Contributions to conference proceedings:
E. Andreeva, A. Bhati, D. Vizár:
"Nonce-Misuse Security of the SAEF Authenticated Encryption Mode";
in: "Selected Areas in Cryptography - SAC 2020, 27th International Conference, Halifax, NS, Canada (Virtual Event), October 21-23, 2020, Revised Selected Papers",
Lecture Notes in Computer Science, vol. 12804;
published by: Springer;
Springer LNCS,
Cham,
2021,
ISBN: 978-3-030-81651-3,
pp. 512-534.
Abstract (English):
ForkAE is a NIST lightweight cryptography candidate that uses the forkcipher primitive in two modes of operation - SAEF and PAEF - optimized for authenticated encryption of the shortest messages. SAEF is a sequential and online AEAD that minimizes the memory footprint compared to its alternative parallel mode PAEF, catering to the most constrained devices. SAEF was proven AE secure against nonce-respecting adversaries.
Due to their more acute and direct exposure to device misuse and mishandling, in most use cases of lightweight cryptography nonce reuse presents a very realistic attack vector. Furthermore, many lightweight applications mandate security for their online AEAD schemes against block-wise adversaries. Surprisingly, very few NIST lightweight AEAD candidates come with provable guarantees against these security threats.
In this work we investigate the provable security guarantees of SAEF when nonces are repeated, under a refined version of the notion of online authenticated encryption (OAE) given by Fleischmann et al. in 2012. Using the coefficient H technique we show that, with no modifications, SAEF is OAE secure up to the birthday security bound, i.e., up to 2^{n/2} processed blocks of data, where n is the block size of the forkcipher. The implications of our work are that SAEF is safe to use in a block-wise fashion, and that if nonces get repeated, this has no impact on ciphertext integrity, and confidentiality only degrades by a limited extent, up to repetitions of common message prefixes.
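The abstract's last claim, that under nonce repetition an OAE-secure online scheme leaks only the length of the common message prefix, is easiest to see against a scheme that is not online. The following is an added illustration, not SAEF or any ForkAE code: the "online cipher" is a stand-in built from an HMAC-SHA256 chain so that it runs with the Python standard library alone, and the counter-mode stand-in, block size, padding, key and nonce values are all constructed for the example. The toy reproduces the one property that matters for the OAE argument: ciphertext block i depends only on the key, the nonce and plaintext blocks 1..i, so two messages encrypted under the same nonce agree exactly on their common block prefix and diverge afterwards, whereas the counter-mode stand-in hands a nonce-reusing attacker the XOR of the two plaintexts in full.

```python
"""
Toy model of nonce-reuse leakage: prefix-preserving online encryption
(the OAE leakage profile) versus a counter-mode stream cipher.

Added example, not SAEF/ForkAE code. The masks come from HMAC-SHA256 so
the script is self-contained; the block size stands in for the forkcipher's
128-bit block. Key, nonce and messages below are constructed test data.
"""
import hashlib
import hmac

BLOCK = 16  # bytes; stands in for the 128-bit forkcipher block


def _pad(msg: bytes) -> bytes:
    """10* padding to a multiple of BLOCK (always appends at least one byte)."""
    pad_len = BLOCK - (len(msg) % BLOCK)
    return msg + b"\x80" + b"\x00" * (pad_len - 1)


def online_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Prefix-preserving online encryption (toy PRF chain, not SAEF).

    Block i is masked with PRF(key, nonce || i || M_1..M_{i-1}). Because the
    mask depends on every earlier plaintext block, equal plaintext prefixes
    under one nonce give equal ciphertext prefixes and nothing beyond that.
    """
    padded = _pad(msg)
    out = bytearray()
    prefix = b""
    for i in range(0, len(padded), BLOCK):
        block = padded[i:i + BLOCK]
        mask = hmac.new(key, nonce + i.to_bytes(4, "big") + prefix,
                        hashlib.sha256).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prefix += block
    return bytes(out)


def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Counter-mode stand-in: the mask for block i depends on (key, nonce, i) only."""
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        block = msg[i:i + BLOCK]
        mask = hmac.new(key, nonce + i.to_bytes(4, "big"),
                        hashlib.sha256).digest()[:len(block)]
        out += bytes(a ^ b for a, b in zip(block, mask))
    return bytes(out)


def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading BLOCK-sized chunks on which two ciphertexts agree."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def online_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> int:
    """What a nonce-reusing observer learns from the online cipher:
    the length in blocks of the common plaintext prefix, and nothing else."""
    return common_prefix_blocks(online_encrypt(key, nonce, m1),
                                online_encrypt(key, nonce, m2))


def ctr_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """What the same observer learns from counter mode: M1 XOR M2, every byte."""
    c1, c2 = ctr_encrypt(key, nonce, m1), ctr_encrypt(key, nonce, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed data: a 2-block shared header followed by one secret block.
    key, nonce = b"k" * 32, b"n" * 12
    header = b"x" * (2 * BLOCK)
    m1, m2 = header + b"A" * BLOCK, header + b"B" * BLOCK
    print("online cipher, same nonce: common prefix blocks =",
          online_leak(key, nonce, m1, m2))
    print("online cipher, fresh nonce: common prefix blocks =",
          common_prefix_blocks(online_encrypt(key, nonce, m1),
                               online_encrypt(key, b"m" * 12, m2)))
    print("counter mode, same nonce: M1 xor M2 =", ctr_leak(key, nonce, m1, m2).hex())
```

Running the script shows the online cipher revealing that the two messages share their first two blocks (and, with a fresh nonce, nothing at all), while the counter-mode stand-in reveals the exact XOR of the differing third block. The toy says nothing about integrity; the abstract's integrity claim rests on the paper's proof for SAEF itself.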
"Official" electronic version of the publication (according to its Digital Object Identifier - DOI):
http://dx.doi.org/10.1007/978-3-030-81652-0_20
Electronic version of the publication:
https://publik.tuwien.ac.at/files/publik_297284.pdf
Generated from the publication database of TU Wien (Technische Universität Wien).