CCA Security with Short AEAD Tags
(2024) In IACR Communications in Cryptology 1(1).
- Abstract
- The size of the authentication tag represents a significant overhead for applications that are limited by bandwidth or memory. Hence, some authenticated encryption designs have a smaller tag than the required privacy level, which was also suggested by the NIST lightweight cryptography standardization project. In the ToSC 2022, two papers have raised questions about the IND-CCA security of AEAD schemes in this situation. These papers show that (a) online AE cannot provide IND-CCA security beyond the tag length, and (b) it is possible to have IND-CCA security beyond the tag length in a restricted Encode-then-Encipher framework. In this paper, we address some of the remaining gaps in this area. Our main result is to show that, for a fixed stretch, Pseudo-Random Injection security implies IND-CCA security as long as the minimum ciphertext size is at least as large as the required IND-CCA security level. We also show that this bound is tight and that any AEAD scheme that allows empty plaintexts with a fixed stretch cannot achieve IND-CCA security beyond the tag length. Next, we look at the weaker notion of MRAE security, and show that two-pass schemes that achieve MRAE security do not achieve IND-CCA security beyond the tag size. This includes SIV and rugged PRPs.
Please use this URL to cite or link to this publication:
https://lup.lub.lu.se/record/e77b5270-3045-4ca7-b1bb-c947c355fed1
- author: Khairallah, Mustafa LU
- organization
- publishing date: 2024-04-10
- type: Contribution to journal
- publication status: published
- subject
- in: IACR Communications in Cryptology
- volume: 1
- issue: 1
- DOI: 10.62056/aevua69p1
- language: English
- LU publication?: yes
- id: e77b5270-3045-4ca7-b1bb-c947c355fed1
- date added to LUP: 2024-03-15 09:28:51
- date last changed: 2024-04-10 11:03:29
@article{e77b5270-3045-4ca7-b1bb-c947c355fed1,
  abstract = {{The size of the authentication tag represents a significant overhead for applications that are limited by bandwidth or memory. Hence, some authenticated encryption designs have a smaller tag than the required privacy level, which was also suggested by the NIST lightweight cryptography standardization project. In the ToSC 2022, two papers have raised questions about the IND-CCA security of AEAD schemes in this situation. These papers show that (a) online AE cannot provide IND-CCA security beyond the tag length, and (b) it is possible to have IND-CCA security beyond the tag length in a restricted Encode-then-Encipher framework. In this paper, we address some of the remaining gaps in this area. Our main result is to show that, for a fixed stretch, Pseudo-Random Injection security implies IND-CCA security as long as the minimum ciphertext size is at least as large as the required IND-CCA security level. We also show that this bound is tight and that any AEAD scheme that allows empty plaintexts with a fixed stretch cannot achieve IND-CCA security beyond the tag length. Next, we look at the weaker notion of MRAE security, and show that two-pass schemes that achieve MRAE security do not achieve IND-CCA security beyond the tag size. This includes SIV and rugged PRPs.}},
  author = {{Khairallah, Mustafa}},
  language = {{eng}},
  month = {{04}},
  number = {{1}},
  series = {{IACR Communications in Cryptology}},
  title = {{CCA Security with Short AEAD Tags}},
  url = {{http://dx.doi.org/10.62056/aevua69p1}},
  doi = {{10.62056/aevua69p1}},
  volume = {{1}},
  year = {{2024}},
}