Received 15 July 2007 and revised 24 June 2008. Online publication 30 July 2008 | Mihir Bellare and Chanathip Namprempre
The paper "Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm" by Mihir Bellare and Chanathip Namprempre explores the security properties of authenticated encryption schemes, which aim to provide both privacy and integrity. The authors consider two main notions of integrity: integrity of plaintexts (INT-PTXT) and integrity of ciphertexts (INT-CTXT), and relate them to the standard notions of privacy, IND-CPA (indistinguishability under chosen-plaintext attack), IND-CCA (indistinguishability under chosen-ciphertext attack), and NM-CPA (nonmalleability under chosen-plaintext attack). They present implications and separations between these notions, showing that INT-CTXT ∧ IND-CPA implies IND-CCA, but not vice versa, and that INT-PTXT ∧ IND-CPA does not imply NM-CPA.
The paper also analyzes the security of authenticated encryption schemes designed using "generic composition," which involves combining a symmetric encryption scheme with a message authentication (MA) scheme. Three composition methods are considered: Encrypt-and-MAC (E&M), MAC-then-encrypt (MtE), and Encrypt-then-MAC (EtM). For each method, the authors determine whether the resulting scheme meets the security notions of INT-CTXT ∧ IND-CPA or INT-PTXT ∧ IND-CPA, assuming the underlying encryption scheme is IND-CPA secure and the MA scheme is unforgeable under chosen-message attack. Proofs are provided for positive results, while counterexamples are given for negative results.
The analysis highlights that EtM is secure under all considered notions, making it a robust choice for standardization. MtE is also secure under INT-PTXT ∧ IND-CPA, while E&M fails to provide IND-CPA security for most commonly used MAC schemes. The paper concludes with a discussion of related work and extensions, including extensions to authenticated encryption with associated data (AEAD) and dedicated schemes designed to achieve specific security goals.