| rfc9771v1.txt | rfc9771.txt |
|---|---|
| Internet Research Task Force (IRTF) A. Bozhko, Ed. | Internet Research Task Force (IRTF) A. Bozhko, Ed. | |||
| Request for Comments: 9771 CryptoPro | Request for Comments: 9771 CryptoPro | |||
| Category: Informational April 2025 | Category: Informational May 2025 | |||
| ISSN: 2070-1721 | ISSN: 2070-1721 | |||
| Properties of Authenticated Encryption with Associated Data (AEAD) | Properties of Authenticated Encryption with Associated Data (AEAD) | |||
| Algorithms | Algorithms | |||
| Abstract | Abstract | |||
| Authenticated Encryption with Associated Data (AEAD) algorithms | Authenticated Encryption with Associated Data (AEAD) algorithms | |||
| provide both confidentiality and integrity of data. The widespread | provide both confidentiality and integrity of data. The widespread | |||
| use of AEAD algorithms in various applications has led to an | use of AEAD algorithms in various applications has led to an | |||
| skipping to change at line 197 ¶ | skipping to change at line 197 ¶ | |||
| * A deterministic operation of authenticated decryption has four | * A deterministic operation of authenticated decryption has four | |||
| inputs, each a binary string: a secret key K of a fixed bit | inputs, each a binary string: a secret key K of a fixed bit | |||
| length, a nonce N, associated data A, and a ciphertext C. The | length, a nonce N, associated data A, and a ciphertext C. The | |||
| operation verifies the integrity of the ciphertext and | operation verifies the integrity of the ciphertext and | |||
| associated data and decrypts the ciphertext. It returns a | associated data and decrypts the ciphertext. It returns a | |||
| special symbol FAIL if the inputs are not authentic; otherwise, | special symbol FAIL if the inputs are not authentic; otherwise, | |||
| the operation returns a plaintext P. | the operation returns a plaintext P. | |||
| We note that specifications of AEAD algorithms that use | We note that specifications of AEAD algorithms that use | |||
| authentication tags to ensure integrity MAY define it as an | authentication tags to ensure integrity may define the authentication | |||
| independent output of the encryption operation and as an independent | tag as an independent output of the encryption operation and an | |||
| input of the decryption operation. Throughout this document, by | independent input of the decryption operation. Throughout this | |||
| default, we consider the authentication tag as part of the | document, by default, we consider the authentication tag as part of | |||
| ciphertext. | the ciphertext. | |||
| For more details on the AEAD definition, please refer to [RFC5116]. | For more details on the AEAD definition, please refer to [RFC5116]. | |||
| Throughout this document, by default, we consider nonce-based AEAD | Throughout this document, by default, we consider nonce-based AEAD | |||
| algorithms, which have an interface as defined above, and we give no | algorithms, which have an interface as defined above, and we give no | |||
| other restrictions on their structure. However, some properties | other restrictions on their structure. However, some properties | |||
| considered in the document apply only to particular classes of such | considered in the document apply only to particular classes of such | |||
| algorithms, like AEAD algorithms based on block ciphers (such | algorithms, like AEAD algorithms based on block ciphers (such | |||
| algorithms use a block cipher as a building block). If that is the | algorithms use a block cipher as a building block). If that is the | |||
| case, we explicitly point that out in the corresponding section. | case, we explicitly point that out in the corresponding section. | |||
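Review bot: changing MAY to may in the authentication-tag note is right: the sentence describes a choice a specification is free to make, not an interoperability requirement, so a BCP 14 keyword does not belong there, and replacing the dangling "it" with "the authentication tag" removes an unclear antecedent. No further change is needed in this region.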
| skipping to change at line 271 ¶ | skipping to change at line 271 ¶ | |||
| We say that an AEAD algorithm provides security if it provides the | We say that an AEAD algorithm provides security if it provides the | |||
| conventional properties listed in this section. | conventional properties listed in this section. | |||
| 4.2.1. Confidentiality | 4.2.1. Confidentiality | |||
| Definition: | Definition: | |||
| An AEAD algorithm guarantees that the plaintext is not available | An AEAD algorithm guarantees that the plaintext is not available | |||
| to an active, nonce-respecting adversary. | to an active, nonce-respecting adversary. | |||
| Security notion: | Security notions: | |||
| IND-CCA [BN2000] (or IND-CCA2 [S04]) | IND-CCA [BN08] (or IND-CCA2 [S04]) | |||
| Synonyms: | Synonyms: | |||
| Message privacy | Message privacy | |||
| Notes: | Notes: | |||
| Confidentiality against passive adversaries can also be | Confidentiality against passive adversaries can also be | |||
| considered. The corresponding security notion is IND-CPA [BN2000] | considered. The corresponding security notion is IND-CPA [BN08] | |||
| [R02]. | [R02]. | |||
| Further reading: | Further reading: | |||
| [R02], [BN2000], [S04] | [R02], [BN08], [S04] | |||
| 4.2.2. Data Integrity | 4.2.2. Data Integrity | |||
| Definition: | Definition: | |||
| An AEAD algorithm allows one to ensure that the ciphertext and the | An AEAD algorithm allows one to ensure that the ciphertext and the | |||
| associated data have not been changed or forged by an active, | associated data have not been changed or forged by an active, | |||
| nonce-respecting adversary. | nonce-respecting adversary. | |||
| Security notion: | Security notions: | |||
| IND-CTXT [BN2000] (or AUTH [R02]) | INT-CTXT [BN08] (or AUTH [R02]) | |||
| Synonyms: | Synonyms: | |||
| Message authentication, authenticity | Message authentication, authenticity | |||
| Further reading: | Further reading: | |||
| [R02], [BN2000], [S04] | [R02], [BN08], [S04] | |||
| 4.2.3. Authenticated Encryption Security | 4.2.3. Authenticated Encryption Security | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides confidentiality and data integrity | An AEAD algorithm provides confidentiality and data integrity | |||
| against active, nonce-respecting adversaries. | against active, nonce-respecting adversaries. | |||
| Security notion: | Security notions: | |||
| IND-CPA and IND-CTXT [BN2000] [R02] (or equivalently, IND-CCA3 | IND-CPA and INT-CTXT [BN08] [R02] (or equivalently, IND-CCA3 | |||
| [S04]) | [S04]) | |||
| Notes: | Notes: | |||
| Please refer to [AEAD-LIMITS] for usage limits on modern AEAD | Please refer to [AEAD-LIMITS] for usage limits on modern AEAD | |||
| algorithms used in IETF protocols. | algorithms used in IETF protocols. | |||
| Further reading: | Further reading: | |||
| [R02], [BN2000], [S04] | [R02], [BN08], [S04] | |||
| 4.3. Security Properties | 4.3. Security Properties | |||
| 4.3.1. Blockwise Security | 4.3.1. Blockwise Security | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides security even if an adversary can | An AEAD algorithm provides security even if an adversary can | |||
| adaptively choose the next part of the plaintext depending on | adaptively choose the next part of the plaintext depending on | |||
| already-computed ciphertext parts during an encryption operation. | already-computed ciphertext parts during an encryption operation. | |||
| Security notion: | Security notions: | |||
| D-LORS-BCPA for confidentiality against passive adversaries, B- | D-LORS-BCPA for confidentiality against passive adversaries, B- | |||
| INT-CTXT for integrity [EV17]; OAE1 [HRRV15] (a stronger notion; | INT-CTXT for integrity [EV17]; OAE1 [HRRV15] (a stronger notion; | |||
| originally OAE (Online Authenticated Encryption) in [FFL12]) | originally OAE (Online Authenticated Encryption) in [FFL12]) | |||
| Examples: | Examples: | |||
| Deoxys [JNPS21], SAEF [ABV21] | Deoxys [JNPS21], SAEF [ABV21] | |||
| Notes: | Notes: | |||
| Blockwise security is highly relevant for streamable AEAD | Blockwise security is highly relevant for streamable AEAD | |||
| algorithms (see Section 4.4.8). The OAE1 security notion [HRRV15] | algorithms (see Section 4.4.8). The OAE1 security notion [HRRV15] | |||
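Review bot: the substantive fix in this region is IND-CTXT to INT-CTXT in 4.2.2 and 4.2.3; the ciphertext-integrity notion is INT-CTXT, and the old spelling wrongly filed it under the IND- (indistinguishability) family. The [BN2000] to [BN08] relabelling is applied to all seven citations here, and "Security notions:" now matches the plural heading used in the other sections.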
| skipping to change at line 361 ¶ | skipping to change at line 361 ¶ | |||
| 4.3.2. Full Commitment | 4.3.2. Full Commitment | |||
| Definition: | Definition: | |||
| An AEAD algorithm guarantees that it is hard to find two or more | An AEAD algorithm guarantees that it is hard to find two or more | |||
| different tuples of the key, nonce, associated data, and plaintext | different tuples of the key, nonce, associated data, and plaintext | |||
| such that they encrypt to the same ciphertext. In other words, an | such that they encrypt to the same ciphertext. In other words, an | |||
| AEAD scheme guarantees that a ciphertext is a commitment to all | AEAD scheme guarantees that a ciphertext is a commitment to all | |||
| inputs of an authenticated encryption operation. | inputs of an authenticated encryption operation. | |||
| Security notion: | Security notions: | |||
| CMT-4 [BH22], generalized CMT for a restricted setting (see the | CMT-4 [BH22], generalized CMT for a restricted setting (see the | |||
| notes below) [MLGR23] | notes below) [MLGR23] | |||
| Examples: | Examples: | |||
| Ascon [DEMS21a] [DEMS21b] [YSS23], full committing versions of | Ascon [DEMS21a] [DEMS21b] [YSS23], full committing versions of | |||
| Galois/Counter Mode (GCM) and GCM-SIV [BH22], generic | Galois/Counter Mode (GCM) and GCM-SIV [BH22], generic | |||
| constructions [BH22] and [CR22] | constructions [BH22] and [CR22] | |||
| Notes: | Notes: | |||
| Full commitment can be considered in a weaker setting, where | Full commitment can be considered in a weaker setting, where | |||
| skipping to change at line 394 ¶ | skipping to change at line 394 ¶ | |||
| 4.3.3. Key Commitment | 4.3.3. Key Commitment | |||
| Definition: | Definition: | |||
| An AEAD algorithm guarantees that it is hard to find two or more | An AEAD algorithm guarantees that it is hard to find two or more | |||
| different keys and the same number of potentially equal triples of | different keys and the same number of potentially equal triples of | |||
| nonce, associated data, and plaintext such that they encrypt to | nonce, associated data, and plaintext such that they encrypt to | |||
| the same ciphertext under corresponding keys. In other words, an | the same ciphertext under corresponding keys. In other words, an | |||
| AEAD scheme guarantees that a ciphertext is a commitment to the | AEAD scheme guarantees that a ciphertext is a commitment to the | |||
| key used for an authenticated encryption operation. | key used for an authenticated encryption operation. | |||
| Security notion: | Security notions: | |||
| CMT-1 [BH22] | CMT-1 [BH22] | |||
| Synonyms: | Synonyms: | |||
| Key robustness, key collision resistance | Key robustness, key collision resistance | |||
| Examples: | Examples: | |||
| Ascon [DEMS21a] [DEMS21b] [YSS23], generic constructions from | Ascon [DEMS21a] [DEMS21b] [YSS23], generic constructions from | |||
| [BH22] and [CR22] | [BH22] and [CR22] | |||
| Notes: | Notes: | |||
| skipping to change at line 422 ¶ | skipping to change at line 422 ¶ | |||
| Further reading: | Further reading: | |||
| [BH22], [CR22], [FOR17], [LGR21], [GLR17] | [BH22], [CR22], [FOR17], [LGR21], [GLR17] | |||
| 4.3.4. Leakage Resistance | 4.3.4. Leakage Resistance | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides security even if some additional | An AEAD algorithm provides security even if some additional | |||
| information about computations of an encryption (and possibly | information about computations of an encryption (and possibly | |||
| decryption) operation is obtained via side-channel leakages. | decryption) operation is obtained via side-channel leakages. | |||
| Security notion: | Security notions: | |||
| CIL1 [GPPS19] (CIML2 [BPPS17] with leakages in decryption) for | CIL1 [GPPS19] (CIML2 [BPPS17] with leakages in decryption) for | |||
| integrity, CCAL1 [GPPS19] (CCAmL2 [GPPS19] with leakages in | integrity, CCAL1 [GPPS19] (CCAmL2 [GPPS19] with leakages in | |||
| decryption) for authenticated encryption security | decryption) for authenticated encryption security | |||
| Examples: | Examples: | |||
| Ascon [DEMS21a] [DEMS21b] (security under CIML2 and CCAL1 notions | Ascon [DEMS21a] [DEMS21b] (security under CIML2 and CCAL1 notions | |||
| [B20]), TEDT [GPPS19] | [B20]), TEDT [GPPS19] | |||
| Notes: | Notes: | |||
| Leakages during AEAD operation executions are implementation- | Leakages during AEAD operation executions are implementation- | |||
| skipping to change at line 481 ¶ | skipping to change at line 481 ¶ | |||
| Further reading: | Further reading: | |||
| [GPPS19], [B20], [BPPS17], [BMOS17] | [GPPS19], [B20], [BPPS17], [BMOS17] | |||
| 4.3.5. Multi-user Security | 4.3.5. Multi-user Security | |||
| Definition: | Definition: | |||
| The security of an AEAD algorithm degrades slower than linearly | The security of an AEAD algorithm degrades slower than linearly | |||
| with an increase in the number of users. | with an increase in the number of users. | |||
| Security notion: | Security notions: | |||
| mu-ind [BT16] | mu-ind [BT16] | |||
| Examples: | Examples: | |||
| AES-GCM [D07], ChaCha20-Poly1305 [RFC8439], AES-GCM-SIV [RFC8452], | AES-GCM [D07], ChaCha20-Poly1305 [RFC8439], AES-GCM-SIV [RFC8452], | |||
| AEGIS [AEGIS-AEAD] | AEGIS [AEGIS-AEAD] | |||
| Notes: | Notes: | |||
| It holds that for any AEAD algorithm, security degrades no worse | For any AEAD algorithm, security degrades no worse than linearly | |||
| than linearly with an increase in the number of users [BT16]. | with an increase in the number of users [BT16]. However, for some | |||
| However, for some applications with a significant number of users, | applications with a significant number of users, better multi-user | |||
| better multi-user guarantees are required. For example, in the | guarantees are required. For example, in the TLS 1.3 protocol, | |||
| TLS 1.3 protocol, AEAD algorithms are used with a randomized nonce | AEAD algorithms are used with a randomized nonce | |||
| (deterministically derived from a traffic secret and a sequence | (deterministically derived from a traffic secret and a sequence | |||
| number) to address this issue. Using nonce randomization in block | number) to address this issue. Using nonce randomization in block | |||
| cipher counter-based AEAD modes can contribute to multi-user | cipher counter-based AEAD modes can contribute to multi-user | |||
| security [BT16]. Multi-user usage limits for AES-GCM and | security [BT16]. Multi-user usage limits for AES-GCM and | |||
| ChaCha20-Poly1305 are provided in [AEAD-LIMITS]. | ChaCha20-Poly1305 are provided in [AEAD-LIMITS]. | |||
| A weaker security notion, multi-user key recovery, is also | A weaker security notion, multi-user key recovery, is also | |||
| introduced and thoroughly studied in [BT16]. While this document | introduced and thoroughly studied in [BT16]. While this document | |||
| focuses on indistinguishability for security notions, key recovery | focuses on indistinguishability for security notions, key recovery | |||
| might be relevant and valuable to study alongside | might be relevant and valuable to study alongside | |||
| skipping to change at line 521 ¶ | skipping to change at line 521 ¶ | |||
| [BT16], [HTT18], [LMP17], [DGGP21], [BHT18] | [BT16], [HTT18], [LMP17], [DGGP21], [BHT18] | |||
| 4.3.6. Nonce Hiding | 4.3.6. Nonce Hiding | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides confidentiality for the nonce value | An AEAD algorithm provides confidentiality for the nonce value | |||
| used to encrypt plaintext. The algorithm includes information | used to encrypt plaintext. The algorithm includes information | |||
| about the nonce in the ciphertext and doesn't require the nonce as | about the nonce in the ciphertext and doesn't require the nonce as | |||
| input for the decryption operation. | input for the decryption operation. | |||
| Security notion: | Security notions: | |||
| AE2 [BNT19] | AE2 [BNT19] | |||
| Examples: | Examples: | |||
| Hide-Nonce (HN) transforms [BNT19] | Hide-Nonce (HN) transforms [BNT19] | |||
| Notes: | Notes: | |||
| As discussed in [BNT19], adversary-visible nonces might compromise | As discussed in [BNT19], adversary-visible nonces might compromise | |||
| message and user privacy, similar to the way any metadata might. | message and user privacy, similar to the way any metadata might. | |||
| As pointed out in [B13], even using a counter as a nonce value | As pointed out in [B13], even using a counter as a nonce value | |||
| might compromise privacy. Designing a privacy-preserving way to | might compromise privacy. Designing a privacy-preserving way to | |||
| skipping to change at line 552 ¶ | skipping to change at line 552 ¶ | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides security (resilience or resistance) | An AEAD algorithm provides security (resilience or resistance) | |||
| even if an adversary can repeat nonces in its encryption queries. | even if an adversary can repeat nonces in its encryption queries. | |||
| Nonce misuse resilience and resistance are defined as follows: | Nonce misuse resilience and resistance are defined as follows: | |||
| Nonce misuse resilience: Security is provided for messages | Nonce misuse resilience: Security is provided for messages | |||
| encrypted with non-repeated (fresh) nonces (correctly encrypted | encrypted with non-repeated (fresh) nonces (correctly encrypted | |||
| messages). | messages). | |||
| Security notion: | Security notions: | |||
| CPA resilience (confidentiality), authenticity resilience | Chosen-Plaintext Attack (CPA) resilience (confidentiality), | |||
| (integrity), CCA resilience (authenticated encryption) | authenticity resilience (integrity), Chosen-Ciphertext | |||
| [ADL17] | Attack (CCA) resilience (authenticated encryption) [ADL17] | |||
| Examples: | Examples: | |||
| ChaCha20-Poly1305 [RFC8439], AES-GCM [D07] (only | ChaCha20-Poly1305 [RFC8439], AES-GCM [D07] (only | |||
| confidentiality) | confidentiality) | |||
| Nonce misuse resistance: Security is provided for all messages | Nonce misuse resistance: Security is provided for all messages | |||
| that were not encrypted with the same nonce value more than | that were not encrypted with the same nonce value more than | |||
| once. | once. | |||
| Security notion: | Security notions: | |||
| MRAE [RS06] | MRAE [RS06] | |||
| Examples: | Examples: | |||
| AES-GCM-SIV [RFC8452], Deoxys-II [JNPS21] | AES-GCM-SIV [RFC8452], Deoxys-II [JNPS21] | |||
| Notes: | Notes: | |||
| Synthetic Initialization Vector (SIV) construction [RS06] is | Synthetic Initialization Vector (SIV) construction [RS06] is | |||
| a generic construction that provides nonce misuse | a generic construction that provides nonce misuse | |||
| resistance. | resistance. | |||
| skipping to change at line 587 ¶ | skipping to change at line 587 ¶ | |||
| Nonce misuse resilience follows from nonce misuse resistance. | Nonce misuse resilience follows from nonce misuse resistance. | |||
| Nonce misuse resistance does not follow from nonce misuse | Nonce misuse resistance does not follow from nonce misuse | |||
| resilience. | resilience. | |||
| Applications: | Applications: | |||
| Any application where nonce uniqueness can't be guaranteed, | Any application where nonce uniqueness can't be guaranteed, | |||
| security against fault-injection attacks and malfunctions, | security against fault-injection attacks and malfunctions, | |||
| processes parallelization, full disk encryption | processes parallelization, full disk encryption | |||
| Further reading: | Further reading: | |||
| [RS06], [ADL17] | [RS06], [ADL17], [IIM25] | |||
| 4.3.8. Quantum Security | 4.3.8. Quantum Security | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides security (in a Q1 or Q2 model) against | An AEAD algorithm provides security (in a Q1 or Q2 model) against | |||
| a quantum adversary. Q1 and Q2 models are defined as follows: | a quantum adversary. Q1 and Q2 models are defined as follows: | |||
| Q1 model: An adversary has access to local quantum computational | Q1 model: An adversary has access to local quantum computational | |||
| power. It has classical access to encryption and decryption | power. It has classical access to encryption and decryption | |||
| oracles. | oracles. | |||
| skipping to change at line 638 ¶ | skipping to change at line 638 ¶ | |||
| Further reading: | Further reading: | |||
| [KLLNP16], [BBCLNSS21], [G17] | [KLLNP16], [BBCLNSS21], [G17] | |||
| 4.3.9. Reforgeability Resilience | 4.3.9. Reforgeability Resilience | |||
| Definition: | Definition: | |||
| An AEAD algorithm guarantees that once a successful forgery for | An AEAD algorithm guarantees that once a successful forgery for | |||
| the algorithm has been found, it is still hard to find any | the algorithm has been found, it is still hard to find any | |||
| subsequent forgery. | subsequent forgery. | |||
| Security notion: | Security notions: | |||
| j-Int-CTXT [FLLW17] | j-Int-CTXT [FLLW17] | |||
| Examples: | Examples: | |||
| Deoxys [JNPS21], AEGIS [AEGIS-AEAD], Ascon [DEMS21a] [DEMS21b] | Deoxys [JNPS21], AEGIS [AEGIS-AEAD], Ascon [DEMS21a] [DEMS21b] | |||
| Applications: | Applications: | |||
| Voice over IP (VoIP), real-time streaming in a lightweight | Voice over IP (VoIP), real-time streaming in a lightweight | |||
| setting, applications that require small ciphertext expansion | setting, applications that require small ciphertext expansion | |||
| (i.e., short tags) | (i.e., short tags) | |||
| Further reading: | Further reading: | |||
| [BC09], [FLLW17] | [BC09], [FLLW17] | |||
| 4.3.10. Release of Unverified Plaintext (RUP) Integrity | 4.3.10. Release of Unverified Plaintext (RUP) Integrity | |||
| Definition: | Definition: | |||
| An AEAD algorithm provides data integrity even if plaintext is | An AEAD algorithm provides data integrity even if plaintext is | |||
| released for every ciphertext, including those with failed | released for every ciphertext, including those with failed | |||
| integrity verification. | integrity verification. | |||
| Security notion: | Security notions: | |||
| INT-RUP [A14] | INT-RUP [A14] | |||
| Examples: | Examples: | |||
| GCM-RUP [ADL17] | GCM [IIM25], GCM-RUP [ADL17] | |||
| Applications: | Applications: | |||
| Decryption with limited memory [FJMV2004], real-time streaming | Decryption with limited memory [FJMV2004], real-time streaming | |||
| protocols | protocols | |||
| Notes: | Notes: | |||
| In [ADL17], a generic approach to achieve INT-RUP security is | In [ADL17], a generic approach to achieve INT-RUP security is | |||
| introduced. | introduced. | |||
| In the provided definition, we only consider integrity in the RUP | In the provided definition, we only consider integrity in the RUP | |||
| setting, since confidentiality, in the usual sense, is | setting, since confidentiality, in the usual sense, is | |||
| unachievable under RUP. In [A14], the notion of "Plaintext | unachievable under RUP. In [A14], the notion of "Plaintext | |||
| Awareness" is introduced, capturing the best possible | Awareness" is introduced, capturing the best possible | |||
| confidentiality under RUP in the following sense: "the adversary | confidentiality under RUP in the following sense: "the adversary | |||
| cannot gain any additional knowledge about the plaintext from | cannot gain any additional knowledge about the plaintext from | |||
| decryption queries besides what it can derive from encryption | decryption queries besides what it can derive from encryption | |||
| queries". | queries". | |||
| Further reading: | Further reading: | |||
| [A14], [ADL17] | [A14], [ADL17], [IIM25] | |||
| 4.4. Implementation Properties | 4.4. Implementation Properties | |||
| 4.4.1. Hardware Efficient | 4.4.1. Hardware Efficient | |||
| Definition: | Definition: | |||
| An AEAD algorithm ensures optimal performance when operating on | An AEAD algorithm ensures optimal performance when operating on | |||
| hardware that complies with the specified requirements. | hardware that complies with the specified requirements. | |||
| Notes: | Notes: | |||
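Review bot: listing GCM [IIM25] beside GCM-RUP [ADL17] as an INT-RUP example at 4.3.10 would read better with the scope under which [IIM25] establishes it, in the style of the "(only confidentiality)" qualifier used for AES-GCM at 4.3.7; as written, a reader may take plain GCM and the purpose-built GCM-RUP construction to offer the same RUP guarantee.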
| skipping to change at line 709 ¶ | skipping to change at line 709 ¶ | |||
| requirements for the AEAD to fulfill its intended purpose, as well | requirements for the AEAD to fulfill its intended purpose, as well | |||
| as to match its performance and security claims. | as to match its performance and security claims. | |||
| 4.4.2. Inverse-Free | 4.4.2. Inverse-Free | |||
| Definition: | Definition: | |||
| An AEAD algorithm based on a given primitive can be implemented | An AEAD algorithm based on a given primitive can be implemented | |||
| without invoking the inverse of that primitive. | without invoking the inverse of that primitive. | |||
| Examples: | Examples: | |||
| AES-GCM [D07], ChaCha20-Poly1305 [RFC8439], OCB [RFC7253], MGM | AES-GCM [D07], ChaCha20-Poly1305 [RFC8439], MGM [RFC9058], AEGIS | |||
| [RFC9058], AEGIS [AEGIS-AEAD] | [AEGIS-AEAD] | |||
| Notes: | Notes: | |||
| In a sponge-based AEAD algorithm, an underlying permutation is | In a sponge-based AEAD algorithm, an underlying permutation is | |||
| viewed as a primitive. | viewed as a primitive. | |||
| 4.4.3. Lightweight | 4.4.3. Lightweight | |||
| Definition: | Definition: | |||
| An AEAD algorithm can be efficiently and securely implemented on | An AEAD algorithm can be efficiently and securely implemented on | |||
| resource-constrained devices. In particular, it meets the | resource-constrained devices. In particular, it meets the | |||
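Review bot: dropping OCB [RFC7253] from the inverse-free examples at 4.4.2 is a correction, not a trim: OCB decryption applies the block cipher's inverse to recover plaintext blocks, so it does not satisfy the definition given directly above, whereas the remaining examples (AES-GCM, ChaCha20-Poly1305, MGM, AEGIS) invoke their primitive only in the forward direction.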
| skipping to change at line 847 ¶ | skipping to change at line 847 ¶ | |||
| When specifying security requirements for an AEAD algorithm in an | When specifying security requirements for an AEAD algorithm in an | |||
| application, it SHOULD be indicated, for every required security | application, it SHOULD be indicated, for every required security | |||
| property, whether only integrity or confidentiality is necessary. | property, whether only integrity or confidentiality is necessary. | |||
| Additionally, for each security property, it SHOULD be specified | Additionally, for each security property, it SHOULD be specified | |||
| whether an analysis in an alternative security notion is required. | whether an analysis in an alternative security notion is required. | |||
| We also note that some additional properties come with trade-offs in | We also note that some additional properties come with trade-offs in | |||
| terms of classical security and efficiency, and they may only be | terms of classical security and efficiency, and they may only be | |||
| supported in non-standardized or modified AEAD algorithms. This | supported in non-standardized or modified AEAD algorithms. This | |||
| immediately implies challenges in deployment and interoperability. | immediately implies challenges in deployment and interoperability. | |||
| In an application, the requirements for additional AEAD properties | In an application, the requirements for additional AEAD properties | |||
| SHOULD be highly motivated and justified, as should all trade-offs be | SHOULD be highly motivated and justified, and all trade-offs should | |||
| carefully considered. | be carefully considered. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document has no IANA actions. | This document has no IANA actions. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [D07] Dworkin, M., "Recommendation for Block Cipher Modes of | [D07] Dworkin, M., "Recommendation for Block Cipher Modes of | |||
| skipping to change at line 982 ¶ | skipping to change at line 982 ¶ | |||
| 187-220, DOI 10.1007/978-3-319-96884-1_7, 2018, | 187-220, DOI 10.1007/978-3-319-96884-1_7, 2018, | |||
| <https://doi.org/10.1007/978-3-319-96884-1_7>. | <https://doi.org/10.1007/978-3-319-96884-1_7>. | |||
| [BMOS17] Barwell, G., Martin, D.P., Oswald, E., and M. Stam, | [BMOS17] Barwell, G., Martin, D.P., Oswald, E., and M. Stam, | |||
| "Authenticated Encryption in the Face of Protocol and Side | "Authenticated Encryption in the Face of Protocol and Side | |||
| Channel Leakage", Advances in Cryptology - ASIACRYPT 2017, | Channel Leakage", Advances in Cryptology - ASIACRYPT 2017, | |||
| Lecture Notes in Computer Science, vol. 10624, pp. | Lecture Notes in Computer Science, vol. 10624, pp. | |||
| 693-723, DOI 10.1007/978-3-319-70694-8_24, 2017, | 693-723, DOI 10.1007/978-3-319-70694-8_24, 2017, | |||
| <https://doi.org/10.1007/978-3-319-70694-8_24>. | <https://doi.org/10.1007/978-3-319-70694-8_24>. | |||
| [BN2000] Bellare, M. and C. Namprempre, "Authenticated Encryption: | [BN08] Bellare, M. and C. Namprempre, "Authenticated Encryption: | |||
| Relations among Notions and Analysis of the Generic | Relations among Notions and Analysis of the Generic | |||
| Composition Paradigm", Advances in Cryptology - ASIACRYPT | Composition Paradigm", Journal of Cryptology, vol. 21, pp. | |||
| 2000, Lecture Notes in Computer Science, vol. 1976, pp. | 469-491, DOI 10.1007/s00145-008-9026-x, 2008, | |||
| 531-545, DOI 10.1007/3-540-44448-3_41, 2000, | <https://doi.org/10.1007/s00145-008-9026-x>. | |||
| <https://doi.org/10.1007/3-540-44448-3_41>. | ||||
| [BNT19] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | [BNT19] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | |||
| AEAD Revisited", Advances in Cryptology - CRYPTO 2019, | AEAD Revisited", Advances in Cryptology - CRYPTO 2019, | |||
| Lecture Notes in Computer Science, vol. 11692, pp. | Lecture Notes in Computer Science, vol. 11692, pp. | |||
| 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019, | 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019, | |||
| <https://doi.org/10.1007/978-3-030-26948-7_9>. | <https://doi.org/10.1007/978-3-030-26948-7_9>. | |||
| [BPPS17] Berti, F., Pereira, O., Peters, T., and F.-X. Standaert, | [BPPS17] Berti, F., Pereira, O., Peters, T., and F.-X. Standaert, | |||
| "On Leakage-Resilient Authenticated Encryption with | "On Leakage-Resilient Authenticated Encryption with | |||
| Decryption Leakages", IACR Transactions on Symmetric | Decryption Leakages", IACR Transactions on Symmetric | |||
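Review bot: the reference entry now points at the Journal of Cryptology version of Bellare and Namprempre, and the tag [BN08] matches every in-text citation changed in this diff; since no remaining text cites [BN2000], replacing the ASIACRYPT 2000 entry rather than keeping both is correct, and the entry follows the same author, title and DOI layout as its neighbours.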
| skipping to change at line 1120 ¶ | skipping to change at line 1119 ¶ | |||
| DOI 10.1007/978-3-662-47989-6_24, 2015, | DOI 10.1007/978-3-662-47989-6_24, 2015, | |||
| <https://doi.org/10.1007/978-3-662-47989-6_24>. | <https://doi.org/10.1007/978-3-662-47989-6_24>. | |||
| [HTT18] Hoang, V.T., Tessaro, S., and A. Thiruvengadam, "The | [HTT18] Hoang, V.T., Tessaro, S., and A. Thiruvengadam, "The | |||
| Multi-user Security of GCM, Revisited: Tight Bounds for | Multi-user Security of GCM, Revisited: Tight Bounds for | |||
| Nonce Randomization", Proceedings of the 2018 ACM SIGSAC | Nonce Randomization", Proceedings of the 2018 ACM SIGSAC | |||
| Conference on Computer and Communications Security (CCS | Conference on Computer and Communications Security (CCS | |||
| '18), pp. 1429-1440, DOI 10.1145/3243734.3243816, 2018, | '18), pp. 1429-1440, DOI 10.1145/3243734.3243816, 2018, | |||
| <https://doi.org/10.1145/3243734.3243816>. | <https://doi.org/10.1145/3243734.3243816>. | |||
| [IIM25] Inoue, A., Iwata, T., and K. Minematsu, "Comprehensive | ||||
| Robustness Analysis of GCM, CCM, and OCB3", Topics in | ||||
| Cryptology - CT-RSA 2025, Lecture Notes in Computer | ||||
| Science, vol. 15598, DOI 10.1007/978-3-031-88661-4_4, | ||||
| 2025, <https://doi.org/10.1007/978-3-031-88661-4_4>. | ||||
| [JMV2002] Joux, A., Martinet, G., and F. Valette, "Blockwise- | [JMV2002] Joux, A., Martinet, G., and F. Valette, "Blockwise- | |||
| Adaptive Attackers Revisiting the (In)Security of Some | Adaptive Attackers Revisiting the (In)Security of Some | |||
| Provably Secure Encryption Modes: CBC, GEM, IACBC", | Provably Secure Encryption Modes: CBC, GEM, IACBC", | |||
| Advances in Cryptology - CRYPTO 2002, Lecture Notes in | Advances in Cryptology - CRYPTO 2002, Lecture Notes in | |||
| Computer Science, vol. 2442, DOI 10.1007/3-540-45708-9_2, | Computer Science, vol. 2442, DOI 10.1007/3-540-45708-9_2, | |||
| 2002, <https://doi.org/10.1007/3-540-45708-9_2>. | 2002, <https://doi.org/10.1007/3-540-45708-9_2>. | |||
| [JNPS21] Jean, M., Nikolić, I., Peyrin, T., and Y. Seurin, "The | [JNPS21] Jean, M., Nikolić, I., Peyrin, T., and Y. Seurin, "The | |||
| Deoxys AEAD family", Journal of Cryptology, vol. 34, no. | Deoxys AEAD family", Journal of Cryptology, vol. 34, no. | |||
| 31, DOI 10.1007/s00145-021-09397-w, 2021, | 31, DOI 10.1007/s00145-021-09397-w, 2021, | |||
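Review bot: the five added lines for [IIM25] (between the [HTT18] and [JMV2002] entries) are a reference-list addition only; none of the changes shown in this hunk adds an in-text citation of [IIM25], so confirm that the body now cites it where the GCM, CCM, and OCB3 robustness results are relied on, otherwise the new entry is unreferenced. The entry itself follows the neighbouring format (authors, title, venue, volume, DOI, URL) and is correctly ordered alphabetically between [HTT18] and [JMV2002].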
| skipping to change at line 1267 ¶ | skipping to change at line 1272 ¶ | |||
| suffice. | suffice. | |||
| For the examples given in this section, we leave it out of scope how | For the examples given in this section, we leave it out of scope how | |||
| to concretely redefine conventional security for these classes; we | to concretely redefine conventional security for these classes; we | |||
| only briefly describe the additional functionality they offer and | only briefly describe the additional functionality they offer and | |||
| provide further references. | provide further references. | |||
| A.1. Incremental Authenticated Encryption | A.1. Incremental Authenticated Encryption | |||
| Definition: | Definition: | |||
| An AEAD algorithm allows re-encrypting and authenticating a | For a message that only partly differs from some previous message, | |||
| message (associated data and a plaintext pair), which only partly | an AEAD algorithm allows re-encrypting and authenticating that | |||
| differs from some previous message, faster than processing it from | message (associated data and a plaintext pair) faster than | |||
| scratch. | processing it from scratch. | |||
| Examples: | Examples: | |||
| Incremental AEAD algorithm of [SY16] | Incremental AEAD algorithm of [SY16] | |||
| Security notion: | Security notions: | |||
| Privacy, authenticity [SY16] | Privacy, authenticity [SY16] | |||
| Notes: | Notes: | |||
| When compared with conventional AEAD, the interface of an | When compared with conventional AEAD, the interface of an | |||
| incremental AEAD algorithm is usually expanded with several | incremental AEAD algorithm is usually expanded with several | |||
| operations, which perform different types of updates. For | operations, which perform different types of updates. For | |||
| example, one can consider operations such as "Append" or "Chop", | example, one can consider operations such as "Append" or "Chop", | |||
| which provide a straightforward additional functionality. A | which provide a straightforward additional functionality. A | |||
| comprehensive definition of an incremental AEAD interface is | comprehensive definition of an incremental AEAD interface is | |||
| provided in [SY16]. | provided in [SY16]. | |||
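Review bot: the reordered Definition fixes a dangling modifier. In the old text, "which only partly differs from some previous message" followed the parenthetical "(associated data and a plaintext pair)" and could be read as qualifying the pair rather than the message; fronting the condition as "For a message that only partly differs ..." makes "faster than processing it from scratch" attach unambiguously to the message. The "Security notion:" to "Security notions:" change matches the two notions listed (privacy, authenticity); the same pluralization is applied at the RAE entry further down, so check that every other subsection of Appendix A uses the same plural label for consistency.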
| skipping to change at line 1304 ¶ | skipping to change at line 1309 ¶ | |||
| expansion (the difference between the length of plaintext and | expansion (the difference between the length of plaintext and | |||
| corresponding ciphertext) along with an input to the encryption | corresponding ciphertext) along with an input to the encryption | |||
| operation. This feature enables the regulation of desired data | operation. This feature enables the regulation of desired data | |||
| integrity guarantees, which depend on ciphertext expansion, for | integrity guarantees, which depend on ciphertext expansion, for | |||
| each particular application while using the same algorithm | each particular application while using the same algorithm | |||
| implementation. | implementation. | |||
| Examples: | Examples: | |||
| AEZ [HKR2015] | AEZ [HKR2015] | |||
| Security notion: | Security notions: | |||
| RAE [HKR2015] | Robust Authenticated Encryption (RAE) [HKR2015] | |||
| Notes: | Notes: | |||
| The security goal of robust AEAD algorithms is to ensure the best | The security goal of robust AEAD algorithms is to ensure the best | |||
| possible security, even with small ciphertext expansion (referred | possible security, even with small ciphertext expansion (referred | |||
| to as stretch). For instance, analyzing any AEAD algorithm with a | to as stretch). For instance, analyzing any AEAD algorithm with a | |||
| one-byte stretch for conventional integrity reveals insecurity, as | one-byte stretch for conventional integrity reveals insecurity, as | |||
| the probability of forging a ciphertext is no less than 1/256. | the probability of forging a ciphertext is no less than 1/256. | |||
| Nonetheless, from the robust AEAD perspective, an algorithm with | Nonetheless, from the robust AEAD perspective, an algorithm with | |||
| such forgery probability for a one-byte ciphertext expansion is | such forgery probability for a one-byte ciphertext expansion is | |||
| secure, representing the best achievable security in that | secure, representing the best achievable security in that | |||
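Review bot: expanding "RAE" to "Robust Authenticated Encryption (RAE)" at its first appearance in the Security notions line is the right fix, since the Notes paragraph that follows uses "robust AEAD" and "robust AEAD perspective" without otherwise defining the acronym. The expansion also keeps the one-byte-stretch example readable: the 1/256 forgery probability is stated as a failure under conventional integrity, and RAE is the notion under which that same algorithm is still considered secure, so the reader needs the acronym spelled out before reaching that contrast.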
| End of changes. 31 change blocks. | ||||
| 53 lines changed or deleted | 58 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||