... $\mathcal{A}$ receives the challenge ciphertext $(c, t)$ and is able to construct a valid ciphertext of the form $(c, t')$ with $t' \neq t$: this would not be a MAC forgery because $c$ is the same in both cases. But the $\mathcal{EI}$-ciphertexts $(c, t)$ and $(c, t')$ are different and hence $\mathcal{A}$ could query the decryption oracle on $(c, t')$, obtaining the corresponding plaintext, which is the same as the one for $(c, t)$. This is prevented by requiring that $\mathcal{I}$ should be SUF-CMA secure, which makes it hard for $\mathcal{A}$ to construct the ciphertext $(c, t')$.
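The argument above, carried out in code as an added illustration (this is not the book's code). It assumes a constructed toy setting: the encryption scheme is a one-time pad over a fixed-length message (the hypothetical `otp_encrypt`), the MAC $\mathcal{I}$ is HMAC-SHA256, and Encrypt-then-MAC tags the ciphertext. Two tag verifiers are compared: `strict_verify` accepts exactly one tag per ciphertext (the SUF-CMA behaviour), while `sloppy_verify` is a deliberately defective verifier that ignores anything after the first 32 tag bytes, so it is still unforgeable for a fresh ciphertext but not strongly unforgeable. `cca_probe` replays the CCA-game step from the text: the adversary forms $(c, t')$ with $t' \neq t$ and submits it to a decryption oracle that refuses only the exact challenge pair.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def otp_encrypt(k1: bytes, m: bytes) -> bytes:
    """Constructed toy cipher: one-time pad with |k1| == |m|. Decryption is the same map."""
    assert len(k1) == len(m)
    return bytes(a ^ b for a, b in zip(m, k1))


def mac(k2: bytes, c: bytes) -> bytes:
    """The MAC I: HMAC-SHA256 over the ciphertext (Encrypt-then-MAC)."""
    return hmac.new(k2, c, hashlib.sha256).digest()


def strict_verify(k2: bytes, c: bytes, t: bytes) -> bool:
    """Accepts exactly one tag per ciphertext: the SUF-CMA behaviour the text requires.
    compare_digest returns False for tags of the wrong length."""
    return hmac.compare_digest(mac(k2, c), t)


def sloppy_verify(k2: bytes, c: bytes, t: bytes) -> bool:
    """Deliberately defective verifier (hypothetical): bytes beyond TAG_LEN are ignored.
    Forging a tag for a fresh ciphertext is as hard as for HMAC (UF-CMA holds), but a
    second valid tag t' != t for the same c costs nothing (SUF-CMA fails)."""
    return hmac.compare_digest(mac(k2, c), t[:TAG_LEN])


def etm_encrypt(k1: bytes, k2: bytes, m: bytes):
    """Encrypt-then-MAC: c = Enc_k1(m), t = Mac_k2(c)."""
    c = otp_encrypt(k1, m)
    return c, mac(k2, c)


def etm_decrypt(k1: bytes, k2: bytes, c: bytes, t: bytes, verify):
    """Receiver: check the tag on c first, decrypt only if it verifies."""
    if not verify(k2, c, t):
        return None  # authentication failed
    return otp_encrypt(k1, c)  # OTP decryption is the same XOR


def cca_probe(verify) -> bool:
    """Replays the step from the text: A holds the challenge (c, t), builds (c, t')
    with t' != t, and asks the decryption oracle, which refuses only the exact
    challenge pair. Returns True iff the oracle hands back the challenge plaintext."""
    m = b"attack at dawn!!"  # constructed sample message
    k1, k2 = secrets.token_bytes(len(m)), secrets.token_bytes(32)
    c, t = etm_encrypt(k1, k2, m)
    t_prime = t + b"\x00"  # a different EI-ciphertext (c, t'), same c

    def oracle(cq: bytes, tq: bytes):
        if (cq, tq) == (c, t):
            return None  # the one query the CCA game forbids
        return etm_decrypt(k1, k2, cq, tq, verify)

    return oracle(c, t_prime) == m


if __name__ == "__main__":
    print("sloppy verifier returns the challenge plaintext:", cca_probe(sloppy_verify))  # True
    print("strict verifier returns the challenge plaintext:", cca_probe(strict_verify))  # False
```

With the strict verifier the only ciphertext that decrypts under tag material derived from $(c, t)$ is $(c, t)$ itself, which the game forbids, so the oracle gives nothing away; with the sloppy verifier the second pair $(c, t')$ is accepted and the "CCA security" of the composition collapses even though the MAC is still UF-CMA. The defensive takeaway is the one the text states: the verifier must accept a single canonical tag and nothing else.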
5.4.2 Obtaining Authenticated Encryption
We have studied schemes that provide privacy and schemes that provide authenticity
but so far we have not considered any scheme that simultaneously provides both. In
contrast to what might appear at first sight, the combination of confidentiality and
integrity is not automatically guaranteed by the use of an encryption scheme and a
MAC, even assuming that both are secure.
We next review the common approaches towards the goal of authenticated encryption, which use different ways to combine an encryption scheme and a MAC.
5.4.2.1 Encrypt-and-Mac
The first idea that comes to mind, given an encryption scheme and a MAC, both assumed secure, is just to apply the two schemes independently to the message $m$, i.e.—using the previous notations and letting $k_1$ be an encryption key and $k_2$ a MAC key—to compute (and send to the receiver) the pair $(c, t)$, where $c = \mathrm{Enc}_{k_1}(m)$ and $t = \mathrm{Mac}_{k_2}(m)$. The receiver then computes $m = \mathrm{Dec}_{k_1}(c)$ and $\mathrm{Ver}_{k_2}(m, t)$. If the value 1 is obtained, then the receiver outputs $m$, otherwise it outputs the failure symbol, meaning that authentication has failed. This method is, in general, insecure for a very simple reason: a MAC is not designed to hide the contents of the authenticated message and hence it is possible that the tag $t$ leaks significant information, as the following easy example shows:
Example 5.7 Let $(\mathrm{Gen}, \mathrm{Mac}, \mathrm{Ver})$ be a UF-CMA secure MAC. Then it is straightforward to see that the MAC obtained by replacing the tag generation algorithm $\mathrm{Mac}$ by the following one (call it $\mathrm{Mac}'$),
$$\mathrm{Mac}'_k(m) := m \,\|\, \mathrm{Mac}_k(m),$$
is also UF-CMA secure. Suppose now that we combine this MAC with a CPA secure—or even CCA secure—scheme as indicated above. Then the receiver obtains a pair of the form $(c, m \,\|\, t)$ (where $t$ is the tag corresponding to $m$ in the original MAC) which, if observed by an adversary, reveals the entire message $m$. Thus this scheme is not even IND-EAV secure.
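Example 5.7 run end to end, as an added illustration that is not the book's code. It assumes a constructed setting: a one-time pad (the hypothetical `otp_encrypt`, IND-EAV secure on its own) as the encryption scheme, HMAC-SHA256 as the original UF-CMA secure MAC $\mathrm{Mac}$, and `leaky_mac` as the modified $\mathrm{Mac}'_k(m) = m \,\|\, \mathrm{Mac}_k(m)$. The block shows the three facts the example rests on: the receiver accepts the Encrypt-and-MAC pair, a passive observer reads $m$ straight out of the transmitted tag without touching $c$, and $\mathrm{Mac}'$ nevertheless still rejects a tag whose message part was altered (it remains UF-CMA).

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def otp_encrypt(k1: bytes, m: bytes) -> bytes:
    """Constructed toy cipher: one-time pad with |k1| == |m|; IND-EAV secure by
    itself, which is the point of the example. Decryption is the same map."""
    assert len(k1) == len(m)
    return bytes(a ^ b for a, b in zip(m, k1))


def base_mac(k2: bytes, m: bytes) -> bytes:
    """Mac_k(m): the original UF-CMA secure MAC, here HMAC-SHA256."""
    return hmac.new(k2, m, hashlib.sha256).digest()


def leaky_mac(k2: bytes, m: bytes) -> bytes:
    """Mac'_k(m) := m || Mac_k(m), the modified MAC of Example 5.7."""
    return m + base_mac(k2, m)


def leaky_verify(k2: bytes, m: bytes, t: bytes) -> bool:
    """Ver' recomputes Mac'_k(m) and compares in constant time."""
    return hmac.compare_digest(t, leaky_mac(k2, m))


def encrypt_and_mac(k1: bytes, k2: bytes, m: bytes):
    """Encrypt-and-MAC: both primitives are applied independently to m."""
    return otp_encrypt(k1, m), leaky_mac(k2, m)


def encrypt_and_mac_receive(k1: bytes, k2: bytes, c: bytes, t: bytes):
    """Receiver: m = Dec_k1(c), then Ver'_k2(m, t); None on failure."""
    m = otp_encrypt(k1, c)
    return m if leaky_verify(k2, m, t) else None


def eavesdropper_reads(c: bytes, t: bytes) -> bytes:
    """What a passive observer learns from the pair (c, m || t) on the wire:
    the message is the tag minus its last TAG_LEN bytes. c is never used."""
    return t[:-TAG_LEN]


def forgery_attempt_rejected(k2: bytes) -> bool:
    """Mac' is still UF-CMA: a tag whose message part is changed but whose HMAC
    part is copied from a genuine tag for another message is refused by Ver'."""
    m = b"pay 10 EUR to X!"  # constructed sample messages
    t = leaky_mac(k2, m)
    m_other = b"pay 99 EUR to X!"
    t_other = m_other + t[-TAG_LEN:]  # HMAC part does not match m_other
    return not leaky_verify(k2, m_other, t_other)


def demo():
    """Returns (receiver_accepts, observer_recovers_m, forgery_rejected)."""
    m = b"transfer 100 EUR"  # constructed sample message
    k1, k2 = secrets.token_bytes(len(m)), secrets.token_bytes(32)
    c, t = encrypt_and_mac(k1, k2, m)
    return (
        encrypt_and_mac_receive(k1, k2, c, t) == m,
        eavesdropper_reads(c, t) == m,
        forgery_attempt_rejected(k2),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The confidentiality of the pair is lost without any weakness in either primitive: the encryption scheme hides $m$ inside $c$, but the independently computed tag is sent alongside it and the MAC definition makes no promise about what the tag reveals. This is why the generic Encrypt-and-MAC composition is judged by the weakest property of its MAC with respect to secrecy, a property UF-CMA does not cover at all.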