Cryptology ePrint Archive: Report 2020/1524

Nonce-Misuse Security of the SAEF Authenticated Encryption mode

Elena Andreeva and Amit Singh Bhati and Damian Vizar

Abstract: ForkAE is a NIST lightweight cryptography candidate that uses the forkcipher primitive in two modes of operation -- SAEF and PAEF -- optimized for authenticated encryption of the shortest messages. SAEF is a sequential and online AEAD that minimizes the memory footprint compared to its alternative parallel mode PAEF, catering to the most constrained devices. SAEF was proven AE secure against nonce-respecting adversaries.

Due to their more acute and direct exposure to device misuse and mishandling, in most use cases of lightweight cryptography, nonce reuse presents a very realistic attack vector. Furthermore, many lightweight applications mandate security for their online AEAD schemes against block-wise adversaries. Surprisingly, very few NIST lightweight AEAD candidates come with provable guarantees against these security threats. In this work, we investigate the provable security guarantees of SAEF when nonces are repeated under a refined version of the notion of online authenticated encryption OAE given by Fleischmann et al. in 2012. We apply Using the coefficient H technique we show that, with no modifications, SAEF is OAE secure up to the birthday security bound, i.e., up to $2^{n/2}$ processed blocks of data, where $n$ is the block size of the forkcipher. The implications of our work are that SAEF is safe to use in a block-wise fashion, and that if nonces get repeated, this has no impact on ciphertext integrity and confidentiality only degrades by a limited extent up to repetitions of common message prefixes.

Category / Keywords: secret-key cryptography / Authenticated encryption, forkcipher, lightweight cryptography, short messages, online, provable security, nonce misuse

Original Publication (with minor differences): Selected Areas in Cryptography 2020

Date: received 4 Dec 2020, last revised 7 Apr 2021

Contact author: elena andreeva at aau at, amitsingh bhati at esat kuleuven be, damian vizar at csem ch

Available format(s): PDF | BibTeX Citation

Note: Editorial updates

Version: 20210407:170501 (All versions of this report)

Short URL: ia.cr/2020/1524


[ Cryptology ePrint archive ]