Paper 2000/025
Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm
Mihir Bellare and Chanathip Namprempre
Abstract
We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by ``generic composition,'' meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely \textsl{Encrypt-and-MAC}, \textsl{MAC-then-encrypt}, and \textsl{Encrypt-then-MAC}. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is ``yes'' and counter-examples for the cases where the answer is ``no.''
Metadata
- Available format(s)
- PDF PS
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Symmetric encryptionmessage authenticationauthenticated encryptionconcrete security
- Contact author(s)
- cnamprem @ cs ucsd edu
- History
- 2007-07-15: last of 2 revisions
- 2000-05-29: received
- See all versions
- Short URL
- https://ia.cr/2000/025
- License
-
CC BY