Rate-One AE with Security Under RUP

  • Shoichi Hirose
  • Yu Sasaki
  • Kan Yasuda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10599)


This paper investigates what sort of security can be retained by the most efficient (namely, rate-one) AE schemes like OCB under the release of unverified plaintext (RUP). At CT-RSA 2016, Chakraborti et al. have presented an impossibility result, which says that any rate-one AE scheme cannot ensure INT-RUP, a strong integrity requirement under RUP. In this paper we show that any rate-one AE scheme cannot satisfy PA2 (plaintext awareness 2) either, a strong privacy requirement under RUP introduced by Andreeva et al. at Asiacrypt 2014. Given these impossibility results, we relax the security requirements and identify new notions of tag-PA and tag-INT. The new notions are strictly weaker than PA2 and INT-RUP yet have considerable significance in the practical sense. In particular, tag-PA is strictly stronger than PA1 defined by Andreeva et al. at Asiacrypt 2014. Unfortunately, OCB is neither tag-PA nor tag-INT. We present a new rate-one AE scheme which is both tag-PA and tag-INT. The new scheme is essentially as efficient as OCB, consuming just one extra call to a block cipher.


AE Decryption misuse RUP Rate-one Tag feedback OCB 

Supplementary material


  1. 1.
    Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: RIV for robust authenticated encryption. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 23–42. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-52993-5_2 CrossRefGoogle Scholar
  2. 2.
    Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46706-0_9 Google Scholar
  3. 3.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_6 Google Scholar
  4. 4.
    Bernstein, D.: CAESAR Competition (2013).
  5. 5.
    Bernstein, D.: Re: secret message numbers. Posted to CAESAR Mailing List (2013).!topic/crypto-competitions/n5ECGwYr6Vk
  6. 6.
    Chakraborti, A., Datta, N., Nandi, M.: INT-RUP analysis of block-cipher based authenticated encryption schemes. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 39–54. Springer, Cham (2016). doi: 10.1007/978-3-319-29485-8_3 CrossRefGoogle Scholar
  7. 7.
    Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_2 Google Scholar
  8. 8.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21702-9_18 CrossRefGoogle Scholar
  9. 9.
    McGrew, D.A., Viega, J.: The security and performance of the Galois/counter mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30556-9_27 CrossRefGoogle Scholar
  10. 10.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM (2002)Google Scholar
  11. 11.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30539-2_2 CrossRefGoogle Scholar
  12. 12.
    Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-25937-4_22 CrossRefGoogle Scholar
  13. 13.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001, pp. 196–205. ACM (2001)Google Scholar
  14. 14.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi: 10.1007/11761679_23 CrossRefGoogle Scholar
  15. 15.
    Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42033-7_21 CrossRefGoogle Scholar
  16. 16.
    Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Internet Engineering Task Force (IETF), RFC 3610 (2003)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.University of FukuiFukuiJapan
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations