Blockcipher-Based Authenticated Encryption: How Small Can We Go?

  • Avik Chakraborti
  • Tetsu Iwata
  • Kazuhiko Minematsu
  • Mridul Nandi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10529)


This paper presents a design of authenticated encryption (AE) focusing on minimizing the implementation size, i.e., hardware gates or working memory in software. The scheme is called COFB, for COmbined FeedBack. COFB uses an n-bit blockcipher as the underlying primitive, and relies on the use of a nonce for security. In addition to the state required for executing the underlying blockcipher, COFB needs only n/2 bits of state as a mask. To date, all existing constructions in which masks have been applied have used masks of at least n bits. Thus, we have shown the possibility of reducing the size of a mask without degrading the security level much. Moreover, COFB requires one blockcipher call to process one input block. We show that COFB is provably secure up to \(O(2^{n/2}/n)\) queries, which is almost up to the standard birthday bound. We also present our hardware implementation results. Experimental implementation results suggest that our proposal has good performance and the smallest footprint among all known blockcipher-based AE.


Keywords: COFB, AES, Authenticated encryption, Blockcipher



The authors thank the anonymous reviewers for helpful feedback. The work by Tetsu Iwata was supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045, and was partially carried out while visiting Nanyang Technological University, Singapore.



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Avik Chakraborti (1)
  • Tetsu Iwata (2)
  • Kazuhiko Minematsu (3)
  • Mridul Nandi (4)

  1. NTT Secure Platform Laboratories, Tokyo, Japan
  2. Nagoya University, Nagoya, Japan
  3. NEC Corporation, Tokyo, Japan
  4. Applied Statistics Unit, Indian Statistical Institute, Kolkata, India
