Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in other words, it is unforgeable: the encrypted message includes an authentication tag that the sender can calculate only while possessing the secret key). Examples of encryption modes that provide AE are GCM, CCM.

Many (but not all) AE schemes allow the message to contain "associated data" (AD) which is not made confidential, but its integrity is protected (i.e., it is readable, but tampering with it will be detected). A typical example is the header of a network packet that contains its destination address. To properly route the packet, all intermediate nodes in the message path need to know the destination, but for security reasons they cannot possess the secret key. Schemes that allow associated data provide authenticated encryption with associated data, or AEAD.

Programming interface

A typical programming interface for an AE implementation provides the following functions:

- Encryption
  - Input: plaintext, key, and optionally a header (also known as additional authenticated data, AAD, or associated data, AD) in plaintext that will not be encrypted, but will be covered by authenticity protection.
  - Output: ciphertext and authentication tag (message authentication code or MAC).
- Decryption
  - Input: ciphertext, key, authentication tag, and optionally a header (if used during the encryption).
  - Output: plaintext, or an error if the authentication tag does not match the supplied ciphertext or header.

The header part is intended to provide authenticity and integrity protection for networking or storage metadata for which confidentiality is unnecessary, but authenticity is desired.

History

The need for authenticated encryption emerged from the observation that securely combining separate confidentiality and authentication block cipher operation modes could be error-prone and difficult. This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication.

Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in possibly secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable, IAPM, modes in 2000 (see OCB and chronology). Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009. More authenticated encryption methods were developed in response to NIST solicitation. Sponge functions can be used in duplex mode to provide authenticated encryption.

Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimum required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks.

In 2013, the CAESAR competition was announced to encourage design of authenticated encryption modes.

In 2015, ChaCha20-Poly1305 was added as an alternative AE construction to GCM in IETF protocols.

Variants

Authenticated encryption with associated data

Authenticated encryption with associated data (AEAD) is a variant of AE that allows the message to include "associated data" (AD, additional non-confidential information, a.k.a. "additional authenticated data", AAD). A recipient can check the integrity of both the associated data and the confidential information in a message. AD is useful, for example, in network packets where the header should be visible for routing, but the payload needs to be confidential, and both need integrity and authenticity. The notion of AEAD was formalized by Rogaway (2002).

Key-committing AEAD

AE was originally designed primarily to provide the ciphertext integrity: successful validation of an authentication tag by Alice using her symmetric key K_A indicates that the message was not tampered with by an adversary, Mallory, who does not possess K_A. AE schemes usually do not provide key commitment, a guarantee that the decryption would fail for any other key. As of 2021, most existing AE schemes (including the very popular GCM) allow some messages to be decoded without an error using more than just the (correct) K_A; while their plaintext decoded using a second (wrong) key K_M will be incorrect, the authentication tag would still match. Since crafting a message with such a property requires Mallory to already possess both K_A and K_M, the issue might appear to be one of purely academic interest. However, under special circumstances, practical attacks can be mounted against vulnerable implementations. For example, if an identity authentication protocol is based on successful decryption of a message that uses a password-based key, Mallory's ability to craft a single message that would be successfully decrypted using 1000 different keys associated with weak, and thus known to her, potential passwords, can speed up her search for passwords by a factor of almost 1000. For this dictionary attack to succeed, Mallory also needs an ability to distinguish successful decryption by Alice from an unsuccessful one, due, for example, to a poor protocol design or implementation turning Alice's side into an oracle. Naturally, this attack cannot be mounted at all when the keys are generated randomly.

Key commitment was originally studied in the 2010s by Abdalla et al. and Farshim et al. under the name "robust encryption".

To mitigate the attack described above without removing the "oracle", a key-committing AEAD that does not allow this type of crafted messages to exist can be used. AEGIS is an example of a fast (if the AES instruction set is present), key-committing AEAD. It is possible to add key-commitment to an existing AEAD scheme.

Approaches to authenticated encryption

Encrypt-then-MAC (EtM)

[Figure: EtM approach]

The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. EtM is the standard method according to ISO/IEC 19772:2009. It is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable". IPSec adopted EtM in 2005. In November 2014, TLS and DTLS received extensions for EtM with RFC 7366. Various EtM ciphersuites exist for SSHv2 as well (e.g., hmac-sha1-etm@openssh.com).

Encrypt-and-MAC (E&M)

[Figure: E&M approach]

A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, e.g., SSH. Even though the E&M approach has not been proved to be strongly unforgeable in itself, it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.

MAC-then-Encrypt (MtE)

[Figure: MtE approach]

A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Until TLS 1.2, all available SSL/TLS cipher suites were MtE.

MtE has not been proven to be strongly unforgeable in itself. The SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism. However, Krawczyk's proof contains flawed assumptions about the randomness of the initialization vector (IV). The 2011 BEAST attack exploited the non-random chained IV and broke all CBC algorithms in TLS 1.0 and under.

In addition, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.

See also

- Block cipher mode of operation
- CCM mode
- CWC mode
- OCB mode
- EAX mode
- GCM
- GCM-SIV
- ChaCha20-Poly1305
- SGCM
- Signcryption

References

1. Black 2005, p. 1.
2. Katz & Lindell 2020, p. 116.
3. Black 2005, p. 2.
4. M. Bellare; P. Rogaway; D. Wagner. "A Conventional Authenticated-Encryption Mode" (PDF). NIST. Retrieved March 12, 2013. "people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)"
5. T. Kohno; J. Viega & D. Whiting. "The CWC Authenticated Encryption (Associated Data) Mode" (PDF). NIST. Retrieved March 12, 2013. "it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes"
6. "Failures of secret-key cryptography" (PDF). Daniel J. Bernstein. Archived from the original (PDF) on April 18, 2013. Retrieved March 12, 2013.
7. Jutla, Charanjit S. (2000-08-01). "Encryption Modes with Almost Free Message Integrity". Cryptology ePrint Archive: Report 2000/039. Proceedings IACR EUROCRYPT 2001. IACR. Retrieved 2013-03-16.
8. T. Krovetz; P. Rogaway (2011-03-01). "The Software Performance of Authenticated-Encryption Modes" (PDF). Fast Software Encryption 2011 (FSE 2011). IACR.
9. "Information technology -- Security techniques -- Authenticated encryption". 19772:2009. ISO/IEC. Retrieved March 12, 2013.
10. "Encryption modes development". NIST. Retrieved April 17, 2013.
11. The Keccak Team. "Duplexing The Sponge" (PDF).
12. Katz, J.; Yung, M. (2001). "Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation". In B. Schneier (ed.). Fast Software Encryption (FSE): 2000 Proceedings. Lecture Notes in Computer Science. Vol. 1978. pp. 284–299. doi:10.1007/3-540-44706-7_20. ISBN 978-3-540-41728-6.
13. "CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness". Retrieved March 12, 2013.
14. Albertini et al. 2020, pp. 1–2.
15. Albertini et al. 2020, p. 2.
16. Len, Julia; Grubbs, Paul; Ristenpart, Thomas (2021). Partitioning Oracle Attacks. USENET '21. pp. 195–212.
17. Abdalla, Bellare & Neven 2010, pp. 480–497.
18. Farshim et al. 2013, pp. 352–368.
19. Bellare & Hoang 2022, p. 5.
20. Denis, Frank. "The AEGIS Family of Authenticated Encryption Algorithms". cfrg.github.io.
21. Gueron, Shay (2020). "Key Committing AEADs" (PDF).
22. poncho. "Key Committing AEADs". Cryptography Stack Exchange. Retrieved 21 February 2024. (See also the comment section discussing a revised libsodium recommendation for adding key-commitment.)
23. "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm". M. Bellare and C. Namprempre. Archived from the original on January 23, 2018. Retrieved April 13, 2013.
24. "Separate Confidentiality and Integrity Algorithms". RFC 4303 - IP Encapsulating Security Payload (ESP). Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
25. "Data Integrity". RFC 4253. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
26. Bellare, Mihir; Kohno, Tadayoshi; Namprempre, Chanathip. "Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm" (PDF). ACM Transactions on Information and System Security. Retrieved 30 August 2021.
27. Rescorla, Eric; Dierks, Tim (August 2008). "Record Payload Protection". RFC 5246. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
28. "The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)" (PDF). H. Krawczyk. Retrieved April 13, 2013.
29. Duong, Thai; Rizzo, Juliano (May 13, 2011). "Here Come The ⊕ Ninjas" (PDF). – BEAST attack whitepaper

General

- Bellare, M.; Namprempre, C. (2000), "Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm", in T. Okamoto (ed.), Advances in Cryptology — ASIACRYPT 2000 (PDF), Lecture Notes in Computer Science, vol. 1976, Springer-Verlag, pp. 531–545, doi:10.1007/3-540-44448-3_41, ISBN 978-3-540-41404-9

Sources

- Katz, J.; Lindell, Y. (2020). Introduction to Modern Cryptography. Chapman & Hall/CRC Cryptography and Network Security Series. CRC Press. ISBN 978-1-351-13301-2. Retrieved 2023-06-08.
- Black, J. (2005). "Authenticated encryption". Encyclopedia of Cryptography and Security. Springer US. pp. 11–21. doi:10.1007/0-387-23483-7_15. ISBN 978-0-387-23473-1.
- Albertini, Ange; Duong, Thai; Gueron, Shay; Kölbl, Stefan; Luykx, Atul; Schmieg, Sophie (2020). "How to Abuse and Fix Authenticated Encryption Without Key Commitment" (PDF). USENIX.
- Bellare, Mihir; Hoang, Viet Tung (2022). "Efficient Schemes for Committing Authenticated Encryption" (PDF). EUROCRYPT 2022.
- Abdalla, Michel; Bellare, Mihir; Neven, Gregory (2010). "Robust Encryption". Theory of Cryptography. Vol. 5978. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-642-11799-2_28. ISBN 978-3-642-11798-5.
- Farshim, Pooya; Libert, Benoît; Paterson, Kenneth G.; Quaglia, Elizabeth A. (2013). "Robust Encryption, Revisited". Public-Key Cryptography – PKC 2013. Vol. 7778. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-642-36362-7_22. ISBN 978-3-642-36361-0.
- Chan, John; Rogaway, Phillip (2022). "On Committing Authenticated-Encryption". Computer Security – ESORICS 2022. Vol. 13555. Cham: Springer Nature Switzerland. doi:10.1007/978-3-031-17146-8_14. ISBN 978-3-031-17145-1.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.