The section is divided as follows. In Appendix C.1, we consider pseudorandom functions based on secret tweakable permutations, and derive a bound on the security of MROAbs. Similarly, we consider the IV-CPA security of MROEnc in Appendix C.2. The proof of Theorem 6 is then given in Appendix C.3.
C.1 Secret-Primitive Pseudorandom Functions
Let $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$ be a tweakable permutation with $\mathcal{T}$ of Section 5. Let $F^{\tilde\pi} : \{0,1\}^* \to \{0,1\}^\tau$ be a keyless MAC function based on $\tilde\pi$ that processes a message $M$ of arbitrary length to derive a tag $T \in \{0,1\}^\tau$. (Theoretically, $\tilde\pi$ functions as the key to $F$, but for the sake of presentation it is better to view $F$ as a keyless function.) Define by $\$_F$ an idealized version of $F$, which returns $T \xleftarrow{\$} \{0,1\}^\tau$ for every input. We define the pseudorandom function (PRF) security of $F$ based on secret $\tilde\pi$ as

$$\mathrm{Adv}^{\mathrm{prf}}_{F}(D) = \Delta_{D}\big(F^{\tilde\pi} ;\ \$_F\big), \qquad (9)$$

where the probabilities are taken over the random choices of $\tilde\pi$ and $\$_F$. By $\mathrm{Adv}^{\mathrm{prf}}_{F}(q, \sigma)$ we denote the maximum advantage over all distinguishers that make at most $q$ queries to the construction encryption oracle, of total length at most $\sigma$ padded blocks.
Secret-Primitive MROAbs. We will analyze the PRF security of a keyless variant $\mathrm{MROAbs} : \{0,1\}^n \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^\tau$ based on ideal tweakable permutation $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$, cf. Fig. 8.
[Fig. 8: Keyless $\mathrm{MROAbs}^{\tilde\pi}$ based on secret tweakable permutation $\tilde\pi$. The figure shows $\tilde\pi$ evaluated on the padded header blocks $H_0\|0^*, \ldots, H_{h-1}\|0^*$ with tweaks $(N,0,0,0), \ldots, (N,h-1,0,0)$, on the padded message blocks $M_0\|0^*, \ldots, M_{m-1}\|0^*$ with tweaks $(N,0,1,0), \ldots, (N,m-1,1,0)$, and a final call with tweak $(N,0,2,0)$ on a $b$-bit state that also takes in the encoded lengths $|H|\,\|\,|M|$, truncated to the $\tau$-bit tag $T$.]
Lemma 10. Let $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$ and consider $\mathrm{MROAbs}^{\tilde\pi}$ of Fig. 8. Then,

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{MROAbs}}(q, \sigma) \le \frac{\sigma^2}{2^b}.$$

Proof. Note that every different nonce sets an independent instance of $\mathrm{MROAbs}^{\tilde\pi}$, as $\tilde\pi$ is a random tweakable permutation. For $N \in \{0,1\}^n$, denote by $\sigma_N$ the total complexity made for nonce $N$. Consider $\mathrm{MROAbs}^{\tilde\pi}(N, \cdot, \cdot)$ for any fixed nonce $N$. Theorem 15 of the full version of [74] shows that it is indistinguishable from $\$_F(N, \cdot, \cdot)$ up to $\sigma_N^2 / 2^b$. Summation over all nonces gives $\sum_{N \in \{0,1\}^n} \sigma_N^2 / 2^b \le \sigma^2 / 2^b$. $\square$
C.2 Secret-Primitive Encryption Schemes
Let $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$ be a tweakable permutation with $\mathcal{T}$ of Section 5. Let $E^{\tilde\pi} : \{0,1\}^n \times \{0,1\}^* \to \{0,1\}^\tau \times \{0,1\}^*$ be a keyless initial value based encryption scheme based on $\tilde\pi$ that processes a message $M$ of arbitrary length as follows: it selects a random initial value $IV \xleftarrow{\$} \{0,1\}^\tau$ and uses it to derive a ciphertext $C \in \{0,1\}^{|M|}$. It is required to be invertible for fixed $IV$ and nonce $N$, and its inverse is denoted by $(E^{\tilde\pi})^{-1}(IV, N, \cdot)$. Define by $\$_E$ an idealized version of $E$, which returns $IV \| C \xleftarrow{\$} \{0,1\}^{\tau + |M|}$ for every input. Following Namprempre et al. [68], we define the IV-based chosen plaintext attack (IV-CPA) security of $E$ based on $P$ as

$$\mathrm{Adv}^{\mathrm{iv\text{-}cpa}}_{E}(D) = \Delta_{D}\big(E^{\tilde\pi} ;\ \$_E\big), \qquad (10)$$

where the probabilities are taken over the random choices of $E$, $\tilde\pi$ and $\$_E$. By $\mathrm{Adv}^{\mathrm{iv\text{-}cpa}}_{E}(q, \sigma)$ we denote the maximum advantage over all distinguishers that make at most $q$ queries to the construction encryption oracle, of total length at most $\sigma$ padded blocks.
Secret-Primitive MROEnc. We will analyze the IV-CPA security of a keyless variant $\mathrm{MROEnc} : \{0,1\}^n \times \{0,1\}^* \times \{0,1\}^\tau \to \{0,1\}^*$ based on ideal tweakable permutation $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$, cf. Fig. 9. It is required to be given a random $T \xleftarrow{\$} \{0,1\}^\tau$ (included as explicit parameter to MROEnc for simplicity), which operates as the $IV$, and produces a ciphertext on input of a nonce and a message. Note that MROEnc only uses $\tilde\pi$ for tweaks of the form $(N,0,0,1)$, but generality is maintained to suit the analysis.
[Fig. 9: Keyless $\mathrm{MROEnc}^{\tilde\pi}$ based on secret tweakable permutation $\tilde\pi$. The figure shows $\tilde\pi^{N,0,0,1}$ evaluated on $T\|0\|0^*, \ldots, T\|(m-1)\|0^*$, with the outputs XORed into the message blocks $M_0, \ldots, M_{m-1}$ to give the ciphertext blocks $C_0, \ldots, C_{m-1}$.]
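To make the objects of Fig. 9 and Lemma 11 concrete, here is an added Python model (not from the paper) of the keyless MROEnc over a lazily sampled ideal tweakable permutation, together with the IV-collision event behind the $q^2/2^{\tau+1}$ term. The toy sizes $b = 128$ and $\tau = 64$, the encoding of ctr as a big-endian block index filling the rest of $T \| \mathrm{ctr}$, and all helper names are assumptions of this example.

```python
import secrets
from typing import Dict, Tuple

B_BYTES = 16     # b = 128 bits: toy permutation width (assumed, not the paper's b)
TAU_BYTES = 8    # tau = 64 bits: width of the tag T that doubles as the IV
CTR_BYTES = B_BYTES - TAU_BYTES   # assumption: ctr fills the rest of T || ctr

class IdealTweakablePermutation:
    """Lazily sampled random tweakable permutation: an independent random
    permutation of {0,1}^b for every tweak (models pi <-$ Perm~(T, b))."""
    def __init__(self) -> None:
        self.table: Dict[Tuple, Dict[bytes, bytes]] = {}

    def __call__(self, tweak: Tuple, x: bytes) -> bytes:
        fwd = self.table.setdefault(tweak, {})
        if x not in fwd:
            used = set(fwd.values())          # keep each per-tweak map injective
            y = secrets.token_bytes(B_BYTES)
            while y in used:
                y = secrets.token_bytes(B_BYTES)
            fwd[x] = y
        return fwd[x]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mro_enc(pi: IdealTweakablePermutation, N: bytes, T: bytes, M: bytes) -> bytes:
    """Keyless MROEnc of Fig. 9: C_i = M_i xor pi^{N,0,0,1}(T || i).
    Only the tweak (N,0,0,1) is used; the last block is truncated to |M|."""
    C = bytearray()
    for i, off in enumerate(range(0, len(M), B_BYTES)):
        block_in = T + i.to_bytes(CTR_BYTES, "big")    # T || ctr, exactly b bits here
        stream = pi((N, 0, 0, 1), block_in)
        chunk = M[off:off + B_BYTES]
        C += xor(chunk, stream[:len(chunk)])
    return bytes(C)

# For fixed (N, IV = T) the scheme is an XOR stream, so its inverse is the same map.
mro_dec = mro_enc

def iv_reuse_leak(pi, N: bytes, T: bytes, M1: bytes, M2: bytes) -> bool:
    """The failure mode behind the q^2/2^(tau+1) term: two queries under the same
    nonce whose random IVs collide share a keystream, so C1 xor C2 = M1 xor M2."""
    C1, C2 = mro_enc(pi, N, T, M1), mro_enc(pi, N, T, M2)
    return xor(C1, C2) == xor(M1, M2)
```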
Lemma 11. Let $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$ and consider $\mathrm{MROEnc}^{\tilde\pi}$ of Fig. 9. Then,

$$\mathrm{Adv}^{\mathrm{iv\text{-}cpa}}_{\mathrm{MROEnc}}(q, \sigma) \le \frac{\sigma^2}{2^b} + \frac{q^2}{2^{\tau+1}}.$$

Proof. Note that every different nonce sets an independent instance of $\mathrm{MROEnc}^{\tilde\pi}$, as $\tilde\pi$ is a random tweakable permutation. For $N \in \{0,1\}^n$, denote by $q_N$ the total number of queries and by $\sigma_N$ the total complexity for nonce $N$. Consider $\mathrm{MROEnc}^{\tilde\pi}(N, \cdot, \cdot)$ for any fixed nonce $N$. It is reminiscent of XOR\$ from Bellare et al. [8] with two differences: (i) XOR\$ uses a random function while MROEnc uses a permutation $\tilde\pi^{N,0,0,1}$, and (ii) XOR\$ inputs $T + \mathrm{ctr}$ to the primitive while MROEnc inputs $T \| \mathrm{ctr}$. The proof nevertheless mostly carries over. As a first step, we replace $\tilde\pi^{N,0,0,1}$ by a random function $\$_F : \{0,1\}^b \to \{0,1\}^b$. This step costs us at most $\sigma_N^2 / 2^b$ by the RP/RF-switch. Note that every new initial value sets an independent instance of $\mathrm{MROEnc}^{\$_F}$, as $\$_F$ is a random function. Denote the $q$ initial values by $T_1, \ldots, T_q$. Clearly, $\mathrm{MROEnc}^{\$_F}$ behaves like a random $\$_E$ as long as $T_i \ne T_j$. A collision in the $T$'s happens with probability at most $q^2 / 2^{\tau+1}$, due to our condition that the $T$'s are uniformly randomly generated from $\{0,1\}^\tau$. Concluding, $\mathrm{MROEnc}^{\tilde\pi}(N, \cdot, \cdot)$ is indistinguishable from $\$_E(N, \cdot, \cdot)$ up to $\sigma_N^2 / 2^b + q_N^2 / 2^{\tau+1}$. Summation over all nonces gives

$$\sum_{N \in \{0,1\}^n} \left( \frac{\sigma_N^2}{2^b} + \frac{q_N^2}{2^{\tau+1}} \right) \le \frac{\sigma^2}{2^b} + \frac{q^2}{2^{\tau+1}}. \qquad \square$$

C.3 Proof of Theorem 6

Let $K \xleftarrow{\$} \{0,1\}^k$ and $P \xleftarrow{\$} \mathrm{Perm}(b)$. Let $D$ be a nonce-misusing AE distinguisher against MRO. For rigor, write $\mathcal{E}[\mathrm{Abs}^P_K, \mathrm{Enc}^P_K] := \mathrm{MRO}\mathcal{E}_K$ and $\mathcal{D}[\mathrm{Abs}^P_K, \mathrm{Dec}^P_K] := \mathrm{MRO}\mathcal{D}_K$, including an explicit mention of the underlying primitive $P$.
As explained in Section 5, we can identify the tweakable blockcipher $\tilde E$ of Section 3 in MRO. It is used for tweak space

$$\mathcal{T} = \mathcal{T}' = \{0,1\}^{b-k} \times \{0, 1, \ldots, 2^{1020} - 1\} \times \{0,1,2\} \times \{0,1\}.$$

We replace $\tilde E$ with a random secret tweakable permutation $\tilde\pi \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$, and find by a hybrid argument:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{ae}}_{\mathrm{MRO},P}(D) &= \Delta_D\big(\mathcal{E}[\mathrm{Abs}^P_K, \mathrm{Enc}^P_K], \mathcal{D}[\mathrm{Abs}^P_K, \mathrm{Dec}^P_K], P^{\pm} ;\ \$_E, \bot, P^{\pm}\big) \\
&\le \Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi}], P^{\pm} ;\ \$_E, \bot, P^{\pm}\big) + \Delta_{D_1}\big(\tilde E^P_K, P^{\pm} ;\ \tilde\pi, P^{\pm}\big) \\
&= \Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi}], P^{\pm} ;\ \$_E, \bot, P^{\pm}\big) + \mathrm{Adv}^{\widetilde{\mathrm{mprp}}}_{\tilde E, P}(D_1),
\end{aligned}$$
where $\mathrm{Abs}^{\tilde\pi}$ is the keyless PRF of Fig. 8 and $\mathrm{Enc}^{\tilde\pi}$ the encryption scheme of Fig. 9 (with $\mathrm{Dec}^{\tilde\pi}$ its corresponding decryption function), and where $D_1$ is some MTPRP distinguisher making at most $\sigma$ construction queries and at most $p$ queries to $P^{\pm}$ (in the $q_E + q_D$ evaluations of $\mathcal{E}$ and $\mathcal{D}$, the underlying $\tilde E$ is evaluated at most $\sigma$ times). By Lemma 4, the masking space $\mathcal{T}$ is $b$-proper, and Theorem 2 applies.
We proceed with the remaining $\Delta$-distance. As before, the construction oracles are independent of $P^{\pm}$ and we can drop it without loss of generality. Let $\tilde\pi' \xleftarrow{\$} \widetilde{\mathrm{Perm}}(\mathcal{T}, b)$. Then,

$$\begin{aligned}
\Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi}], P^{\pm} ;\ \$_E, \bot, P^{\pm}\big) &= \Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi}] ;\ \$_E, \bot\big) \\
&= \Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi'}] ;\ \$_E, \bot\big),
\end{aligned}$$

as Abs and Enc/Dec evaluate $\tilde\pi$ on different tweaks.
The above reduction allows us to view the absorption and encryption as independently keyed (via $\tilde\pi$ and $\tilde\pi'$). This paves the path for the use of a separation of AE security into PRF security of Abs and IV-CPA security of Enc, as inspired by the MAC-then-Encrypt approach of Namprempre et al. [68] and its adaptation to misuse resistance as presented by Gueron and Lindell [39]. For completeness, we re-derive it for our current setting. We have
$$\begin{aligned}
&\Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi'}] ;\ \$_E, \bot\big) \\
&\le \Delta_D\big(\mathcal{E}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\mathrm{Abs}^{\tilde\pi}, \mathrm{Dec}^{\tilde\pi'}] ;\ \mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\$_F, \mathrm{Dec}^{\tilde\pi'}]\big) + \Delta_D\big(\mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\$_F, \mathrm{Dec}^{\tilde\pi'}] ;\ \$_E, \bot\big) \\
&\le \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Abs}}(D_2) + \Delta_D\big(\mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\$_F, \mathrm{Dec}^{\tilde\pi'}] ;\ \$_E, \bot\big),
\end{aligned}$$

where $D_2$ is some PRF distinguisher making at most $q_E + q_D$ queries to the construction encryption oracle, of total length at most $\sigma$ blocks. Regarding the remaining distance:
$$\begin{aligned}
\Delta_D\big(\mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\$_F, \mathrm{Dec}^{\tilde\pi'}] ;\ \$_E, \bot\big) &\le \Delta_D\big(\mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\$_F, \mathrm{Dec}^{\tilde\pi'}] ;\ \mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \bot\big) + \Delta_D\big(\mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \bot ;\ \$_E, \bot\big) \\
&\le \Delta_D\big(\mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \mathcal{D}[\$_F, \mathrm{Dec}^{\tilde\pi'}] ;\ \mathcal{E}[\$_F, \mathrm{Enc}^{\tilde\pi'}], \bot\big) + \mathrm{Adv}^{\mathrm{iv\text{-}cpa}}_{\mathrm{Enc}}(D_3),
\end{aligned}$$

where $D_3$ is some IV-CPA distinguisher making at most $q_E$ queries to the construction encryption oracle, of total length at most $\sigma$ blocks. The remaining distance boils down to forging a tag for a random $\$_F$, in which $D$ succeeds with probability at most $q_D / 2^\tau$. Concluding, we find that
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{ae}}_{\mathrm{MRO},P}(D) &\le \mathrm{Adv}^{\widetilde{\mathrm{mprp}}}_{\tilde E, P}(D_1) + \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Abs}}(D_2) + \mathrm{Adv}^{\mathrm{iv\text{-}cpa}}_{\mathrm{Enc}}(D_3) + \frac{q_D}{2^\tau} \\
&\le \mathrm{Adv}^{\widetilde{\mathrm{mprp}}}_{\tilde E, P}(\sigma, p) + \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Abs}}(q_E + q_D, \sigma) + \mathrm{Adv}^{\mathrm{iv\text{-}cpa}}_{\mathrm{Enc}}(q_E, \sigma) + \frac{q_D}{2^\tau}.
\end{aligned}$$
A bound on the first term follows from Theorem 2 and the $b$-properness of the masking. The remaining two advantages are bounded using Lemmas 10 and 11.