For a secure channel, we however not only care about the confidentiality of messages exchanged, but also their integrity: no intermediate party should be able to modify the communication between the two endpoint parties.
Bellare and Namprempre [BN00] coined the notion of authenticated encryption (AE) for a symmetric encryption scheme providing the combination of both confidentiality and integrity of plaintext messages. Integrity of plaintexts (INT-PTXT) here formalizes that an adversary is not able to forge a valid ciphertext that decrypts to a previously unseen message (i.e., a new message). Bellare and Rogaway [BR00] considered an even stronger variant, integrity of
ciphertexts (INT-CTXT), which captures that an adversary is unable to forge an new valid
ciphertext, even one decrypting to a previously seen message.
In real-world applications, it is often necessary that some parts of the exchanged communi- cation is accessible to intermediate parties. For example, routing information for a message in a packet header of an Internet Protocol [Pos81a] packet must be accessible in transport. Still, such routing information should be integrity-protected against adversarial modification on the way. For such purposes, Rogaway [Rog02] established the notion of authenticated encryption
with associated data (AEAD), which emerged as the core building block for secure channels
(and other cryptographic components) to date. The notion of AEAD aims at jointly achieving the three described goals: providing confidentiality and integrity for the message encrypted as well as integrity for some additional string, the associated data ad. An AEAD scheme AEAD takes the associated data value ad ∈ {0, 1}∗ as additional input in the Enc and Dec algorithms. In order to avoid the use of randomness (as a potential source of weaknesses) in the encryption process, the encryption algorithm can be made deterministic by taking a nonce N ∈ {0, 1}n (a non-repeating number like a counter) as additional input which is also provided to the decryption algorithm; we then call the AEAD scheme nonce-based, without nonces we call it randomized. Putting everything together, correctness for a (nonce-based) AEAD scheme then demands that for any key K←− K, any message m ∈ {0, 1}$ ∗, any associated data ad ∈ {0, 1}∗, and any nonce N ∈ {0, 1}n it holds that DecK(N, ad, EncK(N, ad, m)) = m.
9.2.1 Stateless Notions for Confidentiality and Integrity
We can now formalize the security notions for (authenticated) symmetric encryption (with associated data) that capture confidentiality and integrity. We will do so in the syntax of nonce-based AEAD. Note that other notions can be easily obtained: for randomized AEAD by dropping the nonce input and making the encryption algorithm randomized, for authenticated encryption without associated data by additionally dropping the associated data input, and for classical symmetric encryption by additionally omitting the integrity requirements.
Confidentiality. Confidentiality captures the idea that an adversary is unable to distinguish the encryption of two messages of its choice, it comes in the variants of indistinguishability under chosen-plaintext attacks (IND-CPA) and under chosen-ciphertext attacks (IND-CCA). The security experiments for both notions (which we state formally in Figure 9.1) have in common that the adversary A is given access to a left-or-right encryption oracle OLoR which on input two messages m0 and m1 of equal length (|m0| = |m1|), along with a nonce N and associated data ad, always outputs the encryption EncK(N, ad, mb), for a key K ←− K and a bit b$ ←− {0, 1}$
fixed in the experiment and unknown to A. The adversary is then asked to distinguish between the cases b = 0 and b = 1, and if it cannot do so with non-negligible probability in the security parameter, the scheme is said to be IND-CPA-secure. For the stronger IND-CCA security notion, the adversary is additionally given access to a decryption oracle ODec which it may query on
9.2. Authenticated Encryption (with Associated Data)
ExptIND-ATK,bAEAD,A (1λ): 1 K←− K$ 2 Q ← ∅
3 b0←− A$ OLoR,[ODec]ATK=CCA(1λ) 4 return b0 OLoR(N, ad, m0, m1): 5 if |m0| 6= |m1| then 6 return 7 c ← EncK(N, ad, mb) 8 Q ← Q ∪ {(N, ad, c)} 9 return c ODec(N, ad, c): 10 m ← DecK(N, ad, c) 11 if (N, ad, c) /∈ Q then 12 return m 13 else 14 return ExptINT-ATKAEAD,A(1λ):
1 K←− K$ 2 Q ← ∅ 3 win ← 0 4 AOEnc,ODec(1λ) 5 return win OEnc(N, ad, m): 6 c ← EncK(N, ad, m) 7 if ATK = PTXT then 8 Q ← Q ∪ {(N, ad, m)} 9 else// ATK = CTXT 10 Q ← Q ∪ {(N, ad, c)} 11 return c ODec(N, ad, c): 12 m ← DecK(N, ad, c) 13 if m 6= ⊥ then
14 if ATK = PTXT and (N, ad, m) /∈ Q then 15 win ← 1
16 if ATK = CTXT and (N, ad, c) /∈ Q then 17 win ← 1
18 return m
Figure 9.1: Security experiments for confidentiality (IND-ATK) and integrity (INT-ATK) of AEAD
schemes, where ATK is a placeholder for CPA or CCA, resp. PTXT or CTXT. The brackets [ODec]ATK=CCA indicate that only the IND-CCA adversary has access to the ODec oracle.
ciphertexts (along with a nonce and associated data) distinct from those obtained from the OLoR oracle, i.e., on any distinct combination of ciphertext, nonce, and associated data (and hence especially on newly crafted ciphertexts). The latter restriction is to prevent a trivial win of the adversary by querying OLoR on some distinct m0 and m1 along with some nonce N
and associated data ad to obtain a ciphertext c, then query ODec on N , ad, and c to obtain a
decryption m, and output 0 in case m = m0 and 1 otherwise.
Integrity. Integrity captures the idea that an adversary cannot tamper with the messages respectively ciphertexts exchanged and accordingly comes in the variant of plaintext and ciphertext integrity (INT-PTXT, resp. INT-CTXT). In the security experiments (see Figure 9.1), the adversary is given encryption and decryption oracles OEnc and ODec, which compute c ← EncK(N, ad, m), resp. m ← DecK(N, ad, c), for inputs of the adversary’s choice. The
adversary is declared successful (via a flag win = 1, initialized to 0) if it submits to its decryption oracle a tuple of nonce N , associated data ad, and ciphertext c that decrypts to a non-error message m 6= ⊥, given that (N, ad, m) were never queried to OEnc (for INT-PTXT) resp. that
c was never output on an OEnc query with nonce N and associated data ad (for INT-CTXT).
That is, for INT-PTXT the adversary is required to forge an (N, ad, c) tuple resulting in a previously unseen message m, while for INT-CTXT any (N, ad, c) distinct from previous OEnc input/outputs is considered a valid forgery, even if it decrypts to a message m previously queried to OEnc. Note that INT-CTXT security implies INT-PTXT security, as, conversely, a successful
INT-PTXT forgery c such that (N, ad, m) /∈ Q in particular implies that for c also (N, ad, c) /∈ Q in the INT-CTXT experiment, as by correctness no other message m0 together with N and ad could have been encrypted to c.
We can now formalize the different confidentiality and integrity security notions for AEAD schemes. It is easy to see that IND-CCA security implies IND-CPA security (by omitting the ODec oracle). Furthermore, INT-CTXT security implies INT-PTXT security, as a distinct message decrypted in particular necessitates a distinct ciphertext input in the ODec oracle.
Definition 9.1 (Security for AEAD schemes). Let AEAD = (Enc, Dec) be a nonce-based AEAD scheme with key space K.
Let experiment ExptIND-ATK,bAEAD,A (1λ) for an adversary A and a bit b ∈ {0, 1} be defined as in
Figure 9.1, where ATK is a placeholder for either CPA or CCA. We say that AEAD provides indis-
tinguishability under chosen-plaintext attacks, respectively, chosen-ciphertext attacks ( IND-CPA,
resp. IND-CCA) if for all PPT adversaries A the following advantage function is negligible in the security parameter:
AdvIND-ATKAEAD,A(λ) := Pr
h
ExptIND-ATK,1AEAD,A (1λ) = 1i− PrhExptIND-ATK,0AEAD,A (1λ) = 1i .
Likewise, let experiment ExptINT-ATK,bAEAD,A (1λ) for an adversary A be defined as in Figure 9.1,
where ATK is a placeholder for either PTXT or CTXT. We say that AEAD provides integrity of
plaintexts, respectively, ciphertexts ( INT-PTXT, resp. INT-CTXT) if for all PPT adversaries A
the following advantage function is negligible in the security parameter:
AdvINT-ATKAEAD,A(λ) := PrhExptINT-ATKAEAD,A(1λ) = 1i.