Security of online AE schemes in RUP setting

Abstract

Authenticated encryption (AE) combines privacy with data integrity, and in the process of decryption, the plaintext is always kept until successful verification. But in applications with insufficient memory or with realtime requirement, release of unverified plaintext is unavoidable. Furthermore most of present online AE schemes claim to keep the unverified plaintext, leading to online encryption but offline decryption, which seems unreasonable for online applications. Thus, security of the releasing unverified plaintext (RUP) setting, especially for online AE scheme need to be taken seriously. The notion of plaintext awareness (PA) together with IND-CPA have been formalized to achieve privacy in RUP setting by Andreeva et al. in 2014. But notion of PA is too strong and conflicts to online property, namely no online AE scheme can be PA secure according to their results, leading PA to lose its practical significance. In this paper, we define a similar security notion OPA and combine OPA with OPRP-CPA (IND-CPA) to achieve privacy of online AE scheme in RUP setting, which solves the conflicts between PA and online property. And we analysis the relation between OPA and some other notions. Then we study OPA security of existing online AE schemes, and show OPA insecurity of Stream Structure and structures with the property of “controll ciphertext to jump between two plaintexts” (CCJP), which are adopted by most of schemes in the ongoing CAESAR competition. At last, combining the property CCJP with the simple tagproducing process, we look upon the INT-RUP insecurity of existing schemes from new different angle.