Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then- MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”


Encryption Scheme Authentication Scheme Symmetric Encryption Composition Method Choose Ciphertext Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare, R. Canetti AND H. Krawczyk, “Keying hash functions for message authentication,” Advances in Cryptology-Crypto’ 96, LNCS Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.CrossRefGoogle Scholar
  2. 2.
    M. Bellare, A. Desai, E. Jokipii AND P. Rogaway, “A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation,” Proc. of the 38th IEEE FOCS, IEEE, 1997.Google Scholar
  3. 3.
    M. Bellare, A. Desai, D. Pointcheval AND P. Rogaway, “Relations among notions of security for public-key encryption schemes,” Advances in Cryptology-Crypto’ 98, LNCS Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.Google Scholar
  4. 4.
    M. Bellare, J. Kilian, P. Rogaway, “The security of the cipher block chaining message authentication code,” Advances in Cryptology-Crypto’ 94, LNCS Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.Google Scholar
  5. 5.
    M. Bellare, C. Namprempre, “Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm,” Full version of this paper, available via
  6. 6.
    M. Bellare AND P. Rogaway, “Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography,” Advances in Cryptology-ASIACRYPT’ 00, LNCS Vol. ??, T. Okamoto ed., Springer-Verlag, 2000.Google Scholar
  7. 7.
    M. Bellare AND A. Sahai, “Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization,” Advances in Cryptology-Crypto’ 99, LNCS Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.Google Scholar
  8. 8.
    J. Black, S. Halevi, H. Krawczyk, T. Krovetz AND P. Rogaway, “UMAC: Fast and secure message authentication,” Advances in Cryptology-Crypto’ 99, LNCS Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.Google Scholar
  9. 9.
    A. Desai, “New paradigms for constructing symmetric encryption schemes secure against chosen ciphertext attack,” Advances in Cryptology-Crypto’ 00, LNCS Vol. 1880, M. Bellare ed., Springer-Verlag, 2000.Google Scholar
  10. 10.
    D. Dolev, C. Dwork, AND M. Naor, “Non-malleable cryptography,” Proc. of the 23rd ACM STOC, ACM, 1991.Google Scholar
  11. 11.
    D. Dolev, C. Dwork, AND M. Naor, “Non-malleable cryptography,” to appear in SIAM J. Comput. Google Scholar
  12. 12.
    S. Goldwasser AND S. Micali, “Probabilistic encryption,” Journal of Computer and System Science,Vol. 28, 1984, pp. 270–299.zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    C. Jutla, “Encryption modes with almost free message integrity,” Report 2000/039, Cryptology ePrint Archive,, August 2000.
  14. 14.
    J. Katz AND M. Yung, “Complete characterization of security notions for probabilistic private-key encryption,” Proc. of the 32ndACM STOC, ACM, 2000.Google Scholar
  15. 15.
    J. Katz AND M. Yung, “Unforgeable Encryption and Adaptively Secure Modes of Operation,” Fast Software Encryption’ 00, LNCS Vol. ??, B. Schneier ed., Springer-Verlag, 2000.Google Scholar
  16. 16.
    S. Kent AND R. Atkinson, “IP Encapsulating Security Payload (ESP),” Request for Comments 2406, November 1998.Google Scholar
  17. 17.
    M. Naor AND M. Yung, “Public-key cryptosystems provably secure against chosen ciphertext attacks,” Proc. of the 22nd ACM STOC, ACM, 1990.Google Scholar
  18. 18.
    C. Rackoff AND D. Simon, “Non-Interactive zero-knowledge proof of knowledge and chosen ciphertext attack,” Advances in Cryptology-Crypto’ 91, LNCS Vol. 576, J. Feigenbaum ed., Springer-Verlag, 1991.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  1. 1.Dept. of Computer Science & EngineeringUniversity of California at San DiegoLa JollaUSA

Personalised recommendations