Authenticated encryption

Authenticated encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in other words, it is unforgeable: the encrypted message includes an authentication tag that the sender can calculate only while possessing the secret key). Examples of encryption modes that provide AE are GCM and CCM.

Many (but not all) AE schemes allow the message to contain "associated data" (AD) which is not made confidential, but its integrity is protected (i.e., it is readable, but tampering with it will be detected). A typical example is the header of a network packet that contains its destination address. To properly route the packet, all intermediate nodes in the message path need to know the destination, but for security reasons they cannot possess the secret key. Schemes that allow associated data provide authenticated encryption with associated data, or AEAD.

Programming interface

A typical programming interface for an AE implementation provides the following functions:

Encryption
    Input: plaintext, key, and optionally a header (also known as additional authenticated data, AAD, or associated data, AD) in plaintext that will not be encrypted, but will be covered by authenticity protection.
    Output: ciphertext and authentication tag (message authentication code or MAC).
Decryption
    Input: ciphertext, key, authentication tag, and optionally a header (if used during the encryption).
    Output: plaintext, or an error if the authentication tag does not match the supplied ciphertext or header.

The header part is intended to provide authenticity and integrity protection for networking or storage metadata for which confidentiality is unnecessary, but authenticity is desired.

History

The need for authenticated encryption emerged from the observation that securely combining separate confidentiality and authentication block cipher operation modes could be error prone and difficult. This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication.

Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in possibly secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable, IAPM, modes in 2000 (see OCB and chronology). Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009. More authenticated encryption methods were developed in response to NIST solicitation. Sponge functions can be used in duplex mode to provide authenticated encryption.

Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimum required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks.

In 2013, the CAESAR competition was announced to encourage design of authenticated encryption modes.

In 2015, ChaCha20-Poly1305 was added as an alternative AE construction to GCM in IETF protocols.

Variants

Authenticated encryption with associated data

Authenticated encryption with associated data (AEAD) is a variant of AE that allows the message to include "associated data" (AD, additional non-confidential information, a.k.a. "additional authenticated data", AAD). A recipient can check the integrity of both the associated data and the confidential information in a message. AD is useful, for example, in network packets where the header should be visible for routing, but the payload needs to be confidential, and both need integrity and authenticity. The notion of AEAD was formalized by Rogaway (2002).

Key-committing AEAD

AE was originally designed primarily to provide the ciphertext integrity: successful validation of an authentication tag by Alice using her symmetric key K_A indicates that the message was not tampered with by an adversary Mallory that does not possess the K_A. The AE schemes usually do not provide the key commitment, a guarantee that the decryption would fail for any other key. As of 2021, most existing AE schemes (including the very popular GCM) allow some messages to be decoded without an error using more than just the (correct) K_A; while their plaintext decoded using a second (wrong) key K_M will be incorrect, the authentication tag would still match. Since crafting a message with such property requires Mallory to already possess both K_A and K_M, the issue might appear to be one of a purely academic interest. However, under special circumstances, practical attacks can be mounted against vulnerable implementations. For example, if an identity authentication protocol is based on successful decryption of a message that uses a password-based key, Mallory's ability to craft a single message that would be successfully decrypted using 1000 different keys associated with weak, and thus known to her, potential passwords, can speed up her search for passwords by a factor of almost 1000. For this dictionary attack to succeed, Mallory also needs an ability to distinguish successful decryption by Alice from an unsuccessful one, due, for example, to a poor protocol design or implementation turning Alice's side into an oracle. Naturally, this attack cannot be mounted at all when the keys are generated randomly.

Key commitment was originally studied in the 2010s by Abdalla et al. and Farshim et al. under the name "robust encryption".

To mitigate the attack described above without removing the "oracle", a key-committing AEAD that does not allow crafted messages of this type to exist can be used. AEGIS is an example of a fast (if the AES instruction set is present) key-committing AEAD. It is possible to add key-commitment to an existing AEAD scheme.

Approaches to authenticated encryption

Encrypt-then-MAC (EtM)

The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. EtM is the standard method according to ISO/IEC 19772:2009. It is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable". IPsec adopted EtM in 2005. In November 2014, TLS and DTLS received extensions for EtM with RFC 7366. Various EtM ciphersuites exist for SSHv2 as well (e.g., …).

Encrypt-and-MAC (E&M)

A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, e.g., SSH. Even though the E&M approach has not been proved to be strongly unforgeable in itself, it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.

MAC-then-Encrypt (MtE)

A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Until TLS 1.2, all available SSL/TLS cipher suites were MtE.

MtE has not been proven to be strongly unforgeable in itself. The SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk, who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism. However, Krawczyk's proof contains flawed assumptions about the randomness of the initialization vector (IV). The 2011 BEAST attack exploited the non-random chained IV and broke all CBC algorithms in TLS 1.0 and under.

In addition, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.

See also

Block cipher mode of operation
CCM mode
CWC mode
OCB mode
EAX mode
GCM
GCM-SIV
ChaCha20-Poly1305
SGCM
Signcryption

References

1. Black 2005, p. 1.
2. Katz & Lindell 2020, p. 116.
3. Black 2005, p. 2.
4. M. Bellare; P. Rogaway; D. Wagner. "A Conventional Authenticated-Encryption Mode" (PDF). NIST. Retrieved March 12, 2013.
5. T. Kohno; J. Viega; D. Whiting. "The CWC Authenticated Encryption (Associated Data) Mode" (PDF). NIST. Retrieved March 12, 2013.
6. "it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" – "Failures of secret-key cryptography" (PDF). Daniel J. Bernstein. Archived from the original (PDF) on April 18, 2013. Retrieved March 12, 2013.
7. Jutla, Charanjit S. (2000-08-01). "Encryption Modes with Almost Free Message Integrity". Cryptology ePrint Archive: Report 2000/039. Proceedings IACR EUROCRYPT 2001. IACR. Retrieved 2013-03-16.
8. T. Krovetz; P. Rogaway (2011-03-01). "The Software Performance of Authenticated-Encryption Modes" (PDF). Fast Software Encryption 2011 (FSE 2011). IACR.
9. "Information technology -- Security techniques -- Authenticated encryption". 19772:2009. ISO/IEC. Retrieved March 12, 2013.
10. "Encryption modes development". NIST. Retrieved April 17, 2013.
11. The Keccak Team. "Duplexing The Sponge" (PDF).
12. Katz, J.; Yung, M. (2001). "Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation". In B. Schneier (ed.). Fast Software Encryption (FSE): 2000 Proceedings. Lecture Notes in Computer Science. Vol. 1978. pp. 284–299. doi:10.1007/3-540-44706-7_20. ISBN 978-3-540-41728-6.
13. "CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness". Retrieved March 12, 2013.
14. Albertini et al. 2020, pp. 1–2.
15. Albertini et al. 2020, p. 2.
16. Len, Julia; Grubbs, Paul; Ristenpart, Thomas (2021). Partitioning Oracle Attacks. USENIX Security '21. pp. 195–212.
17. Abdalla, Bellare & Neven 2010, pp. 480–497.
18. Farshim et al. 2013, pp. 352–368.
19. Bellare & Hoang 2022, p. 5.
20. Denis, Frank. "The AEGIS Family of Authenticated Encryption Algorithms". cfrg.github.io.
21. Gueron, Shay (2020). "Key Committing AEADs" (PDF).
22. poncho. "Key Committing AEADs". Cryptography Stack Exchange. Retrieved 21 February 2024. (See also the comment section discussing a revised libsodium recommendation for adding key-commitment.)
23. "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm". M. Bellare and C. Namprempre. Archived from the original on January 23, 2018. Retrieved April 13, 2013.
24. "Separate Confidentiality and Integrity Algorithms". RFC 4303 - IP Encapsulating Security Payload (ESP). Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
25. "Data Integrity". RFC 4253. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
26. Bellare, Mihir; Kohno, Tadayoshi; Namprempre, Chanathip. "Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm" (PDF). ACM Transactions on Information and System Security. Retrieved 30 August 2021.
27. Rescorla, Eric; Dierks, Tim (August 2008). "Record Payload Protection". RFC 5246. Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
28. "The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)" (PDF). H. Krawczyk. Retrieved April 13, 2013.
29. Duong, Thai; Rizzo, Juliano (May 13, 2011). "Here Come The ⊕ Ninjas" (PDF) – BEAST attack whitepaper.

General

Bellare, M.; Namprempre, C. (2000), "Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm", in T. Okamoto (ed.), Advances in Cryptology — ASIACRYPT 2000 (PDF), Lecture Notes in Computer Science, vol. 1976, Springer-Verlag, pp. 531–545, doi:10.1007/3-540-44448-3_41, ISBN 978-3-540-41404-9.

Sources

Katz, J.; Lindell, Y. (2020). Introduction to Modern Cryptography. Chapman & Hall/CRC Cryptography and Network Security Series. CRC Press. ISBN 978-1-351-13301-2. Retrieved 2023-06-08.
Black, J. (2005). "Authenticated encryption". Encyclopedia of Cryptography and Security. Springer US. pp. 11–21. doi:10.1007/0-387-23483-7_15. ISBN 978-0-387-23473-1.
Albertini, Ange; Duong, Thai; Gueron, Shay; Kölbl, Stefan; Luykx, Atul; Schmieg, Sophie (2020). "How to Abuse and Fix Authenticated Encryption Without Key Commitment" (PDF). USENIX.
Bellare, Mihir; Hoang, Viet Tung (2022). "Efficient Schemes for Committing Authenticated Encryption" (PDF). EUROCRYPT 2022.
Abdalla, Michel; Bellare, Mihir; Neven, Gregory (2010). "Robust Encryption". Theory of Cryptography. Vol. 5978. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-642-11799-2_28. ISBN 978-3-642-11798-5.
Farshim, Pooya; Libert, Benoît; Paterson, Kenneth G.; Quaglia, Elizabeth A. (2013). "Robust Encryption, Revisited". Public-Key Cryptography – PKC 2013. Vol. 7778. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-642-36362-7_22. ISBN 978-3-642-36361-0.
Chan, John; Rogaway, Phillip (2022). "On Committing Authenticated-Encryption". Computer Security – ESORICS 2022. Vol. 13555. Cham: Springer Nature Switzerland. doi:10.1007/978-3-031-17146-8_14. ISBN 978-3-031-17145-1.

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.