Symbol | Description |
---|---|

n | AEAD block length (in bits) |

k | AEAD key length (in bits) |

r | AEAD nonce length (in bits) |

t | Size of the authentication tag (in bits) |

L | Maximum length of each message (in blocks) |

s | Total plaintext length in all messages (in blocks) |

q | Number of protected messages (AEAD encryption invocations) |

v | Number of attacker forgery attempts (failed AEAD decryption invocations) |

p | Upper bound on adversary attack probability |

o | Offline adversary work (in number of encryption and decryption queries; multi-key setting only) |

u | Number of keys (multi-key setting only) |

B | Maximum number of blocks encrypted by any key (multi-key setting only) |

- Confidentiality advantage (CA): The probability of a passive attacker succeeding in breaking the confidentiality properties (IND-CPA) of the AEAD scheme. In this document, the definition of confidentiality advantage roughly is the probability that an attacker successfully distinguishes the ciphertext outputs of the AEAD scheme from the outputs of a random function.
- Integrity advantage (IA): The probability of an active attacker succeeding in breaking the integrity properties (INT-CTXT) of the AEAD scheme. In this document, the definition of integrity advantage roughly is the probability that an attacker is able to forge a ciphertext that will be accepted as valid.
- Authenticated Encryption advantage (AEA): The probability of an active attacker succeeding in breaking the authenticated-encryption properties of the AEAD scheme. In this document, the definition of authenticated encryption advantage roughly is the probability that an attacker successfully distinguishes the ciphertext outputs of the AEAD scheme from the outputs of a random function or is able to forge a ciphertext that will be accepted as valid.

- Confidentiality limit (CL): The number of messages an application can encrypt before giving the adversary a confidentiality advantage higher than CA.
- Integrity limit (IL): The number ciphertexts an application can decrypt, either successfully or not, before giving the adversary an integrity advantage higher than IA.
- Authenticated encryption limit (AEL): The combined number of messages and number of ciphertexts an application can encrypt or decrypt before giving the adversary an authenticated encryption advantage higher than AEA.

AEAD | Maximum q | Maximum v |
---|---|---|

AEAD_AES_128_GCM | 2^{32.5} |
2^{71} |

AEAD_AES_256_GCM | 2^{32.5} |
2^{71} |

AEAD_CHACHA20_POLY1305 | n/a | 2^{46} |

AEAD_AES_128_CCM | 2^{30} |
2^{30} |

AEAD_AES_128_CCM_8 | 2^{30.9} |
2^{13} |

AEAD | Maximum q | Maximum v |
---|---|---|

AEAD_AES_128_GCM | 2^{69}/B |
2^{69}/B |

AEAD_AES_256_GCM | 2^{69}/B |
2^{69}/B |

AEAD_CHACHA20_POLY1305 | 2^{100} |
2^{46} |

AEAD_AES_128_CCM | 2^{30}/sqrt(u) |
2^{30}/sqrt(u) |

AEAD_AES_128_CCM_8 | 2^{30.9}/sqrt(u) |
2^{13}/u |