Re: enc and auth scheme with tiny cryptograms

Alexander Bernauer wrote:
The receiver discards authentication failures.

Why does this matter?

Only in that it affects the number of forgery attempts an attacker
can make. The attacker's overall success probability is related to
the probability that any particular forgery attempt is successful
(which is basically 1/2^T, for a T-bit message authentication tag)
times the number of forgery attempts the attacker can make. If you
can reduce the latter quantity, then you might be able to shorten the
tag and maintain the same level of security.

If the receiver discards authentication failures, the number of
forgery attempts the attacker can make is basically related to the
maximum channel throughput (the number of packets that can be sent
to the receiver per second) times the expected lifetime of the system.
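
The relationship described above, worked through as an added example that is not part of the original message: it sizes a tag from throughput times lifetime and checks the 1/2^T-per-attempt model against a simulated receiver that drops failures. The truncated HMAC-SHA256 tag, the function names and the traffic figures are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import random

def max_forgery_attempts(packets_per_second, lifetime_seconds):
    """Upper bound on forgery attempts: channel throughput times system lifetime."""
    return packets_per_second * lifetime_seconds

def forgery_success_probability(tag_bits, attempts):
    """Chance that at least one of `attempts` guesses hits a T-bit tag.

    Exact form 1 - (1 - 2^-T)^q, which attempts / 2^T bounds from above.
    """
    return -math.expm1(attempts * math.log1p(-(2.0 ** -tag_bits)))

def min_tag_bits(attempts, max_risk):
    """Smallest T with attempts / 2^T <= max_risk."""
    return max(1, math.ceil(math.log2(attempts / max_risk)))

def truncated_tag(key, message, tag_bits):
    """HMAC-SHA256 truncated to its leading tag_bits bits (assumed MAC)."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - tag_bits)

def simulate(tag_bits, attempts, trials, seed=1):
    """Fraction of trials in which some forged packet passes verification."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    wins = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        for n in range(attempts):
            forged_msg = n.to_bytes(4, "big")
            guess = rng.getrandbits(tag_bits)
            # Receiver silently drops failures, so the sender learns nothing.
            if guess == truncated_tag(key, forged_msg, tag_bits):
                wins += 1
                break
    return wins / trials

if __name__ == "__main__":
    # Constructed figures: 100 packets/s for 10 years, target risk 2^-20.
    q = max_forgery_attempts(100, 10 * 365 * 24 * 3600)
    print("attempts:", q, "minimum tag bits:", min_tag_bits(q, 2.0 ** -20))
    print("8-bit tag, 64 attempts, model:", forgery_success_probability(8, 64))
    print("8-bit tag, 64 attempts, simulated:", simulate(8, 64, 2000))
```

Halving the number of packets the receiver can accept over its lifetime lowers the required tag length by one bit for the same overall risk.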