on and to see that the resulting scheme does not guarantee authenticity by showing that an adversary can forge a valid encrypted message as follows:

1. Query the oracle about an arbitrary message $m$ and obtain the corresponding ciphertext $c' = \mathrm{Enc}'_{k_1}(m \,\|\, t) = \mathrm{Enc}_{k_1}(m \,\|\, t) \,\|\, 1$.
2. Output the ciphertext $c$ obtained by replacing the last bit of $c'$ by a 0 bit.

We see that then $c$ is a forgery, because $\mathrm{Dec}'_{k_1}(c) = \mathrm{Dec}'_{k_1}(c') = m \,\|\, t$ and $\mathrm{Ver}_{k_2}(m, t) = 1$ since the pair $(m, t)$ generated by the oracle is valid.
This attack is not very natural but is sufficient to prove that the Mac-then-Encrypt approach is not generically secure, although it may be secure in specific implementations. A more detailed discussion as well as further examples can be found in [123]. This approach is used in the SSL protocol, whose security is discussed in this reference, where it is shown that the current practical implementations of the protocol are safe.
5.4.2.3 Encrypt-then-Mac
This method inverts the order in which the MAC and the encryption scheme are used. To wit, the message $m$ is encrypted and then the MAC tag is computed for the ciphertext obtained, so that this is precisely the CCA secure encryption scheme we have considered. Thus the sender transmits the pair $(c, t)$ where $c = \mathrm{Enc}_{k_1}(m)$ and $t = \mathrm{Mac}_{k_2}(c)$. The receiver then computes $\mathrm{Ver}_{k_2}(c, t)$ and, if the ciphertext is valid, it outputs $m = \mathrm{Dec}_{k_1}(c)$.
If the keys $k_1$ and $k_2$ are independent, the encryption scheme is CPA secure, and the MAC is SUF-CMA secure, then the Encrypt-then-Mac combination can be proven to be secure in the sense defined below. The idea is that an adversary cannot forge a valid ciphertext because the MAC is secure, and confidentiality is guaranteed by the already mentioned fact that the system is actually CCA secure. Thus this approach gives the best we could hope for: both CCA security and existential unforgeability under adaptive chosen message attacks.
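The contrast between the two compositions can be checked by running both through the ciphertext integrity game against the bit-replacing adversary from the Mac-then-Encrypt discussion. The code below is an added illustration, not from the book: it uses a constructed toy stream cipher (SHA-256 keystream with a random nonce) and HMAC-SHA256 in place of the abstract Enc and Mac, and mirrors the ignored trailing bit with an ignored trailing byte.

```python
import hashlib
import hmac
import os

TAG = 32  # HMAC-SHA256 tag length in bytes

def _xor_stream(k1, nonce, data):
    # Constructed toy stream cipher: keystream block i = SHA256(k1 || nonce || i).
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(k1 + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def enc(k1, m):            # fresh nonce per call, prepended to the ciphertext
    nonce = os.urandom(16)
    return nonce + _xor_stream(k1, nonce, m)

def dec(k1, c):
    return _xor_stream(k1, c[:16], c[16:])

def mac(k2, data):
    return hmac.new(k2, data, hashlib.sha256).digest()

# Mac-then-Encrypt variant from the text: a trailing byte (standing in for the
# trailing bit) is appended to the ciphertext and ignored on decryption.
def mte_enc(k1, k2, m):
    return enc(k1, m + mac(k2, m)) + b"\x01"

def mte_dec(k1, k2, c):
    p = dec(k1, c[:-1])                      # trailing byte is ignored
    m, t = p[:-TAG], p[-TAG:]
    return m if hmac.compare_digest(t, mac(k2, m)) else None  # None = reject

# Encrypt-then-Mac: the tag covers the whole ciphertext, nonce included.
def etm_enc(k1, k2, m):
    c = enc(k1, m)
    return c + mac(k2, c)

def etm_dec(k1, k2, ct):
    c, t = ct[:-TAG], ct[-TAG:]
    return dec(k1, c) if hmac.compare_digest(t, mac(k2, c)) else None

def int_ctxt_experiment(enc_fn, dec_fn, adversary):
    # Adversary wins iff it outputs a ciphertext the oracle never returned
    # that still decrypts to something other than reject.
    k1, k2 = os.urandom(32), os.urandom(32)
    seen = []
    def oracle(m):
        c = enc_fn(k1, k2, m); seen.append(c); return c
    forged = adversary(oracle)
    return forged not in seen and dec_fn(k1, k2, forged) is not None

def bit_flip_adversary(oracle):
    c = oracle(b"constructed sample message")
    return c[:-1] + b"\x00"                  # replace the last byte, as in the text
```

Against the Mac-then-Encrypt variant the experiment returns True (a forgery), while against Encrypt-then-Mac the same change lands on the tag and is rejected.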
5.4.2.4 Security for Authenticated Encryption
We now make precise what it means that an encryption scheme provides secure authenticated encryption. As mentioned, the scheme should provide both confidentiality and integrity, and we are going to formalize this. We will consider a private-key encryption scheme $\mathcal{E} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ such that the decryption algorithm may output a special symbol indicating that the ciphertext is rejected, and we define the following integrity experiment:
Definition 5.4 The ciphertext integrity experiment $\mathrm{Auth}^{\text{int-ctxt}}_{\mathcal{A},\mathcal{E}}(n)$ is the following:
1. A key $k$ is generated by running $\mathrm{Gen}(1^n)$.