This paper investigates what security can be retained by the most efficient (namely, rate-one) authenticated encryption (AE) schemes, such as OCB, under the release of unverified plaintext (RUP). At CT-RSA 2016, Chakraborti et al. presented an impossibility result stating that no rate-one AE scheme can ensure INT-RUP, a strong integrity requirement under RUP. In this paper we show that no rate-one AE scheme can satisfy PA2 (plaintext awareness 2) either, a strong privacy requirement under RUP introduced by Andreeva et al. at Asiacrypt 2014. Given these impossibility results, we relax the security requirements and identify new notions, tag-PA and tag-INT. The new notions are strictly weaker than PA2 and INT-RUP, yet they have considerable practical significance. In particular, tag-PA is strictly stronger than PA1, defined by Andreeva et al. at Asiacrypt 2014. Unfortunately, OCB is neither tag-PA nor tag-INT. We present a new rate-one AE scheme that is both tag-PA and tag-INT. The new scheme is essentially as efficient as OCB, consuming just one extra call to a block cipher.
Hirose, S., Sasaki, Y., & Yasuda, K. (2017). Rate-One AE with Security Under RUP. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10599 LNCS, pp. 3–20). Springer Verlag. https://doi.org/10.1007/978-3-319-69659-1_1