Abstract
In this work we present the COLM authenticated encryption (AE) scheme which is the second of the two winners in the defense in depth category of the CAESAR competition. COLM realizes a nonce-based authenticated encryption with associated data and uses the popular AES blockcipher as its underlying primitive. We propose two possible blockcipher instantiations (with key of length 128 or 256 bits). We also define two COLM modes of operation variants: a primary COLM\(_0\) mode for general purpose applications, and a COLM\(_{\tau }\) variant with intermediate tag generation/verification geared to support low-end devices and applications where frequent verification is required. COLM is designed with security, simplicity, and efficiency in mind. The main design goal of COLM is high security: a primary feature of the defense in depth CAESAR category. COLM provides security beyond the traditional AE security. First, COLM is secure against nonce misuse, namely, it enables security in adversarial settings where the nonce inputs to the AE scheme repeat. In contrast to standardized and popular AE algorithms, such as GCM and OCB1-3 modes, whose AE security trivially breaks down when the nonce is repeated, COLM ensures both confidentiality and authenticity (AE) security with repeated nonces. Second, our COLM\(_{\tau }\) variant enables increased security levels in situations where release of unverified ciphertext (RUP) occurs due to its ability to limit a potential leakage by frequent verifications. In this work we prove COLM secure with respect to both confidentiality and authenticity (AE) security under nonce misuse in the well-known provable security framework. Our proofs show that COLM maintains n/2-bit security levels for block sizes of n bits. Furthermore, due to the inherent parallelism on both mode and primitive levels, our software performance results show that the price paid for enhanced security does come at the cost of minimal efficiency losses. More concretely, we implement GCM, COLM, and Deoxys-II on the Kaby Lake and Coffee lake Intel platforms. Compared to the other winner in the defense in depth category Deoxys-II, our AE design COLM\(_0\) performs 10–20% faster for the 128-bit key version. Regarding the 256-bit key versions COLM\(_0\) is around 5% faster for short and 2% slower than Deoxys-II for the longer messages.
Similar content being viewed by others
Notes
By a non-trivial decryption query, we mean a query which is not the prefix of an encryption query.
By remaining, we mean all the \(MM^-_i\) values that have not been set trivially due to the query pattern.
By non-trivial partial decryption query, we mean a partial decryption query which is not prefix of an encryption query.
References
E. Andreeva, A. Bogdanov, N. Datta, A. Luykx, B. Mennink, M. Nandi, E. Tischhauser, K. Yasuda, COLM (2014), submission to CAESAR competition
E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, How to securely release unverified plaintext in authenticated encryption, in Sarkar, P., Iwata, T. (eds.) Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873 (Springer, 2014), pp. 105–125. https://doi.org/10.1007/978-3-662-45611-8_6
E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, E. Tischhauser, K. Yasuda, Parallelizable and authenticated online ciphers, in Sako, K., Sarkar, P. (eds.) Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8269 (Springer, 2013), pp. 424–443. https://doi.org/10.1007/978-3-642-42033-7_22
M. Bellare, A. Boldyreva, L.R. Knudsen, C. Namprempre, Online ciphers and the hash-cbc construction, in Kilian, J. (ed.) Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, Proceedings. Lecture Notes in Computer Science, vol. 2139 (Springer, 2001), pp. 292–309. https://doi.org/10.1007/3-540-44647-8_18
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, R. Van Keer, Keyak v1 (2014), submission to CAESAR competition
H. Böck, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic, Nonce-disrespecting adversaries: Practical forgery attacks on GCM in TLS, in: Silvanovich, N., Traynor, P. (eds.) 10th USENIX Workshop on Offensive Technologies, WOOT 16, Austin, TX, USA, August 8–9, 2016 (USENIX Association, 2016), https://www.usenix.org/conference/woot16/workshop-program/presentation/bock
CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness (May 2014), http://competitions.cr.yp.to/caesar.html
J. Daemen, V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography (Springer, 2002), https://doi.org/10.1007/978-3-662-04722-4
N. Datta, A. Luykx, B. Mennink, M. Nandi, Understanding RUP integrity of COLM. IACR Trans. Symmetric Cryptol. 2017(2), 143–161 (2017), https://doi.org/10.13154/tosc.v2017.i2.143-161
N. Datta, M. Nandi, ELmD v1.0 (2014), submission to CAESAR competition
G. Endignoux, D. Vizár, Linking online misuse-resistant authenticated encryption and blockwise attack models. IACR Trans. Symmetric Cryptol. 2016(2), 125–144 (2016), https://doi.org/10.13154/tosc.v2016.i2.125-144
E. Fleischmann, C. Forler, S. Lucks, McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes, in Canteaut, A. (ed.) Fast Software Encryption - 19th International Workshop, FSE 2012, Washington, DC, USA, March 19-21, 2012. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7549 (Springer, 2012), pp. 196–215, https://doi.org/10.1007/978-3-642-34047-5_12
S. Halevi, P. Rogaway, A parallelizable enciphering mode. In: Okamoto, T. (ed.) Topics in Cryptology - CT-RSA 2004, The Cryptographers’ Track at the RSA Conference 2004, San Francisco, CA, USA, February 23-27, 2004, Proceedings. Lecture Notes in Computer Science, vol. 2964 (Springer, 2004), pp. 292–304, https://doi.org/10.1007/978-3-540-24660-2_23
V.T. Hoang, T. Krovetz, P. Rogaway, AEZ (2014), submission to CAESAR competition
J. Jean, I. Nikolić, T. Peyrin, Y. Seurin, Deoxys-II (2014), submission to CAESAR competition
J. Patarin, The "coefficients h" technique, in Avanzi, R.M., Keliher, L., Sica, F. (eds.) Selected Areas in Cryptography, 15th International Workshop, SAC 2008, Sackville, New Brunswick, Canada, August 14-15, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5381 (Springer, 2008), pp. 328–345, https://doi.org/10.1007/978-3-642-04159-4_21
P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in Lee, P.J. (ed.) Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5-9, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3329 (Springer, 2004), pp. 16–31, https://doi.org/10.1007/978-3-540-30539-2_2
M. Vanhoef, F. Piessens, Key reinstallation attacks: Forcing nonce reuse in WPA2. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017 (ACM, 2017), pp. 1313–1328, https://doi.org/10.1145/3133956.3134027
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Tetsu Iwata.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Andreeva, E., Bogdanov, A., Datta, N. et al. The COLM Authenticated Encryption Scheme. J Cryptol 37, 15 (2024). https://doi.org/10.1007/s00145-024-09492-8
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s00145-024-09492-8