Models and Proofs of Protocol Security: A Progress Report
CAV '09 Proceedings of the 21st International Conference on Computer Aided Verification
Generic Construction of Stateful Identity Based Encryption
ISC '09 Proceedings of the 12th International Conference on Information Security
Modular verification of security protocol code by typing
Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption
Proceedings of the 17th ACM conference on Computer and communications security
Securing interactive sessions using mobile device through visual channel and visual inspection
Proceedings of the 26th Annual Computer Security Applications Conference
A calculus for game-based security proofs
ProvSec'10 Proceedings of the 4th international conference on Provable security
Efficient authentication for mobile and pervasive computing
ICICS'10 Proceedings of the 12th international conference on Information and communications security
Computer Networks: The International Journal of Computer and Telecommunications Networking
The software performance of authenticated-encryption modes
FSE'11 Proceedings of the 18th international conference on Fast software encryption
E-MACs: towards more secure and more efficient constructions of secure channels
ICISC'10 Proceedings of the 13th international conference on Information security and cryptology
Non-interactive distributed encryption: a new primitive for revocable privacy
Proceedings of the 10th annual ACM workshop on Privacy in the electronic society
Modular code-based cryptographic verification
Proceedings of the 18th ACM conference on Computer and communications security
Confidentiality and integrity: a constructive perspective
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
New definitions and separations for circular security
PKC'12 Proceedings of the 15th international conference on Practice and Theory in Public Key Cryptography
Authenticated encryption: how reordering can impact performance
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
StegoTorus: a camouflage proxy for the Tor anonymity system
Proceedings of the 2012 ACM conference on Computer and communications security
McOE: a family of almost foolproof on-line authenticated encryption schemes
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Oblivious transfer with hidden access control from attribute-based encryption
SCN'12 Proceedings of the 8th international conference on Security and Cryptography for Networks
Computational soundness of coinductive symbolic security under active attacks
TCC'13 Proceedings of the 10th theory of cryptography conference on Theory of Cryptography
Computationally complete symbolic attacker and key exchange
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Deduction soundness: prove one, get five for free
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Authenticated key agreement in wireless networks with automated key management
Proceedings of the 6th International Conference on Security of Information and Networks
An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”
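The three generic compositions named in the abstract, as an added Python illustration (not code from the paper or from this page). The HMAC-based counter-mode cipher standing in for the encryption scheme, HMAC-SHA256 as the MAC, and all function names are assumptions. It shows one known counter-example: with a deterministic MAC, Encrypt-and-MAC emits equal tags for equal plaintexts, while Encrypt-then-MAC tags the ciphertext and rejects modified input before decrypting.

```python
import hashlib
import hmac
import os

TAG = 32  # HMAC-SHA256 tag length in bytes

def _keystream(key, nonce, n):
    # Assumed stand-in for the encryption scheme: HMAC-SHA256 as a PRF in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(ke, m):
    nonce = os.urandom(16)  # fresh randomness makes encryption probabilistic
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(ke, nonce, len(m))))

def decrypt(ke, c):
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, nonce, len(body))))

def mac(km, data):
    return hmac.new(km, data, hashlib.sha256).digest()  # deterministic MAC

def encrypt_and_mac(ke, km, m):
    return encrypt(ke, m) + mac(km, m)      # tag over the plaintext, sent in clear

def mac_then_encrypt(ke, km, m):
    return encrypt(ke, m + mac(km, m))      # tag over the plaintext, hidden inside

def encrypt_then_mac(ke, km, m):
    c = encrypt(ke, m)
    return c + mac(km, c)                   # tag over the ciphertext

def open_encrypt_then_mac(ke, km, blob):
    c, tag = blob[:-TAG], blob[-TAG:]
    if len(blob) < 16 + TAG or not hmac.compare_digest(tag, mac(km, c)):
        return None                         # reject before any decryption
    return decrypt(ke, c)

if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)  # independent keys
    m = b"constructed sample message"
    a, b = encrypt_and_mac(ke, km, m), encrypt_and_mac(ke, km, m)
    print("E&M tags equal for equal plaintexts:", a[-TAG:] == b[-TAG:])
    x, y = encrypt_then_mac(ke, km, m), encrypt_then_mac(ke, km, m)
    print("EtM tags equal for equal plaintexts:", x[-TAG:] == y[-TAG:])
```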