Symbol | Description |
---|---|

n | AEAD block length (in bits) |

k | AEAD key length (in bits) |

r | AEAD nonce length (in bits) |

t | Size of the authentication tag (in bits) |

l | Length of each message (in blocks) |

s | Total plaintext length in all messages (in blocks) |

q | Number of protected messages (AEAD encryption invocations) |

v | Number of attacker forgery attempts (failed AEAD decryption invocations) |

p | Adversary attack probability |

o | Offline adversary work (in number of encryption and decryption queries; multi-user setting only) |

u | Number of users or keys (multi-user setting only) |

B | Maximum number of blocks encrypted by any user or key (multi-user setting only) |

- Confidentiality advantage (CA): The probability of a passive attacker succeeding in breaking the confidentiality properties (IND-CPA) of the AEAD scheme. In this document, the definition of confidentiality advantage roughly is the probability that an attacker successfully distinguishes the ciphertext outputs of the AEAD scheme from the outputs of a random function.
- Integrity advantage (IA): The probability of a active attacker succeeding in breaking the integrity properties (INT-CTXT) of the AEAD scheme. In this document, the definition of integrity advantage roughly is the probability that an attacker is able to forge a ciphertext that will be accepted as valid.
- Authenticated Encryption advantage (AEA): The probability of a active attacker succeeding in breaking the authenticated-encryption properties of the AEAD scheme. In this document, the definition of authenticated encryption advantage roughly is the probability that an attacker successfully distinguishes the ciphertext outputs of the AEAD scheme from the outputs of a random function or is able to forge a ciphertext that will be accepted as valid.

- Confidentiality limit (CL): The number of messages an application can encrypt before giving the adversary a confidentiality advantage higher than CA.
- Integrity limit (IL): The number ciphertexts an application can decrypt, either successfully or not, before giving the adversary an integrity advantage higher than IA.
- Authenticated encryption limit (AEL): The combined number of messages and number of ciphertexts an application can encrypt or decrypt before giving the adversary an authenticated encryption advantage higher than AEA.