Paper 2024/023

CCA Security with Short AEAD Tags

Mustafa Khairallah, Seagate Research Group, Singapore
Abstract

The size of the authentication tag represents a significant overhead for applications that are limited by bandwidth or memory. Hence, some authenticated encryption designs have a smaller tag than the required privacy level, which was also suggested by the NIST lightweight cryptography standardization project. In ToSC 2022, two papers raised questions about the IND-CCA security of AEAD schemes in this situation. These papers show that (a) online AE cannot provide IND-CCA security beyond the tag length, and (b) it is possible to have IND-CCA security beyond the tag length in a restricted Encrypt-then-Encipher framework. In this paper, we address some of the remaining gaps in this area. Our main result is to show that, for a fixed stretch, Pseudo-Random Injection security implies IND-CCA security as long as the minimum ciphertext size is at least as large as the required IND-CCA security level. We also show that this bound is tight and that any AEAD scheme that allows empty plaintexts with a fixed stretch cannot achieve IND-CCA security beyond the tag length. Next, we look at the weaker notion of MRAE security, and show that two-pass schemes that achieve MRAE security do not achieve IND-CCA security beyond the tag size. This includes SIV and rugged PRPs.

Note: Updated acknowledgements and publication information.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. IACR Communications in Cryptology
Keywords
Chosen Ciphertext Attacks, IND-CCA, AEAD, SIV, Authentication, Rugged PRP
Contact author(s)
khairallah @ ieee org
History
2024-03-27: last of 4 revisions
2024-01-07: received
Short URL
https://ia.cr/2024/023
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/023,
      author = {Mustafa Khairallah},
      title = {{CCA} Security with Short {AEAD} Tags},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/023},
      year = {2024},
      url = {https://eprint.iacr.org/2024/023}
}