Paper 2001/079

Authenticated Encryption in the Public-Key Setting: Security Notions and Analyses

Jee Hea An


This paper addresses the security of authenticated encryption schemes in the public key setting. We present two new notions of authenticity that are stronger than the integrity notions given in the symmetric setting \cite{bn00}. We also show that chosen-ciphertext attack security (IND-CCA) in the public key setting is not obtained in general from the combination of chosen-plaintext security (IND-CPA) and integrity of ciphertext (INT-CTXT), which is in contrast to the results shown in the symmetric setting \cite{ky00,bn00}. We provide security analyses of authenticated encryption schemes constructed by combining a given public key encryption scheme and a given digital signature scheme in a ``generic'' manner ---namely, Encrypt-and-Sign, Sign-then-Encrypt, and Encrypt-then-Sign--- and show that none of them, in general, provide security under all notions defined in this paper. We then present a scheme called {\em ESSR} that meets all security notions defined here. We also give security analyses on an efficient Diffie-Hellman based scheme called {\em DHETM}, which can be thought of as a transform of the encryption scheme ``DHIES'' \cite{abr01} into an {\em authenticated} encryption scheme in the public key setting.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Public key settingAuthenticated encryptionPrivacyAuthenticityUnforgeability
Contact author(s)
jeehea @ cs ucsd edu
2001-09-12: received
Short URL
Creative Commons Attribution


      author = {Jee Hea An},
      title = {Authenticated Encryption in the Public-Key Setting: Security Notions and Analyses},
      howpublished = {Cryptology ePrint Archive, Paper 2001/079},
      year = {2001},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.