| This thesis studies authenticated encryption, a transform whose security goal is to achieve both privacy and authenticity simultaneously. We look at authenticated encryption in both symmetric and asymmetric settings.; In the symmetric setting, we examine the security of a popular paradigm called encryption-with-redundancy, where some “redundancy” is appended to the data before encrypting. The redundancy is computed by applying a redundancy function to the data. We investigate the security of the paradigm at both a general and a specific level, based on the security of the base primitives (i.e. the encryption scheme and the redundancy function).; For authenticated encryption in the asymmetric setting, we provide security definitions including two new notions of authenticity. We then give security analyses of the following three generic methods used for constructing authenticated encryption schemes based on an encryption and a signature scheme: Encrypt-and-Sign, Sign-then-Encrypt, and Encrypt-then-Sign. We also give a generic and a specific construction of authenticated encryption schemes, where the former meets all the security notions we defined, and the latter is an efficient construction that provides “reasonable” security guarantees.; We also provide security analyses of iterated constructions of MACs, which are important tools in constructing authenticated encryption schemes in the symmetric setting. |
