Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separate access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security and RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE in terms of efficiency and optimality.