Can we use a MAC to transform a CPA secure encryption scheme into a CCA secure one?
How does encrypt-then-MAC protect from CCA? and maybe more. And remember AEAD > CCAx – kelalaka Oct 09 '22 at 20:54
Thank you @kelalaka. – user104304 Oct 09 '22 at 21:32
The straightforward approach is to use a MAC to create an AE scheme (typically using Encrypt-then-MAC), which then implies CCA security. But there are subtleties in the security required for the MAC. Check here: https://eprint.iacr.org/2000/025. Alternatively, MAC-then-Encrypt is also a (very fragile) option and only works for specific combinations of encryption and MACs. – Marc Ilunga Oct 09 '22 at 23:17
1 Answer
I will assume that the question is more conceptual and doesn't necessarily ask what one "should" do in real life. One can take a couple of approaches to achieve what is asked in the question. But, speaking abstractly, the straightforward answer is to use the MAC with the CPA secure encryption scheme to build an AE secure encryption scheme. The reason this works is that AE security implies CCA security. For proof, refer to this paper by Mihir Bellare and Chanathip Namprempre. We, therefore, have several concrete options:
Encrypt-then-MAC: This is the straightforward answer as it is a generically safe construction for an AE secure scheme. However, the devil is in the details. For this construction to be secure, we need that the MAC provides the stronger security that is SUF-CMA (the adversary should not produce a message-tag pair $(m,t)$ that was already created in the game).
MAC-then-Encrypt: As discussed in the paper I linked to, this construction doesn't generically provide AE security. Hence it is not always expected to provide CCA security. But there are specific combinations such that this method provides AE security. Namely, assuming the encryption scheme is "stream cipher" like or is the CBC mode without padding, then the MtE construction achieves AE security and, therefore, CCA security. See this paper by Hugo Krawczyk or the CCM mode of operation for AEAD.
Practically speaking, based on the most important criteria, one would use properly implemented AEAD schemes like GCM, CCM, GCM-SIV, ChaCha20-Poly1305, and so on. These will provide CCA out of the box.
For further discussions on generic composition of encryption and MAC, see the answer to this question.

Note that this Should we MAC-then-encrypt or encrypt-then-MAC? is our canonical Q/A. – kelalaka Oct 12 '22 at 09:11
@kelalaka, I added a reference to the question and answer. Although it seems to me, it doesn't "obviously" answer OP's question. – Marc Ilunga Oct 28 '22 at 11:37
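
The Encrypt-then-MAC composition from the answer above, as an added example that is not part of the original answer or its comments: it shows a CPA-style scheme accepting a bit-flipped ciphertext while the composed scheme rejects every modified ciphertext, which is what makes a decryption oracle useless. Assumptions: the CPA-secure scheme is a stand-in stream cipher built from HMAC-SHA256 in counter mode, the MAC is HMAC-SHA256 under an independent key, and all function names and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def keystream(key, nonce, n):
    # Stand-in PRF counter mode: HMAC-SHA256(key, nonce || counter) per block.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def cpa_encrypt(ke, msg):
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per message
    return nonce + bytes(a ^ b for a, b in zip(msg, keystream(ke, nonce, len(msg))))

def cpa_decrypt(ke, ct):
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(ke, nonce, len(body))))

def etm_encrypt(ke, km, msg):
    ct = cpa_encrypt(ke, msg)
    # Tag covers the whole ciphertext, nonce included. HMAC is deterministic and
    # verified by recomputation, so each ciphertext has exactly one valid tag.
    return ct + hmac.new(km, ct, hashlib.sha256).digest()

def etm_decrypt(ke, km, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(km, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # reject: the encryption key is never applied to forged input
    return cpa_decrypt(ke, ct)

def flip(blob, index, mask):
    return blob[:index] + bytes([blob[index] ^ mask]) + blob[index + 1:]

def demo():
    ke, km = os.urandom(32), os.urandom(32)  # independent keys
    msg = b"amount=0100"  # constructed sample plaintext; byte 7 is "0"
    bare, blob = cpa_encrypt(ke, msg), etm_encrypt(ke, km, msg)
    return {
        "cpa_only_tampered": cpa_decrypt(ke, flip(bare, NONCE_LEN + 7, 9)),  # "0"^"9" == 9
        "etm_honest": etm_decrypt(ke, km, blob),
        "etm_body_flip": etm_decrypt(ke, km, flip(blob, NONCE_LEN + 7, 9)),
        "etm_nonce_flip": etm_decrypt(ke, km, flip(blob, 0, 1)),
        "etm_tag_flip": etm_decrypt(ke, km, flip(blob, len(blob) - 1, 1)),
    }
```

Calling `demo()` returns the decryption result for each case; `None` stands for the rejection symbol an AE scheme outputs on an invalid ciphertext.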