Pipelineable On-line Encryption

  • Farzaneh Abed
  • Scott Fluhrer
  • Christian ForlerEmail author
  • Eik List
  • Stefan Lucks
  • David McGrew
  • Jakob Wenzel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against malicious message modifications. Unfortunately, all published on-line ciphers so far are either inherently sequential, or lack a CCA-security proof.

This paper introduces POE, a family of on-line ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an \(\epsilon \)-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for different platforms. Moreover, this paper introduces POET, a provably secure on-line AE scheme, which inherits pipelineability and chosen-ciphertext-security from POE and provides additional resistance against nonce-misuse attacks.


On-line cipher Chosen-ciphertext security Authenticated encryption 



We thank all reviewers of the FSE 2014 for their helpful comments and Daniel J. Bernstein and Tetsu Iwata for fruitful discussions. Finally, we thank Jian Guo, Jérémy Jean, Thomas Peyrin, and Lei Wang who pointed out a mismatch between the specified and the analyzed version of POET in the pre-proceedings version [20].

Supplementary material


  1. 1.
    Abdelraheem, M.A., Bogdanov, A., Tischhauser, E.: Weak-key analysis of POET. Cryptology ePrint Archive, Report 2014/226 (2014).
  2. 2.
    Abed, F., Fluhrer, S., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: Pipelineable on-line encryption. Cryptology ePrint Archive, Report 2014/297 (2014).
  3. 3.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  4. 4.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE(X): authenticated permutation-based encryption with extended security features. In: Directions in Authenticated Ciphers (2013)Google Scholar
  5. 5.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: On-line ciphers and the hash-CBC constructions. J. Cryptol. 25(4), 640–679 (2012)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  8. 8.
    Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    Boesgaard, M., Christensen, T., Zenner, E.: Badger—a fast and provably secure MAC. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 176–191. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  11. 11.
    Boldyreva, A.,Taesombut, N.: Online encryption schemes: new security notions and constructions. In: Okamoto [35], pp. 1–14Google Scholar
  12. 12.
    Campbell, C.: Design and specification of cryptographic capabilities. In: Proceedings of the Conference on Computer Security and the Data Encryption Standard Held at the National Bureau of Standards in Gaithersburg, NBS Special Publication, Gaithersburg, Md., February 1978. U.S. National Bureau of StandardsGoogle Scholar
  13. 13.
    Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1–2), 85–104 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Datta, N., Nandi, M.: Misuse resistant parallel authenticated encryptions. Cryptology ePrint Archive, Report 2013/767 (2013).
  16. 16.
    Datta, N., Nandi, M.: Characterization of EME with linear mixing. Cryptology ePrint Archive, Report 2014/009 (2014).
  17. 17.
    Diffie, W., Hellman, M.E.: Privacy and authentication: an introduction to cryptography. Proc. IEEE 67, 397–427 (1979). (Invited Paper)CrossRefGoogle Scholar
  18. 18.
    Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  20. 20.
    Guo, J., Jean, J., Peyrin, T., Lei, W.: Breaking POET authentication with a single query. Cryptology ePrint Archive, Report 2014/197 (2014).
  21. 21.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  22. 22.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto [35], pp. 292–304Google Scholar
  23. 23.
    IEEE. IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. IEEE Std. 1619–2007, pp. c1–32 (2008)Google Scholar
  24. 24.
    ITU-T. Interfaces for the Optical Transport Network (OTN). Recommendation G.709/Y.1331, International Telecommunication Union, Geneva, December 2009Google Scholar
  25. 25.
    Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  26. 26.
    Knudsen, L.R.: Block chaining modes of operation. In: Symmetric-Key Block-Cipher Modes of Operation Workshop, October 2000Google Scholar
  27. 27.
    Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  28. 28.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  29. 29.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  30. 30.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  31. 31.
    McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004).
  32. 32.
    Nandi, M.: A Simple Security Analysis of Hash-CBC and a New Efficient One-Key Online Cipher. Cryptology ePrint Archive, Report 2007/158 (2007).
  33. 33.
    Nandi, M.: Two New efficient CCA-secure online ciphers: MHCBC and MCBC. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 350–362. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  34. 34.
    US Department of Commerce. DES Modes of Operation. Technical report FIPS PUB 81, US Department of Commerce/National Bureau of Standards, December 1998Google Scholar
  35. 35.
    Okamoto, T. (ed.): CT-RSA 2004. LNCS, vol. 2964. Springer, Heidelberg (2004) zbMATHGoogle Scholar
  36. 36.
    Postel, J.: User Datagram Protocol. RFC 768 (INTERNET STANDARD), August 1980Google Scholar
  37. 37.
    Postel, J.: Internet Protocol. RFC 791 (INTERNET STANDARD), September 1981. (Updated by RFCs 1349, 2474, 6864)Google Scholar
  38. 38.
    Postel, J.: Transmission Control Protocol. RFC 793 (INTERNET STANDARD), September 1981. (Updated by RFCs 1122, 3168, 6093, 6528)Google Scholar
  39. 39.
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  40. 40.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  41. 41.
    Rogaway, P., Zhang, H.: Online ciphers from tweakable blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  42. 42.
    Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  43. 43.
    Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)CrossRefzbMATHMathSciNetGoogle Scholar
  44. 44.
    Young, E.A., Hudson, T.J.: OpenSSL: The Open Source toolkit for SSL/TLS, September 2011.

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Farzaneh Abed
    • 1
  • Scott Fluhrer
    • 2
  • Christian Forler
    • 1
    Email author
  • Eik List
    • 1
  • Stefan Lucks
    • 1
  • David McGrew
    • 2
  • Jakob Wenzel
    • 1
  1. 1.Bauhaus-Universität WeimarWeimarGermany
  2. 2.Cisco SystemsSan JoseUSA

Personalised recommendations