

Then, we proceed by showing a second modular approach to formalizing the goal by combining the nAE notion and a new property we call “key-equivalent separation by stretch” (kess). Second, we provide a formal definition for the notion of nonce-based variable-stretch AE (nvAE) as a natural extension to the traditional nAE model. First, we show that several recently proposed heuristic measures trying to augment the known schemes by inserting the tag length into the nonce and/or associated data fail to deliver any meaningful security in this setting. Yet there is a lack of formal definition for this goal. The problem of enhancing the well-established nonce-based AE (nAE) model and the standard schemes thereof to support variable tag lengths per key, without sacrificing any desirable functional and efficiency properties such as online encryption, has recently regained interest as evidenced by extensive discussion threads on the CFRG forum and the CAESAR competition. The RAE definition by Hoang, Krovetz, and Rogaway (Eurocrypt 2015), aiming at the “best-possible” AE security, supports variable stretch among other strong features, but achieving the RAE goal incurs a particular inefficiency: neither encryption nor decryption can be online. However, using variable-length tags per key can be desirable in practice or may occur as a result of a misuse. stretch or tag length, is a constant or a parameter of the scheme that must be fixed per key. In conventional authenticated-encryption (AE) schemes, the ciphertext expansion, a.k.a. NEC Laboratories Europe, Germany EPFL, Switzerland EPFL, Switzerland Reza Reyhanitabar Serge Vaudenay Damian Vizár Authenticated Encryption with Variable Stretch.We stress however that our results do not invalidate the OTR construction as a whole but simply prove that the TBC’s input masks should be designed differently. We indeed describe collisions between the input masks derived from the tweaks and explain how they result in practical attacks against this scheme, breaking privacy, authenticity, or both, using a single encryption query, with advantage at least 1/4. In this work we focus on OTR’s way to instantiate a TBC and show that it does not achieve such a property for a large amount of parameters.

More specifically, each tweak is expected to define a different, independent pseudo-random permutation. It considers an additional input, called tweak, to a standard blockcipher which adds some variability to this primitive. Tweakable blockcipher (TBC) is a powerful tool to design authenticated encryption schemes as illustrated by Minematsu’s Offset Two Rounds (OTR) construction.

In this paper, we extend their results to $n$-party protocols for $n \geq 2$, and prove that it is infeasible to securely compute every function while hiding two or more (input or output) sizes. Lindell, Nissim, and Orlandi (ASIACRYPT 2013) studied feasibility and infeasibility of general two-party protocols that hide not only the contents of the inputs of parties, but also some sizes of the inputs and/or the output.
