Paper 2021/103

OAE-RUP: A Strong Online AEAD Security Notion and its Application to SAEF

Elena Andreeva, TU Wien
Amit Singh Bhati, COSIC, KU Leuven
Damian Vizar, CSEM
Abstract

Release of unverified plaintexts (RUP) security is an important target for robustness in AE schemes. It is also crucial for lightweight (LW) implementations of online AE schemes on memory-constrained devices, which may have to hand out decrypted blocks before the tag has been checked. Surprisingly, very few online AEAD schemes come with provable guarantees of RUP integrity, and none with a well-defined RUP confidentiality guarantee. In this work, we first propose a new strong security notion for online AE schemes called OAE-RUP, which captures security under blockwise processing of both encryption (including nonce misuse) and decryption (including RUP). Formally, OAE-RUP combines the standard RUP integrity notion INT-RUP with a new RUP confidentiality notion, sOPRPF (strong Online PseudoRandom Permutation followed by a pseudorandom Function). sOPRPF is based on the concept of "strong online permutations" and can be seen as an extension of the well-known CCA3 notion (Abed et al., FSE 2014) to arbitrary-length inputs. An OAE-RUP-secure scheme resists both nonce misuse and leakage of unverified plaintexts: its integrity is unaffected, and the confidentiality of any encrypted plaintext is preserved up to the leakage of its longest common prefix with the leaked plaintexts and the leakage of the length of its longest common prefix with the nonce-repeating ciphertexts. We then prove the OAE-RUP security of the SAEF mode. SAEF is a ForkAE mode (Asiacrypt 2019) that is optimized for authenticated encryption of short messages and processes the message blocks sequentially and in an online manner. At SAC 2020, it was shown that SAEF is also an online nonce-misuse-resistant AE (OAE), offering enhanced security against adversaries that make blockwise adaptive encryption queries. It has remained an open question whether SAEF also resists blockwise adaptive decryption adversaries or, more generally, adversaries that see the decrypted plaintext released before verification (RUP).
Our proofs use the coefficients-H technique and show that, without any modifications, SAEF is OAE-RUP secure up to the birthday bound, i.e., up to $2^{n/2}$ processed data blocks, where $n$ is the block size of the forkcipher.
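To make the prefix-leakage clause of the notion concrete, here is an added toy example that is not SAEF, not a forkcipher-based mode, not the paper's code, and not a secure scheme. It is a minimal online AEAD in Python whose per-block mask depends on the plaintext prefix processed so far; HMAC-SHA256 standing in for a keyed PRF, a 16-byte block size and the test key, nonce and messages are all assumptions of this example. It shows the two kinds of leakage the notion tolerates: two messages encrypted under a repeated nonce produce ciphertexts that agree on exactly the blocks where the plaintexts agree (so the length of the common prefix is revealed), and a RUP decryptor that releases plaintext before the tag check hands a forger the honest plaintext on the prefix where the forged ciphertext matches an honest one, while the forgery itself is still rejected.

```python
"""Toy online AEAD to illustrate the prefix leakage tolerated by OAE-RUP.

Constructed example only: this is NOT SAEF, NOT a forkcipher-based mode and
NOT secure. HMAC-SHA256 stands in for a keyed PRF and the block size is an
assumption of this toy.
"""
import hashlib
import hmac

BLOCK = 16  # assumed toy block size in bytes


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF stand-in: HMAC-SHA256 over length-prefixed parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("toy scheme handles full blocks only")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, msg: bytes):
    """Online encryption: block i is masked with a PRF of the state, and the
    state is then updated with the plaintext block, so the mask for block i+1
    is a function of (nonce, m_1..m_i) only. Returns (ciphertext, tag)."""
    state = prf(key, b"init", nonce)
    out = []
    for m in _blocks(msg):
        out.append(_xor(m, prf(key, b"mask", state)[:BLOCK]))
        state = prf(key, b"chain", state, m)
    return b"".join(out), prf(key, b"tag", state)[:BLOCK]


def decrypt_rup(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """RUP-style decryption: the plaintext is returned whether or not the tag
    verifies, which is what a memory-constrained online decryptor that
    streams plaintext out before the tag arrives effectively does."""
    state = prf(key, b"init", nonce)
    out = []
    for c in _blocks(ct):
        m = _xor(c, prf(key, b"mask", state)[:BLOCK])
        out.append(m)
        state = prf(key, b"chain", state, m)
    valid = hmac.compare_digest(prf(key, b"tag", state)[:BLOCK], tag)
    return b"".join(out), valid


def common_prefix_blocks(a: bytes, b: bytes) -> int:
    """Number of leading blocks on which a and b agree."""
    n = 0
    for x, y in zip(_blocks(a), _blocks(b)):
        if x != y:
            break
        n += 1
    return n


def nonce_repeat_leakage(key: bytes, nonce: bytes, m1: bytes, m2: bytes):
    """Encrypt two messages under one nonce; return (plaintext prefix length,
    ciphertext prefix length) in blocks. For an online scheme these are equal:
    the ciphertexts reveal exactly how long the common plaintext prefix is."""
    c1, _ = encrypt(key, nonce, m1)
    c2, _ = encrypt(key, nonce, m2)
    return common_prefix_blocks(m1, m2), common_prefix_blocks(c1, c2)


def rup_forgery_leakage(key: bytes, nonce: bytes, msg: bytes, tamper_block: int):
    """Take an honest ciphertext, corrupt one block, and submit the forgery to
    the RUP decryptor. Returns (number of honest plaintext blocks recovered
    from the released plaintext, whether the tag was accepted)."""
    ct, tag = encrypt(key, nonce, msg)
    forged = bytearray(ct)
    forged[tamper_block * BLOCK] ^= 0x01
    released, valid = decrypt_rup(key, nonce, bytes(forged), tag)
    return common_prefix_blocks(released, msg), valid


if __name__ == "__main__":
    # Constructed demo inputs (assumptions of this example).
    key, nonce = bytes(range(32)), b"\x01" * 12
    m1 = b"A" * 16 + b"B" * 16 + b"C" * 16
    m2 = b"A" * 16 + b"B" * 16 + b"D" * 16
    print("nonce repeat (pt prefix, ct prefix):", nonce_repeat_leakage(key, nonce, m1, m2))
    print("RUP forgery (leaked blocks, accepted):", rup_forgery_leakage(key, nonce, m1, 2))
```

The two demo functions are the "allowed leakage" of the abstract stated as measurements: the ciphertext prefix length equals the plaintext prefix length under nonce repetition, and the released plaintext of a forgery agrees with the honest message exactly on the untampered prefix, while the tag check still fails. Anything an adversary learns beyond those prefixes would be a break of the notion.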

Note: 1. Added two RUP-confidentiality notions (sOPRPF and CR-RUP) for online encryption. 2. Defined a strong AEAD security notion named OAE-RUP (as sOPRPF+INT-RUP) for online AEAD schemes. 3. Studied relations/differences among popular AEAD notions to compare them with OAE-RUP and to argue its importance. 4. Proved OAE-RUP security of SAEF ForkAE mode up to the birthday bound.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
Authenticated encryption, lightweight cryptography, provable security, online, release of unverified plaintext, OAE-RUP
Contact author(s)
elena andreeva @ tuwien ac at
amitsingh bhati @ esat kuleuven be
damian vizar @ csem ch
History
2024-05-29: last of 3 revisions
2021-01-28: received
Short URL
https://ia.cr/2021/103
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/103,
      author = {Elena Andreeva and Amit Singh Bhati and Damian Vizar},
      title = {{OAE}-{RUP}: A Strong Online {AEAD} Security Notion and its Application to {SAEF}},
      howpublished = {Cryptology ePrint Archive, Paper 2021/103},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/103}},
      url = {https://eprint.iacr.org/2021/103}
}