Revisiting the Security of COMET Authenticated Encryption Scheme.

COMETv1, by Gueron, Jha and Nandi, is a mode of operation for noncebased authenticated encryption with associated data functionality. It is one of the second round candidates in the ongoing NIST Lightweight Cryptography Standardization Process. In this paper, we study a generalized version of COMETv1, that we call gCOMET, from provable security perspective. First, we present a comprehensive and complete security proof for gCOMET in the ideal cipher model. Second, we view COMET, the underlying mode of operation in COMETv1, as an instantiation of gCOMET, and derive its concrete security bounds. Finally, we propose another instantiation of gCOMET, that we call COMETv2, and show that this version achieves better security guarantees as well as memory-efficient implementations as compared to COMETv1.