Paper 2000/025

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Mihir Bellare and Chanathip Namprempre


An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them (when coupled with IND-CPA) to the standard notions of privacy (IND-CCA, NM-CPA) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by ``generic composition,'' meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is ``yes'' and counter-examples for the cases where the answer is ``no.''

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Symmetric encryptionmessage authenticationauthenticated encryptionconcrete security
Contact author(s)
nchanath @ engr tu ac th
2007-07-15: last of 2 revisions
2000-05-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mihir Bellare and Chanathip Namprempre},
      title = {Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm},
      howpublished = {Cryptology ePrint Archive, Paper 2000/025},
      year = {2000},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.