Reconsidering Generic Composition: The Tag-then-Encrypt Case

  • Francesco Berti
  • Olivier Pereira
  • Thomas Peters
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11356)


Authenticated Encryption (\(\mathsf {AE}\)) achieves confidentiality and authenticity, the two most fundamental goals of cryptography, in a single scheme. A common strategy to obtain \(\mathsf {AE}\) is to combine a Message Authentication Code \((\mathsf {MAC})\) and an encryption scheme, either nonce-based or \(iv\)-based. Out of the 180 possible combinations, Namprempre et al. [20] proved that 12 were secure, 164 insecure and 4 were left unresolved: A10, A11 and A12 which use an \(iv\)-based encryption scheme and N4 which uses a nonce-based one. The question of the security of these composition modes is particularly intriguing as N4, A11, and A12 are more efficient than the 12 composition modes that are known to be provably secure.

We prove that: (i) N4 is not secure in general, (ii) A10, A11 and A12 have equivalent security, (iii) A10, A11, A12 and N4 are secure if the underlying encryption scheme is either misuse-resistant or “message malleable”, a property that is satisfied by many classical encryption modes, (iv) A10, A11 and A12 are insecure if the underlying encryption scheme is stateful or untidy. All the results are quantitative.



Thomas Peters is a postdoctoral researcher of the Belgian Fund for Scientific Research (F.R.S.-FNRS). This work has been funded in parts by the European Union (EU) and the Walloon Region through the FEDER project USERMedia (convention number 501907-379156) and the ERC project SWORD (convention number 724725).


  1. 1.
    Atluri, V. (ed.): Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, 18–22 November 2002. ACM (2002)Google Scholar
  2. 2.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, Miami Beach, 19–22 October 1997, pp. 394–403. IEEE Computer Society (1997)Google Scholar
  3. 3.
    Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In: Atluri [1], pp. 1–11Google Scholar
  4. 4.
    Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Trans. Inf. Syst. Secur. 7(2), 206–241 (2004)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto [22], pp. 531–545CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto [22], pp. 317–330CrossRefGoogle Scholar
  7. 7.
    Bernstein, D.J.: Caesar call for submissions, final, 27 January 2014Google Scholar
  8. 8.
    Berti, F., Koeune, F., Pereira, O., Peters, T., Standaert, F.-X.: Ciphertext integrity with misuse and leakage: definition and efficient constructions with symmetric primitives. In: Kim, J., Ahn, G.-J., Kim, S., Kim, Y., López, J., Kim, T., (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, Incheon, Republic of Korea, 04–08 June 2018, pp. 37–50. ACM (2018)Google Scholar
  9. 9.
    Berti, F., Pereira, O., Peters, T.: Reconsidering generic composition: the tag-then-encrypt case. Cryptology ePrint Archive, Report 2018/991 (2018).
  10. 10.
    Berti, F., Pereira, O., Peters, T., Standaert, F.-X.: On leakage-resilient authenticated encryption with decryption leakages. IACR Trans. Symmetric Cryptol. 2017(3), 271–293 (2017)Google Scholar
  11. 11.
    Boyd, C., Hale, B., Mjølsnes, S.F., Stebila, D.: From stateless to stateful: generic authentication and authenticated encryption constructions with application to TLS. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 55–71. Springer, Cham (2016). Scholar
  12. 12.
    Dworkin, M.J.: Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. Technical report (2007)Google Scholar
  13. 13.
    IETF: The transport layer security (TLS) protocol version 1.3 draft-ietf-tls-tls13-28. Technical report (2018).
  14. 14.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)zbMATHGoogle Scholar
  15. 15.
    Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001). Scholar
  16. 16.
    Kohno, T., Palacio, A., Black, J.: Building secure cryptographic transforms, or how to encrypt and MAC. IACR Cryptology ePrint Archive, 2003:177 (2003)Google Scholar
  17. 17.
    Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). Scholar
  18. 18.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). Scholar
  19. 19.
    McGrew, D.A.: An interface and algorithms for authenticated encryption. RFC 5116, 1–22 (2008)Google Scholar
  20. 20.
    Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). Scholar
  21. 21.
    Nir, Y., Langley, A.: Chacha20 and poly1305 for IETF protocols. RFC 7539, 1–45 (2015)Google Scholar
  22. 22.
    Okamoto, T. (ed.): ASIACRYPT 2000. LNCS, vol. 1976. Springer, Heidelberg (2000). Scholar
  23. 23.
    Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size Does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011). Scholar
  24. 24.
    Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). Scholar
  25. 25.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri [1], pp. 98–107Google Scholar
  26. 26.
    Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). Scholar
  27. 27.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). Scholar
  28. 28.
    Rogaway, P., Zhang, Y.: Simplifying game-based definitions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 3–32. Springer, Cham (2018). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Francesco Berti
    • 1
  • Olivier Pereira
    • 1
  • Thomas Peters
    • 1
  1. 1.ICTEAM/ELEN/Crypto GroupUniversité catholique de LouvainLouvain-la-NeuveBelgium

Personalised recommendations