The State of the Authenticated Encryption

Vizár, Damian

doi:10.1515/tmmp-2016-0038

Abstract

Ensuring confidentiality and integrity of communication remains among the most important goals of cryptography. The notion of authenticated encryption marries these two security goals in a single symmetric-key, cryptographic primitive. A lot of effort has been invested in authenticated encryption during the fifteen years of its existence. The recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) has boosted the research activity in this area even more. As a result, the area of authenticated encryption boasts numerous results, both theoretically and practically oriented, and perhaps even greater number of constructions of authenticated encryption schemes.

We explore the current landscape of results on authenticated encryption. We review the CEASAR competition and its candidates, the most popular construction principles, and various design goals for authenticated encryption, many of which appeared during the CAESAR competition. We also take a closer look at the candidate Offset Merkle-Damgård (OMD).

References

[1] Crypto-competitions google group, https://groups.google.com/forum/#!topic/crypto-competitions/upaRX2jdVCQ
Search in Google Scholar Back to article
[2] Cryptographic competitions: CAESAR submissions, http://competitions.cr.yp.to/caesar-submissions.html
Search in Google Scholar Back to article
[3] Secure hash standard,http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
Search in Google Scholar Back to article
[4] ABED, F.—FLUHRER, S.—FOLEY, J.—FORLER, C.—LIST, E.—LUCKS, S.–MCGREW, D.—WENZEL, J.: Poet,https://competitions.cr.yp.to/round2/poetv20.pdf
Search in Google Scholar Back to article
[5] ABED, F.—FORLER, C.—LIST, E.—LUCKS, S.—WENZEL, J.: Don’t panic! The cryptographer’s guide to robust (on-line) encryption: draft, https://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Drafts/nonce-misuse-oae.pdf
Search in Google Scholar Back to article
[6] ABED, F.—FORLER, C.—LUCKS, S.: General overview of the authenticated schemes for the first round of the CAESAR competition, IACR Cryptology ePrint Archive 2014, http://eprint.iacr.org/2014/792
Search in Google Scholar Back to article
[7] ABED, F.—KÖLBL, S.—LAURIDSEN, M. M.—RECHBERGER, C.—TIESSEN, T.: Authenticated encryption Zoo, https://aezoo.compute.dtu.dk/
Search in Google Scholar Back to article
[8] ANDREEVA, E.—BILGIN, B.—BOGDANOV, A.—LUYKX, A.—MENDEL, F.–MENNINK, B.—MOUHA, N.—WANG, Q.—YASUDA, K.: Primates,https://competitions.cr.yp.to/round2/primatesv102.pdf
Search in Google Scholar Back to article
[9] ANDREEVA, E.—BOGDANOV, A.—LUYKX, A.—MENNINK, B.—MOUHA, N.–YASUDA, K.: How to securely release unverified Plaintext in authenticated encryption, in: Advances in Cryptology—ASIACRYPT ’14 (P. Sarkar, T. Iwata, eds.), 20th Internat. Conf. on the Theory and Appl. of Cryptology and Inform. Security Kaoshiung, Taiwan, 2014, Lecture Notes in Comput. Sci., Vol. 8873, Springer, Berlin, 2014, pp. 105–125.
Search in Google Scholar Back to article
[10] ANDREEVA, E.–BOGDANOV, A.–LUYKX, A.–MENNINK, B.–TISCHHAUSER, E.–YASUDA, K.: Aes-copa.https://competitions.cr.yp.to/round2/aescopav2.pdf
Search in Google Scholar Back to article
[11] ANDREEVA, E.–BOGDANOV, A.–LUYKX, A.–MENNINK, B.–TISCHHAUSER, E.–YASUDA, K.: Parallelizable and authenticated online ciphers. in: Advances in Cryptology—ASIACRYPT ’13, 19th Internat. Conf. on the Theory and Appl. of Cryptology and Inform. Security, Bengaluru, India, 2013, Lecture Notes in Comput. Sci., Vol. 8269, Springer, Berlin, 2013, pp. 424–443.
Search in Google Scholar Back to article
[12] AUMASSON, J. P.—JOVANOVIC, P.—NEVES, S.: Norx,https://competitions.cr.yp.to/round2/norxv20.pdf
Search in Google Scholar Back to article
[13] BELLARE, M.—DESAI, A.—JOKIPII, E.—ROGAWAY, P.: A concrete security treatment of symmetric encryption, in: 54th Annual Symp. on Found. of Comput. Sci.–FOCS ’97, Miami Beach, FL, 1997, IEEE Comput. Soc., 1997, pp. 394–403.
Search in Google Scholar Back to article
[14] BELLARE, M.—KILIAN, J.—ROGAWAY, P.: The security of the cipher block chaining message authentication code, J. Comput. Syst. Sci. 61 (2000), 362–399.10.1006/jcss.1999.1694
Search in Google Scholar Back to article
[15] BELLARE, M.—NAMPREMPRE, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm, in: Advances in Cryptology–ASIACRYPT ’00 (T. Okamoto, ed.), 6th Internat. Conf. on the Theory and Appl. of Cryptology and Inform. Security, Kyoto, Japan, Lecture Notes in Comput. Sci., Vol. 1976, Springer, Berlin, 2000, pp. 531–545.
Search in Google Scholar Back to article
[16] BELLARE, M.—ROGAWAY, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography, in: Advances in Cryptology—ASIACRYPT ’00 (T. Okamoto, ed.), 6th Internat. Conf. on the Theory and Appl. of Cryptology and Inform. Security, Kyoto, Japan, Lecture Notes in Comput. Sci., Vol. 1976, Springer, Berlin, 2000, pp. 317–330.
Search in Google Scholar Back to article
[17] BERNSTEIN, D. J.: Cryptographic competitions: CAESAR, http://competitions.cr.yp.to
Search in Google Scholar Back to article
[18] BERNSTEIN, D. J.: Cryptographic competitions: Disasters, https://competitions.cr.yp.to/disasters.html
Search in Google Scholar Back to article
[19] BERNSTEIN, D. J.: Cryptographic competitions: Features of various secret-key primitives,https://competitions.cr.yp.to/features.html
Search in Google Scholar Back to article
[20] BERTONI, G.—DAEMEN, J.—PEETERS, M.—ASSCHE, G. V.—KEER, R. V.: Ketje,https://competitions.cr.yp.to/round1/ketjev11.pdf
Search in Google Scholar Back to article
[21] BERTONI, G.—DAEMEN, J.—PEETERS, M.—ASSCHE, G. V.—KEER, R. V.: Keyak,https://competitions.cr.yp.to/round2/keyakv2.pdf
Search in Google Scholar Back to article
[22] BIRYUKOV, A.—KHOVRATOVICH, D.: Paeq,https://competitions.cr.yp.to/round1/paeqv1.pdf
Search in Google Scholar Back to article
[23] BOGDANOV, A.—LAURIDSEN, M. M.—TISCHHAUSER, E.: Aes-based authenticated encryption modes in parallel high-performance software, DIAC presentation, 2014.10.1007/978-3-662-43933-3_23
Search in Google Scholar Back to article
[24] BOLDYREVA, A.—DEGABRIELE, J. P.—PATERSON, K. G.—STAM, M.: Security of symmetric encryption in the presence of ciphertext fragmentation, in: Advances in Cryptology—EUROCRYPT ’12, 31st Annual Internat. Conf. on the Theory and Appl. of Cryptographic Techniques, Cambridge, UK, 2012, Lecture Notes in Comput. Sci., Vol. 7237, Springer, Berlin, 2012, pp. 682–699.
Search in Google Scholar Back to article
[25] CHAKRABORTI, A.—NANDI, M.: Trivia-ck,https://competitions.cr.yp.to/round2/triviackv2.pdf
Search in Google Scholar Back to article
[26] COGLIANI, S.—MAIMUT, D.—NACCACHE, D.—DO CANTO, R. P.—REYHANITABAR, R.—VAUDENAY, S.—VIZÁR, D.: OMD: a compression function mode of operation for authenticated encryption, in: Selected Areas in Cryptography—SAC ’14, 21st Internat. Conf., Montreal, QC, Canada, 2014 (A. Joux, A. Youssef, eds.), Lecture Notes in Comput. Sci., Vol. 8781, Springer, Berlin, 2014, pp. 112–128.
Search in Google Scholar Back to article
[27] COGLIANI, S.—ŞTEFANIA MAIMUŢ, D.—NACCACHE, D.—DO CANTO, R. P.–REYHANITABAR, R.—VAUDENAY, S.—VIZÁR, D.: Offset Merkle-Damgård,https://competitions.cr.yp.to/round2/omdv20.pdf
Search in Google Scholar Back to article
[28] DATTA, N.—NANDI, M.: Elmd,https://competitions.cr.yp.to/round2/elmdv20.pdf
Search in Google Scholar Back to article
[29] DOBRAUNIG, C.—EICHLSEDER, M.—MENDEL, F.: Forgery attacks on round-reduced icepole-128, Cryptology ePrint Archive, Report 2015/392, http://eprint.iacr.org/10.1007/978-3-319-31301-6_27
Search in Google Scholar Back to article
[30] DOBRAUNIG, C.—EICHLSEDER, M.—MENDEL, F.—SCHLAFFER, M.: Ascon,https://competitions.cr.yp.to/round2/asconv11.pdf
Search in Google Scholar Back to article
[31] DWORKIN, M.: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. NIST Special Publication 800-38C, Gaithersburg, 2004.10.6028/NIST.SP.800-38b-2005
Search in Google Scholar Back to article
[32] FERGUSON, N.: Authentication weaknesses in gcm, Comments submitted to NIST Modes of Operation Process, 2005.
Search in Google Scholar Back to article
[33] FISCHLIN, M.—GÜNTHER, F.—MARSON, G. A.—PATERSON, K. G.: Data is a stream: Security of stream-based channels, in: Advances in Cryptology—CRYPTO ’15 (R. Gennaro, M. Robshaw, eds.), 35th Annual Cryptology Conf., Santa Barbara, CA, 2015, Lecture Notes in Comput. Sci., Vol. 9216, Springer, Berlin, 2015, pp. 545–564.
Search in Google Scholar Back to article
[34] FLEISCHMANN, E.—FORLER, C.—LUCKS, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes, in: Fast Software Encryption—FSE ’12, 19th Internat. Workshop, Washington, DC, USA (A. Canteaut, ed.), Lecture Notes in Comput. Sci., Vol. 7549, Springer, Berlin, 2012, pp. 196–215.
Search in Google Scholar Back to article
[35] GLIGOROSKI, D. – MIHAJLOSKA, H. – SAMARDJISKA, S. – JACOBSEN, H. – EL-HADEDY, M.–JENSEN, R.E.–OTTE, D.: π-cipher,https://competitions.cr.yp.to/round2/picipherv20.pdf
Search in Google Scholar Back to article
[36] GROSSO, V. – LEURENT, G. – STANDAERT, F. X. – VARICI, K. – JOURNAULT, A. – DURVAUX, F. – GASPAR, L. – KERCKHOF, S.: Scream,https://competitions.cr.yp.to/round2/screamv3.pdf
Search in Google Scholar Back to article
[37] GUO, J.: Marble specification version 1.0., DIAC presentation, 2014.
Search in Google Scholar Back to article
[38] HALEVI, S.—ROGAWAY, P.: A parallelizable enciphering mode, in: Topics in Cryptology—CT-RSA ’04 (T. Okamoto, ed.), The Cryptographers’ Track at the RSA Conf., San Francisco, CA, USA, 2004, Lecture Notes in Comput. Sci., Vol. 2964, Springer, Berlin, 2004, pp. 292–304.
Search in Google Scholar Back to article
[39] HOANG, V. T.—KROVETZ, T.—ROGAWAY, P.: Aez,https://competitions.cr.yp.to/round2/aezv4.pdf
Search in Google Scholar Back to article
[40] HOANG, V. T.—KROVETZ, T.—ROGAWAY, P.: Robust authenticated-encryption AEZ and the problem that it solves, in: Advances in Cryptology—EUROCRYPT ’15 (E. Oswald et al., eds.), 34th Ann. Internat. Conf. on the Theory and Appl. of Cryptographic Tech., Sofia, Bulgaria, 2015, Lecture Notes in Comput. Sci., Vol. 9056, Springer, Berlin, 2015, pp. 15–44.
Search in Google Scholar Back to article
[41] HOANG, V. T.—REYHANITABAR, R.—ROGAWAY, P.—VIZÁR, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance, in: Advances in Cryptology–CRYPTO ’15 (R. Gennaro, M. Robshaw, eds.), 35th Ann. Cryptology Conf., Santa Barbara, CA, USA, 2015, Lecture Notes in Comput. Sci., Vol. 9215, Springer, Berlin, 2015, pp. 493–517.
Search in Google Scholar Back to article
[42] IWATA, T.—MINEMATSU, K.—GUO, J.—MORIOKA, S.—KOBAYASHI, E.: Cloc and silc,https://competitions.cr.yp.to/round2/silcv2.pdf
Search in Google Scholar Back to article
[43] JEAN, J.—NIKOLIC, I.—PEYRIN, T.: Tweaks and keys for block ciphers: The TWEAKEY framework, in: Advances in Cryptology—ASIACRYPT ’14 (P. Sarkar et al., eds.), 20th Internat. Conf. on the Theory and Appl. of Cryptology and Inform. Security, Kaoshiung, Taiwan, R.O.C., 2014, Lecture Notes in Comput. Sci., Vol. 8874, Springer, Berlin, 2014, pp. 274–288.
Search in Google Scholar Back to article
[44] JEAN, J.—NIKOLIĆ, I.—PEYRIN, T.: Deoxys,https://competitions.cr.yp.to/round2/deoxysv13.pdf
Search in Google Scholar Back to article
[45] JEAN, J.—NIKOLIĆ, I.—PEYRIN, T.: Joltik,https://competitions.cr.yp.to/round2/joltikv13.pdf
Search in Google Scholar Back to article
[46] KATZ, J.—YUNG, M.: Unforgeable encryption and chosen ciphertext secure modes of operation, in: Fast Software Encryption—FSE ’00 (Schneier, B. ed.), 7th Internat. Workshop—FSE ’00, New York, NY, USA, 2000, Lecture Notes in Comput. Sci., Vol. 1978, Springer, Berlin, 2001, pp. 284–299.
Search in Google Scholar Back to article
[47] KROVETZ, T.: Hs1-siv,https://competitions.cr.yp.to/round2/hs1sivv2.pdf
Search in Google Scholar Back to article
[48] KROVETZ, T.—ROGAWAY, P.: Ocb,https://competitions.cr.yp.to/round1/ocbv1.pdf
Search in Google Scholar Back to article
[49] LEURENT, G.: Aez bbb, Rump session talk at Eurocrypt ’15.
Search in Google Scholar Back to article
[50] LISKOV, M.—RIVEST, R. L.—WAGNER, D.: Tweakable block ciphers, in: Advances in Cryptology—CRYPTO ’02 (M. Yung, ed.), 22nd Ann. Internat. Cryptology Conf., Santa Barbara, CA, USA, 2002, Lecture Notes in Comput. Sci., Vol. 2442, Springer, Berlin, 2002, pp. 31–46.
Search in Google Scholar Back to article
[51] MCGREW, D. A.—VIEGA, J.: The security and performance of the galois/counter mode (GCM) of operation, in: Progress in Cryptology—INDOCRYPT ’04 (A. Canteaut et al., eds.), 5th Internat. Conf. on Cryptology in India, Chennai, India, 2004, Lecture Notes in Comput. Sci., Vol. 3348, Springer, Berlin, 2004, pp. 343–355.
Search in Google Scholar Back to article
[52] MENNINK, B.—REYHANITABAR, R.—VIZÁR, D.: Security of full-state keyed Sponge and Duplex: applications to authenticated encryption, in: Adv. in Cryptology—ASIACRYPT ’15 (T. Iwata et al., eds.), 21st Internat. Conf. on the Theory and Appl. of Cryptology and Inform. Security, Auckland, New Zealand, 2015, Lecture Notes in Comput. Sci., Vol. 9453, Springer, Berlin, 2015, pp. 465–489.
Search in Google Scholar Back to article
[53] MINEMATSU, K.: Aes-otr,https://competitions.cr.yp.to/round2/aesotrv2.pdf
Search in Google Scholar Back to article
[54] MORAWIECKI, P.—GAJ, K.—HOMSIRIKAMOL, E.—MATUSIEWICZ, K.—PIEPRZYK, J.—ROGAWSKI, M.—SREBRNY, M.—WÓJCIK, M.: Icepole,https://competitions.cr.yp.to/round2/icepolev2.pdf
Search in Google Scholar Back to article
[55] NAMPREMPRE, C.—ROGAWAY, P.—SHRIMPTON, T.: AE5 security notions: definitions implicit in the CAESAR call, IACR Cryptology ePrint Archive, 2013, 242.
Search in Google Scholar Back to article
[56] NANDI, M.: On the minimum number of multiplications necessary for universal hash functions, in: Fast Software Encryption—FSE ’14, 21st Internat. Workshop, London, UK, 2014, Lecture Notes in Comput. Sci., Vol. 8540, Springer, Berlin, 2015, pp. 489–508.
Search in Google Scholar Back to article
[57] NIKOLIĆ, I.: Tiaoxin,https://competitions.cr.yp.to/round2/tiaoxinv2.pdf
Search in Google Scholar Back to article
[58] NIWA, Y.—OHASHI, K.—MINEMATSU, K.—IWATA, T.: GCM security bounds reconsidered. in: Fast Software Encryption—FSE ’15 (G. Leander, G. ed.), 22nd Internat. Workshop, Istanbul, Turkey, 2015, Lecture Notes in Comput. Sci., Vol. 9054, Springer, Berlin, 2015, pp. 385–407.
Search in Google Scholar Back to article
[59] REYHANITABAR, R.: OMD version 2: a tweak for the 2nd round, crypto-competitions mailing list, August 27, 2015.
Search in Google Scholar Back to article
[60] REYHANITABAR, R.—VAUDENAY, S.—VIZÁR, D.: Misuse-resistant variants of the OMD authenticated encryption mode, in: Provable Security—ProvSec ’14 (S.S.M. Chow et al., eds.), 8th Internat. Conf., Hong Kong, China, 2014, Lecture Notes in Comput. Sci., Vol. 8782, Springer, Berlin, 2014, pp. 55–70.
Search in Google Scholar Back to article
[61] REYHANITABAR, R.—VAUDENAY, S.—VIZÁR, D.: Boosting OMD for almost free authentication of associated data, in: Fast Software Encryption—FSE ’15 (G. Leander, ed.), 22nd Internat. Workshop, Istanbul, Turkey, 2015, Lecture Notes in Comput. Sci., Vol. 9054, Springer, Berlin, 2015, pp. 411–427.
Search in Google Scholar Back to article
[62] REYHANITABAR, R.—VAUDENAY, S.—VIZÁR, D.: Authenticated encryption with variable stretch, Cryptology ePrint Archive, Report 2016/463, http://eprint.iacr.org/10.1007/978-3-662-53887-6_15
Search in Google Scholar Back to article
[63] RISTENPART, T.—ROGAWAY, P.: How to enrich the message space of a cipher, in: Fast Software Encryption—FSE ’07, 14th Internat. Workshop, Luxembourg, 2007, Lecture Notes in Comput. Sci., Vol. 4593, Springer, Berlin, 2007, pp. 101–118.
Search in Google Scholar Back to article
[64] ROGAWAY, P.: Authenticated-encryption with associated-data, in: Proc. of the 9th ACM Conf. on Computer and Comm. Security ACM—CCS ’02, Washington, DC, USA, 2002, ACM New York, NY, USA, 2002, pp. 98–107.10.1145/586110.586125
Search in Google Scholar Back to article
[65] ROGAWAY, P.—BELLARE, M.—BLACK, J.—KROVETZ, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption, in: Proc. of the 8th ACM Conf. on Computer and Comm. Security ACM—CCS ’01, ACM New York, NY, USA, 2001, pp. 196–205.10.1145/501983.502011
Search in Google Scholar Back to article
[66] ROGAWAY, P.—SHRIMPTON, T.: A provable-security treatment of the key-wrap problem, in: Advances in Cryptology—EUROCRYPT ’06 (S. Vaudenay, ed.), 25th Ann. Internat. Conf. on the Theory and Appl. of Cryptographic Tech., St. Petersburg, Russia, 2006, Lecture Notes in Comput. Sci., Vol. 4004, Springer, Berlin, 2006, pp. 373–390.
Search in Google Scholar Back to article
[67] SAARINEN, M. J. O.—BRUMLEY, B. B.: Stribob,https://competitions.cr.yp.to/round2/stribobr2.pdf
Search in Google Scholar Back to article
[68] SAARINEN, M. O.: Cycling attacks on gcm, GHASH and other polynomial macs and hashes, in: Fast Software Encryption—FSE ’12 (A. Canteau, ed.), 19th Internat. Workshop, Washington, DC, USA, 2012, Lecture Notes in Comput. Sci., Vol. 7549, Springer, Berlin, 2012, pp. 216–225.
Search in Google Scholar Back to article
[69] SASAKI, Y.–TODO, Y.–AOKI, K.–NAITO, Y.–SUGAWARA, T.–MURAKAMI, Y.–MATSUI, M. – HIROSE, S.: Minalpher,https://competitions.cr.yp.to/round2/minalpherv11.pdf
Search in Google Scholar Back to article
[70] VAUDENAY, S.: Security flaws induced by CBC padding – applications to SSL, IPSEC, WTLS ... in: Advances in Cryptology—EUROCRYPT ’02 (L. R. Knudsen, ed.), 21st Internat. Conf. on the Theory and Appl. of Cryptographic Tech., Amsterdam, Netherlands, 2002, Lecture Notes in Comput. Sci., Vol. 2332, Springer, Berlin, 2002, pp. 534–546.
Search in Google Scholar Back to article
[71] WANG, L.: Shell,https://competitions.cr.yp.to/round2/shellv20.pdf
Search in Google Scholar Back to article
[72] WHITING, D.—HOUSLEY, R.—FERGUSON, N.: Counter with CBC-MAC (CCM). IETF RFC 3610 (Inform.), Sep. 2003, http://www.ietf.org/rfc/rfc3610.txt10.17487/rfc3610
Search in Google Scholar Back to article
[73] WU, H.: Acorn,https://competitions.cr.yp.to/round2/acornv2.pdf
Search in Google Scholar Back to article
[74] WU, H.—HUANG, T.: Aes-jambu,https://competitions.cr.yp.to/round2/aesjambuv2.pdf
Search in Google Scholar Back to article
[75] WU, H.—HUANG, T.: Morus,https://competitions.cr.yp.to/round2/morusv11.pdf
Search in Google Scholar Back to article
[76] WU, H.—PRENEEL, B.: Aegis,https://competitions.cr.yp.to/round1/aegisv1.pdf
Search in Google Scholar Back to article

The State of the Authenticated Encryption

Abstract

Paradigm

My account