Paper 2020/1524

Nonce-Misuse Security of the SAEF Authenticated Encryption mode

Elena Andreeva, Amit Singh Bhati, and Damian Vizar


ForkAE is a NIST lightweight cryptography candidate that uses the forkcipher primitive in two modes of operation -- SAEF and PAEF -- optimized for authenticated encryption of the shortest messages. SAEF is a sequential and online AEAD that minimizes the memory footprint compared to its alternative parallel mode PAEF, catering to the most constrained devices. SAEF was proven AE secure against nonce-respecting adversaries. Due to their more acute and direct exposure to device misuse and mishandling, in most use cases of lightweight cryptography, nonce reuse presents a very realistic attack vector. Furthermore, many lightweight applications mandate security for their online AEAD schemes against block-wise adversaries. Surprisingly, very few NIST lightweight AEAD candidates come with provable guarantees against these security threats. In this work, we investigate the provable security guarantees of SAEF when nonces are repeated under a refined version of the notion of online authenticated encryption OAE given by Fleischmann et al. in 2012. We apply Using the coefficient H technique we show that, with no modifications, SAEF is OAE secure up to the birthday security bound, i.e., up to $2^{n/2}$ processed blocks of data, where $n$ is the block size of the forkcipher. The implications of our work are that SAEF is safe to use in a block-wise fashion, and that if nonces get repeated, this has no impact on ciphertext integrity and confidentiality only degrades by a limited extent up to repetitions of common message prefixes.

Note: Editorial updates

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. Selected Areas in Cryptography 2020
Authenticated encryptionforkcipherlightweight cryptographyshort messagesonlineprovable securitynonce misuse
Contact author(s)
elena andreeva @ aau at
amitsingh bhati @ esat kuleuven be
damian vizar @ csem ch
2021-04-07: last of 2 revisions
2020-12-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elena Andreeva and Amit Singh Bhati and Damian Vizar},
      title = {Nonce-Misuse Security of the SAEF Authenticated Encryption mode},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1524},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.