
On The Design And Analysis Of Authenticated Encryption

Posted on: 2019-01-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P Zhang
GTID: 1318330542997980
Subject: Information and Communication Engineering

Abstract/Summary:
An authenticated encryption (AE) scheme is a cryptographic scheme that uses symmetric ciphers to provide both privacy and authenticity in practice. It has been widely applied in many fields and continues to produce a steady stream of research results. The design of AE schemes involves logical operations, S-boxes, AES round functions, block ciphers, permutations, compression functions, stream ciphers, tweakable ciphers, and so on, and covers all aspects of symmetric ciphers. AE schemes can be divided into block-cipher-based, permutation-based, compression-function-based, and tweakable-cipher-based AE modes of operation, and stream-cipher-based, logical-operation-based, S-box-based, and AES-round-function-based dedicated AE algorithms. This dissertation mainly focuses on the design of AE modes of operation.

This dissertation first describes the research background, the research significance, and the current research status of AE schemes, and identifies some key issues that should be considered in the design of AE schemes. Then, considering these key issues, we research and discuss the design and analysis of AE schemes. We use the theory of provable security, especially the H-coefficients technique, which has not yet received wide attention, and emphasize the importance of the H-coefficients technique in the design and analysis of AE modes of operation.

The specific research contents and innovation points of this dissertation are described as follows:

1. Propose two classes of block-cipher-based AE modes of operation with close-to-optimal security. Considering the key issue that GCM has wide applications but only ensures birthday-bound security, we introduce an Encrypted Davies-Meyer (EDM) construction and its dual construction EDMD, and describe two classes of block-cipher-based AE modes of operation with close-to-optimal security. Then, we present the security proofs and the efficiency analyses of the new AE schemes. The result shows that if the underlying block cipher is a secure pseudorandom permutation (PRP), then the new AE schemes are proven close-to-optimally secure. Moreover, compared with other beyond-birthday-bound-secure (BBB-secure) AE schemes, the new AE schemes also have better performance.

2. Propose a class of parallelizable on-line permutation-based AE mode of operation with related-key security. Considering the key issue that there is no parallelizable on-line permutation-based AE mode, we introduce a parallelizable on-line construction, add a tweak as an extra input, and describe a class of parallelizable on-line permutation-based AE mode of operation with related-key security. We formally define the security models of tweakable on-line AE schemes in the single-key and related-key settings, and verify the provable security of our proposed new AE scheme by using the H-coefficients technique. The result shows that if the underlying permutation is a secure ideal/random permutation, then the new AE scheme is proven related-key secure. Moreover, compared with block-cipher-based AE schemes and other permutation-based AE schemes, the new AE scheme has better performance.

3. Propose two classes of compression-function-based AE modes of operation with close-to-optimal security. Considering the key issue that there is no BBB-secure compression-function-based AE mode, we introduce a randomized encryption mode and describe, for the first time, two classes of compression-function-based AE modes of operation with close-to-optimal security. Then, we present the security proofs and the efficiency analyses of the new AE schemes. The result shows that if the underlying compression function is a secure pseudorandom function (PRF), then the privacy of RWCTR ensures at most about (n-2)-bit security and the authenticity of RWCTR ensures at most about (n-log n)-bit security, while the privacy of RWCTRN enjoys at most about (n-2)-bit security and the authenticity of RWCTRN enjoys at most about (n-log n)-bit security in the nonce initial-vector (IV) scenario, and the privacy and authenticity of RWCTRN guarantee at most about n/2-bit security in the arbitrary IV scenario, where n is the block size. Moreover, compared with other compression-function-based AE schemes, the new AE schemes not only have better security but also higher performance.

4. Propose a class of tweakable-cipher-based AE mode of operation with integrity under releasing unverified plaintext (INT-RUP). Considering the open problem presented by Rogaway et al. of whether there exists an efficient way to fix OCB to be INT-RUP, we focus on the weakness of the checksum processing of OCB, show that the plaintext checksum is vulnerable in the INT-RUP security model, and present an attack on AE schemes with plaintext and ciphertext checksum (PCC) in the INT-RUP security model. To fix the security flaw of PCC, we provide a new intermediate checksum (IC) construction, apply it to OCB, and present a new OCB scheme with intermediate checksum (OCB-IC). The result shows that OCB-IC settles the INT-RUP security flaw of OCB and is proven birthday-bound secure in the INT-RUP security model. The proposed IC approach provides a new direction for settling the security of "rate-1" AE schemes in the releasing unverified plaintext (RUP) setting.

Finally, we summarize the dissertation and put forward further research directions and future work.
Keywords/Search Tags: Authenticated Encryption (AE), Symmetric Cipher, Provable Security, Optimal Security, Related-Key Security, Misuse Resistant