[Back]

E. Andreeva, A. Bhati, D. Vizár:
"Nonce-Misuse Security of the SAEF Authenticated Encryption Mode";
in: "27th International Conference, Halifax, NS, Canada (Virtual Event), October 21-23, 2020", Lecture Notes in Computer Science, vol 12804; issued by: Springer; Springer LNCS, Cham, 2021, ISBN: 978-3-030-81651-3, 512 - 534.

ForkAE is a NIST lightweight cryptography candidate that uses the forkcipher primitive in two modes of operation - SAEF and PAEF - optimized for authenticated encryption of the shortest messages. SAEF is a sequential and online AEAD that minimizes the memory footprint compared to its alternative parallel mode PAEF, catering to the most constrained devices. SAEF was proven AE secure against nonce-respecting adversaries.

Due to their more acute and direct exposure to device misuse and mishandling, in most use cases of lightweight cryptography, nonce reuse presents a very realistic attack vector. Furthermore, many lightweight applications mandate security for their online AEAD schemes against block-wise adversaries. Surprisingly, a very few NIST lightweight AEAD candidates come with provable guarantees against these security threats.

In this work we investigate the provable security guarantees of SAEF when nonces are repeated under a refined version of the notion of online authenticated encryption OAE given by Fleischmann et al. in 2012. Using the coefficient H technique we show that, with no modifications, SAEF is OAE secure up to the birthday security bound, i.e., up to 2n/2
processed blocks of data, where n is the block size of the forkcipher. The implications of our work is that SAEF is safe to use in a block-wise fashion, and that if nonces get repeated, this has no impact on ciphertext integrity and confidentiality only degrades by a limited extent up to repetitions of common message prefixes.

http://dx.doi.org/10.1007/978-3-030-81652-0_20

https://publik.tuwien.ac.at/files/publik_297284.pdf