Affiliation:
1. Seagate Research Group
2. Department of Electrical and Information Technology, Lund University
Abstract
The size of the authentication tag represents a significant overhead for applications that are limited by bandwidth or memory. Hence, some authenticated encryption designs have a smaller tag than the required privacy level, which was also suggested by the NIST lightweight cryptography standardization project. In the ToSC 2022, two papers have raised questions about the IND-CCA security of AEAD schemes in this situation. These papers show that (a) online AE cannot provide IND-CCA security beyond the tag length, and (b) it is possible to have IND-CCA security beyond the tag length in a restricted Encode-then-Encipher framework. In this paper, we address some of the remaining gaps in this area. Our main result is to show that, for a fixed stretch, Pseudo-Random Injection security implies IND-CCA security as long as the minimum ciphertext size is at least as large as the required IND-CCA security level. We also show that this bound is tight and that any AEAD scheme that allows empty plaintexts with a fixed stretch cannot achieve IND-CCA security beyond the tag length. Next, we look at the weaker notion of MRAE security, and show that two-pass schemes that achieve MRAE security do not achieve IND-CCA security beyond the tag size. This includes SIV and rugged PRPs.
Publisher
International Association for Cryptologic Research
Reference16 articles.
1. CAESAR: Competition for Authenticated Encryption: Security,
Applicability, and Robustness;Crypto competitions,2019
2. Lightweight cryptography;National Institute of Standardization;CSRC,2019
3. Authenticated Encryption: Relations among Notions and
Analysis of the Generic Composition Paradigm;Mihir Bellare,2000
4. Robust Authenticated-Encryption AEZ and the Problem That It
Solves;Viet Tung Hoang,2015
5. Is AEZ v4. 1 sufficiently resilient against key-recovery
attacks?;Colin Chaigneau;IACR Transactions on Symmetric Cryptology,2016