Due to their more acute and direct exposure to device misuse and mishandling, in most use cases of lightweight cryptography, nonce reuse presents a very realistic attack vector. Furthermore, many lightweight applications mandate security for their online AEAD schemes against block-wise adversaries. Surprisingly, very few NIST lightweight AEAD candidates come with provable guarantees against these security threats. In this work, we investigate the provable security guarantees of SAEF when nonces are repeated, under a refined version of the notion of online authenticated encryption (OAE) given by Fleischmann et al. in 2012. Using the coefficient H technique, we show that, with no modifications, SAEF is OAE secure up to the birthday security bound, i.e., up to $2^{n/2}$ processed blocks of data, where $n$ is the block size of the forkcipher. The implications of our work are that SAEF is safe to use in a block-wise fashion, and that if nonces get repeated, this has no impact on ciphertext integrity, and confidentiality degrades only to a limited extent, namely up to repetitions of common message prefixes.
Category / Keywords: secret-key cryptography / Authenticated encryption, forkcipher, lightweight cryptography, short messages, online, provable security, nonce misuse
Original Publication (with minor differences): Selected Areas in Cryptography 2020
Date: received 4 Dec 2020, last revised 7 Apr 2021
Contact author: elena andreeva at aau at, amitsingh bhati@esat kuleuven be, damian vizar@csem ch
Available format(s): PDF
Note: Editorial updates
Version: 20210407:170501
Short URL: ia.cr/2020/1524