Paper 2014/144

How to Securely Release Unverified Plaintext in Authenticated Encryption

Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, and Kan Yasuda


Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle without the secret key. Releasing unverified plaintext then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity of ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes.

Note: Added missing term in Proposition 11.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in ASIACRYPT 2014
Symmetric-key CryptographyAuthenticated EncryptionReleasing Unverified PlaintextPlaintext AwarenessPlaintext ExtractorCAESAR Competition
Contact author(s)
nicky @ mouha be
2020-04-01: last of 4 revisions
2014-02-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elena Andreeva and Andrey Bogdanov and Atul Luykx and Bart Mennink and Nicky Mouha and Kan Yasuda},
      title = {How to Securely Release Unverified Plaintext in Authenticated Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2014/144},
      year = {2014},
      doi = {10.1007/978-3-662-45611-8_6},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.