Paper 2021/103

OAE-RUP: A Strong Online AEAD Security Notion and its Application to SAEF

Amit Singh Bhati, COSIC, KU Leuven
Elena Andreeva, TU Wien
Damian Vizar, CSEM
Abstract

Release of unverified plaintexts (RUP) security is an important target for robustness in AE schemes. It is also highly crucial for lightweight (LW) implementations of online AE schemes on memory-constrained devices. Surprisingly, very few online AEAD schemes come with provable guarantees against RUP integrity and not one with any well-defined RUP confidentiality. In this work, we first propose a new strong security notion for online AE schemes called OAE-RUP that captures security under blockwise processing of both encryption (which includes nonce-misuse) and decryption (which includes RUP). Formally, OAE-RUP combines the standard RUP integrity notion INT-RUP with a new RUP confidentiality notion sOPRPF (strong Online PseudoRandom Permutation followed by a pseudorandom Function). sOPRPF is based on the concept of "strong online permutations" and can be seen as an extension of the well-known CCA3 notion (Abed et al., FSE 2014) that captures arbitrary-length inputs. An OAE-RUP-secure scheme is resistant against nonce-misuse as well as leakage of unverified plaintexts where the integrity remains unaffected, and the confidentiality of any encrypted plaintext is preserved up to the leakage of the longest prefix with the leaked plaintexts and the leakage of the length of the longest prefix with the nonce-repeating ciphertexts. We then prove the OAE-RUP security of the SAEF mode. SAEF is a ForkAE mode (Asiacrypt 2019) that is optimized for authenticated encryption of short messages and processes the message blocks sequentially and in an online manner. At SAC 2020, it was shown that SAEF is also an online nonce misuse-resistant AE (OAE), offering enhanced security against adversaries that make blockwise adaptive encryption queries. It has remained an open question if SAEF also resists attacks against blockwise adaptive decryption adversaries or, more generally, when the decrypted plaintext is released before verification (RUP). Our proofs are conducted using the coefficients H technique, and they show that, without any modifications, SAEF is OAE-RUP secure up to the birthday bound, i.e., up to $2^{n/2}$ processed data blocks, where $n$ is the block size of the forkcipher.

Note: - Affiliations are updated and a minor typo in tag length is fixed.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Major revision. SCN 2024
Keywords
Authenticated encryptionforkcipherlightweightprovable securityonlinerelease of unverified plaintextOAE-RUP
Contact author(s)
amitsingh bhati @ esat kuleuven be
elena andreeva @ tuwien ac at
damian vizar @ csem ch
History
2025-05-21: last of 7 revisions
2021-01-28: received
See all versions
Short URL
https://ia.cr/2021/103
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/103,
      author = {Amit Singh Bhati and Elena Andreeva and Damian Vizar},
      title = {{OAE}-{RUP}: A Strong Online {AEAD} Security Notion and its Application to {SAEF}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/103},
      year = {2021},
      url = {https://eprint.iacr.org/2021/103}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.