Paper 2024/598

AE Robustness as Indistinguishable Decryption Leakage amid Multiple Failure Conditions

Ganyuan Cao, École Polytechnique Fédérale de Lausanne
Abstract

Robustness has emerged as a critical criterion for authenticated encryption, alongside confidentiality and integrity. In this study, we revisit AEAD robustness by focusing on descriptive errors when multiple failure conditions exist. We introduce new notions, IND-CCLA and IND-sf-CCLA, that expand on classical security notions defined for AEAD by incorporating the indistinguishability of decryption leakage, including text-based values and descriptive errors. We highlight that simply outputting a single error message when decryption fails is insufficient to guarantee robustness, as leakage can undermine this approach. We examine error flags used when validating a ciphertext during the decryption process, and investigate whether it is possible to merge multiple error flags into one to mitigate this security risk. This helps to prevent the resulting leakage from giving adversaries additional advantage in future attacks, particularly when parts of the failure-checking mechanism have implementation flaws or are disabled by an adversary through implementation-level attacks. We provide a concrete proof of the robustness of the Encode-then-Encipher ($\textsf{EtE}$) paradigm using our notions, demonstrating its capability to validate multiple failure conditions using a single error flag. We briefly revisit generic compositions for AE to show the practical relevance of our notions. We further present a transformation from our notion to a simulatable one, supporting future research on composable security regarding decryption leakage.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
AE Robustness, Decryption Leakage, IND-CCLA, Error Obfuscation, Security Proof
Contact author(s)
ganyuan cao @ epfl ch
History
2024-06-21: last of 9 revisions
2024-04-17: received
Short URL
https://ia.cr/2024/598
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/598,
      author = {Ganyuan Cao},
      title = {{AE} Robustness as Indistinguishable Decryption Leakage amid Multiple Failure Conditions},
      howpublished = {Cryptology ePrint Archive, Paper 2024/598},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/598}},
      url = {https://eprint.iacr.org/2024/598}
}