Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

Abstract. Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separated access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security and RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE in terms of efficiency and optimality.


Introduction
The rise of the Internet of Things comes with high demands on and constrictive conditions for cryptographic schemes. Such constraints may come in various types, as these small interconnected devices may have to operate with low power, low area, low memory, or otherwise. Lightweight cryptography is about developing cryptographic solutions for such constrained environments, and partly ignited by the upcoming NIST lightweight competition [Nat18], the field is gaining momentum. Specifically, in recent years, various lightweight

SUNDAE and Its RUP Security
Banik et al. [BBLT18] introduced SUNDAE as a deterministic authenticated encryption scheme [RS06]. It is a block cipher based construction that is developed to meet several of the constraints put forward by the applications of lightweight cryptography. More specifically, SUNDAE internally uses an $n$-bit block cipher. It has an $n$-bit state, and makes $a + 2m + 1$ block cipher calls for the authenticated encryption of associated data of $a$ blocks and a message of $m$ blocks. Banik et al. proved that SUNDAE achieves confidentiality and authenticity up to attack complexity around $2^{n/2}$. We discuss the SUNDAE mode in detail in Section 4.
Despite its recent introduction, SUNDAE found quick adoption. It serves as the mode in no less than five authenticated encryption schemes submitted to the NIST Lightweight Cryptography Standardization Process: ESTATE [CDJ+19], SIV-Rijndael256 [BGIS19a], SIV-TEM-PHOTON [BGIS19b], SUNDAE-GIFT [BBP+19], and TRIFLE [DGM+19]. SUNDAE is particularly efficient for short messages, it has a state size as small as the block size of the underlying cipher, and it offers good implementation characteristics both on lightweight and high-performance platforms. One of the properties of the SUNDAE mode is that it "provides maximal robustness to a lack of proper randomness or secure state" [BBLT18]. This is achieved by making SUNDAE deterministic, i.e., not depending on a nonce for security. In the context of lightweight cryptography, this property of SUNDAE is particularly important, as the mode may be run in environments with extremely limited state to store a counter, or it may be run in an environment that has no access to an entropy source to generate a random nonce.
The developers of SUNDAE stated that for their construction, "unverified plaintext from the decryption algorithm should not be released." This is somewhat in contradiction with the claimed "maximal robustness to a lack of [...] secure state." We resolve this ambivalence by demonstrating that SUNDAE is not RUP secure (Section 4.2). The attack is quite simple: in an authenticated encryption evaluation of SUNDAE, the tag simply equals the state after data absorption. In an unverified decryption evaluation, an adversary A may set the tag to an arbitrary value and learn the encryption of this value. This allows it to "reconstruct" a verification evaluation by itself, and to produce a forgery. Admittedly, Banik et al. explicitly mentioned that unverified plaintext should not be released, and our RUP forgery does not invalidate SUNDAE's security claims.

ANYDAE: Salvaging SUNDAE in the RUP Setting
Motivated by our attack on SUNDAE, we investigate the possibilities to improve SUNDAE to achieve RUP security. To do this, we present a generalization of SUNDAE, dubbed ANYDAE, in Section 5. Like SUNDAE, ANYDAE consists of a sequential evaluation of an $n$-bit block cipher, but it is interlaced with evaluations of arbitrary mixing functions. We derive sufficient conditions on these mixing functions in order for ANYDAE to be secure in the new AERUP security model (Section 5.2). The level of security that is achieved is the same as that of SUNDAE, up to a constant.
ANYDAE is thus AERUP secure under certain modest assumptions on the mixing functions. The proof sees the notion of AERUP security in action: it consists of describing a proper simulator, and bounding the distance between E, D, and V on the one hand and the random function, the simulator, and the rejection function on the other hand. This bounding, in turn, is performed using the H-coefficient technique [Pat08, CS14].
Finally, we map the result to two simple instantiations. The first instantiation is MONDAE (Section 5.3). MONDAE resolves the issue of RUP security in SUNDAE quite elegantly: it simply fixes one bit of the state after generation of the tag to 1. This is a modest change, efficiency-wise, to achieve stronger security. The second instantiation is TUESDAE (Section 5.4). TUESDAE is designed to be optimal in the number of block cipher invocations for most of its inputs. For example, for associated data of $a$ blocks and a message of $m$ blocks, with $a + m > 1$, TUESDAE makes exactly $a + 2m$ block cipher invocations [CDN18] and works well with an $n = 128$-bit block cipher.

Related Work
We recall that the goal of the SUNDAE developers was to investigate what minimality limits can be met by using a block cipher. ANYDAE, likewise, centers around the same problem. As block ciphers are still widely used, this is a valid question to consider.
An alternative approach to design an authenticated encryption scheme is by using a cryptographic permutation in a keyed duplex mode [BDPV11, MRV15, DMV17]. The state of the art shows that a keyed duplex with a $b$-bit permutation can absorb (de facto, authenticate) data at $b$ bits per permutation call and squeeze (de facto, encrypt) data at $b - 2s$ bits per permutation call, where $s$ is the targeted security level. We remark that for a block cipher, the state size is $k + n$ bits, where $k$ is the key size and $n$ the block size.
One can see SUNDAE and ANYDAE as variants of the keyed duplex in the following way: (i) instead of a cryptographic permutation, a keyed block cipher is used, and (ii) due to the secrecy of this primitive, full-block squeezing is possible. The differences in domain separation and state mixing are minor. From this point of view, one may dispute the use of a block cipher in SUNDAE and MONDAE: after all, a block cipher is designed to be efficient both in the forward and the inverse direction, but it is only evaluated in the forward direction. The schemes may be sped up by using cryptographic primitives that are specifically developed to be efficient in the forward direction.

Preliminaries
For any finite set $\mathcal{X}$, we denote by $X \xleftarrow{\$} \mathcal{X}$ the random selection of an element $X$ from $\mathcal{X}$. Let $m, n \in \mathbb{N}$. We let $\mathcal{X}^n$ denote the set of $n$-tuples of $\mathcal{X}$, and $\mathcal{X}^*$ denotes the set $\cup_{i \ge 1} \mathcal{X}^i$. Using this notation, we let $\{0,1\}^n$ denote the set of $n$-bit strings, $\{0,1\}^{\le n}$ the set of bit strings of length at most $n$ bits, and $\{0,1\}^*$ the set of arbitrary-length strings. We denote by $|X|$ the bit length of $X$. The empty string is denoted by $\varepsilon$. We often refer to an $n$-bit binary string as a block. We write $X[1 \ldots]$ to denote the sequence $X$

We denote by $\mathsf{F}(n)$ (resp., $\mathsf{P}(n)$) the set of all $n$-bit functions (resp., permutations). We denote by $\mathsf{F}(*, n)$ the set of all functions that on input of a value $M \in \{0,1\}^*$ output a value of size $|M| + n$ bits. Note that any such function can be defined by lazy sampling, and, overloading notation, by $\$ \xleftarrow{\$} \mathsf{F}(*, n)$ we denote the event of defining a function $\$$ that for every fresh input $M \in \{0,1\}^*$ returns a random bit string of length $|M| + n$.
If $m \le n$, for $X \in \{0,1\}^n$ we denote by X m (resp., X m) the $m$ left-most (resp., right-most) bits of $X$. We let $\mathrm{pad}_n : \{0,1\}^{\le n} \to \{0,1\}^n$ be the function that takes as input a bit string $X$ of size at most $n$ bits, and transforms it into a string of size $n$ bits as follows:

We define the function $\mathrm{fix}_1 : \{0,1\}^n \to \{0,1\}^n$ that fixes the rightmost bit of its input to 1: (1)

The function $\mathrm{fix}_{10} : \{0,1\}^n \to \{0,1\}^n$ likewise fixes the rightmost two bits of its input to 10. For a function $f$, we denote its range by $\mathrm{range}(f)$. The expression "$a\ ?\ b : c$" equals $b$ if $a$ holds and $c$ if $a$ does not hold. Let $\mathrm{GF}(2^n)$ be the finite field of order $2^n$. Let

It can likewise be represented by an integer in $\{0, \ldots, 2^n - 1\}$, by evaluating the polynomial $a$ at $x = 2$. For two elements $a, b \in \{0,1\}^n$, addition $a \oplus b$ is defined as addition of their polynomials, $a(x) + b(x) \in \mathrm{GF}(2^n)$, and multiplication $a \otimes b$ is defined with respect to the irreducible polynomial $f$

An adversary $A$ is a probabilistic algorithm. By $A^{\mathcal{O}} \to 1$ we denote that $A$ has query access to its oracle $\mathcal{O}$, and after its communication outputs 1. Note that the oracle $\mathcal{O}$ itself may be defined by a list of oracles.

Block Ciphers
Let $k, n \in \mathbb{N}$. A block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is a function that takes as input a key $K \in \{0,1\}^k$ and a message block $X \in \{0,1\}^n$ and transforms it into a ciphertext $Y \in \{0,1\}^n$. We write $E_K(X) = E(K, X)$. The transformation is bijective, i.e., for fixed key $K$ the function $E_K$ is invertible; however, we will not be concerned with inverse evaluations of $E$. As such, the security of block ciphers is measured by their PRP (pseudorandom permutation) security.

Definition 1. Let $k, n \in \mathbb{N}$, and let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. The PRP security of $E$ against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $A$.

Differential-Uniform and Regular Functions
Let $n \in \mathbb{N}$ and let $\mathcal{T}$ be a (possibly empty) finite set. We describe the concepts of differential-uniformity and regularity of a function $\rho : \{0,$

Based on Definition 3, we obtain the following corollary.

Patarin's H-Coefficient Technique
Consider a computationally unbounded deterministic adaptive adversary $A$ that interacts with either a real oracle $\mathcal{O}_{\mathrm{re}}$ or an ideal oracle $\mathcal{O}_{\mathrm{id}}$. After its interaction, $A$ outputs a decision bit. The collection of all queries and responses obtained by $A$ during its interaction with its oracle is summarized in a transcript $\tau$. This transcript may, in addition, contain information about the random oracle that is revealed to the adversary after its interaction but before it outputs its decision bit. This is without loss of generality: the adversary gains more knowledge and hence more distinguishing power.
Let $X_{\mathrm{re}}$ and $X_{\mathrm{id}}$ be the random variables that take a transcript $\tau$ induced by the real and the ideal world, respectively. The probability of realizing a transcript $\tau$ in the ideal world (i.e., $\Pr(X_{\mathrm{id}} = \tau)$) is called the ideal interpolation probability, and the probability of realizing it in the real world is called the real interpolation probability. A transcript $\tau$ is said to be attainable if the ideal interpolation probability is nonzero. We denote the set of all attainable transcripts by $\Theta$. Following these notations, we state the main theorem of the H-coefficient technique as follows [Pat08, CS14].

Theorem 1 (H-coefficient technique).
Let $A$ be a fixed computationally unbounded deterministic adversary that has access to either the real oracle $\mathcal{O}_{\mathrm{re}}$ or the ideal oracle $\mathcal{O}_{\mathrm{id}}$. Let $\Theta = \Theta_g \cup \Theta_b$ be some partition of the set of all attainable transcripts into good and bad transcripts. Suppose there exists $\varepsilon_{\mathrm{ratio}} \ge 0$ such that for any $\tau \in \Theta_g$, and there exists $\varepsilon_{\mathrm{bad}} \ge 0$ such that $\Pr(X_{\mathrm{id}} \in \Theta_b) \le \varepsilon_{\mathrm{bad}}$. Then, (3)

Authenticated Encryption
We consider deterministic authenticated encryption in the context of potential release of unverified plaintext (RUP). Following Andreeva et al. [ABL+14], we separate the decryption algorithm into plaintext computation and tag verification. Formally, let $k, t \in \mathbb{N}$. An authenticated encryption scheme AE is a family of algorithms (E, D, V) where

Here

Conventional Security Models
Conventionally, an authenticated encryption scheme should offer confidentiality, meaning that its ciphertexts are computationally indistinguishable from random, and integrity, meaning that its tags are unforgeable. For confidentiality, we stay with the standard security model that measures the adversarial power to distinguish $E_K$ for random key

Definition 4. Let AE = (E, D, V) be an authenticated encryption scheme. The CONF security of AE against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $A$.
For integrity, the adversary is given access to $E_K$ for random key $K \xleftarrow{\$} \{0,1\}^k$, and it additionally gets access to the verification oracle $V_K$; it succeeds if it manages to find a forgery for $V_K$, i.e., if the oracle ever returns $\top$ on input of some query $(A, T, C)$ that was not the result of an earlier encryption query.
Definition 5. Let AE = (E, D, V) be an authenticated encryption scheme. The INT security of AE against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $A$. The event "forges" happens if $V_K$ ever returns $\top$ on some query $(A, T, C)$, and $(A, T, C)$ is not the result of an earlier encryption query (formally, there is no $M$ such that an encryption call $(A, M)$ resulted in $(T, C)$).
Typically, we combine the above two security notions of an authenticated encryption scheme into a unified one, defined as follows.

Definition 6. Let AE = (E, D, V) be an authenticated encryption scheme. The AE security of AE against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $A$, and where $\bot$ is an oracle that rejects on every input.
The well-established result about the security of an authenticated encryption scheme is the following, which we take from Rogaway and Shrimpton [RS06, Propositions 8 and 9].

Proposition 1. Let AE = (E, D, V) be an authenticated encryption scheme. For any adversaries $A_1$ with query complexity $q_1$, $A_2$ with query complexity $q_2$ (total query complexity of encryption and verification oracle), and $A_3$ with query complexity $q_3$ (total query complexity of encryption and verification oracle), where $B_1$, $B_2$, $B_3$, and $B_4$ are some adversaries with query complexities $q_1$, $q_2$, $q_3$, and $q_3$, respectively.
Note that, although Proposition 1 is taken from [RS06], the security definitions and notations there are different. Nevertheless, the translation to our definitions is straightforward, with the following differences. For proving the first inequality, $B_1$ runs $A_1$ and answers $A_1$'s queries through its own oracle, i.e., either through $E_K$ or $\$$. For the second inequality, $B_2$ runs $A_2$ and answers its encryption queries either through $E_K$ or $\$$, and it answers its forging attempt either through $V_K$ or $\bot$. The third inequality holds in the same way.

RUP Security Model
Andreeva et al. [ABL+14] proposed two versions of confidentiality in the RUP setting: plaintext awareness 1 (PA1) and plaintext awareness 2 (PA2). In both models, the real world consists of both $E_K$ and $D_K$ for random $K \xleftarrow{\$} \{0,1\}^k$. In the ideal world, the decryption algorithm is replaced by a simulator $S$ that mimics the outputs of $D_K$. In PA1, the simulator has insight into the queries that the adversary made to $E_K$, whereas in PA2, it has no insight into these queries (and, of course, the adversary is not allowed to make trivial queries). We will consider PA1 security, where the simulator has insight into the queries that the adversary makes to $E_K$.

Definition 7. Let AE = (E, D, V) be an authenticated encryption scheme. Let $S$ be a simulator. The PA1 security of AE against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $S$ and $A$.
We consider integrity in the RUP setting, which differs from the conventional notion of integrity in the fact that the adversary has access to the plaintext computation algorithm D, and can use its outputs to improve its advantage in forging a tag. The notion is taken from Andreeva et al. [ABL+14].

Definition 8. Let AE = (E, D, V) be an authenticated encryption scheme. The INT-RUP security of AE against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $A$. The event "forges" happens if $V_K$ ever returns $\top$ on some query $(A, T, C)$, and $(A, T, C)$ is not the result of an earlier encryption query (formally, there is no $M$ such that an encryption call $(A, M)$ resulted in $(T, C)$).

Generalized AERUP Security
In this section, we define an indistinguishability framework for AE security in the release of unverified plaintext setting, dubbed AERUP. The new model, in itself, basically combines RUP confidentiality (i.e., PA1) and integrity (i.e., INT-RUP), in exactly the same way as AE unified CONF and INT (see Definition 6). This way it is a handy model for delivering a RUP security proof in one single go, that is, without delivering multiple different but related security proofs.
As before, the security model considers a distinguisher that has access to one of two worlds, the real or the ideal world. In the real world, it can query the encryption, decryption, and verification oracles of the AE algorithm, $(E_K, D_K, V_K)$, for random key $K \xleftarrow{\$} \{0,1\}^k$. In the ideal world, it has access to a random function $\$ \xleftarrow{\$} \mathsf{F}(*, t)$, a simulator $S$ that has access to the history of encryption queries, and a reject oracle $\bot$.

Definition 9. Let AE = (E, D, V) be an authenticated encryption scheme. Let $S$ be a simulator. The AERUP security of AE against an adversary $A$ is defined as where the randomness is taken over $K \xleftarrow{\$} \{0,1\}^k$ and over the random choices of $S$ and $A$. The adversary is not allowed to relay an earlier response from the first oracle to the third oracle.
Note that, as the simulator has access to the query history that A made to its first oracle, we can safely allow A to relay an earlier response from the first oracle to the second oracle.

Reductions From AERUP
The model of AERUP security is general: if an authenticated encryption scheme AE is AERUP secure, then it is AE secure in terms of Definition 6, PA1 secure in terms of Definition 7, and INT-RUP secure in terms of Definition 8. Stated differently, AE ⇐ AERUP, PA1 ⇐ AERUP, and INT-RUP ⇐ AERUP. The three reductions are given in the three propositions below.
Proposition 2 (AE ⇐ AERUP).Let AE = (E, D, V) be an authenticated encryption scheme.Let S be a simulator.For any adversary A with query complexity q which is the sum of encryption and verification query complexities, where B is some adversary with query complexity q.
Proof.The proof is trivial as the notion of AE is identical to that of AERUP without access to the decryption oracle.Stated differently, B simulates the oracles of A by simply ignoring its second oracle and relaying all other oracle queries.
Note by Propositions 1 and 2, CONF ⇐ AERUP.We will use this observation in the next reduction.
Proposition 3 (PA1 ⇐ AERUP). Let AE = (E, D, V) be an authenticated encryption scheme. Let $S$ be a simulator. For any adversary $A$ that makes $q_e$ encryption queries and $q_d$ decryption queries, where $B_1$ and $B_2$ are some adversaries such that the query complexity of $B_1$ is $q_e + q_d$ and the query complexity of $B_2$ is $q_e$.

Proof. Let $A$ be an adversary, making $q_e$ encryption and $q_d$ decryption queries, that breaks the PA1 security of AE with respect to any simulator $S$ with advantage $\mathrm{PA1}^{S}_{\mathcal{AE}}(A)$. We define an adversary $B_1$ that has the same encryption and decryption query complexity as $A$ and interacts with either $(E_K, D_K, V_K)$ or $(E_K, S, \bot)$: it defines the simulator for $A$ to be that for itself, and relays queries of $A$ to its own oracles in the obvious way (i.e., $B_1$ never queries its third oracle). Adversary $B_2$ with query complexity $q_e$, in turn, only has access to an encryption oracle and simulates a simulator $S$ and the $\bot$-oracle. By definition of $B_1$ and $B_2$, we have

Proposition 4 (INT-RUP ⇐ AERUP). Let AE = (E, D, V) be an authenticated encryption scheme. For any adversary $A$ that makes altogether $q$ encryption, decryption, and verification queries, where $B$ is some adversary with query complexity $q$ that involves encryption, decryption, and verification queries, and $S$ is any simulator.
Proof. Let $A$ be an adversary that breaks the INT-RUP security of AE with advantage $\mathrm{INT\text{-}RUP}_{\mathcal{AE}}(A)$. We define an adversary $B$ against the AERUP security of AE that has the same query complexity as $A$: it relays queries of $A$ to its own oracles in the obvious way, and at the end of the game, it returns 1 if and only if $A$ made a successful verification query. By definition of $B$, we have where (i) follows from the fact that $\Pr(A^{\$, S, \bot} \text{ forges}) = 0$, as the $\bot$ oracle always returns $\bot$.

Reduction To AERUP
Likewise, we can prove that if an authenticated encryption scheme AE is AE secure, PA1 secure, and INT-RUP secure, it is also AERUP secure. Stated differently, AE + PA1 + INT-RUP ⇒ AERUP. We will prove this reduction below. Here, we note that Proposition 1 implies that CONF ⇐ AE.
Proposition 5 (AE + PA1 + INT-RUP ⇒ AERUP). Let AE = (E, D, V) be an authenticated encryption scheme. Let $S$ be a simulator. For any adversary $A$ that makes $q_e$ encryption, $q_d$ decryption, and $q_v$ verification queries, where $B_1$ is an adversary with total query complexity $q_e + q_d + q_v$ that includes encryption, decryption, and verification queries to its own oracles, $B_2$ is an adversary with total query complexity $q_e + q_d$ that includes encryption and decryption queries to its own oracles, and $B_3$ is an adversary with query complexity $q_e$.

Proof. Let $A$ be an adversary that breaks the AERUP security of AE with advantage $\mathrm{AERUP}^{S}_{\mathcal{AE}}(A)$. We define an adversary $B_1$ that has the same query complexity (i.e., $q_e + q_d + q_v$) as $A$ and interacts with a triplet of encryption, decryption, and verification oracles: it relays queries of $A$ to its own oracles in the obvious way. If $A$ does not make any valid verification query to $V_K$, $B_1$'s success is zero; otherwise, $B_1$ forges with the message and tag coming from $A$'s successful verification. Adversary $B_2$, in turn, only has access to a pair of encryption and decryption oracles, and simulates the $\bot$ oracle: it relays encryption and decryption queries of $A$ to its own oracles, and for any verification query of $A$ it always rejects. Finally, $B_2$ returns whatever $A$ returns. We also define adversary $B_3$ that has access to an encryption oracle and simulates a simulator $S$ and the $\bot$-oracle. $B_3$ returns whatever $A$ returns. By definition of $B_1$, $B_2$, and $B_3$, we have where (i) follows from the fact that $\Pr(B_1^{E_K, D_K, \bot} \text{ forges}) = 0$, as the $\bot$ oracle always returns $\bot$.
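As an added worked derivation (it is not one of the paper's displayed equations), the three hybrids that the proof of Proposition 5 describes in words yield the bound through the triangle inequality. Advantage names follow the page (CONF, PA1 with the simulator as superscript, INT-RUP, AERUP), $A^{\mathcal{O}_1, \mathcal{O}_2, \mathcal{O}_3} \to 1$ is the output-1 event from the preliminaries, and $B_1$, $B_2$, $B_3$ are the adversaries constructed in the proof:

```latex
\begin{align*}
\mathrm{AERUP}^{S}_{\mathcal{AE}}(A)
 &= \Big|\Pr\big(A^{E_K,D_K,V_K}\to 1\big) - \Pr\big(A^{\$,S,\bot}\to 1\big)\Big| \\
 &\le \Big|\Pr\big(A^{E_K,D_K,V_K}\to 1\big) - \Pr\big(A^{E_K,D_K,\bot}\to 1\big)\Big|
      && \text{(a) } V_K \text{ vs. } \bot \\
 &\quad + \Big|\Pr\big(A^{E_K,D_K,\bot}\to 1\big) - \Pr\big(A^{E_K,S,\bot}\to 1\big)\Big|
      && \text{(b) } D_K \text{ vs. } S \\
 &\quad + \Big|\Pr\big(A^{E_K,S,\bot}\to 1\big) - \Pr\big(A^{\$,S,\bot}\to 1\big)\Big|
      && \text{(c) } E_K \text{ vs. } \$ \\
 &\le \Big(\Pr\big(B_1^{E_K,D_K,V_K}\ \text{forges}\big) - \Pr\big(B_1^{E_K,D_K,\bot}\ \text{forges}\big)\Big)
      + \mathrm{PA1}^{S}_{\mathcal{AE}}(B_2) + \mathrm{CONF}_{\mathcal{AE}}(B_3) \\
 &\overset{(i)}{=} \mathrm{INT\text{-}RUP}_{\mathcal{AE}}(B_1) + \mathrm{PA1}^{S}_{\mathcal{AE}}(B_2) + \mathrm{CONF}_{\mathcal{AE}}(B_3).
\end{align*}
```

Term (a) is bounded by the event that separates the two worlds: $V_K$ and $\bot$ answer identically until a verification query returns $\top$, and since $B_1$ relays all of $A$'s queries, that event is exactly "$B_1$ forges", whose probability is $\mathrm{INT\text{-}RUP}_{\mathcal{AE}}(B_1)$ by Definition 8 (the subtracted term is the zero probability noted as (i) in the proof). Term (b) is the PA1 advantage of $B_2$ (Definition 7), because $B_2$ answers every verification query of $A$ with $\bot$ itself, and term (c) is the CONF advantage of $B_3$ (Definition 4), because $B_3$ runs $S$ and $\bot$ itself and only its first oracle is either $E_K$ or $\$$.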

Comparison with Existing Notions
The comparison with conventional AE security (Definition 6), as well as the comparison with the standalone definitions of PA1 and INT-RUP security (Definitions 7 and 8), have already been discussed. We compare AERUP security with various standalone authenticated encryption security notions beyond conventional security.
Hoang et al. [HKR15] introduced the notion of robust authenticated encryption, RAE. This notion covers a strong level of security, where the authenticated encryption should withstand attackers that do not respect nonce uniqueness (either there is no nonce or the nonce can be reused). In the RAE security notion, the goal of an adversary is to distinguish an authenticated encryption scheme from a random injective function. It bridges the gap between AE and SPRP security through a ciphertext expansion parameter $\lambda$. Examples of schemes satisfying this notion are AEZ and Encode-then-SPRP [HKR15]. Hoang et al. also considered a variant with decryption leakage, $\mathrm{RAE}_{\mathrm{sim}}$, in which a simulator simulates the decryption leakage without having any access to the query history. Note that this is a stronger model than PA1, where the simulator sees the communication between the adversary and $E_K$. Our model of AERUP security is a variant of $\mathrm{RAE}_{\mathrm{sim}}$ where the simulator has access to the query-response history. In particular, this means that $\mathrm{RAE}_{\mathrm{sim}}$ ⇒ AERUP.
Barwell et al. [BPS15] presented subtle authenticated encryption, SAE. The model is a generalization, basically a refinement, of RAE for nonce-based authenticated encryption, and covers several types of security definitions by varying the decryption oracle choices in the ideal world: it may be $\Gamma_K$ (for some key-dependent leakage) or $\Gamma$ (independent of the key). Note that the latter case implies $\mathrm{RAE}_{\mathrm{sim}}$.
Ashur et al. [ADL17] presented an alternative notion of RUP security, RUPAE. The notion focuses on nonce-based authenticated encryption, and RUPAE combines PA1 and INT-RUP in this setting with the restriction that the ideal-model decryption is simply a random function. Ashur et al. proved GCM-RUP to be secure in the described nonce-based model. For comparison, in our case we are not relying on a nonce, nor are we simplifying the simulator by replacing it with a random function.
Although RAE and RUPAE are stronger than our notion, it appears that these models may only be achieved by an "Encode then SPRP" construction, which is two-pass in both encryption and decryption (where "pass" refers to the number of times a message is sequentially fed to the construction). In contrast, nonce misuse security can be achieved in our relaxed model more efficiently, namely with a scheme whose decryption is single-pass. In summary, AERUP more closely matches the notion of RUP security than RAE, SAE, or RUPAE, in light of the equivalence proven in Sections 3.4 and 3.5. This equivalence also clearly exposes the main goal of the AERUP security model: to have one single security proof representing all different security notions required to hold for a RUP secure authenticated encryption scheme.
We note that Fouque et al. [FJMV03, FMP03] considered (concurrent) block-wise adaptive security of authenticated encryption. In this case, the adversary can see block-wise outputs of the scheme before committing to the next block input. From a decryption perspective, it is a stronger model than any of the models discussed so far.

SUNDAE
We describe the specification of SUNDAE of Banik et al. [BBLT18] in the context of potential release of unverified plaintext, i.e., with separated decryption and verification, in Section 4.1. We present our RUP attack against SUNDAE in Section 4.2.

Specification
The SUNDAE authenticated encryption scheme is built on top of a block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ for some $k, n \in \mathbb{N}$. Its key space is identical to that of $E$, $\{0,1\}^k$, but it accepts arbitrarily sized associated data $A$ and message $M$. The encryption of SUNDAE is length preserving, meaning that the returned ciphertext is of size $|M|$. The tag is an $n$-bit string. The encryption, decryption, and verification algorithms of SUNDAE are specified in Figure 1. It can be seen as a MAC-then-Encrypt construction based on GCBC1 (with minor adjustments) [Nan09] and OFB [FIP80]. An evaluation of SUNDAE on input of $(A, M)$ with $|A|, |M| > 0$ is depicted in Figure 2.

RUP Insecurity
We describe a simple universal forgery attack against SUNDAE in the RUP setting.
The adversary makes 1 query to E, 3 queries to D, and 1 query to V.
Proof. We show a simple universal forgery attack for arbitrary associated data $A = A[1 \ldots a]$ and message $M = M[1 \ldots m]$ with $a \ge 2$ and $m \ge 1$: Get the tag $T$ and ciphertext $C$; • $V(A, T, C)$ is a valid forgery for the data $A$ and message $M$.
The core idea of the attack is that, in fact, a D query can be seen as a direct query to the underlying block cipher $E_K$, which allows us to simulate step by step the tag generation process in E. The attack works because from the first step we get

and the second and third queries allow us to compute $\Delta$, the internal state difference after the second block cipher call between processing $A[1]$ and $A'[1]$. After processing $A'[1] \,\|\, (A[2] \oplus \Delta)$ in the first case or $A[1] \,\|\, A[2]$
in the second case, we get a full internal state collision for arbitrary $A[2]$, as we corrected the difference $\Delta$. Hence the tag and ciphertext will remain equal whenever what follows is the same, which leads to this simple forgery.
The strategy is also applicable in the case where $A = \varepsilon$ or $M = \varepsilon$: we just need to use the proper starting value $b_1 b_2 0^{n-2}$ instead of $110^{n-2}$, and we can do the same trick with the first two processed blocks. The case of single-block data or message is also trivial, as it generates the tag with 2 block cipher calls that we can fully simulate with 2 D queries.
The attack does not contradict the security claims of the original SUNDAE, but it is something to be aware of, especially when implementing IoT products. Indeed, as already mentioned in the introduction, SUNDAE is claimed to offer maximal robustness to a lack of secure state.

ANYDAE
SUNDAE admits a RUP attack as the adversary can learn $E_K(T)$ for any choice $T \in \{0,1\}^n$. This allows it to "reconstruct" the forgery starting from the initial value $110^{n-2}$, block cipher call by block cipher call. There are various solutions to counter this problem, which all center around adjusting the way the value $T$ is generated or the way the value $T$ is used to generate the encryption stream.
Naive solutions like transforming $T$ through a block cipher call are undesirable: they increase the state size (for the computation of the encrypted mask) or the implementation size (for the implementation of the block cipher inverse). Instead, our focus is on updating the way $T$ is used to generate the key stream. We do so by considering a generalized construction dubbed ANYDAE. The mode is specified in Section 5.1, we prove security of ANYDAE in Section 5.2, and we give two example instantiations in Sections 5.3 and 5.4.

Specification
The generalized ANYDAE authenticated encryption scheme is also built on top of a block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ for some $k, n \in \mathbb{N}$. In addition, it uses a formatting function to parse the data to be encrypted, and mixing functions to process the state. Let $\mathcal{T}$ be a (possibly empty) finite set. Let $\mathrm{Fmt} : \{0,1\}^* \to (\{0,1\}^n)^{\ell} \times \mathcal{T}^{\ell - 1}$ for any $\ell > 0$ be a formatting function that takes an arbitrary-length bit string and generates a sequence of $n$-bit blocks of certain length and a sequence of elements of $\mathcal{T}$ of the same length minus one. Furthermore, consider the following three state processing functions:

ANYDAE has, just like SUNDAE, a key space identical to that of $E$, and it is also length preserving. The encryption, decryption, and verification algorithms of ANYDAE are specified in Figure 3. The message authentication part is simplified significantly due to the use of the formatting function to pre-process $A$ and $M$. Then, $\rho_1$ is used to process the state in message authentication, and $\rho_2$ and $\rho_3$ are used to process the state in the OFB encryption mode. The scheme is depicted in Figure 4.

Security of ANYDAE
We will prove that ANYDAE is an AERUP secure authenticated encryption scheme if $\mathrm{Fmt}$ is prefix-free, $\rho_1$, $\rho_2$, $\rho_3$ are sufficiently regular and/or differential-uniform, and certain conditions on the set $F_1$ of first block outputs of $\mathrm{Fmt}$ are satisfied.
Theorem 2. Suppose that $\mathrm{Fmt}$, $\rho_1$, $\rho_2$, and $\rho_3$ satisfy the conditions of the theorem, among which:
2. $\rho_1$ is $\varepsilon_1$-differential-uniform and $\gamma_1$-regular.
Then, for any adversary $A$ having total complexity $\sigma$, making $q_v$ verification queries, and operating in time $t$, the AERUP advantage is bounded as stated in the theorem, where $\Omega := |F_1 \cap \mathrm{range}(\rho_3)|$, $B$ is some adversary that makes $\sigma$ queries to its oracle and operates in time $t' \approx t$, and $S$ is some simulator that is described in the proof.
² For $\mathrm{Fmt}$, prefix-freeness means that for any two elements
The proof of Theorem 2 is given in Section 6. The simulator that is used is described within the proof. Although the theorem looks complex due to the conditions dictated on $\mathrm{Fmt}$, $\rho_1$, $\rho_2$, and $\rho_3$, it can easily be mapped to simple examples. SUNDAE of Section 4 is an instance of ANYDAE, but Theorem 2 does not apply as condition 5 is violated: the cardinality of the intersection of $F_1$ and $\mathrm{range}(\rho_2)$ is at least 1. In Section 5.3, we describe MONDAE, arguably the simplest instance of ANYDAE, which in addition only differs from SUNDAE of Banik et al. [BBLT18] by a simple $\mathrm{fix}_1$ function. In Section 5.4, we describe TUESDAE, a variant that is optimal in the number of block cipher calls for most of the possible inputs.

Example 1: MONDAE (RUP Secure SUNDAE)
Recall from Section 4.2 that SUNDAE is not RUP secure. It appears that it is surprisingly simple to salvage SUNDAE. To demonstrate this, we propose MONDAE, which differs only in that we insert a $\mathrm{fix}_1$ function right after the value $T$ is output. In more detail, line 2 in the OFB encryption part of Figure 1 is replaced so that $\mathrm{fix}_1$ is applied to $T$. For the case of positive-length associated data and message, the MONDAE construction is depicted in Figure 5. The tweak works because, simply said, it prevents the adversary from learning $E_K(T)$ for any choice of $T \in \{0,1\}^n$.
Figure 6: The formatting function Fmt of MONDAE.
It is easy to see that MONDAE is in fact a specific instantiation of the generalized construction ANYDAE, namely by a suitable choice of $\rho_1$, $\rho_2$, $\rho_3$ and by taking the formatting function $\mathrm{Fmt}$ of Figure 6. This means that MONDAE is not only unforgeable in the RUP setting: it meets AERUP security of Definition 9. The result is a direct corollary of Theorem 2, noting the values that the conditions take for MONDAE.
Corollary 2 (AERUP security of MONDAE). Let $\mathrm{AE} = (\mathcal{E}, \mathcal{D}, \mathcal{V})$ be the MONDAE authenticated encryption scheme based on block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. For any adversary $A$ having total complexity $\sigma$, making $q_v$ verification queries, and operating in time $t$, the AERUP advantage is bounded as stated in the corollary, where $B$ is some adversary that makes $\sigma$ queries to its oracle and operates in time $t' \approx t$, and $S$ is some simulator that is described in the proof of Theorem 2.
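The argument above turns on two quantities that a designer can check exhaustively at a small block size before relying on the general theorem: the size of $F_1 \cap \mathrm{range}(\rho_2)$ that condition 5 requires to be zero (non-zero for SUNDAE, zero for MONDAE), and the value $\Omega = |F_1 \cap \mathrm{range}(\rho_3)|$ together with the regularity of $\rho_2$ and $\rho_3$ that enter the bound. The following Python script is an added example, not code from the paper or from the SUNDAE/ANYDAE designers. It assumes a toy block size of 8 bits, models $F_1$ as SUNDAE-style first blocks $b_1 b_2 0^{n-2}$ (only the value $1\,1\,0^{n-2}$ is named above), takes $\mathrm{fix}_1$ to force the least significant bit to 1 (the text does not say which bit is fixed), and uses the standard definitions of regularity and differential uniformity; all of these are assumptions made for the example.

```python
"""Exhaustive checks of ANYDAE-style conditions for toy mixing functions.

Added example, not code from the paper: it enumerates {0,1}^n for a small n
and computes the quantities that appear in Theorem 2 (|F_1 ∩ range(rho)|
for rho_2 and rho_3, and gamma-regularity) plus the standard
differential-uniformity measure.  Everything marked "assumed" is a
modelling choice made here, not taken from the paper.
"""
from fractions import Fraction
from typing import Callable, Dict, Set

N = 8  # assumed toy block size; {0,1}^8 has 256 elements, so we can enumerate

Rho = Callable[[int, int], int]  # rho(x, n) maps an n-bit block to an n-bit block


def identity(x: int, n: int) -> int:
    """rho_2 = rho_3 = identity models SUNDAE's plain OFB start: V <- E_K(T)."""
    return x


def fix1(x: int, n: int) -> int:
    """Assumed fix_1: force the least significant bit to 1 (which bit MONDAE
    fixes is not stated in this excerpt; any bit that is constant in F_1 works)."""
    return x | 1


def sundae_like_first_blocks(n: int) -> Set[int]:
    """Assumed F_1: first blocks of the form b1 b2 0^{n-2}, generalising the
    initial value 1 1 0^{n-2} named in the text (b1, b2 flag non-empty AD/message)."""
    return {(b1 << (n - 1)) | (b2 << (n - 2)) for b1 in (0, 1) for b2 in (0, 1)}


def image(rho: Rho, n: int) -> Set[int]:
    """range(rho) over all n-bit inputs."""
    return {rho(x, n) for x in range(1 << n)}


def range_intersection(first_blocks: Set[int], rho: Rho, n: int) -> int:
    """|F_1 ∩ range(rho)|: condition 5 needs this to be 0 for rho_2; for rho_3
    it is the Omega that multiplies #U * gamma_3 in the bound."""
    return len(first_blocks & image(rho, n))


def regularity(rho: Rho, n: int) -> Fraction:
    """Smallest gamma such that rho is gamma-regular, using the standard notion
    (assumed): for every output y, Pr_x[rho(x) = y] <= gamma over uniform x."""
    counts: Dict[int, int] = {}
    for x in range(1 << n):
        y = rho(x, n)
        counts[y] = counts.get(y, 0) + 1
    return Fraction(max(counts.values()), 1 << n)


def differential_uniformity(rho: Rho, n: int) -> Fraction:
    """Smallest epsilon such that, for every non-zero input difference d and
    every output difference y, Pr_x[rho(x) ^ rho(x ^ d) = y] <= epsilon
    (standard definition, assumed to match the paper's)."""
    worst = Fraction(0)
    for d in range(1, 1 << n):
        counts: Dict[int, int] = {}
        for x in range(1 << n):
            y = rho(x, n) ^ rho(x ^ d, n)
            counts[y] = counts.get(y, 0) + 1
        worst = max(worst, Fraction(max(counts.values()), 1 << n))
    return worst


def audit(first_blocks: Set[int], rho2: Rho, rho3: Rho, n: int = N) -> Dict[str, object]:
    """Collect the Theorem 2 quantities for one candidate (rho_2, rho_3, F_1)."""
    return {
        "cond5_intersection": range_intersection(first_blocks, rho2, n),  # must be 0
        "omega": range_intersection(first_blocks, rho3, n),
        "gamma2": regularity(rho2, n),
        "gamma3": regularity(rho3, n),
    }


if __name__ == "__main__":
    f1 = sundae_like_first_blocks(N)
    # SUNDAE-like: rho_2 = identity, so every first block is reachable as the
    # first OFB block cipher input from a chosen tag; condition 5 fails.
    print("SUNDAE-like :", audit(f1, identity, identity))
    # MONDAE-like: rho_2 = fix_1 moves the OFB start out of F_1; the
    # intersection is 0 and gamma_2 merely doubles.
    print("MONDAE-like :", audit(f1, fix1, identity))
```

Running it shows the structural point behind MONDAE: with $\rho_2$ the identity, all four elements of the modelled $F_1$ lie in $\mathrm{range}(\rho_2)$, so condition 5 fails, while with $\mathrm{fix}_1$ the intersection is empty at the price of $\gamma_2$ rising from $2^{-8}$ to $2^{-7}$ (two inputs map to each odd output). The same exhaustive check at a small $n$ is a cheap sanity test when vetting a new instance of ANYDAE.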

Example 2: TUESDAE (RUP Secure Optimal ANYDAE)
We now consider the problem of optimizing ANYDAE, or, stated differently, defining the functions $\rho_1$, $\rho_2$, $\rho_3$, and the formatting function in such a way that ANYDAE becomes optimal in the number of block cipher invocations for most inputs. We call the resulting construction TUESDAE. For associated data of $a$ blocks and a message of $m$ blocks with $a + m > 1$, one encryption using TUESDAE consists of exactly $a + 2m$ block cipher invocations. Moreover, if $(a, m)$ is $(1, 0)$ or $(0, 1)$, TUESDAE requires exactly 1 block cipher invocation if the length of the data block (associated data in the former case and message in the latter case) is less than $n - 4$ bits. Note that, as we need to distinguish on the one hand between associated data and message and on the other hand between partial and full data, it is impossible for any deterministic authenticated encryption scheme to use just a single block cipher call for a single (full) data block. The choice we made for $\rho_1$ requires, for good security properties, $n - 1$ to be prime, so it is well suited for use along with a typical $n = 128$-bit block cipher. For $X \in \{0,1\}^n$, write $X \ggg t$ for the right rotation of $X$ by $t$ bits. TUESDAE is an instantiation of ANYDAE by a suitable choice of $\rho_1$, $\rho_2$, $\rho_3$ and by taking the formatting function $\mathrm{Fmt}$ of Figure 7. Here, we use $\mathrm{type}$ to indicate whether the current data block is associated data ($\mathrm{type} = 0$) or message ($\mathrm{type} = 1$), we use $\mathrm{full}_X$ to indicate whether $X$ is $n$-bit ($\mathrm{full}_X = 1$) or partial ($\mathrm{full}_X = 0$), and we use $\mathrm{final}_X$ to indicate whether $X$ is a final block of its type ($\mathrm{final}_X = 1$) or not ($\mathrm{final}_X = 0$). We define $\mathrm{empty}_i$ to be 1 if and only if $i = a - 1$ and $m = 0$. Finally, $\mathrm{bin}(a)_i$ denotes the $i$-bit binary representation of an integer $a$.
It is easy to verify that $\mathrm{Fmt}$ is prefix-free: the three rightmost bits of $B[1]$ are $000$ in case A, $100$ in case B, and $\ast\ast1$ in cases C, D, and E. For the last three cases, the difference is in $\delta[1]$: it equals $\ast011\ast$ for case C, one of $\{00\ast0\ast,\ 01\ast\ast\ast,\ 100\ast\ast\}$ for case D, and one of $\{1010\ast,\ 110\ast\ast,\ 111\ast\ast,\ 0001\ast\}$ for case E. Here, for case E, the distinction is made using
Also note that for any
Corollary 3 (AERUP security of TUESDAE). Let $\mathrm{AE} = (\mathcal{E}, \mathcal{D}, \mathcal{V})$ be the TUESDAE authenticated encryption scheme based on block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, where $n - 1$ is prime. For any adversary $A$ having total complexity $\sigma$, making $q_v$ verification queries, and operating in time $t$, the AERUP advantage is bounded as stated in the corollary, where $B$ is some adversary that makes $\sigma$ queries to its oracle and operates in time $t' \approx t$, and $S$ is some simulator that is described in the proof of Theorem 2.
Note that the result only applies for prime $n - 1$, as in this case $\rho_1$ is differential-universal. However, the choice of $\rho_1$ is not strict in TUESDAE; any good differential-universal function suits.
Remark 1. We briefly elaborate on the differences between MONDAE and TUESDAE. For any query with associated data of $a$ blocks and a message of $m$ blocks, with $a + m > 1$, one encryption using TUESDAE consists of an optimal number of $a + 2m$ block cipher invocations, whereas MONDAE requires $a + 2m + 1$ invocations. Moreover, if $(a, m)$ is $(1, 0)$ or $(0, 1)$, and the length of the data block is less than $(n - 4)$ bits, then TUESDAE requires an optimal amount of one block cipher invocation, whereas MONDAE requires one additional block cipher invocation. To achieve this optimality, TUESDAE needs to execute a few conditional statements (see Figure 7). These require some additional multiplexers, which result in a slight increase of the hardware area.
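The prefix-freeness argument for $\mathrm{Fmt}$ above is carried out by hand on the distinguishing bits of $B[1]$ and $\delta[1]$. As an added example (not the paper's $\mathrm{Fmt}$ of Figure 7, which is not reproduced in this excerpt), the following Python script constructs a simplified formatting function that emits $B[1]$ followed by $(\delta, \text{block})$ pairs carrying the type, full and final flags named above, and exhaustively checks at a toy block size of 8 bits that no two distinct inputs produce encodings where one equals or is a proper prefix of the other. The header layout, the $10^*$ padding, the flag tuple and the sampled inputs are assumptions made for the example; the checker itself is generic and works for any encoder that returns a token sequence.

```python
"""Prefix-freeness check for an ANYDAE-style formatting function (toy size).

Added example, not the paper's Fmt: a constructed formatting function emits
the first block B[1] followed by (delta, block) pairs whose delta carries
the type/full/final flags, and an exhaustive checker verifies that distinct
inputs never yield one encoding that equals or is a prefix of another.
"""
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple

N = 8                       # assumed toy block size in bits
Bits = str                  # bit strings such as "0110" keep partial blocks explicit
Token = Tuple[str, object]  # ("B", block_bits) or ("d", flags)
Encoding = Tuple[Token, ...]


def pad10(x: Bits, n: int = N) -> Bits:
    """10* padding of a partial block (1 <= len(x) < n); injective by construction."""
    return x + "1" + "0" * (n - len(x) - 1)


def split_blocks(x: Bits, n: int = N) -> List[Bits]:
    """Cut x into n-bit blocks; only the last may be partial, and "" gives no blocks."""
    return [x[i:i + n] for i in range(0, len(x), n)]


def fmt(a: Bits, m: Bits, with_final: bool = True, n: int = N) -> Encoding:
    """Constructed Fmt (assumed layout): B[1] = [A non-empty][M non-empty] 0^{n-2};
    then, per data block X, a flag element delta = (type, full_X, final_X) followed
    by X (10*-padded if partial).  with_final=False drops final_X to exhibit the
    resulting prefix-freeness failure."""
    header: Token = ("B", ("1" if a else "0") + ("1" if m else "0") + "0" * (n - 2))
    out: List[Token] = [header]
    for kind, data in ((0, a), (1, m)):          # type 0 = associated data, 1 = message
        blocks = split_blocks(data, n)
        for idx, blk in enumerate(blocks):
            full = 1 if len(blk) == n else 0
            final = 1 if idx == len(blocks) - 1 else 0
            flags = (kind, full, final) if with_final else (kind, full)
            out.append(("d", flags))
            out.append(("B", blk if full else pad10(blk, n)))
    return tuple(out)


def sample_inputs(max_len: int = 2 * N + 1) -> List[Bits]:
    """Constructed input set: every length 0..max_len with a few fixed bit patterns,
    so full, partial and multi-block cases all occur without enumerating all strings."""
    patterns = ["0", "1", "01"]
    out = {""}
    for length in range(1, max_len + 1):
        for p in patterns:
            out.add((p * length)[:length])
    return sorted(out)


def prefix_violations(encode: Callable[[Bits, Bits], Encoding],
                      inputs: Sequence[Bits]) -> List[Tuple[Tuple[Bits, Bits], Tuple[Bits, Bits]]]:
    """Return pairs of distinct inputs whose encodings coincide or where the first
    encoding is a proper prefix of the second; an empty list means prefix-free
    and injective on the given inputs."""
    table: Dict[Encoding, List[Tuple[Bits, Bits]]] = {}
    for a, m in product(inputs, repeat=2):
        table.setdefault(encode(a, m), []).append((a, m))
    bad = []
    for enc, owners in table.items():
        if len(owners) > 1:                      # two inputs, one encoding
            bad.append((owners[0], owners[1]))
        for k in range(1, len(enc)):             # every proper prefix of enc
            if enc[:k] in table:
                bad.append((table[enc[:k]][0], owners[0]))
    return bad


if __name__ == "__main__":
    inputs = sample_inputs()
    print("with final flag   :", len(prefix_violations(fmt, inputs)), "violations")
    broken = lambda a, m: fmt(a, m, with_final=False)
    print("without final flag:", prefix_violations(broken, inputs)[:2])
```

With the final flag present the checker reports no violation: the flags fix where each type's block run ends, and the $10^*$ padding plus the full flag make partial blocks injective. Dropping the flag makes the encoding of $(\varepsilon, X)$ a proper prefix of that of $(\varepsilon, X \| Y)$ for full blocks $X, Y$, which the checker reports; this is exactly the kind of structural defect that the prefix-freeness condition on $\mathrm{Fmt}$ in Theorem 2 excludes.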

Proof of Theorem 2
We consider any adversary $A$ that has access to either $(E_K, D_K, V_K)$ for $K \xleftarrow{\$} \{0,1\}^k$ or $(\$, S, \bot)$ for $\$ \xleftarrow{\$} \mathcal{F}(\ast, t)$ and $S$ some simulator that we will define later on, and that tries to distinguish both worlds. The adversary has encryption complexity $\sigma_e$, decryption complexity $\sigma_d$, and verification complexity $\sigma_v$, with $\sigma_e + \sigma_d + \sigma_v = \sigma$, and operates in time $t$. As a first step, we replace $E_K$ by a random permutation $P \xleftarrow{\$} \mathcal{P}(n)$, at the cost of $\mathrm{PRP}_E(B)$ for some distinguisher $B$ that makes $\sigma$ queries to its oracle and operates in time $t' \approx t$. As a second step, we switch from $P$ to a random function, and our focus is on upper bounding the remaining distance $\mathrm{AERUP}^S_\Pi(A)$.

Defining Adversary and Oracles
Without loss of generality, $A$ is deterministic. Suppose it makes $q_e$ encryption queries $(A^+_i, M^+_i)_{i=1}^{q_e}$ to the encryption oracle, where the block lengths of $A^+_i$ and $M^+_i$ are denoted by $a^+_i$ and $m^+_i$, with an aggregate total of $\sigma_e$ blocks; $q_d$ decryption queries to the decryption oracle, where the block lengths of $A^-_i$ and $C^-_i$ are denoted by $a^-_i$ and $c^-_i$, with an aggregate total of $\sigma_d$ blocks; and $q_v$ verification queries $(A_i, C_i, T_i)_{i=1}^{q_v}$ to the verification oracle, where the block lengths of $A_i$ and $C_i$ are denoted by $a_i$ and $c_i$, with an aggregate total of $\sigma_v$ blocks. We assume that $A$ is non-trivial and non-repeating, which means that all queries are distinct and there is no $(A_i, C_i, T_i)$ that is an answer to an earlier encryption query. By $(i, \ast)$, we mean the $i$-th message of type $\ast$, where ∗ ∈ {+, −, } (verification queries carry no superscript). We use the notation (j, ) ≺ (i, ∗) to denote that the $j$-th message of the first type was queried prior to the $i$-th message of type ∗.

Description of the Real World
The real world $\mathcal{O}_{\mathrm{re}}$ consists of the encryption oracle $\Pi.\mathcal{E}[R]$, the decryption oracle $\Pi.\mathcal{D}[R]$, and the verification oracle $\Pi.\mathcal{V}[R]$ as outlined above. After the adversary has made all its queries, the oracles release all the internal variables from Figure 3. The encryption and verification oracles reveal all $(X, Y)$'s corresponding to authentication and all $(U, V)$'s corresponding to encryption. The decryption oracle reveals all $(U, V)$'s corresponding to decryption (the oracle does not verify the MAC). Note that there is some redundancy in the values, as the $U$'s can be deduced from the values $M$, $C$, and $V$, but we reveal these for completeness.

Description of the Ideal World
The ideal world $\mathcal{O}_{\mathrm{id}}$ consists of three oracles $(\$, S, \bot)$. The verification oracle $\bot$ simply responds with the $\bot$-sign for each input $(A_i, C_i, T_i)$. We will elaborate on the remaining two oracles, encryption $\$$ and decryption $S$, in detail. For these two oracles, we maintain an initially empty table $L$ to store $(U, V)$-tuples. Note that, as we work in the PA1-setting, i.e., $S$ has insight into the queries made to the encryption oracle, this is sound.
The encryption oracle $\$$ is a random function that generates a ciphertext and tag for each input. For later purposes, $\$$ will in addition set internal variables that correspond to the inputs and outputs of $R$ determined by $M^+_i$, $C^+_i$, $T^+_i$. It stores all the individual $(U^+_i, V^+_i)$ tuples in table $L$. The decryption oracle $S$ is a simulator that we define to operate on input of a query $(A^-_i, C^-_i, T^-_i)$.
Once the adversary has made all queries, we move to an offline phase where the adversary will be given the internal values $(X, Y)$ and $(U, V)$, just like in the real world. Note that the $(U, V)$'s have already been defined for the encryption and decryption oracles. For any input query $(A_i, C_i, T_i)$, the verification oracle $\bot$ defines $(U, V)$ in exactly the same way as the decryption oracle does for an input query $(A^-_i, C^-_i, T^-_i)$, and it also determines the underlying message $M_i[1 \ldots c_i]$, which is released to the adversary. For the $(X, Y)$'s we use the following technique to define them. Note that we only have to focus on the encryption and verification queries; we do not bother about the $(X, Y)$'s for decryption queries, as a decryption call does not verify the tag. For any query (i, ∗) with ∗ ∈ {+, }, we first compute the function $\mathrm{Fmt}(A^\ast_i, M^\ast_i)$ to obtain the sequence of blocks $B^\ast_i$. Let (j, ) ≺ (i, ∗), with the type of the $j$-th query in {+, }, be a query for which $B^\ast_i$ has the longest common prefix with $B_j$. Let $p < \ell^\ast_i$ be the length of the longest common prefix of $B^\ast_i$ and $B_j$. Next, we set the values $(X, Y)$ accordingly. Finally, when the sampling of internal values is over, $\mathcal{O}_{\mathrm{id}}$ returns all the internal values: those of each encryption query, those of each decryption query, and, for each verification query, $(A_i, M_i, C_i, T_i, b_i)$.

Attainable Transcripts
The overall transcript of the attack is $\tau = (\tau_e, \tau_d, \tau_v)$, consisting of the encryption, decryption, and verification parts. A transcript $\tau = (\tau_e, \tau_d, \tau_v)$ is said to be attainable (with respect to $A$) if the probability of realizing this transcript in the ideal world $\mathcal{O}_{\mathrm{id}}$ is non-zero. Note in particular that for an attainable transcript $\tau$, any verification query in $\tau_v$ satisfies $b_i = \bot$. Following Section 2.3, we denote by $\Theta$ the set of all attainable transcripts, and by $\mathcal{X}_{\mathrm{re}}$ and $\mathcal{X}_{\mathrm{id}}$ the probability distributions of the transcript $\tau$ induced by the real world and the ideal world, respectively.

Definition of Bad Transcripts
We say that an attainable transcript $\tau$ is bad if one of the events $\mathrm{Coll}_{XX}$, $\mathrm{Coll}_{XU}$, $\mathrm{Coll}_{UU}$, or $\mathrm{Forge}$ holds. Note that, considering the real world, $\mathrm{Coll}_{XX}$ denotes the event of an accidental collision between two inputs to $R$ in the authentication part, where we exclude trivial collisions due to a common prefix. Event $\mathrm{Coll}_{XU}$ corresponds to accidental collisions between an input to $R$ in the authentication part and one in the encryption part. Event $\mathrm{Coll}_{UU}$ corresponds to accidental collisions between two inputs to $R$ in the encryption part, where we exclude trivial collisions triggered by a decryption query for a known $U$-value. Event $\mathrm{Forge}$ corresponds to the event that, for any verification query, the last block cipher output in the MAC function collides with the tag given in the verification query.
In line with the H-coefficient technique (Theorem 1), $\Theta_b$ denotes the set of all attainable transcripts that are bad.

Probability of Bad Transcripts
We now bound the probability of a bad event in the ideal world.
Lemma 1. Let $\mathcal{X}_{\mathrm{id}}$ and $\Theta_b$ be as defined above. Then, $\Pr[\mathcal{X}_{\mathrm{id}} \in \Theta_b]$ is bounded as stated in the lemma.
Proof. We apply the union bound and bound the probabilities of the individual events. We let $\#X$ be the number of $X$'s in the transcript and $\#U$ the number of $U$'s.
Bounding $\mathrm{Coll}_{XX}$. We consider the following cases:
As $\rho_1$ is $\gamma_1$-regular, the probability that this event happens is at most $\gamma_1$;
As $\rho_1$ is $\gamma_1$-regular, the probability that this event happens is at most $\gamma_1$;
To bound the above event, we split it into two different subcases: in the first subcase, the probability of the above event is zero. Otherwise, the above event boils down to one that is bounded by the $\varepsilon_1$-differential-uniformity of $\rho_1$, where the probability is calculated over the random sampling of $Y^\ast_i[k-1]$, and where we assume that (j, ) ≺ (i, ∗).

Case (b):
Otherwise, $Y^\ast_i[k-1]$ and $Y_j[k-1]$ are independent, and the above event is bounded by the regularity probability $\gamma_1$ of the function $\rho_1$, which directly follows from Corollary 1.
Combining all four cases, we obtain the bound on $\Pr(\mathrm{Coll}_{XX})$.
Bounding $\mathrm{Coll}_{XU}$. We consider the following cases:
In the first case, the probability that $\mathrm{Coll}_{XU}$ is set is 0;
As $|F_1 \cap \mathrm{range}(\rho_3)| = \Omega$, and as $\rho_3$ is $\gamma_3$-regular, the probability that this event happens is at most $\Omega \cdot \#U \cdot \gamma_3$, where we have already summed over all possible query choices;
As $\rho_1$ is $\gamma_1$-regular, the probability that this event happens is at most $\gamma_1$;
If (j, ) ≺ (i, ∗), we can bound this event by $\gamma_3$ due to the random sampling of the encryption output and $\rho_3$ being $\gamma_3$-regular. Otherwise, we bound the event by $\gamma_1$ as $\rho_1$ is $\gamma_1$-regular.
For the third case, we have already summed over all possible occurrences of the case. The second and fourth cases together occur at most $\#X \cdot \#U$ times. We therefore obtain the bound on $\Pr(\mathrm{Coll}_{XU})$.
Bounding $\mathrm{Coll}_{UU}$. We consider the following cases:
The first case concerns some previous request (j, ) and some $k$. Since $T^+_i$ is always sampled uniformly at random, and as $\rho_2$ is $\gamma_2$-regular, the probability that this event happens is at most $\gamma_2$;
The second case concerns some previous request (j, ) and some $k$. Since $C^+_i[k-1]$ is always sampled uniformly at random, so is the resulting input, and as $\rho_3$ is $\gamma_3$-regular, the probability that this event happens is at most $\gamma_3$.
We obtain the bound on $\Pr(\mathrm{Coll}_{UU})$.
Bounding $\mathrm{Forge}$. For a fixed verification query, the event is trivially bounded by $2^{-n}$, as $Y_i[\ell_i]$ is sampled uniformly at random. Summing over all possible choices of the index $i$, we have $\Pr(\mathrm{Forge}) \le q_v / 2^n$.

Conclusion. We obtain the bound of the lemma by adding the four probabilities.
This completes the proof, noting that $\#X$ is bounded in terms of $\sigma$ and that in addition $\#U \le \sigma$.

Analysis of Good Transcripts
In this section we show that for a good transcript $\tau$, realizing $\tau$ is almost as likely in the real world as in the ideal world. Formally, we prove the following lemma (Lemma 2).
Proof. Let $\tau = (\tau_e, \tau_v, \tau_d)$ be a good transcript. Let $s_e$ be the number of distinct $X$ values in $X^+ := (X^+_1, \ldots, X^+_{q_e})$ and $s_v$ be the number of distinct $X$ values in $X := (X_1, \ldots, X_{q_v})$. Moreover, let $k_i$ be the number of non-fresh blocks for the $i$-th decryption query, and let $k_i$ be defined analogously for the verification queries. This allows us to compute the ideal interpolation probability as follows: in the online phase, the encryption oracle samples $q_e$ tag values and $\sigma_{q_e}$ ciphertext blocks uniformly at random. The decryption oracle samples $\sigma_d$ message blocks uniformly at random and the verification oracle samples $\sigma_v$ message blocks uniformly at random. In the offline phase, the ideal oracle samples a total of $s_e + s_v$ values $Y$. Hence, the ideal interpolation probability is the product of the corresponding uniform sampling probabilities. We now compute the real interpolation probability for $\tau$. Since $\tau$ is a good transcript and $\mathrm{Fmt}$ is a prefix-free function, $X^+_i[\ell_i]$ is fresh. Therefore, the values $T^+_i$ are uniformly distributed. Moreover, we do not have any collision in the tuple $U^+ := (U^+_1, \ldots, U^+_{q_e})$ as $\tau$ is good. This means that the ciphertext blocks are also generated uniformly at random. It is easy to see that the decryption oracle samples exactly $\sigma_d$ message blocks and the verification oracle samples exactly $\sigma_v$ message blocks. Moreover, as there are $s_e + s_v$ distinct $X$ values in the encryption and verification query history, the real interpolation probability is the same product. We conclude that the ratio of the real to the ideal interpolation probability equals 1.

Conclusion
By the H-coefficient technique of Theorem 1, we obtain for the remaining distance of (10) the bound $\varepsilon_{\mathrm{ratio}} + \varepsilon_{\mathrm{bad}}$, where $\varepsilon_{\mathrm{ratio}} = 0$ given the bound of Lemma 2, and $\varepsilon_{\mathrm{bad}}$ is set to be the bound of Lemma 1.

Conclusion
In this paper, we first proposed AERUP, a unified RUP security notion for deterministic authenticated encryption schemes. Next, we considered a generalized version of SUNDAE, called ANYDAE, and derived necessary and sufficient conditions for ANYDAE to achieve AERUP security. We introduced two instantiations of ANYDAE, called MONDAE and TUESDAE. MONDAE exhibits a structural resemblance with SUNDAE, with a minimal change in the construction so that its RUP security is retained. Therefore, it is on par with SUNDAE in terms of efficiency and optimality. TUESDAE is an optimal construction in terms of the number of block cipher invocations, at the cost of a small increase in hardware area. It is an interesting open question to investigate AERUP security for existing SIV-based constructions.