IACR News item: 26 February 2014
Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, Kan Yasuda
ePrint Report
We consider the case where an authenticated encryption scheme outputs the decrypted plaintext before successful verification. This scenario raises many security issues, and is highlighted in the upcoming CAESAR competition. It arises for example when devices have insufficient memory to store the entire plaintext, or when the decrypted plaintext needs to be processed early due to real-time requirements. Firstly, we formalize the releasing unverified plaintext (RUP) setting. To achieve privacy in this setting, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if there exists a plaintext extractor for every adversary. The plaintext extractor does not know the secret key, but tries to fool the adversary by mimicking the decryption oracle. The release of unverified plaintext then becomes harmless, because it is infeasible to distinguish between answers from the real decryption oracle and from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting (PA1 and PA2), and show implications and separations between PA1, PA2, and existing notions. To achieve integrity of the ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These security notions are then used to make a classification of symmetric-key schemes in the RUP setting. We analyze existing authenticated encryption schemes in this setting, and provide solutions to fix insecure schemes.
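The following is an added, runnable illustration of the plaintext-awareness game sketched in the abstract; it is not code from the paper or its authors, and its scheme names, key, probe values and HMAC-SHA256 stand-in for a block-cipher PRF are all assumptions made for the example. It builds a CTR-based encrypt-then-MAC scheme whose decryption routine releases plaintext without checking the tag (the RUP setting), a keyless plaintext extractor that tries to mimic that decryption oracle from the adversary's encryption transcript alone, and a PA1-style adversary that first decrypts under a nonce of its choice and then encrypts under the same nonce to see whether the released "keystream" was genuine. A synthetic-IV variant (IV derived by a PRF from nonce and plaintext) is included to show one way that specific probe is blunted; it is offered as an illustration of the extractor idea, not as the paper's classification of any named scheme or as its proposed fix.

```python
import hashlib
import hmac
import os

DEMO_KEY = bytes(range(32))  # constructed demo key, never reuse

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a toy PRF (assumption: stands in for a block cipher)."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """CTR-style keystream: PRF(iv || counter) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += prf(key, b"ks", iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class NonceCTR:
    """Encrypt-then-MAC over CTR with IV = nonce.
    decrypt_rup releases the plaintext before (and independently of) verify."""
    def __init__(self, key: bytes):
        self.key = key
    def encrypt(self, nonce: bytes, pt: bytes):
        iv = nonce
        ct = xor(pt, keystream(self.key, iv, len(pt)))
        return iv, ct, prf(self.key, b"tag", nonce + ct)
    def decrypt_rup(self, iv: bytes, ct: bytes) -> bytes:
        return xor(ct, keystream(self.key, iv, len(ct)))  # unverified plaintext
    def verify(self, nonce: bytes, iv: bytes, ct: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(prf(self.key, b"tag", nonce + ct), tag)

class SyntheticIVCTR(NonceCTR):
    """Same CTR core, but IV = PRF(nonce || plaintext); the IV doubles as the tag."""
    def encrypt(self, nonce: bytes, pt: bytes):
        iv = prf(self.key, b"iv", nonce + pt)[:16]
        return iv, xor(pt, keystream(self.key, iv, len(pt))), iv
    def verify(self, nonce: bytes, iv: bytes, ct: bytes, tag: bytes) -> bool:
        pt = self.decrypt_rup(iv, ct)
        return hmac.compare_digest(prf(self.key, b"iv", nonce + pt)[:16], tag) and tag == iv

class Extractor:
    """Keyless simulator of decrypt_rup. It only sees the adversary's encryption
    queries and answers; for a CTR core, pt xor ct is the keystream under that IV."""
    def __init__(self):
        self.ks = {}
    def observe(self, iv: bytes, pt: bytes, ct: bytes) -> None:
        if len(pt) > len(self.ks.get(iv, b"")):
            self.ks[iv] = xor(pt, ct)
    def decrypt_rup(self, iv: bytes, ct: bytes) -> bytes:
        seen = self.ks.get(iv, b"")
        if len(seen) < len(ct):
            # Assumption of this toy: unseen keystream is modelled as fresh PRF
            # output, so the extractor substitutes uniformly random bytes.
            seen += os.urandom(len(ct) - len(seen))
            self.ks[iv] = seen
        return xor(ct, seen)

def pa1_adversary(enc, dec, nonce: bytes = b"\x01" * 16) -> bool:
    """Returns True if it believes dec is the real (keyed) decryption oracle.
    Probe: decrypt an all-zero ciphertext under IV = nonce BEFORE any encryption
    with that nonce, then encrypt zeros under the nonce and compare."""
    probe = bytes(32)
    released = dec(nonce, probe)
    iv, ct, _tag = enc(nonce, probe)
    return iv == nonce and ct == released

def run_pa1_game(scheme_cls, key: bytes = DEMO_KEY):
    """(verdict against the real oracle, verdict against the extractor).
    Differing verdicts mean this adversary distinguishes the two: PA1 fails."""
    scheme = scheme_cls(key)
    real = pa1_adversary(scheme.encrypt, scheme.decrypt_rup)
    ext = Extractor()
    def enc_observed(nonce, pt):       # extractor watches every encryption query
        iv, ct, tag = scheme.encrypt(nonce, pt)
        ext.observe(iv, pt, ct)
        return iv, ct, tag
    sim = pa1_adversary(enc_observed, ext.decrypt_rup)
    return real, sim

if __name__ == "__main__":
    for cls in (NonceCTR, SyntheticIVCTR):
        print(cls.__name__, "real/sim verdicts:", run_pa1_game(cls))
```

With IV = nonce, the real oracle hands back the genuine keystream, the later encryption confirms it, and the keyless extractor (which could only guess) is caught; with a synthetic IV the adversary cannot steer the encryption oracle onto the IV it probed, so this particular probe learns nothing either way. Note that the extractor answers bit-flipped ciphertexts under an already-observed IV exactly as the real decryptor does, which is the "mimic the decryption oracle" behaviour the abstract describes; separately, verify still rejects such ciphertexts, which is the INT-RUP side of the picture.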