### Reconsidering Generic Composition

Chanathip Namprempre, Phillip Rogaway, and Thomas Shrimpton

##### Abstract

In the context of authenticated encryption (AE), generic composition has referred to the construction of an AE scheme by gluing together a conventional (privacy-only) encryption scheme and a MAC. Since the work of Bellare and Namprempre (2000) and then Krawczyk (2001), the conventional wisdom has become that there are three forms of generic composition, with Encrypt-then-MAC the only one that generically works. However, many caveats to this understanding have surfaced over the years. Here we explore this issue further, showing how this understanding oversimplifies the situation because it ignores the results’ sensitivity to definitional choices. When encryption is formalized differently, making it either IV-based or nonce-based, rather than probabilistic, and when the AE goal is likewise changed to take in a nonce, qualitatively different results emerge. We explore these alternatives versions of the generic-composition story. We also evidence the overreaching understanding of prior generic-composition results by pointing out that the Encrypt-then-MAC mechanism of ISO 19772 is completely wrong.

Available format(s)
Category
Secret-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2014
Keywords
authenticated encryptiongeneric compositionIV-based encryptionnonce-based encryption
Contact author(s)
rogaway @ cs ucdavis edu
History
Short URL
https://ia.cr/2014/206

CC BY

BibTeX

@misc{cryptoeprint:2014/206,
author = {Chanathip Namprempre and Phillip Rogaway and Thomas Shrimpton},
title = {Reconsidering Generic Composition},
howpublished = {Cryptology ePrint Archive, Paper 2014/206},
year = {2014},
note = {\url{https://eprint.iacr.org/2014/206}},
url = {https://eprint.iacr.org/2014/206}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.