RUP security is a particularly relevant security target for lightweight (LW) implementations of AE schemes on memory-constrained devices or devices with stringent real-time requirements. Surprisingly, very few NIST lightweight AEAD candidates come with any provable guarantees against RUP. In this work, we show that the SAEF mode of operation of the ForkAE family comes with integrity guarantees in the RUP setting. The RUP integrity (INT-RUP) property was defined by Andreeva et al. in Asiacrypt'14. Our INT-RUP proof is conducted using the coefficient H technique and it shows that, without any modifications, SAEF is INT-RUP secure up to the birthday bound, i.e., up to $2^{n/2}$ processed data blocks, where $n$ is the block size of the forkcipher. The implication of our work is that SAEF is indeed RUP secure in the sense that the release of unverified plaintexts will not impact its ciphertext integrity.
Category / Keywords: secret-key cryptography / Authenticated encryption, forkcipher, lightweight cryptography, short messages, online, provable security, release of unverified plaintext, RUP.

Date: received 27 Jan 2021

Contact author: elena andreeva at aau at,amitsingh bhati@esat kuleuven be,damian vizar@csem ch

Version: 20210128:133625

Short URL: ia.cr/2021/103