Abstract
Release of unverified plaintexts (RUP) security is an important target for robustness in AE schemes. It is also crucial for lightweight (LW) implementations of online AE schemes on memory-constrained devices, which cannot necessarily buffer a whole message until its tag has been verified. Surprisingly, very few online AEAD schemes come with provable guarantees of RUP integrity, and none comes with a well-defined notion of RUP confidentiality.
In this work, we first propose a new strong security notion for online AE schemes called OAE-RUP, which captures security under blockwise processing of both encryption (including nonce misuse) and decryption (including RUP). Formally, OAE-RUP combines the standard RUP integrity notion INT-RUP with a new RUP confidentiality notion, sOPRPF (strong Online PseudoRandom Permutation followed by a pseudorandom Function). sOPRPF is based on the concept of “strong online permutations” and can be seen as an extension of the well-known CCA3 notion (Abed et al., FSE 2014) to arbitrary-length inputs.
An OAE-RUP-secure scheme resists both nonce misuse and leakage of unverified plaintexts: its integrity remains unaffected, and the confidentiality of any encrypted plaintext is preserved up to the leakage of its longest common prefix with the leaked plaintexts and the leakage of the length of its longest common prefix with the nonce-repeating ciphertexts.
We then prove the OAE-RUP security of the SAEF mode. SAEF is a ForkAE mode (Asiacrypt 2019) that is optimized for authenticated encryption of short messages and processes the message blocks sequentially and in an online manner. At SAC 2020, it was shown that SAEF is also an online nonce-misuse-resistant AE (OAE), offering enhanced security against adversaries that make blockwise adaptive encryption queries. It has remained an open question whether SAEF also resists blockwise adaptive decryption adversaries or, more generally, adversaries that see the decrypted plaintext released before verification (RUP).
Our proofs use the coefficients H technique and show that, without any modification, SAEF is OAE-RUP secure up to the birthday bound, i.e., up to \(2^{n/2}\) processed data blocks, where n is the block size of the forkcipher.
Notes
1. The existing definition of OPRPF in [4] models the last ciphertext block as an output of a random function; however, we consider it here as a random permutation, since invertibility is required to successfully decrypt a ciphertext for leakage.
References
Abed, F., et al.: Pipelineable on-line encryption. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 205–223. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_11
Al Fardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE Symposium on Security and Privacy, pp. 526–540. IEEE (2013)
AlFardan, N., Paterson, K.G.: Plaintext-recovery attacks against datagram TLS. In: Network and Distributed System Security Symposium (NDSS 2012) (2012)
Andreeva, E., Bhati, A.S., Vizár, D.: Nonce-misuse security of the SAEF authenticated encryption mode. In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 512–534. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_20
Bhati, A.S., Andreeva, E., Vizar, D.: OAE-RUP: a strong online AEAD security notion and its application to SAEF. Cryptology ePrint Archive, Paper 2021/103 (2021). https://eprint.iacr.org/2021/103
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_6
Andreeva, E., Lallemand, V., Purnal, A., Reyhanitabar, R., Roy, A., Vizár, D.: ForkAE v. Submission to NIST LwC Standardization Process (2019)
Andreeva, E., Lallemand, V., Purnal, A., Reyhanitabar, R., Roy, A., Vizár, D.: Forkcipher: a new primitive for authenticated encryption of very short messages. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 153–182. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_6
Ashur, T., Dunkelman, O., Luykx, A.: Boosting authenticated encryption robustness with minimal modifications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_1
Banik, S., et al.: GIFT-COFB. Cryptology ePrint Archive (2020)
Bellare, M., Boldyreva, A., Knudsen, L., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_18
Bellizia, D., et al.: Spook: sponge-based leakage-resistant authenticated encryption with a masked tweakable block cipher. IACR Trans. Symmetric Cryptol. 2020(1), 295–349 (2020)
Bernstein, D.J.: Cryptographic competitions: CAESAR. http://competitions.cr.yp.to
Bhati, A.S., Andreeva, E., Vizar, D., Deprez, A., Pittevils, J., Roy, A.: New results and insights on ForkAE. In: NIST Lightweight Cryptography Workshop (2020)
Bhattacharjee, A., List, E., López, C.M., Nandi, M.: The Oribatida family of lightweight authenticated encryption schemes. Indian Statistical Institute Kolkata, Kolkata, India (2019)
Canvel, B., Hiltgen, A., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_34
Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: INT-RUP secure lightweight parallel AE modes. IACR Trans. Symmetric Cryptol. 81–118 (2019)
Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: ESTATE: a lightweight and low energy authenticated encryption mode. IACR Trans. Symmetric Cryptol. 350–389 (2020)
Chakraborti, A., Datta, N., Jha, A., Mitragotri, S., Nandi, M.: From combined to hybrid: making feedback-based AE even smaller. IACR Trans. Symmetric Cryptol. 417–445 (2020)
Chakraborti, A., Datta, N., Nandi, M.: INT-RUP analysis of block-cipher based authenticated encryption schemes. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 39–54. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_3
Chakraborty, B., Nandi, M.: The mf mode of authenticated encryption with associated data. J. Math. Cryptol. 16(1), 73–97 (2022)
Datta, N., Dutta, A., Ghosh, S.: INT-RUP security of SAEB and TinyJAMBU. In: Isobe, T., Sarkar, S. (eds.) INDOCRYPT 2022. LNCS, vol. 13774, pp. 146–170. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22912-1_7
Datta, N., Luykx, A., Mennink, B., Nandi, M.: Understanding RUP integrity of COLM. IACR Trans. Symmetric Cryptol. 143–161 (2017)
Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_12
Gueron, S., Jha, A., Nandi, M.: Comet: counter mode encryption with authentication tag. In: Second Round Candidate of the NIST LWC Competition (2019)
Hirose, S., Sasaki, Y., Yasuda, K.: Rate-one AE with security under RUP. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 3–20. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69659-1_1
Hoang, V.T., Reyhanitabar, R., Rogaway, P., Vizár, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 493–517. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_24
Imamura, K., Minematsu, K., Iwata, T.: Integrity analysis of authenticated encryption based on stream ciphers. Int. J. Inf. Secur. 17, 493–511 (2018)
Iwata, T., Khairallah, M., Minematsu, K., Peyrin, T.: Duel of the titans: the Romulus and Remus families of lightweight AEAD algorithms. IACR Trans. Symmetric Cryptol. 2020(1), 43–120 (2020)
Iwata, T., Yasuda, K.: BTM: a single-key, inverse-cipher-free mode for deterministic authenticated encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 313–330. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_20
Iwata, T., Yasuda, K.: HBS: a single-key mode of operation for deterministic authenticated encryption. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 394–415. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_24
Naito, Y., Matsui, M., Sugawara, T., Suzuki, D.: SAEB: a lightweight blockcipher-based AEAD mode of operation. Cryptology ePrint Archive (2019)
NIST: DRAFT Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process (2018). https://csrc.nist.gov/Projects/Lightweight-Cryptography
NIST: NIST Workshop on the Requirements for an Accordion Cipher Mode 2024 (2024). https://csrc.nist.gov/Events/2024/accordion-cipher-mode-workshop-2024
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Purnal, A., Andreeva, E., Roy, A., Vizár, D.: What the fork: implementation aspects of a forkcipher. In: NIST Lightweight Cryptography Workshop 2019 (2019)
Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security, pp. 98–107 (2002)
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23
Vaudenay, S.: Security flaws induced by CBC padding—applications to SSL, IPSEC, WTLS... In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_35
Wu, H., Huang, T.: TinyJAMBU: a family of lightweight authenticated encryption algorithms. Submission to NIST LwC Standardization Process (2019)
Zhang, P., Wang, P., Hu, H., Cheng, C., Kuai, W.: INT-RUP security of checksum-based authenticated encryption. In: Okamoto, T., Yu, Y., Au, M.H., Li, Y. (eds.) ProvSec 2017. LNCS, vol. 10592, pp. 147–166. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68637-0_9
Acknowledgments
Amit Singh Bhati was supported by CyberSecurity Research Flanders with reference number VR20192203, in part by the Research Council KU Leuven C1 on Security and Privacy for Cyber-Physical Systems and the Internet of Things with contract number C16/15/058, and by the Flemish Government through FWO Project G.0835.16 A Security Architecture for IoT.
A Table 1: Full Details
In this section, we first review the (security) properties listed in Table 1 and then explain how each checkmark entry is derived.
1. Online AE (OAE) Security [4]: Ensures the AE mode can be implemented online with reasonable security, protecting against blockwise and nonce-misusing adversaries.
2. Nonce-Misuse Resilience (NMR) Security [9]: Provides security even when the nonce is repeated in other queries, safeguarding against specific nonce-misusing adversaries.
3. Misuse-Resistant AE (MRAE) Security [38]: A stronger version of NMR, ensuring security against nonce-misusing adversaries. MRAE is more robust than OAE and NMR but requires at least two passes over the plaintext data, making it unsuitable for online implementations.
4. Integrity under RUP (INT-RUP) [6]: Ensures integrity even when unverified plaintexts are released, protecting against adversaries that see unverified decrypted plaintexts.
5. Plaintext Awareness (PA) [6]: Combined with IND-CPA, it ensures confidentiality even when unverified plaintexts are released. PA requires at least two passes over the plaintext data for encryption, making it incompatible with OAE security (and online implementations).
6. sOPRPF Security (Sect. 2.2): Ensures confidentiality (up to the longest common prefix) even when unverified plaintexts are released and the nonce is repeated. sOPRPF is weaker than PA but is suitable for online implementations. It is kept separate from INT-RUP in Table 1 because some schemes provide only INT-RUP security.
7. One-pass Encryption and Decryption: Ensures the mode requires only one pass over the data, supporting online encryption and decryption. While OAE-RUP implies single-pass encryption and decryption, the reverse is not always true.
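To make the prefix bound in items 1 and 6 concrete, here is an added toy model (not code from the paper or from the ForkAE project) of the ideal online permutation that sOPRPF compares a scheme against: for each nonce and plaintext prefix it lazily samples an independent random permutation of 8-bit blocks, so a repeated nonce reveals exactly the length of the common plaintext prefix, and decrypting a modified ciphertext without verification releases plaintext that agrees with the original only up to the modified block. The trailing PRF (tag) part of sOPRPF is omitted, and the nonce and messages are constructed for the demo.

```python
import random

class IdealOnlinePermutation:
    # Lazily sampled ideal online permutation on 8-bit blocks (toy block size): the
    # permutation for plaintext block i is chosen by the nonce and the blocks before i.
    def __init__(self, seed=0):
        self.rng = random.Random(seed)  # seeded only so the demo is reproducible
        self.tables = {}  # (nonce, plaintext prefix) -> (forward dict, inverse dict)

    def _perm(self, nonce, prefix):
        return self.tables.setdefault((nonce, bytes(prefix)), ({}, {}))

    def _fresh(self, used):
        v = self.rng.randrange(256)  # lazy sampling: a block value not yet assigned
        while v in used:
            v = self.rng.randrange(256)
        return v

    def encrypt(self, nonce, msg):
        out = bytearray()
        for i, m in enumerate(msg):
            fwd, inv = self._perm(nonce, msg[:i])
            if m not in fwd:
                fwd[m] = c = self._fresh(inv)
                inv[c] = m
            out.append(fwd[m])
        return bytes(out)

    def decrypt(self, nonce, ct):
        out = bytearray()  # RUP setting: every block is released, nothing is checked
        for c in ct:
            fwd, inv = self._perm(nonce, out)  # prefix = plaintext recovered so far
            if c not in inv:
                inv[c] = m = self._fresh(fwd)
                fwd[m] = c
            out.append(inv[c])
        return bytes(out)

def common_prefix_len(a, b):
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def demo():
    pi, nonce = IdealOnlinePermutation(seed=1), b"constructed-nonce"
    m1, m2 = b"ATTACK AT DAWN", b"ATTACK AT DUSK"  # constructed sample messages
    c1, c2 = pi.encrypt(nonce, m1), pi.encrypt(nonce, m2)
    nonce_leak = common_prefix_len(c1, c2)  # nonce reuse leaks exactly the 11-block prefix
    tampered = bytearray(c1)
    tampered[5] ^= 0x01  # modify ciphertext block 5 and decrypt without verification
    unverified = pi.decrypt(nonce, bytes(tampered))
    return nonce_leak, common_prefix_len(m1, unverified)  # (11, 5): RUP leaks blocks 0..4 only
```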
A.1 Results in Table 1
We now describe the results of Table 1. The MRAE security of ESTATE and Romulus-M is proven in [18] and [29], respectively, which by definition implies their NMR security. Both modes require two passes over the message to encrypt it, i.e., they support neither one-pass encryption nor OAE security. We note that for decryption these modes require only one pass over the ciphertext, i.e., they have one-pass decryption, and they are proven INT-RUP secure in [18] and [29], respectively. We also note that in [29], Romulus-M is proven IND-CPA+PA1 using a general argument: an SIV-type MAC-then-Encrypt AEAD mode whose MAC is a PRF and whose encryption is a PA1 scheme is IND-CPA+PA1. The same argument applies to ESTATE, which follows the same composition with a CBC-style MAC part (shown to be a PRF in [18]) and OFB encryption (which can be shown PA1 in the same way CTR mode is shown PA1 in [6]); hence ESTATE is also IND-CPA+PA1.
All remaining modes in Table 1 provide one-pass encryption and decryption and hence are neither MRAE nor IND-CPA+PA1 secure. The INT-RUP security of Oribatida, LOCUS/LOTUS, and TinyJAMBU is proven in [15], [17] and [22], respectively. The NMR security of Spook and TinyJAMBU is proven in [12] and [40], respectively, and the OAE security of SAEF is proven in [4], which by definition implies its NMR security. Finally, the sOPRPF+INT-RUP (jointly named OAE-RUP) security of the SAEF mode is proven in this work.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Bhati, A.S., Andreeva, E., Vizár, D. (2024). OAE-RUP: A Strong Online AEAD Security Notion and Its Application to SAEF. In: Galdi, C., Phan, D.H. (eds) Security and Cryptography for Networks. SCN 2024. Lecture Notes in Computer Science, vol 14974. Springer, Cham. https://doi.org/10.1007/978-3-031-71073-5_6
DOI: https://doi.org/10.1007/978-3-031-71073-5_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-71072-8
Online ISBN: 978-3-031-71073-5
eBook Packages: Computer Science; Computer Science (R0)