In a previous article I showed how to build an authenticated encryption mode that is resistant to nonce reuse:
Decipher oracle DSIV requires that the plaintext be computed before verification can take place. This opens up the possibility of the mode leaking plaintext before authentication has happened. Leaking unverified plaintext from this mode results in a distinguisher; namely:
This distinguisher is a consequence of the keystream being a function of the tag. By submitting an identical tag across two different decipherments, the keystream is reused, and so the sum of the plaintexts equals the sum of the ciphertexts. Can we design a mode that is resistant to the release of unverified plaintext (RUP)?
There are three important things to note about decipher oracle DSIV. First, the keystream is computed as a pseudorandom function of the tag; second, the adversary has direct control over the tag input to the oracle; third, the distinguisher requires distinct ciphertexts paired with an identical tag. What we can do is blind the tag with a pseudorandom function of the ciphertext:
With decipher oracle DRIV, it is easy to see that the distinguisher no longer applies. The tag is effectively encrypted by a pseudorandom function of the ciphertext, which results in two uncorrelated tags given two distinct ciphertexts.
Similar to the SIV mode, we can add session support to the RIV mode as well:
The mode described here can be viewed as a special case of a Feistel network: