A. Background

Secure communication requires Authenticated Encryption (AE) since it guarantees the privacy and authenticity of messages. Simple encryption-only primitives, like block or stream ciphers, protect the confidentiality of messages from being seen by unauthorized parties. However, such primitives, if used on their own without authenticity protection, are insecure about being employed in communications because an active attacker can alter the ciphertext without being noticed. For instance, an eavesdropper of a banking transaction (without authenticity protection) could change bits of the messages (with the help of some prior knowledge or guessing) without even needing to read it and forward it to its source. Still, it could be accepted as a valid transaction. A cryptosystem with such property is termed malleable. On this front, [1] and [2] proposed the first authenticated encryption (AE) schemes, combining individual encryption schemes and message authentication code (MAC) schemes to pave for a new paradigm of protecting privacy and integrity simultaneously. The AE with associated data (AEAD) allows the addition of unencrypted but authenticated pieces of data, such as those used for packet routing [3], [4], [5].

AE safeguards confidentiality and integrity by following two different security models. Confidentiality defends data privacy against passive adversaries in the chosen-plaintext attack (IND-CPA) and active attackers in the chosen-ciphertext attack (IND-CCA) [2], [6], [7]. Integrity ensures that communications are authentic and haven’t been tampered with, whether in motion or at rest. In addition, AE protects the authenticity of plaintext with the INT-PTXT model and that of ciphertext with the INT-CTXT model.

Most AE structures in the literature assume that the stretch (tag length) is a fixed value per key. Still, a lack of support for variable stretch may render them vulnerable to tag-length variation under the same key attack [8]. For instance, popular standardized AE schemes such as OCB, GCM, and GCM might have their security degraded or could even suffer a complete loss of security if they are misused in this way [9], [10], [11], as raised by Manger [9]. The concern was presented several times in CFRG forum discussions about OCB variable tag length [9] and the CAESAR competition mailing list [12]. For example, If the adversary wages that kind of attack under a scheme using different tag lengths under the same key, the adversary needs to break the shortest one, and the whole security is void.

Besides the security perspective, tag length variability is also advantageous in the constrained resources environment, but recalculating parameters the cost for key exchange because of energy and bandwidth limitations Struik [13]. Reyhanitabar et al. (2017) formalized a nonce-based AE with variable stretch (vNBAE) security notion. They proposed a modular approach for defining the key-equivalent separation by stretch (KESS) concept, which, combined with the traditional NAE, implies the vNBAE security notion.

There have been types of attacks in which the attacker exploits background information about the implementation environment of AE schemes instead of analyzing them under the security models previously discussed. These attacks, known as side-channel attacks (SCAs), are especially harmful when chips containing private data are in an adversary’s hands or installed in locations where the general public can access them. Smart cards, sensor network nodes, and IoT devices are vulnerable [14], [15]. SCAs can be avoided using several strategies, such as masking [15], [16], [17] and hiding [18] [27], [28], [29], [30]. However, rekeying [15], [19], [20], which uses the target cipher plus a subkey generation algorithm that accepts the master key as input, is a less expensive method of obtaining resistance against side-channel attacks.

AE schemes are constructed employing particular underlying building blocks. Block ciphers are the most used building blocks in AE schemes. Famous block ciphers like AES [21], SKINNY [22], and GIFT [23] are used to create AE schemes. An example of stream ciphers is given in [24]. Dedicated and keyless permutations are the fundamental building block of constructions based on permutations. These permutations use Encrypt Mix Encrypt (EME), Encrypt XOR [25], and variations of the Even-Mansour design in place of sponge-like modes [26]. Furthermore, the cryptographic sponge is the most commonly used keyless permutation. Many algorithms, such as the Keccak-f applied in the SHA3 competition winner, employ keyless permutations in the sponge mode of operation. In contrast, others rely on different permutations [27]. Moreover, Some AE schemes use additional building blocks, such as hash and compression functions (CF), as in [28]. Still, others use unique underlying structures, such as those specified in [29], [30], and [31].

In addition to security-related attributes, the following key traits also enhance the effectiveness and performance of AE schemes: parallelizability, which measures the capacity of a scheme to handle the $k^{\mathrm {th}}$ block separately from the subsequent $j^{\mathrm {th}}$ block, given that $k\ne j$ [32], [33]; inverse free: An AE scheme is inverse-free if its algorithm does not need it inverse to carry out encryption or decryption operations [44], [45]; Online use, which demonstrates a scheme’s capacity to process the kth block of ciphertext after observing the first $k$ blocks of plaintext and without knowing any plaintext after the current block [34]. Incrementality is the capacity to update only parts affected by the most recent operation seen in an earlier ciphertext-tag pair (C, T) [35]. The single-pass feature indicates an AE algorithm’s ability to process all the plaintext at once to achieve privacy and authenticity in one pass. Being single-pass boosts the efficiency of an AE scheme [8], [36].

B. Contributions

This study proposes and implements a Parallel Sponge-based Authentication Encryption with Variable Tag length and Side-channel Protection (PAVTASP). This work is a complementing component of ongoing efforts to improve AE schemes’ security and performance and is motivated by PSASPIN [37] and ISAP [38]. But there are three fundamental ways in which the proposed scheme differs from ISAP: first, PAVTASP is parallelizable; it can process several data blocks at a time; second, PAVTASP makes use of the leveled implementation in a different fashion. For example, while PAVTASP utilizes a PRF based on a block cipher or Galois field multiplication in the key-generation part, ISAP uses the sponge construction in the two implementation levels. On the other side, PAVTASP differs from PSASPIN that it allows variable tag length under the same key without losing other desirable features of the scheme. Another contribution of PAVTASP is that it sets a lower bound for the tag length with the help of rekeying that extends the threshold of the number of operations that can be carried out without negotiating for a new key. Finally, the proposed scheme’s security is discussed, and its performance is evaluated, compared to other sponge-based AE schemes, after implementation in C programming language.

C. Organization of This Work

Section II describes the related work. Next, we present a general AE model in Section III, introduce the PAVTASP AE scheme and its processes in Section IV, and discuss the security analysis in Section V. The performance analysis is presented in Section VI. Finally, We offer the discussion in Section VII and conclude this work in Section VIII.

A. Notations

Here are definitions for the notations in this paper. The letters K, N, T, and IV are used respectively to represent the key, the nonce, the authentication tag, and the initialization vector. The plaintext message, the ciphertext, and the associated data are each denoted by M, $\boldsymbol {C}$ , and $\boldsymbol {A}$ , respectively. A failure of verification or an error is what we mean by ($\bot$ ). $\boldsymbol {S}$ stands for the 320-bit state of the sponge construction. $\boldsymbol {S} _{r}$ represents the rate part of the state, whereas $\boldsymbol {S} _{c}$ represents the capacity part of the state. The length of the string $`X'$ is denoted by the symbol $\vert $ $X\vert $ , whereas the text $`X'$ concatenated with the string $`Y'$ is designated as X$\vert \vert $ Y. $\boldsymbol {P}$ is the sponge permutation, $\boldsymbol {0}^{k}$ stands for an entirely 0-bit string of length $\boldsymbol {k}$ , and $\vert $ X$\vert $ is the symbol for the length of the string ‘$\boldsymbol {X}$ .’ We represent the XOR of the strings ‘X’ and ‘Y’ as ${\boldsymbol {X}\bigoplus \boldsymbol {Y}}$ . By $\left \lfloor{ \boldsymbol {X} }\right \rfloor _{k}$ , we refer to a bitstring $\boldsymbol {X}$ that has been truncated to its last $\boldsymbol {k}$ most significant bits. We refer to a bitstring $\boldsymbol {X}$ that has been truncated to the first k least significant bits as $\left \lfloor{ \boldsymbol {X} }\right \rfloor _{k}$ . Finally, we denote $\tau $ by the tag length(stretch).

B. Parameters

PAVTASP is an AE scheme using a 320-bit permutation $\boldsymbol {P}$ that applies eight rounds of ASCON permutations [57]. It requires five inputs: a 128-bit secret master $\boldsymbol {K}$ from which a session key $\boldsymbol {K} _{S}$ is obtained, a variable length tag length (stretch) $\tau $ , a variable length plaintext $\boldsymbol {M}$ , a variable length associated data AD, and a 128-bit nonce $\boldsymbol {N}$ . Decryption requires a 128-bit session key $\boldsymbol {K} _{S}$ obtained from $\boldsymbol {K}$ , a ciphertext $\boldsymbol {C}$ , a nonce $\boldsymbol {N}$ , an authentication tag T, and a variable length stretch value $\tau $ . For protection against SCAs, PAVTASP employs fresh rekeying to obtain a new key each time encryption/decryption and authentication operations are invoked. Figure 1 and Figure 2 respectively show a schematic view of the PAVTASP encryption and decryption processes. The initialization, encryption, and decryption/verification processes are described below. PAVTASP is a single-pass scheme that performs encryption and authentication in a single pass over the duplex structure. In addition, the scheme allows variable length and protects against SPAs and DPAs.

FIGURE 1.

Schematic view of PAVTASP encryption.

Show All

FIGURE 2.

Schematic view of PAVTASP decryption.

Show All

C. Pavtasp Processes

6) The Rekeying Function

Figure 3 illustrates several implementation options for the rekeying function. The leveled implementation used in this work is adapted from the method proposed by..Abdalla and Bellare [20] and implemented by [19] and [71]. The structure is split up into a rekeying function and a data processing (rekeyed) component. Several alternatives for implementing the data processing part include block ciphers like AES, sponge construction and its operation modes, and tweakable block ciphers [66]. On the other hand, a PRF serving as a pseudorandom generator ($G$ ) can be used to implement the rekeying function with different options, including the following: Constructions based on Galois field (GF) multiplication, leakage-resistant primitives like duplex sponges [38], [66], protected block ciphers like SERPENT [72] and AEAS, tweakable block ciphers or traditional block ciphers strengthened with countermeasures like hiding and masking [52], [65], [73].

FIGURE 3.

Rekeying function options that can be used in PAVTASP [37].

Show All

In this work, the rekeying function can be constructed in one of two ways using the leveled implementation. Using a rekeying function built on a GF multiplication field is the first option similar to those in [71], and [74]; however, some modifications are necessary because those implementations only protect against lower-order DPAs. On the other hand, this work integrates the defense mechanisms to protect against higher-order DPAs. A leakage-resilient block cipher is an additional option with a more complex design than the first one but is preferable for hardware implementations. The function $\boldsymbol {G}$ based on the GF multiplication is implemented in Algorithm 3 using combined shuffling and masking for defense against higher-order DPAs.

“Algorithm 3 Parallel Fresh Rekeying (PFRK)

Requires: $a, b \in G F\left(2^{2}\right)[y] / y^{d}+1$

Ensures: $c=b * b \in G F\left(2^{2}\right)[y] / y^{d}+1$

$x \leftarrow \operatorname{rand}(), j \leftarrow x, k \leftarrow x$ , with $h=1-m, 0 \leftarrow$ st

while $k \# x-1 \bmod d$ do

$k_{b} \leftarrow k$

$\text { for } h=1 \text { to } m \text { do }$

$k b_{h} \leftarrow k b_{h} \bigoplus b_{j}$

$j \leftarrow j+1 \bmod d$

End for

$k_{s} \leftarrow N \cdot b k_{h}$

$\text { for } h=1 \text { to } m d o$

$k_{s} \leftarrow N \cdot\left(b_{j} \bigoplus b k_{h}\right)$

End for

End while

Return $\left(k_{s_{h}}, s t+1\right)$ ” [37]

A. Security of Parallel Fresh Rekeying Function (G).

The parallel rekeying function creates session keys for use in the AE schemes’ encryption component using an initial master key [15], [20]. This method enables us to encrypt more data under the same key, increasing the key’s lifetime. Rekeying functions can be divided into two categories: parallel rekeying, which generates session keys, all at once, separately, and serial rekeying, in which the generated session keys depend on the prior states and are updated continuously [20]. According to [53], when concurrent access to data is implemented, parallel rekeying is required.

According to [20], a stateful generator’s pseudo-randomness is defined as follows: Consider the following experiment taking into account $G=\left ({K,N }\right)$ as a stateful generator with a block size of $\boldsymbol {k}$ , $\boldsymbol {n}$ as an integer, and $\boldsymbol {A}$ as an adversary:\begin{align*} &Experiment {EXP}_{G,n,A}^{prg-real} \\ & \quad for i=1,\ldots.,n \mathbf {do} \\ \quad &\left ({{Out}_{i},{St}_{i} }\right)\leftarrow N\left ({{St}_{i-1} }\right);\leftarrow st\parallel {Out}_{i} \\ &\quad g_{n}\leftarrow A\left ({st }\right) \\ &\quad return g_{n} \\ &Experiment {EXP}_{G,n,A}^{prg-rand} \\ &st\leftarrow {\{0,1\}}^{n.k} \\ &g_{n}\leftarrow A\left ({st }\right) \\ &return g_{n}\end{align*} View Source\begin{align*} &Experiment {EXP}_{G,n,A}^{prg-real} \\ & \quad for i=1,\ldots.,n \mathbf {do} \\ \quad &\left ({{Out}_{i},{St}_{i} }\right)\leftarrow N\left ({{St}_{i-1} }\right);\leftarrow st\parallel {Out}_{i} \\ &\quad g_{n}\leftarrow A\left ({st }\right) \\ &\quad return g_{n} \\ &Experiment {EXP}_{G,n,A}^{prg-rand} \\ &st\leftarrow {\{0,1\}}^{n.k} \\ &g_{n}\leftarrow A\left ({st }\right) \\ &return g_{n}\end{align*}

The security evaluation of the proposed parallel fresh rekeying function can be described concerning the security notions of pseudorandom generators. The approach proposed in [20] is followed in this work, but their schemes protect a block cipher, whereas that proposed here protects a parallel sponge-based AE scheme. Pseudorandomness, which represents adversary $A$ ’s inability to differentiate the generator’s output from a random string of identical length, is the desirable property of the generator. Real and random experiments define adversary $A\boldsymbol {'}\text{s}$ advantage and the generating function’s advantage (ADV) in the following way:

${ADV}_{G,n,A}^{prg}=\Pr \left [{ {EXP}_{G,n,A}^{prg-Real}=1 }\right]-\Pr \left [{ {EXP}_{G,n,A}^{prg-rand}=1 }\right] {ADV}_{G,n,A}^{prg}\left ({t }\right)={max}_{A}\left \{{ {ADV}_{G,n,A}^{prg} }\right \}$ . The advantage function quantifies the likelihood that $A$ can compromise function $G$ using the abovementioned resources. The maximum is overall $A$ running in $t$ , the time complexity, and the total time complexity is the running time of the two experiments, in addition to the size of adversary $A\boldsymbol {'}\text{s}$ code. The underlying PRF is what ensures the key generation function security $F:{\{0,1\}}^{l}\times {\{0,1\}}^{l}\times {\{0,1\}}^{l}\to {\{0,1\}}^{l}$ . Let ${\{0,1\}}^{l}\mathrm { }to$ be a function family that maps an $l$ -bit string to an $l$ -bit string assuming a uniform distribution. If $\boldsymbol {D}$ is a distribution with Oracle access, then \begin{align*} {ADV}_{F,D}^{prf}&={\mathrm {Pr}[D}^{(F,K)}=1:K\stackrel { R } \longleftarrow {\{0,1\}}^{n}] \\ &-\mathrm {Pr}[D^{f\left ({. }\right)}=1:f\stackrel {\$} \longleftarrow R^{n}]\end{align*} View Source\begin{align*} {ADV}_{F,D}^{prf}&={\mathrm {Pr}[D}^{(F,K)}=1:K\stackrel { R } \longleftarrow {\{0,1\}}^{n}] \\ &-\mathrm {Pr}[D^{f\left ({. }\right)}=1:f\stackrel {\$} \longleftarrow R^{n}]\end{align*} is the advantage of the distinguisher D. The advantage of F is: ${ADV}_{F}^{prf}\left ({t,q }\right)={Max}_{D}\left \{{ {ADV}_{F,D}^{prf} }\right \}$ ,

The overall $A$ ’s advantage is the maximum, $t$ denotes the time complexity, and $q$ represents the oracle queries executed. In the following, we demonstrate how the underlying PRF affects the pseudorandom of the parallel fresh rekeying function.

The Security of the PRF ($F$ ) under $l$ queries determines, quantitatively, the pseudo-randomness of the fresh rekeying function $(G)$ . When $F$ is a PRF, then ${ADV}_{G\left [{ F }\right],l}^{prg}\left ({t }\right)\approx \frac {l+t}{2^{k}}$ .

B. The Base AE Scheme Security

The sponge-based AE scheme, PAVTASP, is based on the duplex mode of operation. It receives a plaintext $M$ , associated data AD, a nonce $N$ , a stretch value $\tau $ , and a master key $K$ fed into the pseudorandom generator to produce subkeys to process data blocks in a parallel fashion. At the core of AE security, we consider two notions of security for sponge construction, confidentiality, and integrity [2], [6], [7]. Finally, the method put forward by Jovanovic et al. [75], Andreeva et al. [30], and Mihajloska et al. [76] is used to prove the security of the rekeyed part of PAVTASP.

C. Confidentiality (or Privacy)

Confidentiality ensures that only legitimate parties can view the messages in the IND-CPA model against passive attackers and the IND-CCA model against active attackers. The attacker is granted access to an encryption oracle in the first model and a decryption oracle in the second. The adversary’s advantage must always be insignificant for an AE scheme to be secure [2], [6], [7].

Consider $P$ a collection of idealized permutations of an AE scheme II. The following formula describes $A's$ advantage (ADV) while having access to both forward and inverse permutations in breaching scheme II ’s privacy:\begin{equation*} {ADV}_{II}^{priv}\left ({A }\right)=\vert {Pr}_{p,K}\left ({A^{p^{\pm },E_{K}}=1 }\right)-{Pr}_{p,{\$}}(A^{PP^{\pm,{\$} }}=1).\end{equation*} View Source\begin{equation*} {ADV}_{II}^{priv}\left ({A }\right)=\vert {Pr}_{p,K}\left ({A^{p^{\pm },E_{K}}=1 }\right)-{Pr}_{p,{\$}}(A^{PP^{\pm,{\$} }}=1).\end{equation*}

The $P^{\pm }$ denotes that $A$ can make queries to forward and inverse permutations. Assuming that $A$ does not call $E_{k}$ and $\$ $ using the same nonces, ${ADV}_{II}^{priv}(q_{p},q_{e},\lambda _{e})$ represents all adversaries the maximum advantages making queries to $E_{k}$ or $\$ $ .

D. Integrity or Authenticity

Integrity guarantees that communications come from reliable parties and haven’t been changed while in motion or at rest. AE provides plaintext integrity under the INT-PTXT paradigm and ciphertext integrity under the INT-CTXT paradigm. The former assures that the attacker cannot forge ciphertext decryption of data that the sender did not previously encrypt. The latter guarantees that the adversary cannot come up with a ciphertext that the sender had not created, regardless of whether the plaintext is new [2], [6].

Assume that $P$ is a collection of the AE scheme II ’s underpinning idealized permutations. Then, we can describe the integrity-related goals of AE are defined as demonstrated by the adversary $A$ ’s failure to produce a new plaintext that is not the outcome of a valid decryption $(D_{k}(C))$ process under a valid key $K$ :\begin{equation*} {ADV}_{II}^{auth}={Pr}_{P,K}\left ({A^{P^{\pm,E_{K},\mathrm { }D_{K}}}Forges }\right),\end{equation*} View Source\begin{equation*} {ADV}_{II}^{auth}={Pr}_{P,K}\left ({A^{P^{\pm,E_{K},\mathrm { }D_{K}}}Forges }\right),\end{equation*} The probability is taken over $A$ , and $K$ , assuming $P$ has been chosen randomly. We say that adversary $A$ wins in making a forgery if $D_{k}$ produces a message that is different from $\bot $ on receiving an input (A, C, N, $T$ ), and (A, $C$ ) have not been created by $E_{k}$ after taking (N, A, $M$ ) as input. The adversary is also assumed to be nonce-respecting in that it does not repeat the same nonces, as in the privacy case. Let us represent authenticity as ${ADV}_{II}^{auth}\left ({q_{p},q_{E},\lambda _{E},q_{D},\lambda _{D} }\right)$ . We can determine the maximum advantage over all adversaries by querying $P^{\pm }$ at most $q_{p}$ times making at most $q_{E}$ queries of total length at most $\lambda _{E}$ blocks to $E_{K}$ and at most $q_{D}$ queries of the total length $\lambda _{D}$ to $D_{K}/\bot $ .

For the proof of PAVTASP’s privacy, we consider an adversary $A$ making $q_{P}$ permutation queries and $q_{E}$ encryption queries whose total length is $\lambda _{E}$ . For integrity proof, we consider adversary $A$ making $q_{D}$ decryption queries totaling a length of $\lambda _{D}$ . The number of permutation calls is determined by $q_{E}$ encryption queries, and the same procedure is repeated for encryption queries with similar parameters. Considering $q_{E}$ , of $c$ associated data blocks and $f$ message blocks, and $T$ intermediate tags, the equivalent $n$ state values can be described as follows:\begin{align*} \left ({init.S_{0}\left [{ {\begin{array}{cccccccccccccccccccc} A_{S1,0} & M_{S1,0} & T_{s1,0}\\ \vdots & \vdots & \vdots \\ {\begin{array}{cccccccccccccccccccc} \vdots \\ \vdots \\ A_{Sn+1,c}\\ \end{array}} & {\begin{array}{cccccccccccccccccccc} \vdots \\ \vdots \\ M_{Sn+1,f}\\ \end{array}} & {\begin{array}{cccccccccccccccccccc} \vdots \\ \vdots \\ T_{sn+1,T}\\ \end{array}}\\ \end{array}} }\right] }\right) \tag{1}\end{align*} View Source\begin{align*} \left ({init.S_{0}\left [{ {\begin{array}{cccccccccccccccccccc} A_{S1,0} & M_{S1,0} & T_{s1,0}\\ \vdots & \vdots & \vdots \\ {\begin{array}{cccccccccccccccccccc} \vdots \\ \vdots \\ A_{Sn+1,c}\\ \end{array}} & {\begin{array}{cccccccccccccccccccc} \vdots \\ \vdots \\ M_{Sn+1,f}\\ \end{array}} & {\begin{array}{cccccccccccccccccccc} \vdots \\ \vdots \\ T_{sn+1,T}\\ \end{array}}\\ \end{array}} }\right] }\right) \tag{1}\end{align*} The number of state values $\sigma _{e,j}$ is c+f+4, assuming that the $j^{th}$ query is $c+f$ blocks, and which results in the number of $\Pi $ evaluations using the encryption query:\begin{equation*} \sigma _{E}:=\sum \nolimits _{j=1}^{q_{E}} {\sigma _{j,E}\le q_{E}\left ({c+f+4 }\right)=\lambda _{E}+{4q}_{E}.} \tag{2}\end{equation*} View Source\begin{equation*} \sigma _{E}:=\sum \nolimits _{j=1}^{q_{E}} {\sigma _{j,E}\le q_{E}\left ({c+f+4 }\right)=\lambda _{E}+{4q}_{E}.} \tag{2}\end{equation*}

We calculate for $\sigma _{D}$ and $\sigma _{j,D}$ in the same manner.

E. Syntax of NBAE with Variable Tag Length

We can expand the syntax of Nonce-Based Authenticated Encryption (NBAE) schemes to include a variable tag length as proposed by [8]. An AE scheme with variable stretch consists of a triplet $\mathrm {\Pi =(}K,E,D)$ where $K{\subseteq }{\{1,0\}}^{\ast }$ a set of keys with a uniform distribution, and $E{:}K\times N{\times }{\mathcal {T}}_{T}\times M\to C$ and $D{:}K\times A\times N{\times \mathbb {N}\times }C\to M\cup \{\bot \}$ are encryption and decryption algorithms in that order. In this context, we call $N$ the nonce space, A the Associated Data space, M the plaintext space, C the ciphertext space, and ${\mathcal {T}}$ the stretch space of the scheme $\mathrm {(\Pi })$ . We assume that $N\subseteq \left \{{ 1,0 }\right \}^{\ast }{, }M\subseteq \left \{{1,0 }\right \}^{\mathrm {\ast }},A\subseteq \left \{{1,0 }\right \}^{\ast },C\subseteq \left \{{ 1,0 }\right \}^{\ast }, and \mathrm { }{\mathcal {T}}_{T}\subseteq \mathbb {N}$ . We also assume that if $M\in M then\mathrm { }{\{0,1\}}^{\vert M\mathrm {\vert }}\subseteq M$ .

Reyhanitabar et al. [8] proposed a modular syntax for achieving the vNBAE, key-equivalent separation by stretch (KESS). The assumption is that the scheme should behave as having a fresh independent key with each value of a separate tag length value. In addition, they stated that KESS ensures that the scheme instances using different tag lengths be independent and inaccessible to one another rather than encouraging short tag lengths or claiming particular robustness.

Let $\Pi =(K,E,D)$ be and vNBAE scheme. Let A be an adversary that tries to break KESS of $\Pi $ by distinguishing two games, one containing the encryption and decryption oracles of the Real schemes and another of an Ideal scheme with similar parameters. The advantage of A in breaking the scheme is measured by ${ADV}_{\Pi }^{KESS}\left ({A }\right)=\Pr \left [{ A^{KESS-{Real}_{\Pi }}\Rightarrow }\right]\mathrm {-Pr}[A^{KESS-{Ideal}_{\Pi }}\Rightarrow 1]$ . When combined with NBAE security, KESS implies vNBAE Security. KESS’s role is merely to handle the interaction between queries with different tag lengths so that queries of $\tau $ bit of stretch are independent of one another. So we have:

$\left ({KESS\bigwedge NBAE }\right)\mathrm {\Rightarrow }vNBAE\mathrm {.}Let\Pi =\left ({K,E,D }\right)$ be a nonce-based AE scheme with a variable stretch; we have that:\begin{align*} &\hspace {-2pc}{ADV}_{\Pi }^{vNBAE\left ({\tau _{c} }\right)}\left ({t,q_{E},q_{D},\sigma }\right) \\ &\le {ADV}_{\Pi }^{KESS}\left ({t^{\prime},q_{E},q_{D},\sigma }\right) \\ &+{ADV}_{\Pi \left [{ c }\right]}^{NBAE}\left ({t^{\mathrm {''}},q_{E}^{\tau _{c}},q_{D}^{\tau _{c}},\sigma ^{\tau _{c}} }\right), \\ &\hspace {-2pc}with t^{\prime} =t+O\left ({q }\right)\mathrm { }andt^{\mathrm {''}}=t+O\left ({\sigma }\right)where q \\ &=\sum \nolimits _{\tau \mathrm {\in }{\mathcal {T}}_{T}} {\left ({q_{E}^{\tau }+q_{D}^{\tau } }\right)}and\sigma \\ &= \sum \nolimits _{\tau \in {\mathcal {T}}_{T}} {\left ({\sigma _{E}^{\tau }+\sigma _{D}^{\tau } }\right)\mathrm {.}}\end{align*} View Source\begin{align*} &\hspace {-2pc}{ADV}_{\Pi }^{vNBAE\left ({\tau _{c} }\right)}\left ({t,q_{E},q_{D},\sigma }\right) \\ &\le {ADV}_{\Pi }^{KESS}\left ({t^{\prime},q_{E},q_{D},\sigma }\right) \\ &+{ADV}_{\Pi \left [{ c }\right]}^{NBAE}\left ({t^{\mathrm {''}},q_{E}^{\tau _{c}},q_{D}^{\tau _{c}},\sigma ^{\tau _{c}} }\right), \\ &\hspace {-2pc}with t^{\prime} =t+O\left ({q }\right)\mathrm { }andt^{\mathrm {''}}=t+O\left ({\sigma }\right)where q \\ &=\sum \nolimits _{\tau \mathrm {\in }{\mathcal {T}}_{T}} {\left ({q_{E}^{\tau }+q_{D}^{\tau } }\right)}and\sigma \\ &= \sum \nolimits _{\tau \in {\mathcal {T}}_{T}} {\left ({\sigma _{E}^{\tau }+\sigma _{D}^{\tau } }\right)\mathrm {.}}\end{align*} The adversarial resources are $(t,q_{e},q_{d},\sigma)$ where $t$ is the adversarial running time $q_{D}\mathrm =(q_{E}^{\tau }\backslash \tau \in {\mathcal {T}}_{T})$ stands for the vector of the number of encryption queries made with the stretch value $\tau $ for every stretch $\tau \mathrm {\in }{\mathcal {T}}_{T}$ , and $q_{D}\mathrm =(q_{D}^{\tau }\backslash \tau \mathrm {\in }{\mathcal {T}}_{T})$ denotes the number of decryption queries, and $\sigma =(\sigma ^{\tau }\backslash \tau {\in }{\mathcal {T}}_{T})$ stands for the vector of the total amount of data processed by all queries with stretch value $\tau $ for every $\tau \in {\mathcal {T}}_{T}$ .

For a resources parameterized function of an AE scheme $\Pi $ for a given tag length value $\tau _{c}$ the adversarial advantage can be defined as ${ADV}_{\Pi }^{vNBAE\left ({\tau _{c} }\right)}\left ({r_{\tau _{c}} }\right)={Max}_{A}\{{ADV}_{\Pi }^{\tau _{c}}\left ({A}\right)\}$ . The maximum is taken over all adversaries with $r_{\tau _{c}}$ bound resources, the scheme is secure if, for all practical adversaries, with the resources mentioned above, the advantage is negligible. Thus a scheme $\Pi $ is a vNBAE-secure if for every stretch value $\tau _{c}\mathrm {\in }{\mathcal {T}}_{T}$ , for all practical adversaries with the specified resources, the advantage ${ADV}_{\Pi }^{vNBAE\left ({\tau _{c} }\right)}\left ({r_{\tau _{c}} }\right)$ is small, keeping in mind that the advantage ${ADV}_{\Pi }^{vNBAE\left ({\tau _{c} }\right)}\left ({r_{\tau _{c}} }\right)$ will be inevitably high if the stretch value $\tau _{c}$ is small.

F. A Lower Limit for Tag Lengths

As more data is processed with a single key, the security assurance provided by cryptographic systems deteriorates. Therefore, limiting the amount of plaintext and associated data blocks protected by calls to the authenticated encryption function during the key lifetime is recommended. For instance, $2^{64}$ would be a reasonable limit for most applications. Jovanovic, Luykx [75] set the integrity bound (tag length) of sponge-based schemes to $2^{\mathrm {c/2}}$ where c is the capacity. As soon as the lower bound limit approaches, a key exchange should be negotiated for the security to hold...Abdalla and Bellare [20] and Mennink [15] stated that with fresh rekeying, the security bounds of schemes could be enhanced, for instance, from $2^{\mathrm {k/2}}$ to $2^{\mathrm {k/3}}$ . For that reason, we claim that PAVTASP enhances the minimum recommended tag length of $2^{64}$ for the equal key length and capacity of 128 bits to $2^{\mathrm {128/3}}$ or approximately $2^{42} $ bits. NIST standard on this issue requires the implementing parties to be careful when using shorter tag lengths [40]. For instance, they recommend that packets that fail the integrity should be discarded silently to prevent them from giving useful information to the potential attackers and limiting the associated data packet to contain only the necessary header information.

G. Pavtasp Adversary Model

In this study, adversary A is considered powerful, with full access to the communication medium, intent on compromising privacy and integrity, access to encryption and decryption oracles, and the ability to employ various tag lengths while using the same key. Figure 4 depicts the PAVTASP adversarial model following the approach of Do et al. [77] and Jimale et al. [37].

FIGURE 4.

PAVTASP adversary model.

Show All

If adversary A cannot breach PAVTASP’s Security with a non-trivial probability under the specified assumptions, capabilities, and goals, then PAVTASP is assumed secure. For example, although A can utilize different values of stretch (tag lengths) under the same key, the KESS property instances of the schemes using stretch values are separated and cannot interact, so that will not increase the success probability of A.