CCA Security with Short AEAD Tags

The size of the authentication tag represents a significant overhead for applications that are limited by bandwidth or memory. Hence, some authenticated encryption designs have a smaller tag than the required privacy level, as was also suggested by the NIST lightweight cryptography standardization project. In ToSC 2022, two papers raised questions about the IND-CCA security of AEAD schemes in this situation. These papers show that (a) online AE cannot provide IND-CCA security beyond the tag length, and (b) it is possible to have IND-CCA security beyond the tag length in a restricted Encode-then-Encipher framework. In this paper, we address some of the remaining gaps in this area. Our main result is to show that, for a fixed stretch, Pseudo-Random Injection security implies IND-CCA security as long as the minimum ciphertext size is at least as large as the required IND-CCA security level. We also show that this bound is tight and that any AEAD scheme that allows empty plaintexts with a fixed stretch cannot achieve IND-CCA security beyond the tag length. Next, we look at the weaker notion of MRAE security, and show that two-pass schemes that achieve MRAE security do not achieve IND-CCA security beyond the tag size. This includes SIV and rugged PRPs.


Introduction
Authenticated Encryption with Associated Data (AEAD) is one of the most important symmetric-key primitives. It provides privacy and authenticity simultaneously. It has gained significant attention over the past 25 years, culminating in two cryptographic competitions that either recommend or standardize AEAD schemes for a variety of applications: the CAESAR competition [com19] and the NIST lightweight cryptography standardization project [oST19]. While these projects encouraged cryptographers and designers to diversify the design space of AEADs, they also helped shine light on some of the less studied aspects of AEADs. AEAD schemes typically require a nonce N or a random IV, usually communicated out-of-band, and expand the ciphertext size by λ bits, referred to as the ciphertext stretch, or stretch for short. The integrity of an AEAD scheme cannot be ensured with λ = 0, and in terms of bit-security it is capped at λ bits, as the adversary can simply guess the redundancy in the ciphertext. The impact of the stretch on privacy, however, is a less obvious aspect of the security of AEAD schemes.
An AEAD scheme consists of an encryption algorithm and a decryption/verification algorithm. The security notions are defined using two idealized oracles, $ and ⊥. The first replaces the encryption algorithm and returns random strings, while the latter replaces the decryption algorithm and rejects all ciphertexts. The game is defined between a challenger and an adversary: the challenger flips a coin at the beginning of the game and decides whether to operate in the real world or the ideal world. The adversary makes q_e queries to the left oracle and q_d queries to the right oracle, runs in time t, and returns 1 if it thinks the challenger is ideal. For a security notion n, a scheme Π and an adversary A, the advantage of A against the challenger is defined as the gap between the probabilities that A returns 1 in the real world and in the ideal world.

Related Work
The security notions of AEADs have been heavily studied. We give a few highlights that are relevant to our study. In 2000, Bellare and Namprempre [BN00] studied the relation between different security notions of AEAD, and one of their results is to show that IND-CPA and INT-CTXT together imply IND-CCA. In particular, if there is an IND-CCA adversary A against an AEAD scheme Π that makes at most q_e encryption queries and q_d forgery attempts and runs in time at most t, then there exist two adversaries B and C such that the IND-CCA advantage of A is bounded in terms of the IND-CPA advantage of B and the INT-CTXT advantage of C, where both adversaries run in time O(t), B makes at most q_e encryption queries, and C makes at most q_e encryption queries and q_d forgery attempts. While their result is for a weaker security notion, namely indistinguishability of the encryption of random plaintexts, the result is still significant and motivates our study, among others. During the CAESAR competition, Hoang et al. [HKR15] proposed AEZ, an AEAD scheme aimed at being secure with arbitrary stretch sizes. In fact, they consider λ as an input from the user/adversary. In order to achieve this, they designed an enciphering scheme, i.e., a variable-block-size Tweakable Block Cipher (TBC), and then apply a framework known as Encode-then-Encipher (EtE), where the message is encoded with λ bits of redundancy, e.g., padded with 0^λ, and then encrypted using the enciphering scheme. This approach has a lot of promise, but their scheme uses an internal fixed-block-size TBC with a block size of n bits.
The scheme has birthday-bound security, capping the security at n/2 bits. Besides, it follows the prove-then-prune strategy, where the security proof is done assuming an ideal TBC, while in practice a 4-round cipher based on the AES round function is used. This approach has been shown to lead to birthday-bound key recovery attacks [CG16], and it plays a significant role in the scheme's excellent practical performance. Nevertheless, we view their work on defining the robust AE security notion as essential to our work. We will be referring to a more restricted version known as Pseudo-Random Injection (PRI), where we consider IND-CCA security when λ can be short but is fixed as part of the scheme. In 2016, Abed et al. [AFL+16] proposed the Robust IV (RIV) scheme as a more efficient solution to AEAD goals similar to those of AEZ, but the authors provide a security bound where the AEAD security is upper bounded by the INT-CTXT security.
At CRYPTO 2022, Degabriele and Karadžić [DK22] proposed the concept of a rugged Pseudo-Random Permutation (PRP): a variable-block-length PRP scheme that is not secure against IND-CCA attacks, but can be used in the EtE framework when part of the encoded plaintext is encrypted using an IND-CCA-secure PRP. They then propose two EtE-like AEAD schemes based on their construction, one with λ-bit AEAD security and one with λ/2-bit AEAD security.
Last but not least, two recent papers appeared in ToSC 2022 addressing the IND-CCA security of online AEAD schemes. An online AEAD scheme is parameterized by a small integer m, such that the first m bits of the ciphertext depend only on the first m bits of the plaintext, the first 2m bits of the ciphertext depend only on the first 2m bits of the plaintext, and so on. In [Kha22], Khairallah showed that online AEAD schemes cannot have more than λ bits of IND-CCA security. He also showed that the Combined Feedback (COFB) [CIMN20] AEAD scheme has at most n/2-bit IND-CCA security when instantiated with an n-bit block cipher. In [HII+22], Hosoyamada et al. showed a similar result and provided an attack on the ROCCA AEAD scheme [SLN+21] with 2^λ queries. They also showed that it is possible to build a nonce-based AEAD scheme using the EtE framework with 256-bit IND-CCA security and 128-bit INT-CTXT security, if the underlying enciphering scheme is a fixed-length strong Tweakable PRP (TPRP). SIV when the underlying encryption scheme is IND-CCA-insecure, and show that when the encryption scheme is stream-cipher-like, the attack can be used to decrypt any message, capping the IND-CCA security of SIV in these cases at λ bits.

Contributions
3. We also show that while the recently proposed rugged PRPs [DK22] share a similar philosophy to this paper, they are not sufficient to address our security goals. We do this by proposing matching attacks in the IND-CCA model.
While our results are mostly negative, they help paint a clearer picture of the landscape of IND-CCA security with short tags. We show that two-pass schemes do not achieve the required security in this model and that the enciphering assumption in [HII+22] is not needed; however, the PRI assumption we need is very close to the enciphering assumption. Besides, we show, by both a security proof and an attack, that in order to achieve the required security we must constrain the minimum size of the plaintext. It is possible to have a different security argument based on variable stretch size and the minimum ciphertext size in general, but we leave that approach out of our scope. Table 2 shows a summary of the implications of [Kha22, HII+22] and our work.

Preliminaries
Notations. We use lower-case letters, e.g., v, to refer to integer variables. We use upper-case letters, e.g., V, to refer to variables that are bit-strings. We use calligraphic letters, e.g., 𝒱, to refer to sets of values. We use boldface upper-case letters, e.g., V, to refer to adversaries. ε refers to the empty bit-string. {0,1}^b is the set of all bit-strings of length exactly b. {0,1}^{b+} is the set of all bit-strings of length at least b. {0,1}^* ≡ {0,1}^{0+} is the set of all bit-strings, including ε. For two bit-strings X and Y, X∥Y is their concatenation. |X| is the length of the bit-string X in bits. ⌊X⌋_n is the bit-string composed of the n leftmost bits of X, while ⌈X⌉_n is the bit-string composed of the n rightmost bits of X. ← is an assignment from the statement on the right-hand side to the variable on the left-hand side. $← samples a value uniformly from the set on the right-hand side and assigns it to the variable on the left-hand side. A ⇒ X means that the algorithm/adversary A on the left-hand side returns X.
Authenticated Encryption. An Authenticated Encryption (AE) scheme [BN00] is a symmetric-key algorithm that provides both privacy and authenticity. An AEAD scheme [Rog02] differs in that both algorithms take an extra input, the associated data A, which is a public portion of the message used for authentication only. In this paper, we focus on nonce-based AEAD, sometimes known as NAE, which takes a third input N called the nonce. An AEAD scheme Π is a triplet (K, Enc, Dec), where K is the key space, Enc : K×N×A×M → C is the encryption algorithm and Dec : K×N×A×C → M ∪ {⊥} is the decryption algorithm, which returns ⊥ if the input is not a valid ciphertext. Let M = {0,1}^{s+}; then C = {0,1}^{(s+λ)+}, where s is the minimum plaintext size and λ is the ciphertext stretch. For every Enc(K, N, A, M) ⇒ C, |C| = |M| + λ. For some schemes, the ciphertext can be separated into two distinct bit-strings, in which case we redefine the output of Enc as a pair (C, T); T is then referred to as the tag, and |T| is the stretch. In some schemes, we define a tweak space T = N × A and combine each pair (N, A) in one variable T_w. In such cases, we refer to T_w as the nonce and count how many times a nonce repeats accordingly. Let $ : N×A×M → C be a random oracle that returns a uniformly random ciphertext of the same size as the output of Enc, and let ⊥ : N×A×C → {⊥} be an oracle that rejects all ciphertexts. Let A be an adversary against Π. We define four security notions (Table 1); the last one captures IND-CCA security and is the focus of our work.

CCA Security of Pseudo-Random Injections
In this section, we study the IND-CCA security of a Pseudo-Random Injection (PRI). We start by defining tweakable PRIs and their security. We then refer to one of the results of [RS06] that addresses the security gap between PRIs with a fixed tweak and ideal Deterministic AEAD (DAE). While the ideal AEAD scheme is defined according to AEAD security, we can argue that tweakable PRIs capture the best possible notion of AEAD in practice: an ideal AEAD scheme rejects all decryption queries that have not been generated by its encryption random oracle, whereas in practice an AEAD scheme should be able to decrypt valid ciphertexts that have not been generated yet.
Definition 1. A tweakable fixed-stretch injection is a keyed function π : K×T×{0,1}^{s+} → {0,1}^{(s+λ)+}, where K is the key space, T is the tweak space, s is the minimum plaintext length in bits, and λ is referred to as the ciphertext stretch, such that π(K, T_w, ·) is an injective function from {0,1}^{s+} to {0,1}^{(s+λ)+}. We sometimes write π_K^{T_w}(M) for π(K, T_w, M).
Definition 2. The security of a tweakable fixed-stretch injection π : K×T×{0,1}^{s+} → {0,1}^{(s+λ)+} for a key K selected uniformly at random from K is defined by its indistinguishability from a tweakable fixed-stretch injection f selected randomly from the set of injections with the same domain, co-domain and stretch; that is, f : T×{0,1}^{s+} → {0,1}^{(s+λ)+} is a family of independent uniformly random fixed-stretch injections indexed by the tweak T_w ∈ T. Let Adv^{pri}_π(A) denote the Pseudo-Random Injection (PRI) advantage of π against an adversary A. It is defined as the advantage of A in distinguishing the oracle pair (π_K, π_K^{-1}) from (f, f^{-1}), where π_K^{-1}(T_w, C) returns the unique M with π_K(T_w, M) = C, and ⊥ if no such point exists, and similarly for f^{-1}.
We note that PRI security is similar to robust AE security. The two differ in that robust AE considers a variable stretch that is given by the user/adversary as an input, as pointed out in [HKR15]. In [RS06], the authors showed that when the tweak is fixed, a PRI is almost an ideal DAE. However, the bound is quite large when the stretch is short.
Theorem 1 ([RS06, Theorem 7]). Let π : K×T×{0,1}^{s+} → {0,1}^{(s+λ)+} be a PRI. Let A be an adversary that makes at most q_e queries to π and q_d queries to π^{-1}, with a total of q = q_e + q_d queries. Then the DAE advantage of A against π is bounded as in [RS06, Theorem 7]. In order to get a better and more practical bound, we consider the restricted case of nonce-misusing adversaries, where the adversary makes at most µ encryption queries with the same tweak T_w, and consider IND-CCA security rather than AEAD security. The next theorem is a generalization of Theorem 1 in [HII+22]. It is also influenced by, and uses techniques from, Theorem 7 of [RS06]. Afterwards, we give a matching attack.
Theorem 2. Let π : K×T×{0,1}^{s+} → {0,1}^{(s+λ)+} be a PRI. Then, for any IND-CCA adversary A that makes q_e queries to π and q_d queries to π^{-1}, and at most µ queries to π for any single tweak T_w ∈ T, there exists a PRI adversary B that makes at most q_e queries to π and q_d queries to π^{-1} and runs in time at most O(t), such that the IND-CCA advantage of A is bounded by Adv^{pri}_π(B) plus the probabilities of the bad events bounded in the proof below, given (q_d + q_e) < 2^{s+λ−1}.
Proof. First, we replace π with an ideal random injection, which gives us the first term. Next, we describe the PRI oracles and the ideal-world oracles, and then three bad events that are used to analyze the adversarial advantage. The oracles of both worlds are described in Algorithm 1.
Adversarial Queries: The adversary makes queries to its two oracles under the following conditions: it does not repeat queries and does not forward queries, i.e., if C ← Enc(T_w, M), the adversary cannot query Dec(T_w, C), and if M ← Dec(T_w, C), the adversary cannot query Enc(T_w, M).

PRI oracles: see Algorithm 1; its oracles are described in detail later in this document.
1. bad1: This happens if the Enc oracle samples a ciphertext that corresponds to a point previously assigned to the random injection, or a ciphertext that has been deemed invalid by the Dec oracle. In the real world, the oracle performs a corrective step (it resamples), while in the ideal world no such step is performed.

2. bad2: This happens if the Dec oracle samples a decrypted message that has been output by Enc for the same T_w.
3. badF: This is the event that a successful forgery occurs.
Note that bad2 is impossible in the real world, since all the inputs to Enc are automatically excluded from the valid plaintexts. Thus, this event can only happen in the ideal world, when the adversary queries C ← Enc(T_w, M) and then makes a subsequent query M′ ← Dec(T_w, C′) such that C′ ≠ C and M′ = M. On the other hand, bad1 can happen in both worlds, in two ways:
1. bad1a: Two queries C_1 ← Enc(T_w, M_1) and C_2 ← Enc(T_w, M_2) with M_1 ≠ M_2 sample the same ciphertext C_1 = C_2.
2. bad1b: A query C ← Enc(T_w, M) samples a ciphertext C that was previously queried to Dec(T_w, ·).
[Algorithm 2 (intermediate-world oracles) is not reproduced here; only its initialization survives: for each (T_w, c), M_{T_w,c} ← ∅, C_{T_w,c} ← ∅ and n_{T_w,c} ← 0, and bad1, bad2, badF ← false.]
If neither bad1 nor bad2 occurs, then all the queries are compatible with the description of a random injection. However, the two games are not identical, since the probability distribution of a successful forgery is slightly different in the two worlds: the ideal-world decryption oracle does not exclude the plaintexts and ciphertexts used during encryption queries from the lists of valid plaintexts and ciphertexts. For this purpose, we introduce an intermediate world in Algorithm 2 and apply the triangle inequality across the real, intermediate and ideal worlds.

Distinguishing the Intermediate and Ideal Worlds:
We note that the only difference between the two worlds is in the bias of the coin that determines whether a forgery is successful. Let (T_i, C_i) be the i-th decryption query. Let F_{1,i} be the event that the adversary gets a successful forgery in the intermediate world, and F_{2,i} the corresponding event in the ideal world. We bound the distinguishing advantage using the statistical distance between the distributions of these events.
Let q_d^i be the number of decryption queries with the same tweak T_i prior to the i-th query, and q_f^i the number of successful forgeries with the same tweak prior to the i-th query.

Distinguishing the Intermediate and Real Worlds
The forgery bias in the real and intermediate worlds is the same.Thus, the adversary can only distinguish the two worlds if bad1 or bad2 occur.Otherwise, the two worlds are indistinguishable.

Winning Condition:
We restrict the game to the case where the game terminates if any of the bad events bad1 or bad2 occur.This can only increase the adversary's advantage.
From this description, we know from [Sho04, Lemma 1] that the advantage of distinguishing the real and intermediate worlds is bounded by the probability that bad1 or bad2 is set.
bad1a: For a given query Enc(T_i, M_i), there are at most (µ − 1) previous queries with the same T_i. Thus, the probability of the event is bounded accordingly (Equation 2).
bad1b: Let the i-th encryption query be (T_i, M_i), c_i = |M_i| + λ, and q_d^i the number of decryption queries made before the i-th encryption query with the same tweak T_i and ciphertext length c_i. Let E_i be the event that bad1b is set in the i-th encryption query, and nE_i the event that bad1b is not set in any of the first i − 1 encryption queries. Given that the game terminates if bad1b is set, the probability that bad1b is set in any encryption query is bounded as in Equation 3; the last inequality follows from the worst case, in which all the encryption queries are performed after all the decryption queries and each tweak appears in at most µ encryption queries.
bad2: For any decryption query with tweak T_j, there are at most µ encryption queries with the same tweak. Let q_d^j be the number of decryption queries with tweak T_j before the j-th decryption query and q_f^j the number of such queries that did not output ⊥. In the oracle description, n_{T_j,c} is the number of encryption calls that use the same tweak T_j. The probability that bad2 is set in the j-th decryption query in the intermediate world is the probability that the conditions on lines 8 and 10 of Algorithm 2 are satisfied. Let D_j be the event that bad2 is set in the j-th decryption query, and nD_j the event that bad2 is not set in the first j − 1 decryption queries; then, given that the game terminates if bad2 is set, the probability that bad2 is set during the first q_d decryption queries follows (Equation 4). The overall bound follows from Equations 1, 2, 3 and 4.
This result gives the first ingredient for building schemes with IND-CCA security with a fixed stretch: set a minimum plaintext length. However, we have to be careful when using this result. One tempting approach to bound the IND-CCA security is to first bound the PRI security, then rely on Theorem 2 to get the final bound. However, this approach may lead to loose bounds. In the IND-CCA game, we allow the decryption oracle to be as weak as the scheme itself. This means that forged messages may exhibit non-random patterns in the real world without the scheme being considered insecure. By making the transition to PRI first, however, we penalize the scheme for potentially having such non-random patterns in forged messages. Thus, for a given scheme, it is still useful to perform a dedicated IND-CCA analysis.

Matching Attack on the Minimum Plaintext Length
The result of Theorem 2 presents somewhat bad news for instantiating AEAD in general, since the standard AEAD syntax allows messages to be short, and even empty strings. In this section, we show that, unfortunately, this dependence on the minimum plaintext length is tight, by giving a nonce-respecting adversary that breaks IND-CCA security with O(2^{s+λ}) queries.
Theorem 3. For any AEAD scheme Π with plaintext domain {0,1}^{s+} and a fixed stretch λ, there is a nonce-respecting IND-CCA adversary A whose advantage becomes constant after q_d = O(2^{s+λ}) decryption oracle queries. In the special case where the plaintext space is {0,1}^*, which includes the empty string, O(2^λ) decryption queries suffice.
Proof. We construct an adversary A as described in the numbered steps given later in this document. A repeats this attack q_d times, with a different T_w each time. In the real world, the condition in step 4 can never occur: C′ is either already the image of a plaintext different from M or has been rejected, so Enc(T_w, M) cannot return it. In the ideal world, since C is a uniformly random string of length s + λ independent of C′, the condition holds with probability 2^{−(s+λ)} in each repetition.

Insufficiency of MRAE security
An MRAE scheme is a scheme that allows the adversary to repeat the nonce while maintaining AEAD security. If the nonce is treated as a constant, the scheme becomes a DAE scheme. While [RS06] showed that a DAE scheme and a PRI are indistinguishable, PRIs can be quite expensive, and DAE/MRAE security can be achieved using cheaper methods. In this section, we give a few examples of schemes that achieve MRAE security while admitting IND-CCA attacks with 2^λ queries.

Generalized nonce-based synthetic IV schemes
In this section, we study the SIV structure in different variations, and generalize it to be nonce-based.This generalization is not new, as it was proposed in [PS16] and used in the SCT and Romulus-M [IKMP20] modes.We start by defining nonce-IV-based encryption, then consider the different instances.
Note that the definition of IND-CCA security here differs from the definition of sTPRP security: sTPRP security compares a scheme to a family of random permutations, while IND-CCA compares it to a random oracle. Besides, sTPRP security assumes that, in the ideal world, the decryption oracle is ideal and outputs random strings (up to being a permutation), while IND-CCA security, as defined above, assumes the decryption oracle is always real and can have weaknesses.
[Algorithm 3 (algorithmic description of the nSIV scheme) is not reproduced here; only the tail of its decryption routine survives: return M if the tag check passes, else return ⊥.]
Matching attacks on nSIV with IND-CCA-insecure encryption. nSIV achieves MRAE security even if the underlying encryption scheme is not IND-CCA secure. An interesting question is whether nSIV can achieve IND-CCA security beyond the tag length. This is also motivated by the results of [Kha22] and [HII+22], which show that online AE cannot achieve such security. We now show that if the underlying encryption scheme of nSIV is not IND-CCA secure, then nSIV cannot achieve the required security level. We discuss two examples. First, we attack SIV from [RS06] where Ẽ is online. Second, we discuss how to apply this attack to SIV when Ẽ is a stream-cipher-like encryption scheme, e.g., counter mode. In Section 5, we discuss a scheme recently proposed at CRYPTO 2022, namely UIV [DK22], and apply a variant of the second attack to it.
Definition 6. Let e be a nonce-IV-based encryption scheme. We say e is online if there exists n ∈ Z^+ such that e satisfies, for two queries C = e.E_K^N(IV, M) and C
Theorem 4. Let nSIV[f, e] be the AEAD scheme depicted in Figure 1. There is an IND-CCA adversary A against nSIV[f, e] that makes 1 encryption query and q_d decryption queries such that
4. If M′ = ⊥, A repeats steps 2 and 3.
After each decryption query, the probability that step 5 gets executed is 1/2^λ. After q_d decryption queries, the probability that A executes step 5 is lower bounded by 0.5·q_d/2^λ. If step 5 gets executed in the real world, the condition is always satisfied, while in the ideal world it is satisfied with probability 1/2^n.
The adversary described above breaks the IND-CCA game with about 2^λ decryption queries. However, if e is a stream-cipher-like encryption scheme, such as the one in Figure 2, the adversary can be adapted to act as a decryption oracle. The adversary receives a ciphertext corresponding to an unknown message. Then, it performs steps 2-4 with n = 0. Once it gets M′ ≠ ⊥, it decrypts M = M′ ⊕ C′ ⊕ C. This attack also gives a matching attack on the Encode-then-Encipher scheme based on UIV proposed in [DK22].
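To make the stream-cipher variant concrete, the following is an added, runnable toy (example code written for this page, not code from the paper or from any SIV implementation). Here f is an HMAC-SHA256-based PRF truncated to a λ = 8-bit tag, e is counter mode whose keystream depends only on (N, IV), and the adversary, given (T, C) for an unknown M, keeps the tag fixed, submits random C′ ≠ C until one is accepted, and recovers M = M′ ⊕ C′ ⊕ C. The choice of PRFs, the key values and λ = 8 are assumptions made so that the 2^λ-query attack finishes instantly; the attack logic is the one described in the paragraph above.

```python
import hashlib
import hmac
import random

LAM_BITS = 8                      # tag length lambda; assumed short for the demo


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(k2, n, iv, length):
    """Counter-mode keystream: depends only on (N, IV), never on the ciphertext."""
    out, ctr = b"", 0
    while len(out) < length:
        out += _prf(k2, n + iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


class ToyNSIV:
    """nSIV[f, e] with f = truncated HMAC (synthetic IV = tag) and e = CTR mode.
    Toy construction for this example, not the paper's Algorithm 3."""

    def __init__(self, k1, k2):
        self.k1, self.k2 = k1, k2

    def tag(self, n, a, m):
        return _prf(self.k1, n + a + m)[: LAM_BITS // 8]

    def enc(self, n, a, m):
        t = self.tag(n, a, m)
        return t, _xor(m, _keystream(self.k2, n, t, len(m)))

    def dec(self, n, a, t, c):
        m = _xor(c, _keystream(self.k2, n, t, len(c)))
        return m if hmac.compare_digest(self.tag(n, a, m), t) else None


def cca_decrypt(dec, n, a, t, c, rng, max_queries=2 ** (LAM_BITS + 4)):
    """IND-CCA adversary acting as a decryption oracle (steps 2-4 with n = 0):
    with T fixed the keystream KS is fixed, so any accepted forgery C' reveals
    KS = M' xor C' and hence M = M' xor C' xor C.  Each query is accepted with
    probability about 2^-lambda.  Returns (plaintext, decryption queries used)."""
    queries = 0
    while queries < max_queries:
        cp = bytes(rng.getrandbits(8) for _ in range(len(c)))
        if cp == c:                    # forwarding the challenge is not allowed
            continue
        queries += 1
        mp = dec(n, a, t, cp)
        if mp is not None:
            return _xor(_xor(mp, cp), c), queries
    raise RuntimeError("no forgery found within the query budget")


def demo(seed=1):
    """Encrypt a constructed secret, then recover it using decryption queries only."""
    rng = random.Random(seed)
    scheme = ToyNSIV(k1=b"\x01" * 32, k2=b"\x02" * 32)       # constructed keys
    n, a = b"nonce-0001", b"header"
    secret = bytes(rng.getrandbits(8) for _ in range(16))    # constructed plaintext
    t, c = scheme.enc(n, a, secret)
    recovered, queries = cca_decrypt(scheme.dec, n, a, t, c, rng)
    return recovered == secret, queries


if __name__ == "__main__":
    ok, q = demo()
    print(f"recovered={ok} after {q} decryption queries (about 2**{LAM_BITS} expected)")
```

The point the toy makes visible is that the MRAE tag check is the only thing standing between the adversary and the keystream: because the IV (the tag) selects the keystream and the adversary is free to keep it fixed, a single accepted forgery among roughly 2^λ attempts leaks KS in full, and with it every ciphertext encrypted under that (N, T).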
We study matching attacks on plain AEAD schemes proposed in [DK22] in Section 5.

Matching Attacks on Rugged PRPs
In CRYPTO 2022, Degabriele and Karadžić [DK22] proposed the concept of rugged PRPs as a new security notion that helps achieve some of the security goals required from an Encode-then-Encipher scheme without the underlying enciphering scheme being a strong TPRP, a problem similar to the one we study. They proposed an underlying encryption scheme called UIV and two AEAD modes based on it. The first is the normal Encode-then-Encipher scheme. The second is an Encode-then-Decipher scheme, where the AEAD encryption uses the decryption algorithm of the underlying encryption scheme and vice versa. In the former case, the redundancy bits can be set to a constant, while in the latter case, the redundancy bits are set by hashing Ẽ^{N,A}
In the real world, this happens with probability 1, while in the ideal world it happens with probability 2^{−2λ}. A makes only two encryption queries and runs in roughly the time it needs to find the hash collision. For a practical hash function, the collision can be found with high probability after about 2^{λ/2} hash attempts.
Strengthened Encode-then-Decipher from UIV. In Figure 3 (d), we envision a slightly strengthened version, where the nonce is also included as an input to f. This prevents the previous attack. However, we show that while this makes the attack qualitatively harder, it does not affect the security level. We consider an adversary B that operates as follows:
1. B finds a collision H(N, A_1, M_1) = H(N, A_2, M_2).
2. B asks for the encryption query (T_1, C_1) = Enc(N, A_1, M_1).

B asks for the decryption query M′ = Dec(N, A_2, T_$, C_2).
Description of the oracles in Algorithm 1. The oracles of the PRI are the oracles of Algorithm 1 including the highlighted lines. They are based on the PRI oracles proposed in [RS06, Theorem 7], and are an implementation of a random injection with the desired domain and range using lazy sampling. The first oracle, Enc, selects a valid image for the injection with tweak T_w and input M. For each tweak T_w and ciphertext length c, it maintains a list V_{T_w,c} of queried inputs. The second oracle, Dec, simulates a decryption function. It determines the list of valid ciphertexts and the list of valid plaintexts. Valid ciphertexts are ciphertexts that have not been generated by an Enc query and have not been queried to Dec. Valid plaintexts are plaintexts that have not been queried to Enc and have not been generated by Dec, and are not equal to ⊥. The Dec oracle then flips a biased coin with bias |M_e|/|C_e|, based on the sizes of these two lists, and decides whether the forgery is valid or not. If the forgery is valid, it samples a valid plaintext and assigns it as the corresponding preimage. If not, it outputs ⊥ and adds the queried ciphertext to the list of invalid ciphertexts.
The Ideal-World Oracles: From the definition of IND-CCA security, the decryption oracle must be exactly the same. Thus, the only modifications are in the Enc oracle: it samples random ciphertexts and does not update the lists of valid inputs and outputs.
[Algorithm 1 (PRI and ideal-world oracles) is not reproduced here; only its initialization survives: L_c = {|C| : C ∈ {0,1}^{(s+λ)+}}; for each (T_w, c) ∈ T × L_c, the lists M_{T_w,c}, C_{T_w,c} and O_{T_w,c} are set to ∅; and bad1, bad2, badF ← false.]

Adversary A for Theorem 3:
2. A selects a random tweak T_w and asks for the decryption Dec(T_w, C′) ⇒ M′.
3. A selects a random message M such that |M| = s and M ≠ M′, and asks for the encryption Enc(T_w, M) ⇒ C.
4. A terminates and returns 1 if C = C′.
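As an added, runnable illustration of both the lazily sampled PRI oracles of Algorithm 1 (described in the section on CCA security of PRIs and in the oracle description in this document) and the matching attack of Theorem 3 (this is example code written for this page, not code from the paper): the first class implements the real-world oracles (Enc resamples on a collision with an assigned or rejected point; Dec flips the biased coin with bias |M_e|/|C_e| and lazily assigns a preimage on success), the second keeps the same Dec but answers Enc with fresh random strings, and the adversary runs steps 2 to 4 above with a fresh tweak per repetition. Step 1, which the page does not show, is taken here to be "A samples a uniformly random C′ of length s + λ"; that choice and the toy parameters s = 2, λ = 3 are assumptions.

```python
import random


class LazyRandomInjection:
    """Real-world PRI oracles of Algorithm 1: a tweakable fixed-stretch random
    injection sampled lazily.  For each tweak tw and ciphertext length c it maps
    {0,1}^(c - lam) injectively into {0,1}^c.  A bit-string of length n is
    represented as the pair (n, value) with 0 <= value < 2**n."""

    def __init__(self, s, lam, rng):
        self.s, self.lam, self.rng = s, lam, rng
        self.fwd = {}   # (tw, c) -> {plaintext value: ciphertext value}
        self.inv = {}   # (tw, c) -> {ciphertext value: plaintext value}
        self.rej = {}   # (tw, c) -> ciphertext values already rejected by Dec

    def _tables(self, tw, c):
        k = (tw, c)
        return (self.fwd.setdefault(k, {}), self.inv.setdefault(k, {}),
                self.rej.setdefault(k, set()))

    def enc(self, tw, m):
        n, mv = m
        assert n >= self.s, "plaintext shorter than the minimum length s"
        c = n + self.lam
        fwd, inv, rej = self._tables(tw, c)
        if mv in fwd:                      # repeated query: same image
            return (c, fwd[mv])
        while True:                        # corrective step: resample on bad1
            ct = self.rng.randrange(2 ** c)
            if ct not in inv and ct not in rej:
                break
        fwd[mv], inv[ct] = ct, mv
        return (c, ct)

    def dec(self, tw, cpair):
        c, ct = cpair
        if c < self.s + self.lam:
            return None                    # no plaintext of that length exists
        fwd, inv, rej = self._tables(tw, c)
        if ct in inv:
            return (c - self.lam, inv[ct])
        if ct in rej:
            return None
        # |M_e| unassigned plaintexts are still to be placed among the |C_e|
        # ciphertexts neither assigned nor rejected: ct is an image w.p. |M_e|/|C_e|
        m_e = 2 ** (c - self.lam) - len(fwd)
        c_e = 2 ** c - len(inv) - len(rej)
        if self.rng.random() < m_e / c_e:
            while True:                    # sample a still-unassigned preimage
                mv = self.rng.randrange(2 ** (c - self.lam))
                if mv not in fwd:
                    break
            fwd[mv], inv[ct] = ct, mv
            return (c - self.lam, mv)
        rej.add(ct)
        return None


class IdealWorld:
    """Ideal-world oracles: Dec is the real Dec, while Enc returns a fresh random
    string of length |M| + lam and records nothing (so bad2 becomes possible)."""

    def __init__(self, s, lam, rng):
        self.real, self.rng, self.lam = LazyRandomInjection(s, lam, rng), rng, lam

    def enc(self, tw, m):
        return (m[0] + self.lam, self.rng.randrange(2 ** (m[0] + self.lam)))

    def dec(self, tw, cpair):
        return self.real.dec(tw, cpair)


def theorem3_adversary(world, s, lam, q_d, rng):
    """Nonce-respecting distinguisher of Theorem 3; returns 1 for 'ideal'.
    Requires s >= 1 so that step 3 can always pick M != M'."""
    for tw in range(q_d):                                 # fresh tweak each time
        cp = (s + lam, rng.randrange(2 ** (s + lam)))    # step 1 (assumed)
        mp = world.dec(tw, cp)                            # step 2
        while True:                                       # step 3
            m = (s, rng.randrange(2 ** s))
            if m != mp:
                break
        if world.enc(tw, m) == cp:                        # step 4
            return 1
    return 0


def estimate_advantage(s=2, lam=3, q_d=32, trials=200, seed=7):
    """Fraction of trials in which A outputs 1 in the real and in the ideal world."""
    rng = random.Random(seed)
    real = sum(theorem3_adversary(LazyRandomInjection(s, lam, rng), s, lam, q_d, rng)
               for _ in range(trials))
    ideal = sum(theorem3_adversary(IdealWorld(s, lam, rng), s, lam, q_d, rng)
                for _ in range(trials))
    return real / trials, ideal / trials


def injection_consistency_check(s=2, lam=3, seed=1):
    """The lazy injection is deterministic, injective and invertible on queried points."""
    pri = LazyRandomInjection(s, lam, random.Random(seed))
    c1, c2 = pri.enc("tw", (s, 1)), pri.enc("tw", (s, 2))
    return (c1 != c2 and pri.enc("tw", (s, 1)) == c1
            and pri.dec("tw", c1) == (s, 1) and pri.dec("tw", c2) == (s, 2))


if __name__ == "__main__":
    print(estimate_advantage())   # real world never fires; ideal world fires with
                                  # probability about 1 - (1 - 2**-(s+lam))**q_d
```

With s + λ = 5 the ideal world is caught in roughly 64% of runs after 32 decryption queries, while the real world is never caught, which is the q_d/2^{s+λ} behaviour the theorem describes; raising s or λ by one bit halves the per-query hit probability.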

Definition 3. A nonce-IV-based encryption scheme is a tuple Π = (K, E, D), where E : K×N×A×IV×{0,1}^{s+} → IV×{0,1}^{s+} is a keyed encryption function with key space K, plaintext/ciphertext space {0,1}^{s+}, nonce space N, header space A and IV space IV, and D : K×N×A×IV×{0,1}^{s+} → IV×{0,1}^{s+} is its decryption function. E(K, N, A, ·, ·) is a permutation over its fourth and fifth inputs, and D(K, N, A, E(K, N, A, IV, M)) = (IV, M).
Definition 4. Let Π = (K, E, D) be a nonce-IV-based encryption scheme and let A be an IND-CCA adversary against Π. In the real world, A interacts with E_K and D_K, while in the ideal world it interacts with $ and D_K, where $ behaves as E_K except that it replaces the ciphertext generated in each encryption query by a random string of the same length. Let Adv^{ind-cca}_Π(A) denote the IND-CCA advantage of Π against A. It is defined as the gap between the probabilities that A returns 1 in the real world and in the ideal world.

Figure 1: The nSIV scheme with an online encryption scheme

Table 1 sums up the real and ideal oracles corresponding to four prominent security notions. IND-CPA refers to indistinguishability against chosen-plaintext adversaries, while IND-CCA refers to indistinguishability against chosen-ciphertext adversaries. INT-CTXT refers to integrity of ciphertexts (regardless of confidentiality) and AEAD refers to a unified security notion covering both IND-CPA and INT-CTXT. We are mainly interested in IND-CCA security, which captures confidentiality even when the decryption oracle is always real and can occasionally be forged.

Table 1: The real-world and ideal-world oracles corresponding to different AEAD security notions