UC Davis

Authenticated encryption (AE) is a cryptographic primitiveproviding message privacy and authenticity simultaneously. From a standard definition of AE, several natural assumptions may arise. (1) An observer of an encrypted message learns nothing about its origin. (2) If one attempts to decrypt a ciphertext using a different key (or any other decryption input) from what was used at encryption, then decryption should fail. One might conclude the former from promises of privacy and the latter from promises of authenticity.

We observe that the validity of those assumptions do notfollow from standard AE definitions of privacy and authenticity. For (1), when sending a ciphertext, there is typically other information sent along with it. This information, commonly referred to as metadata, can be message numbers that mark the message's position in a sequence or information that identifies the sender among other possibilities. For (2), it is possible to validly decrypt a ciphertext with the ``wrong'' arguments.

This dissertation's main contribution consists of definitions and constructions that address these assumptions. With respect to the first, it offers an AE variant, anonymous AE (anAE)---a primitive that folds all cryptographically relevant metadata directly into its ciphertexts. For the second, it furthers the study of committing AE (cAE)---a variant of AE that ensures that decryption of a ciphertext is only possible with the ``correct'' inputs. These two primitives provide security that users may have mistakenly assumed AE satisfied. Lastly, we give concrete constructions for these primitives along with their proofs of security.