## Authenticated encryption: Relations among notions and analysis of the generic composition paradigm (2000)

Citations: 221 (22 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare00authenticatedencryption:,
    author = {Mihir Bellare and Chanathip Namprempre},
    title = {Authenticated encryption: Relations among notions and analysis of the generic composition paradigm},
    booktitle = {},
    year = {2000},
    pages = {531--545},
    publisher = {Springer-Verlag}
}
```

### Abstract

and analysis of the generic composition paradigm

### Citations

1174 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ...r chosen-plaintext or (adaptive) chosen-ciphertext attack, leading to four notions of security we abbreviate IND-CPA, IND-CCA, NM-CPA, NM-CCA. (The original definitions were in the asymmetric setting =-=[26, 25, 42, 21]-=- but can be "lifted" to the symmetric setting using the encryption oracle based template of [5]). The relations among these notions are well-understood [6, 21, 33]. We consider two notions of integrit... |

832 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ... notions of a message authentication scheme using games. Game WUF-CMA_MA of Figure 6 captures the standard notion of unforgeability under chosen-message attacks, namely the adaptation of the notion of =-=[27]-=- to the symmetric setting as per [7]. This notion considers the adversary successful if it forges a tag of a message that it did not query to its Tag oracle. Game SUF-CMA_MA captures a stronger notion ... |

476 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
Citation Context ...“generic composition,” where a privacy-only symmetric encryption scheme (for example a block cipher mode of operation like CBC) is combined with a message authentication (MA) scheme (for example HMAC =-=[4]-=- or CBC-MAC). The goal of symmetric encryption is usually viewed as privacy, but an authenticated encryption scheme is simply a symmetric encryption scheme meeting additional authenticity goals. The f... |

449 | Relations Among Notions of Security for Public-Key Encryption Schemes
- Bellare, Desai, et al.
- 1998
Citation Context ...ption schemes, and integrates them into the existing mosaic of notions by relating them to the main known notions of privacy for symmetric encryption, via implications and separations in the style of =-=[6]-=-. The second part of this paper analyzes several generic composition methods with regard to meeting the previous notions. Let us now look at these items in more detail. 1.1 Relations among notions Pri... |

448 | Nonmalleable cryptography
- Dolev, Dwork, et al.
- 2006
Citation Context ...r chosen-plaintext or (adaptive) chosen-ciphertext attack, leading to four notions of security we abbreviate IND-CPA, IND-CCA, NM-CPA, NM-CCA. (The original definitions were in the asymmetric setting =-=[26, 25, 42, 21]-=- but can be "lifted" to the symmetric setting using the encryption oracle based template of [5]). The relations among these notions are well-understood [6, 21, 33]. We consider two notions of integrit... |

352 | A concrete security treatment of symmetric encryption: Analysis of DES modes of operation
- Bellare, Desai, et al.
Citation Context ...eviate IND-CPA, IND-CCA, NM-CPA, NM-CCA. (The original definitions were in the asymmetric setting [12,10,18] but can be “lifted” to the symmetric setting using the encryption oracle based template of =-=[2]-=-). The relations among these notions are well-understood [3,11]. (These papers state results for the asymmetric setting, but as noted in [3] it is an easy exercise to transfer them to the symmetric set... |

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1992
Citation Context ...r chosen-plaintext or (adaptive) chosen-ciphertext attack, leading to four notions of security we abbreviate IND-CPA, IND-CCA, NM-CPA, NM-CCA. (The original definitions were in the asymmetric setting =-=[26, 25, 42, 21]-=- but can be "lifted" to the symmetric setting using the encryption oracle based template of [5]). The relations among these notions are well-understood [6, 21, 33]. We consider two notions of integrit... |

263 | Analysis of key-exchange protocols and their use for building secure channels
- Canetti, Krawczyk
- 2001
Citation Context ...rt, referred to as the key wrap problem, and introduce a notion of deterministic authenticated encryption, which they prove to be equivalent to key wrapping. Generic composition. Canetti and Krawczyk =-=[18]-=- show that EtM implements a "secure channel," and Krawczyk [37] shows that E&M and MtE in general do not. Krawczyk [37], however, finds some particular instantiations of MtE that do implement secure c... |

249 | Public-key cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
Citation Context ... notions IND-CCA, NM-CCA were denoted IND-CCA2 and NM-CCA2, respectively, in [6]. The chosen-ciphertext attacks here are the adaptive kind [42]. Consideration of non-adaptive chosen-ciphertext attacks =-=[40]-=- leads to two more notions, denoted IND-CCA1 and NM-CCA1 by [6], who worked out the relations between six notions of privacy, these two and the four we consider here. (Their results hold for both the ... |

193 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
- 2000
Citation Context ...scheme using games. Game WUF-CMA_MA of Figure 6 captures the standard notion of unforgeability under chosen-message attacks, namely the adaptation of the notion of [27] to the symmetric setting as per =-=[7]-=-. This notion considers the adversary successful if it forges a tag of a message that it did not query to its Tag oracle. Game SUF-CMA_MA captures a stronger notion in which, to be successful, not only... |

139 | On the security of joint signature and encryption
- An, Dodis, et al.
- 2002
Citation Context ...ecure channel,” and Krawczyk [37] shows that E&M and MtE in general do not. Krawczyk [37], however, finds some particular instantiations of MtE that do implement secure channels. An, Dodis, and Rabin =-=[2]-=- analyze generic-composition-based signcryption. Other general approaches. An and Bellare [1] analyze the “encryption with redundancy” paradigm in which one attempts to get an authenticated encryption... |

138 | signcryption or how to achieve cost (signature &encryption) << cost (signature) + cost (encryption), (Extended abstract
- Zheng
Citation Context ... consider two other notions of authenticity not considered here. They also observe the implication INT-CTXT ∧ IND-CPA → IND-CCA and present an authenticated encryption scheme called RPC. Signcryption =-=[49]-=- is an asymmetric analog of authenticated encryption. 1.4 Subsequent related work A preliminary version of our paper appeared in 2000 [9]. Subsequent to this, there has been a lot of work on authentic... |

137 | OCB: A block-cipher mode of operation for efficient authenticated encryption
- Rogaway, Bellare, et al.
- 2003
Citation Context ...ns of security that require protection against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC [32, 28, 29], OCB =-=[44]-=-, XCBC [24], CCM [47], Helix [22], GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy-only sche... |

123 | The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?), Crypto 2001
- Krawczyk
Citation Context ... of deterministic authenticated encryption, which they prove to be equivalent to key wrapping. Generic composition. Canetti and Krawczyk [18] show that EtM implements a "secure channel," and Krawczyk =-=[37]-=- shows that E&M and MtE in general do not. Krawczyk [37], however, finds some particular instantiations of MtE that do implement secure channels. An, Dodis, and Rabin [2] analyze generic-composition-b... |

120 | The SSL protocol (version 3.0
- FREIER, KARLTON, et al.
- 1996
Citation Context ...o the plaintext and then encrypt them together. "Decrypt+verify" is performed by first decrypting to get the plaintext and candidate tag, and then verifying the tag. SSL uses a variant of this method =-=[23]-=-. -- Encrypt-then-MAC (EtM): E(Ke ‖ Km, M) = C ‖ T(Km, C) where C = E(Ke, M). Namely, encrypt the plaintext to get a ciphertext C and append a MAC of C. "Decrypt+verify" is performed by first verifying... |

111 | UMAC: Fast and secure message authentication
- Black, Halevi, et al.
- 1999
Citation Context ...r CTR.) Also assume we are given a message authentication scheme MA whose tagging and tag-verifying algorithms we denote by T and V, respectively. (Possibilities include the CBC-MAC, HMAC [4], or UMAC =-=[15]-=-). We assume the encryption scheme meets the weakest notion of privacy, namely IND-CPA. This is an appropriate assumption because standard modes of operations such as CBC and CTR do meet the notion [5... |

106 | Encryption modes with almost free message integrity
- Jutla
- 2001
Citation Context ...nd considers notions of security that require protection against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC =-=[32, 28, 29]-=-, OCB [44], XCBC [24], CCM [47], Helix [22], GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy... |

82 | New proofs for nmac and hmac: Security without collision-resistance
- Bellare
- 2006
Citation Context ...e the MA scheme meets a notion of unforgeability under chosen message attack. (We will consider both a weak and a strong version of this notion. Standard constructs such as HMAC and CBC-MAC meet both =-=[7, 4, 3]-=-.) We want to “compose” (meaning, appropriately combine) Table: Composition Method | Privacy (IND-CPA, IND-CCA, NM-CPA) | Integrity (INT-PTXT, INT-CTXT). Encrypt-and-MAC: insecure, insecure, insecure, secure, insecure. MAC-... |

75 | A uniform-complexity treatment of encryption and zero-knowledge
- Goldreich
- 1993

65 | CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
- Black, Rogaway
- 2000
Citation Context ...aning any SUF-CMA secure MA scheme is also WUF-CMA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC [41], XCBC =-=[16]-=-, PMAC [17], TMAC [38], OMAC [30], and CMAC [46]. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the results su... |

62 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography
- Bellare, Rogaway
- 2000
Citation Context ...and their relations to the notions of authenticity. Authenticity of an encryption scheme has been understood as a goal by designers for many years. The INT-CTXT notion seems to have first appeared in =-=[11, 34]-=-. (These two works are concurrent and independent.) Katz and Yung [34] consider two other notions of authenticity not considered here. They also observe the implication INT-CTXT ∧ IND-CPA → IND-CCA an... |

61 | Characterization of security notions for probabilistic private-key encryption
- Katz, Yung
Citation Context ... were in the asymmetric setting [26, 25, 42, 21] but can be "lifted" to the symmetric setting using the encryption oracle based template of [5]). The relations among these notions are well-understood =-=[6, 21, 33]-=-. We consider two notions of integrity (we use the terms authenticity and integrity interchangeably) for symmetric encryption schemes. INT-PTXT (integrity of plaintexts) requires that it be computatio... |

58 | A block-cipher mode of operation for parallelizable message authentication
- Black, Rogaway
Citation Context ...UF-CMA secure MA scheme is also WUF-CMA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC [41], XCBC [16], PMAC =-=[17]-=-, TMAC [38], OMAC [30], and CMAC [46]. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the results summarized in... |

56 | Non-malleable encryption. Equivalence between two notions, and an indistinguishability-based characterization
- Bellare, Sahai
- 1999
Citation Context ...∪ {C} ; Return C proc VF(C) M ← D(K,C) If M ≠ ⊥ and C ∉ S then win ← true Return (M ≠ ⊥) proc Finalize Return win Figure 5: Game INT-PTXT_SE (left) and Game INT-CTXT_SE (right) where SE = (K, E, D). =-=[14]-=-, adapted to the symmetric setting. This facilitates our proofs and analyses and also facilitates concrete security measurements. Game NM-CPA_SE provides the adversary with the usual LR oracle to which... |

53 | The EAX mode of operation
- Bellare, Rogaway, et al.
- 2004
Citation Context ...icated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC [32, 28, 29], OCB [44], XCBC [24], CCM [47], Helix [22], GCM [39], CWC [36] and EAX =-=[13]-=-. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy-only schemes. IND-CCA. Authenticated encryption is not the only approach to... |

39 | Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004/331
- Bellare, Rogaway
- 2004
Citation Context ...ut obtained. By a1 ‖ ... ‖ an, we denote a string encoding of a1, ..., an from which the latter are uniquely recoverable. Games. Our definitions and proofs will be in the code-based game-playing style of =-=[12]-=-. We recall some background here. A game —look at Figure 7 for an example— has an Initialize procedure, procedures to respond to adversary oracle queries, and a Finalize procedure. A game G is execute... |

38 | The security and performance of the galois/counter mode (gcm) of operation
- McGrew, Viega
- 2004
Citation Context ...nst replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC [32, 28, 29], OCB [44], XCBC [24], CCM [47], Helix [22], GCM =-=[39]-=-, CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy-only schemes. IND-CCA. Authenticated encryption is n... |

37 | Unforgeable encryption and chosen ciphertext secure modes of operation
- Katz, Yung
- 2011
Citation Context ...and their relations to the notions of authenticity. Authenticity of an encryption scheme has been understood as a goal by designers for many years. The INT-CTXT notion seems to have first appeared in =-=[11, 34]-=-. (These two works are concurrent and independent.) Katz and Yung [34] consider two other notions of authenticity not considered here. They also observe the implication INT-CTXT ∧ IND-CPA → IND-CCA an... |

33 | Phelix: Fast Encryption and Authentication in a Single Cryptographic Primitive, 2005. Available at http://www.ecrypt.eu.org/stream/phelix.html
- Whiting, Schneier, et al.
Citation Context ...ction against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC [32, 28, 29], OCB [44], XCBC [24], CCM [47], Helix =-=[22]-=-, GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy-only schemes. IND-CCA. Authenticated encry... |

33 | Authenticated-encryption with associated-data
- Rogaway
- 2002
Citation Context ... related work A preliminary version of our paper appeared in 2000 [9]. Subsequent to this, there has been a lot of work on authenticated encryption. We summarize some of it below. Extensions. Rogaway =-=[43]-=- introduces an extension of the notion of authenticated encryption called authenticated encryption with associated data (AEAD). Here the data has two fields, a header and a plaintext. Integrity is req... |

27 | On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction
- Jaulmes, Joux, et al.
- 2002
Citation Context ... practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC [41], XCBC [16], PMAC [17], TMAC [38], OMAC [30], and CMAC [46]. UMAC [15] and RMAC =-=[31]-=- are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the results summarized in Figure 1 and provide proofs. We begin with the implications a... |

26 | IP encapsulating security payload (ESP). Request for Comments (Proposed Standard
- Atkinson
- 1995
Citation Context ...symmetric encryption, via implications and separations in the style of [3]. The second part of this paper is motivated by emerging standards such as =-=[16]-=- which design authenticated encryption schemes by what we call “generic composition” of encryption and MAC schemes. We analyze, with regard to meeting the previous notions, several generic composition... |

25 | Secure signature schemes based on interactive protocols
- Cramer, Damgård
- 1995
Citation Context ...osen-message attack. (The message does not have to be new as long as the output tag was not previously attached to this message by the legitimate parties.) This notion seems to have first appeared in =-=[19]-=-, albeit in the asymmetric setting. We note that any pseudorandom function is a strongly unforgeable MAC, and most practical MACs seem to be strongly unforgeable. Therefore, analyzing the composition ... |

25 | A provable-security treatment of the key-wrap problem
- Rogaway, Shrimpton
- 2006
Citation Context ...nticated encryption with associated data (AEAD). Here the data has two fields, a header and a plaintext. Integrity is required for the whole, but privacy only for the plaintext. Rogaway and Shrimpton =-=[45]-=- explore the problem of cryptographic key transport, referred to as the key wrap problem, and introduce a notion of deterministic authenticated encryption, which they prove to be equivalent to key wra... |

22 | and Kaoru Kurosawa, “OMAC: One-key CBC
- Iwata
Citation Context ...e is also WUF-CMA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC [41], XCBC [16], PMAC [17], TMAC [38], OMAC =-=[30]-=-, and CMAC [46]. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the results summarized in Figure 1 and provide ... |

22 | The Secure Shell (SSH) Transport Layer Protocol, RFC 4253
- Ylonen, Lonvick
- 2006
Citation Context ...laintext and append a MAC of the plaintext. "Decrypt+verify" is performed by first decrypting to get the plaintext and then verifying the tag. The Transport Layer of SSH uses a variant of this method =-=[48]-=-. -- MAC-then-encrypt (MtE): E(Ke ‖ Km, M) = E(Ke, M ‖ T(Km, M)). Namely, append a MAC to the plaintext and then encrypt them together. "Decrypt+verify" is performed by first decrypting to get the pla... |

19 | Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm
- Bellare, Kohno, et al.
- 2004
Citation Context ...in SSH. Our results about E&M might make one pessimistic about the security of SSH, which as we said above, is E&M-based. However, SSH in fact uses a variant of E&M, and a direct analysis provided by =-=[8]-=- shows that this variant is in fact secure in most ways. This work also extends ours to allow stateful verification and considers notions of security that require protection against replay attacks. De... |

16 | Does encryption with redundancy provide authenticity
- An, Bellare
- 2001
Citation Context ...wever, finds some particular instantiations of MtE that do implement secure channels. An, Dodis, and Rabin [2] analyze generic-composition-based signcryption. Other general approaches. An and Bellare =-=[1]-=- analyze the “encryption with redundancy” paradigm in which one attempts to get an authenticated encryption scheme by adding some redundancy to the plaintext before encrypting. Bellare and Rogaway [11... |

16 | Improved Security Analyses for CBC MACs
- Bellare, Pietrzak, et al.
- 2005
Citation Context ...F-CMA implies WUF-CMA, meaning any SUF-CMA secure MA scheme is also WUF-CMA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC =-=[7, 10]-=-, EMAC [41], XCBC [16], PMAC [17], TMAC [38], OMAC [30], and CMAC [46]. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we... |

16 | Encapsulating Security Payload
- ”IP
- 1998
Citation Context ...Ke, M ). Namely, encrypt the plaintext to get a ciphertext C and append a MAC of C. "Decrypt+verify" is performed by first verifying the tag and then decrypting C. IPSEC uses a variant of this method =-=[35]-=-. Here E is the encryption algorithm of the authenticated encryption scheme while the "decrypt+verify" process specifies a decryption algorithm D. The latter will either return a plaintext or a specia... |

10 | New Paradigms for Constructing Symmetric Encryption Schemes Secure Against Chosen-Ciphertext Attack
- Desai
Citation Context ...ely the same cost as privacy-only schemes. IND-CCA. Authenticated encryption is not the only approach to achieving IND-CCA. Direct approaches yielding more compact schemes have been provided by Desai =-=[20]-=-. 2 Definitions Conventions. Unless otherwise indicated, an algorithm may be randomized. An adversary is an algorithm. By y ←$ A(x1, x2, ...), we mean we execute algorithm A with fresh coins on input... |

5 | CBC MAC for real time data sources
- Petrank, Rackoff
- 1997
Citation Context ...WUF-CMA, meaning any SUF-CMA secure MA scheme is also WUF-CMA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC =-=[41]-=-, XCBC [16], PMAC [17], TMAC [38], OMAC [30], and CMAC [46]. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the... |

5 | Iwata T.: The Advanced Encryption Standard-Cipher-based Message Authentication Code Pseudo-Random Function-128 (AESCMAC-PRF-128) Algorithm for the Internet Key Exchange
- Song, Poovendran, et al.
- 2008
Citation Context ...MA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC [41], XCBC [16], PMAC [17], TMAC [38], OMAC [30], and CMAC =-=[46]-=-. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the results summarized in Figure 1 and provide proofs. We begi... |

3 | TMAC: Two-key CBC
- Kurosawa, Iwata
- 2003
Citation Context ...re MA scheme is also WUF-CMA secure. There are many practical MACs that are SUF-CMA secure under standard assumptions, for example, HMAC [4, 3], CBC-MAC [7, 10], EMAC [41], XCBC [16], PMAC [17], TMAC =-=[38]-=-, OMAC [30], and CMAC [46]. UMAC [15] and RMAC [31] are randomized WUF-CMA MA schemes. 3 Relations among notions of symmetric encryption In this section, we detail the results summarized in Figure 1 a... |

2 | AES encryption & authentication using CTR mode
- Whiting, Housley, et al.
- 2002
Citation Context ...equire protection against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC [32, 28, 29], OCB [44], XCBC [24], CCM =-=[47]-=-, Helix [22], GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy-only schemes. IND-CCA. Authent... |

1 | An observation regarding Jutla's modes of operation
- Halevi
- 2001
Citation Context ...nd considers notions of security that require protection against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC =-=[32, 28, 29]-=-, OCB [44], XCBC [24], CCM [47], Helix [22], GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy... |

1 | The security of the IAPM and IACBC modes
- Hastad
- 2007
Citation Context ...nd considers notions of security that require protection against replay attacks. Dedicated schemes. Dedicated schemes are ones that attempt to directly achieve IND-CPA ∧ INT-CTXT. These include IACBC =-=[32, 28, 29]-=-, OCB [44], XCBC [24], CCM [47], Helix [22], GCM [39], CWC [36] and EAX [13]. Some of these are more efficient than schemes obtained by generic composition, having effectively the same cost as privacy... |