International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2000: Advances in Cryptology — ASIACRYPT 2000 pp 531-545

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

  • Mihir Bellare
  • Chanathip Namprempre
Conference paper

DOI: 10.1007/3-540-44448-3_41

Volume 1976 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Bellare M., Namprempre C. (2000) Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto T. (eds) Advances in Cryptology — ASIACRYPT 2000. ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976. Springer, Berlin, Heidelberg


We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then- MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Mihir Bellare
    • 1
  • Chanathip Namprempre
    • 1
  1. 1.Dept. of Computer Science & EngineeringUniversity of California at San DiegoLa JollaUSA