Paper 2021/103

RUP Security of the SAEF Authenticated Encryption mode

Elena Andreeva, Amit Singh Bhati, and Damian Vizar


ForkAE is a family of authenticated encryption (AE) schemes using a forkcipher as a building block. ForkAE was published in Asiacrypt'19 and is a second-round candidate in the NIST lightweight cryptography process. ForkAE comes in several modes of operation: SAEF, PAEF, and rPAEF. SAEF is optimized for authenticated encryption of short messages and processes the message blocks in a sequential and online manner. SAEF requires a smaller internal state than its parallel sibling PAEF and is better fitted for devices with smaller footprint. At SAC 2020 it was shown that SAEF is also an online nonce misuse-resistant AE (OAE) and hence offers enhanced security against adversaries that make blockwise adaptive encryption queries. It has remained an open question if SAEF resists attacks against blockwise adaptive decryption adversaries, or more generally when the decrypted plaintext is released before the verification (RUP). RUP security is a particularly relevant security target for lightweight (LW) implementations of AE schemes on memory-constrained devices or devices with stringent real-time requirements. Surprisingly, very few NIST lightweight AEAD candidates come with any provable guarantees against RUP. In this work, we show that the SAEF mode of operation of the ForkAE family comes with integrity guarantees in the RUP setting. The RUP integrity (INT-RUP) property was defined by Andreeva et~al.~in Asiacrypt'14. Our INT-RUP proof is conducted using the coefficient H technique and it shows that, without any modifications, SAEF is INT-RUP secure up to the birthday bound, i.e., up to $2^{n/2}$ processed data blocks, where $n$ is the block size of the forkcipher. The implication of our work is that SAEF is indeed RUP secure in the sense that the release of unverified plaintexts will not impact its ciphertext integrity.

Note: Editorial updates.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Authenticated encryptionforkcipherlightweight cryptographyshort messagesonlineprovable securityrelease of unverified plaintextRUP.
Contact author(s)
elena andreeva @ aau at
amitsingh bhati @ esat kuleuven be
damian vizar @ csem ch
2021-04-07: last of 2 revisions
2021-01-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elena Andreeva and Amit Singh Bhati and Damian Vizar},
      title = {RUP Security of the SAEF Authenticated Encryption mode},
      howpublished = {Cryptology ePrint Archive, Paper 2021/103},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.