AndAlBo/draft-irtf-cfrg-aead-properties

Section 4.2.9 needs a bit more precision


Nonce misuse resistance. Security is provided for all messages.

What do you mean by "Security" here? The usual notion of IND$-CPA, which implies that every ciphertext is computationally indistinguishable from random. We only get this for AEAD if every (nonce, associated data, triple) given to the encryption oracle is unique.

The reference [RS06] speaks about a weaker property that applies to deterministic AE. I'm not familiar with the second reference.

Formally, "Security" here refers to the standard Authenticated Encryption security --- indistinguishability from random ciphertexts and unforgeability, but even for plaintexts encrypted with repeated nonces. In the higher-level draft notions, it corresponds to "Confidentiality" and "Data integrity" for such messages.

[RS06] primarily addresses deterministic AE. However, it also introduces the Misuse Resistant Authenticated Encryption security notion in Section 7, Definition 5.
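The distinction drawn in this thread, shown as an added example that is not part of the draft or of either comment: a toy nonce-based AE and a toy SIV-style MRAE (the construction shape of [RS06] Section 7) are both driven with a deliberately repeated nonce, and the keystream/PRF primitives are constructed hash-based stand-ins assumed here for illustration, not real ciphers.

```python
import hashlib
import hmac

# Constructed toy primitives for illustration only, not a real cipher:
# keystream block i = SHA-256(key || iv || i); the PRF/MAC is HMAC-SHA256.
def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def nonce_based_encrypt(key, nonce, ad, pt):
    """Conventional nonce-based AE: keystream fixed by the nonce alone, tag over
    (nonce, ad, body). Returns (tag, body). Secure only while nonces never repeat."""
    body = xor_bytes(pt, keystream(key, nonce, len(pt)))
    return prf(key, nonce + ad + body), body

def siv_encrypt(key, nonce, ad, pt):
    """SIV-style MRAE (the shape of [RS06] Section 7): the synthetic IV is a PRF
    of (nonce, ad, pt), so only an exact (nonce, ad, pt) repeat is observable."""
    siv = prf(key, nonce + ad + pt)
    return siv, xor_bytes(pt, keystream(key, siv, len(pt)))

def siv_decrypt(key, nonce, ad, siv, body):
    pt = xor_bytes(body, keystream(key, siv, len(body)))
    if not hmac.compare_digest(siv, prf(key, nonce + ad + pt)):
        raise ValueError("authentication failed")
    return pt

def siv_rejects(key, nonce, ad, siv, body) -> bool:
    """True when decryption rejects (integrity survives nonce misuse)."""
    try:
        siv_decrypt(key, nonce, ad, siv, body)
    except ValueError:
        return True
    return False

def body_xor(encrypt, key, nonce, ad, pt1, pt2) -> bytes:
    """XOR of two ciphertext bodies sent under one nonce; equals pt1 XOR pt2
    exactly when the keystream was reused, i.e. when confidentiality is gone."""
    return xor_bytes(encrypt(key, nonce, ad, pt1)[1], encrypt(key, nonce, ad, pt2)[1])

# Constructed sample inputs; NONCE is deliberately reused for two messages.
KEY, NONCE, AD = b"k" * 32, b"nonce-used-twice", b"header"
P1, P2 = b"message number one", b"message number two"
```

With the repeated nonce, `body_xor` on the nonce-based scheme returns exactly `P1 XOR P2`, while on the SIV scheme it returns unrelated bytes and decryption still rejects any tampering; the only thing SIV gives away is whether the full (nonce, AD, plaintext) triple repeated.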