Keywords

1 Introduction

An authenticated encryption (AE) scheme delivers on two complementary data security goals: confidentiality (privacy) and integrity (authenticity). Historically, these goals were achieved by combining two separate cryptographic primitives, an encryption scheme to ensure privacy and a message authentication code (MAC) to guarantee authenticity [4, 5]. This generic composition paradigm is neither most efficient (for instance, it requires processing the input stream at least twice) nor most robust to implementation errors [8, 21, 27]. The notion of AE, as a desirable primitive in its own right, was originally formalized in [4, 6, 17] (as a probabilistic algorithm) and later developed to include notions of nonce-based AE [25], nonce-based AE with associated data (AEAD) [22, 24], deterministic AE (DAE) [26] (providing a solution to nonce-misuse resistance) and online DAE (online nonce-misuse resistant AE) [11].

Importance of useable AE to practice, and to some extent, difficulty of getting it right, is evident from the number of standards that were developed over the years, specifying different methods; for instance, the CCM method is specified in IEEE 802.11i, IPsec ESP and IKEv2 and NIST SP 800-38C; the GCM method is specified in NIST SP 800-38D; the EAX method is specified in ANSI C12.22; and ISO/IEC 19772:2009 defines six methods including five dedicated AE designs and one generic composition method, namely Encrypt-then-MAC. Surprisingly, the way that the latter generic method is specified in ISO/IEC 19772:2009 was very recently shown to be flawed, opening way for incorrect and insecure implementations [21].

AE schemes have been studied for over a decade, yet the topic remains a highly active and interesting area of research as evidenced by the recently initiated CAESAR competition by the cryptographic community. The competition aims to boost public discussions towards a better understanding of AE designs and to identify a portfolio of efficient and secure AE schemes by mid-December 2017 [7].

In this paper, we present a new nonce-based AEAD, called Offset Merkle-Damgård (OMD), offering several attractive features. Unlike the mainstream schemes which are either blockcipher-based or permutation-based schemes, OMD is designed as a mode of operation for a compression function. The motivation for this is manifold: (1) the cryptographic community has spent more than two decades on public research and standardization activities on hash functions resulting to development of a rich source of secure and efficient compression functions; (2) the standard SHA family of algorithms is heavily employed in many of the most common cryptographic applications and one can easily use off-the-shelf highly optimized implementations of these functions [12, 13]; (3) Intel has recently introduced new instructions that support performance acceleration of SHA-1 and SHA-256 on next-generation processors [14]; (4) we believe that having a diverse set of AE schemes based on different primitives can be interesting from a practical viewpoint, providing the opportunity to choose among the AE algorithms based on what primitives have already been available and implemented and to reuse them.

Some of the interesting features of OMD, and its instantiations OMD-SHA256 and OMD-SHA512, are as follows:

Provable Security in the Standard Model. OMD achieves its security goals (privacy and authenticity) provably, based on the standard assumption that its underlying keyed compression function is PRF, an assumption which is among the most well-known and widely-used assumptions [2]. From a theoretical point of view, this is an advantage compared to permutation-based AE schemes whose security proofs rely on the ideal permutation assumption.

High Quantitative Security Level. When implemented with an off-the-shelf compression function such as those of the standard SHA family [1], OMD can achieve much higher security level compare to AES-based schemes. For example, the proven security of OMD-SHA256 and OMD-SHA512 falls off in about \(\frac{\sigma ^2}{2^{256}}\) and \(\frac{\sigma ^2}{2^{512}}\), respectively, where \(\sigma \) is the total number of calls to the compression function. In comparison, for the same key size and tag size, the proven security of all the standardized blockcipher-based AE schemes using AES (e.g. all five dedicated schemes specified in ISO/IEC 19772:2009) falls off in about \(\frac{\sigma '^2}{2^{128}}\) where \(\sigma '\) is the total number of calls to AES. We note that it is possible to get blockcipher-based AE schemes with (high) beyond birthday-bound security, but the existing schemes with beyond birthday-bound security have a degraded efficiency [15, 16, 19, 20].

Online. OMD encryption is online; that is, it outputs a stream of ciphertext as a stream of plaintext arrives with a constant latency and using constant memory. After receiving an indication that the plaintext is over, the final part of ciphertext together with the tag is output. OMD decryption is internally online: one can generate a stream of plaintext bits as the stream of ciphertext bits comes in, but no part of the plaintext stream will be returned before the whole ciphertext stream is decrypted and the tag is verified to be correct.

Flexible Parameters. OMD-SHA256 can support any key length up to 256 bits, tag length up to 256 bits, and nonce length up to 255 bits. OMD-SHA512 can support any key length up to 512 bits, tag length up to 512 bits, and nonce length up to 511 bits. These upper bounds on the parameters’ length will satisfy the required security level of almost any imaginable application today and well beyond. The lower bounds on the parameters’ lengths should be selected based on the specific security level sought by an application; for instance, most applications would not use keys shorter than 128 bits, tags shorter than 32 bits and nonce shorter than 64 bits.

Organization of the paper. Notations and preliminary concepts are presented in Sect. 2. Security goals are defined in Sect. 3. Section 4 provides the specification of the OMD mode of operation. In Sect. 5, we provide the security analysis of OMD. Section 6 describes our recommended instantiations OMD-SHA256 and OMD-SHA512.

2 Preliminaries

Notations. If \(\mathcal {S}\) is a finite set, \(x\mathop {\leftarrow }\limits ^{\$}S\) means that \(x\) is chosen from \(S\) uniformly at random. \(X \leftarrow Y\) is used for denoting the assignment statement where the value of \(Y\) is assigned to \(X\). The set of all binary strings of length \(n\) bits (for some positive integer \(n\)) is denoted as \(\left\{ 0,1\right\} ^{n}\), the set of all binary strings whose lengths are variable but upper-bounded by \(L\) is denoted by \(\left\{ 0,1\right\} ^{\le L}\) and the set of all binary strings of arbitrary but finite length is denoted by \(\left\{ 0,1\right\} ^{*}\). For two strings \(X\) and \(Y\) we use \(X||Y\) and \(XY\) analogously to denote the string obtained by concatenating \(Y\) to \(X\). For an \(m\)-bit binary string \(X=X_{m-1} \cdots X_0\) we denote the left-most bit by \(\mathsf{msb }(X)=X_{m-1}\) and the right-most bit by \(\mathsf{lsb }(X)=X_0\); let \(X[i \cdots j]=X_i \cdots X_j\) denote a substring of X, for \(0 \le j \le i \le (m-1)\). Let \(1^{n}0^{m}\) denote concatenation of \(n\) ones by \(m\) zeros. For a non-negative integer \(i\) let \(\left\langle i\right\rangle _m\) denote binary representation of \(i\) by an \(m\)-bit string.

For a binary string \(X=X_{m-1} \cdots X_0\), let \(X \ll n\) denote the left-shift operation, where the \(n\) left-most bits are discarded and the \(n\) vacated right bits are set to 0. We let \(X \gg n\) denote the (unsigned) right-shift operation where the \(n\) right-most bits are discarded and the \(n\) vacated left bits are set to 0. We let \(X \gg _s n\) denote the signed right-shift operation where the \(n\) right-most bits are discarded and the \(n\) vacated left bits are filled with the left-most bit (which is considered as the sign bit); for example, \(1001100\gg _s 3=1111001\). If the left-most bit of \(X\) is 0 then we have \(X \gg _s n=X \gg n\). Let \(\mathtt{ntz }(i)\) denote the number of trailing zeros (i.e. the number of rightmost bits that are zero) in the binary representation of a positive integer \(i\).

The special symbol \(\bot \) means that the value of a variable is undefined; we also overload this symbol and use it to signify an error. Let \(|Z|\) denote the number of elements of \(Z\) if \(Z\) is a set, and the length of \(Z\) in bits if \(Z\) is a binary string. For \(X \in \left\{ 0, 1\right\} ^{*}\) let \(X\)[1]\(||X\)[2] \(\cdots ||X[m] \mathop {\leftarrow }\limits ^{b}X\) denote partitioning \(X\) into blocks \(X[i]\) such that \(|X[i]|=b\) for \(1 \le i \le m-1\) and \(|X[m]| \le b\); let \(m=|X|_b\) denote length of \(X\) in \(b\)-bit blocks.

For two binary strings \(X=X_{m-1} \cdots X_0\) and \(Y=Y_{n-1} \cdots Y_0\), the notation \(X \oplus Y\) denotes bitwise xor of \(X_{m-1} \cdots X_{m-1-\ell }\) and \(Y_{n-1} \cdots Y_{n-1-\ell }\) where \(\ell =min\left\{ m-1, n-1\right\} \). Clearly, if \(X\) and \(Y\) have the same length then \(X \oplus Y\) simply means their usual bitwise xor. The empty string is denoted by \(\varepsilon \) and we let \(|\varepsilon |=0\). For any string \(X\), define \(X \oplus \varepsilon =\varepsilon \oplus X=\varepsilon \).

The Finite Field with \(2^{n}\) Points. Let \((GF(2^n), \oplus , \cdot )\) denote the Galois Field with \(2^n\) points. When considering a point \(\alpha \) in \(GF(2^n)\) it can be represented in any of the following equivalent ways: (1) as an integer between 0 and \(2^{n}\), (2) as a binary string \(\alpha _{n-1} \cdots \alpha _{0} \in \left\{ 0, 1\right\} ^{n}\), or (3) as a formal polynomial \(\alpha (X)=\alpha _{n-1}X^{n-1}+ \cdots +\alpha _{1}X+\alpha _{0}\) with binary coefficients. The addition “\(\oplus \)” and multiplication “\(\cdot \)” of two field elements in \(GF(2^n)\) are defined as usual (e.g., see [25]). For \(GF(2^{256})\) we use \(P_{256}(X)=X^{256}+X^{10}+X^5+X^2+1\), and for \(GF(2^{512})\) we use \(P_{512}(X)=X^{512}+X^8+X^5+X^2+1\) as the irreducible polynomials used in the field multiplications. It is easy to multiply an arbitrary field element \(\alpha \) by the element 2 (i.e. \(X\)). For example, in \(GF(2^{256})\) using \(P_{256}(X)\) the doubling operation can be described as follows:

$$\begin{aligned} 2 \cdot \alpha&={\left\{ \begin{array}{ll} \alpha \ll 1 &{} \;\; \mathrm{if }~\mathsf{msb }~(\alpha )=0\\ (\alpha \ll 1)\oplus 0^{245}10000100101 &{} \;\; \mathrm{if }~\mathsf{msb }~(\alpha )=1 \end{array} \right. }\end{aligned}$$
(1)
$$\begin{aligned}&= (\alpha \ll 1) \oplus ((\alpha \gg _s 255) \wedge 0^{245}10000100101) \end{aligned}$$
(2)

We note that the results computed in (1) and (2) are the same but an implementation using (2) will not be susceptible to the timing attacks unlike one which uses (1).

3 Definitions and Security Goals

As usual in the concrete-security definitions, we measure the insecurity of a scheme \(\varPi \) using the resource parametrized function \(\mathbf{{Adv}}^{\mathsf{xxx}}_{\varPi }(\mathbf {r})\), denoting the maximal value of the adversarial advantage, \(\mathbf{{Adv}}^{\mathsf{xxx}}_{\varPi }(\mathbf r )= max_{\varvec{A}}\left\{ \mathbf{{Adv}}^{\mathsf{xxx}}_{\varPi }(\varvec{A})\right\} \), over all adversaries \(\varvec{A}\), against the xxx property of a primitive or scheme \(\varPi \), that use resources bounded by \(\mathbf r \). Let \(\varvec{A}\) be an adversary that returns a binary value; by \(\varvec{A}^{f(.)}(X) \Rightarrow 1\) we refer to the event that \(\varvec{A}\) on input \(X\) and access to an oracle function \(f(.)\) returns 1.

Pseudorandom Functions (PRFs) and Tweakable PRFs. Let \(\mathrm{Func }(m, n)\) be the set of all functions from \(m\)-bit strings to \(n\)-bit strings; i.e., \(\mathrm{Func }(m, n)=\left\{ f: \left\{ 0, 1\right\} ^{m} \rightarrow \right. \) \(\left. \left\{ 0, 1\right\} ^{n}\right\} \). A random function (RF) \(R\) with \(m\)-bit input and \(n\)-bit output is a function selected uniformly at random from \(\mathrm{Func }(m, n)\). We denote this by \(R \mathop {\leftarrow }\limits ^{\$} \mathrm{Func }(m, n)\).

Let \(\mathrm{Func }^{\mathcal {T}}(m, n)\) be the set of all functions \(\left\{ \widetilde{f}: \mathcal {T} \times \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\right\} \), where \(\mathcal {T}\) is a set of tweaks. A tweakable RF with the tweak space \(\mathcal {T}\), \(m\)-bit input and \(n\)-bit output is a map \(\widetilde{R}: \mathcal {T} \times \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\) selected uniformly at random from \(\mathrm{Func }^{\mathcal {T}}(m, n)\); i.e. \(\widetilde{R} \mathop {\leftarrow }\limits ^{\$} \mathrm{Func }^{\mathcal {T}}(m, n)\). Clearly, if \(\mathcal {T}=\left\{ 0, 1\right\} ^{t}\) then \(|\mathrm{Func }^{\mathcal {T}}(m, n)|=|\mathrm{Func }(m+t, n)|\), and hence, \(\widetilde{R}\) can be instantiated using a random function \(R\) with \((m+t)\)-bit input and \(n\)-bit output. We use \(\widetilde{R}^{\left\langle T \right\rangle }(.)\) and \(\widetilde{R}(T, .)\) interchangeably, for every \(T \in \mathcal {T}\). Notice that each tweak \(T\) names a random function \(\widetilde{R}^{\left\langle T \right\rangle }: \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\) and distinct tweaks name distinct (independent) random functions.

Let \(F:\mathcal {K} \times \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\) be a keyed function and let \(\widetilde{F}:\mathcal {K} \times \mathcal {T} \times \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\) be a keyed and tweakable function, where the key space \(\mathcal {K}\) is some nonempty set. Let \(F_{K}(.)=F(K, .)\) and \(\widetilde{F}^{\left\langle T \right\rangle }_{K}(.)=\widetilde{F}(K, T, .)\). Let \(\varvec{A}\) be an adversary. Then:

$$\begin{aligned} \mathrm{\mathbf {Adv} }^{\mathrm {prf}}_{F}(\varvec{A})&= \mathrm{Pr }\left[ K \mathop {\leftarrow }\limits ^{\$} \mathcal {K}: \varvec{A}^{F_{K}(.)} \Rightarrow 1 \right] - \mathrm{Pr }\left[ R \mathop {\leftarrow }\limits ^{\$} \mathrm{Func }(m, n): \varvec{A}^{R(.)} \Rightarrow 1 \right] \\ \mathrm{\mathbf {Adv} }^{\widetilde{\mathrm {prf}}}_{\widetilde{F}}(\varvec{A})&= \mathrm{Pr }\left[ K \mathop {\leftarrow }\limits ^{\$} \mathcal {K}: \varvec{A}^{\widetilde{F}^{\left\langle .\right\rangle }_{K}(.)} \Rightarrow 1 \right] - \mathrm{Pr }\left[ \widetilde{R} \mathop {\leftarrow }\limits ^{\$} \mathrm{Func }^{\mathcal {T}}(m, n): \varvec{A}^{\widetilde{R}^{\left\langle . \right\rangle }(.)} \Rightarrow 1 \right] \\ \end{aligned}$$

The resource parametrized advantage functions are defined accordingly, considering that the adversarial resources of interest here are the time complexity (\(t\)) of the adversary and the total number of queries (\(q\)) asked by the adversary (note that we just consider fixed-input-length functions, so the lengths of queries are fixed and known). We say that \(F\) is \((t, q; \epsilon )\)-PRF if \(\mathrm{\mathbf {Adv} }^{\mathrm {prf}}_{F}(t, q) \le \epsilon \). We say that \(\widetilde{F}\) is \((t, q; \epsilon )\)-tweakable PRF if \(\mathrm{\mathbf {Adv} }^{\widetilde{\mathrm {prf}}}_{\widetilde{F}}(t, q) \le \epsilon \).

Syntax of an AEAD Scheme. A nonce-based authenticated encryption with associated data, AEAD for short, is a symmetric key scheme \(\varPi =(\mathcal {K}, \mathcal {E}, \mathcal {D})\). The key space \(\mathcal {K}\) is some non-empty finite set. The encryption algorithm \(\mathcal {E}: \mathcal {K} \times \mathcal {N} \times \mathcal {A} \times \mathcal {M} \rightarrow \mathcal {C} \cup \left\{ \bot \right\} \) takes four arguments, a secret key \(K \in \mathcal {K}\), a nonce \(N \in \mathcal {N}\), an associated data (a.k.a. header data) \(A \in \mathcal {A}\) and a message \(M \in \mathcal {M}\), and returns either a ciphertext \(\mathbb {C} \in \mathcal {C}\) or a special symbol \(\bot \) indicating an error. The decryption algorithm \(\mathcal {D}: \mathcal {K} \times \mathcal {N} \times \mathcal {A} \times \mathcal {C} \rightarrow \mathcal {M} \cup \left\{ \bot \right\} \) takes four arguments \((K, N, A, \mathbb {C})\) and either outputs a message \(M \in \mathcal {M}\) or an error indicator \(\bot \).

For correctness of the scheme, it is required that \(\mathcal {D}(K, N, A, \mathbb {C})=M\) for any \(\mathbb {C}\) such that \(\mathbb {C}=\mathcal {E} (K, N, A, M)\). It is also assumed that if algorithms \(\mathcal {E}\) and \(\mathcal {D}\) receive parameter not belonging to their specified domain of arguments they will output \(\bot \). We write \(\mathcal {E}_{K}(N, A, M)=\mathcal {E}(K, N, A, M)\) and similarly \(\mathcal {D}_{K}(N, A, \mathbb {C})=\mathcal {D}(K, N, A, \mathbb {C})\).

We assume that the message and associated data can be any binary string of arbitrary but finite length; i.e. \(\mathcal {M}=\left\{ 0, 1\right\} ^{*}\) and \(\mathcal {A}=\left\{ 0, 1\right\} ^{*}\), but the key and nonce are some fixed-length binary strings, i.e. \(\mathcal {N}=\left\{ 0, 1\right\} ^{|N|}\) and \(\mathcal {K}=\left\{ 0, 1\right\} ^{k}\), where the positive integers \(|N|\) and \(k\) are respectively the nonce length and the key length of the scheme in bits. We assume that \(|\mathcal {E}_{K}(N, A, M)|=|M|+\tau \) for some positive fixed constant \(\tau \); that is, we will have \(\mathbb {C}=C||\mathsf{Tag }\) where \(|C|=|M|\) and \(|\mathsf{Tag }|=\tau \). We call \(C\) the core ciphertext and \(\mathsf{Tag }\) the tag.

Nonce Respecting Adversaries. Let \(\varvec{A}\) be an adversary. We say that \(\varvec{A}\) is nonce-respecting if it never repeats a nonce in its encryption queries. That is, if \(\varvec{A}\) queries the encryption oracle \(\mathcal {E}_K (\cdot , \cdot , \cdot )\) on \((N^1, A^1, M^1) \cdots (N^q, A^q, M^q)\) then \(N^1, \cdots , N^q\) must be distinct.

Privacy of AEAD Schemes. Let \(\varPi =(\mathcal {K}, \mathcal {E}, \mathcal {D})\) be a nonce-based AEAD scheme. Let \(\varvec{A}\) be a nonce-respecting adversary. \(\varvec{A}\) is provided with an oracle which can be either a real encryption oracle \(\mathcal {E}_K(\cdot , \cdot , \cdot )\) such that on input \((N, A, M)\) returns \(\mathbb {C}=\mathcal {E}_K(N, A, M)\), or a fake encryption oracle \(\$(\cdot ,\cdot , \cdot )\) which on any input \((N, A, M)\) returns \(|\mathbb {C}|\) fresh random bits. The advantage of \(\varvec{A}\) in mounting a chosen plaintext attack (CPA) against the privacy property of \(\varPi \) is measured as follows:

$$ \mathrm{\mathbf {Adv} }_{\varPi }^{\mathrm {priv}}(\varvec{A}) = \text {Pr}[K \xleftarrow {\$} \mathcal {K}: \varvec{A}^{\mathcal {E}_K(\cdot ,\cdot , \cdot )} \Rightarrow 1] - \text {Pr}[\varvec{A}^{\$(\cdot ,\cdot , \cdot )} \Rightarrow 1]. $$

This privacy notion, also called indistinguishability of ciphertext from random bits under CPA (IND$-CPA), is defined originally in [25] and is a stronger variant of the classical IND-CPA notion [3, 4] for conventional symmetric-key encryption schemes.

Authenticity of AEAD Schemes. Let \(\varPi =(\mathcal {K}, \mathcal {E}, \mathcal {D})\) be a nonce-based AEAD scheme. Let \(\varvec{A}\) be a nonce-respecting adversary. We stress that nonce-respecting is only regarded for the encryption queries; that is, \(\varvec{A}\) can repeat nonces during its decryption queries and it can also ask an encryption query with a nonce that was already used in a decryption query. Let \(\mathcal {A}\) be provided with the encryption oracle \(\mathcal {E}_K(\cdot , \cdot , \cdot )\) and the decryption oracle \(\mathcal {D}_K(\cdot , \cdot , \cdot )\); that is, we consider adversaries that can mount chosen ciphertext attacks (CCA). We say that \(\varvec{A}\) forges if it makes a decryption query \((N, A, \mathbb {C})\) such that \(\mathcal {D}_K(N, A, \mathbb {C}) \ne \bot \) and no previous encryption query \(\mathcal {E}_K(N, A, M)\) returned \(\mathbb {C}\).

$$ \mathrm{\mathbf {Adv} }_{\varPi }^{\mathrm {auth}}(\varvec{A}) = \text {Pr}[K \xleftarrow {\$} \mathcal {K}: \varvec{A}^{\mathcal {E}_K(\cdot ,\cdot , \cdot ), \; \mathcal {D}_K(\cdot ,\cdot , \cdot )} \text { forges}]. $$

This authenticity notion, also called integrity of ciphertext (INT-CTXT) under CCA attacks, is defined originally in [4].

Resource parameters for the adversary. Let an adversary \(\varvec{A}\) make encryption queries \((N^1, A^1, M^1) \cdots (N^{q_e}, A^{q_e}, M^{q_e})\) and decryption queries \(({N'}^1, {A'}^1, {\mathbb {C}'}^1) \cdots ({N'}^{q_v}, {A'}^{q_v}, {\mathbb {C}'}^{q_v})\). We define the resource parameters of \(\varvec{A}\) as \((t, q_e, q_v, \sigma _A, \sigma _M, \sigma _{A'}, \sigma _{\mathbb {C}'}, L_{max})\), where \(t\) is the time complexity, \(q_e\) and \(q_v\) are respectively the total number of encryption queries and decryption queries, \(L_{max}\) is the maximum length of each query in bits, \(\sigma _A=\sum _{i=1}^{q_e}|A^i|\), \(\sigma _{M}=\sum _{i=1}^{q_e}|M^i|\), \(\sigma _{A'}=\sum _{i=1}^{q_v}|{A'}^i|\) and \(\sigma _{\mathbb {C}'}=\sum _{i=1}^{q_v}(|{\mathbb {C}'}^i|-\tau )\).

We remind that absence of a resource parameter means that the parameter is irrelevant in the context and hence omitted.

The use of the aforementioned privacy (IND$-CPA) and authenticity (INT-CTXT) goals to define security of AE schemes dates back to [4] where it was shown that if an AE scheme satisfies the combination of IND-CPA and INT-CTXT properties then it will also fulfill indistinguishability under the strongest form of chosen-ciphertext attack (IND-CCA) which, in turn, is equivalent to non-malleability under chosen-ciphertext attack (NM-CCA).

4 The OMD Mode of Operation

To use OMD one must specify a keyed compression function \(F: \mathcal {K} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) and fix a tag length \(\tau \le n\); where the key space \(\mathcal {K}=\left\{ 0, 1\right\} ^{k}\) and \(m \le n\). We let OMD[\(F, \tau \)] denote the OMD mode of operation using the keyed compression function \(F_K\) and the fixed tag length \(\tau \).

At first glance, imposing \(m \le n\) may look a bit odd as usually a compression function has a larger input block length than its output length, but we note that in practice, the compression function of standard hash functions (e.g. SHA-1 or the SHA-2 family) are keyless, therefore one will need to use \(k\) bits of their \(b\)-bit message block to get a keyed function. So, there will be no waste in each call to the compression function if \(m=n\) and \(b=n+k\); for example, when the key length is 256 bits and the compression function of SHA-256 is used.

Figure 1 depicts the encryption algorithm of OMD[\(F, \tau \)]. The construction of the decryption algorithm is straightforward and almost the same as the encryption algorithm except a tag comparison (verification) at the end of the decryption process. An algorithmic description of OMD[\(F, \tau \)] is provided in Fig. 2.

Fig. 1.
figure 1

The encryption process of OMD[\(F, \tau \)] using a keyed compression function \(F_K: (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) and a fixed tag length \(\tau \).

Full size image

The encryption algorithm of OMD[\(F, \tau \)] inputs four arguments (secret key \(K \in \left\{ 0, 1\right\} ^{k}\), nonce \(N\in \left\{ 0, 1\right\} ^{|N|}\), associated data \(A \in \left\{ 0, 1\right\} ^*\), message \(M \in \left\{ 0, 1\right\} ^*\)) and outputs \(\mathbb {C}=C||\mathsf{Tag }\in \left\{ 0, 1\right\} ^{|M|+\tau }\). The decryption algorithm of OMD[\(F, \tau \)] inputs four arguments (secret key \(K \in \left\{ 0, 1\right\} ^{k}\), nonce \(N\in \left\{ 0, 1\right\} ^{|N|}\), associated data \(A \in \left\{ 0, 1\right\} ^*\), ciphertext \(C||\mathsf{Tag }\in \left\{ 0, 1\right\} ^*\)) and either outputs the whole \(M \in \left\{ 0, 1\right\} ^{|C|-\tau }\) at once or an error message (\(\bot \)). Note that we have either \(C=C_1 \cdots C_\ell \) or \(C=C_1 \cdots C_{\ell -1}C_*\) depending on whether the message length in bits is a multiple of the block length \(m\) or not, respectively.

Computing the masking values. As seen from the description of OMD in Fig. 1, before each call to the underlying keyed compression function we xor a masking value denoted as \(\varDelta _{N, i, j}\) (the top and middle parts of Fig. 1) and \(\bar{\varDelta }_{i, j}\) (the bottom part of Fig. 1). In the following, we describe how these masks are generated.

There are different ways to compute the masking values to satisfy both the security and efficiency criteria; for example, we refer to [9, 18, 23]. We use the method proposed in [18]. In the following, all multiplications (denoted by “\(\cdot \)”) are in \(GF(2^{n})\).

Initialization:

\(\varDelta _{N, 0, 0}=F_{K}(N||10^{n-1-|N|}, 0^m)\); \(\bar{\varDelta }_{0, 0}=0^n\); \(L_*=F_{K}(0^n, 0^m)\); \(L(0)=4 \cdot L_*\), and \(L(i)=2 \cdot L(i-1)\) for \(i \ge 1\). We note that the values \(L(i)\) can be preprocessed and stored (for a fast implementation) in a table for \(0 \le i \le \left\lceil \log _2 (\ell _{max}) \right\rceil \), where \(\ell _{max}\) is the bound on the maximum number of blocks in any input that can be encrypted or decrypted. Alternatively, (if there is a memory restriction) they can be computed on-the-fly for \(i \ge 1\). It is also possible to precompute and store some values and then compute the others as needed on-the-fly.

Masking sequence for processing the message:

For \(i \ge 1\): \(\varDelta _{N, i, 0}=\varDelta _{N, i-1, 0}\oplus L(\mathtt{ntz }(i))\); \(\varDelta _{N, i, 1}=\varDelta _{N, i, 0}\oplus 2 \cdot L_*\); and \(\varDelta _{N, i, 2}=\varDelta _{N, i, 0}\oplus 3 \cdot L_*\).

Masking sequence for processing the associated data:

\(\bar{\varDelta }_{i, 0}=\bar{\varDelta }_{i-1, 0}\oplus L(\mathtt{ntz }(i))\) for \(i \ge 1\); and \(\bar{\varDelta }_{i, 1}=\bar{\varDelta }_{i, 0}\oplus L_*\) for \(i \ge 0\).

Fig. 2.
figure 2

Definition of OMD[\(F, \tau \)]. The function \(F: \mathcal {K} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) is a keyed compression function with \(\mathcal {K}=\left\{ 0, 1\right\} ^{k}\) and \(m \le n\). The tag length is \(\tau \in \left\{ 0, 1, \cdots , n\right\} \). Algorithms \(\mathcal {E}\) and \(\mathcal {D}\) can be called with arguments \(K \in \mathcal {K}\), \(N \in \left\{ 0, 1\right\} ^{\le n-1}\), and \(A, M, \mathbb {C} \in \left\{ 0, 1\right\} ^{*}\). \(\ell _{max}\) is the bound on the maximum number of blocks in any input to the encryption or decryption algorithms.

Full size image

5 Security Analysis

Theorem 1 provides the security bounds of OMD.

Theorem 1

Fix \(n\ge 1\) and \(\tau \in \left\{ 0, 1, \cdots , n\right\} \). Let \(F: \mathcal {K} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) be a PRF, where the key space \(\mathcal {K}=\left\{ 0, 1\right\} ^{k}\) for \(k \ge 1\) and \(1 \le m \le n\). Then

$$\begin{aligned} \mathrm{\mathbf {Adv} }_{\mathrm {OMD}[F, \tau ]}^{\mathrm {priv}}(t, q_e, \sigma _e, \ell _{max})&\le \mathrm{\mathbf {Adv} }_{F}^{\mathrm {prf}}(t', 2\sigma _e)+\frac{3 \sigma _{e}^2}{2^n} \\ \mathrm{\mathbf {Adv} }_{\mathrm {OMD}[F, \tau ]}^{\mathrm {auth}}(t, q_e, q_v, \sigma , \ell _{max})&\le \mathrm{\mathbf {Adv} }_{F}^{\mathrm {prf}}(t', 2\sigma )+\frac{3 \sigma ^2}{2^n}+\frac{q_v \ell _{max}}{2^n}+\frac{q_v}{2^{\tau }}\\ \end{aligned}$$

where \(q_e\) and \(q_v\) are, respectively, the number of encryption and decryption queries, \(\ell _{max}\) denotes the maximum number of \(m\)-bit blocks in an encryption or decryption query, \(t'=t+cn\sigma \) for some constant \(c\), and \(\sigma _e\) and \(\sigma \) are the total number of calls to the underlying compression function \(F\) in all queries asked by the CPA and CCA adversaries against the privacy and authenticity of the scheme, respectively.

The proof is obtained by combing Lemma 1 in Subsect. 5.1 with Lemmas 2 and 3 in Subsect. 5.2.

Remark 1

Referring to Subsect. 3 for definitions of the resource parameters, it can be seen that: \(\sigma _e=\left\lceil \sigma _M/m\right\rceil +\left\lceil \sigma _A/(n+m)\right\rceil +2q_e\); \(\sigma =\left\lceil (\sigma _M+\sigma _{\mathbb {C}'})/m\right\rceil +\left\lceil (\sigma _A+\sigma _{A'})/(n+m)\right\rceil +2q\) ; and \(\ell _{max}=\left\lceil L_{max}/m\right\rceil \).

5.1 Generalized OMD Using a Tweakable Random Function

Figure 3 shows the \(\mathrm{G-OMD }[\widetilde{R}, \tau ]\) scheme which is a generalization of \(\mathrm{OMD }[F, \tau ]\) using a tweakable random function \(\widetilde{R}: \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\). The tweak space \(\mathcal {T}\) consists of five mutually exclusive sets of tweaks; namely, \(\mathcal {T}=\mathcal {N} \times \mathbb {N}\times \left\{ 0\right\} \; \cup \; \mathcal {N} \times \mathbb {N}\times \left\{ 1\right\} \; \cup \; \mathcal {N} \times \mathbb {N}\times \left\{ 2\right\} \; \cup \; \mathbb {N}\times \left\{ 0\right\} \; \cup \; \mathbb {N} \times \left\{ 1\right\} \), where \(\mathcal {N}=\left\{ 0, 1\right\} ^{|N|}\) is the set of nonces and \(\mathbb {N}\) is the set of positive integers.

Fig. 3.
figure 3

The \(\mathrm{G-OMD }[\widetilde{R}, \tau ]\) scheme using a tweakable random function \(\widetilde{R}: \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) (i.e. \(\widetilde{R} \mathop {\leftarrow }\limits ^{\$} \mathrm{Func }^{\mathcal {T}}(n+m, n)\)).

Full size image

Lemma 1

Let \(\mathrm{G-OMD }[\widetilde{R}, \tau ]\) be the scheme shown in Fig. 3. Then

$$\begin{aligned} \mathrm{\mathbf {Adv} }_{\mathrm{G-OMD }[\widetilde{R}, \tau ]}^{\mathrm {priv}}(q_e, \sigma _e, \ell _{max})&= 0 \\ \mathrm{\mathbf {Adv} }_{\mathrm{G-OMD }[\widetilde{R}, \tau ]}^{\mathrm {auth}}(q_e, q_v, \sigma , \ell _{max})&\le \frac{q_v \ell _{max}}{2^n}+\frac{q_v}{2^{\tau }}\\ \end{aligned}$$

where \(q_e\) and \(q_v\) are, respectively, the number of encryption and decryption queries, \(\ell _{max}\) denotes the maximum number of \(m\)-bit blocks in an encryption or decryption query, and \(\sigma _e\) and \(\sigma \) are the total number of calls to the underlying tweakable random function \(\widetilde{R}\) in all queries asked by the CPA and CCA adversaries against the privacy and authenticity of the scheme, respectively.

The proof is provided in the full version of this paper [10].

5.2 Instantiating Tweakable RFs with PRFs

Step 1.Replace the tweakable RF \(\widetilde{R}: \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) in \(\mathrm{G-OMD }\) with a tweakable PRF \(\widetilde{F}: \mathcal {K} \times \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\), where \(\mathcal {K}=\left\{ 0, 1\right\} ^{k}\). The following lemma states the classical bound on the security loss induced by this replacement step. The proof is a straightforward reduction and omitted here.

Lemma 2

Let \(\widetilde{R}: \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) be a tweakable RF and \(\widetilde{F}:\mathcal {K} \times \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) be a tweakable PRF. Then

$$\begin{aligned} \mathrm{\mathbf {Adv} }_{\mathrm{G-OMD }[\widetilde{F}, \tau ]}^{\mathrm {priv}}(t, q_e, \sigma _e, \ell _{max})&\le \mathrm{\mathbf {Adv} }_{\mathrm{G-OMD }[\widetilde{R}, \tau ]}^{\mathrm {priv}}(q_e, \sigma _e, \ell _{max}) +\mathrm{\mathbf {Adv} }^{\widetilde{\mathrm {prf}}}_{\widetilde{F}}(t', \sigma _e) \\ \mathrm{\mathbf {Adv} }_{\mathrm{G-OMD }[\widetilde{F}, \tau ]}^{\mathrm {auth}}(t, q_e, q_v, \sigma , \ell _{max})&\le \mathrm{\mathbf {Adv} }_{\mathrm{G-OMD }[\widetilde{R}, \tau ]}^{\mathrm {auth}}(q_e, q_v, \sigma , \ell _{max})+\mathrm{\mathbf {Adv} }^{\widetilde{\mathrm {prf}}}_{\widetilde{F}}(t'', \sigma )\\ \end{aligned}$$

where \(q_e\) and \(q_v\) are, respectively, the number of encryption and decryption queries, \(q=q_e+q_v\), \(\ell _{max}\) denotes the maximum number of \(m\)-bit blocks in an encryption or decryption query, \(t'=t+cn\sigma _e\) and \(t''=t+c'n\sigma \) for some constants \(c, c'\), and \(\sigma _e\) and \(\sigma \) are the total number of calls to the underlying compression function \(F\) in all queries asked by the CPA and CCA adversaries against the privacy and authenticity of the scheme, respectively.

Step 2. We instantiate a tweakable PRF using a PRF by means of XORing (part of) the input by a mask generated as a function of the key and tweak as shown in Fig. 4. This method to tweak a PRF is (essentially) the XE method of [23]. In OMD the tweaks are of the form \(T=(\alpha , i, j)\) where \(\alpha \in \mathcal {N} \cup \left\{ \varepsilon \right\} \), \(1 \le i \le 2^{n-8}\) and \(j \in \left\{ 0, 1, 2\right\} \). We note that not all combinations are used; for example, if \(\alpha =\varepsilon \) (empty) which corresponds to processing of the associate data in Fig. 1 then \(j\ne 2\). The masking function \(\varDelta _K(T)= \varDelta _K(\alpha , i, j)\) outputs an \(n\)-bit mask such that the following two properties hold for any fixed string \(H \in \left\{ 0, 1\right\} ^{n}\):

  1. 1.

    \(\mathrm{Pr }[\varDelta _K(\alpha , i, j)=H] \le 2^{-n}\) for any \((\alpha , i, j)\)

  2. 2.

    \(\mathrm{Pr } [\varDelta _K(\alpha , i, j) \oplus \varDelta _K(\alpha ', i', j')=H] \le 2^{-n}\) for \((\alpha , i, j)\ne (\alpha ', i', j')\)

where the probabilities are taken over random selection of the key.

It is easy to verify that these two properties are satisfied by the specific masking scheme of OMD as described in Sect. 4.

Fig. 4.
figure 4

Building a tweakable PRF \(\widetilde{F}^{\left\langle T\right\rangle }_{K}: \left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\) using a PRF \(F_K:\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m} \rightarrow \left\{ 0, 1\right\} ^{n}\). There are several efficient ways to define the masking function \(\varDelta _K(T)\) [9, 18, 23]; we use the method of [18].

Full size image

Lemma 3

Let \(F: \mathcal {K} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) be a function family with key space \(\mathcal {K}\). Let \(\widetilde{F}: \mathcal {K} \times \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) be defined by \(\widetilde{F}^{\left\langle T\right\rangle }_K (X, Y)=F_K((X \oplus \varDelta _K(T)), Y)\) for every \(T\in \mathcal {T}, K\in \mathcal {K}\), \(X\in \left\{ 0, 1\right\} ^n, Y\in \left\{ 0, 1\right\} ^m\) and \(\varDelta _K(T)\) is the masking function of OMD as defined in Sect. 4. If \(F\) is PRF then \(\widetilde{F}\) is tweakable PRF; more precisely

$$ \mathrm{\mathbf {Adv} }^{\widetilde{\mathrm {prf}}}_{\widetilde{F}}(t, q) \le \mathrm{\mathbf {Adv} }^{\mathrm {prf}}_{F}(t^\prime , 2q)+\frac{3 q^{2}}{2^{n}} \, . $$

The proof is a simple adaptation of a similar result on the security of the XE construction (to tweak a blockcipher) in [18]. As we use a PRF rather than PRP, our bound has two main terms. The first term is a single birthday bound loss of \(\frac{0.5 q^{2}}{2^{n}}\) to take care of the case that a collision might happen when computing the initial mask \(\varDelta _{N, 0, 0}=F_{K}(N||10^{n-1-|N|}, 0^m)\) using a PRF (\(F\)) rather than a PRP (as in [18]). The analysis of the remaining term (i.e. \(\frac{2.5q^2}{2^{n}}\)) is essentially the same as the similar part in [18], but we note that in the context of our construction as we are directly dealing with PRFs unlike [18] in which PRPs are used, the bound obtained here does not have any loss terms caused by the switching (PRF–PRP) lemma. Therefore, instead of the \(\frac{6q^2}{2^n}\) bound in [18] (from which \(\frac{3.5q^2}{2^n}\) is due to using the switching lemma) our bound has only \(\frac{2.5q^2}{2^n}\).

6 Instantiations

6.1 OMD-SHA256

Our primary recommendation to instantiate OMD, called OMD-SHA256, uses the underlying compression function of SHA-256 [1]. This is intended to be the appropriate choice for next-generation processors supporting Intel SHA Extensions.

The compression function of SHA-256 is a map \(\mathrm{SHA\hbox {-}256 }: \left\{ 0, 1\right\} ^{256} \times \left\{ 0, 1\right\} ^{512} \rightarrow \left\{ 0, 1\right\} ^{256}\). On input a 256-bit chaining block \(X\) and a 512-bit message block \(Y\), it outputs a 256-bit digest \(Z\), i.e. let \(Z=\mathrm{SHA\hbox {-}256 }(X, Y)\).

To use OMD with SHA-256, we use the first 256-bit argument \(X\) for chaining values as usual. We use the 512-bit argument \(Y\) (the message block in SHA-256) to input both a 256-bit message block and the key \(K\) which can be of any length \(k \le 256\) bits. If \(k < 256\) then let the key be \(K||0^{256-k}\). That is, we define the keyed compression function \(F_K: \left\{ 0, 1\right\} ^{256} \times \left\{ 0, 1\right\} ^{256} \rightarrow \left\{ 0, 1\right\} ^{256}\) needed in OMD as \(F_{K}(H, M)=\mathrm{SHA\hbox {-}256 }(H, K||0^{256-k}||M)\).

The parameters of OMD-SHA256 are as follows:

  • The message block length in bits is \(m=256\); i.e. \(|M_{i}|=256\). If needed, we pad the final block of the message with \(10^*\) (i.e., a single 1 followed by the minimal number of 0’s needed) to make its length exactly 256 bits.

  • The key length in bits can be \(80 \le k \le 256\); but \(k <128\) is not recommended. If needed, we pad the key \(K\) with \(0^{256-k}\) to make its length exactly 256 bits.

  • The nonce (public message number) length in bits can be \(96 \le |N| \le 255\). We always pad the nonce with \(10^{255-|N|}\) to make its length exactly 256 bits.

  • The secret message number length in bits is 0; that is, our scheme does not support secret message numbers.

  • The associated data block length in bits is \(2n=512\); i.e. \(|A_i|=512\). If needed, we pad the final block of the associated data with \(10^*\) (i.e., a single 1 followed by the minimal number of 0’s needed) to make its length exactly 512 bits.

  • The tag length in bits can be \(32 \le \tau \le 256\); but it must be noted that the selection of the tag length directly affects the security level.

6.2 OMD-SHA512

Our second recommendation to instantiate OMD, called OMD-SHA512, uses the underlying compression function of SHA-512 [1]. This is intended to be the appropriate choice for implementations on 64-bit machines.

The compression function of SHA-512 is a map \(\mathrm{SHA\hbox {-}512 }: \left\{ 0, 1\right\} ^{512} \times \left\{ 0, 1\right\} ^{1024}\;\) \( \rightarrow \left\{ 0, 1\right\} ^{512}\). On input a 512-bit chaining block \(X\) and a 1024-bit message block \(Y\), it outputs a 512-bit digest \(Z\), i.e. let \(Z=\mathrm{SHA\hbox {-}512 }(X, Y)\).

To use OMD with SHA-512, we use the first 512-bit argument \(X\) for chaining values as usual. In our notation (see Fig. 1) this means that \(n=512\). We use the 1024-bit argument \(Y\) (the message block in SHA-512) to input both a 512-bit message block and the key \(K\) which can be of any length \(k \le 512\) bits. If \(k < 512\) then let the key be \(K||0^{512-k}\). That is, we define the keyed compression function \(F_K: \left\{ 0, 1\right\} ^{512} \times \left\{ 0, 1\right\} ^{512} \rightarrow \left\{ 0, 1\right\} ^{512}\) needed in OMD as \(F_{K}(H, M)=\mathrm{SHA\hbox {-}512 }(H, K||0^{512-k}||M)\).

The parameters of OMD-SHA512 are set as follows:

  • The message block length in bits is \(m=512\); i.e. \(|M_{i}|=512\). If needed, we pad the final block of the message with \(10^*\) (i.e., a single 1 followed by the minimal number of 0’s needed) to make its length exactly 512 bits.

  • The key length in bits can be \(80 \le k \le 512\); but \(k <128\) is not recommended. If needed, we pad the key \(K\) with \(0^{512-k}\) to make its length exactly 512 bits.

  • The nonce (public message number) length in bits can be \(96 \le |N| \le 511\). We always pad the nonce with \(10^{511-|N|}\) to make its length exactly 512 bits.

  • The secret message number length in bits is 0; that is, our scheme does not support secret message numbers.

  • The associated data block length in bits is \(2n=1024\); i.e. \(|A_i|=1024\). If needed, we pad the final block of the associated data with \(10^*\) (i.e., a single 1 followed by the minimal number of 0’s needed) to make its length exactly 1024 bits.

  • The tag length in bits can be \(32 \le \tau \le 512\).

6.3 Instantiating G-OMD with a Native Tweakable PRF

Considering the proof steps of Theorem 1, it can be seen that the security bound for the core of OMD, called G-OMD (Fig. 3), is free from the quadratic degradation (birthday term) in the total number of blocks in queries; namely, \(\frac{3 \sigma ^2}{2^n}\). This term is introduced only in Lemma 3, when we instantiated a tweakable PRF \(\widetilde{F}: \mathcal {K} \times \mathcal {T} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) from a PRF \(F: \mathcal {K} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m}) \rightarrow \left\{ 0, 1\right\} ^{n}\) using the XE masking method; i.e., \(\widetilde{F}^{\left\langle T\right\rangle }_K (X, Y)=F_K(X \oplus \varDelta _K(T), Y)\). This instantiation aimed to provide a large range for the allowed key length and the nonce length in instantiations of OMD using practical compression functions, regarding that most practical compression functions (e.g. those of the SHA family) do not have a dedicated key input and must be keyed by allocating some part of their input for the key.

To avoid such a degradation in the security bound, caused by the XE method, one can directly instantiate the tweakable PRF \(\widetilde{F}\) from a PRF \(F^\prime : \mathcal {K} \times (\left\{ 0, 1\right\} ^{n} \times \left\{ 0, 1\right\} ^{m^\prime }) \rightarrow \left\{ 0, 1\right\} ^{n}\), where \(m^\prime =m+|T|\), by defining \(\widetilde{F}^{\left\langle T\right\rangle }_K (X, Y)=F^\prime _K(X, T||Y)\). In practice, using an off-the-shelf (keyless) compression function with fixed input and output sizes, this will imply supporting a more restricted range of parameters’ sizes (key length and nonce length) compared to OMD. Fortunately, the allowed parameter sizes for would be still large enough for most of applications today, if one simply use the compression functions of SHA-256 or SHA-512. Let’s call the G-OMD instantiated with these compression functions, G-OMD-SHA256 and G-OMD-SHA512, respectively.

For G-OMD-SHA256 and G-OMD-SHA512, we can define the tweakable function \(\widetilde{F}^{\left\langle T\right\rangle }_K (X, Y)\) by \(\widetilde{F}^{\left\langle T\right\rangle }_K (X, Y)=\mathrm{SHA\hbox {-}256 }(X, K||T||0^{256-k-|T|}||M)\) and \(\widetilde{F}^{\left\langle T\right\rangle }_K (X, Y)=\mathrm{SHA\hbox {-}512 }(X, K||T||0^{512-k-|T|}||M)\), respectively. Considering that \(T=(N, i, j)\), where \(N\) is the nonce, \(i\) is the block number, and \(j \in \left\{ 0, 1, 2\right\} \), G-OMD-SHA256 and G-OMD-SHA512 will allow \(k\)-bit keys, \(|N|\)-bit nonce, \(\ell \)-block messages and \(a\)-block associated data, subject to the constraints \(k+|N|+max(\log \ell , \log a)+2 \le 256\) and \(k+|N|+max(\log \ell , \log a)+2 \le 512\), respectively.