Blockcipher-Based Authenticated Encryption: How Small Can We Go?

  • Avik ChakrabortiEmail author
  • Tetsu Iwata
  • Kazuhiko Minematsu
  • Mridul Nandi


This paper presents a lightweight blockcipher-based authenticated encryption mode mainly focusing on minimizing the implementation size, i.e., hardware gates or working memory on software. The mode is called \(\textsf {COFB}\), for COmbined FeedBack. \(\textsf {COFB}\) uses an n-bit blockcipher as the underlying primitive and relies on the use of a nonce for security. In addition to the state required for executing the underlying blockcipher, \(\textsf {COFB}\) needs only n / 2 bits state as a mask. Till date, for all existing constructions in which masks have been applied, at least n bit masks have been used. Thus, we have shown the possibility of reducing the size of a mask without degrading the security level much. Moreover, it requires one blockcipher call to process one input block. We show \(\textsf {COFB}\) is provably secure up to \(O(2^{n/2}/n)\) queries which is almost up to the standard birthday bound. We first present an idealized mode \(\textsf {iCOFB}\) along with the details of its provable security analysis. Next, we extend the construction to the practical mode COFB. We instantiate COFB with two 128-bit blockciphers, AES-128 and GIFT-128, and present their implementation results on FPGAs. We present two implementations, with and without CAESAR hardware API. When instantiated with AES-128 and implemented without CAESAR hardware API, COFB achieves only a few more than 1000 Look-Up-Tables (LUTs) while maintaining almost the same level of provable security as standard AES-based AE, such as GCM. When instantiated with GIFT-128, COFB performs much better in hardware area. It consumes less than 1000 LUTs while maintaining the same security level. However, when implemented with CAESAR hardware API, there are significant overheads both in hardware area and in throughput. COFB with AES-128 achieves about 1475 LUTs. COFB with GIFT-128 achieves a few more than 1000 LUTs. Though there are overheads, still both these figures show competitive implementation results compared to other authenticated encryption constructions.


COFB AES GIFT Authenticated encryption Blockcipher 



  1. 1.
    ATHENa: Automated Tool for Hardware Evaluation.
  2. 2.
  3. 3.
    CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness.
  4. 4.
    Recommendation for Block Cipher Modes of Operation: Methods and Techniques. NIST Special Publication 800-38A, 2001. National Institute of Standards and Technology.Google Scholar
  5. 5.
    Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality . NIST Special Publication 800-38C, 2004. National Institute of Standards and Technology.Google Scholar
  6. 6.
    Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. NIST Special Publication 800-38B, 2005. National Institute of Standards and Technology.Google Scholar
  7. 7.
  8. 8.
    NIST FIPS 197. Advanced Encryption Standard (AES). Federal Information Processing Standards Publication, 197, 2001.Google Scholar
  9. 9.
    Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha, Qingju Wang, and Kan Yasuda. PRIMATEs v1.02. Submission to CAESAR. 2016.
  10. 10.
    Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tischhauser, and Kan Yasuda. Parallelizable and authenticated online ciphers. In ASIACRYPT (1), volume 8269 of LNCS, pages 424–443. Springer, 2013.Google Scholar
  11. 11.
    Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tischhauser, and Kan Yasuda. AES-COPA v.2. Submission to CAESAR, 2015.
  12. 12.
    Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves. NORX v3.0. Submission to CAESAR, 2016.
  13. 13.
    Subhadeep Banik, Andrey Bogdanov, and Kazuhiko Minematsu. Low-Area Hardware Implementations of CLOC, SILC and AES-OTR. DIAC, 2015.Google Scholar
  14. 14.
    Subhadeep Banik, Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB v1.0.
  15. 15.
    Subhadeep Banik, Sumit Kumar Pandey, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT: A small present—towards reaching the limit of lightweight encryption. In Fischer and Homma [33], pages 321–345.Google Scholar
  16. 16.
    Subhadeep Banik, Sumit Kumar Pandey, Thomas Peyrin, Siang Meng Sim, Yosuke Todo, and Yu Sasaki. GIFT: A small present. IACR Cryptol ePrint Arch., 2017:622, 2017.Google Scholar
  17. 17.
    Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. The SIMON and SPECK lightweight block ciphers. In Proceedings of the 52nd Annual Design Automation Conference, San Francisco, CA, USA, June 7–11, 2015, pages 175:1–175:6. ACM, 2015.Google Scholar
  18. 18.
    Christof Beierle, Jérémy Jean, Stefan Kölbl, Gregor Leander, Amir Moradi, Thomas Peyrin, Yu Sasaki, Pascal Sasdrich, and Siang Meng Sim. The SKINNY family of block ciphers and its low-latency variant MANTIS. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology—CRYPTO 2016—-36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II, volume 9815 of Lecture Notes in Computer Science, pages 123–153. Springer, 2016.Google Scholar
  19. 19.
    Mihir Bellare, Joe Kilian, and Phillip Rogaway. The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci., 61(3):362–399, 2000.MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Guido Bertoni, Michaël Peeters Joan Daemen, Gilles Van Assche, and Ronny Van Keer. Ketje v2. Submission to CAESAR. 2016.
  21. 21.
    Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. PRESENT: an ultra-lightweight block cipher. In CHES 2007, pages 450–466, 2007.Google Scholar
  22. 22.
    Andrey Bogdanov, Florian Mendel, Francesco Regazzoni, Vincent Rijmen, and Elmar Tischhauser. ALE: AES-based lightweight authenticated encryption. In FSE 2013, pages 447–466, 2013.Google Scholar
  23. 23.
    Julia Borghoff, Anne Canteaut, Tim Güneysu, Elif Bilge Kavun, Miroslav Knezevic, Lars R. Knudsen, Gregor Leander, Ventzislav Nikov, Christof Paar, Christian Rechberger, Peter Rombouts, Søren S. Thomsen, and Tolga Yalçin. PRINCE—a low-latency block cipher for pervasive computing applications—extended abstract. In ASIACRYPT 2012, pages 208–225, 2012.Google Scholar
  24. 24.
    Christophe De Cannière, Orr Dunkelman, and Miroslav Knezevic. KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers. In Christophe Clavier and Kris Gaj, editors, Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6–9, 2009, Proceedings, volume 5747 of Lecture Notes in Computer Science, pages 272–288. Springer, 2009.Google Scholar
  25. 25.
    Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, and Mridul Nandi. Blockcipher-based authenticated encryption: how small can we go? In Fischer and Homma [33], pages 277–298.Google Scholar
  26. 26.
    Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, and Mridul Nandi. Blockcipher-based authenticated encryption: how small can we go? IACR Cryptol. ePrint Arch., 2017:649, 2017.Google Scholar
  27. 27.
    Avik Chakraborti and Mridul Nandi. TriviA-ck-v2. Submission to CAESAR. 2015.
  28. 28.
    Nilanjan Datta and Mridul Nandi. Proposal of ELmD v2.1. Submission to CAESAR, 2015.
  29. 29.
    Prakash Dey, Raghvendra Singh Rohit, and Avishek Adhikari. (2016) Full key recovery of ACORN with a single fault. J. Inf. Sec. Appl., 29,57–64Google Scholar
  30. 30.
    Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer. Ascon v1.2. Submission to CAESAR, 2016.
  31. 31.
    Morris Dworkin. Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D, 2011. Scholar
  32. 32.
    Farnoud Farahmand, William Diehl, Abubakr Abdulgadir, Jens-Peter Kaps, and Kris Gaj. Improved lightweight implementations of CAESAR authenticated ciphers. IACR Cryptol. ePrint Arch., 2018:573, 2018.Google Scholar
  33. 33.
    Wieland Fischer and Naofumi Homma, editors. Cryptographic Hardware and Embedded Systems—CHES 2017—19th International Conference, Taipei, Taiwan, September 25–28, 2017, Proceedings, volume 10529 of Lecture Notes in Computer Science. Springer, 2017.Google Scholar
  34. 34.
    Ewan Fleischmann, Christian Forler, and Stefan Lucks. McOE: a family of almost foolproof on-line authenticated encryption schemes. In FSE 2012, pages 196–215, 2012.Google Scholar
  35. 35.
    Vincent Grosso, Gaëtan Leurent, Francois-Xavier Standaert, Kerem Varici, Anthony Journault, Francois Durvaux, Lubos Gaspar, and Stéphanie Kerckhof. SCREAM Side-Channel Resistant Authenticated Encryption with Masking. Submission to CAESAR, 2015.
  36. 36.
    Jian Guo, Thomas Peyrin, Axel Poschmann, and Matthew J. B. Robshaw. The LED block cipher. In CHES 2011, pages 326–341, 2011.Google Scholar
  37. 37.
    Viet Tung Hoang, Ted Krovetz, and Philip Rogaway. AEZ v4.2: Authenticated Encryption by Enciphering. Submission to CAESAR, 2016.
  38. 38.
    Tetsu Iwata and Kaoru Kurosawa. OMAC: One-key CBC MAC. In FSE, pages 129–153, 2003.Google Scholar
  39. 39.
    Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, and Sumio Morioka. CLOC: authenticated encryption for short input. In FSE 2014, pages 149–167, 2014.Google Scholar
  40. 40.
    Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CLOC and SILC. Submission to CAESAR, 2016.
  41. 41.
    Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Joltik v1.3. Submission to CAESAR, 2015.
  42. 42.
    Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Deoxys v1.41. Submission to CAESAR, 2016.
  43. 43.
    Ted Krovetz and Phillip Rogaway. The software performance of authenticated-encryption modes. In FSE, pages 306–327, 2011.Google Scholar
  44. 44.
    Ted Krovetz and Phillip Rogaway. OCB(v1.1). Submission to CAESAR, 2016.
  45. 45.
    Sachin Kumar, Jawad Haj-Yihia, Mustafa Khairallah, and Anupam Chattopadhyay. A comprehensive performance analysis of hardware implementations of CAESAR candidates. IACR Cryptol. ePrint Arch., 2017:1261, 2017.Google Scholar
  46. 46.
    Frédéric Lafitte, Liran Lerman, Olivier Markowitch, and Dirk Van Heule. SAT-based cryptanalysis of ACORN. IACR Cryptol. ePrint Arch., 2016:521, 2016.Google Scholar
  47. 47.
    Moses Liskov, Ronald L. Rivest, and David A. Wagner. Tweakable block ciphers. In Moti Yung, editor, Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings, volume 2442 of Lecture Notes in Computer Science, pages 31–46. Springer, 2002.Google Scholar
  48. 48.
    Kerry A. McKay, Larry Bassham, Meltem Snmez Turan, and Nicky Mouha. Report on Lightweight Cryptography, 2017.
  49. 49.
    Kazuhiko Minematsu. Parallelizable rate-1 authenticated encryption from pseudorandom functions. In EUROCRYPT, volume 8441 of LNCS, pages 275–292. Springer, 2014.Google Scholar
  50. 50.
    Kazuhiko Minematsu. AES-OTR v3.1. Submission to CAESAR, 2016.
  51. 51.
    Amir Moradi, Axel Poschmann, San Ling, Christof Paar, and Huaxiong Wang. Pushing the limits: a very compact and a threshold implementation of AES. In EUROCRYPT 2011, pages 69–88, 2011.Google Scholar
  52. 52.
    Ivica Nikolić. Tiaoxin – 346. Submission to CAESAR. 2016.
  53. 53.
    J. Patarin. Etude des Générateurs de Permutations Basés sur le Schéma du D.E.S. Ph.d. Thèsis de Doctorat de l’Université de Paris 6, 1991.Google Scholar
  54. 54.
    Thomas Peyrin, Siang Meng Sim, Lei Wang, and Guoyan Zhang. Cryptanalysis of JAMBU. In FSE 2015, pages 264–281, 2015.Google Scholar
  55. 55.
    Phillip Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5–9, 2004, Proceedings, volume 3329 of Lecture Notes in Computer Science, pages 16–31. Springer, 2004.Google Scholar
  56. 56.
    Phillip Rogaway, Mihir Bellare, and John Black. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur., 6(3):365–403, 2003.CrossRefGoogle Scholar
  57. 57.
    Phillip Rogaway and Thomas Shrimpton. A provable-security treatment of the key-wrap problem. In EUROCRYPT, pages 373–390, 2006.Google Scholar
  58. 58.
    Md. Iftekhar Salam, Harry Bartlett, Ed Dawson, Josef Pieprzyk, Leonie Simpson, and Kenneth Koon-Ho Wong. Investigating cube attacks on the authenticated encryption stream cipher ACORN. In ATIS 2016, pages 15–26, 2016.Google Scholar
  59. 59.
    Md. Iftekhar Salam, Kenneth Koon-Ho Wong, Harry Bartlett, Leonie Ruth Simpson, Ed Dawson, and Josef Pieprzyk. Finding state collisions in the authenticated encryption stream cipher ACORN. In Proceedings of the Australasian Computer Science Week Multiconference, page 36, 2016.Google Scholar
  60. 60.
    Yu Sasaki, Yosuke Todo, Kazumaro Aoki, Yusuke Naito, Takeshi Sugawara, Yumiko Murakami, Mitsuru Matsui, and Shoichi Hirose. Minalpher v1.1. Submission to CAESAR, 2015.
  61. 61.
    Willem Schroé, Bart Mennink, Elena Andreeva, and Bart Preneel. Forgery and Subkey recovery on CAESAR candidate iFeed. In SAC, volume 9566 of LNCS, pages 197–204. Springer, 2015.Google Scholar
  62. 62.
    Kyoji Shibutani, Takanori Isobe, Harunaga Hiwatari, Atsushi Mitsuda, Toru Akishita, and Taizo Shirai. Piccolo: an ultra-lightweight blockcipher. In CHES 2011, pages 342–357, 2011.Google Scholar
  63. 63.
    Tomoyasu Suzaki, Kazuhiko Minematsu, Sumio Morioka, and Eita Kobayashi. TWINE: a lightweight block cipher for multiple platforms. In SAC 2012, pages 339–354, 2012.Google Scholar
  64. 64.
    Serge Vaudenay. Decorrelation: a theory for block cipher security. J. Cryptol., 16(4):249–286, 2003.MathSciNetCrossRefzbMATHGoogle Scholar
  65. 65.
    Hongjun Wu. ACORN: A Lightweight Authenticated Cipher (v3). Submission to CAESAR, 2016.
  66. 66.
    Hongjun Wu and Tao Huang. The JAMBU Lightweight Authentication Encryption Mode (v2.1). Submission to CAESAR, 2016.
  67. 67.
    Hongjun Wu and Bart Preneel. AEGIS: A Fast Authenticated Encryption Algorithm (v1.1). Submission to CAESAR, 2016.
  68. 68.
    Panasayya Yalla and Jens-Peter Kaps. Evaluation of the CAESAR hardware API for lightweight implementations. In International Conference on ReConFigurable Computing and FPGAs, ReConFig 2017, Cancun, Mexico, December 4–6, 2017, pages 1–6. IEEE, 2017.Google Scholar
  69. 69.
    Liting Zhang, Wenling Wu, Han Sui, and Peng Wang. iFeed[AES] v1. Submission to CAESAR, 2014.

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Avik Chakraborti
    • 1
    Email author
  • Tetsu Iwata
    • 2
  • Kazuhiko Minematsu
    • 3
  • Mridul Nandi
    • 4
  1. 1.NTT Secure Platform LaboratoriesTokyoJapan
  2. 2.Nagoya UniversityNagoyaJapan
  3. 3.NEC CorporationTokyoJapan
  4. 4.Applied Statistics UnitIndian Statistical InstituteKolkataIndia

Personalised recommendations