Rate-One AE with Security Under RUP

Abstract

This paper investigates what sort of security can be retained by the most efficient (namely, rate-one) AE schemes like OCB under the release of unverified plaintext (RUP). At CT-RSA 2016, Chakraborti et al. have presented an impossibility result, which says that any rate-one AE scheme cannot ensure INT-RUP, a strong integrity requirement under RUP. In this paper we show that any rate-one AE scheme cannot satisfy PA2 (plaintext awareness 2) either, a strong privacy requirement under RUP introduced by Andreeva et al. at Asiacrypt 2014. Given these impossibility results, we relax the security requirements and identify new notions of tag-PA and tag-INT. The new notions are strictly weaker than PA2 and INT-RUP yet have considerable significance in the practical sense. In particular, tag-PA is strictly stronger than PA1 defined by Andreeva et al. at Asiacrypt 2014. Unfortunately, OCB is neither tag-PA nor tag-INT. We present a new rate-one AE scheme which is both tag-PA and tag-INT. The new scheme is essentially as efficient as OCB, consuming just one extra call to a block cipher.

Appendices

Appendix

A Rational of Associated Data Computation in \(\mathrm {\Theta }\mathrm {CB}\mathrm {t}\)

In Sect. 4, we presented \(\mathrm {\Theta }\mathrm {CB}\mathrm {t}\) as an instantiation of the tag-feedback, where A is processed with PMAC and the result is used as a part of tweak. We stress that identifying the best construction for incorporating A is non-trivial. Here, we explain the rational behind \(\mathrm {\Theta }\mathrm {CB}\mathrm {t}\) especially about the incorporation of A.

1.1 A.1 Synthetic Approach

We incorporate associated data A into the tag feedback. One can immediately notice that associated data A cannot be just input to the underlying \(\mathrm {\Theta }\)CB, even if it accepts associated data. This is because we need to make \({ FV }{\!}\) dependent directly on A, not via tag T, to achieve \(({ FV }{\!},T,A)\)-robust decryption.

So we use a keyed function \(F_{K}\) to “hash” associated data \(A\in \mathbb {A}\). By following the design of OCB2, we use PMAC as \(F_{K}\). Write \(U\leftarrow \mathsf {PMAC}_K(A)\). Write W the tag output of the underlying \(\mathrm {\Theta }\)CB. Then we make the tweak input, tw, and the final tag, T, by using or combining U and W. There are four possibilities: U, W, \(U\oplus W\) and \(U\mathbin {\Vert }W\), and thus 16 combinations as shown in Fig. 3.

Fig. 3.

Synthetic approach for tw and T

Fig. 4.

Sixteen choices for tw and T

The analysis for those sixteen cases is summarized in Table 2.

In Fig. 4, ‘−’ represents that the construction is not suitable with respect to efficiency or security, and superscript numbers indicate the reasons as follows.  

\(-^1\)::

The new tag size |T| increases from the original |W|.

\(-^2\)::

By using U as new tag T, only A is authorized. Integrity can be violated.

\(-^3\)::

Recovering \({ IV }{\!}\) from \({ FV }{\!}\) during decryption is not dependent on T, thus correct M for invalid T is leaked by querying invalid T (violating confidentiality). This clearly illustrates the fact that the tag feedback is essential for \(({ FV }{\!},T,A)\)-robust decryption.

\(-^4\)::

U is not used anywhere, which is obviously insecure.

\(-^5\)::

T is directly used as tweak, thus recovering \({ IV }{\!}\) from \({ FV }{\!}\) during decryption is not dependent on U, which is insufficient for \(({ FV }{\!},T,A)\)-robust decryption.

 

In the end, we have four secure constructions. Among them TF is more advantageous on the simplicity of the security proof. To simply describe the concept of our construction, we chose TF to build \(\mathrm {\Theta }\mathrm {CB}\mathrm {t}\).

B Authenticity against Adversaries Asking Old Triplets

In this section, we show that some sort of authenticity still remains even against adversaries asking old triplets (FV, T, A). For an old triplet (FV, T, A), if adversary \({\varvec{A}}\) makes a \(\mathcal {D}\)-query \(({ FV }{\!},T,A,C)\), then we call the triplet corrupted. We want that all uncorrupted triplets \(({ FV }{\!},A,T)\) remain secure. This motivates us to define the \(\ddot{\mathrm {auth}}\)-advantage of \({\varvec{A}}\) as

$$\begin{aligned} {\text {Adv}}^{\ddot{\mathrm {auth}},\tau }_{\varPi }({\varvec{A}}):= \Pr \bigl [{\varvec{A}}^{\mathcal {E}_K,\mathcal {G}_K,\mathcal {V}_K,\mathcal {D}_K}\,\mathrm{forges \,a}\, \tau {\text {-}}\mathrm{bit\, tag\, with\, uncorrupted}\bigr ], \end{aligned}$$

where by “forges with uncorrupted” we mean \({\varvec{A}}\) being able to make the \(\mathcal {V}\)-oracle return \(\top \) for a query \(({ FV }{\!},T,A,C)\) such that \(({ FV }{\!},T,A)\) is uncorrupted.

Theorem 4

Let \({\varvec{A}}\) be any adversary against authenticity of \(\mathrm {\Theta }\mathrm {CB}\mathrm {t}\). Suppose that \({\varvec{A}}\) makes at most \(q_{\mathrm {e}}\), \(q_{\mathrm {g}}\), \(q_{\mathrm {v}}\) and \(q_{\mathrm {d}}\) queries to \(\mathrm {\Theta }\mathsf {t}.\mathcal {E}\), \(\mathrm {\Theta }\mathsf {t}.\mathcal {G}\), \(\mathrm {\Theta }\mathsf {t}.\mathcal {V}\) and \(\mathrm {\Theta }\mathsf {t}.\mathcal {D}\), respectively. Let \(q=q_{\mathrm {e}}+q_{\mathrm {g}}+q_{\mathrm {v}}+q_{\mathrm {d}}\). Then,

$$\begin{aligned} {\text {Adv}}_{\mathrm {\Theta }\mathrm {CB}\mathrm {t}}^{\ddot{\mathrm {auth}},\tau }({\varvec{A}})\le \frac{q^2}{2^{n}}+\frac{2qq_{\mathrm {d}}}{2^{n}-q}+ \frac{q_{\mathrm {v}}}{2^{\tau }(1-(q_{\mathrm {v}}+1)2^{-n})} . \end{aligned}$$

The proof is omitted due to the page limit.