Pipelineable Online Encryption
Abstract
Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure online ciphers as a practical alternative to AE schemes, since the former provide some defense against malicious message modifications. Unfortunately, all published online ciphers so far are either inherently sequential or lack a CCA-security proof.
This paper introduces POE, a family of online ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an \(\epsilon\)-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for different platforms. Moreover, this paper introduces POET, a provably secure online AE scheme, which inherits pipelineability and chosen-ciphertext security from POE and provides additional resistance against nonce-misuse attacks.
Keywords
Online cipher · Chosen-ciphertext security · Authenticated encryption
1 Introduction
Authenticated Encryption (AE) schemes (such as EAX [8], GCM [31], OCB [28], etc.) perform an authentication check on the entire ciphertext before they output a decrypted message. This practice is inherent in the idea of authenticated encryption and part of its strength. However, it is incompatible with settings that pose demanding performance requirements (e.g., high speed, low latency, long messages).
One example of such a setting is Optical Transport Networks (OTNs) [24], in which the links between multiple network channels must be capable of transmitting, multiplexing, and switching between immense data streams in a fast and secure manner. OTNs are characterized by high throughput rates of up to 100 Gbps, low latencies in the order of a few clock cycles, and large message frames of up to 64 kB. At that size, a mode of operation of a 128-bit block cipher would require over 4,096 clock cycles to complete a decryption, which exceeds the allowed latency in OTN systems by far.
In such uses of AE, implementations have to pass along (part of) a decrypted message before validating its authenticity; if the message later turns out to be invalid, this fact will be discovered and reported, but only after some information has been leaked. The literature calls this practice decryption misuse [19], and describes severe vulnerabilities for conventional AE schemes. A chosen-ciphertext adversary can exploit it to determine unknown plaintexts, or to introduce forged message fragments that may get passed to the application and are processed before the authentication check is completed. As a consequence, common existing AE schemes are not well suited to this environment. To overcome this issue, this work considers authenticated encryption schemes that provide robustness against decryption misuse through online chosen-ciphertext security (OPRP-CCA) [5].
Implementations of AE schemes that allow decryption misuse abound, even when latency is not a consideration. For example, many software libraries provide access to encryption and decryption operations through a stream-oriented interface that consists of functions for initialization, updating, and finalization. In these interfaces, the decrypt-update function can be called multiple times.^{1} Every invocation of this function performs decryption misuse, because it releases the would-be plaintext before completing the authentication check. This type of interface is incompatible with existing authenticated encryption schemes. But its use is widespread and well-established, and will not easily go away.
Decryption-Misuse Resistance. An encryption scheme is called non-malleable if any change to a ciphertext causes its entire post-decryption plaintext to be pseudorandom [18]. We call such a scheme decryption-misuse-resistant, since the decryption of a manipulated ciphertext results in uncontrollable random noise. Unfortunately, non-malleability and online encryption are mutually exclusive: if an adversary manipulates the \(i\)-th block of a ciphertext, an online encryption scheme leaves the previous \((i-1)\) blocks unchanged. But OPRP-CCA-security is the strongest form of non-malleability and decryption-misuse resistance an online cipher can provide: if an adversary manipulates the \(i\)-th block, all plaintext blocks starting from the \(i\)-th one will become pseudorandom.
The concept of decryption-misuse-resistant AE schemes is controversial. During the Dagstuhl Seminar on Symmetric Cryptography in January 2014, some researchers were worried about the risk of advertising decryption-misuse resistance as a feature for AE schemes, since it could invite application programmers to improperly implement authenticated decryption. Of course, misuse must be avoided where possible, e.g., by user education. Nevertheless, decryption misuse is common in practice,^{2} as our example of OTNs illustrates. The choice for the cryptographer is either to deal with decryption misuse or to abandon AE completely.
Support for Intermediate Tags. Beyond limiting the harm of decryption misuse, OPRP-CCA-secure online ciphers allow another desirable feature: intermediate tags [9] allow the receiver to detect early whether parts of a decrypted message are invalid, which is handy when authenticating large messages. They can be integrated easily into an OPRP-CCA-secure online cipher by adding some form of well-formed redundancy (e.g., fixed constants or non-cryptographic checksums) to the plaintexts. For example, the headers of IP, TCP, or UDP [36, 37, 38] packets each already contain a 16-bit checksum, which is verified by the receiver and/or network routers. In OTNs, a single 64-kB message frame consists of multiple IP packets. Due to the low-latency constraints, receiving routers cannot buffer incoming messages until the authentication check has finished and must forward the first packets to their destination. However, they can test the packets' checksums to detect forgery attempts early. Hence, OPRP-CCA-security ensures that false TCP/IP packets pass only with probability at most \(2^{-16}\).
[Figure: Classification of online encryption schemes.]
Contribution. This paper introduces the Pipelineable Online Encryption (POE, hereafter) family of online ciphers, which consists of an ECB layer that is wrapped by two chaining layers of a keyed family of \(\epsilon\)-AXU hash functions. The resulting construction is provably IND-CCA-secure and pipelineable, i.e., POE allows neighboring input blocks to be processed efficiently. To address different platforms, this work proposes three instantiations of POE, based on AES as the cipher and different families of universal hash functions. Furthermore, we show that POE can be easily transformed into an OPRP-CCA-secure, robust online AE (OAE) scheme, called Pipelineable Online Encryption with Tag (POET, hereafter), using well-studied methods from [19].
Recent Related Work. To the best of our knowledge, only four nonce-misuse-resistant OAE schemes were published prior to this work:^{4} (1) McOE [19], (2) APE(X) [4], (3) COPA [3], and (4) ELmE [15]. McOE is a TC3-like design that was introduced at FSE 2012 and pioneered nonce-misuse resistance as a considerable feature for OAE schemes; APE(X), COPA, and ELmE are recent designs, where APE(X) is based on the sponge, and COPA as well as ELmE on the EME design. McOE and APE(X) provide OPRP-CCA-security, but work inherently sequentially; COPA and ELmE are parallelizable and may outperform POET when running on high-end hardware or multi-core systems. However, the EME structure implies that both require two block-cipher calls for each message block, whereas POE and POET employ only a single cipher call and two hash-function calls. Hence, we expect POET to perform better than EME-based designs on medium- and low-end systems with few cores and no native AES instructions. Moreover, we illustrate in Appendix A that EME-based designs lose OPRP-CCA-security in the decryption-misuse setting, which disqualifies COPA and ELmE for the OTN application scenario. More generally, Datta and Nandi [16] showed recently that EME constructions with linear mixing cannot provide IND-CCA-security. Therefore, POET represents the first non-sequential OAE scheme with resistance against both nonce and decryption misuse.
Outline. The remainder of this work is structured as follows. Section 2 recalls the preliminary information about universal hash functions, online ciphers, and AE schemes that is necessary for this work. In Sect. 3, we propose the POE family of online ciphers and prove its security against chosen-plaintext and chosen-ciphertext attacks. Section 4 then introduces POET and provides a proof of its security against chosen-ciphertext attacks. Section 5 proposes three practical instantiations for POE and POET. Finally, we draw a conclusion in Sect. 6.
2 Preliminaries
Notions used throughout this paper:
\(N\): nonce (initial value)
\(M\): plaintext message
\(C\): ciphertext
\(K\): user-given secret key
\(|X|\): length of \(X\) in bits
\(n\): block length in bits
\(k\): key length in bits
\(X_i\): \(i\)-th block of a value \(X\)
\(X \,\|\, Y\): concatenation of two values \(X\) and \(Y\)
\(\mathcal{X}\): a set
\(X \xleftarrow{\$} \mathcal{X}\): \(X\) is a sample chosen uniformly at random from \(\mathcal{X}\)
2.1 Notions for Universal Hash Functions
Definition 1
Boesgaard et al. [10] showed that an \(\epsilon\)-AXU family of hash functions can be reduced to a family of \(\epsilon\)-AU hash functions by the following theorem:
Theorem 1
(Theorem 3 from [10]). Let \(m, n \ge 1\) be integers. Let \(\mathcal{H} = \lbrace H: \{0,1\}^{m} \rightarrow \{0,1\}^{n} \rbrace\) be a family of \(\epsilon\)-AXU hash functions. Then, the family \(\mathcal{H}' = \lbrace H': \{0,1\}^{m} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n} \rbrace\) with \(H'(X, Y) = H(X) \oplus Y\) is \(\epsilon\)-AU.
2.2 Notions for Online Ciphers
Block Ciphers. A block cipher is a keyed family of \(n\)-bit permutations \(E: \{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) which takes a \(k\)-bit key \(K\) and an \(n\)-bit message \(M\) and outputs an \(n\)-bit ciphertext \(C\). We define \(\mathtt{Block}(k, n)\) as the set of all \((k, n)\)-bit block ciphers for \(n > 0\). For any \(E \in \mathtt{Block}(k, n)\) and a fixed key \(K \in \{0,1\}^{k}\), the encryption of a message \(M\) is defined by \(E_{K}(M)\), and the decryption is defined as the inverse function \(E^{-1}_{K}\). For any key \(K \in \{0,1\}^{k}\), it holds that \(E^{-1}_K(E_K(M)) = M\).
Definition 2
(Online Cipher). Let \(k, n \ge 1\) be integers and let \(\varGamma: \{0,1\}^{k} \times \left(\{0,1\}^{n}\right)^* \rightarrow \left(\{0,1\}^{n}\right)^*\) be a keyed family of \(n\)-bit permutations which takes a \(k\)-bit key \(K\) and a message \(M\) of an arbitrary number of \(n\)-bit blocks, and outputs a ciphertext \(C\) consisting of the same number of \(n\)-bit blocks as \(M\). We call \(\varGamma\) an online cipher iff the encryption of message block \(M_i\), for all \(i \in [1, |M|/n]\), depends only on the blocks \(M_1, \ldots, M_i\).
A secure cipher should behave like a random permutation. It is easy to see that online ciphers cannot guarantee this property, since the encryption of message block \(M_i\) does not depend on \(M_{i+1}\). The online behavior implies that two messages \(M, M'\) that share an \(m\)-block common prefix are always encrypted to two ciphertexts \(C, C'\) that also share an \(m\)-block common prefix. Hence, an online cipher \(\varGamma\) is called secure iff no ciphertext reveals any more information about a plaintext than its length and its longest common prefix with previous messages. For a formal definition of the longest common prefix of two messages, we refer to [19].
Definition 3
Remark 1
For any two \(\ell\)-block inputs \(M, M'\), with \(M \ne M'\), that share an exactly \(m\)-block common prefix \(M_1 \,\|\, \ldots \,\|\, M_m\), the corresponding outputs \(C = P(M), C' = P(M')\) satisfy \(C_i = C'_i\) for all \(i \in [1, m]\) and \(m \le \ell\). However, it holds that \(C_{m+1} \ne C'_{m+1}\), and all further blocks \(C_i, C'_i\), with \(i \in [m+2, \ell]\), are likely to be different.
In the following, we denote by \(\mathsf{OPerm}_{n}\) the set of all \(n\)-bit online permutations. Furthermore, we denote by \(P \xleftarrow{\$} \mathsf{OPerm}_{n}\) that \(P\) is chosen as a random online permutation. Note that a random online permutation can be efficiently implemented by lazy sampling.
Online Authenticated Encryption Scheme (With Associated Data). An authenticated encryption scheme is a triple \(\varPi = (\mathcal{K}, \mathcal{E}, \mathcal{D})\). \(\mathcal{K}\) denotes a key-generation procedure that returns a randomly chosen key \(K\); the encryption algorithm \(\mathcal{E}_K(H, M)\) and its inverse decryption algorithm \(\mathcal{D}_K(H, C, T)\) are deterministic algorithms, where \(H\) denotes the header, \(M\) the message, \(T\) the authentication tag, and \(C\) the ciphertext, with \(H, M, C \in \left(\{0,1\}^{n}\right)^{*}\) and \(T \in \{0,1\}^{n}\). We define that the final header block is a nonce. \(\mathcal{E}\) always outputs a ciphertext \(C\), and \(\mathcal{D}\) outputs either the plaintext \(M\) that corresponds to \(C\), or \(\bot\) if the authentication tag \(T\) is invalid. Note that we call an authenticated encryption scheme \(\varPi = (\mathcal{K}, \mathcal{E}, \mathcal{D})\) online if \(\mathcal{E}\) is an online cipher and \(\mathcal{D}\) is its inverse operation.
3 The Online Cipher POE
This section introduces the POE family of online ciphers and shows that it is secure against chosen-plaintext and chosen-ciphertext attacks.
3.1 Definition of POE
Definition 4
3.2 Security Notions for Online Ciphers
The IND-SPRP-security of a block cipher \(E\) is defined by the success probability of an adversary \(\mathcal{A}\) in distinguishing the outputs of \(E, E^{-1}\) from those of an \(n\)-bit random permutation \(\pi\).
Definition 5
We borrow the OPRP-CCA notion from Bellare et al. [5, 6]. OPRP-CCA-security specifies the maximal advantage of an adversary \(\mathcal{A}\) with access to an encryption and a decryption oracle in distinguishing the outputs of an online cipher \(\varGamma\) under a randomly chosen key \(K\) from those of a random permutation.
Definition 6
Bellare and Namprempre showed in [7] that IND-CCA-security implies non-malleable chosen-ciphertext security (NM-CCA). Hence, OPRP-CCA implies weak non-malleability, i.e., an adversary that manipulates the \(i\)-th ciphertext block cannot distinguish the \((i+1)\)-th, \((i+2)\)-th, ... ciphertext blocks of \(\varGamma\) from random.
3.3 OPRP-CCA-Security of POE
Theorem 2
Proof
Let \(\mathcal{A}\) be an OPRP-CCA-adversary with access to an oracle \(\mathcal{O}\), which responds either with real encryptions/decryptions using \(\mathsf{POE}_{E_K, E_K^{-1}}\) or with a random online permutation \(P\), as given in Definition 6. \(\mathcal{A}\) collects its queries and the corresponding oracle responses as tuples \((M, C)\) in a query history \(\mathcal{Q}\). W.l.o.g., we assume that \(\mathcal{A}\) will not make queries to which it already knows the answer.
1. For any fresh \(X_i\), the result of \(\pi(X_i) \oplus F_{K_2}(Y_{i-1})\) will be random.
2. For any fresh \(Y_i\), the result of \(\pi^{-1}(Y_i) \oplus F_{K_1}(X_{i-1})\) will be random.
Case 2: \(\mathbf{NOCOLLWIN}\). Next, we regard the case that \(\mathcal{A}\) shall distinguish \((\mathsf{POE}_{\pi}, \mathsf{POE}^{-1}_{\pi^{-1}})\) from \((P(\cdot), P^{-1}(\cdot))\) when no internal collisions occur. Each pair of tuples \((M, C), (M', C') \in \mathcal{Q}\) shares a common prefix of \(0\) to \(\min(|M|, |M'|)/n\) blocks. W.l.o.g., say that the pair \(M, M' \in \mathcal{Q}\) shares an \(i\)-block common prefix, i.e., \(M_j = M'_j\) for all \(j \in [1, i]\), and \(M_{i+1} \ne M'_{i+1}\). In the following, we study the difference in the behavior of POE and \(P\) for three subcases: (2.1) the message blocks in the common prefix, \(M_1, \ldots, M_i\); (2.2) the \((i+1)\)-th block; and (2.3) the message blocks after the \((i+1)\)-th one.
Subcase 2.1: Common Prefix. Since an online permutation (OPERM) is deterministic, the input and output behaviors of \((\mathsf{POE}_{\pi}, \mathsf{POE}^{-1}_{\pi^{-1}})\) and \((P(\cdot), P^{-1}(\cdot))\) are identical for the common prefix. Hence, the advantage of \(\mathcal{A}\) in this subcase is 0.
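The chaining structure of Sect. 3 (an ECB layer wrapped by two chaining layers of \(\epsilon\)-AXU hash functions, with the block transitions \(\pi(X_i) \oplus F_{K_2}(Y_{i-1})\) and \(\pi^{-1}(Y_i) \oplus F_{K_1}(X_{i-1})\) that the proof above works with), as an added toy model in Python that is not the authors' code and not a POE implementation: the block cipher is a lazily sampled random permutation \(\pi\), exactly the replacement of \(E_K\) the proof makes, and \(F_{K_1}, F_{K_2}\) are lazily sampled random functions standing in for the hash family under a PRF assumption. The initial chaining values \(X_0 = Y_0 = \tau\), derived from the nonce by one cipher call, are an assumption of this example, as Definition 4 is not reproduced on this page. The model checks the online property of Definition 2 and Remark 1 (equal two-block plaintext prefixes give equal two-block ciphertext prefixes, and the third blocks differ) and the weak non-malleability of Sect. 3.2 in the decryption-misuse setting of Sect. 1: after one bit of \(C_3\) is flipped, the released decryption still contains \(M_1, M_2\) unchanged, while \(M_3\) onward bear no relation to the original plaintext.

```python
import random

BLOCK_BITS = 128


class LazyPermutation:
    """Random 128-bit permutation sampled lazily: the proof's pi in place of E_K."""
    def __init__(self, rng):
        self.rng, self.fwd, self.inv = rng, {}, {}

    def _fresh(self, used):
        v = self.rng.getrandbits(BLOCK_BITS)
        while v in used:                      # keep the sampled map a bijection
            v = self.rng.getrandbits(BLOCK_BITS)
        return v

    def apply(self, x):                       # pi(x)
        if x not in self.fwd:
            y = self._fresh(self.inv)
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x]

    def invert(self, y):                      # pi^{-1}(y)
        if y not in self.inv:
            x = self._fresh(self.fwd)
            self.fwd[x], self.inv[y] = y, x
        return self.inv[y]


class LazyFunction:
    """Random function sampled lazily: stands in for F_K under a PRF assumption."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(BLOCK_BITS)
        return self.table[x]


class ToyPOE:
    """Top chaining layer F_{K1}, ECB layer E_K, bottom chaining layer F_{K2} (toy model)."""
    def __init__(self, seed):
        rng = random.Random(seed)
        self.pi = LazyPermutation(rng)        # block cipher E_K
        self.f1 = LazyFunction(rng)           # F_{K1}
        self.f2 = LazyFunction(rng)           # F_{K2}

    def _initial(self, nonce):
        # Assumption of this example: X_0 = Y_0 = tau, one cipher call on the nonce.
        tau = self.pi.apply(nonce)
        return tau, tau

    def encrypt(self, nonce, blocks):
        x_prev, y_prev = self._initial(nonce)
        out = []
        for m in blocks:
            x = self.f1(x_prev) ^ m           # X_i = F_{K1}(X_{i-1}) xor M_i
            y = self.pi.apply(x)              # Y_i = E_K(X_i)
            out.append(y ^ self.f2(y_prev))   # C_i = Y_i xor F_{K2}(Y_{i-1})
            x_prev, y_prev = x, y
        return out

    def decrypt(self, nonce, blocks):
        x_prev, y_prev = self._initial(nonce)
        out = []
        for c in blocks:
            y = c ^ self.f2(y_prev)           # Y_i = C_i xor F_{K2}(Y_{i-1})
            x = self.pi.invert(y)             # X_i = E_K^{-1}(Y_i)
            out.append(x ^ self.f1(x_prev))   # M_i = X_i xor F_{K1}(X_{i-1})
            x_prev, y_prev = x, y
        return out


def common_prefix_len(a, b):
    """Number of leading blocks on which two block sequences agree."""
    return next((i for i, (u, v) in enumerate(zip(a, b)) if u != v), min(len(a), len(b)))


def demo(seed=2014):
    poe = ToyPOE(seed)
    rng = random.Random(seed + 1)             # constructed sample nonce and message
    nonce = rng.getrandbits(BLOCK_BITS)
    msg = [rng.getrandbits(BLOCK_BITS) for _ in range(5)]
    ct = poe.encrypt(nonce, msg)
    # Online property: same two-block plaintext prefix, differing third block.
    ct2 = poe.encrypt(nonce, msg[:2] + [m ^ 1 for m in msg[2:]])
    # Decryption misuse: flip one bit of C_3 and release the decryption anyway.
    forged = list(ct)
    forged[2] ^= 1 << 7
    released = poe.decrypt(nonce, forged)
    return {
        "roundtrip": poe.decrypt(nonce, ct) == msg,
        "ciphertext_prefix": common_prefix_len(ct, ct2),      # exactly 2
        "intact_prefix": common_prefix_len(released, msg),    # M_1, M_2 survive
        "tail_randomized": all(released[i] != msg[i] for i in range(2, 5)),
    }


if __name__ == "__main__":
    print(demo())
```

Flipping a bit in \(C_3\) changes \(Y_3\), so \(\pi^{-1}\) is asked for a value it has never seen and \(X_3\) is resampled uniformly; every later block inherits the disturbance through both chaining layers. With a real \(\epsilon\)-AXU family the same holds up to the \(\epsilon\) terms of Theorem 2, which is the property that lets a receiver act on a checksum inside the released plaintext.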
4 The Online AE Scheme POET
For McOE, Fleischmann et al. [19] showed that an OPRP-CCA-secure online cipher can easily be transformed into an online AEAD scheme that is resistant against nonce and decryption misuse. This section shows how to apply their approach to transform POE into a nonce-misuse-resistant AE scheme for messages whose lengths are a multiple of the block length.
4.1 Definition of POET
Definition 7
A schematic illustration of the encryption algorithm is given in Fig. 2.
Remark 2
POET uses the common 10*-padding for headers \(H\) whose length is not a multiple of \(n\). As a result, \(H\) consists of at least a single block, and the entire header can be seen as a nonce. For messages whose length is not a multiple of the block size, POET borrows the provably secure tag-splitting approach from McOE [19]. Therefore, it is sufficient to prove the OCCA3-security only for messages whose length is a multiple of the block size.
4.2 Security Notions for Online AE Schemes
We define an online authenticated encryption scheme \(\varPi\) to be OCCA3-secure iff it provides both OPRP-CPA and INT-CTXT security. Note that we explicitly regard nonce-ignoring adversaries, which are allowed to use a nonce multiple times, similar to the security notions of integrity for authenticated encryption schemes in [19]. In the next part, we briefly revisit the formal definitions of INT-CTXT and OCCA3.
Definition 8
Note that an OPRP-CPA-adversary \(\mathcal{A}\) on some encryption scheme \(\varGamma\) can always be used by an OPRP-CCA-adversary \(\mathcal{A}'\) on \(\varGamma\) that inherits the advantage of \(\mathcal{A}\). Conversely, an upper bound for the OPRP-CCA-advantage on \(\varGamma\) is always an upper bound for the OPRP-CPA-advantage on \(\varGamma\).
4.3 OCCA3-Security of POET
Theorem 3
Proof
The proof follows from Theorem 2 and the bound for the INT-CTXT-security of POET. Due to lack of space, we omit the proof for the latter in this version and refer the reader to Lemma 1 in the full version of this paper [2]. Since Theorem 2 yields an upper bound for the OPRP-CCA-advantage on POE, it also provides an upper bound for the OPRP-CPA-advantage on POET. However, \(\ell\) (the number of encrypted message and header blocks from Theorem 2) must be replaced by \(\ell + 2q\), since the tag-generation process of POET includes two additional block-cipher calls per query. \(\square\)
5 Key Derivation and Instantiations
5.1 Key Derivation
5.2 \(\epsilon\)-AXU Hash Functions
We recommend instantiating POE/POET with AES-128 as the block cipher. For the \(\epsilon\)-AXU families of hash functions \(F\), we propose three suitable instantiations in the following.
POE/POET with Full-Round AES. As a more conservative variant, we propose the full AES-128 for the family of hash functions. Under the common PRF assumption, i.e., assuming that AES is indistinguishable from a random 128-bit permutation, this construction yields \(\epsilon \approx 2^{-128}\).

For the third block-cipher call: \(K \cdot (K^2 + K M_1 + M_2) + M_3\).

For the fourth block-cipher call: \(K^2 \cdot (K^2 + K M_1 + M_2) + K M_3 + M_4\).
This approach increases the total number of multiplications but decreases the latency. Given \(c\) cores and \(c\) subsequent message blocks to process, this approach reduces the latency from \(c\) hash-function calls to \(O(\log c)\). This approach is used, e.g., in carry-lookahead adders, GCM [31], or CWC [27].
When using multiplications in \(GF(2^{128})\), one has to consider the risk of weak keys and forgery polynomials. At FSE'12, Saarinen [42] pointed out that, since \(2^{128} - 1\) is not prime and yields \(2^9\) smooth-order multiplicative groups, one can obtain with probability \(2^{-96}\) a weak key that allows a forgery to be constructed efficiently. Saarinen's observation was generalized by Procter and Cid at FSE'13 [39], who showed that an adversary can choose an arbitrary message as a polynomial \(q(x)\) with a preferably high degree and no repeated roots. Then, it can create two messages \(M, M'\) that collide with probability \(p = \frac{\#\text{roots of } q(x)}{2^{128}}\). As a result of their work, any key can be considered potentially weak. After FSE'14, Abdelraheem et al. [1] applied the observations of Procter and Cid to the version of POET that was submitted to the CAESAR competition, and showed that one could build forgeries for POET with Galois-field multiplication with success probability between \(2^{-96}\) and \(2^{-66}\). Therefore, we recommend using (round-reduced) AES for hashing in POET rather than a Galois-field multiplication.
6 Conclusion
This paper presented POE, the first family of online ciphers which is both non-sequential and provably OPRP-CCA-secure. Its design combines two layers of \(\epsilon\)-AXU hashing and a wrapped layer of ECB encryption.
Most online AE schemes have a significant latency, since they must buffer a would-be plaintext until the tag has been verified. The latency can be decreased significantly when the would-be plaintext is passed on beforehand; however, this approach raises security issues when applied to AE schemes that lack OPRP-CCA-security, i.e., an adversary could obtain partial control over the would-be plaintext, even when it includes additional checksums. On the other hand, previous OPRP-CCA-secure encryption schemes were inherently sequential. POE is well-suited for high-speed networks that require performant, low-latency encryption of large message frames, especially when classical authenticated decryption would increase latency significantly. Our application scenario targets optical transport networks (OTNs), but the latency imposed by authenticated decryption is an issue for other applications as well. In general, POE is an option for such applications.
We proposed three instantiations, where we recommended AES as the block cipher and either four-round AES, full AES, or a multiplication in \(GF(2^{128})\) as the \(\epsilon\)-AXU family of hash functions. Additionally, we presented POET, a state-of-the-art online authenticated encryption scheme, which inherits chosen-ciphertext security and pipelineability from POE. In conclusion, POET combines pipelineability with misuse resistance in a novel way, at the cost of only a single block-cipher call and two additional hash-function calls per message block.
Footnotes
1. For example, see the OpenSSL EVP_DecryptUpdate function [44].
2. As is nonce misuse: considering security under nonce misuse was a novelty a few years ago [40], but has become an established design goal nowadays.
3. We call an operation \(f\) pipelineable if it can be split into multiple parts \(f = f_2 \circ f_1\), s.t. \(f_1\) can process the \((i+1)\)-th input block before \(f_2\) has finished processing the \(i\)-th block.
4. Regarding the state before the CAESAR submission deadline. The research inspired by the CAESAR competition brought multiple further constructions that can be added to this list, including but not limited to COBRA, ELmD, or AEZ.
Acknowledgments
We thank all reviewers of FSE 2014 for their helpful comments, and Daniel J. Bernstein and Tetsu Iwata for fruitful discussions. Finally, we thank Jian Guo, Jérémy Jean, Thomas Peyrin, and Lei Wang, who pointed out a mismatch between the specified and the analyzed version of POET in the pre-proceedings version [20].
References
1. Abdelraheem, M.A., Bogdanov, A., Tischhauser, E.: Weak-key analysis of POET. Cryptology ePrint Archive, Report 2014/226 (2014). http://eprint.iacr.org/
2. Abed, F., Fluhrer, S., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: Pipelineable online encryption. Cryptology ePrint Archive, Report 2014/297 (2014). http://eprint.iacr.org/
3. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
4. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE(X): authenticated permutation-based encryption with extended security features. In: Directions in Authenticated Ciphers (2013)
5. Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001)
6. Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC constructions. J. Cryptol. 25(4), 640–679 (2012)
7. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
8. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004)
9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)
10. Boesgaard, M., Christensen, T., Zenner, E.: Badger: a fast and provably secure MAC. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 176–191. Springer, Heidelberg (2005)
11. Boldyreva, A., Taesombut, N.: Online encryption schemes: new security notions and constructions. In: Okamoto [35], pp. 1–14
12. Campbell, C.: Design and specification of cryptographic capabilities. In: Proceedings of the Conference on Computer Security and the Data Encryption Standard Held at the National Bureau of Standards in Gaithersburg, NBS Special Publication, Gaithersburg, Md., February 1978. U.S. National Bureau of Standards
13. Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
14. Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1–2), 85–104 (2009)
15. Datta, N., Nandi, M.: Misuse resistant parallel authenticated encryptions. Cryptology ePrint Archive, Report 2013/767 (2013). http://eprint.iacr.org/
16. Datta, N., Nandi, M.: Characterization of EME with linear mixing. Cryptology ePrint Archive, Report 2014/009 (2014). http://eprint.iacr.org/
17. Diffie, W., Hell 
man, M.E.: Privacy and authentication: an introduction to cryptography. Proc. IEEE 67, 397–427 (1979). (Invited Paper)
18. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
19. Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof online authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012)
20. Guo, J., Jean, J., Peyrin, T., Lei, W.: Breaking POET authentication with a single query. Cryptology ePrint Archive, Report 2014/197 (2014). http://eprint.iacr.org/
21. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)
22. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto [35], pp. 292–304
23. IEEE: IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. IEEE Std. 1619-2007, pp. c1–32 (2008)
24. ITU-T: Interfaces for the Optical Transport Network (OTN). Recommendation G.709/Y.1331, International Telecommunication Union, Geneva, December 2009
25. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)
26. Knudsen, L.R.: Block chaining modes of operation. In: Symmetric-Key Block-Cipher Modes of Operation Workshop, October 2000
27. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004)
28. Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011)
29. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
30. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)
31. McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004). http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcmspec.pdf
32. Nandi, M.: A simple security analysis of Hash-CBC and a new efficient one-key online cipher. Cryptology ePrint Archive, Report 2007/158 (2007). http://eprint.iacr.org/
33. Nandi, M.: Two new efficient CCA-secure online ciphers: MHCBC and MCBC. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 350–362. Springer, Heidelberg (2008)
34. US Department of Commerce: DES Modes of Operation. Technical report FIPS PUB 81, US Department of Commerce/National Bureau of Standards, December 1998
35. Okamoto, T. (ed.): CT-RSA 2004. LNCS, vol. 2964. Springer, Heidelberg (2004)
36. Postel, J.: User Datagram Protocol. RFC 768 (INTERNET STANDARD), August 1980
37. Postel, J.: Internet Protocol. RFC 791 (INTERNET STANDARD), September 1981. (Updated by RFCs 1349, 2474, 6864)
38. Postel, J.: Transmission Control Protocol. RFC 793 (INTERNET STANDARD), September 1981. (Updated by RFCs 1122, 3168, 6093, 6528)
39. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014)
40. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)
41. Rogaway, P., Zhang, H.: Online ciphers from tweakable blockciphers. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 237–249. Springer, Heidelberg (2011)
42. Saarinen, M.J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012)
43. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
44. Young, E.A., Hudson, T.J.: OpenSSL: the open source toolkit for SSL/TLS, September 2011. http://www.openssl.org/