You are looking at a specific version 20000926:011239 of this paper. See the latest version.

Paper 2000/025

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Mihir Bellare and Chanathip Namprempre

Abstract

We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by ``generic composition,'' meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely \textsl{Encrypt-and-MAC}, \textsl{MAC-then-encrypt}, and \textsl{Encrypt-then-MAC}. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is ``yes'' and counter-examples for the cases where the answer is ``no.''

Metadata
Available format(s)
PDF PS
Publication info
Published elsewhere. Unknown where it was published
Keywords
Symmetric encryptionmessage authenticationauthenticated encryptionconcrete security
Contact author(s)
cnamprem @ cs ucsd edu
History
2007-07-15: last of 2 revisions
2000-05-29: received
See all versions
Short URL
https://ia.cr/2000/025
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.