Paper 2015/189

Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

Viet Tung Hoang, Reza Reyhanitabar, Phillip Rogaway, and Damian Vizár

Abstract

A definition of \textit{online authenticated-encryption} (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue that this expectation is effectively wrong. OAE1 security has also been claimed to capture best-possible security for any online-AE scheme. We claim that this understanding is wrong, too. So motivated, we redefine OAE-security, providing a radically different formulation, OAE2. The new notion effectively \textit{does} capture best-possible security for a user's choice of plaintext segmentation and ciphertext expansion. It is achievable by simple techniques from standard tools. Yet even for OAE2, nonce-reuse can still be devastating. The picture to emerge is that no OAE definition can meaningfully tolerate nonce-reuse, but, at the same time, OAE security ought never have been understood to turn on this question.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Authenticated encryption, CAESAR competition, misuse resistance, nonce reuse, online AE, symmetric encryption
Contact author(s): tvhoang @ cs fsu edu
History:
  2018-11-29: last of 6 revisions
  2015-03-04: received
Short URL: https://ia.cr/2015/189
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2015/189,
      author = {Viet Tung Hoang and Reza Reyhanitabar and Phillip Rogaway and Damian Vizár},
      title = {Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance},
      howpublished = {Cryptology ePrint Archive, Paper 2015/189},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/189}},
      url = {https://eprint.iacr.org/2015/189}
}