Reference: ACM Conference on Computer and Communications Security (CCS'02), pp. 98-107, ACM press, 2002.
When a message is transformed into a ciphertext in a way
designed to protect both its privacy and authenticity,
there may be additional information, such as a packet header,
that travels alongside the ciphertext (at least conceptually)
and must get authenticated with it.
We formalize and investigate this
authenticated-encryption with associated-data (AEAD) problem.
Though the problem has long been addressed in cryptographic practice,
it was never provided a definition or even a name.
We do this, and go on to look at efficient solutions for AEAD,
both in general and for the authenticated-encryption scheme OCB.
For the general setting we study two simple ways to turn an
authenticated-encryption scheme that does not support associated-data
into one that does:
nonce stealing and ciphertext translation
For the case of OCB
we construct an AEAD-scheme
by combining OCB and the pseudorandom function PMAC,
using the same key for both algorithms.
We prove that, despite "interaction"
between the two schemes when using a common key,
the combination is sound.
We also consider achieving AEAD by the generic composition of
a nonce-based, privacy-only encryption scheme and a pseudorandom function.
Availability: pdf or ps
Rogaway's home page.