A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT [article]

Daniel Jost, Christian Badertscher, Fabio Banfi
2018 IACR Cryptology ePrint Archive  
The security of authenticated encryption schemes is often captured by demanding CCA security (IND-CCA) and integrity of plaintexts (INT-PTXT). In this short note, we prove that this implies in particular integrity of ciphertexts, i.e., INT-CTXT. Hence, the two sets of requirements mentioned in the title are equivalent.

The Security Games

We treat the stateful notions in this short note since they are the most widely used notions for authenticated encryption (the main use case is realizing a cryptographic channel). A proof for the non-stateful versions would follow along the same lines. We restate the relevant stateful notions from [BKN04] formally in Figure 1 and Figure 2. A (stateful) authenticated encryption scheme consists of a triple of algorithms Ψ = (Gen, E, D) for key generation, encryption, and decryption, respectively, as defined in detail in [BKN04] (including the definitions of correctness and being stateful). The message space is denoted by M and the ciphertext space is denoted by C. Our notation basically follows that of [BN08; BKN04].
dblp:journals/iacr/JostBB18 fatcat:nojdpcrnxvauvp3v224wv7vdci