by transmitting associated data (AD) or a session-ID (used to identify the operative key). To address these issues, we introduce anonymous AE, wherein ciphertexts must conceal their origin even when they are understood to encompass everything needed to decrypt (apart from the receiver’s secret state). We formalize a type of anonymous AE we call anAE, anonymous noncebased AE, which generalizes and strengthens conventional nonce-based AE, nAE. We provide an efficient construction for anAE, NonceWrap, from an nAE scheme and a blockcipher. We prove NonceWrap secure. While anAE does not address privacy loss through traffic-flow analysis, it does ensure that ciphertexts, now more expansively construed, do not by themselves compromise privacy.

[1]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[2]  Tadayoshi Kohno,et al.  Building Secure Cryptographic Transforms, or How to Encrypt and MAC , 2003, IACR Cryptol. ePrint Arch..

[3]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[4]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[5]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[6]  Phillip Rogaway,et al.  Simplifying Game-Based Definitions: Indistinguishability up to Correctness and Its Application to Stateful AE , 2018, IACR Cryptol. ePrint Arch..

[7]  Eric Rescorla,et al.  The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 , 2020, RFC.

[8]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)* , 2001, Journal of Cryptology.

[9]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[10]  David A. McGrew,et al.  An Interface and Algorithms for Authenticated Encryption , 2008, RFC.

[11]  Britta Hale,et al.  From Stateless to Stateful: Generic Authentication and Authenticated Encryption Constructions with Application to TLS , 2015, CT-RSA.

[12]  Stefan Lucks,et al.  General classification of the authenticated encryption schemes for the CAESAR competition , 2016, Comput. Sci. Rev..

[13]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[14]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[15]  Chanathip Namprempre,et al.  Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm , 2004, TSEC.

[16]  Chanathip Namprempre,et al.  AE5 Security Notions: Definitions Implicit in the CAESAR Call , 2013, IACR Cryptol. ePrint Arch..

[17]  Mihir Bellare,et al.  Nonces are Noticed: AEAD Revisited , 2019, IACR Cryptol. ePrint Arch..

[18]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..