Lower bound on linear authenticated encryption


Abstract

We show that any scheme to encrypt m blocks of size n bits each, which assures message integrity, is linear in (GF2)^n, uses m + k invocations of random functions (from n bits to n bits) and u·n bits of randomness, must have k + u at least Ω(log m). This lower bound is proved in a very general model which rules out many promising linear modes of operations for encryption with message integrity. This lower bound is tight as in an earlier paper "Encryption Modes with Almost Free Message Integrity", Proc. Eurocrypt 2001, we show a linear scheme to encrypt m blocks while assuring message integrity by using only m + 2 + log m invocations of random permutations. © Springer-Verlag Berlin Heidelberg 2004.


Jutla, C. S. (2004). Lower bound on linear authenticated encryption. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3006, 348–360. https://doi.org/10.1007/978-3-540-24654-1_25
