1 Introduction

Authentication encryption \(\left( \text {AE}\right) \) is a procedure by which a sender transmits data to a receiver such that the receiver can detect whether the data has been altered [1–3]. In addition, AE lets the receiver check the authenticity of the sender and of the message. AE has many applications in secure communication, such as digital signatures, IP security, data authentication, e-mail security, and IoT [18–21]. It is also a promising cryptographic primitive for resource-constrained devices and IoT end devices [36–38]. In the domain of data communication there are a great many senders and receivers [4–8], so establishing a private network for every pair of parties is infeasible and expensive [2, 3, 6–8]. The only practical option is therefore a security solution over the public network that ensures both the privacy and the authenticity of the data. Generally, AE has two components: symmetric encryption \(\left( SE\right) \) and a message authentication code \(\left( MAC\right) \) [1–3, 7]. The syntax of SE is \(SE\left( {K,M} \right) \rightarrow C\), where K, M, and C denote the key, message, and ciphertext respectively [2, 3, 9, 10, 30]. The MAC comprises tag \(\left( T\right) \) generation and verification: \(MAC\left( {K,C} \right) \rightarrow T\) and \(\mathsf {Verf}\left( {K,C,T} \right) \rightarrow M{\text { or }} \bot \). The symmetric encryption ensures the privacy of the data, and the MAC preserves its authenticity [2, 3, 30]. For example, a doctor \(\mathcal {D}_1\) needs to send the medical report of a patient \(\left( \mathcal {P}\right) \) to doctor \(\mathcal {D}_2\) for consultation (Fig. 1). Here the confidentiality of the patient's report and record must be protected, and \(\mathcal {D}_2\) must also be able to verify that \(\mathcal {D}_1\) is the genuine sender.
Combining the two components of AE achieves both goals. In summary, AE ensures that:

  • the receiver can detect altered data

  • forgery is infeasible for the adversary

  • recovering the entire message is infeasible for the adversary

Fig. 1. Simple concept of AE

AE is constructed either from scratch or from a blockcipher [2, 3, 16–19]. Usually the blockcipher-based AE is preferable to the from-scratch AE, because the blockcipher is implemented directly rather than a dedicated encryption function [20–23]. Nowadays the applications of IoT end devices, RFID, and resource-constrained devices are increasing exponentially [11–15]. However, these devices have limited memory, power, and processing capacity [7, 12, 20, 21]. Blockcipher-based AE is therefore the more relevant choice because of its light operation [21, 24, 36, 37]. In addition, there are several ISO standards of cryptographic primitives for IoT end devices and resource-constrained devices, namely ISO/IEC 29192-1, ISO/IEC 29192-2, ISO/IEC 29192-3, and ISO/IEC 29192-4 [31–33]. ISO/IEC 29192-2 designates the blockcipher as a core cryptographic primitive for low-resource devices, and these standards also specify blockcipher sizes, security parameters, and resource utilizations. Later, ISO/IEC 29192-5 emphasized encrypted lengths of 80, 128, 160, and 256 bits for IoT end devices and resource-constrained devices [32, 33]. Traditional blockciphers and lightweight ciphers usually satisfy these encryption sizes [31–33]. Thus, an efficient blockcipher-based authentication encryption construction with a high security bound is required.

Table 1. Comparison study of the proposed scheme and others [18–26, 35–38]

1.1 Motivation

There are many authentication encryption \(\left( \text {AE}\right) \) schemes, such as McOE, OCB, OTR, COPA, PoE, OAE1, OAE2, COBRA, CLOC, and SILC [18–24, 34–37]. Among these, OCB is one of the pioneering constructions, and it is also blockcipher based [22]. The strong features of OCB are its parallel mode and its efficiency \(\left( r=1\right) \). The privacy security of this scheme is bounded by \(O\left( 2^{n/2}\right) \). However, OCB needs a decryption oracle, which increases the overhead cost of the authentication encryption process [38], so the actual efficiency of OCB is reduced [38]. Building on an evaluation of OCB, Minematsu proposed the OTR scheme [38], which overcomes this drawback \(\left( \text {decryption oracle}\right) \) of OCB. OTR also achieves the upper efficiency rate \(\left( r=1\right) \) together with a reasonable privacy security bound \(\left( \text {Priv}=O\left( 2^{n/2}\right) \right) \). Both OCB and OTR follow a nonce-respecting construction. On the other hand, the McOE scheme brought a breakthrough in the domain of nonce-reusing AE [21]. Thereafter, a number of schemes were proposed based on the properties of McOE, such as COPA, PoE, APE, and ELmE [20, 35]. However, Hoang et al. showed that the concept of nonce reuse is no longer secure for any online authentication scheme [35], and they further argued that the online characteristic is a parameter of efficiency [35]. Therefore, a window has been re-opened for offline and nonce-respecting AE. Furthermore, McOE needs a decryption oracle and its privacy security is bounded by \(O\left( 2^{n/2}\right) \). Most recently, there are two further proposals, CLOC and SILC [36, 37]. The constructions of CLOC and SILC are good for short messages, and both are free of any decryption oracle. However, the operation mode of CLOC and SILC is serial.

According to Table 1 and the above discussion, the privacy security of most authentication encryption schemes is bounded by \(O\left( 2^{n/2}\right) \). Furthermore, many schemes need a decryption oracle. Additionally, a padding mechanism is necessary in the symmetric encryption module of AE when the message length does not match the block length. However, padding itself has certain disadvantages [2, 3]; in particular, it is associated with a common attack called the length extension attack [2, 3, 26, 27]. We therefore outline our motivations as follows:

  • higher efficiency and upper security bound

  • competitive mode

  • free of decryption oracle in encryption and decryption module

  • allowed flexible size of message encryption

  • no padding

  • minimal number of blockcipher calls

  • efficient and low-cost primitive

1.2 Contribution

In this paper, we present a construction of authentication encryption. Our proposed scheme is based on a blockcipher-based compression function. Furthermore, our scheme is a nonce-respecting authentication encryption that includes associated data. The symmetric encryption module of the proposed scheme is a variant of OCB, and the MAC module follows a variant of PMAC-plus. The achievements of the proposed scheme are listed below:

  • \(\text {efficiency-rate}=1\)

  • parallel mode

  • free of any decryption oracle in the encryption and decryption modules

  • flexible message size for encryption \(\left( \text {FME}\right) \)

  • no padding

  • \(\text {Priv}=O\left( 2^{2n/3}\right) \)

  • fewer blockcipher calls

  • blockcipher-based compression function

  • nonce respecting, with associated data

1.3 Organization

We define preliminaries in Sect. 2. The proposed scheme's definition and the corresponding security notions are given in Sect. 3. The security proof of the proposed construction is presented in Sect. 4. Finally, a summary is given in Sect. 5.

2 Preliminaries Including Security Notions

2.1 Fundamental Notations

Let X and Y be finite-length strings from the sets \(\mathcal {X}\) and \(\mathcal {Y}\). Additionally, \(\mathcal {C, T}\) are the uniformly distributed sets of ciphertext strings \(\left( C\right) \) and MAC strings \(\left( T: \text {tag}\right) \). Let N, AD, and \(\mathcal {M}\) denote the spaces of nonces, associated data, and messages. Furthermore, K and n denote the key and the block length. Certain operators are used in the proposed authentication encryption, such as \(\oplus \) \(\left( \text {XOR}\right) \). We also use a defined function operator \(CS\left( \cdot \right) \) in the encryption and decryption modules. The operation of \(CS\left( \cdot \right) \) is complement followed by bitwise left shift. For example, we generate \(\alpha \) and \(\beta \) before encryption or decryption (Fig. 2). The values of \(\alpha \) and \(\beta \) are needed in each iteration of the encryption or decryption module, and these values should differ in every iteration for a tight security bound [18, 19, 22, 38]. Thus, they can serve as a counter, or as a unique nonce and associated data. Concretely, the function operator \(CS\left( \cdot \right) \) takes the value of \(\alpha \) and returns its complement shifted left by one bit when \(i=1\) \(\left( i: \text {iteration number}\right) \); as i increases, the left shift increases by one bit for each increment of i. In each iteration, the outputs of \(CS_i\left( \alpha \right) \) and \(CS_i\left( \beta \right) \) are denoted \(p_i\) and \(q_i\), where \(i \le l\) (Fig. 2). Another parameter we define is \(\tau \), which is created as a by-product of the encryption/decryption module: a value \(\tau _i\) is created in each iteration, and the XOR of all \(\tau _i\) is used for tag generation (Fig. 3).
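The offset operator \(CS\left( \cdot \right) \) as described above, written out as an added example (this is not code from the paper): complement the n-bit value, then shift it left by i bits in iteration i and keep the low n bits, giving \(p_i = CS_i(\alpha )\) and \(q_i = CS_i(\beta )\). The block width n = 8, the sample \(\alpha \), \(\beta \) values, and the distinctness check are assumptions made here; the check exercises the requirement stated above that the offsets differ in every iteration, and shows the two inputs for which the operator as defined cannot satisfy it.

```python
"""
Added example, not code from the paper: the offset operator CS(.) of the
preliminaries. CS_i(x) complements the n-bit value x and shifts it left by
i bits in iteration i, truncated to n bits; p_i = CS_i(alpha) and
q_i = CS_i(beta) are the per-iteration offsets. The bit width n, the sample
alpha/beta values and the distinctness check are assumptions made here.
"""


def cs(x: int, i: int, n: int) -> int:
    """CS_i(x): bitwise complement of the n-bit value x, then a left shift by
    i bits, keeping only the low n bits (iterations are numbered from i = 1)."""
    if i < 1:
        raise ValueError("iteration index i starts at 1")
    if not 0 <= x < (1 << n):
        raise ValueError("x must be an n-bit value")
    mask = (1 << n) - 1
    complemented = (~x) & mask          # one's complement within n bits
    return (complemented << i) & mask   # shift by i, drop the overflow bits


def offsets(alpha: int, beta: int, l: int, n: int) -> list:
    """Return [(p_1, q_1), ..., (p_l, q_l)] with p_i = CS_i(alpha), q_i = CS_i(beta)."""
    return [(cs(alpha, i, n), cs(beta, i, n)) for i in range(1, l + 1)]


def offsets_are_distinct(alpha: int, beta: int, l: int, n: int) -> bool:
    """Check the property the text asks of the offsets: every p_i and q_i used
    over the l iterations differs from all the others. This holds for most
    (alpha, beta) but not all: if the complement of alpha is 0 (alpha all ones)
    every p_i is 0, and once i reaches n the shift empties the word, so for
    l >= n the last offsets are all 0. In both situations the check returns False."""
    flat = [v for pair in offsets(alpha, beta, l, n) for v in pair]
    return len(set(flat)) == len(flat)


if __name__ == "__main__":
    # Constructed sample values for an 8-bit toy block width.
    N, L = 8, 3
    ALPHA, BETA = 0b10110010, 0b00111100
    for i, (p, q) in enumerate(offsets(ALPHA, BETA, L, N), start=1):
        print(f"i={i}: p_i={p:08b} q_i={q:08b}")
    print("distinct:", offsets_are_distinct(ALPHA, BETA, L, N))
```

For the sample values the three rounds give p = 10011010, 00110100, 01101000 and q = 10000110, 00001100, 00011000, all six distinct; `offsets_are_distinct` is the guard a practitioner would run on a candidate \(\alpha \), \(\beta \) and iteration count before relying on the offsets being unique.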

2.2 Blockcipher

A blockcipher \(\left( {n, k}\right) \) consists of a pair of algorithms \(E : {\left\{ {0,1} \right\} ^{n}} \times {\left\{ {0,1} \right\} ^{k}} \rightarrow {\left\{ {0,1} \right\} ^{n}}\) and \({{{E}}^{-1}} : {\left\{ {0,1} \right\} ^{n}} \times {\left\{ {0,1} \right\} ^{k}} \rightarrow {\left\{ {0,1} \right\} ^{n}}\) \(( n, k: \text {block and key length})\). Usually a blockcipher query is \(\left( m, k\right) \) and the output is c, where each key selects a random permutation. The combination of m, k, and c forms a triplet \(\left( m, k, c\right) \). In principle, the blockcipher oracle does not permit a repeated query or triplet. For example, if \(\left( m_1, k_1\right) =c_1\) has been queried to the oracle, then the oracle may not be asked \(\left( c_1, k_1\right) =m_1\). Let \(\mathsf {block} \left( {n}, {k} \right) \) be the set of all blockciphers of \(\left( n, k\right) \) according to the ICM [28, 29]. Generally, adversary \(\mathcal {A}\) tries to recover the encrypted plaintext under a given key. However, retrieving information about the desired plaintext using a different key set is infeasible for the adversary, and finding the actual plaintext or message is infeasible for \(\mathcal {A}\) if the blockcipher changes [28–30]. Usually, PRP security follows from the properties of the blockcipher [22–24]. Hence, the PRP security of a blockcipher \(\mathsf {block}\left( n, k\right) \) is defined as the success probability of the adversary, where \(\mathcal {A}\) tries to distinguish between the output of the blockcipher oracle and that of a random permutation oracle [22–24, 28–30].

2.3 Authentication Encryption

The authentication encryption is denoted \(\text {AE}\). Generally, AE has two algorithms, encryption and decryption \(\left( \text {MAC included in both algorithms}\right) \). Algorithm 1 denotes them as \(\mathcal {E}\text {-AE}\) and \(\mathcal {D}\text {-AE}\). The algorithm \(\mathcal {E}\text {-AE}\) takes the nonce and associated data together with the message and returns the ciphertext. The message recovery and tag verification are executed by the module \(\mathcal {D}\text {-AE}\), which returns the message if verification succeeds and \(\bot \) otherwise. In this section, we define only the basic encryption and decryption modules. Later, a modified version of \(\mathcal {E}\text {-AE}\) and \(\mathcal {D}\text {-AE}\) (Algorithm 1) will be used in the symmetric encryption module of the proposed construction.

Fig. 2. Encryption procedure of \(\text {AE}\)

2.4 PRF Security

Let \({F_K}:K \times X \rightarrow Y\) be a \(\left( \text {keyed}\right) \) pseudo-random function, where \(K{ \rightarrow ^\$ }{\left\{ {0,1} \right\} ^k}\) is the secret key space. In contrast, a random function \({F_R}\) is chosen uniformly at random from all functions \(X \rightarrow Y\) with the same domain and range as \(F_{{K}}\). PRF security is defined as the success probability of distinguishing between \(F_{{K}}\) and \(F_{{R}}\). Concretely, let \(\mathsf {Dt}\) be a distinguisher that can interact with the oracles of both \(F_{{K}}\) and \(F_{{R}}\). The PRF advantage of \(\mathsf {Dt}\) against \(F_{{K}}\) relative to \(F_{{R}}\) is then defined as follows:

$$\begin{aligned} \mathrm{Adv}_{\mathrm{PRF}}\left[ \mathsf {Dt} \right] = \Pr \left[ \mathsf {Dt}^{F_K} \Rightarrow 1 \right] - \Pr \left[ \mathsf {Dt}^{F_R} \Rightarrow 1 \right] \end{aligned}$$
(1)

The first probability in \(\left( 1\right) \) is taken over \(K{ \rightarrow ^\$ }{\left\{ {0,1} \right\} ^k}\) and the second over \({F_R}:X{ \rightarrow ^\$ }Y\). Thus, \(F_{{K}}\) is PRF secure iff the advantage of \(\mathsf {Dt}\) is small. \(F_{{K}}\) and \(F_{{R}}\) are referred to as the real and ideal worlds, respectively.

2.5 PRP Security

Let blockcipher \(\mathsf {block} \left( n, k\right) \) be a pseudo-random permutation, where \(E : {\left\{ {0,1} \right\} ^k} \times {\left\{ {0,1} \right\} ^n} \rightarrow {\left\{ {0,1} \right\} ^n}\). Furthermore, \({\left\{ {0,1} \right\} ^k}{ \leftarrow ^\$ }{K_E}\) is a keyed, ideal permutation of the blockcipher. On the other hand, there is a random permutation RP s.t. \({RP{ \leftarrow ^\$ }\mathrm{{Pm}}\left( n \right) }\) \(|\mathrm{{Pm}}:{\text {Permutation}}\). PRP security is then the winning probability of distinguishing \(\mathsf {block} \left( n, k\right) \) from RP. We assume that \(\mathsf {dT}\) is a distinguisher that can interact with the oracles of \(\mathsf {block} \left( n, k\right) \) and RP. Thus, the PRP advantage is defined as follows:

$$\begin{aligned} \mathrm{Adv}_{\mathrm{PRP}}\left[ \mathsf {dT} \right] = \Pr \left[ \mathsf {dT}^{E\left( \cdot \right) } \Rightarrow 1 \right] - \Pr \left[ \mathsf {dT}^{RP\left( \cdot \right) } \Rightarrow 1 \right] \end{aligned}$$
(2)

The first probability is taken over \({\left\{ {0,1} \right\} ^k}{ \leftarrow ^\$ }{K_E}\) and the second over \(RP{ \leftarrow ^\$ }\mathrm{{Pm}}\left( n \right) \).

3 Proposed Authentication Encryption Scheme

We define our proposed construction of blockcipher-based authentication encryption as \(\mathrm{{AE}}_T^{\mathrm{{P}}}\) \(\left( \text {P: parallel, } T: \text {tag}\right) \). The proposed \(\mathrm{{AE}}_T^{\mathrm{{p}}}\) has three modules \(\mathsf {M}_1\), \(\mathsf {M}_2\), and \(\mathsf {M}_3\), which informally are the initialization of the nonce and associated data, encryption including tag generation, and decryption including verification, respectively. Formally, the proposed scheme is \(\mathrm{{AE}}_T^\mathrm{{p}} = \left( \mathsf {M}_1|\text { Initialization}, {\mathcal{E}{\text {-AE}}_T^\mathrm{{p}},\mathcal{D}{\text {-AE}}_T^\mathrm{{p}}} \right) \). The key, nonce, associated data, message, ciphertext, and tag come respectively from the spaces \({K_{\mathrm{{AE}}_T^\mathrm{{p}}}}, {N_{\mathrm{{AE}}_T^\mathrm{{p}}}}, A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}}, {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}, {C_{\mathrm{{AE}}_T^\mathrm{{p}}}},\text { and }{T_{\mathrm{{AE}}_T^\mathrm{{p}}}}\). Our scheme is a variant of OCB in which the symmetric key encryption module follows CTR mode using the unique nonce and AD, and the tag generation (MAC) function follows a variant of the PMAC-plus construction.

We use Algorithms 2, 3, and 4 for the formal definitions of \(\mathsf {M}_1\), \(\mathsf {M}_2\), and \(\mathsf {M}_3\). The basic encryption and decryption modules come from Algorithm 1. We use two key sets, \(K_1\) and \(K_2\), for the encryption and decryption module, and two further key sets, \(K_3\) and \(K_4\), for tag generation and verification. The decryption oracle is not needed anywhere in the encryption and decryption procedure of the proposed AE; it is needed only for the tag re-generation step of the verification process.

Fig. 3. Proposed construction of \({\text {AE}}_T^{{\text {p}}}\)

3.1 Privacy Notion of \(\mathrm{{AE}}_T^{\mathrm{{p}}}\)

The privacy notion is based on \(\mathrm{{AE}}_T^\mathrm{{p}} = \left( {\mathcal {E}{\text {-AE}}_T^\mathrm{{p}},{\text { }}\mathcal {D}{\text {-AE}}_T^\mathrm{{p}}} \right) \). We consider a game in which the adversary \(\mathcal {A}\) uses unique nonces and AD and has access to the encryption oracle and the decryption oracle of \(\mathrm{{AE}}_T^\mathrm{{p}}\). For the privacy game, however, adversary \(\mathcal {A}\) is restricted to the encryption oracle \(\left( {\mathcal{E}{\text {-AE}}_T^\mathrm{{p}}}\right) \) and the random-bits oracle. The encryption oracle takes as input \(\left( {N,A,M} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and returns \(\left( {C,T} \right) \leftarrow \mathcal{E}{\text {-AE}}_T^\mathrm{{p}}\left( {N,A,M} \right) \). The random-bits oracle \(\$\) takes the same input \(\left( {N,A,M} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and outputs \(\left( {C,T} \right) { \leftarrow ^\$ }{\left\{ {0,1} \right\} ^{|M| + T}}\). Therefore, the privacy advantage is defined as follows:

$$\begin{aligned} \mathrm{{Adv}}_{\mathrm{{AE}}_T^\mathrm{{p}}}^{\mathrm{{priv}}}\left( \mathcal{A} \right) = \Pr \left[ {{\mathcal{A}^{\mathcal{E}{\text {-AE}}_T^\mathrm{{p}}\left( {.,.,.} \right) }} = 1} \right] - \Pr \left[ {{\mathcal{A}^{\$ \left( {.,.,.} \right) }} = 1} \right] , \end{aligned}$$

where the first probability is taken over \(K{ \leftarrow ^\$ }{K_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and the second over the random-bits oracle together with the randomness of \(\mathcal {A}\). Furthermore, the adversary uses unique nonces and associated data; in principle, the adversary cannot make a duplicate query.

3.2 Authenticity Notion of \(\mathrm{{AE}}_T^{\mathrm{{p}}}\)

The authenticity notion is based on \(\mathrm{{AE}}_T^\mathrm{{p}} = \left( {\mathcal {E}{\text {-AE}}_T^\mathrm{{p}},{\text { }}\mathcal {D}{\text {-AE}}_T^\mathrm{{p}}} \right) \). Let adversary \(\mathcal {A}\) have access to the encryption and decryption oracles \({\mathcal{E}{\text {-AE}}_T^\mathrm{{p}}}\) and \({\mathcal{D}{\text {-AE}}_T^\mathrm{{p}}}\). The input of the encryption oracle is \(\left( {N,A,M} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}\), and its output is \(\left( {C,T} \right) \leftarrow \mathcal{E}{\text {-AE}}_T^\mathrm{{p}}\left( {N,A,M} \right) \). The decryption oracle takes \(\left( {N,A,C,T} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {C_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {T_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and returns \(M \leftarrow \mathrm{{AE}}_T^\mathrm{{p}}\left( {N,A,C,T} \right) \) or \(\bot \). The authenticity advantage is defined as follows:

$$\begin{aligned} \mathrm{{Adv}}_{\mathrm{{AE}}_T^\mathrm{{p}}}^{\mathrm{{auth}}}\left( \mathcal {A} \right) = \Pr \left[ {{{\mathcal {A}}^{\mathcal{E}{\text {-AE}}_T^\mathrm{{p}},\mathcal{D}{\text {-AE}}_T^\mathrm{{p}}}}{\text { forges}}} \right] , \end{aligned}$$

where the probability is taken over \(K{ \leftarrow ^\$ }{K_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and the randomness of \(\mathcal {A}\). \(\mathcal {A}\) forges if the decryption oracle returns a message string for a query \(\left( N, A, C, T\right) \) whose \(\left( C, T\right) \) was not an output of the encryption oracle. More specifically, the adversary succeeds under the condition \(\left( {{N_i},{A_i},{C_i},{T_i}} \right) \ne \left( {{N_j},{A_j},{C_j},{T_j}} \right) \). In principle, the adversary does not query \(\left( {N',A',C',T'} \right) \) to the decryption oracle if \(\left( {C',T'} \right) \leftarrow \left( {N',A',M'} \right) \) was an answer of the encryption oracle. Additionally, the adversary uses unique nonces and AD.
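The generic AE interface of the introduction (\(SE\left( {K,M} \right) \rightarrow C\), \(MAC\left( {K,C} \right) \rightarrow T\), \(\mathsf {Verf}\left( {K,C,T} \right) \rightarrow M{\text { or }} \bot \)) and the oracle rules of the privacy and authenticity notions above, as one added example that is not code from the paper and does not implement the proposed \(\mathrm{{AE}}_T^\mathrm{{p}}\). Assumptions made here: the blockcipher is replaced by an HMAC-SHA256 PRF run in CTR mode so that the code runs on the Python standard library alone, the tag is truncated to `TAG_LEN` bytes, and the nonce and associated data are bound into the tag with length framing. The `AEGame` class encodes the two restrictions the notions place on the adversary: no nonce reuse at the encryption oracle, and no trivial decryption query of a tuple the encryption oracle already returned.

```python
"""
Added example, not code from the paper: the generic AE interface
(SE(K, M) -> C, MAC(K, C) -> T, Verf(K, C, T) -> M or bottom) with the
nonce-respecting privacy/authenticity oracles wrapped around it.
Assumptions: the blockcipher is replaced by an HMAC-SHA256 PRF in CTR mode,
the tag is truncated to TAG_LEN bytes, nonce and AD are bound into the tag.
"""
import hashlib
import hmac

BLOCK = 32     # keystream block size in bytes (SHA-256 output); assumption
TAG_LEN = 16   # tag length in bytes; assumption


def _keystream_block(k1: bytes, nonce: bytes, counter: int) -> bytes:
    # Stand-in for E_K1(nonce || counter); a real scheme would call the blockcipher.
    return hmac.new(k1, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def se_encrypt(k1: bytes, nonce: bytes, msg: bytes) -> bytes:
    """SE(K, M) -> C in CTR mode. Any message length, no padding: the last
    keystream block is simply truncated to the remaining bytes."""
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        ks = _keystream_block(k1, nonce, i // BLOCK)
        out += bytes(m ^ k for m, k in zip(msg[i:i + BLOCK], ks))
    return bytes(out)


def mac(k2: bytes, nonce: bytes, ad: bytes, c: bytes) -> bytes:
    """MAC(K, C) -> T over nonce, associated data and ciphertext. The AD length
    prefix keeps the (ad, c) boundary unambiguous."""
    framed = nonce + len(ad).to_bytes(8, "big") + ad + c
    return hmac.new(k2, framed, hashlib.sha256).digest()[:TAG_LEN]


def ae_encrypt(k1, k2, nonce, ad, msg):
    """E-AE(N, A, M) -> (C, T): encrypt, then MAC the ciphertext."""
    c = se_encrypt(k1, nonce, msg)
    return c, mac(k2, nonce, ad, c)


def ae_decrypt(k1, k2, nonce, ad, c, tag):
    """D-AE(N, A, C, T) -> M, or None standing in for bottom. The tag is
    compared in constant time before any plaintext is produced."""
    if not hmac.compare_digest(mac(k2, nonce, ad, c), tag):
        return None
    return se_encrypt(k1, nonce, c)   # CTR: decryption is the same keystream XOR


class AEGame:
    """Oracles of the privacy/authenticity notions: the encryption oracle
    rejects a reused nonce (nonce-respecting adversary) and the decryption
    oracle rejects the trivial query (N, A, C, T) that it handed out itself."""

    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2 = k1, k2
        self.used_nonces = set()
        self.transcript = set()   # every (N, A, C, T) returned by enc
        self.forgeries = 0

    def enc(self, nonce, ad, msg):
        if nonce in self.used_nonces:
            raise ValueError("nonce reuse: adversary must be nonce-respecting")
        self.used_nonces.add(nonce)
        c, t = ae_encrypt(self.k1, self.k2, nonce, ad, msg)
        self.transcript.add((nonce, ad, c, t))
        return c, t

    def dec(self, nonce, ad, c, t) -> bool:
        """True iff the query is a successful forgery (accepted and non-trivial)."""
        if (nonce, ad, c, t) in self.transcript:
            raise ValueError("trivial query: (C, T) was an encryption-oracle output")
        if ae_decrypt(self.k1, self.k2, nonce, ad, c, t) is None:
            return False
        self.forgeries += 1
        return True


def raises_value_error(fn, *args) -> bool:
    """Helper so a caller can check that an oracle refused a query."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample keys and data (not secrets from anywhere real).
    k1, k2 = bytes([1]) * 32, bytes([2]) * 32
    nonce, ad = b"nonce-000001", b"report-id:42"
    msg = b"patient report: constructed sample text, two blocks long"
    c, t = ae_encrypt(k1, k2, nonce, ad, msg)
    print("roundtrip ok:", ae_decrypt(k1, k2, nonce, ad, c, t) == msg)
    tampered = c[:-1] + bytes([c[-1] ^ 0x01])
    print("tampered rejected:", ae_decrypt(k1, k2, nonce, ad, tampered, t) is None)
```

Two design points matter for the notions above: the decryption routine checks the tag before producing any plaintext, so a rejected query leaks nothing but \(\bot \), and the game harness counts a forgery only when an accepted tuple is absent from the encryption transcript, which is exactly the non-triviality condition in the authenticity definition.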

4 Security Analysis

4.1 Privacy Security Analysis

The privacy of \({\text {AE}}_T^{{\text {p}}}\) is defined as the success probability of adversary \(\mathcal {A}\) in distinguishing the ciphertext from a uniformly distributed string. \(\mathcal {A}\) uses unique nonces and associated data. The privacy security is formalized through a sequence of games. We take a pair of games for each step, proceed pair by pair, and bound the success probability of distinguishing the two games of each pair. In this way we show that the difference between the two oracles is small. Let \(\mathcal {A}\) be an adversary that makes q queries \(\left( N_1, A_1, M_1 \right) , \ldots , \left( N_l, A_l, M_l \right) \). Moreover, \(\mathcal {A}\) is nonce-respecting and uses unique AD. The total message length is \(\sigma _{2l}\), where l is the number of iterations \(\left( \text {two message blocks per iteration}\right) \). In principle, we follow the proof technique of [22–24, 39], adapted to the properties of our scheme.

Theorem 1

Let \(\mathrm{{AE}}_T^{{\text {p}}}\) be the proposed authenticated encryption with encryption algorithm \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\), where \(n \ge 1\). An adversary \(\mathcal {A}\) is allowed to access the random-bits oracle and \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\), and may make up to q queries. The total message length is \(\sigma _{2l}\). The advantage of \(\mathcal {A}\) is its ability to distinguish \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\) from the random-bits oracle \(\$\). This advantage is bounded as follows:

$$\begin{aligned} \mathrm{Adv}_{\mathrm{AE}_T^\mathrm{p}}^{\mathrm{priv}}\left( \mathcal{A} \right) \le \frac{\sigma \left( \sigma + 1 \right) }{2^{2n}} + \frac{3}{2^n} \end{aligned}$$

Proof

We use a sequence of games, each with its own target. The final goal is to bound the adversary's advantage against the privacy of the proposed AE. Our approach is simple: we start with a game \(\mathcal {G}_{\mathcal {A}}\) that runs the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\), and our final game is \(\mathcal {G}_\mathrm{{E}}\), whose task is to implement a random oracle. We move forward by taking pairs of consecutive games and bounding the probability of distinguishing them; this success probability is defined as the advantage of the adversary for that pair. In this way we reach the final game \(\mathcal {G}_\mathrm{{E}}\) and show that the adversary's advantage in distinguishing the penultimate game from the last one is small. Finally, we collect all the success probabilities, take their union bound, and obtain the provable privacy security bound of the proposed scheme.

Our construction is based on a blockcipher compression function. Therefore, the input and output of each iteration should be unique. If the current output collides with a previous entry, the adversary wins; we define an event \(\mathcal {WIN}\) for this adversarial win. When \(\mathcal {WIN}\) occurs, a new, fresh value is drawn from the random oracle and the colliding value is eliminated from the oracle of the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\). The success probability of the event \(\mathcal {WIN}\) then gives the adversary's advantage in distinguishing the consecutive pair of games. Additionally, we use the PRF/PRP switching method in the security proof [34].

For MAC generation we use a variant of PMAC-plus [23], so two blockciphers are used to generate a tag \(\left( T\right) \); for better security, we actually use two key sets under the two blockciphers. The MAC depends on the XOR of all ciphertexts \(\left( C_i\right) \) and the XOR of all \(\tau _{i}\); these two values are used as the blockcipher inputs. The resulting output \(\left( \text {size: } 2n\text {-bits}\right) \) is XORed with the most recent values of \(CS\left( \cdot \right) \). Thus, security beyond the birthday bound can be achieved. Generally, the collision resistance of a blockcipher means that finding the same output for two different inputs is infeasible for the adversary [1–3]. In this section, we proceed through the games pairwise, and the success probability of the adversary is given by the event \(\mathcal {WIN}\). We begin with the proposed scheme and the game \(\mathcal {G}_{\mathcal {A}}\).

GAME \(\mathcal {G}_{\mathcal {A}}\). \(\mathcal {G}_{\mathcal {A}}\) implements the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\). \(\mathcal {G}_{\mathcal {A}}\) takes N, A, M as its input parameters, and the corresponding responses are C, T. The queries of \(\mathrm{{AE}}_T^\mathrm{{p}}\) use a random function. Therefore,

$$\begin{aligned} \Pr \left[ {\mathcal{A}_{RP}^{\mathrm{{AE}}_T^\mathrm{{p}}} = 1} \right] = \Pr \left[ {{\mathcal{A}^{{\mathcal{G}_\mathcal{A}}}} = 1} \right] \end{aligned}$$
(3)

GAME \(\mathcal {G}_{\mathcal {B}}\). Let the queries of RP be answered by a random function. Thus, the game \(\mathcal {G}_{\mathcal {B}}\) provides random output; however, the uniqueness of the output cannot be guaranteed with a random function. If any output collides with any previous response, the event \(\mathcal {WIN}\) is raised. The advantage of the adversary is thus its ability to distinguish the games \(\mathcal {G}_{\mathcal {B}}\) and \(\mathcal {G}_{\mathcal {A}}\), and the success probability of the event \(\mathcal {WIN}\) is that advantage. All queries of RP made by \(\mathrm{{AE}}_T^\mathrm{{p}}\) are stored in the database \({D_{\mathrm{{AE}}_T^\mathrm{{p}}}}\), where RP is queried \(\sigma \) times by \(\mathrm{{AE}}_T^\mathrm{{p}}\). Therefore, the advantage of the adversary is:

(4)

GAME \(\mathcal {G}_{\mathcal {C}}\). In this game, the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\) uses a random function, and the database \({D_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) is updated and synchronized. Therefore, the games \(\mathcal {G}_{\mathcal {C}}\) and \(\mathcal {G}_{\mathcal {B}}\) are indistinguishable from the adversary's point of view. As a result, the advantage of the adversary is as follows:

$$\begin{aligned} \Pr \left[ {{\mathcal {A}^{{\mathcal {G}_{\mathcal {C}}}}} = 1} \right] = \Pr \left[ {{\mathcal {A}^{{\mathcal {G}_{\mathcal {B}}}}} = 1} \right] \end{aligned}$$
(5)

GAME \(\mathcal {G}_{\mathcal {D}}\). In this game we use the PRF/PRP switching lemma [34]. The ciphertext should be indistinguishable from the output of a random oracle. According to the definition of our AE construction, the ciphertext is created by XORing the output of the blockcipher compression function with the message. The adversary can control the message but cannot control the blockcipher output. In addition, the nonce and associated data are unique. Therefore, there are four cases in which a collision can occur (Figs. 4 and 5); if a collision occurs, the event \(\mathcal {WIN}\) is raised in favour of the adversary.

Fig. 4. Under the game \(\mathcal {G}_{\mathcal {D}}\)

  • Case-1. Here we evaluate the probability of a collision in the blockcipher output. The pair of outputs in iteration i is \(X_i\) and \(Y_i\) \(\left( i \le l\right) \). Two types of collision can occur: across a double query and within a single query.

    • SubCase-1 \(\left( \text {double query}\right) \). A collision under this SubCase requires two different queries, for iterations i, j \(\left( i \ge j\right) \), whose inputs produce the same output. The outputs are \(X_i\) and \(Y_i\) for iteration i, and \(X_j\) and \(Y_j\) for iteration j. Thus a collision \(X_i=X_j, Y_j\) or \(Y_i=X_j, Y_j\) may occur (Fig. 4). If a collision occurs, the event is raised, random and uniform values are drawn from the sets \(\mathcal {X}\) and \(\mathcal {Y}\), and these new values replace the colliding ones. The success probability of the event \(\mathcal {WIN}\) is:

      $$\begin{aligned} \Pr \left[ \mathcal{WIN} \right] &= \Pr \left[ \mathcal{WIN}_1 \vee \mathcal{WIN}_2 \vee \cdots \vee \mathcal{WIN}_\sigma \right] \\ &\le \Pr \left[ \mathcal{WIN}_1 \right] + \Pr \left[ \mathcal{WIN}_2 \right] + \cdots + \Pr \left[ \mathcal{WIN}_\sigma \right] \\ &\le \sigma \left( \sigma - 1 \right) / 2^{2n} \end{aligned}$$
      (6)
    • SubCase-2 \(\left( \text {single query}\right) \). The outputs of the i-th iteration are \(X_i\) and \(Y_i\), so a collision \(X_i = Y_i\) may occur. The event \(\mathcal {WIN}\) is then raised as an adversarial success, and the colliding values are replaced by random and uniform values (Fig. 4), i.e. \({X_i} \leftarrow \mathcal {X},\, {Y_i} \leftarrow \mathcal {Y}\). The success probability of \(\mathcal {WIN}\) under this SubCase is:

      $$\begin{aligned} \Pr \left[ \mathcal{WIN} \right] &= \Pr \left[ \mathcal{WIN}_1 \vee \mathcal{WIN}_2 \vee \cdots \vee \mathcal{WIN}_\sigma \right] \\ &\le \Pr \left[ \mathcal{WIN}_1 \right] + \Pr \left[ \mathcal{WIN}_2 \right] + \cdots + \Pr \left[ \mathcal{WIN}_\sigma \right] \\ &\le \sigma \cdot \left( 1 / 2^n \right) \end{aligned}$$
      (7)
  • Case-2. According to our construction, the nonce is unique for each iteration, so the XOR of the blockcipher output and the nonce is random. However, a collision such as \(\tau _i^1 = \tau _j^1,\tau _j^2 \text { and } \tau _i^2 = \tau _j^1,\tau _j^2\) may occur. The event \(\mathcal {WIN}\) is defined for this collision, after which the colliding values are replaced by values drawn from the uniform distribution \(\mathcal {U}\left( \tau \right) \) (Fig. 4). So, the success probability of the event \(\mathcal {WIN}\) is:

    $$\begin{aligned} \Pr \left[ \mathcal{WIN} \right] &= \Pr \left[ \mathcal{WIN}_1 \vee \mathcal{WIN}_2 \vee \cdots \vee \mathcal{WIN}_\sigma \right] \\ &\le \Pr \left[ \mathcal{WIN}_1 \right] + \Pr \left[ \mathcal{WIN}_2 \right] + \cdots + \Pr \left[ \mathcal{WIN}_\sigma \right] \\ &\le 2\sigma / 2^{2n} \end{aligned}$$
    (8)
Fig. 5. Under the game \(\mathcal {G}_{\mathcal {D}}\)

  • \(\blacktriangleright \) Case-3. This case evaluates tag collisions. Two different blockciphers, keyed with two distinct keys, are used to generate the tag; for example, the random ciphertext value \(\left( \mathcal {C}\right) \) and the most recent \(CS\left( \cdot \right) \) value are used as their inputs. Hence \(t_1\) and \(t_2\) may collide (Fig. 5). If a collision occurs, the event \(\mathcal {WIN}\) is raised, and the adversary's advantage is the probability of that event:

    $$\begin{aligned} \Pr \left[ {\mathcal{W}\mathcal{I}\mathcal{N}} \right] = {2{/}{{2^n}}} \end{aligned}$$
    (9)
  • \(\blacktriangleright \) Case-4. The final tag is produced by XOR-ing \(t_1\), \(t_2\) and \(\left( {\alpha \oplus \beta } \right) \). If \(t_1\) and \(t_2\) are random then the resulting \(T\) is also random. A collision \(T = T'\) between two tags may nonetheless occur, so the probability of the event \(\mathcal {WIN}\) is:

    $$\begin{aligned} \Pr \left[ {\mathcal{W}\mathcal{I}\mathcal{N}} \right] = {1{/}{{2^n}}} \end{aligned}$$
    (10)

Adding the bounds of (6), (7), (8), (9) and (10) gives the advantage of distinguishing the games \(\mathcal {G}_{\mathcal {C}}\) and \(\mathcal {G}_{\mathcal {D}}\).

GAME \(\mathcal {G}_\mathrm{{E}}\). The game \(\mathcal {G}_\mathrm{{E}}\) simulates the random oracle model. The database \({D_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) is updated and synchronized after the operation of game \(\mathcal {G}_{\mathcal {D}}\), so all of its entries are now random and uniformly distributed. Hence the games \(\mathcal {G}_{\mathcal {D}}\) and \(\mathcal {G}_\mathrm{{E}}\) are identical from the adversary's point of view, and the advantage of the adversary in distinguishing \(\mathcal {G}_\mathrm{{E}}\) from \(\mathcal {G}_{\mathcal {D}}\) is zero:

$$\begin{aligned} \Pr \left[ {{\mathcal {A}^{{\mathcal {G}_\mathrm{{E}}}}} = 1} \right] = \Pr \left[ {{\mathcal {A}^{{\mathcal {G}_{\mathcal {D}}}}} = 1} \right] \end{aligned}$$
(11)

Therefore, taking the union bound over (4), (6), (7), (8), (9) and (10), Theorem 1 follows.

4.2 Authenticity Security Analysis

The authenticity of the \({\text {AE}}_T^{{\text {p}}}\) scheme is defined with respect to both the encryption and the decryption oracle. Authenticity is broken when the adversary can inject a tuple \(\left( N', A', C', T'\right) \) that the decryption oracle accepts although \(\left( N', A', C', T'\right) \ne \left( N, A, C, T\right) \) for every tuple \(\left( N, A, C, T\right) \) obtained from the encryption oracle. Concretely, let the encryption queries be \(\left( {{N_1},{A_1},{M_1}} \right) , \ldots , \left( {{N_q},{A_q},{M_q}} \right) \) and the decryption queries be \(( {{N'}_1},{{A'}_1},{{C'}_1},{{T'}_1} ), \ldots , \left( {{{N'}_q},{{A'}_q},{{C'}_q},{{T'}_q}} \right) \). The total message lengths for encryption and decryption are \({\sigma ^{2l}}\) and \({\sigma ^{2l'}}\) respectively. Let \(\mathcal {EXP}_{{\text {auth}}}^{{\text {p}}}\) be the experiment that outputs 1 iff the adversary successfully forges, i.e. some \(\left( N', A', C', T'\right) \) not returned by the encryption oracle decrypts to a message \(M' \ne \bot \). Therefore,

$$\begin{aligned} \mathrm{{Adv}}_{\mathrm{{AE}}_T^{\mathrm{{p}}}}^{\mathrm{{auth}}}\left( {\mathcal A} \right) = \Pr \left[ {\mathcal {EXP}_{\mathrm{{auth}}}^{\mathrm{{p}}}\left( \mathcal{A} \right) = 1} \right] \end{aligned}$$
(12)

Theorem 2

Let \(\mathrm{{AE}}_T^{\mathrm{p}}\) be the proposed authenticated encryption scheme, with \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\) and \({\mathcal {D}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\) its encryption and decryption algorithms, and let the adversary \(\mathcal {A}\) have access to both oracles. The advantage of \(\mathcal {A}\) is its success probability in injecting false data in place of valid data in the experiment \(\mathcal {EXP}_{{\text {auth}}}^{{\text {p}}}\) defined above. This advantage is bounded as follows:

$$\begin{aligned} \mathrm{Adv}_{\mathrm{AE}_T^{\mathrm{p}}}^{\mathrm{auth}}\left( \mathcal{A} \right) \le \frac{\sigma \left( \sigma + 1 \right)}{2^{2n}} + \frac{5}{2^n} + \frac{\sigma ^2}{2^{n+1}} \end{aligned}$$
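
The collision bounds of Cases 1 to 4 and the Theorem 2 expression are all instances of the same union-bound argument, so the following Python script, added here as an illustration and not part of the paper, checks them numerically. It evaluates the Theorem 2 bound exactly with rational arithmetic, finds the largest number of blocks \(\sigma \) for which the bound stays at or below 1/2 (which lands just under \(2^{n/2}\), showing that the \(\sigma ^2/2^{n+1}\) term dominates), and compares the union bound of SubCase-2 and the birthday term against Monte Carlo simulations at toy block sizes. The simulations assume the idealised setting of the proof, where the colliding quantities are independent uniform n-bit strings; the toy parameters, seeds and function names are this example's own choices.

```python
# Added example, not part of the paper: sanity-checks the union-bound
# estimates used in Sect. 4 with a Monte Carlo simulation at toy block sizes
# and evaluates the Theorem 2 authenticity bound for realistic n.
import random
from fractions import Fraction


def union_bound_single(sigma: int, n: int) -> Fraction:
    """Eq. (7): sigma events X_i = Y_i, each of probability 1/2^n."""
    return Fraction(sigma, 2 ** n)


def birthday_bound(sigma: int, n: int) -> Fraction:
    """Union bound over the sigma*(sigma-1)/2 pairs of sigma uniform n-bit
    values; the paper writes the resulting term as sigma^2 / 2^(n+1)."""
    return Fraction(sigma * (sigma - 1), 2 ** (n + 1))


def theorem2_bound(sigma: int, n: int) -> Fraction:
    """Authenticity bound of Theorem 2, exactly as stated:
    sigma(sigma+1)/2^(2n) + 5/2^n + sigma^2/2^(n+1)."""
    return (Fraction(sigma * (sigma + 1), 2 ** (2 * n))
            + Fraction(5, 2 ** n)
            + Fraction(sigma * sigma, 2 ** (n + 1)))


def max_blocks_for_advantage(n: int, target: Fraction = Fraction(1, 2)) -> int:
    """Largest sigma with theorem2_bound(sigma, n) <= target.  The bound is
    increasing in sigma, so binary search is exact with Fractions; the result
    sits just below 2^(n/2), i.e. the birthday term dominates."""
    lo, hi = 0, 2 ** n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if theorem2_bound(mid, n) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulate_pairwise_collision(sigma: int, n: int, trials: int, seed: int = 1) -> float:
    """Empirical Pr[exists i: X_i = Y_i] for sigma pairs of independent
    uniform n-bit values (the idealised SubCase-2 setting, an assumption
    of this example).  Should stay close to, and below, union_bound_single."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if any(rng.getrandbits(n) == rng.getrandbits(n) for _ in range(sigma)):
            hits += 1
    return hits / trials


def simulate_birthday(sigma: int, n: int, trials: int, seed: int = 1) -> float:
    """Empirical Pr[some two of sigma uniform n-bit values coincide]; this is
    the event behind the sigma^2 / 2^(n+1) term of Theorem 2."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(sigma):
            v = rng.getrandbits(n)
            if v in seen:
                hits += 1
                break
            seen.add(v)
    return hits / trials


if __name__ == "__main__":
    # Toy sizes (constructed for this example) so that collisions are frequent
    # enough to measure; the bounds are then compared with the simulations.
    print("SubCase-2 toy (n=4, sigma=4): empirical",
          simulate_pairwise_collision(4, 4, 20000),
          "union bound", float(union_bound_single(4, 4)))
    print("birthday toy (n=8, sigma=8): empirical",
          simulate_birthday(8, 8, 20000),
          "bound", float(birthday_bound(8, 8)))
    for n in (64, 128):
        print(f"n={n}: Adv_auth <= 1/2 up to sigma = {max_blocks_for_advantage(n)} "
              f"blocks (2^{n // 2} = {2 ** (n // 2)})")
```

Running the script prints the empirical collision frequencies next to the corresponding bounds, and the data limit at which the Theorem 2 bound reaches 1/2; for \(n = 128\) that limit is \(\sigma = 2^{64} - 1\) blocks, which is the birthday barrier the conclusion refers to as \(O\left( 2^{n/2}\right) \).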

5 Conclusion

In this paper, we have studied the familiar constructions of authenticated encryption \(\left( \mathrm {AE}\right) \) and evaluated the applications of \(\mathrm {AE}\). Recently, AE has come to be regarded as an important cryptographic primitive for securing IoT end devices, RFID, and other resource-constrained devices, so an AE scheme should offer both efficiency and strong security. Although there are many constructions, such as OCB, OTR, CLOC, SILK, APE, McOE, PoE, COPA, and COBRA, the privacy security of most of them is bounded by \(O\left( 2^{n/2}\right) \). Moreover, a decryption oracle is necessary for all of these constructions except OCB, OTR, CLOC, and SILK. We have therefore presented a blockcipher-based AE that achieves a privacy security bound of \(\text {Priv}=O\left( 2^{n/2}\right) \). Our proposed scheme operates without a decryption oracle in both the encryption and the decryption module. Furthermore, its efficiency rate is 1 and it operates in parallel mode, and the construction supports messages of flexible length without padding. The proposed scheme is a variant of OCB: the symmetric encryption module follows the CTR mode and the MAC module follows the PMAC Plus construction. However, the scheme cannot support small-domain encryption, including format-preserving encryption, and its decryption module is not online. Overcoming these limitations is our target for future work.