Message Authentication Codes (MACs) and Authenticated Encryption

Goals

• Define message integrity
• Prove the security of MAC constructions
• Explain why authenticated encryption is necessary and how to achieve it

Message Integrity

• What ingredients are necessary for a MAC?
• Define the MAC security game
• Can we define a secure MAC using a PRF?
• How are variable-length MACs constructed?
• How do MACs deal with padding?
  • What can go wrong?
• Why do straightforward applications of hashes to construct MACs fail?

Authenticated Encryption

• Why do we need authenticated encryption?
• Why is IND-CPA a limited notion of secrecy?
• Which combination of MAC-then-encrypt, encrypt-then-MAC, or encrypt-and-MAC is most likely to be secure?
• Define the authenticated-encryption game
  • What properties does AE imply?
• Define the ciphertext integrity game
• What is AEAD?