How to Securely Release Unverified Plaintext in Authenticated Encryption

Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, Kan Yasuda

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle, without the secret key. Releasing unverified plaintext to the attacker then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are compared with conventional definitions, and are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes.
Original language: English
Title of host publication: Advances in Cryptology – ASIACRYPT 2014: Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security - Part I
Editors: Palash Sarkar, Tetsu Iwata
Publisher: Springer
Publication date: 2014
Pages: 105-125
ISBN (Print): 978-3-662-4561
ISBN (Electronic): 8-3-662-45611-8
Publication status: Published - 2014
Event: 20th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2014) - Kaohsiung, Taiwan, Province of China
Duration: 7 Dec 2014 to 11 Dec 2014
Conference number: 20
http://des.cse.nsysu.edu.tw/asiacrypt2014/

Series: Lecture Notes in Computer Science
Number: 8873
ISSN: 0302-9743