Somewhat recently I learned that there's a separation between an encryption scheme being CCA2 secure and being AE secure, namely PRPs.
So if we would use AES as an encryption scheme for fixed-size messages it would be CCA2 secure but not AE secure as an adversary can simply query any ciphertext and not get $\perp$ back but some random value instead distinguishing the decryption oracle from the always-$\perp$-oracle.
Now I know of two constructions that given a PRP $P:\{0,1\}^k\times\{0,1\}^n\to\{0,1\}^n$ construct a larger domain PRP:
- The Feistel construction yielding a PRP $F_P:\{0,1\}^k\times\{0,1\}^{2n}\to\{0,1\}^{2n}$
- The EME construction yielding a PRP $E_P:\{0,1\}^k\times\{0,1\}^{mn}\to\{0,1\}^{mn}$ for $1\leq m\leq n$.
Using clever stacking of each individual of the two above constructions one can reach a scheme that is CCA2 secure but not AE secure for arbitrary input sizes. But there's a catch: The Feistel construction requires on average ~1/3 of the message size as additional padding as its permutation size only grows exponentially and EME also needs a non-constant (logarithmic?) amount of padding .
My question is now:
Is there a known construction that takes a (s)PRP and constructs a larger-domain (s)PRP such that both large inputs (several GB) are supported and the overhead / required padding for the construction is bounded by a constant independent of the message size?
Note: This is not intended for any practical application.
