Paper 2024/598

AE Robustness as Indistinguishable Decryption Leakage under Multiple Failure Conditions

Ganyuan Cao, École Polytechnique Fédérale de Lausanne
Abstract

Robustness has emerged as an important criterion for authenticated encryption, alongside the requirements of confidentiality and integrity. We introduce a novel notion, denoted as IND-CCLA, to formalize the robustness of authenticated encryption from the perspective of decryption leakage. This notion is an augmentation of common notions defined for AEAD schemes by considering indistinguishability of potential leakage due to decryption failure, including candidate plaintext and error messages, particularly in the presence of multiple failure conditions. With this notion, we study the disparity between a single-error decryption function and the actual leakage incurred during decryption. We introduce the concept of error unicity to require that only one error is disclosed, whether explicitly via decryption or implicitly via leakage, even if there are multiple failure conditions. This aims to mitigate the security issue caused by disclosing multiple errors via leakage. We further extend this notion to IND-sf-CCLA to formalize the stateful security involving out-of-order ciphertext. We provide a concrete proof of the robustness of the Encode-then-Encipher paradigm through our notions to show its ability to admit multiple failure conditions. Additionally, we briefly show a transformation from our notion to a simulatable one, which can aid future study on composable security concerning decryption leakage.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
AE Robustness, Decryption Leakage, IND-CCLA, Error Unicity, Security Proof
Contact author(s)
ganyuan cao @ epfl ch
History
2024-05-13: last of 4 revisions
2024-04-17: received
Short URL
https://ia.cr/2024/598
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/598,
      author = {Ganyuan Cao},
      title = {AE Robustness as Indistinguishable Decryption Leakage under Multiple Failure Conditions},
      howpublished = {Cryptology ePrint Archive, Paper 2024/598},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/598}},
      url = {https://eprint.iacr.org/2024/598}
}