Advertisement

Pipelineable On-line Encryption

  • Farzaneh Abed
  • Scott Fluhrer
  • Christian ForlerEmail author
  • Eik List
  • Stefan Lucks
  • David McGrew
  • Jakob Wenzel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)

Abstract

Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against malicious message modifications. Unfortunately, all published on-line ciphers so far are either inherently sequential, or lack a CCA-security proof.

This paper introduces POE, a family of on-line ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an \(\epsilon \)-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for different platforms. Moreover, this paper introduces POET, a provably secure on-line AE scheme, which inherits pipelineability and chosen-ciphertext-security from POE and provides additional resistance against nonce-misuse attacks.

Keywords

On-line cipher Chosen-ciphertext security Authenticated encryption 

1 Introduction

Authenticated Encryption (AE) schemes (such as EAX [8], GCM [31], OCB [28], etc.) perform an authentication check on the entire ciphertext before they output a decrypted message. This practice is inherent in the idea of authenticated encryption and part of its strength. However, it is incompatible with settings that pose demanding performance requirements (e.g., high speed, low latency, long messages).

One example for such settings are Optical Transport Networks (OTNs) [24], in which the links between multiple network channels must be capable of transmitting, multiplexing, and switching between immense data streams in a fast and secure manner. OTNs are characterized by high throughput rates of up to 100 Gbps, low latencies in the order of a few clock cycles, and large message frames of up to 64 kB. At that size, a mode of operation of a 128-bit block cipher would require over 4,096 clock cycles to complete a decryption—which exceeds the allowed latency in OTN systems by far.

In such uses of AE, implementations have to pass along (part of) a decrypted message before validating its authenticity; if the message later turns out to be invalid, this fact will be discovered and reported, but only after some information has been leaked. The literature calls this practice decryption misuse [19], and describes severe vulnerabilities for conventional AE schemes. A chosen-ciphertext adversary can exploit it to determine unknown plaintexts, or to introduce forged message fragments that may get passed to the application and are processed before the authentication check is completed. As a consequence, common existing AE schemes do not suit well in this environment. To overcome this issue, this work considers authenticated encryption schemes that provide robustness against decryption misuse through on-line chosen-ciphertext security (OPRP-CCA) [5]. Implementations of AE schemes that allow decryption misuse abound, even when latency is not a consideration. For example, many software libraries provide access to encryption and decryption operations through a stream-oriented interface that consists of functions for initialization, updating, and finalization. In these interfaces the decrypt-update function can be called multiple times.1 Every invocation of this function performs decryption misuse, because it releases the would-be plaintext before completing the authentication check. This type of interface is incompatible with existing authenticated encryption schemes. But its use is widespread, well-established and will not easily go away.

Decryption-Misuse Resistance. An encryption scheme is called non-malleable if any change to a ciphertext causes its entire post-decryption plaintext to be pseudorandom [18]. We call such a scheme decryption-misuse-resistant since the decryption of manipulated ciphertext results in uncontrollable random noise. Unfortunately, non-malleability and on-line encryption are mutually exclusive: if an adversary manipulates the \(i\)-th block of a ciphertext, an on-line encryption scheme leaves the previous \((i-1)\) blocks unchanged. But OPRP-CCA-security is the strongest form of non-malleability and decryption-misuse resistance an on-line cipher can provide: if an adversary manipulates the \(i\)-th block, all plaintext blocks starting from the \(i\)-th one will become pseudorandom.

The concept of decryption-misuse-resistant AE schemes is controversial. During the Dagstuhl Seminar on Symmetric Cryptography in January 2014 some researchers were worried about the risk of advertising decryption-misuse resistance as a feature for AE schemes since it could invite application programmers to improperly implement authenticated decryption. Of course, misuse must be avoided where possible, e.g., by user education. Nevertheless, decryption misuse is common in practice,2 as our example of OTNs illustrates. The choice for the cryptograph is to either deal with decryption misuse, or to abandon AE completely.

Support for Intermediate Tags. Beyond limiting the harm of decryption misuse OPRP-CCA-secure on-line ciphers allow another desirable feature: Intermediate tags [9] allow the receiver to early detect if parts of a decrypted message are invalid—which is handy when authenticating large messages. They can be integrated easily into an OPRP-CCA-secure on-line cipher by adding some form of well-formed redundancy (e.g., fixed constants or non- cryptographic checksums) to the plaintexts. For example, the headers of IP, TCP, or UDP [36, 37, 38] packets already contain a 16-bit checksum each, which is verified by the receiver and/or network routers. In OTNs, a single 64-kB message frame consists of multiple IP packets. Due to the low-latency constraints, receiving routers cannot buffer incoming messages until the authentication check has finished and must forward the first packets to their destination. However, they can test the packets’ checksums to detect forgery attempts early. Hence, OPRP-CCA-security ensures that false TCP/IP packets only pass with probability of at most \(2^{-16}\).

Previous Work and Contributions. An ideal on-line cipher should be both IND-CCA-secure and non- sequential, i.e., parallelizable or pipelineable.3 Already in 1978 Campbell published an early on-line cipher, called Infinite Garble Extension (IGE), which is far from complying with current security goals. In 2000 Knudsen [26] proposed his Accumulated Block Chaining (ABC) mode. In their landmark paper from 2001 Bellare et al.  [5] coined the term of and security notions for on-line ciphers, and presented two instances, HCBC-1 and HCBC-2, based on the combination of a block cipher and a keyed hash function. Both constructions are inheritly sequential—HCBC-2 was slightly slower than HCBC-1, but provided additional IND-CCA-security. In 2002 Rivest, Liskov and Wagner [29, 30] presented a non-sequential, tweakable on-line cipher, called TIE. However, TIE could not provide CCA-security due to a counter-based tweak input. In 2003 Halevi and Rogaway [22] proposed the EME approach (encryption-mix-encryption), which has inspired several on-line cipher designs since then. EME is a symmetric design concept that consists of five layers: an initial whitening step, an ECB layer, a linear mixing, a second ECB layer, and a final whitening. In 2004 Boldyrea and Taseombut [11] proposed security notions for on-line authenthentication ciphers, and the HPCBC mode as an instantiation. In 2007 and 2008 Nandi proposed further on-line ciphers similar to that of Bellare et al.  [32, 33]. In the same year the IEEE standardized the XTS [23] mode of operation for disk encryption; however, which also lacked CCA-security. In 2011 Rogaway and Zhang [41] described methods to construct secure on-line ciphers from tweakable block ciphers. However, it is easy to see that all mentioned schemes until here are either inherently sequential or CCA-insecure. Table 1 shows a summarized classification.
Table 1.

Classification of on-line encryption schemes.

 

Sequential

Non-sequential

CCA-insecure

ABC [26], CBC [34], CFB [34], HCBC-1 [5], IGE [12], OFB [34], TC [30], TC1 [41]

COPE [3], CTR [17], ECB [34], TIE [30], XTS [23]

CCA-secure

APE(X) [4], CMC [21], HCBC-2 [5], MCBC [33], McOE  [19], MHCBC [33], TC2/3 [41]

POE

Contribution. This paper introduces the Pipelineable On-line Encryption (POE, hereafter) family of on-line ciphers, which consists of an ECB layer that is wrapped by two chaining layers of a keyed family of \(\epsilon \)-AXU hash functions. The resulting construction is provably IND-CCA-secure and pipelineable, i.e., POE allows to process neighboring input blocks efficiently. To address different platforms, this work proposes three instantiations of POE, based on the AES as cipher and different families of universal hash functions. Furthermore, we show that POE can be easily transformed into an OPRP-CCA-secure, robust on-line AE (OAE) scheme, called Pipelineable On-line Encryption with Tag (POET hereafter), using well-studied methods from [19].

Recent Related Work. To the best of our knowledge, only four nonce-misuse-resistant OAE schemes were published prior to this work:4 (1) McOE  [19], (2) APE(X) [4], (3) COPA [3], and (4) ELmE [15]. McOE is a TC3-like design that was introduced at FSE 2012, and pioneered nonce-misuse resistance as a considerable feature for OAE schemes; APE(X), COPA, and ELmE are recent designs, where APE(X) bases on the Sponge, and COPA as well as ELmE on the EME design. McOE and APE(X) provide OPRP-CCA-security, but work inherently sequential, COPA and ELmE are parallelizable, and may outperform POET when running on high- end hardware or multi-core systems. However, the EME structure implies that both require two block-cipher calls for each message block, whereas POE and POET employ only a single cipher and two hash-function calls. Hence, we expect POET to perform better than EME-based designs on medium- and low-end systems with few cores and no native AES instructions. Moreover, we illustrate in Appendix A that EME- based designs lose the OPRP-CCA-security in the decryption-misuse setting, which disqualifies COPA and ELmE for the OTN application scenario. More generally, Datta and Nandi [16] showed recently that EME constructions with linear mixing can not provide IND-CCA-security. Therefore, POET represents the first non-sequential OAE scheme with resistance against both nonce and decryption misuse.

Outline. The remainder of this work is structured as follows. Section 2 recalls the preliminary information about universal hash functions, on-line ciphers, and AE schemes that is necessary for this work. In Sect. 3, we propose the POE family of on-line ciphers and prove its security against chosen-plaintext and chosen-ciphertext attacks. Thereupon, Sect. 4, introduces POET, and provides a proof for the security against chosen-ciphertext attacks. Section 5 proposes three practical instantiations for POE and POET. Finally, we draw a conclusion in Sect. 6.

2 Preliminaries

This section revisits the well- known definitions of universal hash-function families from Carter and Wegman [13, 43], as well as notions for on-line ciphers from Bellare et al. [5, 6]. Prior, Table 2 summarizes the general notions.
Table 2.

Notions used throughout this paper.

\(N\)

Nonce (initial value)

\(M\)

Plaintext message

\(C\)

Ciphertext

\(K\)

User-given secret key

\(|X|\)

Length of \(X\) in bits

\(n \)

Block length in bits

\(k \)

Key length in bits

\(X_i\)

\(i\)-th block of a value \(X\)

\(X \ ||\ Y\)

Concatenation of two values \(X\) and \(Y\)

\(\mathcal {X} \)

Set \(X\)

\(X \xleftarrow {\$} \mathcal {X} \)

\(X\) is a uniformly at random chosen sample from \(\mathcal {X}\).

2.1 Notions for Universal Hash Functions

Definition 1

( \(\varvec{\epsilon }\) -Almost-(XOR-)Universal Hash Functions). Let \(m, n \ge 1\) be integers. Let \(\mathcal {H} = \lbrace H: \{0,1\}^{m} \rightarrow \{0,1\}^{n} \rbrace \) be a family of hash functions. We call \(\mathcal {H} \) \(\epsilon \) -almost-universal (\(\epsilon \)-AU) if for all \(X, X' \in \{0,1\}^{m}\), \(X \ne X'\):
$$ \mathop {\mathrm{Pr}}\limits _{H}[H \xleftarrow {\$} \mathcal {H} :\ H(X) = H(X')] \le \epsilon . $$
We call \(\mathcal {H} \) \(\epsilon \) -almost-XOR-universal (\(\epsilon \)-AXU) if for all \(X, X' \in \{0,1\}^{m}\), \(Y \in \{0,1\}^{n}\), \(X \ne X'\):
$$ \mathop {\mathrm{Pr}}\limits _{H}[H \xleftarrow {\$} \mathcal {H} :\ H(X) \oplus H(X') = Y] \le \epsilon . $$

Boesgaard et al.  [10] showed that an \(\epsilon \)-AXU family of hash functions can be reduced to a family of \(\epsilon \)-AU hash functions by the following theorem:

Theorem 1

(Theorem 3 from [10]). Let \(m, n \ge 1\) be integers. Let \(\mathcal {H} = \lbrace H: \{0,1\}^{m} \rightarrow \{0,1\}^{n} \rbrace \) be a family of \(\epsilon \)-AXU hash functions. Then, the familiy \(\mathcal {H} ' = \lbrace H': \{0,1\}^{m} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n} \rbrace \) with \(H'(X, Y) = H(X) \oplus Y\) is \(\epsilon \)-AU.

2.2 Notions for On-line Ciphers

Block Ciphers. A block cipher is a keyed family of \(n \)-bit permutations \(E {:} \{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) which takes a \(k \)-bit key \(K\) and an \(n \)-bit message \(M\) and outputs an \(n\)-bit ciphertext \(C\). We define \({\mathtt{Block}}(k, n)\) as the set of all \((k, n)\)-bit block ciphers for \(n > 0\). For any \(E \in {\mathtt{Block}}(k, n) \) and a fixed key \(K \in \{0,1\}^{k}\), the encryption of a message \(M\) is defined by \(E _{K}(M)\), and the decryption is defined as the inverse function, i.e., \(E ^{-1}_{K}(M)\). For any key \(K \in \{0,1\}^{k}\), it applies that \(E ^{-1}_K (E _K (M)) = M \).

Definition 2

(On-line Cipher). Let \(k, n \ge 1\) be integers and let \(\varGamma : \{0,1\}^{k} \times \left( \{0,1\}^{n}\right) ^* \rightarrow \left( \{0,1\}^{n}\right) ^*\) be a keyed family of \(n \)-bit permutations which takes a \(k \)-bit key \(K\) and a message \(M\) of an arbitrary number of \(n \)-bit blocks, and outputs a ciphertext \(C\) consisting of the same number of \(n \)-bit blocks as \(M\). We call \(\varGamma \) an on-line cipher iff the encryption of message block \(M _i\), for all \(i \in [1, |M |/n ]\), depends only on the blocks \(M _{1}\), ..., \(M _{i}\).

A secure cipher should behave like a random permutation. It is easy to see that on-line ciphers cannot guarantee this property since the encryption of message block \(M _i\) does not depend on \(M _{i + 1}\). The on-line behavior implies that two messages \(M, M '\) that share an \(m\)-block common prefix are always encrypted to two ciphertexts \(C, C '\) that also share an \(m\)-block common prefix. Hence, an on-line cipher \(\varGamma \) is called secure iff no ciphertext reveals any further information about a plaintext than its length and the longest common prefix with previous messages. For a formal definition of the longest common prefix of two messages, we refer to  [19].

Definition 3

(On-line Permutation). Let \(i, j, \ell , n \ge 1\) be integers. Let \(F_i: \left( \{0,1\}^{n}\right) ^i \rightarrow \{0,1\}^{n}\) be a family of indexed \(n \)-bit permutations, i.e., for a fixed index \(j \in \left( \{0,1\}^{n}\right) ^{i - 1}\) it applies that \(F_i(j, \cdot )\) is a permutation. We define an \(n \)-bit on-line permutation \(P: \left( \{0,1\}^{n}\right) ^\ell \rightarrow \left( \{0,1\}^{n}\right) ^\ell \) as a composition of \(\ell \) permutations \(F_1 \cup F_2 \cup \ldots \cup F_\ell \). An \(\ell \)-block message \(M = (M _1, \ldots , M _\ell )\) is mapped to an \(\ell \)-block output \(C = (C _1, \ldots , C _\ell )\) by
$$ C _i = F_i(M _1 \ ||\ \ldots \ ||\ M _{i-1}, M _i), \quad \forall i \in [1, \ell ]. $$

Remark 1

For any two \(\ell \)-block inputs \(M, M '\), with \(M \ne M '\), that share an exactly \(m\)-block common prefix \(M _1 \ ||\ \ldots \ ||\ M _m\), the corresponding outputs \(C = P (M), C ' = P (M ')\) satisfy \(C _i = C '_i\) for all \(i \in [1, m]\) and \(m \le \ell \). However, it applies that \(C _{m+1} \ne C '_{m+1}\), and all further blocks \(C _i, C '_i\), with \(i \in [m + 2, \ell ]\), are likely to be different.

In the following, we denote by \(\mathsf{OPerm }_{n}\) the set of all \(n \)-bit on-line permutations. Furthermore, we denote by \(P \xleftarrow {\$} \mathsf{OPerm }_{n} \) that \(P\) is chosen as a random on-line permutation. Note that a random on-line permutation can be efficiently implemented by lazy-sampling.

On-line Authenticated Encryption Scheme (With Associated Data). An authenticated encryption scheme is a triple \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\). \(\mathcal {K}\) denotes a key-generation procedure that returns a randomly chosen key \(K\); the encryption algorithm \(\mathcal {E} _\mathcal {K} (H, M)\) and its inverse decryption algorithm \(\mathcal {D} _\mathcal {K} (H, C, T)\) are deterministic algorithms, where \(H\) denotes the header, \(M\) the message, \(T\) the authentication tag, and \(C\) the ciphertext, with \(H, M, C \in \left( \{0,1\}^{n}\right) ^{*}\) and \(T \in \{0,1\}^{n}\). We define that the final header block is a nonce. \(\mathcal {E}\) always outputs a ciphertext \(C\), and \(\mathcal {D}\) outputs either the plaintext \(M\) that corresponds to \(C\), or \(\bot \) if the authentication tag \(T\) is invalid. Note that we call an authenticated encryption scheme \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) on-line if \(\mathcal {E} \) is an on-line cipher and \(\mathcal {D} \) is its inverse operation.

3 The On-line Cipher POE

This section introduces the POE family of on-line ciphers and shows that it is secure against chosen-plaintext and chosen-ciphertext attacks.

3.1 Definition of POE

Definition 4

( POE ). Let \(k, n \ge 1\) be integers, \(E\): \(\{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) a block cipher, and \(F: \{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) a family of keyed \(\epsilon \)-AXU hash functions. Furthermore, let \(F_i : \{0,1\}^{ni} \rightarrow \{0,1\}^{n}\) be \(i\epsilon \)-AXU family of hash functions defined as follows:
$$ F _0 = F (1); \quad F _i(M) = F (F _{i-1}(M _1, \ldots , M _{i-1}) \oplus M _i) \qquad i \in \mathbb {N^+}. $$
Let \(K, K _1, K _2 \in \{0,1\}^k \) denote three pair-wise independent keys. Then, we define the encryption of POE and its inverse as shown in Algorithm 1.
A schematic illustration of the encryption algorithm is given in Fig. 1.
Fig. 1.

The encryption process for an \(m\)-block message \(M\) with POE.

3.2 Security Notions for On-line Ciphers

The IND-SPRP-security of a block cipher \(E\) is defined by the success probability of an adversary \(\mathcal {A}\) to distinguish the output of \(E, E ^{-1}\) from that of an \(n\)-bit random permutation \(\pi \).

Definition 5

( IND-SPRP -Security). Let \(E \in {\mathtt{Block}}(k, n) \) denote a block cipher and \(E ^{-1}\) its inverse. Let \(\mathsf{Perm }_{n}\) be the set of all \(n\)-bit permutations. The IND-SPRP advantage of \(\mathcal {A}\) against \(E\) is then defined by
$$ \mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(\mathcal {A}) \,\le \, \left| \Pr \left[ \mathcal {A} ^{E (\cdot ), E ^{-1}(\cdot )} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{\pi (\cdot ), \pi ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!, $$
where the probabilities are taken over \(K \xleftarrow {\$} \{0,1\}^{k} \) and \(\pi \xleftarrow {\$} \mathsf{Perm }_{n} \). We define \(\mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(q, t)\) as the maximum advantage over all IND-SPRP-adversaries \(\mathcal {A}\) on \(E\) that run in time at most \(t\) and make at most \(q\) queries to the available oracles.

We borrow the OPRP-CCA notion from Bellare et al. [5, 6]. The OPRP-CCA-security specifies the maximal advantage of an adversary \(\mathcal {A}\) with access to an encryption and decryption oracle to distinguish the outputs of a on-line cipher \(\varGamma \) under a randomly chosen key \(K\) from that of a random permutation.

Definition 6

( OPRP-CCA -Security). Let \(K \) a \(k\)-bit key, \(P\) a random on-line permutation, and \(\varGamma \): \(\{0,1\}^{k} \times \left( \{0,1\}^{n}\right) ^* \rightarrow \left( \{0,1\}^{n}\right) ^*\) be an on-line cipher. Then, we define the OPRP-CCA-advantage of an adversary \(\mathcal {A}\) by
$$\begin{aligned} \mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\varGamma }(\mathcal {A}) = \left| \Pr \left[ \mathcal {A} ^{\varGamma _K (\cdot ),\varGamma ^{-1}_K (\cdot )} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| , \end{aligned}$$
(1)
where the probabilities are taken over \(K \xleftarrow {\$} \mathcal {K} \) and \(P \xleftarrow {\$} \mathsf{OPerm }_{n} \). Further, we define \(\mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\varGamma }(q, \ell , t)\) as the maximum advantage over all adversaries \(\mathcal {A}\) that run in time at most \(t\), and make at most \(q\) queries of total length of at most \(\ell \) blocks to the available oracles.

Bellare and Namprempre showed in [7] that IND-CCA-security implies non-malleable chosen-ciphertext-security (NM-CCA). Hence, OPRP-CCA implies weak non-malleability, i.e., an adversary that manipulates the \(i\)-th ciphertext block cannot distinguish the \((i+1)\)-th, \((i+2)\)-th,...ciphertext blocks of \(\varGamma \) from random.

3.3 OPRP-CCA-Security of POE

Theorem 2

Let E: \(\{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) be a block cipher and \(E ^{-1}\) its inverse operation. Let \(\pi \xleftarrow {\$} \mathsf{Perm }_{n} \) denote an \(n \)-bit random permutation that was chosen uniformly from random, and let \(\pi ^{-1}\) denote its inverse. Then, it holds that
$$\begin{aligned} \mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\mathsf{POE } _{E,E ^{-1}}} (q, \ell , t) \,\le \, \ell ^2\epsilon + \frac{\ell ^2}{2^n-\ell } + \mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(\ell , \text {O}(t)). \end{aligned}$$
(2)

Proof

Let \(\mathcal {A}\) be an OPRP-CCA-adversary with access to an oracle \(\mathcal {O} \), which responds either with real encryption/decryptions using \(\mathsf{POE } _{E _K, E _K ^{-1}}\) or a random on-line permutation \(P\), as given in Definition 6. We say that \(\mathcal {A}\) collects its queries and the corresponding oracle response as tuples \((M, C)\) in a query history \(\mathcal {Q}\). Wlog., we assume that \(\mathcal {A}\) will not make queries to which it already knows the answer.

It is easy to see that we can rewrite Eq. (1) as (cf. [19], Sect. 4):
$$\begin{aligned} \mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\mathsf{POE } _{E,E^{-1}}}(\mathcal {A}) \le&\left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{E},\mathsf{POE }^{-1}_{E^{-1}}} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\right] \right| \end{aligned}$$
(3)
$$\begin{aligned}&+ \left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!. \end{aligned}$$
(4)
It is easy to see that Eq. (3) can be upper bounded by
$$ \mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(\ell , \text {O}(t)). $$
It remains to study the difference in (4), which refers to the advantage of \(\mathcal {A}\) to distinguish POE instantiated with an \(n\)-bit random permutation \(\pi \) from \(P\). We can identify two cases from the structure of POE: (1) collisions between internal values of POE occur (COLL), or (2) no collisions occur (NOCOLL). From the law of total probability follows that we can rewrite (4) as
$$\begin{aligned}&\left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \\ \,\le \,&\Pr \left[ \text {COLL} \right] \cdot \Pr \left[ \text {COLLWIN} \right] + \Pr \left[ \lnot \,\text {COLL} \right] \cdot \Pr \left[ \text {NOCOLLWIN} \right] , \end{aligned}$$
with
$$\begin{aligned} \Pr \left[ \text {COLLWIN} \right]&= \left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\,|\,\text {COLL} \right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!, \\ \Pr \left[ \text {NOCOLLWIN} \right]&\!=\! \left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\,|\,\lnot \,\text {COLL} \right] \!-\! \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!. \end{aligned}$$
For the sake of simplicity, we upper bound \(\Pr \left[ \text {COLLWIN} \right] \) and \(\Pr \left[ \lnot \,\text {COLL} \right] \) by 1. Thus, we only have to look at \(\Pr \left[ \text {COLL} \right] \) and \(\Pr \left[ \text {NOCOLLWIN} \right] \).
Case 1: \(\mathbf {COLL}\) . In this case, \(\mathcal {A}\) tries to distinguish POE from random by exploiting some collision between internal values. Since \(\pi \) is a random permutation, any fresh (i.e., not previously queried) input to \(\pi (\cdot )\) or \(\pi ^{-1}(\cdot )\) produces a random output and therefore:
  1. 1.

    For any fresh \(X_i\), the result of \(\pi (X_i) \oplus F _{K _2}(Y_{i-1})\) will be random.

     
  2. 2.

    For any fresh \(Y_i\), the result of \(\pi ^{-1}(Y_i) \oplus F _{K _1}(X_{i-1})\) will be random.

     
We obtain two possible subcases: a collision between internal values in the top row occurred (\(\text {COLL}_\mathrm{top} \)), or a collision between in internal values in the bottom row occurred (\(\text {COLL}_\mathrm{bot} \)). COLL then represents the event that either (or both) subcases occurred.
$$ \text {COLL} \,=\, \text {COLL}_\mathrm{top} \,\vee \, \text {COLL}_\mathrm{bot}. $$
Subcase 1.1: \(\mathbf {COLL_{top}}\) . By an internal collision in the top row, we refer to the event that \(X_i = X'_j\) for two distinct tuples \((X_{i-1}, M _i)\) and \((X'_{j-1}, M '_j)\), with \(i,j \ge 1\):
$$ X_i = F _{K _1}(X_{i-1}) \oplus M _i, \quad \text {and} \quad X'_j = F _{K _1}(X'_{j-1}) \oplus M '_j. $$
Since \(F\) is an \(\epsilon \)-AXU family of hash functions, the family \(F '\) of hash functions
$$ F '_{K _1}(X_{i-1}, M _i) \,:=\, F _{K _1}(X_{i-1}) \oplus M _i $$
is \(\epsilon \)-AU (cf. Theorem 1). Thus, the probability of a top-row collision for at most \(\ell \) queried message blocks can be upper bounded by
$$ \Pr \left[ \text {COLL}_\mathrm{top} \right] \,=\, \frac{\ell (\ell - 1)}{2} \cdot \epsilon \,\le \, \frac{\ell ^2}{2}\epsilon . $$
Subcase 1.2: \(\mathbf {COLL_{bot}}\) . We define a bottom-row collision as the event that two distinct tuples \((Y_{i-1}, C _i)\) and \((Y'_{j-1}, C'_j)\) produce the same values \(Y_i = Y'_j\), with
$$ Y_i = F _{K _2}(Y_{i-1}) \oplus E _K (X_i), \quad \text {and} \quad Y'_j = F _{K _2}(Y'_{j-1}) \oplus E _K (X'_j). $$
Due to the symmetric structure of POE, the analysis for bottom-row collisions is similar to that of top-row collisions. Thus, the probability for this event can also be upper bounded by
$$ \Pr \left[ \text {COLL}_\mathrm{bot} \right] = \frac{\ell (\ell - 1)}{2} \cdot \epsilon \,\le \, \frac{\ell ^2}{2}\epsilon . $$
Hence, we can upper bound \(\Pr \left[ \text {COLL} \right] \,\le \, \Pr \left[ \text {COLL}_\mathrm{top} \right] + \Pr \left[ \text {COLL}_\mathrm{top} \right] \le \ell ^{2}\epsilon .\)

Case 2: \(\mathbf {NOCOLLWIN}\) . Next, we regard the case that \(\mathcal {A}\) shall distinguish \((\mathsf{POE }_{\pi }, \mathsf{POE }^{-1}_{\pi ^{-1}})\) from \((P (\cdot ), P ^{-1}(\cdot ))\) when no internal collisions occur. We can generalize that each pair of tuples \((M, C),(M ', C ')\in \mathcal {Q} \) shares a common prefix of 0 to \(\min (|M |, |M '|)/n \) blocks. Wlog., say that the pair \(M, M ' \in \mathcal {Q} \) shares an \(i\)-block common prefix, i.e., \(M _j = M '_j\), \(\forall j \in [1,i]\), and \(M _{i+1} \ne M '_{i+1}\). In the following, we study the difference in the behavior of POE and \(P\) for three subcases: (2.1) for the message blocks in the common prefix, \(M _1,\ldots ,M _i\), (2.2) for the \((i+1)\)-th block, or (2.3) for the message blocks after the \((i+1)\)-th one.

Subcase 2.1: Common Prefix. Since an OPERM is deterministic, input and output behaviors of \((\mathsf{POE }_{\pi }, \mathsf{POE }^{-1}_{\pi ^{-1}})\) and \((P {\cdot }, P ^{-1}(\cdot ))\) are identical for the common prefix. Hence, the advantage for \(\mathcal {A}\) in this subcase is 0.

Subcase 2.2: Directly After the Common Prefix. Since \(M_j = M '_j\), \(\forall j \in [1,i]\), it must hold in the real case that \(Y_i = Y'_i\) and \(X_i = X'_i\). From \(M _{i+1} \ne M '_{i+1}\) follows
$$ C _{i+1} \,=\, \pi (F _{K _1}(X_{i}) \oplus M _{i+1}) \oplus F _{K _2}(Y_i) \,\ne \, \pi (F _{K _1}(X'_{i}) \oplus M '_{i+1}) \oplus F _{K _2}(Y'_i) \,=\, C '_{i+1}. $$
Since \(\pi \) is a random permutation, \(C _{i+1}\), \(C '_{i+1}\) are chosen uniformly at random in the real case. In the random case \(P \) is used with two different prefixes \(M _1\ ||\ \ldots \ ||\ M _{i+1}\) and \(M '_1\ ||\ \ldots \ ||\ M '_{i+1}\). Since \(P \) is an OPERM, \(C _{i+1} \ne C '_{i+1}\) also must hold in this case. Hence, the advantage for \(\mathcal {A}\) in this subcase is also 0.
Subcase 2.3: After the \((i+1)\)-th Message Block. In the random case, each query output is chosen uniformly at random from \(\{0,1\}^{n}\). However, in the real world each output of either an encryption or a decryption query is chosen uniformly at random from the set \(\{0,1\}^{n} \setminus \mathcal {Q}\). This means that in the real case POE loses randomness with every query. We can upper bound the success probability of an adversar to distinguish POE from a random OPERM by
$$ \frac{\ell ^2}{2^n-\ell }. $$
Our claim in Eq. (2) follows from summing up the individual terms.     \(\square \)

4 The On-line AE Scheme POET

For McOE, Fleischmann et al.  [19] showed that an OPRP-CCA-secure on-line cipher can be easily transformed into an on-line AEAD scheme that is resistant against nonce and decryption misuse. This section shows how to apply their approach to transform POE into a nonce- misuse-resistant AE scheme for messages whose lengths are a multiple of the block length.

4.1 Definition of POET

Definition 7

( POET ). Let \(k, n \ge 1\) be integers. Let \(\mathsf{POET } = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) be an AE scheme, E: \(\{0,1\}^{k} \times \{0,1\}^{*} \rightarrow \{0,1\}^{*}\) a block cipher, and F: \(\{0,1\}^{n} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) a family of keyed \(\epsilon \)-AXU hash functions. Furthermore, let \(F_i\): \(\{0,1\}^{ni} \rightarrow \{0,1\}^{n}\) be \(i\epsilon \)-AXU family of hash functions defined as follows:
$$ F_0= F(1); \quad F _i(M) = F (F _{i-1}(M _1,\ldots ,M _{i-1}) \oplus M _i) \qquad i \in \mathbb {N^+}.$$
Let \(H\) be the header (including the nonce as its final block), \(M\) the message, \(T\) the authentication tag, and \(C\) the ciphertext, with \(H, M, C \in \left( \{0,1\}^{n}\right) ^{*}\) and \(T \in \{0,1\}^{n}\). Then, we define encryption and decryption algorithms of POET as shown in Algorithm 2.

A schematic illustration of the encryption algorithm is given in Fig. 2.

Remark 2

POET uses the common 10*-padding for headers \(|H |\) whose length is not a multiple of \(n\). As a result, \(H\) consists of at least a single block, and the entire header can be seen as a nonce. For messages whose length is not a multiple of the block size, POET borrows the provably secure tag-splitting approach from McOE  [19]. Therefore, it is sufficient to prove the OCCA3-security only for messages whose length is a multiple of the block size.

Fig. 2.

The encryption process for an \(m\)-block message \(M\) of POET.

4.2 Security Notions for On-line AE Schemes

We define an on-line authenticated encryption scheme \(\varPi \) to be OCCA3-secure iff it provides both OPRP-CPA and INT-CTXT security. Note that we explicitly regard nonce-ignoring adversaries which are allowed to use a nonce multiple times, similar to the security notions of integrity for authenticated encryption schemes in [19]. In the next part, we briefly revisit the formal definitions of INT-CTXT and OCCA3.

The INT-CTXT-advantage of an adversary \(\mathcal {A}\) is given by the success probability of winning the game \(G _{\mathsf{INT-CTXT }}\) that is defined in Fig. 3. Thus, we obtain
$$\begin{aligned} \mathbf {{Adv}}^{\mathsf{INT-CTXT }}_{\varPi }(\mathcal {A}) \,\le \, \Pr \left[ \mathcal {A} ^{G _{\mathsf{INT-CTXT }}} \Rightarrow 1\right] , \end{aligned}$$
(5)
where \(\mathbf {{Adv}}^{\mathsf{INT-CTXT }}_{\varPi }(q, \ell , t)\) is the maximum advantage over all INT-CTXT adversaries \(\mathcal {A}\) that run in time at most \(t\), and make at most \(q\) queries with a total length of at most \(\ell \) blocks to the available oracles.
Fig. 3.

The \(G _{\mathsf{INT-CTXT }}\) game for an authenticated encryption scheme \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\).

Definition 8

( OCCA3 -Security). Let \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) be an on-line authenticated encryption scheme. Then, the OCCA3-advantage of an adversary \(\mathcal {A}\) is upper bounded by
$$\begin{aligned} \mathbf {{Adv}}^{\mathsf{OCCA3 }}_{\varPi }(\mathcal {A}) \,\le \, \mathbf {{Adv}}^\mathsf{OPRP-CPA }_{\varPi }(q, \ell , t) + \mathbf {{Adv}}^{\mathsf{INT-CTXT }}_{\varPi }(q, \ell , t). \end{aligned}$$
(6)
The OCCA3-advantage of \(\varPi \), \(\mathbf {{Adv}}^{\mathsf{OCCA3 }}_{\varPi }(q, \ell , t)\), is then defined by the maximum advantage of all adversaries \(\mathcal {A}\) that run in time at most \(t\), and make at most \(q\) queries of a total length of at most \(\ell \) blocks to the available oracles.

Note that an OPRP-CPA-adversary \(\mathcal {A}\) on some encryption scheme \(\varGamma \) can always be used by an OPRP-CCA-adversary \(\mathcal {A}\) ’ on \(\varGamma \) that inherits the advantage of \(\mathcal {A}\). In reverse direction, an upper bound for the OPRP-CCA-advantage of \(\varGamma \) is always an upper bound for the OPRP-CPA-advantage of \(\varGamma \).

4.3 OCCA3-Security of POET

Theorem 3

Let \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) be a POET scheme as defined in Definition 7. Then, it applies that
$$ \mathbf {{Adv}}^{\mathsf{OCCA3 }}_{\varPi } (q, \ell , t) \,\le \, 2\left( \ell + 2q \right) ^2 \epsilon + \frac{\left( \ell + 2q \right) ^2 + q}{2^{n} - \left( \ell + 2q \right) } + 2\mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E, E ^{-1}} (\ell + 2q, \text {O}(t)). $$

Proof

The proof follows from Theorem 2 and the bound for the INT-CTXT-security of POET. Due to the lack of space we omit the proof for the latter in this version and refer the reader to Lemma 1 in the full version of this paper [2]. Since Theorem 2 yields an upper bound for the OPRP-CCA-advantage on POE, it also provides an upper bound for the OPRP-CPA-advantage on POET. Though, \(\ell \) (the number of encrypted message and header blocks from Theorem 2) must be replaced by (\(\ell + 2q \)) since the tag-generation process of POET includes two additional block-cipher calls per query.     \(\square \)

5 Key Derivation and Instantiations

5.1 Key Derivation

POE and POET require three internal keys: one key \(K\) for the block cipher, and two keys \(K _1\) and \(K _2\) for the two instances of \(F\). Since our goal was to put no further restrictions on the used hash function families, we borrowed the idea from [25] to obtain pair-wise independent keys. At setup, the user supplies a \(k \)-bit secret key \(L\). The further keys are then derived from \(L\) by encrypting three distinct constants \(const_0\), \(const_1\), \(const_2\) with \(E\):
$$ K \leftarrow E _L (const_0), \qquad K _1 \leftarrow E _L (const_1), \qquad K _2 \leftarrow E _L (const_2). $$
For simplicity, we recommend \(const_0 = 1, const_1 = 2, const_2 = 3\). Therefore, under the assumption that \(E\) is a PRP-secure block cipher, we can ensure to obtain independent keys for the block-cipher and hash-function calls.

5.2 \(\epsilon \)-AXU Hash Functions

We recommend to instantiate POE/POET with AES-128 as block cipher. For the \(\epsilon \)-AXU families of hash functions \(F\), we propose three suitable instantiations in the following.

POE/POET with Four-Round AES. When trying to minimize the implementation footprint, it may be desirable to have an encryption scheme based on only a single primitive. Furthermore, maximizing the throughput is often critical. Therefore, POE/POET with the first four rounds of the AES as a family of keyed hash functions may be an excellent choice for restricted devices and/or devices with support for AES native instructions. The drawback of this solution would be a slightly lower number than the common \(2^{64}\) message blocks that can be processed under the same key. As shown by Daemen et al. in [14], four-round AES is a family of \(\epsilon \)-AXU hash functions—under the reasonable assumption that all used round keys are independent—with
$$ \epsilon \,\le \, 1.88 \cdot 2^{-114} \approx 2^{-113}. $$
This implies that at most \(\ll 2^{56}\) message blocks can be encrypted or decrypted under the same key.

POE/POET with Full-Round AES. As a more conservative variant we propose the full AES-128 for the family of hash functions. Under the common PRF assumption—where we assume that AES is indistinguishable from a random 128-bit permutation, this constructions yields \(\epsilon \approx 2^{-128}\).

POE/POET with Galois-Field Multiplications. In addition, one can use a multiplication in \(GF(2^{128})\), similar to that in AES-GCM [31], as a universal hash function. This approach yields an \(\epsilon \approx 2^{-128}\). Moreover, POE and POET can be fully parallelized with Galois-Field multiplications. For instance, consider a message of at least four blocks, \(M _1 \ ||\ \ldots \ ||\ M _4\). Using Galois- Field multiplications, the input for the second block-cipher call is \(K ^2 + K M _1 + M _2\). Instead of sequentially multiplying with \(K \), adding \(M _3\), multiplying with \(K \) and adding \(M _4\), one can compute in parallel:
  • For the third block-cipher call: \(K \cdot (K ^2 + K M _1 + M _2) + M _3\).

  • For the fourth block-cipher call: \(K ^2 \cdot (K ^2 + K M _1 + M _2) + K M _3 + M _4\).

This approach increases the total number of multiplications, but decreases the latency. Given \(c\) cores, and \(c\) subsequent message blocks to process, this approach reduces the latency from \(c\) hash-function calls to \(O(\log {c})\). This approach is used, e.g., in carry-lookahead adders, GCM [31], or CWC [27].

When using multiplications in \(GF(2^{128})\), one has to consider the risk of weak keys and forgery polynomials. At FSE’12 Saarinen [42] pointed out that, since \(2^{128} - 1\) is not prime and produces \(2^9\) smooth- order multiplicative groups, one can obtain a weak key with probability \(2^{-96}\) that allows to efficiently construct a forgery. Saarinen’s observation was generalized by Procter and Cid at FSE’13 [39] who showed that an adversary can choose an arbitrary message as a polynomial \(q(x)\) with a preferably high degree and no repeated roots. Then, it can create two messages \(M, M'\) that collide with \(p = \frac{\#\text {roots of }q(x)}{2^{128}}\). As a result of their work, any key can be considered potentially weak. After the FSE’14, Abdelraheem et al. [1] applied the observations of Procter and Cid to the version of POET that was submitted to the CAESAR competition, and showed that one could build forgeries for POET with Galois-Field multiplication with success probability between \(2^{-96}\) and \(2^{-66}\). Therefore, we recommend to use (round-reduced) AES for hashing in POET in favor to a Galois-Field multiplication.

6 Conclusion

This paper presented POE, the first family of on-line ciphers which is both non-sequential and provably OPRP-CCA-secure. Its design combines two layers of \(\epsilon \)-AXU hashing and a wrapped layer of ECB encryption.

Most on-line AE schemes have a significant latency since they must buffer a would-be plaintext until the tag has been been verified. The latency can be significantly decreased when the would-be plaintext is passed beforehand – however, this approach raises security issues when applied to AE schemes that lack OPRP-CCA-security, i.e., an adversary could obtain partial control about the would-be plaintext, even when these include additional checksums. On the other hand, previous OPRP-CCA-secure encryption schemes were inherently sequential. POE is well-suited for high-speed networks that require performant, low-latency encryption of large message frames, especially when classical authenticated decryption would increase latency significantly. Our application scenario targets optical transport networks (OTNs), but the latency imposed by authenticated decryption is an issue for other applications as well. In general, POE is an option for such applications.

We proposed three instantiations, where we recommended the AES as block cipher and either four-round AES, full AES, or a multiplication in \(GF(2^{128})\) as \(\epsilon \)-AXU families of hash functions. Additionally, we presented POET, a state-of-the-art on-line authenticated encryption scheme, which inherits the chosen-ciphertext-security and pipelineability from POE. Concluding, POET combines pipelineability with misuse-resistance in a novel way, at the cost of only a single block-cipher and two additional hash-function calls per message block.

Footnotes

  1. 1.

    For example, see the OpenSSL EVP_DecryptUpdate function [44].

  2. 2.

    As is nonce misuse: considering security under nonce-misuse has been a novelty a few years ago [40], but has become an established design goal nowadays.

  3. 3.

    We call an operation \(f\) pipelineable if it can be split into multiple parts \(f = f_2 \circ f_1\), s.t. \(f_1\) can process the \((i+1)\)-th input block before \(f_2\) has finished processing the \(i\)-th block.

  4. 4.

    Regarding the state before the CAESAR submission deadline. The research inspired by the CAESAR competition brought multiple further constructions that can be added to this list, including but not limited to COBRA, ELmD, or AEZ.

Notes

Acknowledgments

We thank all reviewers of the FSE 2014 for their helpful comments and Daniel J. Bernstein and Tetsu Iwata for fruitful discussions. Finally, we thank Jian Guo, Jérémy Jean, Thomas Peyrin, and Lei Wang who pointed out a mismatch between the specified and the analyzed version of POET in the pre-proceedings version [20].

Supplementary material

References

  1. 1.
    Abdelraheem, M.A., Bogdanov, A., Tischhauser, E.: Weak-key analysis of POET. Cryptology ePrint Archive, Report 2014/226 (2014). http://eprint.iacr.org/
  2. 2.
    Abed, F., Fluhrer, S., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: Pipelineable on-line encryption. Cryptology ePrint Archive, Report 2014/297 (2014). http://eprint.iacr.org/
  3. 3.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  4. 4.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE(X): authenticated permutation-based encryption with extended security features. In: Directions in Authenticated Ciphers (2013)Google Scholar
  5. 5.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: On-line ciphers and the hash-CBC constructions. J. Cryptol. 25(4), 640–679 (2012)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  8. 8.
    Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    Boesgaard, M., Christensen, T., Zenner, E.: Badger—a fast and provably secure MAC. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 176–191. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  11. 11.
    Boldyreva, A.,Taesombut, N.: Online encryption schemes: new security notions and constructions. In: Okamoto [35], pp. 1–14Google Scholar
  12. 12.
    Campbell, C.: Design and specification of cryptographic capabilities. In: Proceedings of the Conference on Computer Security and the Data Encryption Standard Held at the National Bureau of Standards in Gaithersburg, NBS Special Publication, Gaithersburg, Md., February 1978. U.S. National Bureau of StandardsGoogle Scholar
  13. 13.
    Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1–2), 85–104 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Datta, N., Nandi, M.: Misuse resistant parallel authenticated encryptions. Cryptology ePrint Archive, Report 2013/767 (2013). http://eprint.iacr.org/
  16. 16.
    Datta, N., Nandi, M.: Characterization of EME with linear mixing. Cryptology ePrint Archive, Report 2014/009 (2014). http://eprint.iacr.org/
  17. 17.
    Diffie, W., Hellman, M.E.: Privacy and authentication: an introduction to cryptography. Proc. IEEE 67, 397–427 (1979). (Invited Paper)CrossRefGoogle Scholar
  18. 18.
    Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  20. 20.
    Guo, J., Jean, J., Peyrin, T., Lei, W.: Breaking POET authentication with a single query. Cryptology ePrint Archive, Report 2014/197 (2014). http://eprint.iacr.org/
  21. 21.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  22. 22.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto [35], pp. 292–304Google Scholar
  23. 23.
    IEEE. IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. IEEE Std. 1619–2007, pp. c1–32 (2008)Google Scholar
  24. 24.
    ITU-T. Interfaces for the Optical Transport Network (OTN). Recommendation G.709/Y.1331, International Telecommunication Union, Geneva, December 2009Google Scholar
  25. 25.
    Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  26. 26.
    Knudsen, L.R.: Block chaining modes of operation. In: Symmetric-Key Block-Cipher Modes of Operation Workshop, October 2000Google Scholar
  27. 27.
    Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  28. 28.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  29. 29.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  30. 30.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  31. 31.
    McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004). http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf
  32. 32.
    Nandi, M.: A Simple Security Analysis of Hash-CBC and a New Efficient One-Key Online Cipher. Cryptology ePrint Archive, Report 2007/158 (2007). http://eprint.iacr.org/
  33. 33.
    Nandi, M.: Two New efficient CCA-secure online ciphers: MHCBC and MCBC. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 350–362. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  34. 34.
    US Department of Commerce. DES Modes of Operation. Technical report FIPS PUB 81, US Department of Commerce/National Bureau of Standards, December 1998Google Scholar
  35. 35.
    Okamoto, T. (ed.): CT-RSA 2004. LNCS, vol. 2964. Springer, Heidelberg (2004) zbMATHGoogle Scholar
  36. 36.
    Postel, J.: User Datagram Protocol. RFC 768 (INTERNET STANDARD), August 1980Google Scholar
  37. 37.
    Postel, J.: Internet Protocol. RFC 791 (INTERNET STANDARD), September 1981. (Updated by RFCs 1349, 2474, 6864)Google Scholar
  38. 38.
    Postel, J.: Transmission Control Protocol. RFC 793 (INTERNET STANDARD), September 1981. (Updated by RFCs 1122, 3168, 6093, 6528)Google Scholar
  39. 39.
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  40. 40.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  41. 41.
    Rogaway, P., Zhang, H.: Online ciphers from tweakable blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  42. 42.
    Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  43. 43.
    Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)CrossRefzbMATHMathSciNetGoogle Scholar
  44. 44.
    Young, E.A., Hudson, T.J.: OpenSSL: The Open Source toolkit for SSL/TLS, September 2011. http://www.openssl.org/

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Farzaneh Abed
    • 1
  • Scott Fluhrer
    • 2
  • Christian Forler
    • 1
    Email author
  • Eik List
    • 1
  • Stefan Lucks
    • 1
  • David McGrew
    • 2
  • Jakob Wenzel
    • 1
  1. 1.Bauhaus-Universität WeimarWeimarGermany
  2. 2.Cisco SystemsSan JoseUSA

Personalised recommendations