Abstract

Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separate access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security and RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE in terms of efficiency and optimality.

Highlights

  • The rise of the Internet of Things comes with high demands on and constrictive conditions for cryptographic schemes

  • The equivalence, in particular, means that AERUP more closely matches the idea of release of unverified plaintext (RUP) security, in contrast to robust authenticated encryption of Hoang et al. [HKR15], which considers a strong notion of security against a maximum misuse of a nonce, subtle authenticated encryption of Barwell et al. [BPS15], which considers different types of leakage oracles, and RUPAE of Ashur et al. [ADL17], which mostly focuses on the strength of the decryption function in case of nonce-based encryption

  • By the H-coefficient technique of Theorem 1, we obtain for the remaining distance of (10): AERUPSΠ(A) ≤ ratio + bad, where ratio = 0 given the bound of Lemma 2, and bad is set to be the bound of Lemma 1

Summary

Introduction

The rise of the Internet of Things comes with high demands on and constrictive conditions for cryptographic schemes. Such constraints may come in various types, as these small interconnected devices may have to operate with low power, low area, low memory, or otherwise. Lightweight cryptography is about developing cryptographic solutions for such constrained environments, and partly ignited by the upcoming NIST lightweight competition [Nat18], the field is gaining momentum. Authenticated encryption schemes appeared, such as CLOC [IMGM14], JAMBU [WH16], COFB [CIMN17], SAEB [NMSS18], Beetle [CDNY18], and SUNDAE [BBLT18]

Release of Unverified Plaintext
Generalized AERUP Security
SUNDAE and Its RUP Security
ANYDAE
Related Work
Preliminaries
Block Ciphers
Differential-Uniform and Regular Functions
Patarin’s H-Coefficient Technique
Authenticated Encryption
Conventional Security Models
RUP Security Model
Reductions From AERUP
Reduction To AERUP
Comparison with Existing Notions
Specification
RUP Insecurity
Security of ANYDAE
Example 1
Example 2
Proof of Theorem 2
Defining Adversary and Oracles
Description of the Real World
Description of the Ideal World
Attainable Transcripts
Definition of Bad Transcripts
Probability of Bad Transcripts
Analysis of Good Transcripts
Conclusion