Search results for: authenticated cipher

Number of results: 16348

Journal: IACR Cryptology ePrint Archive 2006
Stéphanie Alt

Authenticated encryption schemes used in order to send one message to one recipient have received considerable attention in the last years. We investigate the case of schemes, we call authenticated 1→n schemes, that allow one to encrypt efficiently in a public-key setting a message for several, say n, recipients in an authenticated manner. We propose formal security definitions for such schemes...

Journal: IACR Cryptology ePrint Archive 2015
Tomer Ashur, Bart Mennink

Pure OMD is an authenticated encryption mode that will be presented by Reyhanitabar et al. at FSE 2015. It is (among others) claimed to achieve authenticity against nonce-misusing adversaries. We show that this claim is incorrect, by presenting an adversary that makes 3 queries (including the forgery) of a total complexity 6.

Journal: IACR Cryptology ePrint Archive 2013
Kazuhiko Minematsu

A new authenticated encryption (AE) mode for blockcipher is presented. The proposed scheme has attractive features for fast and compact operation. It requires rate-1 blockcipher call, and uses the encryption function of a blockcipher for both encryption and decryption. Moreover, the scheme enables one-pass, parallel operation under two-block partition. The proposed scheme thus attains similar c...

Journal: IACR Cryptology ePrint Archive 2009
Mohamed Abo El-Fotouh, Klaus Diepold

In [9], GSCM mode of operation for authenticated encryption was presented. GSCM is based on the Galois/Counter Mode (GCM). GSCM is an enhancement of GCM, which is characterized by its high throughput and low memory consumption in network applications. In this paper, we propose some enhancements to GSCM and compare it with the different implementations of GCM. We present stability, performance, ...

2009
Tetsu Iwata, Kan Yasuda

We propose the HBS (Hash Block Stealing) mode of operation. This is the first single-key mode that provably achieves the goal of providing deterministic authenticated encryption. The authentication part of HBS utilizes a newly-developed, vector-input polynomial hash function. The encryption part uses a blockcipher-based, counter-like mode. These two parts are combined in such a way as the numbe...

2005
John Erik Mathiassen

In this paper we present an improvement of the collision attack [1] on the authenticated encryption mode of operation OCB. [1] presents a detection of collision method and a way to use the collision, and it is possible to use the information from a collision to change some blocks of the message unnoticed, if they have a special property. We found a way to use the information from a collision to...

Journal: IACR Transactions on Symmetric Cryptology 2022

The OCB mode of operation for block ciphers has three variants, OCB1, OCB2 and OCB3. OCB1 and OCB3 can be used as secure authenticated encryption schemes whereas OCB2 has been shown to be classically insecure (Inoue et al., Crypto 2019). Even further, in the presence of quantum queries to the functionality, a series of works by Kaplan et al. (Crypto 2016), Bhaumik (Asiacrypt 2021) and Bonnetain have shown how to break the unforgeability of the modes...

2007
Zhiguo Wan, Robert H. Deng, Feng Bao, Bart Preneel

Although two-party password-authenticated key exchange (PAKE) protocols have been intensively studied in recent years, group PAKE protocols have received little attention. In this paper, we propose a hierarchical group PAKE protocol nPAKE protocol under the setting where each party shares an independent password with a trusted server. The nPAKE protocol is a novel combination of the hierarchica...

2005
Bart Preneel

An n-bit block cipher with a k-bit key is a set of 2^k bijections on n-bit strings. A block cipher is a flexible building block; it can be used for encryption and authenticated encryption, to construct MAC algorithms and hash functions. When a block cipher is used for confidentiality protection, the security goal is to prevent a passive eavesdropper with limited computational power to learn any i...

2002
Jonathan Katz, Rafail Ostrovsky, Moti Yung

Password-only authenticated key exchange (PAKE) protocols are designed to be secure even when users choose short, easily-guessed passwords. Security requires, in particular, that the protocol cannot be broken by an off-line dictionary attack in which an adversary enumerates all possible passwords in an attempt to determine the correct one based on previously-viewed transcripts. Recently, provably...
