Authenticated encryption aims to satisfy both secrecy (encryption) and integrity (authentication) simultaneously. Let’s define the experiment:
unforgeable encryption experiment :
- key is generated
- adversary is given access to encryption oracle .
- outputs . Let , then
- succeeds if and .
A private key encryption is AE scheme if it satisfies both CCA security and unforgeability. Let’s define two oracles:
- : sends encryption of for any message
- : sends decryption error for any ciphertext
Our goal is to not let adversary distinguish between correct oracle response and above two oracles. This guarantees that adversary can’t distinguish between encryption of and valid message , ensures secrecy and also can’t decrypt any valid ciphertext, ensures integrity.
AE experiment :
- key is generated
- uniform bit is chosen
- adversary is given access to oracles:
- if ,
- if ,
- outputs bit
- succeeds if .
- AE with AD (associated data) is possible when some data is public is needed to be sent with integrity only.
- CCA security and AE are separate notions, with an encryption that is CCA secure, we want secrecy but not integrity, AE targets both.
- with any encryption that is CCA secure and MAC that is strongly secure, AE scheme can be constructed.
Three constructions are possible when designing an AE:
- encrypt and authenticate: and
- TODO: prove this is not AE secure
- authenticate then encrypt: and
- TODO: prove this is not AE secure
- encrypt then authenticate: and
- to forge a mac, adversary needs pair for original , but strong security of MAC, makes this negligible, thus decryption oracle for AE scheme is useless and CCA security of AE reduces to CPA security of .
AE construction:
- : outputs two keys
- : outputs where, and
- : verifies , and outputs .
Prove that if is CPA secure ENC scheme and is strongly secure MAC scheme, then above construction is AE scheme.
- you begin by first proving that if is a strongly secure MAC, then probability of forgeability is negligible, i.e. probability of event that any new, valid pair is accepted is negligible.
- This renders the decryption oracle useless, as only error will be sent to the adversary for any other pair for which it hasn’t already queried the encryption oracle.
- This turns the CCA security of encryption scheme to CPA security.
- denote this by
- create adversary which is running experiment by attacking and runs as subroutine
- Now, our goal is to prove that , i.e. if is successful in outputting a new, valid , then will be able to succeed in sforge experiment.
- Now, since is negligible, then we prove that is CCA-secure (CPA security), i.e.
- again run CPA experiment with adversary running as subroutine, answering encryption oracle queries and outputting errors for decryption oracle queries.
- when outputs then, outputs exactly those message, get the challenge ciphertext , and calculate .
- output the same bit as output by .
- then