Symbol | Description |
---|---|
n | Number of bits per block |
k | Size of the AEAD key (in bits) |
t | Size of the authentication tag (in bits) |
l | Length of each message (in blocks) |
s | Total plaintext length in all messages (in blocks) |
q | Number of user encryption attempts |
v | Number of attacker forgery attempts |
p | Adversary attack probability |
o | Offline adversary work (in number of encryption and decryption queries; multi-user setting only) |
u | Number of users or keys (multi-user setting only) |

- Confidentiality advantage (CA): The advantage of an attacker succeeding in breaking the confidentiality properties of the AEAD. In this document, the definition of confidentiality advantage is the increase in the probability that an attacker is able to successfully distinguish an AEAD ciphertext from the output of a random function.
- Integrity advantage (IA): The probability of an attacker succeeding in breaking the integrity properties of the AEAD. In this document, the definition of integrity advantage is the probability that an attacker is able to forge a ciphertext that will be accepted as valid.

- Confidentiality limit (CL): The number of bytes of plaintext, and possibly authenticated additional data (AAD), that an application can encrypt before giving the adversary a non-negligible CA.
- Integrity limit (IL): The number of bytes of ciphertext, and possibly authenticated additional data (AAD), that an application can process, either successfully or not, before giving the adversary a non-negligible IA.