# COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

## Abstract

We present a new, misuse-resistant scheme for online authenticated encryption, following the framework set forth by Fleischmann et al. (FSE 2012). Our scheme, COBRA, is roughly as efficient as the GCM mode of operation for nonce-based authenticated encryption, performing one block cipher call plus one finite field multiplication per message block in a parallelizable way. The major difference from GCM is that COBRA preserves privacy up to prefix under nonce repetition. However, COBRA only provides authenticity against nonce-respecting adversaries. As compared to COPA (ASIACRYPT 2013), our new scheme requires no block cipher inverse and hence enjoys provable security under a weaker assumption about the underlying block cipher. In addition, COBRA can possibly perform better than COPA on platforms where finite field multiplication can be implemented faster than the block cipher in use, since COBRA essentially replaces half of the block cipher calls in COPA with finite field multiplications.

## Keywords

COPA · OTR · GCM · Feistel network · ManTiCore · Authenticated online cipher · Deterministic · Finite-field multiplication

## 1 Introduction

Authenticated encryption (AE) schemes target the security goals of privacy and integrity. The field of AE has received more interest in the light of the recently announced CAESAR competition [9]. The competition targets secure and efficient AE algorithms for specific or possibly multiple environments.

While AE can securely be achieved by combining a probabilistic encryption scheme and a message authentication code using Bellare and Namprempre’s generic composition [6], this approach comes at the cost of using two keys, one for encryption and one for authentication. This and further efficiency optimization reasons have led to the development of many dedicated nonce-based AE solutions such as CCM [33], CWC [20], EAX [7], GCM [23], IACBC [18], IAPM [18], OCB1-3 [21, 27, 29], and OTR [24].

Of these schemes, today GCM is the most widely deployed. GCM has been standardized by many organizations including ANSI, IEEE, ISO/IEC, and NIST. GCM has also been adopted by major cryptographic protocols such as IPsec, SSH, and TLS/SSL.

One advantage of GCM is that it performs well on Intel CPUs. According to Gladman [13], GCM outperforms CCM, CWC, and EAX on Intel P3/P4 and AMD 64(32/64) processors, if a 64 K table is used with GCM. This is mostly due to the fact that finite-field multiplication over \(\mathrm {GF}(2^{128})\) can be implemented efficiently on these platforms so that it runs faster than serial AES or hashing modulo \(2^{127}-1\).

There are several ways of parallelizing the polynomial hashing in GCM [14]. For example, instead of performing finite-field multiplications sequentially by Horner’s rule as \(\bigl (\bigl (\bigl (X[1]L\oplus X[2]\bigr )L\oplus X[3]\bigr )L\oplus X[4]\bigr )L\), one precomputes \(L^2\), \(L^3\) and \(L^4\), stores them in a table, and then computes the hash in a parallelizable way as \(X[1]L^4+X[2]L^3+X[3]L^2+X[4]L\). Here \(L\) denotes the key of polynomial hashing and \(X[i]\) the data blocks.

On more recent Intel CPUs such as Nehalem and Sandy Bridge, finite-field multiplication runs slower than AES [21]. Note that these processors are equipped with dedicated instruction sets, PCLMULQDQ for finite-field multiplication and AES-NI for AES block cipher computation. However, according to the latest report by Gueron [15] PCLMULQDQ is now more efficient on the latest Haswell processor, making finite-field multiplication over \(\mathrm {GF}(2^{128})\) faster than AES block cipher computation. This also makes GCM still attractive for use on Intel platforms.

Another advantage of GCM is the fact that it does not require the block cipher inverse. This contrasts sharply with schemes like OCB, where the cipher inverse is necessary for decryption. Besides the extra cost to implement the inverse algorithm, the problem is that the security proof needs to rely on a stronger assumption about the underlying block cipher if its inverse is used by the scheme. This issue has been discussed for OCB [5] and has led to the invention of OTR [24].

Given these features and its wide-spread use, GCM is often considered as a reference AE mode of operation. In fact, the call for submissions of the CAESAR competition [9] requires that authors “must explain, in particular, why users should prefer this cipher over AES-GCM.”

All of the above-mentioned dedicated schemes are proven secure in a nonce-respecting model (a formalism proposed by Rogaway [28]) where an adversary is limited to making encryption queries only with non-repeating nonce values. For the cases when nonce values do repeat, none of these AE schemes provides any formal security guarantees. Indeed, all of these schemes, including the latest OTR, can be “attacked” under nonce repetition, as described by Fleischmann et al. [12].

Nonce repetition can, however, occur in practice due to the fact that the nonce is chosen by the application programmer rather than the scheme itself, as discussed by Fleischmann et al. [12]. Examples of nonce repetition are flawed implementations [8, 10, 19, 22, 34], bad management of nonces by the user, and backup resets or virtual machine clones when the nonce is stored as a counter.

One way to address these situations is to design AE schemes which provide misuse resistance in a model where the adversary can perform queries with repeating nonces. Such schemes include the deterministic AE solutions SIV [30], BTM [16], and HBS [17], and also the authenticated online ciphers McOE-G [12], APE [2], and COPA [3]. The latter schemes are more efficient (need to process the message just once), even though the security under nonce repetition is limited to indistinguishability up to a common prefix.

We note that we are missing a “GCM-like” authenticated online cipher. McOE-G makes one block cipher call plus one finite-field multiplication per message block, but it is inherently sequential and not parallelizable like GCM. APE is permutation-based and sequential. COPA is parallelizable, but it makes two block cipher calls per message block. Moreover, all of these schemes require the inverse primitive calls for decryption. In this paper, therefore, we set out to propose a new authenticated online cipher whose efficiency is comparable to that of GCM.

**Our Results.** We present a secure and efficient solution for AE, which we name COBRA. A formal description of COBRA for integral message blocks is given in Sect. 3, and it is depicted in Figs. 2 and 3. (A description of COBRA for arbitrary-length messages is given in Appendix A).

*Design.* At first glance our design may seem to combine characteristics of the COPA [3] and OTR [24] designs. Indeed, to ensure misuse-resistance we include features from COPA and then substitute the parallelization procedures with the two-round balanced Feistel structure as proposed by Minematsu [24] in OTR. The latter design decision enables the use of just a single type of primitive, namely a block cipher in the forward encryption direction, without losing parallelizability.

However, the construction of COBRA is *not* motivated by the mere combination of the two designs. Indeed, the employment of the Feistel network seems *necessary* for efficiently authenticating and encrypting at the same time using polynomial hashing. It also allows for a scheme that does not need the inverse of the block cipher in decryption. In order to achieve integrity of COBRA, we utilize the checksum of intermediate state values of the Feistel structure, which is similar to a technique proposed by Anderson et al. in their ManTiCore design [1].
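To make the forward-only property concrete, the following is an added example and not code from the paper. It implements the two-round balanced Feistel structure from OTR over one \(2n\)-bit fragment with a keyed function that is only ever called in the forward direction, so that decryption needs no inverse, and it XORs together the intermediate Feistel states to show the kind of value a ManTiCore-style checksum is built from. Everything beyond that structure is an assumption: the tweakable forward function is an HMAC-SHA256 stand-in for \(E_k(\mu_\tau\oplus\cdot)\), the tweak layout `nonce || fragment index || round` is hypothetical, and the checksum is an illustration only, not COBRA's ComputeTag. COBRA's own masks, field multiplications and chaining of fragments (Sect. 3) are not reproduced here, so this toy does not give the privacy-up-to-prefix behaviour under nonce repetition; its fragments are independent of each other.

```python
"""Two-round balanced Feistel over 2n-bit fragments using a forward-only keyed
function (added example; HMAC stand-in and tweak layout are assumptions)."""

import hashlib
import hmac

N_BYTES = 16                      # n = 128 bits, one block
FRAGMENT = 2 * N_BYTES            # one fragment = two blocks


def xor_block(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def forward_prf(key: bytes, tweak: bytes, x: bytes) -> bytes:
    """Forward-only tweakable function (assumption: HMAC-SHA256 truncated to n bits,
    standing in for E_k(mask XOR x)). Nothing in this file ever inverts it."""
    assert len(x) == N_BYTES
    return hmac.new(key, tweak + x, hashlib.sha256).digest()[:N_BYTES]


def tweaks(nonce: bytes, i: int) -> tuple[bytes, bytes]:
    """Distinct tweaks for the two rounds of fragment i (hypothetical layout)."""
    base = nonce + i.to_bytes(8, "big")
    return base + b"\x01", base + b"\x02"


def encrypt_fragment(key: bytes, nonce: bytes, i: int, m1: bytes, m2: bytes):
    """Round 1: s = F_t1(m1), c1 = s XOR m2.  Round 2: c2 = F_t2(c1) XOR m1.
    Returns the ciphertext pair and the intermediate state s."""
    t1, t2 = tweaks(nonce, i)
    s = forward_prf(key, t1, m1)
    c1 = xor_block(s, m2)
    c2 = xor_block(forward_prf(key, t2, c1), m1)
    return c1, c2, s


def decrypt_fragment(key: bytes, nonce: bytes, i: int, c1: bytes, c2: bytes):
    """Undo round 2, then round 1, each with a FORWARD call of the same function."""
    t1, t2 = tweaks(nonce, i)
    m1 = xor_block(forward_prf(key, t2, c1), c2)   # round 2 took c1 as input
    s = forward_prf(key, t1, m1)                   # recompute the intermediate state
    m2 = xor_block(s, c1)
    return m1, m2, s


def encrypt(key: bytes, nonce: bytes, message: bytes):
    """Encrypt a message of whole fragments. Also returns the XOR of the
    intermediate states (illustration of a checksum over Feistel state)."""
    assert message and len(message) % FRAGMENT == 0
    out, checksum = bytearray(), bytes(N_BYTES)
    for i, off in enumerate(range(0, len(message), FRAGMENT), start=1):
        m1, m2 = message[off:off + N_BYTES], message[off + N_BYTES:off + FRAGMENT]
        c1, c2, s = encrypt_fragment(key, nonce, i, m1, m2)  # fragments independent: parallel
        out += c1 + c2
        checksum = xor_block(checksum, s)
    return bytes(out), checksum


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes):
    """Decrypt fragment by fragment; the receiver recomputes the same checksum."""
    assert ciphertext and len(ciphertext) % FRAGMENT == 0
    out, checksum = bytearray(), bytes(N_BYTES)
    for i, off in enumerate(range(0, len(ciphertext), FRAGMENT), start=1):
        c1, c2 = ciphertext[off:off + N_BYTES], ciphertext[off + N_BYTES:off + FRAGMENT]
        m1, m2, s = decrypt_fragment(key, nonce, i, c1, c2)
        out += m1 + m2
        checksum = xor_block(checksum, s)
    return bytes(out), checksum


if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 16            # constructed sample values
    msg = bytes(range(64))
    ct, sigma = encrypt(key, nonce, msg)
    pt, sigma2 = decrypt(key, nonce, ct)
    assert pt == msg and sigma == sigma2
    print(ct.hex())
```

The receiver obtains the intermediate state \(s\) only after recovering \(m_1\) with a forward call, which is exactly what lets a checksum over such states be verified at decryption time without any inverse primitive.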

*Security.* In Sect. 4, we prove that COBRA is secure against chosen-plaintext attacks (CPA) and against forgery up to approximately \(2^{n/2}\) queries, where \(n\) is the block length of the underlying cipher. Our result for privacy covers nonce-repeating attackers. This contrasts sharply with GCM whose security collapses once the nonce is repeated. Note that authenticity of COBRA requires nonce-respecting attackers.

Our new scheme requires no block cipher inverse and hence enjoys provable security under the pseudo-random permutation (PRP) assumption about the underlying block cipher. This is not the case for COPA, whose security proof relies on a stronger assumption about the block cipher.

Our proof itself is simplified by decomposing COBRA into smaller parts which are dealt with individually. The main idea here is to turn a call to the block cipher into a call to a tweakable cipher which we instantiate with Rogaway’s XE [27] construction. COBRA utilizes universal hashing (finite-field multiplication) and produces the tag using intermediate values of the Feistel networks. These differences make COBRA’s proof slightly simpler than that of COPA.

*Efficiency.* The efficiency of COBRA is comparable to that of GCM. That is, they both perform one block cipher call plus one finite field multiplication per message block in a parallelizable way.

As compared to COPA, COBRA saves the cost of implementing the inverse of the underlying block cipher. COBRA performs potentially better than COPA on platforms where the finite-field multiplication runs faster than the underlying block cipher call. Such CPUs include Intel’s latest Haswell processor, where a 128-bit multiplication using the PCLMULQDQ instruction runs faster than one AES call even with the AES-NI instruction set, and hence faster than essentially any other block cipher implementation.

**Attack on Previous Scheme.** In the period between acceptance and publication of this paper, Nandi found an attack on the authenticity of the scheme using a nonce-repeating adversary [25]. As a result we have reduced the security claim of authenticity from being secure against nonce-repeating adversaries to being secure against nonce-respecting adversaries and we have made a small adjustment in the processing of the nonce to accomplish this security level: instead of multiplying the nonce with the message blocks, we use it in the block cipher call to create the secret value \(L\). This does not change the privacy proof and authenticity is achieved for the same reason that authenticity is achieved in OTR.

## 2 Preliminaries

By \((\{0,1\}^n)^+\) we denote the set of strings whose length is a positive multiple of \(n\) bits. Given two strings \(A\) and \(B\), we use \(A\parallel B\) and \(AB\) interchangeably to denote the concatenation of \(A\) and \(B\). For \(A\in \{0,1\}^*\), by \(A10^*\) we denote the string with a \(1\) appended, and then padded with zeros until its length is a multiple of \(n\). If \(X\) is a string with length a multiple of \(n\), by \(X[i]\) we denote the \(i\)th \(n\)-bit block of \(X\). The length of a string \(X\) is denoted by \(|X|\).

A block cipher \(E:\mathcal {K}\times \{0,1\}^n\rightarrow \{0,1\}^n\) is a function that takes as input a key \(k\in \mathcal {K}\) and a plaintext \(M\in \{0,1\}^n\), and produces a ciphertext \(C=E(k,M)\). We sometimes write \(E_k(\cdot )=E(k,\cdot )\). For a fixed key \(k\), a block cipher is a permutation on \(n\) bits.

We can view the set \(\{0,1\}^n\) of bit strings as the finite field \(\mathrm {GF}(2^n)\) consisting of \(2^n\) elements. To this end, we represent an element of \(\mathrm {GF}(2^n)\) as a polynomial over the field \(\mathrm {GF}(2)\) of degree less than \(n\), and a string \(a_{n-1}a_{n-2}\cdots a_1a_0\in \{0,1\}^n\) corresponds to the polynomial \(a_{n-1}\mathtt {x}^{n-1}+ a_{n-2}\mathtt {x}^{n-2}+\cdots + a_1\mathtt {x}+ a_0\in \mathrm {GF}(2^n)\). The addition in the field is simply addition of polynomials over \(\mathrm {GF}(2)\) (i.e., bitwise XOR, denoted by \(\oplus \)). To define multiplication in the field, we fix an irreducible polynomial \(f(\mathtt {x})\) of degree \(n\) over the field \(\mathrm {GF}(2)\). For \(a(\mathtt {x}),b(\mathtt {x})\in \mathrm {GF}(2^n)\), their product is defined as \(a(\mathtt {x}) b(\mathtt {x}) \mod f(\mathtt {x})\) — polynomial multiplication over the field \(\mathrm {GF}(2)\) reduced modulo \(f(\mathtt {x})\). We simply write \(a(\mathtt {x})b(\mathtt {x})\) and \(a(\mathtt {x})\cdot b(\mathtt {x})\) to mean the product in the field \(\mathrm {GF}(2^n)\), and denote the multiplication by \(\otimes \).

The set \(\{0,1\}^n\) can alternatively be regarded as a set of integers ranging from \(0\) through \(2^n-1\), where a string \(a_{n-1}a_{n-2}\cdots a_1a_0\in \{0,1\}^n\) corresponds to the integer \(a_{n-1}2^{n-1}+ a_{n-2}2^{n-2}+\cdots + a_12+ a_0\in [0,2^n-1]\). Based on these conversions, we often simply write elements of \(\mathrm {GF}(2^n)\) as integers. For example, “\(2\)” means \(\mathtt {x}\) and “\(3\)” means \(\mathtt {x}+1\). When we write multiplications such as \(2\cdot 3\), we mean those in the field \(\mathrm {GF}(2^n)\).
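As an added worked example (not code from the paper), the following Python implements \(\mathrm{GF}(2^n)\) arithmetic in exactly the representation above (bit \(i\) of an integer is the coefficient of \(\mathtt{x}^i\), so “2” is \(\mathtt{x}\) and “3” is \(\mathtt{x}+1\)) and uses it to check that the sequential Horner evaluation and the parallel evaluation with a precomputed power table from Sect. 1 compute the same polynomial hash. It also produces the \(2^i\cdot L\) mask sequence of Rogaway’s XE construction [27]. The reduction polynomial \(\mathtt{x}^{128}+\mathtt{x}^7+\mathtt{x}^2+\mathtt{x}+1\) is an assumption (the one GCM uses; the text only fixes some irreducible \(f(\mathtt{x})\)), and the key \(L\) and the data blocks are constructed sample values.

```python
"""GF(2^n) arithmetic in the representation of Sect. 2 and the Horner versus
parallel polynomial hash of Sect. 1 (added example; not the paper's code)."""

N = 128
# Assumption: reduce by f(x) = x^128 + x^7 + x^2 + x + 1 (the GCM polynomial);
# the text only requires some irreducible polynomial of degree n.
F_LOW = (1 << 7) | (1 << 2) | (1 << 1) | 1   # f(x) with the x^128 term removed


def gf_mul(a: int, b: int) -> int:
    """a(x) * b(x) mod f(x) over GF(2): shift-and-add with reduction."""
    assert 0 <= a < (1 << N) and 0 <= b < (1 << N)
    r = 0
    while b:
        if b & 1:
            r ^= a                        # field addition is XOR
        b >>= 1
        a <<= 1                           # multiply a(x) by x
        if a >> N:                        # degree reached n: subtract f(x)
            a ^= (1 << N) | F_LOW
    return r


def gf_pow(a: int, e: int) -> int:
    """a^e by square-and-multiply; a^0 is the polynomial 1."""
    r, base = 1, a
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def poly_hash_horner(L: int, blocks: list[int]) -> int:
    """(((X[1]L xor X[2])L xor X[3])L ...)L, strictly sequential."""
    h = 0
    for x in blocks:
        h = gf_mul(h ^ x, L)
    return h


def poly_hash_parallel(L: int, blocks: list[int]) -> int:
    """X[1]L^m + X[2]L^(m-1) + ... + X[m]L from a power table computed once;
    the m products are independent, so they can run in parallel."""
    m = len(blocks)
    powers = [gf_pow(L, j) for j in range(1, m + 1)]   # powers[j-1] = L^j
    h = 0
    for i, x in enumerate(blocks):                       # X[i+1] pairs with L^(m-i)
        h ^= gf_mul(x, powers[m - 1 - i])
    return h


def doubling_masks(L: int, count: int) -> list[int]:
    """L, 2L, 4L, ...: the 2^i * L masks of Rogaway's XE construction [27],
    each step one multiplication by x (the element written "2" in Sect. 2)."""
    masks = [L]
    for _ in range(count - 1):
        masks.append(gf_mul(masks[-1], 2))
    return masks


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    L = 0x3C1F_8B7A_0000_0000_0000_0000_0000_0001
    blocks = [0x11, 0x22 << 64, (1 << 127) | 5, 0xDEAD_BEEF]
    assert gf_mul(2, 3) == 6                 # x * (x + 1) = x^2 + x
    assert poly_hash_horner(L, blocks) == poly_hash_parallel(L, blocks)
    print(hex(poly_hash_horner(L, blocks)))
```

The table of powers is the trade-off Sect. 1 describes: it costs \(m-1\) extra multiplications once per key, after which every message block can be hashed independently of the others.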

## 3 Specification

In this section we give the specification of our scheme COBRA. Here we define COBRA for messages whose length is a positive multiple of \(2n\), where \(n\) denotes the block length of the underlying block cipher. The case of fractional messages is given in Appendix A.

## 4 Security

We briefly settle some notation for the security analysis in Sect. 4.1. In Sect. 4.2, we introduce some preliminary results related to COBRA. Confidentiality of COBRA is then proven in Sect. 4.3, and integrity in Sect. 4.4.

### 4.1 Notation

When writing \(x\xleftarrow{\$}X\) for some finite set \(X\) we mean that \(x\) is sampled uniformly from \(X\). We write \(\Pr[\mathsf{A}\mid\mathsf{B}]\) to denote the probability of event \(\mathsf{A}\) given \(\mathsf{B}\).

Say that \(M\in \{0,1\}^{2n\ell }\). We write \(M[1]M[2]\cdots M[2\ell ]\xleftarrow {n} M\) to denote the *blocks* that make up \(M\), and \(\hat{M}[1]\hat{M}[2]\cdots \hat{M}[\ell ]\xleftarrow {2n} M\) to denote the *fragments* that make up \(M\). Note that a fragment is made of two blocks: \(\hat{M}[i] = M[2i-1]\parallel M[2i]\).

A uniform random function (URF) from \(m\) bits to \(n\) bits is a uniformly distributed random variable over the set of all functions from \(\{0,1\}^m\) to \(\{0,1\}^n\). A uniform random permutation (URP) on \(n\) bits is a uniformly distributed random variable over the set of all permutations on \(n\) bits.

### **Definition 1**

### 4.2 Preliminary Results

### **Lemma 1** ([24, 27])

Let \(\mathcal {T}\) denote some set of indices such that \(\tau \mapsto \mu _\tau \) maps indices to tweaks injectively. The permutations \(\{E_{k}(\mu _\tau \oplus \cdot )\}_{\tau \in \mathcal {T}}\) are indistinguishable from independent URFs \(\bigl \{\varphi _{\tau }\bigr \}_{\tau \in \mathcal {T}}\). Specifically, let \(\mathbf {D}\) be a distinguisher running in time \(t\) and making at most \(q\) queries, then

In Fig. 4 one can see a description of COBRA where the XE constructions are replaced with URFs, where the URFs are labeled \(\alpha \) (replacing the XE construction in ProcessAD), \(\beta _i^N,\gamma _i^N\) for \(i\ge 1\) and all \(N\) (replacing them in COBRA-Encrypt and COBRA-Decrypt), and \(\delta _1^N,\delta _2^N\) for all \(N\) (replacing them in ComputeTag). Throughout, we will denote this scheme by \(\mathcal {E}'\).

We can describe \(\mathcal {E}'\) as a sequence of functions each computing one ciphertext fragment, a function computing the tag, and a function processing the associated data. More formally:

### **Definition 2**

Say that \(\mathcal {E}'\) maps \((N,A,M)\) to \((C,T)\). Define \(f_i:\{0,1\}^n\times \{0,1\}^{2ni}\rightarrow \{0,1\}^{2n}\) to be the function mapping \((N, \hat{M}[1]\cdots \hat{M}[i])\) to \(\hat{C}[i]\), \(h:\{0,1\}^*\rightarrow \{0,1\}^n\) the function mapping \(A\) to \(U\) (where \(U\) is as shown in Fig. 4), and \(f':\{0,1\}^n\times \{0,1\}^*\times (\{0,1\}^{2n})^+\rightarrow \{0,1\}^n\) the function mapping \((N,A,M)\) to \(T\).

As a second step, we replace the associated data computation \(h\) in \(\mathcal {E}'\) with a URF \(\varOmega \):

### **Lemma 2**

### *Proof*

The URF \(\alpha \) generates independent, uniformly distributed values as long as its inputs are unique. The only issue is when two different \(A\)’s map to the same input to \(\alpha \), which itself reduces to finding zeros of a polynomial in \(J\) of degree at most \(l\). Since \(J\) is an independent, uniformly distributed value generated using a URP, and a polynomial of degree \(l\) has at most \(l\) distinct zeros, the probability that a given pair of associated-data strings collides at the input to \(\alpha \) is \(l/2^n\). Allowing the adversary to make \(q\) queries gives the desired bound. \(\quad \square \)

### **Proposition 1**

### *Proof*

We first apply Lemma 1, where we note that one query by \(\mathbf {D}\) leads to at most \(2\ell +2\) block cipher calls, and then Lemma 2 to get the desired result. \(\quad \square \)

Using Proposition 1, we will prove confidentiality of COBRA in Sect. 4.3 and integrity in Sect. 4.4. For the proof of confidentiality, we present an additional elementary lemma:

### **Lemma 3**

### 4.3 Confidentiality

We adopt the definitions of security given in [3], yet rather than comparing our scheme to a random variable over the set of all online permutations, we explicitly describe an ideal online function in terms of URFs.

### **Definition 3**

**(Ideal Online Function).**Let \(g_{i}:\{0,1\}^n\times \{0,1\}^{2ni}\rightarrow \{0,1\}^{2n}\) be URFs and let \(g':\{0,1\}^n\times \{0,1\}^*\times (\{0,1\}^{2n})^+\rightarrow \{0,1\}^{n}\) be a URF. We define \(\$:\{0,1\}^n\times \{0,1\}^*\times (\{0,1\}^{2n})^+\rightarrow (\{0,1\}^{2n})^+\times \{0,1\}^n\) as

### **Definition 4**

**(IND-CPA).**Let \(\mathcal {E}\) be an encryption scheme. The IND-CPA advantage of a distinguisher \(\mathbf {D}\) relative to \(\mathcal {E}\) is given by

### **Theorem 1**

### *Proof*

### **Lemma 4**

### *Proof*

The proof is similar to that of Lemma 2. We use that the inputs to the URFs are polynomials of degree at most \(2i+1\), and that \(f_i\) consists of two URFs \(\beta _i^N\) and \(\gamma _i^N\). \(\quad \square \)

### **Lemma 5**

### *Proof*

Without loss of generality, we may assume that the distinguisher does not make repeat queries. Say that \(\{(N_1, A_1, M_1), \ldots , (N_{i}, A_{i}, M_{i})\}\) is the query history. We consider what happens on query \((N^*, A^*, M^*)\).

1. If \(A^* \ne A_j\) then \(U^*\) is independent of \(U_j\oplus \delta _1^{N_j}(\varSigma _j)\oplus \delta _1^{N^*}(\varSigma ^*)\oplus N^*\oplus N_j\), hence the probability that Eq. (6) is satisfied is not more than \(1/2^n\).
2. If \(A^* = A_j\), then \(U^* = U_j\) and we focus on the probability that
   $$\delta _1^{N^*}(\varSigma ^*)\oplus N^* = \delta _1^{N_j}(\varSigma _j)\oplus N_j. \qquad (7)$$
   - (a) If \(M^* = M_j\), then \(\varSigma ^*=\varSigma _j\) and Eq. (7) reduces to \(\delta _1^{N^*}(\varSigma ^*)\oplus \delta _1^{N_j}(\varSigma ^*) = N^*\oplus N_j\). Since we do not allow repeat queries, \(N^*\ne N_j\), and so this occurs with probability \(1/2^n\).
   - (b) Say that \(M^* \ne M_j\), and let \(\rho ^*\) and \(\rho _j\) denote the output of the last call to \(\beta \) made when processing \(M^*\) and \(M_j\), respectively. If \(\rho ^*\) and \(\rho _j\) are independent, then \(\varSigma ^* = \varSigma _j\) with probability \(1/2^n\). If \(\varSigma ^*\ne \varSigma _j\), then \(\delta _1^{N^*}(\varSigma ^*)\) and \(\delta _1^{N_j}(\varSigma _j)\) are independent (and also independent of \(N^*\) and \(N_j\)), hence the probability of Eq. (7) being true is upper bounded by \(2/2^n\). The probability that \(\rho ^*\) and \(\rho _j\) are not independent is upper bounded by the probability of having a collision in the inputs to the last \(\beta \) call (and only if \(M^*\) and \(M_j\) are the same length), which is \((2\ell +1)/2^n\).

### 4.4 Integrity

### **Definition 5**

### **Theorem 2**

### *Proof*

As with the proof of confidentiality, we use Proposition 1 to switch to \(\mathbb {E}.\)

1. If \(A^* \ne A_i\), then \(U^*\) is uniformly distributed and independent of \(U_i\), hence the probability that Eq. (11) is satisfied is bounded above by \(1/2^n\).
2. If \(A^* = A_i\), then \(U^* = U_i\) and we focus on the probability that
   $$\delta _1^{N^*}(\varSigma ^*)\oplus N^* = \delta _1^{N_i}(\varSigma _i)\oplus N_i. \qquad (12)$$
   - (a) If \(C^* = C_j\), Eq. (12) reduces to
     $$\delta _1^{N^*}(\varSigma ^*)\oplus N^* = \delta _1^{N_i}(\varSigma ^*)\oplus N_i. \qquad (13)$$
     Since \(A^* = A_j\), either \(N^*\ne N_i\), in which case we only get a successful forgery with probability \(1/2^n\), or \(N^* = N_j\) and \(T^*\ne T_j\), in which case the forgery attempt fails as well.
   - (b) Say that \(C^*\ne C_j\), and that they differ at the \(m\)th fragment, i.e. \(\hat{C}^*[m]\ne \hat{C}_j[m]\). We also assume that \(N^* = N_j\), because if \(N^*\ne N_j\) then the tags are independent of each other since they are produced by independent URFs \(\delta _2^{N^*}\) and \(\delta _2^{N_j}\).

     Since \(N^* = N_j\), and \(N_j\) does not equal any of the other \(N_i\), \(\varSigma ^*\) is independent of all \(\varSigma _i\) for \(i\ne j\). If \(C^*[2m-1] = C_j[2m-1]\), then \(C^*[2m] \ne C_j[2m]\), hence the inputs to \(\beta _m^{N^*}\) for \(C^*\) and \(C_j\) are different. This means that \(\varSigma ^* = \varSigma _j\) with probability at most \(1/2^n\), hence \(\delta _1(\varSigma ^*) = \delta _1(\varSigma _j)\) with probability at most \(2/2^n\). If \(\delta _1^{N^*}(\varSigma ^*)\ne \delta _1^{N_j}(\varSigma _j)\), then Eq. (12) is satisfied with probability at most \(1/2^n\) since \(N^*\) and \(N_i\) are independent of the outputs of \(\delta _1\). If \(C^*[2m-1]\ne C_j[2m-1]\), we can apply the same reasoning.

Putting the above results together, we get that the probability of Eq. (11) being satisfied is bounded above by \(3/2^n\). Hence, the probability that there exists an \(i\) satisfying (11) is bounded above by \(3q/2^n\). The probability that the forgery is successful is thus bounded above by \(3q/2^n + 1/2^n\).

Generalizing to adversaries which can make up to \(q_f\) forgery queries as explained in Andreeva et al. [4], we have our desired bound. \(\quad \square \)

## 5 Future Work

We shall implement COBRA and compare its software performance with GCM and COPA. It is interesting to see how much of an overhead COBRA actually has over GCM on a specific platform, possibly due to the Feistel network, larger state, extra mask generation, and the reverse order of multiplication and block cipher call.

## Notes

### Acknowledgments

The authors would like to thank FSE 2014 reviewers for their valuable comments. This work has been funded in part by the IAP Program P6/26 BCRYPT of the Belgian State (Belgian Science Policy), in part by the European Commission through the ICT program under contract ICT-2007-216676 ECRYPT II, in part by the Research Council KU Leuven: GOA TENSE, and in part by the Research Fund KU Leuven, OT/08/027. Elena Andreeva is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen). Bart Mennink and Atul Luykx are supported by Ph.D. Fellowships from the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).


## References

- 1. Anderson, E., Beaver, C.L., Draelos, T., Schroeppel, R., Torgerson, M.: ManTiCore: encryption with joint cipher-state authentication. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 440–453. Springer, Heidelberg (2004)
- 2. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2014)
- 3. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
- 4. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. Cryptology ePrint Archive (2013). (full version of this paper)
- 5. Aoki, K., Yasuda, K.: The security of the OCB mode of operation without the SPRP assumption. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 202–220. Springer, Heidelberg (2013)
- 6. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
- 7. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy and Meier [32], pp. 389–407
- 8. Borisov, N., Goldberg, I., Wagner, D.: Intercepting mobile communications: the insecurity of 802.11. In: Rose, C. (ed.) MOBICOM, pp. 180–189. ACM (2001)
- 9. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness (April 2013). http://competitions.cr.yp.to/caesar.html
- 10. Cantero, H.M., Peter, S., Bushing, Segher: Console hacking 2010 - PS3 epic fail. In: 27th Chaos Communication Congress, December 2010
- 11. Chakraborty, D., Sarkar, P.: HCH: a new tweakable enciphering scheme using the hash-counter-hash approach. IEEE Trans. Inf. Theory 54(4), 1683–1699 (2008)
- 12. Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012)
- 13. Gladman, B.: AES and combined encryption/authentication modes (2006). http://www.gladman.me.uk/
- 14. Gopal, V., Ozturk, E., Feghali, W., Guilford, J., Wolrich, G., Dixon, M.: Optimized Galois-Counter-Mode implementation on Intel architecture processors. Intel Corporation White Paper (2010)
- 15. Gueron, S.: AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition. In: Directions in Authenticated Ciphers (DIAC) (2013)
- 16. Iwata, T., Yasuda, K.: BTM: a single-key, inverse-cipher-free mode for deterministic authenticated encryption. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 313–330. Springer, Heidelberg (2009)
- 17. Iwata, T., Yasuda, K.: HBS: a single-key mode of operation for deterministic authenticated encryption. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 394–415. Springer, Heidelberg (2009)
- 18. Jutla, C.S.: Encryption modes with almost free message integrity. J. Cryptology 21(4), 547–578 (2008)
- 19. Kohno, T.: Attacking and repairing the WinZip encryption scheme. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) ACM Conference on Computer and Communications Security, pp. 72–81. ACM (2004)
- 20. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy and Meier [32], pp. 408–426
- 21. Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011)
- 22. Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012)
- 23. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)
- 24. Minematsu, K.: Parallelizable rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014)
- 25. Nandi, M.: Forging Attack on COBRA. Cryptographic Competitions Google Group (2014). https://groups.google.com/d/msg/crypto-competitions/nhqcgEThcPc/ryvKY7lfMhMJ
- 26. Ristenpart, T., Rogaway, P.: How to enrich the message space of a cipher. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 101–118. Springer, Heidelberg (2007)
- 27. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
- 28. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–359. Springer, Heidelberg (2004)
- 29. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM Conference on Computer and Communications Security, pp. 196–205. ACM (2001)
- 30. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)
- 31. Rogaway, P., Wooding, M., Zhang, H.: The security of ciphertext stealing. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 180–195. Springer, Heidelberg (2012)
- 32. Roy, B., Meier, W. (eds.): FSE 2004. LNCS, vol. 3017. Springer, Heidelberg (2004)
- 33. Whiting, D., Housley, R., Ferguson, N.: AES encryption and authentication using CTR mode and CBC-MAC. IEEE 802.11-02/001r2 (2002)
- 34. Wu, H.: The Misuse of RC4 in Microsoft Word and Excel. Cryptology ePrint Archive, Report 2005/007 (2005)