$\mathrm{Auth}^{\mathrm{int\text{-}ctxt}}_{\mathcal{A},\mathcal{E}}(\,)$, contradicting the definition of authenticated encryption. In fact, the definition of authenticated encryption is strong enough to imply CCA security, and the reason is the same as in Theorem 5.2: except with negligible probability, the adversary is unable to produce a valid ciphertext that it did not obtain from a query to the encryption oracle. Producing such a ciphertext would violate ciphertext integrity, so the decryption oracle tells the adversary nothing it did not already know; the adversary therefore only obtains useful information from encryption queries, and these are not sufficient for it to succeed because the scheme is assumed to be CPA secure. The fact that authenticated encryption implies CCA security is proved in [16, Theorem 3.2], to which we refer for a thorough discussion of all these properties as well as of the approaches to authenticated encryption we have mentioned.
2. Let us go back to the approaches to authenticated encryption mentioned above and, in particular, to the Encrypt-then-MAC construction. It is proved in [16, Theorem 4.4] that, when applied to a CPA secure encryption scheme and a SUF-CMA secure MAC, it yields a scheme achieving authenticated encryption (in particular, this has Theorem 5.2 as a corollary, and the proof is similar to the one for that theorem). Encrypt-and-MAC is clearly weaker and should not be used: the tag is computed on the plaintext and sent in the clear, so a deterministic MAC reveals, for instance, whether two ciphertexts encrypt the same message, and the composition is in general not even CPA secure. MAC-then-Encrypt, while not secure in general because of the interaction between the encryption scheme and the MAC, is secure in some important particular cases (such as when used with randomized counter mode) and, in these cases, it may be preferable to Encrypt-then-MAC. The latter is generically, as claimed before, the best of the three approaches and hence is the one usually recommended for practical use. Two of the most important Internet protocols, SSL/TLS and IPsec, use, respectively, the MAC-then-Encrypt and the Encrypt-then-MAC approaches. The TLS case illustrates how fragile the former is in practice: its CBC-mode ciphersuites were repeatedly attacked through padding oracles (Vaudenay's attack of 2002 and Lucky Thirteen in 2013), and TLS 1.3 dropped MAC-then-Encrypt altogether in favour of AEAD ciphersuites.
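As an added illustration of the two remarks above (example code, not part of the book's text), the following Python program builds Encrypt-then-MAC from a randomized counter-mode encryption and HMAC-SHA256, and places Encrypt-and-MAC beside it for comparison. The counter mode uses HMAC-SHA256 as its PRF so that only the standard library is needed; a block cipher would be used in practice. All function names, the keys and the sample message are the example's own constructions.

```python
import hmac
import hashlib
import os
import struct

IV_LEN = 16   # random IV per encryption (randomized counter mode)
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(k_enc: bytes, iv: bytes, length: int) -> bytes:
    """Counter mode over a PRF: block i is F_k(iv || i), here F = HMAC-SHA256.
    Any PRF would do; HMAC is used so that the example needs only the stdlib."""
    out = bytearray()
    for counter in range(-(-length // TAG_LEN)):          # ceil(length / TAG_LEN) blocks
        out += hmac.new(k_enc, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def ctr_encrypt(k_enc: bytes, m: bytes) -> bytes:
    """CPA-secure randomized encryption: c = iv || (m XOR keystream)."""
    iv = os.urandom(IV_LEN)
    return iv + bytes(a ^ b for a, b in zip(m, _keystream(k_enc, iv, len(m))))


def ctr_decrypt(k_enc: bytes, c: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, iv, len(body))))


def mac(k_mac: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 plays the role of the SUF-CMA secure MAC."""
    return hmac.new(k_mac, data, hashlib.sha256).digest()


# --- Encrypt-then-MAC: the generic composition recommended above -----------

def etm_encrypt(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    c = ctr_encrypt(k_enc, m)
    return c + mac(k_mac, c)          # the tag covers the IV and the whole ciphertext


def etm_decrypt(k_enc: bytes, k_mac: bytes, ct: bytes):
    """Returns the plaintext, or None if the ciphertext is not authentic.
    The tag is verified (in constant time) before anything is decrypted, so a
    ciphertext that did not come from etm_encrypt is rejected: ciphertext integrity."""
    if len(ct) < IV_LEN + TAG_LEN:
        return None
    c, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(mac(k_mac, c), tag):
        return None
    return ctr_decrypt(k_enc, c)


# --- Encrypt-and-MAC: the weak composition, kept only for comparison -------

def eam_encrypt(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    """The tag is computed over the plaintext and travels in the clear."""
    return ctr_encrypt(k_enc, m) + mac(k_mac, m)


def eam_same_plaintext(ct1: bytes, ct2: bytes) -> bool:
    """CPA distinguisher: a deterministic MAC of the plaintext lets anyone tell
    whether two Encrypt-and-MAC ciphertexts carry the same message."""
    return ct1[-TAG_LEN:] == ct2[-TAG_LEN:]


def flip_byte(data: bytes, index: int) -> bytes:
    """Simulates an active adversary modifying one byte of a ciphertext."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)      # independent keys for the two primitives
    m = b"wire transfer: 100 EUR to account 42"         # constructed sample message
    ct = etm_encrypt(k_enc, k_mac, m)
    assert etm_decrypt(k_enc, k_mac, ct) == m
    # Ciphertext integrity: a flipped bit in the body or in the IV is rejected.
    assert etm_decrypt(k_enc, k_mac, flip_byte(ct, IV_LEN + 5)) is None
    assert etm_decrypt(k_enc, k_mac, flip_byte(ct, 0)) is None
    # Encrypt-and-MAC leaks message equality through the tag.
    assert eam_same_plaintext(eam_encrypt(k_enc, k_mac, m), eam_encrypt(k_enc, k_mac, m))
    print("ok")
```

Two details matter more than they look. The tag must cover the IV as well as the ciphertext body, otherwise an adversary can alter the IV and obtain a different, validly decrypting plaintext; and the two primitives must use independent keys, as the generic composition theorem assumes.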
5.5 MACs Based on Universal Hashing
One important cryptographic primitive, especially for authentication-related applications, is provided by hash functions. The generic term hash function is applied to functions that take as input an arbitrary bit string and map it to a fixed-length string, called a message digest or, simply, a digest, which is usually shorter, so that the hash function is said to compress the strings. Hash functions play a relevant role in database applications but for use in cryptography they have to satisfy some additional properties that we will explain in a forthcoming section. For now we will restrict our attention to a special class of hash functions generically called universal hash functions. The idea is the following: a universal hash function is an efficiently computable family of functions, indexed by a parameter called the key, with the property that the probability over all keys that two different elements in the domain have the same image (then we speak of a collision) is small. Thus we will consider a parameterized family of functions $h = \{h_k : A \to B\}_{k \in K}$. Such a family may also be regarded as a single entity and then we often speak of a keyed hash function,
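To make the definition concrete, here is an added Python example (not from the book) of one such family: the polynomial-evaluation hash $h_k(m_1,\dots,m_\ell) = \sum_{i=1}^{\ell} m_i k^i \bmod p$ with key $k \in \mathbb{Z}_p$, that is, $A = \mathbb{Z}_p^{\ell}$ and $B = K = \mathbb{Z}_p$. For a small prime it enumerates every key to compute the exact collision probability of a pair of distinct messages and checks it against the bound $\ell/p$ obtained by counting the roots of the difference polynomial. It also shows that the bound is a statement about a random key only: with the key in hand, collisions are trivial to construct, which is why a universal hash is not a cryptographic hash. The prime, the messages, the key and all function names are the example's own constructions.

```python
from typing import List, Sequence


def poly_hash(key: int, msg: Sequence[int], p: int) -> int:
    """h_k(m_1, ..., m_l) = sum_{i=1}^{l} m_i * k^i  (mod p), evaluated with
    Horner's rule. The family is indexed by the key k in Z_p; messages are
    fixed-length sequences of blocks in Z_p."""
    acc = 0
    for block in reversed(msg):
        acc = (acc + block) * key % p
    return acc


def collision_probability(m1: Sequence[int], m2: Sequence[int], p: int) -> float:
    """Exact probability, over a uniformly random key k in Z_p, that two distinct
    messages of equal length collide. Exhaustive over all keys, so small p only."""
    if len(m1) != len(m2) or list(m1) == list(m2):
        raise ValueError("need two distinct messages of the same length")
    colliding = sum(1 for k in range(p)
                    if poly_hash(k, m1, p) == poly_hash(k, m2, p))
    return colliding / p


def universality_bound(length: int, p: int) -> float:
    """h_k(m1) - h_k(m2) is a nonzero polynomial in k of degree <= length (no
    constant term), so it has at most `length` roots in Z_p: for EVERY pair of
    distinct messages, Pr_k[collision] <= length / p."""
    return length / p


def forge_collision(key: int, msg: Sequence[int], p: int) -> List[int]:
    """Caveat: universality says nothing once the key is known. Whoever holds k
    can add 1 to m_1 and subtract k^{-1} from m_2; the contributions k and
    -k^{-1} * k^2 cancel, so sum m_i k^i is unchanged."""
    if len(msg) < 2:
        raise ValueError("need at least two blocks")
    forged = list(msg)
    forged[0] = (forged[0] + 1) % p
    if key % p != 0:                 # h_0 is identically zero, so any change already collides
        forged[1] = (forged[1] - pow(key, -1, p)) % p
    return forged


if __name__ == "__main__":
    P = 1009                         # constructed small prime so that all keys can be enumerated
    m1, m2 = [1, 2, 3], [4, 5, 6]    # constructed sample messages, l = 3 blocks
    pr = collision_probability(m1, m2, P)
    print(f"Pr[collision] = {pr:.6f} <= l/p = {universality_bound(3, P):.6f}")
    forged = forge_collision(17, m1, P)
    print("known-key collision:", poly_hash(17, m1, P) == poly_hash(17, forged, P))
```

For the pair above the difference polynomial is $-3k(1 + k + k^2)$, which has exactly three roots in $\mathbb{Z}_{1009}$ (because $1009 \equiv 1 \pmod 3$, cube roots of unity exist), so the enumeration returns exactly $3/1009$ and the bound $\ell/p$ is met with equality; for the pair $(0,0,0)$ and $(0,0,1)$ the difference is $-k^3$ and only the key $0$ collides.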
 