Beyond full‐bit secure authenticated encryption without input‐length limitation

The security bound is an important evaluation criterion in an authenticated encryption (AE) scheme. Many AE schemes that are widely used have birthday-bound security, which means that the scheme has b/2-bit security, where b is the block size of the underlying primitive. However, due to the increased interest in lightweight cryptography, smaller block-size primitives have been developed, which has led to more active research on AE schemes with beyond birthday-bound security. Although all such AE schemes are secure up to a full-bit (i.e. b-bit) bound at most, Naito et al. proposed the first beyond full-bit-bound secure AE schemes, PFB_Plus and PFB omega, at Eurocrypt 2020. PFB_Plus and PFB omega achieve 2b-bit security and omega b-bit security, respectively, where omega is a parameter s.t. omega is an element of N. In this work, the author points out a downside of PFB omega that was not clearly specified in its proposal paper and resolves it with the proposed scheme, exPFB omega. The downside of PFB omega is that there is a limitation on each input size; it can process only up to 2(b) - 2 blocks for each input in spite of its high security bound. The author's scheme, exPFB omega, is the first AE to achieve omega b-bit security and has no limitation on each input size for omega >= 3.