
1 Introduction

Authenticated Encryption (AE) schemes (such as EAX [8], GCM [31], OCB [28], etc.) perform an authentication check on the entire ciphertext before they output a decrypted message. This practice is inherent in the idea of authenticated encryption and part of its strength. However, it is incompatible with settings that pose demanding performance requirements (e.g., high speed, low latency, long messages).

One example of such a setting is Optical Transport Networks (OTNs) [24], in which the links between multiple network channels must be capable of transmitting, multiplexing, and switching between immense data streams in a fast and secure manner. OTNs are characterized by high throughput rates of up to 100 Gbps, low latencies in the order of a few clock cycles, and large message frames of up to 64 kB. At that size, a mode of operation of a 128-bit block cipher would require over 4,096 clock cycles to complete a decryption, which exceeds the allowed latency in OTN systems by far.

In such uses of AE, implementations have to pass along (part of) a decrypted message before validating its authenticity; if the message later turns out to be invalid, this fact will be discovered and reported, but only after some information has been leaked. The literature calls this practice decryption misuse [19], and describes severe vulnerabilities for conventional AE schemes. A chosen-ciphertext adversary can exploit it to determine unknown plaintexts, or to introduce forged message fragments that may get passed to the application and are processed before the authentication check is completed. As a consequence, common existing AE schemes are not well suited to this environment. To overcome this issue, this work considers authenticated encryption schemes that provide robustness against decryption misuse through on-line chosen-ciphertext security (OPRP-CCA) [5].

Implementations of AE schemes that allow decryption misuse abound, even when latency is not a consideration. For example, many software libraries provide access to encryption and decryption operations through a stream-oriented interface that consists of functions for initialization, updating, and finalization. In these interfaces the decrypt-update function can be called multiple times. Every invocation of this function performs decryption misuse, because it releases the would-be plaintext before completing the authentication check. This type of interface is incompatible with existing authenticated encryption schemes. But its use is widespread, well-established and will not easily go away.

Decryption-Misuse Resistance. An encryption scheme is called non-malleable if any change to a ciphertext causes its entire post-decryption plaintext to be pseudorandom [18]. We call such a scheme decryption-misuse-resistant since the decryption of manipulated ciphertext results in uncontrollable random noise. Unfortunately, non-malleability and on-line encryption are mutually exclusive: if an adversary manipulates the \(i\)-th block of a ciphertext, an on-line encryption scheme leaves the previous \((i-1)\) blocks unchanged. But OPRP-CCA-security is the strongest form of non-malleability and decryption-misuse resistance an on-line cipher can provide: if an adversary manipulates the \(i\)-th block, all plaintext blocks starting from the \(i\)-th one will become pseudorandom.

The concept of decryption-misuse-resistant AE schemes is controversial. During the Dagstuhl Seminar on Symmetric Cryptography in January 2014 some researchers were worried about the risk of advertising decryption-misuse resistance as a feature for AE schemes since it could invite application programmers to improperly implement authenticated decryption. Of course, misuse must be avoided where possible, e.g., by user education. Nevertheless, decryption misuse is common in practice, as our example of OTNs illustrates. The choice for the cryptographer is to either deal with decryption misuse, or to abandon AE completely.

Support for Intermediate Tags. Beyond limiting the harm of decryption misuse, OPRP-CCA-secure on-line ciphers allow another desirable feature: intermediate tags [9] allow the receiver to detect early if parts of a decrypted message are invalid, which is handy when authenticating large messages. They can be integrated easily into an OPRP-CCA-secure on-line cipher by adding some form of well-formed redundancy (e.g., fixed constants or non-cryptographic checksums) to the plaintexts. For example, the headers of IP, TCP, or UDP [36–38] packets already contain a 16-bit checksum each, which is verified by the receiver and/or network routers. In OTNs, a single 64-kB message frame consists of multiple IP packets. Due to the low-latency constraints, receiving routers cannot buffer incoming messages until the authentication check has finished and must forward the first packets to their destination. However, they can test the packets’ checksums to detect forgery attempts early. Hence, OPRP-CCA-security ensures that false TCP/IP packets only pass with probability of at most \(2^{-16}\).

Previous Work and Contributions. An ideal on-line cipher should be both IND-CCA-secure and non-sequential, i.e., parallelizable or pipelineable. Already in 1978 Campbell published an early on-line cipher, called Infinite Garble Extension (IGE), which is far from complying with current security goals. In 2000 Knudsen [26] proposed his Accumulated Block Chaining (ABC) mode. In their landmark paper from 2001 Bellare et al. [5] coined the term and the security notions for on-line ciphers, and presented two instances, HCBC-1 and HCBC-2, based on the combination of a block cipher and a keyed hash function. Both constructions are inherently sequential; HCBC-2 was slightly slower than HCBC-1, but provided additional IND-CCA-security. In 2002 Rivest, Liskov and Wagner [29, 30] presented a non-sequential, tweakable on-line cipher, called TIE. However, TIE could not provide CCA-security due to a counter-based tweak input. In 2003 Halevi and Rogaway [22] proposed the EME approach (encryption-mix-encryption), which has inspired several on-line cipher designs since then. EME is a symmetric design concept that consists of five layers: an initial whitening step, an ECB layer, a linear mixing, a second ECB layer, and a final whitening. In 2004 Boldyreva and Taesombut [11] proposed security notions for on-line authentication ciphers, and the HPCBC mode as an instantiation. In 2007 and 2008 Nandi proposed further on-line ciphers similar to that of Bellare et al. [32, 33]. In the same year the IEEE standardized the XTS [23] mode of operation for disk encryption, which, however, also lacked CCA-security. In 2011 Rogaway and Zhang [41] described methods to construct secure on-line ciphers from tweakable block ciphers. However, it is easy to see that all schemes mentioned so far are either inherently sequential or CCA-insecure. Table 1 shows a summarized classification.

Table 1. Classification of on-line encryption schemes.

Contribution. This paper introduces the Pipelineable On-line Encryption (POE, hereafter) family of on-line ciphers, which consists of an ECB layer that is wrapped by two chaining layers of a keyed family of \(\epsilon \)-AXU hash functions. The resulting construction is provably IND-CCA-secure and pipelineable, i.e., POE allows neighboring input blocks to be processed efficiently. To address different platforms, this work proposes three instantiations of POE, based on the AES as cipher and different families of universal hash functions. Furthermore, we show that POE can be easily transformed into an OPRP-CCA-secure, robust on-line AE (OAE) scheme, called Pipelineable On-line Encryption with Tag (POET hereafter), using well-studied methods from [19].

Recent Related Work. To the best of our knowledge, only four nonce-misuse-resistant OAE schemes were published prior to this work: (1) McOE [19], (2) APE(X) [4], (3) COPA [3], and (4) ELmE [15]. McOE is a TC3-like design that was introduced at FSE 2012, and pioneered nonce-misuse resistance as a considerable feature for OAE schemes; APE(X), COPA, and ELmE are recent designs, where APE(X) is based on the Sponge, and COPA as well as ELmE on the EME design. McOE and APE(X) provide OPRP-CCA-security, but work inherently sequentially; COPA and ELmE are parallelizable, and may outperform POET when running on high-end hardware or multi-core systems. However, the EME structure implies that both require two block-cipher calls for each message block, whereas POE and POET employ only a single cipher and two hash-function calls. Hence, we expect POET to perform better than EME-based designs on medium- and low-end systems with few cores and no native AES instructions. Moreover, we illustrate in Appendix A that EME-based designs lose the OPRP-CCA-security in the decryption-misuse setting, which disqualifies COPA and ELmE for the OTN application scenario. More generally, Datta and Nandi [16] showed recently that EME constructions with linear mixing cannot provide IND-CCA-security. Therefore, POET represents the first non-sequential OAE scheme with resistance against both nonce and decryption misuse.

Outline. The remainder of this work is structured as follows. Section 2 recalls the preliminary information about universal hash functions, on-line ciphers, and AE schemes that is necessary for this work. In Sect. 3, we propose the POE family of on-line ciphers and prove its security against chosen-plaintext and chosen-ciphertext attacks. Thereupon, Sect. 4 introduces POET and provides a proof for the security against chosen-ciphertext attacks. Section 5 proposes three practical instantiations for POE and POET. Finally, we draw a conclusion in Sect. 6.

2 Preliminaries

This section revisits the well-known definitions of universal hash-function families from Carter and Wegman [13, 43], as well as notions for on-line ciphers from Bellare et al. [5, 6]. Beforehand, Table 2 summarizes the general notions.

Table 2. Notions used throughout this paper.

2.1 Notions for Universal Hash Functions

Definition 1

( \(\varvec{\epsilon }\) -Almost-(XOR-)Universal Hash Functions). Let \(m, n \ge 1\) be integers. Let \(\mathcal {H} = \lbrace H: \{0,1\}^{m} \rightarrow \{0,1\}^{n} \rbrace \) be a family of hash functions. We call \(\mathcal {H} \) \(\epsilon \) -almost-universal (\(\epsilon \)-AU) if for all \(X, X' \in \{0,1\}^{m}\), \(X \ne X'\):

$$ \mathop {\mathrm{Pr}}\limits _{H}[H \xleftarrow {\$} \mathcal {H} :\ H(X) = H(X')] \le \epsilon . $$

We call \(\mathcal {H} \) \(\epsilon \) -almost-XOR-universal (\(\epsilon \)-AXU) if for all \(X, X' \in \{0,1\}^{m}\), \(Y \in \{0,1\}^{n}\), \(X \ne X'\):

$$ \mathop {\mathrm{Pr}}\limits _{H}[H \xleftarrow {\$} \mathcal {H} :\ H(X) \oplus H(X') = Y] \le \epsilon . $$

Boesgaard et al.  [10] showed that an \(\epsilon \)-AXU family of hash functions can be reduced to a family of \(\epsilon \)-AU hash functions by the following theorem:

Theorem 1

(Theorem 3 from [10]). Let \(m, n \ge 1\) be integers. Let \(\mathcal {H} = \lbrace H: \{0,1\}^{m} \rightarrow \{0,1\}^{n} \rbrace \) be a family of \(\epsilon \)-AXU hash functions. Then, the family \(\mathcal {H} ' = \lbrace H': \{0,1\}^{m} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n} \rbrace \) with \(H'(X, Y) = H(X) \oplus Y\) is \(\epsilon \)-AU.

2.2 Notions for On-line Ciphers

Block Ciphers. A block cipher is a keyed family of \(n \)-bit permutations \(E {:} \{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) which takes a \(k \)-bit key \(K\) and an \(n \)-bit message \(M\) and outputs an \(n\)-bit ciphertext \(C\). We define \({\mathtt{Block}}(k, n)\) as the set of all \((k, n)\)-bit block ciphers for \(n > 0\). For any \(E \in {\mathtt{Block}}(k, n) \) and a fixed key \(K \in \{0,1\}^{k}\), the encryption of a message \(M\) is defined by \(E _{K}(M)\), and the decryption is defined as the inverse function, i.e., \(E ^{-1}_{K}(M)\). For any key \(K \in \{0,1\}^{k}\), it applies that \(E ^{-1}_K (E _K (M)) = M \).

Definition 2

(On-line Cipher). Let \(k, n \ge 1\) be integers and let \(\varGamma : \{0,1\}^{k} \times \left( \{0,1\}^{n}\right) ^* \rightarrow \left( \{0,1\}^{n}\right) ^*\) be a keyed family of \(n \)-bit permutations which takes a \(k \)-bit key \(K\) and a message \(M\) of an arbitrary number of \(n \)-bit blocks, and outputs a ciphertext \(C\) consisting of the same number of \(n \)-bit blocks as \(M\). We call \(\varGamma \) an on-line cipher iff the encryption of message block \(M _i\), for all \(i \in [1, |M |/n ]\), depends only on the blocks \(M _{1}\), ..., \(M _{i}\).

A secure cipher should behave like a random permutation. It is easy to see that on-line ciphers cannot guarantee this property since the encryption of message block \(M _i\) does not depend on \(M _{i + 1}\). The on-line behavior implies that two messages \(M, M '\) that share an \(m\)-block common prefix are always encrypted to two ciphertexts \(C, C '\) that also share an \(m\)-block common prefix. Hence, an on-line cipher \(\varGamma \) is called secure iff no ciphertext reveals any further information about a plaintext than its length and the longest common prefix with previous messages. For a formal definition of the longest common prefix of two messages, we refer to  [19].

Definition 3

(On-line Permutation). Let \(i, j, \ell , n \ge 1\) be integers. Let \(F_i: \left( \{0,1\}^{n}\right) ^i \rightarrow \{0,1\}^{n}\) be a family of indexed \(n \)-bit permutations, i.e., for a fixed index \(j \in \left( \{0,1\}^{n}\right) ^{i - 1}\) it applies that \(F_i(j, \cdot )\) is a permutation. We define an \(n \)-bit on-line permutation \(P: \left( \{0,1\}^{n}\right) ^\ell \rightarrow \left( \{0,1\}^{n}\right) ^\ell \) as a composition of \(\ell \) permutations \(F_1 \cup F_2 \cup \ldots \cup F_\ell \). An \(\ell \)-block message \(M = (M _1, \ldots , M _\ell )\) is mapped to an \(\ell \)-block output \(C = (C _1, \ldots , C _\ell )\) by

$$ C _i = F_i(M _1 \ ||\ \ldots \ ||\ M _{i-1}, M _i), \quad \forall i \in [1, \ell ]. $$

Remark 1

For any two \(\ell \)-block inputs \(M, M '\), with \(M \ne M '\), that share an exactly \(m\)-block common prefix \(M _1 \ ||\ \ldots \ ||\ M _m\), the corresponding outputs \(C = P (M), C ' = P (M ')\) satisfy \(C _i = C '_i\) for all \(i \in [1, m]\) and \(m \le \ell \). However, it applies that \(C _{m+1} \ne C '_{m+1}\), and all further blocks \(C _i, C '_i\), with \(i \in [m + 2, \ell ]\), are likely to be different.

In the following, we denote by \(\mathsf{OPerm }_{n}\) the set of all \(n \)-bit on-line permutations. Furthermore, we denote by \(P \xleftarrow {\$} \mathsf{OPerm }_{n} \) that \(P\) is chosen as a random on-line permutation. Note that a random on-line permutation can be efficiently implemented by lazy-sampling.

On-line Authenticated Encryption Scheme (With Associated Data). An authenticated encryption scheme is a triple \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\). \(\mathcal {K}\) denotes a key-generation procedure that returns a randomly chosen key \(K\); the encryption algorithm \(\mathcal {E} _\mathcal {K} (H, M)\) and its inverse decryption algorithm \(\mathcal {D} _\mathcal {K} (H, C, T)\) are deterministic algorithms, where \(H\) denotes the header, \(M\) the message, \(T\) the authentication tag, and \(C\) the ciphertext, with \(H, M, C \in \left( \{0,1\}^{n}\right) ^{*}\) and \(T \in \{0,1\}^{n}\). We define that the final header block is a nonce. \(\mathcal {E}\) always outputs a ciphertext \(C\), and \(\mathcal {D}\) outputs either the plaintext \(M\) that corresponds to \(C\), or \(\bot \) if the authentication tag \(T\) is invalid. Note that we call an authenticated encryption scheme \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) on-line if \(\mathcal {E} \) is an on-line cipher and \(\mathcal {D} \) is its inverse operation.

3 The On-line Cipher POE

This section introduces the POE family of on-line ciphers and shows that it is secure against chosen-plaintext and chosen-ciphertext attacks.

3.1 Definition of POE

Definition 4

(POE). Let \(k, n \ge 1\) be integers, \(E\): \(\{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) a block cipher, and \(F: \{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) a family of keyed \(\epsilon \)-AXU hash functions. Furthermore, let \(F_i : \{0,1\}^{ni} \rightarrow \{0,1\}^{n}\) be an \(i\epsilon \)-AXU family of hash functions defined as follows:

$$ F _0 = F (1); \quad F _i(M) = F (F _{i-1}(M _1, \ldots , M _{i-1}) \oplus M _i) \qquad i \in \mathbb {N^+}. $$

Let \(K, K _1, K _2 \in \{0,1\}^k \) denote three pair-wise independent keys. Then, we define the encryption of POE and its inverse as shown in Algorithm 1.

A schematic illustration of the encryption algorithm is given in Fig. 1.

Fig. 1. The encryption process for an \(m\)-block message \(M\) with POE.

Algorithm 1. Encryption of POE and its inverse.

3.2 Security Notions for On-line Ciphers

The IND-SPRP-security of a block cipher \(E\) is defined by the success probability of an adversary \(\mathcal {A}\) to distinguish the output of \(E, E ^{-1}\) from that of an \(n\)-bit random permutation \(\pi \).

Definition 5

( IND-SPRP -Security). Let \(E \in {\mathtt{Block}}(k, n) \) denote a block cipher and \(E ^{-1}\) its inverse. Let \(\mathsf{Perm }_{n}\) be the set of all \(n\)-bit permutations. The IND-SPRP advantage of \(\mathcal {A}\) against \(E\) is then defined by

$$ \mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(\mathcal {A}) \,\le \, \left| \Pr \left[ \mathcal {A} ^{E (\cdot ), E ^{-1}(\cdot )} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{\pi (\cdot ), \pi ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!, $$

where the probabilities are taken over \(K \xleftarrow {\$} \{0,1\}^{k} \) and \(\pi \xleftarrow {\$} \mathsf{Perm }_{n} \). We define \(\mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(q, t)\) as the maximum advantage over all IND-SPRP-adversaries \(\mathcal {A}\) on \(E\) that run in time at most \(t\) and make at most \(q\) queries to the available oracles.

We borrow the OPRP-CCA notion from Bellare et al. [5, 6]. The OPRP-CCA-security specifies the maximal advantage of an adversary \(\mathcal {A}\) with access to an encryption and decryption oracle to distinguish the outputs of an on-line cipher \(\varGamma \) under a randomly chosen key \(K\) from that of a random permutation.

Definition 6

(OPRP-CCA-Security). Let \(K\) be a \(k\)-bit key, \(P\) a random on-line permutation, and \(\varGamma \): \(\{0,1\}^{k} \times \left( \{0,1\}^{n}\right) ^* \rightarrow \left( \{0,1\}^{n}\right) ^*\) be an on-line cipher. Then, we define the OPRP-CCA-advantage of an adversary \(\mathcal {A}\) by

$$\begin{aligned} \mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\varGamma }(\mathcal {A}) = \left| \Pr \left[ \mathcal {A} ^{\varGamma _K (\cdot ),\varGamma ^{-1}_K (\cdot )} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| , \end{aligned} \tag{1}$$

where the probabilities are taken over \(K \xleftarrow {\$} \mathcal {K} \) and \(P \xleftarrow {\$} \mathsf{OPerm }_{n} \). Further, we define \(\mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\varGamma }(q, \ell , t)\) as the maximum advantage over all adversaries \(\mathcal {A}\) that run in time at most \(t\), and make at most \(q\) queries of total length of at most \(\ell \) blocks to the available oracles.

Bellare and Namprempre showed in [7] that IND-CCA-security implies non-malleable chosen-ciphertext-security (NM-CCA). Hence, OPRP-CCA implies weak non-malleability, i.e., an adversary that manipulates the \(i\)-th ciphertext block cannot distinguish the \((i+1)\)-th, \((i+2)\)-th, ... ciphertext blocks of \(\varGamma \) from random.

3.3 OPRP-CCA-Security of POE

Theorem 2

Let E: \(\{0,1\}^{k} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) be a block cipher and \(E ^{-1}\) its inverse operation. Let \(\pi \xleftarrow {\$} \mathsf{Perm }_{n} \) denote an \(n \)-bit random permutation that was chosen uniformly at random, and let \(\pi ^{-1}\) denote its inverse. Then, it holds that

$$\begin{aligned} \mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\mathsf{POE } _{E,E ^{-1}}} (q, \ell , t) \,\le \, \ell ^2\epsilon + \frac{\ell ^2}{2^n-\ell } + \mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(\ell , \text {O}(t)). \end{aligned} \tag{2}$$


Let \(\mathcal {A}\) be an OPRP-CCA-adversary with access to an oracle \(\mathcal {O} \), which responds either with real encryption/decryptions using \(\mathsf{POE } _{E _K, E _K ^{-1}}\) or a random on-line permutation \(P\), as given in Definition 6. We say that \(\mathcal {A}\) collects its queries and the corresponding oracle response as tuples \((M, C)\) in a query history \(\mathcal {Q}\). Wlog., we assume that \(\mathcal {A}\) will not make queries to which it already knows the answer.

It is easy to see that we can rewrite Eq. (1) as (cf. [19], Sect. 4):

$$\begin{aligned} \mathbf {{Adv}}^\mathsf{OPRP-CCA }_{\mathsf{POE } _{E,E^{-1}}}(\mathcal {A}) \le&\left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{E},\mathsf{POE }^{-1}_{E^{-1}}} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\right] \right| \end{aligned} \tag{3}$$
$$\begin{aligned}&+ \left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!. \end{aligned} \tag{4}$$

It is easy to see that Eq. (3) can be upper bounded by

$$ \mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E,E ^{-1}}(\ell , \text {O}(t)). $$

It remains to study the difference in (4), which refers to the advantage of \(\mathcal {A}\) to distinguish POE instantiated with an \(n\)-bit random permutation \(\pi \) from \(P\). We can identify two cases from the structure of POE: (1) collisions between internal values of POE occur (COLL), or (2) no collisions occur (NOCOLL). From the law of total probability follows that we can rewrite (4) as

$$\begin{aligned}&\left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \\ \,\le \,&\Pr \left[ \text {COLL} \right] \cdot \Pr \left[ \text {COLLWIN} \right] + \Pr \left[ \lnot \,\text {COLL} \right] \cdot \Pr \left[ \text {NOCOLLWIN} \right] , \end{aligned}$$


$$\begin{aligned} \Pr \left[ \text {COLLWIN} \right]&= \left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\,|\,\text {COLL} \right] - \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!, \\ \Pr \left[ \text {NOCOLLWIN} \right]&\!=\! \left| \Pr \left[ \mathcal {A} ^{\mathsf{POE }_{\pi },\mathsf{POE }^{-1}_{\pi ^{-1}}} \Rightarrow 1\,|\,\lnot \,\text {COLL} \right] \!-\! \Pr \left[ \mathcal {A} ^{P (\cdot ), P ^{-1}(\cdot )} \Rightarrow 1\right] \right| \!. \end{aligned}$$

For the sake of simplicity, we upper bound \(\Pr \left[ \text {COLLWIN} \right] \) and \(\Pr \left[ \lnot \,\text {COLL} \right] \) by 1. Thus, we only have to look at \(\Pr \left[ \text {COLL} \right] \) and \(\Pr \left[ \text {NOCOLLWIN} \right] \).

Case 1: \(\mathbf {COLL}\) . In this case, \(\mathcal {A}\) tries to distinguish POE from random by exploiting some collision between internal values. Since \(\pi \) is a random permutation, any fresh (i.e., not previously queried) input to \(\pi (\cdot )\) or \(\pi ^{-1}(\cdot )\) produces a random output and therefore:

  1. For any fresh \(X_i\), the result of \(\pi (X_i) \oplus F _{K _2}(Y_{i-1})\) will be random.

  2. For any fresh \(Y_i\), the result of \(\pi ^{-1}(Y_i) \oplus F _{K _1}(X_{i-1})\) will be random.

We obtain two possible subcases: a collision between internal values in the top row occurred (\(\text {COLL}_\mathrm{top} \)), or a collision between internal values in the bottom row occurred (\(\text {COLL}_\mathrm{bot} \)). COLL then represents the event that either (or both) subcases occurred.

$$ \text {COLL} \,=\, \text {COLL}_\mathrm{top} \,\vee \, \text {COLL}_\mathrm{bot}. $$

Subcase 1.1: \(\mathbf {COLL_{top}}\) . By an internal collision in the top row, we refer to the event that \(X_i = X'_j\) for two distinct tuples \((X_{i-1}, M _i)\) and \((X'_{j-1}, M '_j)\), with \(i,j \ge 1\):

$$ X_i = F _{K _1}(X_{i-1}) \oplus M _i, \quad \text {and} \quad X'_j = F _{K _1}(X'_{j-1}) \oplus M '_j. $$

Since \(F\) is an \(\epsilon \)-AXU family of hash functions, the family \(F '\) of hash functions

$$ F '_{K _1}(X_{i-1}, M _i) \,:=\, F _{K _1}(X_{i-1}) \oplus M _i $$

is \(\epsilon \)-AU (cf. Theorem 1). Thus, the probability of a top-row collision for at most \(\ell \) queried message blocks can be upper bounded by

$$ \Pr \left[ \text {COLL}_\mathrm{top} \right] \,=\, \frac{\ell (\ell - 1)}{2} \cdot \epsilon \,\le \, \frac{\ell ^2}{2}\epsilon . $$

Subcase 1.2: \(\mathbf {COLL_{bot}}\) . We define a bottom-row collision as the event that two distinct tuples \((Y_{i-1}, C _i)\) and \((Y'_{j-1}, C'_j)\) produce the same values \(Y_i = Y'_j\), with

$$ Y_i = F _{K _2}(Y_{i-1}) \oplus E _K (X_i), \quad \text {and} \quad Y'_j = F _{K _2}(Y'_{j-1}) \oplus E _K (X'_j). $$

Due to the symmetric structure of POE, the analysis for bottom-row collisions is similar to that of top-row collisions. Thus, the probability for this event can also be upper bounded by

$$ \Pr \left[ \text {COLL}_\mathrm{bot} \right] = \frac{\ell (\ell - 1)}{2} \cdot \epsilon \,\le \, \frac{\ell ^2}{2}\epsilon . $$

Hence, we can upper bound \(\Pr \left[ \text {COLL} \right] \,\le \, \Pr \left[ \text {COLL}_\mathrm{top} \right] + \Pr \left[ \text {COLL}_\mathrm{bot} \right] \le \ell ^{2}\epsilon .\)

Case 2: \(\mathbf {NOCOLLWIN}\) . Next, we regard the case that \(\mathcal {A}\) shall distinguish \((\mathsf{POE }_{\pi }, \mathsf{POE }^{-1}_{\pi ^{-1}})\) from \((P (\cdot ), P ^{-1}(\cdot ))\) when no internal collisions occur. We can generalize that each pair of tuples \((M, C),(M ', C ')\in \mathcal {Q} \) shares a common prefix of 0 to \(\min (|M |, |M '|)/n \) blocks. Wlog., say that the pair \(M, M ' \in \mathcal {Q} \) shares an \(i\)-block common prefix, i.e., \(M _j = M '_j\), \(\forall j \in [1,i]\), and \(M _{i+1} \ne M '_{i+1}\). In the following, we study the difference in the behavior of POE and \(P\) for three subcases: (2.1) for the message blocks in the common prefix, \(M _1,\ldots ,M _i\), (2.2) for the \((i+1)\)-th block, or (2.3) for the message blocks after the \((i+1)\)-th one.

Subcase 2.1: Common Prefix. Since an OPERM is deterministic, input and output behaviors of \((\mathsf{POE }_{\pi }, \mathsf{POE }^{-1}_{\pi ^{-1}})\) and \((P (\cdot ), P ^{-1}(\cdot ))\) are identical for the common prefix. Hence, the advantage for \(\mathcal {A}\) in this subcase is 0.

Subcase 2.2: Directly After the Common Prefix. Since \(M_j = M '_j\), \(\forall j \in [1,i]\), it must hold in the real case that \(Y_i = Y'_i\) and \(X_i = X'_i\). From \(M _{i+1} \ne M '_{i+1}\) follows

$$ C _{i+1} \,=\, \pi (F _{K _1}(X_{i}) \oplus M _{i+1}) \oplus F _{K _2}(Y_i) \,\ne \, \pi (F _{K _1}(X'_{i}) \oplus M '_{i+1}) \oplus F _{K _2}(Y'_i) \,=\, C '_{i+1}. $$

Since \(\pi \) is a random permutation, \(C _{i+1}\), \(C '_{i+1}\) are chosen uniformly at random in the real case. In the random case \(P \) is used with two different prefixes \(M _1\ ||\ \ldots \ ||\ M _{i+1}\) and \(M '_1\ ||\ \ldots \ ||\ M '_{i+1}\). Since \(P \) is an OPERM, \(C _{i+1} \ne C '_{i+1}\) also must hold in this case. Hence, the advantage for \(\mathcal {A}\) in this subcase is also 0.

Subcase 2.3: After the \((i+1)\)-th Message Block. In the random case, each query output is chosen uniformly at random from \(\{0,1\}^{n}\). However, in the real world each output of either an encryption or a decryption query is chosen uniformly at random from the set \(\{0,1\}^{n} \setminus \mathcal {Q}\). This means that in the real case POE loses randomness with every query. We can upper bound the success probability of an adversary to distinguish POE from a random OPERM by

$$ \frac{\ell ^2}{2^n-\ell }. $$

Our claim in Eq. (2) follows from summing up the individual terms.     \(\square \)

4 The On-line AE Scheme POET

For McOE, Fleischmann et al. [19] showed that an OPRP-CCA-secure on-line cipher can be easily transformed into an on-line AEAD scheme that is resistant against nonce and decryption misuse. This section shows how to apply their approach to transform POE into a nonce-misuse-resistant AE scheme for messages whose lengths are a multiple of the block length.

4.1 Definition of POET

Definition 7

(POET). Let \(k, n \ge 1\) be integers. Let \(\mathsf{POET } = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) be an AE scheme, E: \(\{0,1\}^{k} \times \{0,1\}^{*} \rightarrow \{0,1\}^{*}\) a block cipher, and F: \(\{0,1\}^{n} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) a family of keyed \(\epsilon \)-AXU hash functions. Furthermore, let \(F_i\): \(\{0,1\}^{ni} \rightarrow \{0,1\}^{n}\) be an \(i\epsilon \)-AXU family of hash functions defined as follows:

$$ F_0= F(1); \quad F _i(M) = F (F _{i-1}(M _1,\ldots ,M _{i-1}) \oplus M _i) \qquad i \in \mathbb {N^+}.$$

Let \(H\) be the header (including the nonce as its final block), \(M\) the message, \(T\) the authentication tag, and \(C\) the ciphertext, with \(H, M, C \in \left( \{0,1\}^{n}\right) ^{*}\) and \(T \in \{0,1\}^{n}\). Then, we define encryption and decryption algorithms of POET as shown in Algorithm 2.

Algorithm 2. Encryption and decryption algorithms of POET.

A schematic illustration of the encryption algorithm is given in Fig. 2.

Remark 2

POET uses the common 10*-padding for headers \(|H |\) whose length is not a multiple of \(n\). As a result, \(H\) consists of at least a single block, and the entire header can be seen as a nonce. For messages whose length is not a multiple of the block size, POET borrows the provably secure tag-splitting approach from McOE  [19]. Therefore, it is sufficient to prove the OCCA3-security only for messages whose length is a multiple of the block size.

Fig. 2. The encryption process for an \(m\)-block message \(M\) of POET.

4.2 Security Notions for On-line AE Schemes

We define an on-line authenticated encryption scheme \(\varPi \) to be OCCA3-secure iff it provides both OPRP-CPA and INT-CTXT security. Note that we explicitly regard nonce-ignoring adversaries which are allowed to use a nonce multiple times, similar to the security notions of integrity for authenticated encryption schemes in [19]. In the next part, we briefly revisit the formal definitions of INT-CTXT and OCCA3.

The INT-CTXT-advantage of an adversary \(\mathcal {A}\) is given by the success probability of winning the game \(G _{\mathsf{INT-CTXT }}\) that is defined in Fig. 3. Thus, we obtain

$$\begin{aligned} \mathbf {{Adv}}^{\mathsf{INT-CTXT }}_{\varPi }(\mathcal {A}) \,\le \, \Pr \left[ \mathcal {A} ^{G _{\mathsf{INT-CTXT }}} \Rightarrow 1\right] , \end{aligned}$$

where \(\mathbf {{Adv}}^{\mathsf{INT-CTXT }}_{\varPi }(q, \ell , t)\) is the maximum advantage over all INT-CTXT adversaries \(\mathcal {A}\) that run in time at most \(t\), and make at most \(q\) queries with a total length of at most \(\ell \) blocks to the available oracles.

Fig. 3. The \(G _{\mathsf{INT-CTXT }}\) game for an authenticated encryption scheme \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\).

Definition 8

( OCCA3 -Security). Let \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) be an on-line authenticated encryption scheme. Then, the OCCA3-advantage of an adversary \(\mathcal {A}\) is upper bounded by

$$\begin{aligned} \mathbf {{Adv}}^{\mathsf{OCCA3 }}_{\varPi }(\mathcal {A}) \,\le \, \mathbf {{Adv}}^\mathsf{OPRP-CPA }_{\varPi }(q, \ell , t) + \mathbf {{Adv}}^{\mathsf{INT-CTXT }}_{\varPi }(q, \ell , t). \end{aligned}$$

The OCCA3-advantage of \(\varPi \), \(\mathbf {{Adv}}^{\mathsf{OCCA3 }}_{\varPi }(q, \ell , t)\), is then defined by the maximum advantage of all adversaries \(\mathcal {A}\) that run in time at most \(t\), and make at most \(q\) queries of a total length of at most \(\ell \) blocks to the available oracles.

Note that an OPRP-CPA-adversary \(\mathcal {A}\) on some encryption scheme \(\varGamma \) can always be used by an OPRP-CCA-adversary \(\mathcal {A}'\) on \(\varGamma \) that inherits the advantage of \(\mathcal {A}\). In the reverse direction, an upper bound for the OPRP-CCA-advantage of \(\varGamma \) is always an upper bound for the OPRP-CPA-advantage of \(\varGamma \).

4.3 OCCA3-Security of POET

Theorem 3

Let \(\varPi = (\mathcal {K}, \mathcal {E}, \mathcal {D})\) be a POET scheme as defined in Definition 7. Then, it holds that

$$ \mathbf {{Adv}}^{\mathsf{OCCA3 }}_{\varPi } (q, \ell , t) \,\le \, 2\left( \ell + 2q \right) ^2 \epsilon + \frac{\left( \ell + 2q \right) ^2 + q}{2^{n} - \left( \ell + 2q \right) } + 2\mathbf {{Adv}}^{\mathsf{IND-SPRP }}_{E, E ^{-1}} (\ell + 2q, \text {O}(t)). $$


The proof follows from Theorem 2 and the bound for the INT-CTXT-security of POET. Due to the lack of space, we omit the proof for the latter in this version and refer the reader to Lemma 1 in the full version of this paper [2]. Since Theorem 2 yields an upper bound for the OPRP-CCA-advantage on POE, it also provides an upper bound for the OPRP-CPA-advantage on POET. However, \(\ell \) (the number of encrypted message and header blocks from Theorem 2) must be replaced by (\(\ell + 2q \)), since the tag-generation process of POET includes two additional block-cipher calls per query. \(\square \)

5 Key Derivation and Instantiations

5.1 Key Derivation

POE and POET require three internal keys: one key \(K\) for the block cipher, and two keys \(K _1\) and \(K _2\) for the two instances of \(F\). Since our goal was to put no further restrictions on the used hash function families, we borrowed the idea from [25] to obtain pair-wise independent keys. At setup, the user supplies a \(k \)-bit secret key \(L\). The further keys are then derived from \(L\) by encrypting three distinct constants \(const_0\), \(const_1\), \(const_2\) with \(E\):

$$ K \leftarrow E _L (const_0), \qquad K _1 \leftarrow E _L (const_1), \qquad K _2 \leftarrow E _L (const_2). $$

For simplicity, we recommend \(const_0 = 1, const_1 = 2, const_2 = 3\). Under the assumption that \(E\) is a PRP-secure block cipher, this derivation yields independent keys for the block-cipher and hash-function calls.

5.2 \(\epsilon \)-AXU Hash Functions

We recommend to instantiate POE/POET with AES-128 as block cipher. For the \(\epsilon \)-AXU families of hash functions \(F\), we propose three suitable instantiations in the following.

POE/POET with Four-Round AES. When trying to minimize the implementation footprint, it may be desirable to have an encryption scheme based on only a single primitive. Furthermore, maximizing the throughput is often critical. Therefore, POE/POET with the first four rounds of the AES as a family of keyed hash functions may be an excellent choice for restricted devices and/or devices with support for AES native instructions. The drawback of this solution would be a slightly lower number than the common \(2^{64}\) message blocks that can be processed under the same key. As shown by Daemen et al. in [14], four-round AES is a family of \(\epsilon \)-AXU hash functions—under the reasonable assumption that all used round keys are independent—with

$$ \epsilon \,\le \, 1.88 \cdot 2^{-114} \approx 2^{-113}. $$

This implies that at most \(\ll 2^{56}\) message blocks can be encrypted or decrypted under the same key.

POE/POET with Full-Round AES. As a more conservative variant, we propose the full AES-128 for the family of hash functions. Under the common PRF assumption, where we assume that AES is indistinguishable from a random 128-bit permutation, this construction yields \(\epsilon \approx 2^{-128}\).

POE/POET with Galois-Field Multiplications. In addition, one can use a multiplication in \(GF(2^{128})\), similar to that in AES-GCM [31], as a universal hash function. This approach yields an \(\epsilon \approx 2^{-128}\). Moreover, POE and POET can be fully parallelized with Galois-Field multiplications. For instance, consider a message of at least four blocks, \(M _1 \ ||\ \ldots \ ||\ M _4\). Using Galois-Field multiplications, the input for the second block-cipher call is \(K ^2 + K M _1 + M _2\). Instead of sequentially multiplying with \(K \), adding \(M _3\), multiplying with \(K \) and adding \(M _4\), one can compute in parallel:

  • For the third block-cipher call: \(K \cdot (K ^2 + K M _1 + M _2) + M _3\).

  • For the fourth block-cipher call: \(K ^2 \cdot (K ^2 + K M _1 + M _2) + K M _3 + M _4\).

This approach increases the total number of multiplications, but decreases the latency. Given \(c\) cores, and \(c\) subsequent message blocks to process, this approach reduces the latency from \(c\) hash-function calls to \(O(\log {c})\). This approach is used, e.g., in carry-lookahead adders, GCM [31], or CWC [27].
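The following Python sketch is an added example, not code from the paper: it checks that the look-ahead formulas above give the same block-cipher inputs as the sequential chain, generalizes them to any number of subsequent blocks, and counts the extra multiplications. The function names, the starting value 1 (chosen so that the second input equals \(K ^2 + K M _1 + M _2\)), the natural-bit-order representation of GCM's reduction polynomial, and the key and message values are assumptions made for the illustration.

```python
# Added illustration (not from the paper): look-ahead evaluation of the
# GF(2^128) hash chain X_i = K*X_{i-1} + M_i described in the text.
# Assumptions: GCM's reduction polynomial in natural (non-reflected) bit
# order, 128-bit integers as field elements, constructed key and blocks.

R = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1

def gf_mul(a, b):
    """Multiply two field elements (carry-less product reduced mod R)."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= R
    return acc

def sequential_chain(key, start, blocks):
    """Horner form: each value waits for the previous multiplication."""
    out, x = [], start
    for m in blocks:
        x = gf_mul(key, x) ^ m
        out.append(x)
    return out

def lookahead_chain(key, start, blocks):
    """X_j = K^j*start + sum_{i<=j} K^(j-i)*M_i; no value depends on another.
    Returns the values and the number of multiplications spent on them
    (key powers are per-key constants and are not counted)."""
    powers = [1]
    for _ in blocks:
        powers.append(gf_mul(powers[-1], key))
    out, mults = [], 0
    for j in range(1, len(blocks) + 1):
        x = gf_mul(powers[j], start)
        mults += 1
        for i, m in enumerate(blocks[:j], start=1):
            if i < j:
                x ^= gf_mul(powers[j - i], m)
                mults += 1
            else:
                x ^= m  # K^0 * M_j
        out.append(x)
    return out, mults

KEY = 0x000102030405060708090A0B0C0D0E0F           # constructed key K
MSG = [0x11 << 120, 0x22 << 64, 0x33 << 8, 0x44]    # constructed M_1..M_4

def demo():
    x = sequential_chain(KEY, 1, MSG)               # inputs of calls 1..4
    par, mults = lookahead_chain(KEY, x[1], MSG[2:])
    return x, par, mults
```

For the two look-ahead blocks of the four-block message, `demo()` spends three multiplications where the sequential chain spends two, but neither of the two results has to wait for the other.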

When using multiplications in \(GF(2^{128})\), one has to consider the risk of weak keys and forgery polynomials. At FSE’12, Saarinen [42] pointed out that, since \(2^{128} - 1\) is not prime and produces \(2^9\) smooth-order multiplicative groups, one can obtain a weak key with probability \(2^{-96}\) that allows the efficient construction of a forgery. Saarinen’s observation was generalized by Procter and Cid at FSE’13 [39], who showed that an adversary can choose an arbitrary message as a polynomial \(q(x)\) with a preferably high degree and no repeated roots. Then, it can create two messages \(M, M'\) that collide with probability \(p = \frac{\#\text {roots of }q(x)}{2^{128}}\). As a result of their work, any key can be considered potentially weak. After FSE’14, Abdelraheem et al. [1] applied the observations of Procter and Cid to the version of POET that was submitted to the CAESAR competition, and showed that one could build forgeries for POET with Galois-Field multiplication with success probability between \(2^{-96}\) and \(2^{-66}\). Therefore, we recommend using (round-reduced) AES for hashing in POET in favor of a Galois-Field multiplication.

6 Conclusion

This paper presented POE, the first family of on-line ciphers which is both non-sequential and provably OPRP-CCA-secure. Its design combines two layers of \(\epsilon \)-AXU hashing and a wrapped layer of ECB encryption.

Most on-line AE schemes have a significant latency since they must buffer a would-be plaintext until the tag has been verified. The latency can be significantly decreased when the would-be plaintext is passed along beforehand; however, this approach raises security issues when applied to AE schemes that lack OPRP-CCA-security, i.e., an adversary could obtain partial control over the would-be plaintext, even when it includes additional checksums. On the other hand, previous OPRP-CCA-secure encryption schemes were inherently sequential. POE is well-suited for high-speed networks that require performant, low-latency encryption of large message frames, especially when classical authenticated decryption would increase latency significantly. Our application scenario targets optical transport networks (OTNs), but the latency imposed by authenticated decryption is an issue for other applications as well. In general, POE is an option for such applications.

We proposed three instantiations, where we recommended the AES as block cipher and either four-round AES, full AES, or a multiplication in \(GF(2^{128})\) as \(\epsilon \)-AXU families of hash functions. Additionally, we presented POET, a state-of-the-art on-line authenticated encryption scheme, which inherits the chosen-ciphertext-security and pipelineability from POE. Concluding, POET combines pipelineability with misuse-resistance in a novel way, at the cost of only a single block-cipher and two additional hash-function calls per message block.