Abstract
An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”
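The three generic compositions named in the abstract, written out as an added example (this is not code from the paper): the encryption scheme is an assumed CTR-mode cipher keyed with HMAC-SHA256 as the PRF, the MAC is HMAC-SHA256, and the two checks at the end show the Encrypt-and-MAC tag leaking plaintext equality and Encrypt-then-MAC rejecting a modified ciphertext.

```python
# Added example, not from the paper: the three generic compositions of the
# abstract built from an assumed PRF-based CTR cipher and HMAC-SHA256 (stdlib only).
import hmac, hashlib, secrets

def prf_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-mode stream cipher using HMAC-SHA256 as the PRF (IND-CPA under the PRF assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def enc(ke: bytes, m: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh random nonce per encryption
    return nonce + prf_ctr(ke, nonce, m)

def dec(ke: bytes, c: bytes) -> bytes:
    return prf_ctr(ke, c[:16], c[16:])

def mac(km: bytes, x: bytes) -> bytes:
    return hmac.new(km, x, hashlib.sha256).digest()

# Encrypt-then-MAC: the tag covers the ciphertext; verify before decrypting.
def etm_encrypt(ke, km, m):
    c = enc(ke, m); return c + mac(km, c)
def etm_decrypt(ke, km, ct):
    c, t = ct[:-32], ct[-32:]
    if not hmac.compare_digest(mac(km, c), t): return None   # reject forgeries
    return dec(ke, c)

# Encrypt-and-MAC: the tag is computed over the plaintext and sent in the clear.
def eam_encrypt(ke, km, m):
    return enc(ke, m) + mac(km, m)

# MAC-then-encrypt: tag appended to the plaintext, then everything encrypted.
def mte_encrypt(ke, km, m):
    return enc(ke, m + mac(km, m))
def mte_decrypt(ke, km, ct):
    p = dec(ke, ct); m, t = p[:-32], p[-32:]
    if not hmac.compare_digest(mac(km, m), t): return None
    return m

def eam_leaks_equality(ke, km, m):
    """E&M: two encryptions of the same plaintext carry the same tag, so it is not IND-CPA."""
    return eam_encrypt(ke, km, m)[-32:] == eam_encrypt(ke, km, m)[-32:]

def etm_rejects_flip(ke, km, m):
    """EtM: flipping one ciphertext bit makes verification fail (INT-CTXT behaviour)."""
    ct = bytearray(etm_encrypt(ke, km, m)); ct[16] ^= 1
    return etm_decrypt(ke, km, bytes(ct)) is None
```

Separate keys `ke` and `km` are used for the two primitives, as the black-box composition in the abstract assumes.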
Communicated by H. Krawczyk
M. Bellare’s work was supported in part by a 1996 Packard Foundation Fellowship in Science and Engineering, NSF CAREER Award CCR-9624439, NSF grants CNS-0524765 and CNS-0627779, and a gift from Intel Corporation.
C. Namprempre’s work was supported in part by grants of the first author and the Thailand Research Fund.
Cite this article
Bellare, M., Namprempre, C. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. J Cryptol 21, 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x