Closed cjpatton closed 10 months ago
Wouldn't the lack of blockwise security immediately preclude IND-CCA?
Yeah I suppose it would. I'm not sure it's worth getting this fine-grained in a document intended for IETF. Fewer options is better. Plus, IND-CCA is already standard for AEAD.
I'm not sure it's worth getting this fine-grained in a document intended for IETF. Fewer options is better.
I agree.
Hi all!
I looked through the related papers over the weekend and expanded the blockwise security section in the last commit to provide more context. The property is relevant for online AEADs used in streaming applications, and there is quite a lot of research on it. Additionally, it doesn't necessarily follow from IND-CCA, and not many algorithms provide it.
There is a dedicated security model for online AEADs called OAE. Blockwise security follows from it, but OAE is slightly stronger (it requires tags to be pseudorandom). Initially, it was claimed that OAE captures some sort of nonce-misuse resilience, but this assertion was questioned, and the model is now considered somewhat controversial.
So, I think blockwise security is the most relevant (strong) security target for online AEADs, and it would be nice to include it in the draft.
I'm not familiar with this property. Based on the description, it seems like (1) it would be a hard attack to pull off and (2) it doesn't necessarily apply to all AEADs.
For (1), I suggest clarifying the threat model for which this property is intended. It would also be helpful to get a flavor of how we mitigate attacks.