Beyond full‐bit secure authenticated encryption without input‐length limitation

Abstract

The security bound is an important evaluation criterion in an authenticated encryption (AE) scheme. Many AE schemes that are widely used have birthday-bound security, which means that the scheme has b/2-bit security, where b is the block size of the underlying primitive. However, due to the increased interest in lightweight cryptography, smaller block-size primitives have been developed, which has led to more active research on AE schemes with beyond birthday-bound security. Although all such AE schemes are secure up to a full-bit (i.e. b-bit) bound at most, Naito et al. proposed the first beyond full-bit-bound secure AE schemes, P F B _ P l u s and P F B ω, at Eurocrypt 2020. P F B _ P l u s and P F B ω achieve 2b-bit security and ωb-bit security, respectively, where ω is a parameter s.t. ω ∈ N. In this work, the author points out a downside of P F B ω that was not clearly specified in its proposal paper and resolves it with the proposed scheme, e x P F B ω. The downside of P F B ω is that there is a limitation on each input size; it can process only up to 2b − 2 blocks for each input in spite of its high security bound. The author's scheme, e x P F B ω, is the first AE to achieve ωb-bit security and has no limitation on each input size for ω ≥ 3.