本文为英国伦敦大学（作者：Jean Paul Degabriele）的博士论文，共182页。

认证加密是指同时提供消息机密性和消息真实性的加密方案，它是几乎所有实际使用的密码协议的重要组成部分。本文旨在缩小实际应用中的认证加密与在理论密码学框架下研究的认证加密之间的差距。我们研究了当前技术无法捕获的某些类型的攻击，并展示了如何通过扩展现有的安全模型来捕获更广泛的攻击阵列来解决这一问题。我们从IPsec的一个案例研究开始：一种广泛部署的安全协议，用于跨Internet和其他网络来保护数据。尽管IPsec很受欢迎，但它的安全性并没有得到太多的正式处理。作为一种安全协议，它提供了相对较高的可配置性，以适应多种使用场景。我们在此提出一组新的有效攻击，这些攻击完全破坏了IPsec标准允许的一半配置的机密性。接下来，我们将注意力转移到增强安全模型上。我们特别考虑利用可区分的解密失败和密文碎片的攻击。最近针对实用密码系统的一些攻击，包括我们对IPsec的攻击，属于这两类攻击之一。我们扩展了现有的安全模型来捕获此类攻击，并制定了新的安全概念来捕获在这种新环境中出现的漏洞。然后我们继续探讨这些概念之间的关系，并构造满足我们的安全概念的认证加密方案。

Authenticated encryption refers to a classof cryptographic schemes that simultaneously provide message confidentialityand message authenticity. It is an essential component of almost everycryptographic protocol that is used in practice. In this thesis we aim tonarrow the gap that exists between authenticated encryption as used inpractice, and authenticated encryption as studied in the framework oftheoretical cryptography. We examine how certain types of attacks are not capturedby the current techniques, and show how this can be remedied by expandingexisting security models to capture a wider array of attacks. We begin with acase study of IPsec: a widely deployed security protocol for protecting dataacross the Internet and other networks. Despite its popularity, IPsec’ssecurity has not received much formal treatment. As a security protocol itoffers a relatively high degree of configurability, so as to accommodatemultiple usage scenarios. We here present a new set of efficient attacks thatfully break the confidentiality of half of the configurations that arepermitted by the IPsec standard. Next we turn our attention to the enhancementof security models. In particular we consider attacks that exploitdistinguishable decryption failures and ciphertext fragmentation. A number ofrecent attacks against practical cryptosystems, including our attacks on IPsec,fall in one of these two categories. We extend the current security models tocapture such attacks, and formulate new security notions to capturevulnerabilities that arise in this new setting. We then go on to explore howthese notions relate to each other, and construct authenticated encryptionschemes that satisfy our security notions.

1. 引言

2. 对称加密

3. 安全网络协议

4. 针对IPsec的新攻击

5. 可识别的解密失败

6. 密文碎片

更多精彩文章请关注公众号：