Subject: AEZ: omission of a table or concrete-security formula for Sect 2 (Security Goals)
From: Phillip Rogaway
Date: Mon, 31 Mar 2014 16:50:40 -0700 (Pacific Daylight Time)
To: crypto-competitions@googlegroups.com
Message-ID:
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)

As requested by the CAESAR secretary, this note is to concretize the security goals for AEZ parameter set "aez".

The basic security goal for aez is that an adversary can't be exhibited that violates confidentiality or integrity with advantage exceeding

    22 s^2 / 2^128 + max(t/2^128, 2^-61)

where s is the total number of 16-byte blocks of messages encrypted-or-authenticated (plus 3 blocks per message, by convention) and t is the time (including the description size) in which the adversary runs.

(a) When we speak here of violating confidentiality or integrity we mean the MRAE (misuse-resistant AE) notion of Rogaway-Shrimpton-2004.

(b) The second addend in the formula above is just a stand-in for an advantage term associated to breaking the strong-PRP property for AES. The value has been increased over the more naive t/2^128 value to account for low-advantage distinguishing attacks on AES (see [Bernstein and Lange, AC13]) that can be adapted to AEZ and other AE schemes.

(c) The constants 22 and 3 are sufficient for our security bounds for AEZ+. We heuristically assume that these same bounds hold for AEZ itself.

(d) The number of encryption and decryption queries does not appear in the formula above because, for simplicity, we have folded them into 's'.

Kind regards,

Viet Tung Hoang
Ted Krovetz
Phil Rogaway
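An added worked example, not part of the note or of the AEZ submission, that evaluates the bound above exactly and inverts it to answer the deployment question it implies: how many blocks may be processed under one key before the advantage exceeds a chosen budget. The per-message block accounting (a partial final block counted as a whole block) and the t = 2^64 / 2^-32 scenario in the usage section are assumptions, not figures from the note.

```python
from fractions import Fraction
import math

BLOCK_BYTES = 16
OVERHEAD_BLOCKS_PER_MESSAGE = 3   # "plus 3 blocks per message, by convention"


def block_count(message_lengths):
    """Total s for a sequence of message byte-lengths.

    Assumption (not stated in the note): a partial final block counts as a
    whole 16-byte block, so each message contributes ceil(len/16) + 3 blocks.
    """
    return sum(-(-n // BLOCK_BYTES) + OVERHEAD_BLOCKS_PER_MESSAGE
               for n in message_lengths)


def aez_advantage_bound(s, t):
    """Exact value of 22 s^2 / 2^128 + max(t / 2^128, 2^-61) as a Fraction."""
    return Fraction(22 * s * s, 2**128) + max(Fraction(t, 2**128),
                                              Fraction(1, 2**61))


def max_blocks_for_advantage(target_log2, t):
    """Largest s with bound(s, t) <= 2^-target_log2, or 0 when the time term
    alone already meets or exceeds the target (no data fits in the budget)."""
    target = Fraction(1, 2**target_log2)
    second = max(Fraction(t, 2**128), Fraction(1, 2**61))
    if target < second:
        return 0
    # Solve 22 s^2 <= (target - second) * 2^128 for the largest integer s.
    budget = (target - second) * 2**128 / 22
    return math.isqrt(int(budget))   # int() floors a positive Fraction


if __name__ == "__main__":
    # Constructed scenario: adversary time t = 2^64, advantage budget 2^-32.
    s_max = max_blocks_for_advantage(32, 2**64)
    print(f"blocks within budget: {s_max} (~{s_max * BLOCK_BYTES / 2**40:.0f} TiB)")
    s = block_count([1024] * 1000)
    print(f"1000 x 1 KiB messages -> s = {s}, bound = {float(aez_advantage_bound(s, 2**64)):.3e}")
```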