Robust Authenticated-Encryption AEZ and the Problem That It Solves

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)


With a scheme for robust authenticated-encryption a user can select an arbitrary value \(\lambda \!\ge 0\) and then encrypt a plaintext of any length into a ciphertext that’s \(\lambda \) characters longer. The scheme must provide all the privacy and authenticity possible for the requested \(\lambda \). We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing rounds for blockcipher calls).


AEZ Authenticated encryption CAESAR competition Misuse resistance Modes of operation Nonce reuse Prove-then-prune Robust AE 


  1. 1.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. Cryptology ePrint report 2014/144, February 25, 2014Google Scholar
  2. 2.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: On the construction of variable-input-length ciphers. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 231–244. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Rogaway, P., Spies, T.: The FFX mode of operation for format-preserving encryption. Draft 1.1. Submission to NIST, February 20, 2010Google Scholar
  7. 7.
    Bernstein, D.: Cryptographic competitions: CAESAR call for submissions, final, January 27, 2014.
  8. 8.
    Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  9. 9.
    Black, J.A., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  10. 10.
    Boldyreva, A., Degabriele, J., Paterson, K., Stam, M.: On symmetric encryption with distinguishable decryption failures. Cryptology ePrint Report 2013/433 (2013)Google Scholar
  11. 11.
    Chakraborty, D., Nandi, M.: An improved security bound for HCTR. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 289–302. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  12. 12.
    Chakraborty, D., Sarkar, P.: HCH: A new tweakable enciphering scheme using the hash-encrypt-hash approach. IEEE Transactions on Information Theory 54(4), 1683–1699 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    Chakraborty, D., Sarkar, P.: A new mode of encryption providing a tweakable strong pseudo-random permutation. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 293–309. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  14. 14.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, Heidelberg (2002) CrossRefGoogle Scholar
  15. 15.
    Daemen, J., Rijmen, V.: A new MAC construction ALRED and a specific instance ALPHA-MAC. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 1–17. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  16. 16.
    Daemen, J., Rijmen, V.: The Pelican MAC function. Cryptology ePrint report 2005/088 (2005)Google Scholar
  17. 17.
    Dworkin, M.: Recommendation for block cipher modes of operation: methods for format-preserving encryption. NIST Special Publication 800–38G: Draft, July 2013Google Scholar
  18. 18.
    Ferguson, N.: Authentication weaknesses in GCM. Manuscript, May 20, 2005Google Scholar
  19. 19.
    Fisher, R., Yates, F.: Statistical tables for biological, agricultural and medical research. Oliver & Boyd, London (1938)zbMATHGoogle Scholar
  20. 20.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  21. 21.
    Fouque, P., Joux, A., Martinet, G., Valette, F.: Authenticated on-line encryption. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 145–159. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  22. 22.
    Halevi, S.: EME*: extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  23. 23.
    Halevi, S.: Invertible universal hashing and the TET encryption mode. Cryptology ePrint report 2007/014Google Scholar
  24. 24.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  25. 25.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  26. 26.
    Hoang, V.T., Krovetz, T., Rogaway, P.: AEZ v3: authenticated encryption by enciphering. CAESAR submission (2014)Google Scholar
  27. 27.
    Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  28. 28.
    Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption: AEZ and the problem that it solves. Cryptology ePrint report 2014/793, January 2015 (Full version of this paper)Google Scholar
  29. 29.
    IEEE. 1619.2-2010 - IEEE standard for wide-block encryption for shared storage media. IEEE press (2010)Google Scholar
  30. 30.
    Kaliski Jr., B.S., Rivest, R.L., Sherman, A.T.: Is DES a Pure Cipher? (Results of more cycling experiments on DES). In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 212–226. Springer, Heidelberg (1986) Google Scholar
  31. 31.
    Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for two-round Advanced Encryption Standard. IET Information Security 1(2), 53–57 (2007)CrossRefGoogle Scholar
  32. 32.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  33. 33.
    Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  34. 34.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  35. 35.
    McGrew, D.A., Fluhrer, S.R.: The security of the extended codebook (XCB) mode of operation. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 311–327. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  36. 36.
    Minematsu, K.: Parallelizable rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  37. 37.
    Minematsu, K., Tsunoo, Y.: Provably secure MACs from differentially-uniform permutations and AES-based implementations. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 226–241. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  38. 38.
    Nandi, M.: Improving upon HCTR and matching attacks for Hash-Counter-Hash approach. Cryptology ePrint report 2008/090, February 28, 2008Google Scholar
  39. 39.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12(1), 29–66 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  40. 40.
    Naor, M., Reingold, O.: The NR mode of operation. Undated manuscript realizing the mechanism of [39]Google Scholar
  41. 41.
    Patarin, J.: Generic attacks on feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  42. 42.
    Patel, S., Ramzan, Z., Sundaram, G.S.: Efficient constructions of variable-input-length block ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 326–340. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  43. 43.
    Patarin, J.: Security of balanced and unbalanced Feistel schemes with linear non equalities. Cryptology ePrint report 2010/293, May 2010Google Scholar
  44. 44.
    Patarin, J.: Security of random feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  45. 45.
    Patarin, J., Gittins, B., Treger, J.: Increasing block sizes using feistel networks: the example of the AES. In: Naccache, D. (ed.) Cryphtography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 67–82. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  46. 46.
    Percival, C.: Stronger key derivation via sequential memory-hard functions. The BSD Conference (BSDCan), May 2009Google Scholar
  47. 47.
    Reyhanitabar, R., Vizár, D.: Careful with misuse resistance of online AEAD. Unpublished manuscript distributed on the crypto-competitions mailing list. August 24, 2014Google Scholar
  48. 48.
    Rogaway, P.: Authenticated-encryption with associated-data. In: ACM CCS 2002, pp. 98–107. ACM Press (2002)Google Scholar
  49. 49.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  50. 50.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: ACM CCS, pp. 196–205 (2001)Google Scholar
  51. 51.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  52. 52.
    Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. Cryptology ePrint report 2008/004Google Scholar
  53. 53.
    Sarkar, P.: Improving upon the TET mode of operation. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 180–192. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  54. 54.
    Sarkar, P.: Tweakable enciphering schemes using only the encryption function of a block cipher. Cryptology ePrint report 2009/216Google Scholar
  55. 55.
    Schroeppel, R.: Hasty Pudding Cipher Specification. AES candidate submitted to NIST, June 1998. (revised May 1999)
  56. 56.
    Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  57. 57.
    Simplício, M., Barbuda, P., Barreto, P., Carvalho, T., Margi, C.: The MARVIN message authentication code and the LETTERSOUP authenticated encryption scheme. Security and Communications Networks 2(2), 165–180 (2009)CrossRefGoogle Scholar
  58. 58.
    Struik, R.: AEAD ciphers for highly constrained networks. DIAC 2013 presentation, August 13, 2013Google Scholar
  59. 59.
    Wang, P., Feng, D., Lin, C., Wu, W.: Security of truncated MACs. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 96–114. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  60. 60.
    Wang, P., Feng, D., Wu, W.: HCTR: a variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  61. 61.
    Yao, F., Yin, Y.L.: Design and analysis of password-based key derivation functions. IEEE Trans. on Information Theory 51(9), 3292–3297 (2005)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of MarylandCollege ParkUSA
  2. 2.Department of Computer ScienceGeorgetown UniversityWashington DCUSA
  3. 3.Department of Computer ScienceCalifornia State UniversitySacramentoUSA
  4. 4.Department of Computer ScienceUniversity of CaliforniaDavisUSA

Personalised recommendations