
Journal of Cryptology

Volume 21, Issue 4, pp 469–491

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

  • Mihir Bellare
  • Chanathip Namprempre

Abstract

An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”
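The three composition methods named in the abstract, as an added example that is not code from the paper. It instantiates the "given" encryption scheme as a randomized counter-mode stream cipher whose keystream comes from HMAC-SHA256 used as a PRF, and the "given" MAC as HMAC-SHA256; both choices are assumptions made so the example runs with only the Python standard library (AES-CTR would be the usual instantiation). Two checks reproduce points the abstract makes: Encrypt-and-MAC's tag depends only on the plaintext, so repeated encryptions of the same message are distinguishable (it is not IND-CPA), while Encrypt-then-MAC authenticates the whole ciphertext and rejects any bit-flip before decrypting.

```python
import hashlib
import hmac
import os

TAGLEN = 32  # HMAC-SHA256 output length


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF (assumption for this demo)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream_xor(ke: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter mode: block i of keystream = PRF(ke, iv || i)."""
    out = bytearray()
    for i in range(0, len(data), TAGLEN):
        block = _prf(ke, iv + (i // TAGLEN).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + TAGLEN], block))
    return bytes(out)


def enc(ke: bytes, m: bytes) -> bytes:
    """Randomized (IND-CPA) encryption: fresh IV || (m XOR keystream)."""
    iv = os.urandom(16)
    return iv + _keystream_xor(ke, iv, m)


def dec(ke: bytes, c: bytes) -> bytes:
    iv, body = c[:16], c[16:]
    return _keystream_xor(ke, iv, body)


def mac(km: bytes, x: bytes) -> bytes:
    return _prf(km, x)


# --- Encrypt-and-MAC: C = E(Ke, M) || T(Km, M) --------------------------
def eam_enc(ke: bytes, km: bytes, m: bytes) -> bytes:
    return enc(ke, m) + mac(km, m)


def eam_dec(ke: bytes, km: bytes, c: bytes):
    body, tag = c[:-TAGLEN], c[-TAGLEN:]
    m = dec(ke, body)  # must decrypt before the tag can be checked
    return m if hmac.compare_digest(mac(km, m), tag) else None


# --- MAC-then-Encrypt: C = E(Ke, M || T(Km, M)) --------------------------
def mte_enc(ke: bytes, km: bytes, m: bytes) -> bytes:
    return enc(ke, m + mac(km, m))


def mte_dec(ke: bytes, km: bytes, c: bytes):
    x = dec(ke, c)  # again decrypts first, then verifies
    m, tag = x[:-TAGLEN], x[-TAGLEN:]
    return m if hmac.compare_digest(mac(km, m), tag) else None


# --- Encrypt-then-MAC: C' = E(Ke, M); C = C' || T(Km, C') -----------------
def etm_enc(ke: bytes, km: bytes, m: bytes) -> bytes:
    c = enc(ke, m)
    return c + mac(km, c)


def etm_dec(ke: bytes, km: bytes, c: bytes):
    body, tag = c[:-TAGLEN], c[-TAGLEN:]
    if not hmac.compare_digest(mac(km, body), tag):
        return None  # reject before touching the decryption key
    return dec(ke, body)


def eam_leaks_plaintext_equality(ke: bytes, km: bytes, m: bytes) -> bool:
    """The E&M tag is a deterministic function of M alone, so two
    encryptions of the same message carry identical tags: an eavesdropper
    learns plaintext equality, which already violates IND-CPA."""
    c1, c2 = eam_enc(ke, km, m), eam_enc(ke, km, m)
    return c1[:-TAGLEN] != c2[:-TAGLEN] and c1[-TAGLEN:] == c2[-TAGLEN:]


def etm_rejects_tampering(ke: bytes, km: bytes, m: bytes) -> bool:
    """Flip one ciphertext bit; EtM's tag covers the ciphertext, so
    verification fails and nothing is decrypted (INT-CTXT behaviour)."""
    c = bytearray(etm_enc(ke, km, m))
    c[16] ^= 0x01  # first byte of the encrypted body
    return etm_dec(ke, km, bytes(c)) is None


if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)  # independent keys, constructed
    msg = b"constructed sample message"
    for name, e, d in (("E&M", eam_enc, eam_dec), ("MtE", mte_enc, mte_dec),
                       ("EtM", etm_enc, etm_dec)):
        print(name, "round trip ok:", d(ke, km, e(ke, km, msg)) == msg)
    print("E&M leaks equality:", eam_leaks_plaintext_equality(ke, km, msg))
    print("EtM rejects tampering:", etm_rejects_tampering(ke, km, msg))
```

The two keys are independent, matching the paper's setting of a generic encryption scheme and a generic MAC. Note that only Encrypt-then-MAC can verify before decrypting; the other two must run the decryption routine on unauthenticated input, which is why their integrity guarantees depend on properties of the particular encryption scheme rather than following generically.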

Keywords

Symmetric encryption; Message authentication; Authenticated encryption; Concrete security



Copyright information

© International Association for Cryptologic Research 2008

Authors and Affiliations

  1. Dept. of Computer Science & Engineering, University of California, San Diego, La Jolla, USA
  2. Electrical Engineering, Faculty of Engineering, Thammasat University, Patumtani, Thailand
