Paper 2024/598

AE Robustness as Indistinguishable Decryption Leakage under Multiple Failure Conditions

Ganyuan Cao, École Polytechnique Fédérale de Lausanne
Abstract

Robustness has emerged as a crucial criterion for authenticated encryption, in addition to the requirements of confidentiality and integrity. In this work, we examine the robustness of AEAD by focusing on descriptive errors. We introduce a novel notion IND-CCLA to formalize this robustness. IND-CCLA extends common notions defined for AEAD schemes by augmenting with the indistinguishability of leakage caused by decryption failures, including text-based values and descriptive error messages, particularly in scenarios with multiple failure conditions. Using this notion, we explore the disparity between a single-error decryption function and the actual leakage that occurs during decryption. We propose the concept of error unicity, which mandates that only one error is revealed—whether explicitly through decryption or implicitly through leakage—even when multiple failure conditions exist. This aims to mitigate the security risks associated with disclosing multiple errors through leakage. We further extend this notion to IND-sf-CCLA to formalize the stateful security involving out-of-order ciphertexts. We provide a concrete proof of the robustness of the Encode-then-Encipher ($\textsf{EtE}$) paradigm using our notions, demonstrating its capability to handle multiple failure conditions. Additionally, we briefly present a transformation from our notion to a simulatable one, which can support future research on composable security regarding decryption leakage.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
AE Robustness, Decryption Leakage, IND-CCLA, Error Unicity, Security Proof
Contact author(s)
ganyuan cao @ epfl ch
History
2024-05-20: last of 5 revisions
2024-04-17: received
Short URL
https://ia.cr/2024/598
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/598,
      author = {Ganyuan Cao},
      title = {AE Robustness as Indistinguishable Decryption Leakage under Multiple Failure Conditions},
      howpublished = {Cryptology ePrint Archive, Paper 2024/598},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/598}},
      url = {https://eprint.iacr.org/2024/598}
}