## Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

**Authors:** M. Bellare and C. Namprempre

**Abstract:** An authenticated encryption scheme is a symmetric
encryption scheme whose goal is to provide both privacy and
integrity. We consider two possible notions of authenticity for such
schemes, namely integrity of plaintexts and integrity of
ciphertexts, and relate them (when coupled with IND-CPA) to the
standard notions of privacy (IND-CCA, NM-CPA) by presenting
implications and separations between all notions considered.

We then analyze the security of authenticated encryption
schemes designed by "generic composition," meaning making black-box use of
a given symmetric encryption scheme and a given MAC. Three composition
methods are considered, namely *Encrypt-and-MAC*,
*MAC-then-encrypt*, and *Encrypt-then-MAC*. For each of these,
and for each notion of security, we indicate whether or not the resulting
scheme meets the notion in question assuming the given symmetric encryption
scheme is secure against chosen-plaintext attack and the given MAC is
unforgeable under chosen-message attack. We provide proofs for the cases
where the answer is "yes" and counter-examples for the cases where the
answer is "no."
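
The three composition methods named in the abstract, as an added example that is not code from the paper: the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode, the MAC is HMAC-SHA256, and all function names are assumptions. With a deterministic MAC, `trailer_repeats` shows that Encrypt-and-MAC emits the same tag for equal plaintexts, which is one way that composition can fail to preserve privacy, while Encrypt-then-MAC authenticates the ciphertext itself.

```python
import hashlib, hmac, os

TAG = 32  # HMAC-SHA256 tag length in bytes

def _stream(ke, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 run in counter mode as a keystream.
    blocks = (hmac.new(ke, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(ke, m):
    nonce = os.urandom(16)  # fresh randomness per message, as IND-CPA requires
    return nonce + bytes(a ^ b for a, b in zip(m, _stream(ke, nonce, len(m))))

def dec(ke, c):
    return bytes(a ^ b for a, b in zip(c[16:], _stream(ke, c[:16], len(c) - 16)))

def mac(km, data):
    return hmac.new(km, data, hashlib.sha256).digest()

def _check(km, data, t):
    return data if hmac.compare_digest(t, mac(km, data)) else None

def encrypt_and_mac(ke, km, m):   # E(m) || T(m)
    return enc(ke, m) + mac(km, m)

def mac_then_encrypt(ke, km, m):  # E(m || T(m))
    return enc(ke, m + mac(km, m))

def encrypt_then_mac(ke, km, m):  # E(m) || T(E(m))
    c = enc(ke, m)
    return c + mac(km, c)

def open_eam(ke, km, ct):
    return _check(km, dec(ke, ct[:-TAG]), ct[-TAG:])

def open_mte(ke, km, ct):
    p = dec(ke, ct)
    return _check(km, p[:-TAG], p[-TAG:])

def open_etm(ke, km, ct):         # verify the tag before touching the ciphertext
    c = _check(km, ct[:-TAG], ct[-TAG:])
    return None if c is None else dec(ke, c)

def trailer_repeats(seal, ke, km, m):
    # Do two encryptions of the same plaintext end in identical TAG bytes?
    return seal(ke, km, m)[-TAG:] == seal(ke, km, m)[-TAG:]
```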

**Ref:** Extended abstract in Advances in Cryptology - Asiacrypt 2000
Proceedings, Lecture Notes in Computer Science Vol. 1976, T. Okamoto ed,
Springer-Verlag, 2000. Full paper available below.

**Full paper:** Available as compressed
postscript, postscript, or
pdf.