Paper 2015/895

Rogue Decryption Failures: Reconciling AE Robustness Notions

Guy Barwell, Dan Page, and Martijn Stam

Abstract

An authenticated encryption scheme is deemed secure (AE) if ciphertexts both look like random bitstrings and are unforgeable. AE is a much stronger notion than the traditional IND-CCA. One shortcoming of AE as commonly understood is its idealized, all-or-nothing decryption: if decryption fails, it will always provide the same single error message and nothing more. Reality often turns out differently: encode-then-encipher schemes often output decrypted ciphertext before verification has taken place, whereas pad-then-MAC-then-encrypt schemes are prone to distinguishable verification failures due to the subtle interaction between padding and the MAC-then-encrypt concept. Three recent papers provided what appeared to be independent and radically different definitions to model this type of decryption leakage. We reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real-world behaviour.
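The contrast the abstract draws, between a decryptor that reports one single failure symbol and one whose failures are distinguishable, can be made concrete in code. The following is an added illustration, not code from the paper or its authors: a toy pad-then-MAC-then-encrypt scheme (the keystream is an HMAC-SHA256 counter-mode construction standing in for a real cipher, and keys, nonce and message are constructed values) with two decryptors. `decrypt_leaky` unpads before it verifies the tag and reports a different error for each failure; `decrypt_robust` verifies the tag before parsing anything and reports the same error whatever went wrong. `observed_failures` is a check a defender can run over their own decryptor: tamper a valid ciphertext in two places and see how many distinct failure messages come back.

```python
"""Toy illustration of distinguishable vs. single-symbol decryption failures.
Constructed example; the keystream cipher here is a toy, not a real AE scheme."""
import hashlib
import hmac

BLOCK = 16    # padding block size
TAG_LEN = 32  # HMAC-SHA256 tag length


class DecryptError(Exception):
    """Raised on any decryption failure; str(e) is the error the caller sees."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy PRF-based keystream (HMAC-SHA256 in counter mode), stand-in for a cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a multiple of BLOCK.
    k = BLOCK - (len(data) % BLOCK)
    return data + bytes([k]) * k


def _unpad(data: bytes) -> bytes:
    k = data[-1] if data else 0
    if k < 1 or k > BLOCK or k > len(data) or data[-k:] != bytes([k]) * k:
        raise ValueError("bad padding")
    return data[:-k]


def _tag(mac_key: bytes, nonce: bytes, padded: bytes) -> bytes:
    return hmac.new(mac_key, nonce + padded, hashlib.sha256).digest()


def encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes) -> bytes:
    # pad-then-MAC-then-encrypt: the tag covers the padded message, then both are enciphered.
    padded = _pad(message)
    body = padded + _tag(mac_key, nonce, padded)
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def decrypt_leaky(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Unpads before verifying and reports a different error per failure cause."""
    if len(ct) < BLOCK + TAG_LEN:
        raise DecryptError("bad length")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    padded, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    try:
        message = _unpad(padded)
    except ValueError:
        raise DecryptError("bad padding") from None  # distinguishable failure #1
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, padded)):
        raise DecryptError("bad tag")                # distinguishable failure #2
    return message


def decrypt_robust(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Verifies the tag before any parsing and returns one error symbol for every failure."""
    if len(ct) < BLOCK + TAG_LEN:
        raise DecryptError("decryption failed")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    padded, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, padded)):
        raise DecryptError("decryption failed")
    try:
        return _unpad(padded)  # padding is authenticated, so this only fails on encoder bugs
    except ValueError:
        raise DecryptError("decryption failed") from None


def observed_failures(decrypt_fn, enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes):
    """Tamper a valid ciphertext in the last padding byte and in the tag; return the distinct errors seen."""
    ct = encrypt(enc_key, mac_key, nonce, message)
    messages = set()
    for idx in (-TAG_LEN - 1, -1):  # last byte of the padded message, last byte of the tag
        tampered = bytearray(ct)
        tampered[idx] ^= 0x80
        try:
            decrypt_fn(enc_key, mac_key, nonce, bytes(tampered))
        except DecryptError as e:
            messages.add(str(e))
    return sorted(messages)


if __name__ == "__main__":
    K_ENC, K_MAC, NONCE = b"\x11" * 32, b"\x22" * 32, b"\x00" * 12  # constructed values
    for fn in (decrypt_leaky, decrypt_robust):
        print(fn.__name__, observed_failures(fn, K_ENC, K_MAC, NONCE, b"attack at dawn"))
```

Both decryptors accept the same valid ciphertexts; the difference is only in what an invalid query reveals. The leaky variant returns two distinct error strings for the two tampered inputs, the robust variant returns one, which is the all-or-nothing behaviour the idealized AE definition assumes.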

Note: This is the full version

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Major revision. IMA International Conference on Cryptography and Coding 2015
DOI
10.1007/978-3-319-27239-9_6
Keywords
provable security, authenticated encryption, multiple errors, unverified plaintext, robustness
Contact author(s)
guy barwell @ bristol ac uk
History
2016-05-07: revised
2015-09-15: received
Short URL
https://ia.cr/2015/895
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/895,
      author = {Guy Barwell and Dan Page and Martijn Stam},
      title = {Rogue Decryption Failures: Reconciling AE Robustness Notions},
      howpublished = {Cryptology ePrint Archive, Paper 2015/895},
      year = {2015},
      doi = {10.1007/978-3-319-27239-9_6},
      note = {\url{https://eprint.iacr.org/2015/895}},
      url = {https://eprint.iacr.org/2015/895}
}