
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

Abstract

An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”
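The three composition methods named in the abstract, written out as working code. This is an added example, not code from the paper or its authors: the "encryption scheme" is a constructed counter-mode stream cipher keyed through HMAC-SHA256 as a stand-in for any IND-CPA-secure scheme, the MAC is HMAC-SHA256, and the function names, key sizes and sample messages are all assumptions of this example. The two checks at the end show the one property that is visible with a single concrete cipher: a deterministic MAC computed over the plaintext (Encrypt-and-MAC) emits the same tag for repeated messages, while Encrypt-then-MAC authenticates the ciphertext itself and rejects any altered ciphertext before decryption.

```python
import hashlib
import hmac
import os

IV_LEN = 16    # bytes of random IV prepended to each ciphertext
TAG_LEN = 32   # HMAC-SHA256 output length


def _keystream(k_e, iv, length):
    # Counter-mode keystream: HMAC-SHA256 used as a PRF over (iv || counter).
    # Constructed stand-in for a block cipher in CTR mode; assumption of this example.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_e, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def ctr_encrypt(k_e, m, iv=None):
    # Fresh random IV per message: this is what gives the scheme IND-CPA-style privacy.
    iv = os.urandom(IV_LEN) if iv is None else iv
    return iv + bytes(a ^ b for a, b in zip(m, _keystream(k_e, iv, len(m))))


def ctr_decrypt(k_e, c):
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k_e, iv, len(body))))


def mac(k_m, x):
    return hmac.new(k_m, x, hashlib.sha256).digest()


def verify(k_m, x, tag):
    # Constant-time comparison so verification does not leak how many tag bytes matched.
    return hmac.compare_digest(mac(k_m, x), tag)


# --- Encrypt-and-MAC: C = E(M) || T(M), MAC over the plaintext ---------------
def eam_encrypt(k_e, k_m, m):
    return ctr_encrypt(k_e, m) + mac(k_m, m)


def eam_decrypt(k_e, k_m, c):
    if len(c) < IV_LEN + TAG_LEN:
        return None
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    m = ctr_decrypt(k_e, body)          # must decrypt before the tag can be checked
    return m if verify(k_m, m, tag) else None


# --- MAC-then-encrypt: C = E(M || T(M)), tag is encrypted with the message ---
def mte_encrypt(k_e, k_m, m):
    return ctr_encrypt(k_e, m + mac(k_m, m))


def mte_decrypt(k_e, k_m, c):
    p = ctr_decrypt(k_e, c)
    if len(p) < TAG_LEN:
        return None
    m, tag = p[:-TAG_LEN], p[-TAG_LEN:]
    return m if verify(k_m, m, tag) else None


# --- Encrypt-then-MAC: C = E(M) || T(E(M)), MAC over the ciphertext ---------
def etm_encrypt(k_e, k_m, m):
    c = ctr_encrypt(k_e, m)
    return c + mac(k_m, c)


def etm_decrypt(k_e, k_m, c):
    if len(c) < IV_LEN + TAG_LEN:
        return None
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not verify(k_m, body, tag):      # reject before touching the decryption key
        return None
    return ctr_decrypt(k_e, body)


def _flip_bit(data, index):
    # Constructed tampering for the check below: flip the low bit of one byte.
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


def eam_tags_equal(k_e, k_m, m):
    # Encrypt-and-MAC with a deterministic MAC: two encryptions of the same
    # message carry identical tags, so an observer learns that M repeated.
    return eam_encrypt(k_e, k_m, m)[-TAG_LEN:] == eam_encrypt(k_e, k_m, m)[-TAG_LEN:]


def etm_tags_equal(k_e, k_m, m):
    # Encrypt-then-MAC: the tag covers the randomised ciphertext, so it changes every time.
    return etm_encrypt(k_e, k_m, m)[-TAG_LEN:] == etm_encrypt(k_e, k_m, m)[-TAG_LEN:]


def etm_rejects_modified_ciphertext(k_e, k_m, m):
    # Any change to the ciphertext body invalidates the tag: decryption returns None.
    tampered = _flip_bit(etm_encrypt(k_e, k_m, m), IV_LEN)
    return etm_decrypt(k_e, k_m, tampered) is None


if __name__ == "__main__":
    k_e, k_m = os.urandom(32), os.urandom(32)   # independent keys for the two primitives
    msg = b"meter reading: 42 kWh"
    for name, enc, dec in (("E&M", eam_encrypt, eam_decrypt),
                           ("MtE", mte_encrypt, mte_decrypt),
                           ("EtM", etm_encrypt, etm_decrypt)):
        print(name, "round trip ok:", dec(k_e, k_m, enc(k_e, k_m, msg)) == msg)
    print("E&M tags repeat for equal plaintexts:", eam_tags_equal(k_e, k_m, msg))
    print("EtM tags repeat for equal plaintexts:", etm_tags_equal(k_e, k_m, msg))
    print("EtM rejects modified ciphertext:", etm_rejects_modified_ciphertext(k_e, k_m, msg))
```

Two things worth noting. The encryption and MAC keys are kept independent, which is the setting the abstract's "black-box" composition assumes; reusing one key across both primitives is outside that analysis. And a single concrete cipher can only exhibit properties that hold generically: the tag repetition in Encrypt-and-MAC follows from any deterministic MAC over the plaintext, and the rejection in Encrypt-then-MAC follows from the MAC covering the whole ciphertext, whereas the abstract's negative results for MAC-then-encrypt concern what can go wrong with some IND-CPA-secure scheme, not with this particular one.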



Author information

Correspondence to Chanathip Namprempre.

Additional information

M. Bellare’s work was supported in part by a 1996 Packard Foundation Fellowship in Science and Engineering, NSF CAREER Award CCR-9624439, NSF grants CNS-0524765 and CNS-0627779, and a gift from Intel Corporation.

C. Namprempre’s work was supported in part by grants of the first author and the Thailand Research Fund.

Communicated by H. Krawczyk


About this article

Cite this article

Bellare, M., Namprempre, C. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. J Cryptol 21, 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x


Keywords

  • Symmetric encryption
  • Message authentication
  • Authenticated encryption
  • Concrete security