We show that any scheme to encrypt m blocks of size n bits each, which assures message integrity, is linear in (GF2)^n, uses m+k invocations of random functions (from n bits to n bits) and vn bits of randomness, must have k+v at least (log m). This lower bound is proved in a very general model which rules out many promising linear modes of operations for encryption with message integrity. This lower bound is tight, as in an earlier paper, "Encryption Models with Almost Free Message Integrity", Proc. Eurocrypt 2001, we show a linear scheme to encrypt m blocks while assuring message integrity by using only m+2+log m invocations of random permutations.