Security of Online AE Schemes in RUP Setting

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)


Authenticated encryption (AE) combines privacy with data integrity, and in the process of decryption, the plaintext is always kept until successful verification. But in applications with insufficient memory or with realtime requirement, release of unverified plaintext is unavoidable. Furthermore most of present online AE schemes claim to keep the unverified plaintext, leading to online encryption but offline decryption, which seems unreasonable for online applications. Thus, security of the releasing unverified plaintext (RUP) setting, especially for online AE scheme need to be taken seriously. The notion of plaintext awareness (PA) together with IND-CPA have been formalized to achieve privacy in RUP setting by Andreeva et al. in 2014. But notion of PA is too strong and conflicts to online property, namely no online AE scheme can be PA secure according to their results, leading PA to lose its practical significance. In this paper, we define a similar security notion OPA and combine OPA with OPRP-CPA (IND-CPA) to achieve privacy of online AE scheme in RUP setting, which solves the conflicts between PA and online property. And we analysis the relation between OPA and some other notions. Then we study OPA security of existing online AE schemes, and show OPA insecurity of Stream Structure and structures with the property of “controll ciphertext to jump between two plaintexts" (CCJP), which are adopted by most of schemes in the ongoing CAESAR competition. At last, combining the property CCJP with the simple tag-producing process, we look upon the INT-RUP insecurity of existing schemes from new different angle.


Online authenticated encryption Releasing unverified plaintext Plaintext extractor INT-RUP CAESAR competition 


  1. 1.
    Cryptographic competitions: Caesar.
  2. 2.
    Abed, F., Fluhrer, S., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: Pipelineable on-line encryption. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 205–223. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46706-0_11 Google Scholar
  3. 3.
    Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46706-0_9 Google Scholar
  4. 4.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_6 Google Scholar
  5. 5.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Biryukov, A., Khovratovich, D.: Paeq (2014).
  10. 10.
    Bogdanov, A., Mendel, F., Regazzoni, F., Rijmen, V., Tischhauser, E.: ALE: AES-based lightweight authenticated encryption. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 447–466. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_23 Google Scholar
  11. 11.
    Chakraborti, A., Datta, N., Nandi, M.: Int-rup analysis of block-cipher based authenticated encryption schemes (2015).
  12. 12.
    Datta, N., Nandi, M.: Elmd (2014).
  13. 13.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schlaffer, M.: Ascon (2014).
  14. 14.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Hoang, V.T., Reyhanitabar, R., Rogaway, P., Vizár, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 493–517. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_24 CrossRefGoogle Scholar
  17. 17.
    Hosseini, H., Khazaei, S.: Cba (2014).
  18. 18.
    Iwata, T., Yasuda, K.: BTM: a single-key, inverse-cipher-free mode for deterministic authenticated encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 313–330. Springer, Heidelberg (2009). doi:10.1007/978-3-642-05445-7_20 CrossRefGoogle Scholar
  19. 19.
    Iwata, T., Yasuda, K.: HBS: a single-key mode of operation for deterministic authenticated encryption. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 394–415. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    McGrew, D., Viega, J.: The galois/counter mode of operation (gcm) (2004).
  21. 21.
    Montes, M., Penazzi, D.: Cpfb (2014).
  22. 22.
    Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(3), 365–403 (2003)CrossRefGoogle Scholar
  23. 23.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi:10.1007/11761679_23 CrossRefGoogle Scholar
  24. 24.
    Tsang, P.P., Smith, S.W.: Secure cryptographic precomputation with insecure memory. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 146–160. Springer, Heidelberg (2008). doi:10.1007/978-3-540-79104-1_11 CrossRefGoogle Scholar
  25. 25.
    Whiting, D., Ferguson, N., Housley, R.: Counter with cbc-mac (ccm). Submission to NIST Modes of Operation Process (2012)Google Scholar
  26. 26.
    Wu, H., Preneel, B.: AEGIS: a fast authenticated encryption algorithm. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 185–201. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43414-7_10 CrossRefGoogle Scholar
  27. 27.
    Zhang, J., Wu, W.: Security of online AE schemes in RUP setting (full version) (2016).
  28. 28.
    Zhang, L., Wu, W., Sui, H., Wang, P.: ifeed (2014).

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Institute of SoftwareChinese Academy of SciencesBeijingChina
  2. 2.State Key Laboratory of CryptologyBeijingChina

Personalised recommendations