
The COLM Authenticated Encryption Scheme

  • Research Article
Journal of Cryptology

Abstract

In this work we present the COLM authenticated encryption (AE) scheme, the second of the two winners in the defense in depth category of the CAESAR competition. COLM realizes nonce-based authenticated encryption with associated data and uses the popular AES blockcipher as its underlying primitive. We propose two possible blockcipher instantiations (with a key length of 128 or 256 bits). We also define two COLM modes of operation: a primary COLM\(_0\) mode for general-purpose applications, and a COLM\(_{\tau }\) variant with intermediate tag generation/verification, geared to support low-end devices and applications where frequent verification is required. COLM is designed with security, simplicity, and efficiency in mind. The main design goal of COLM is high security, the primary feature of the defense in depth CAESAR category. COLM provides security beyond traditional AE security. First, COLM is secure against nonce misuse: it remains secure in adversarial settings where the nonce inputs to the AE scheme repeat. In contrast to standardized and popular AE algorithms such as the GCM and OCB1-3 modes, whose AE security trivially breaks down when a nonce is repeated, COLM ensures both confidentiality and authenticity (AE) security with repeated nonces. Second, our COLM\(_{\tau }\) variant enables increased security levels in situations where release of unverified plaintext (RUP) occurs, because its frequent verifications limit the potential leakage. In this work we prove COLM secure with respect to both confidentiality and authenticity (AE) under nonce misuse in the well-known provable security framework. Our proofs show that COLM maintains n/2-bit security for a block size of n bits. Furthermore, owing to the inherent parallelism at both the mode and the primitive level, our software performance results show that the price paid for the enhanced security is only a minimal loss of efficiency.
More concretely, we implement GCM, COLM, and Deoxys-II on the Intel Kaby Lake and Coffee Lake platforms. Compared to Deoxys-II, the other winner in the defense in depth category, our AE design COLM\(_0\) performs 10–20% faster for the 128-bit key version. For the 256-bit key versions, COLM\(_0\) is around 5% faster than Deoxys-II for short messages and 2% slower for longer messages.
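To make the nonce-misuse point concrete, here is an added example (not code from the paper or the COLM submission): a GCM-style counter-mode AE, where a repeated nonce reuses the keystream and exposes the XOR of the two plaintexts, beside a generic SIV-style misuse-resistant construction (shown only for contrast; it is not COLM) and a defensive nonce-reuse guard. HMAC-SHA256 stands in for the AES block cipher so the code runs on the standard library alone; the key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the paper): a fixed key, one nonce used twice,
# and two equal-length messages that differ in a few bytes.
KEY = b"\x01" * 32
NONCE = b"\x02" * 12
AD = b"hdr"
M1 = b"transfer 100 USD"
M2 = b"transfer 900 USD"

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 stands in for the AES block cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_ctr_ae(key, nonce, ad, msg):
    """GCM-style nonce-based AE: the keystream depends only on (key, nonce)."""
    ct = _xor(msg, _keystream(key, nonce, len(msg)))
    tag = hmac.new(key, b"tag" + nonce + ad + ct, hashlib.sha256).digest()[:16]
    return ct, tag

def encrypt_siv_ae(key, nonce, ad, msg):
    """Generic misuse-resistant (SIV-style) AE for contrast; this is not COLM."""
    iv = hmac.new(key, b"siv" + nonce + ad + msg, hashlib.sha256).digest()[:16]
    return _xor(msg, _keystream(key, iv, len(msg))), iv

def keystream_reuse_leak(encrypt, key, nonce, ad, m1, m2) -> bool:
    """True when c1 XOR c2 == m1 XOR m2 under a repeated nonce, i.e. confidentiality is lost."""
    c1, _ = encrypt(key, nonce, ad, m1)
    c2, _ = encrypt(key, nonce, ad, m2)
    return _xor(c1, c2) == _xor(m1, m2)

class NonceGuard:
    """Defensive wrapper for a nonce-based AE: refuses to encrypt twice under one nonce."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def encrypt(self, nonce, ad, msg):
        if nonce in self.seen:
            raise ValueError("nonce reuse under this key")
        self.seen.add(nonce)
        return encrypt_ctr_ae(self.key, nonce, ad, msg)
```

With the same nonce, the counter-mode scheme leaks `M1 XOR M2` outright, while the SIV-style scheme reveals only whether two messages are identical; the guard turns a silent nonce repeat into a hard failure.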


Notes

  1. By a non-trivial decryption query, we mean a query which is not a prefix of an encryption query.

  2. By remaining, we mean all the \(MM^-_i\) values that have not been set trivially due to the query pattern.

  3. By a non-trivial partial decryption query, we mean a partial decryption query which is not a prefix of an encryption query.


Corresponding author

Correspondence to Atul Luykx.

Additional information

Communicated by Tetsu Iwata.


Cite this article

Andreeva, E., Bogdanov, A., Datta, N. et al. The COLM Authenticated Encryption Scheme. J Cryptol 37, 15 (2024). https://doi.org/10.1007/s00145-024-09492-8
