Abstract
Authenticated encryption \(\left( \text {AE}\right) \) is a procedure that provides both privacy and authenticity for data. It has many applications in secure data communication, such as digital signatures, IP security, data authentication, e-mail security, and the security of pervasive computing. In addition, AE is a promising primitive for securing IoT end devices, RFID, and other constrained devices. Although there are many constructions of AE, the central question is whether a given AE is secure under nonce reuse or only in the nonce-respecting setting. To our knowledge, McOE is the pioneering nonce-reuse AE construction. Following it, many schemes have been proposed, such as APE, PoE, TC, COPA, ELmE, ELmD, COBRA, and Minalpher. However, Hoang et al. \(\left( \text {OAE}1\right) \) argued that the nonce-reuse notion achieved by these online AE schemes is neither secure nor proper. Hence, the door has re-opened for nonce-respecting AE. Moreover, because constrained devices have limited power and memory, an AE construction should be efficient and should have a high security bound. We therefore propose a blockcipher-based AE that achieves a privacy bound beyond the birthday bound \(\left( \text {Priv}=O\left( 2^{2n/3}\right) \right) \) and operates in parallel mode. Its symmetric encryption module does not need the blockcipher decryption (inverse) oracle. The proposed construction is padding-free, and its efficiency rate is 1.
This work was partially supported by the Grant-in-Aid for Scientific Research (C) (15K00183 and 15K00189), the Japan Science and Technology Agency (CREST), and Infrastructure Development for Promoting International S&T Cooperation.
C. Su — JSPS Grant-in-Aid for Young Scientists (15K16005).
1 Introduction
Authenticated encryption \(\left( \text {AE}\right) \) is a procedure by which a sender transmits data to a receiver such that the receiver can tell whether the data has been altered [1–3]. In addition, AE lets the receiver verify the origin of the message, that is, that it really came from the claimed sender. AE has many applications in secure communication, such as digital signatures, IP security, data authentication, e-mail security, and IoT [18–21]. It is also a promising primitive in cryptographic solutions for resource-constrained devices and IoT end devices [36–38]. Consider, for example, the large number of senders and receivers in a data-communication domain [4–8]: it is infeasible and expensive to establish a private network between all parties [2, 3, 6–8], so the only option is a security solution over a public network that guarantees both the privacy and the authenticity of the data. Generally, AE has two components: symmetric encryption \(\left( SE\right) \) and a message authentication code \(\left( MAC\right) \) [1–3, 7]. The syntax of SE is \(SE\left( {K,M} \right) \rightarrow C\), where K, M, and C denote key, message, and ciphertext respectively [2, 3, 9, 10, 30]. The MAC comprises tag generation and verification, \(MAC\left( {K,C} \right) \rightarrow T\) and \(\mathsf {Verf}\left( {K,C,T} \right) \rightarrow M{\text { or }} \bot \), where T is the tag. Symmetric encryption provides the privacy of the data, and the MAC preserves its authenticity [2, 3, 30]. For example, a doctor \(\mathcal {D}_1\) needs to send the medical report of a patient \(\left( \mathcal {P}\right) \) to a doctor \(\mathcal {D}_2\) for consultation (Fig. 1). Here the confidentiality of the patient’s report and records must be protected, and \(\mathcal {D}_2\) must also be able to verify that \(\mathcal {D}_1\) is the genuine sender.
Combining the two components achieves both goals. In summary, AE guarantees that:
- the receiver can detect altered data;
- it is infeasible for an adversary to succeed in a forgery;
- it is infeasible for an adversary to recover the message.
AE is constructed either from scratch or from a blockcipher [2, 3, 16–19]. Blockcipher-based AE is usually preferable to a from-scratch design because it reuses an existing blockcipher directly instead of a dedicated encryption function [20–23]. The number of IoT end devices, RFID tags, and other resource-constrained devices is growing rapidly [11–15], but such devices have limited memory, power, and processing capability [7, 12, 20, 21]. Blockcipher-based AE is therefore attractive because of its light operation [21, 24, 36, 37]. There are also ISO standards for cryptographic primitives on IoT end devices and resource-constrained devices, namely ISO/IEC 29192-1, ISO/IEC 29192-2, ISO/IEC 29192-3, and ISO/IEC 29192-4 [31–33]. ISO/IEC 29192-2 specifies blockciphers as a core cryptographic primitive for low-resource devices, and these standards prescribe particular block sizes, security parameters, and resource budgets. Later, ISO/IEC 29192-5 emphasized lengths of 80, 128, 160, and 256 bits for IoT end devices and resource-constrained devices [32, 33], and both conventional blockciphers and lightweight ciphers satisfy these sizes [31–33]. Thus an efficient blockcipher-based authenticated encryption with a high security bound is required.
1.1 Motivation
There are many authenticated encryption \(\left( \text {AE}\right) \) schemes, such as McOE, OCB, OTR, COPA, PoE, OAE1/2, COBRA, CLOC, and SILC [18–24, 34–37]. Among these, OCB is one of the pioneering constructions and is also blockcipher based [22]. Its strengths are parallelism and efficiency rate \(\left( r=1\right) \); its privacy security is bounded by \(O\left( 2^{n/2}\right) \). However, OCB needs the blockcipher decryption (inverse) oracle, which increases the overhead of the authenticated encryption process and so reduces its actual efficiency [38]. Evaluating OCB, Minematsu proposed OTR [38], which removes this drawback \(\left( \text {decryption oracle}\right) \) while keeping an efficiency rate of \(\left( r=1\right) \) and a reasonable privacy bound \(\left( \text {Priv}=O\left( 2^{n/2}\right) \right) \). Both OCB and OTR are nonce-respecting constructions. On the other hand, McOE brought a breakthrough in nonce-reuse AE [21], and a series of schemes followed its properties, such as COPA, PoE, APE, and ELmE [20, 35]. However, Hoang et al. showed that this notion of nonce reuse is no longer secure for any online authenticated encryption scheme, and noted that the online property is a matter of efficiency [35]. This re-opened the window for offline, nonce-respecting AE. Furthermore, McOE needs the decryption oracle, and its privacy security is bounded by \(O\left( 2^{n/2}\right) \). Most recently, two further proposals, CLOC and SILC, appeared [36, 37]. They are well suited to short messages and are free of the decryption oracle, but they operate in serial mode.
According to Table 1 and the discussion above, the privacy security of most AE schemes is bounded by \(O\left( 2^{n/2}\right) \), and many of them need the decryption oracle. In addition, the symmetric encryption module of an AE needs a padding mechanism whenever the message length is not a multiple of the block length, and padding itself has certain disadvantages [2, 3]; a common related attack is the length extension attack [2, 3, 26, 27]. We therefore outline our motivations as follows:
- higher efficiency and a higher security bound
- parallel mode
- no decryption oracle in either the encryption or the decryption module
- flexible message lengths
- no padding
- a minimal number of blockcipher calls
- an efficient, low-cost primitive
1.2 Contribution
In this paper we present a construction of authenticated encryption based on a blockcipher-based compression function. The scheme is a nonce-respecting authenticated encryption with associated data. Its symmetric encryption module is a variant of OCB, and its MAC module follows a variant of PMAC-plus. The achievements of the proposed scheme are listed below:
- \(\blacktriangleright \) \(\text {efficiency-rate}=1\)
- \(\blacktriangleright \) parallel mode
- \(\blacktriangleright \) no decryption oracle in either the encryption or the decryption module
- \(\blacktriangleright \) flexible message lengths \(\left( \text {FME}\right) \)
- \(\blacktriangleright \) no padding
- \(\blacktriangleright \) \(\text {Priv}=O\left( 2^{2n/3}\right) \)
- \(\blacktriangleright \) fewer blockcipher calls
- \(\blacktriangleright \) blockcipher-based compression function
- \(\blacktriangleright \) nonce respecting, with associated data
1.3 Organization
Section 2 defines the preliminaries. Section 3 defines the proposed scheme and the corresponding security notions. Section 4 gives the security proof of the proposed construction, and Sect. 5 summarizes the paper.
2 Preliminaries Including Security Notions
2.1 Fundamental Notations
Let X and Y be finite-length strings from the sets \(\mathcal {X}\) and \(\mathcal {Y}\). \(\mathcal {C}\) and \(\mathcal {T}\) are the uniformly distributed sets of ciphertext strings \(\left( C\right) \) and tags \(\left( T: \text {tag}\right) \). N, AD, and \(\mathcal {M}\) denote the nonce, associated data, and message spaces. K and n denote the key and the block length. The operators used in the proposed authenticated encryption include \(\oplus \) \(\left( \text {XOR}\right) \) and a function operator \(CS\left( \cdot \right) \) used in the encryption and decryption modules. \(CS\left( \cdot \right) \) is complement followed by a bitwise left shift. Before encryption or decryption we generate \(\alpha \) and \(\beta \) (Fig. 2); these values are used in every iteration of the encryption or decryption module, and they must differ in every iteration for a tight security bound [18, 19, 22, 38], so they play the role of a counter, or of a unique nonce and associated data. Concretely, \(CS_i\left( \alpha \right) \) complements \(\alpha \) and shifts the result left by one bit when \(i=1\) (i is the iteration number); as i increases, the shift grows by one bit per iteration. The outputs \(CS_i\left( \alpha \right) \) and \(CS_i\left( \beta \right) \) in iteration i are denoted \(p_i\) and \(q_i\), where \(i \le l\) (Fig. 2). A further parameter, \(\tau \), is a by-product of the encryption/decryption module: a value \(\tau _i\) is produced in each iteration, and the XOR of all \(\tau _i\) is used for tag generation (Fig. 3).
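As an added illustration (this is not code from the paper), the following Python snippet implements \(CS_i\left( \cdot \right) \) exactly as described above, complement followed by a left shift by i bits truncated to the n-bit block width, derives \(p_i\) and \(q_i\) for \(i \le l\), and checks the per-iteration distinctness the text requires. The toy block width, the sample \(\alpha \) and \(\beta \) values and the function names are assumptions.

```python
# Added example, not from the paper: CS_i(x) = (complement of x) << i, kept to n bits,
# as the text describes it.  n, the sample alpha/beta and the helper names are assumptions.

def cs(value: int, i: int, n: int) -> int:
    """CS_i(value): bitwise complement of the n-bit value, then left shift by i bits,
    truncated back to n bits (bits shifted out are discarded, not rotated)."""
    if not 0 <= value < (1 << n):
        raise ValueError("value does not fit in n bits")
    if i < 1:
        raise ValueError("iteration index i starts at 1")
    mask = (1 << n) - 1
    return ((value ^ mask) << i) & mask


def per_iteration_masks(alpha: int, beta: int, l: int, n: int):
    """Return the lists p_i = CS_i(alpha) and q_i = CS_i(beta) for i = 1..l."""
    p = [cs(alpha, i, n) for i in range(1, l + 1)]
    q = [cs(beta, i, n) for i in range(1, l + 1)]
    return p, q


def all_distinct(values) -> bool:
    """The text requires a fresh mask in every iteration; this checks it for one run."""
    return len(set(values)) == len(values)


if __name__ == "__main__":
    n = 8  # toy width so the values are readable; a real instance would use n = 128
    p, q = per_iteration_masks(alpha=0x35, beta=0xC1, l=6, n=n)
    print("p_i:", [f"{x:02x}" for x in p], "distinct:", all_distinct(p))
    print("q_i:", [f"{x:02x}" for x in q], "distinct:", all_distinct(q))
```

Because the shift discards the high bits rather than rotating them, \(CS_i\) of any value is 0 once \(i \ge n\), and the complement of the all-ones string is 0 from \(i=1\) on; the distinctness check above is the test one would run on candidate \(\alpha \), \(\beta \) before relying on the per-iteration freshness the text calls for.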
2.2 Blockcipher
A blockcipher \(\left( {n, k}\right) \) consists of a pair of algorithms \(E : {\left\{ {0,1} \right\} ^{n}} \times {\left\{ {0,1} \right\} ^{k}} \rightarrow {\left\{ {0,1} \right\} ^{n}}\) and \({{{E}}^{-1}} : {\left\{ {0,1} \right\} ^{n}} \times {\left\{ {0,1} \right\} ^{k}} \rightarrow {\left\{ {0,1} \right\} ^{n}}\) \(( n, k: \text {block and} \text { key length})\), where for every key \(E\left( \cdot, k\right) \) is a permutation. A query to the blockcipher is \(\left( m, k\right) \) with output c, and the triple \(\left( m, k, c\right) \) records it. The blockcipher oracle does not allow a repeated query or triple: if \(\left( m_1, k_1\right) =c_1\) has been queried, then the inverse query \(\left( c_1, k_1\right) =m_1\) is not permitted. Let \(\mathsf {block} \left( {n}, {k} \right) \) be the set of all blockciphers \(\left( n, k\right) \) in the ideal cipher model (ICM) [28, 29]. An adversary \(\mathcal {A}\) tries to recover the plaintext encrypted under a given key; recovering it under a different key is infeasible, and it is likewise infeasible to recover the plaintext if the blockcipher is replaced [28–30]. PRP security follows from this property of the blockcipher [22–24]: the PRP security of \(\mathsf {block}\left( n, k\right) \) is the success probability of an adversary \(\mathcal {A}\) in distinguishing the output of the blockcipher oracle from that of a random permutation oracle [22–24, 28–30].
2.3 Authentication Encryption
The authenticated encryption scheme is denoted \(\text {AE}\). It consists of an encryption algorithm and a decryption algorithm \(\left( \text {MAC included in both}\right) \). Algorithm 1 gives their basic versions, denoted \(\mathcal {E}\text {-AE}\) and \(\mathcal {D}\text {-AE}\). \(\mathcal {E}\text {-AE}\) takes the nonce, associated data, and message and returns the ciphertext. \(\mathcal {D}\text {-AE}\) recovers the message and verifies the tag; it returns the message if verification succeeds and \(\bot \) otherwise. This section defines only the basic encryption and decryption modules; the modified versions of \(\mathcal {E}\text {-AE}\) and \(\mathcal {D}\text {-AE}\) (Algorithm 1) are used later in the symmetric encryption module of the proposed construction.
2.4 PRF Security
Let \({F_K}:K \times X \rightarrow Y\) be a keyed pseudo-random function, where the key is drawn as \(K{ \rightarrow ^\$ }{\left\{ {0,1} \right\} ^k}\). Let \({F_R}\) be a random function chosen uniformly from all functions \(X \rightarrow Y\) with the same domain and range as \(F_{{K}}\). PRF security is the success probability of distinguishing \(F_{{K}}\) from \(F_{{R}}\): a distinguisher \(\mathsf {Dt}\) may interact with either the oracle \(F_{{K}}\) or the oracle \(F_{{R}}\), and the PRF advantage of \(\mathsf {Dt}\) against \(F_{{K}}\) is defined as follows:
The first probability in \(\left( 1\right) \) is over \(K{ \rightarrow ^\$ }{\left\{ {0,1} \right\} ^k}\) and the second over \({F_R}:X{ \rightarrow ^\$ }Y\). Thus \(F_{{K}}\) is PRF secure iff the advantage of every efficient \(\mathsf {Dt}\) is small. \(F_{{K}}\) and \(F_{{R}}\) are referred to as the real and the ideal world, respectively.
2.5 PRP Security
Let the blockcipher \(\mathsf {block} \left( n, k\right) \) with \(E : {\left\{ {0,1} \right\} ^k} \times {\left\{ {0,1} \right\} ^n} \rightarrow {\left\{ {0,1} \right\} ^n}\) be a pseudo-random permutation, where the key is drawn as \({\left\{ {0,1} \right\} ^k}{ \leftarrow ^\$ }{K_E}\) and each keyed instance is a permutation. Let RP be a random permutation, \({RP{ \leftarrow ^\$ }\mathrm{{Pm}}\left( n \right) }\), where \(\mathrm{{Pm}}\left( n \right) \) is the set of all permutations on n-bit strings. PRP security is the probability of distinguishing \(\mathsf {block} \left( n, k\right) \) from RP. Let \(\mathsf {dT}\) be a distinguisher that interacts with the oracle of \(\mathsf {block} \left( n, k\right) \) or of RP. The PRP advantage is defined as follows:
The first probability is over \({\left\{ {0,1} \right\} ^k}{ \leftarrow ^\$ }{K_E}\) and the second over \(RP{ \leftarrow ^\$ }\mathrm{{Pm}}\left( n \right) \).
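The difference between a random permutation and a random function, which the PRP and PRF definitions above rest on and which the PRF/PRP switching step in the proof of Sect. 4 relies on, is easiest to see with the distinguisher that drives the switching lemma: query distinct inputs and look for an output collision. A random permutation never collides on distinct inputs, while a random function does so with probability at most \(q\left( q-1\right) /2^{n+1}\). The following Python example is added here and is not part of the paper; the toy width \(n=16\), the query count, the seed and all names are assumptions.

```python
# Added example, not from the paper: the collision distinguisher behind the PRF/PRP
# switching lemma, run against a lazily sampled random permutation and a lazily sampled
# random function on n-bit strings.  n = 16, q, the seed and the names are assumptions.
import random

N_BITS = 16


class RandomPermutation:
    """Random permutation on n-bit strings, sampled lazily by rejection (ideal cipher, one key)."""

    def __init__(self, n: int, rng: random.Random):
        self.n, self.rng = n, rng
        self.table = {}   # input -> output
        self.used = set()  # outputs already assigned, so no two inputs share one

    def __call__(self, x: int) -> int:
        if x not in self.table:
            while True:
                y = self.rng.getrandbits(self.n)
                if y not in self.used:
                    break
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


class RandomFunction:
    """Random function on n-bit strings, sampled lazily; outputs may repeat."""

    def __init__(self, n: int, rng: random.Random):
        self.n, self.rng = n, rng
        self.table = {}

    def __call__(self, x: int) -> int:
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


def collision_distinguisher(oracle, q: int) -> int:
    """Query x = 0, 1, ..., q-1 (all distinct).  Output 1 ("random function") as soon as two
    outputs coincide, else 0 ("permutation") after q queries."""
    seen = set()
    for x in range(q):
        y = oracle(x)
        if y in seen:
            return 1
        seen.add(y)
    return 0


def switching_bound(q: int, n: int) -> float:
    """Switching-lemma bound q(q-1)/2^(n+1) on |Pr[D^RP = 1] - Pr[D^RF = 1]| for q queries."""
    return q * (q - 1) / 2 ** (n + 1)


def run(q: int = 2048, n: int = N_BITS, seed: int = 1):
    """Run the distinguisher against both worlds with a fixed seed.
    Returns (verdict against RP, verdict against RF); the first is always 0."""
    rng = random.Random(seed)
    return (collision_distinguisher(RandomPermutation(n, rng), q),
            collision_distinguisher(RandomFunction(n, rng), q))


if __name__ == "__main__":
    print("verdicts (RP, RF):", run())
    print("bound for q = 256, n = 16:", switching_bound(256, N_BITS))
```

With \(q = 2048\) queries on a 16-bit oracle the expected number of output collisions of the random function is about 32, so the distinguisher separates the two worlds outright; with \(q = 256\) the lemma's bound is already about 0.5, which is the birthday-bound behaviour the paper's \(O\left( 2^{n/2}\right) \) figures refer to.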
3 Proposed Authentication Encryption Scheme
We denote our proposed blockcipher-based authenticated encryption by \(\mathrm{{AE}}_T^{\mathrm{{P}}}\) \(\left( \text {P: parallel, } T: \text {tag}\right) \). It has three modules, \(\mathsf {M}_1\), \(\mathsf {M}_2\), and \(\mathsf {M}_3\): informally, initialization of the nonce and associated data, encryption with tag generation, and decryption with verification. Formally, \(\mathrm{{AE}}_T^\mathrm{{p}} = \left( \mathsf {M}_1|\text { Initialization}, {\mathcal{E}{\text {-AE}}_T^\mathrm{{p}},\mathcal{D}{\text {-AE}}_T^\mathrm{{p}}} \right) \). The key, nonce, associated data, message, ciphertext, and tag come from the spaces \({K_{\mathrm{{AE}}_T^\mathrm{{p}}}},{N_{\mathrm{{AE}}_T^\mathrm{{p}}}}, A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}},{M_{\mathrm{{AE}}_T^\mathrm{{p}}}},{C_{\mathrm{{AE}}_T^\mathrm{{p}}}},\text { and }{T_{\mathrm{{AE}}_T^\mathrm{{p}}}}\), respectively. The scheme is a variant of OCB whose symmetric encryption module works in CTR mode driven by the unique nonce and AD, and whose tag generation (MAC) follows a variant of the PMAC-plus construction.
Algorithms 2, 3, and 4 define \(\mathsf {M}_1\), \(\mathsf {M}_2\), and \(\mathsf {M}_3\) formally; the basic encryption and decryption modules come from Algorithm 1. Two keys, \(K_1\) and \(K_2\), are used in the encryption and decryption module, and two further keys, \(K_3\) and \(K_4\), in tag generation and verification. The blockcipher decryption oracle is not needed anywhere in the proposed AE; the decryption module only regenerates the tag and compares it with the received one during verification.
3.1 Privacy Notion of \(\mathrm{{AE}}_T^{\mathrm{{p}}}\)
The privacy notion is defined for \(\mathrm{{AE}}_T^\mathrm{{p}} = \left( {\mathcal {E}{\text {-AE}}_T^\mathrm{{p}},{\text { }}\mathcal {D}{\text {-AE}}_T^\mathrm{{p}}} \right) \). The adversary \(\mathcal {A}\) plays a game with unique nonces and AD and is given access to one of two oracles: the real encryption oracle \(\left( {\mathcal{E}{\text {-AE}}_T^\mathrm{{p}}}\right) \) or a random-bits oracle \(\$\). The encryption oracle takes \(\left( {N,A,M} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and returns \(\left( {C,T} \right) \leftarrow \mathcal{E}{\text {-AE}}_T^\mathrm{{p}}\left( {N,A,M} \right) \). The random-bits oracle \(\$\) takes the same input \(\left( {N,A,M} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and returns \(\left( {C,T} \right) { \leftarrow ^\$ }{\left\{ {0,1} \right\} ^{|M| + |T|}}\). The privacy advantage is defined as follows:
where the first probability is over \(K{ \leftarrow ^\$ }{K_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and the second over the random-bits oracle, both including the randomness of \(\mathcal {A}\). The adversary is nonce respecting with unique associated data and, in particular, never repeats a query.
3.2 Authenticity Notion of \(\mathrm{{AE}}_T^{\mathrm{{p}}}\)
The authenticity notion is defined for \(\mathrm{{AE}}_T^\mathrm{{p}} = \left( {\mathcal {E}{\text {-AE}}_T^\mathrm{{p}},{\text { }}\mathcal {D}{\text {-AE}}_T^\mathrm{{p}}} \right) \). The adversary \(\mathcal {A}\) has access to both the encryption oracle \({\mathcal{E}{\text {-AE}}_T^\mathrm{{p}}}\) and the decryption oracle \({\mathcal{D}{\text {-AE}}_T^\mathrm{{p}}}\). The encryption oracle takes \(\left( {N,A,M} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {M_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and returns \(\left( {C,T} \right) \leftarrow \mathcal{E}{\text {-AE}}_T^\mathrm{{p}}\left( {N,A,M} \right) \). The decryption oracle takes \(\left( {N,A,C,T} \right) \in {N_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times A{D_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {C_{\mathrm{{AE}}_T^\mathrm{{p}}}} \times {T_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and returns \(M \leftarrow \mathcal{D}{\text {-AE}}_T^\mathrm{{p}}\left( {N,A,C,T} \right) \) or \(\bot \). The authenticity advantage is defined as follows:
where the probability is over \(K{ \leftarrow ^\$ }{K_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) and the randomness of \(\mathcal {A}\). \(\mathcal {A}\) forges if the decryption oracle returns a message (rather than \(\bot \)) for a query \(\left( N, A, C, T\right) \) whose \(\left( C, T\right) \) was never output by the encryption oracle; that is, the forgery \(\left( {{N_i},{A_i},{C_i},{T_i}} \right) \) differs from every encryption query and response \(\left( {{N_j},{A_j},{C_j},{T_j}} \right) \). \(\mathcal {A}\) may not query \(\left( {N',A',C',T'} \right) \) to the decryption oracle if \(\left( {C',T'} \right) \) was the encryption oracle's response to \(\left( {N',A',M'} \right) \). As before, the adversary uses unique nonces and AD.
4 Security Analysis
4.1 Privacy Security Analysis
The privacy of \({\text {AE}}_T^{{\text {p}}}\) is the success probability of an adversary \(\mathcal {A}\) in distinguishing the ciphertext from a uniformly distributed string. \(\mathcal {A}\) is nonce respecting with unique associated data. The privacy proof is formalized as a sequence of games: we take consecutive pairs of games, bound the probability of distinguishing each pair, and thereby show that the difference between the two final oracles is negligible. Let \(\mathcal {A}\) make q queries \(\left( N_1, A_1, M_1 \right) , \ldots , \left( N_q, A_q, M_q \right) \). The total message length is \(\sigma _{2l}\) blocks, where l is the number of iterations and each iteration processes two message blocks. We follow the proof technique of [22–24, 39], adapted to the properties of our scheme.
Theorem 1
Let \(\mathrm{{AE}}_T^{{\text {p}}}\) be the proposed authenticated encryption scheme with encryption algorithm \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\), where \(n \ge 1\). Let \(\mathcal {A}\) be an adversary with access to either \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\) or the random-bits oracle \(\$\), making at most q queries of total message length \(\sigma _{2l}\). The advantage of \(\mathcal {A}\) in distinguishing \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{p}}}}\) from \(\$\) is bounded as follows:
Proof
We use a sequence of games with different targets; the final goal is to bound the adversary's privacy advantage against the proposed AE. The approach is simple: the first game \(\mathcal {G}_{\mathcal {A}}\) runs the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\), and the final game \(\mathcal {G}_\mathrm{{E}}\) is a random oracle. We move forward through consecutive pairs of games; the success probability of distinguishing two consecutive games is the adversary's advantage for that step. In this way we reach the final game \(\mathcal {G}_\mathrm{{E}}\) and show that the advantage in distinguishing the last two games is negligible. Finally, we take the union bound over all these probabilities to obtain the provable privacy bound of the proposed scheme.
Our construction is based on a blockcipher-based compression function, so the input and output of each iteration must be fresh: if a current output collides with a previous entry, the adversary wins. We model this by an event \(\mathcal {WIN}\). When \(\mathcal {WIN}\) occurs, the colliding value is removed from the oracle of the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\) and replaced by a fresh value from the random oracle. The probability of \(\mathcal {WIN}\) therefore bounds the adversary's advantage in distinguishing each consecutive pair of games. We also use the PRF/PRP switching technique in the proof [34].
For MAC generation we use a variant of PMAC-plus [23], so two blockciphers are used to generate the tag \(\left( T\right) \); for better security they are keyed with two separate keys. The MAC takes as input the XOR of all ciphertext blocks \(\left( C_i\right) \) and the XOR of all \(\tau _{i}\); these two values are the blockcipher inputs, and the resulting output \(\left( \text {size: } 2n\text {-bits}\right) \) is XORed with the most recent values of \(CS\left( \cdot \right) \). This is what allows security beyond the birthday bound. Collision resistance of the blockcipher-based function means that finding two different inputs with the same output is infeasible for the adversary [1–3]. In this section we step through the games pairwise, bounding the adversary's success by the probability of the event \(\mathcal {WIN}\), starting from the proposed scheme in game \(\mathcal {G}_{\mathcal {A}}\).
GAME \(\mathcal {G}_{\mathcal {A}}\). \(\mathcal {G}_{\mathcal {A}}\) runs the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\): it takes N, A, M as input and responds with C, T. In this game the blockcipher queries made by \(\mathrm{{AE}}_T^\mathrm{{p}}\) are answered by a random permutation RP. Therefore,
GAME \(\mathcal {G}_{\mathcal {B}}\). Now the queries previously answered by RP are answered by a random function, so \(\mathcal {G}_{\mathcal {B}}\) returns random outputs whose uniqueness is no longer guaranteed. If an output collides with any previous response, the event \(\mathcal {WIN}\) is raised. The adversary's advantage in distinguishing \(\mathcal {G}_{\mathcal {B}}\) from \(\mathcal {G}_{\mathcal {A}}\) is the probability of \(\mathcal {WIN}\). All RP queries made by \(\mathrm{{AE}}_T^\mathrm{{p}}\) are stored in the database \({D_{\mathrm{{AE}}_T^\mathrm{{p}}}}\), and \(\mathrm{{AE}}_T^\mathrm{{p}}\) queries RP \(\sigma \) times. Therefore, the advantage of the adversary is:
GAME \(\mathcal {G}_{\mathcal {C}}\). Here the proposed scheme \(\mathrm{{AE}}_T^\mathrm{{p}}\) uses the random function directly, and the database \({D_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) is updated and synchronized. Games \(\mathcal {G}_{\mathcal {C}}\) and \(\mathcal {G}_{\mathcal {B}}\) are therefore indistinguishable from the adversary's point of view, and the advantage is:
GAME \(\mathcal {G}_{\mathcal {D}}\). We use the PRF/PRP switching technique [34] in this step. The ciphertext must be indistinguishable from the output of a random oracle. By the definition of our construction, each ciphertext block is the XOR of a blockcipher-based compression output and a message block. The adversary controls the message but not the blockcipher output, and the nonce and associated data are unique. Collisions can therefore arise in four cases (Figs. 4 and 5); whenever one occurs, the event \(\left( \mathcal {WIN}\right) \) is raised in the adversary's favour.
- \(\blacktriangleright \) Case-1. Here we bound the probability of a collision among blockcipher outputs. In iteration i \(\left( i \le l\right) \) the pair of outputs is \(X_i\) and \(Y_i\). Two kinds of collision can occur: across two queries and within a single query.
  - SubCase-1 \(\left( \text {two queries}\right) \). A collision here needs two different queries, iterations i and j \(\left( i \ne j\right) \), whose outputs coincide for some pair of inputs. Let \(X_i\), \(Y_i\) be the outputs of iteration i and \(X_j\), \(Y_j\) those of iteration j. A collision occurs if \(X_i\) equals \(X_j\) or \(Y_j\), or \(Y_i\) equals \(X_j\) or \(Y_j\) (Fig. 4). When it occurs the event \(\mathcal {WIN}\) is raised, fresh uniform values are drawn from \(\mathcal {X}\) and \(\mathcal {Y}\), and they replace the colliding values. The success probability of \(\mathcal {WIN}\) is:
$$\begin{aligned} \Pr \left[ \mathcal{WIN} \right] &= \Pr \left[ \mathcal{WIN}_1 \vee \mathcal{WIN}_2 \vee \cdots \vee \mathcal{WIN}_\sigma \right] \\ &\le \Pr \left[ \mathcal{WIN}_1 \right] + \Pr \left[ \mathcal{WIN}_2 \right] + \cdots + \Pr \left[ \mathcal{WIN}_\sigma \right] \\ &\le \sigma \left( \sigma - 1 \right) / 2^{2n} \end{aligned}$$(6)
  - SubCase-2 \(\left( \text {single query}\right) \). The outputs of iteration i are \(X_i\) and \(Y_i\), and they may collide, \(X_i = Y_i\). Then the event \(\mathcal {WIN}\) is raised in the adversary's favour and the colliding values are replaced by fresh uniform values (Fig. 4), \({X_i} \leftarrow \mathcal {X},\, \mathrm{{ }}{Y_i} \leftarrow \mathcal {Y}\). The success probability of \(\mathcal {WIN}\) in this SubCase is:
$$\begin{aligned} \Pr \left[ \mathcal{WIN} \right] &= \Pr \left[ \mathcal{WIN}_1 \vee \mathcal{WIN}_2 \vee \cdots \vee \mathcal{WIN}_\sigma \right] \\ &\le \Pr \left[ \mathcal{WIN}_1 \right] + \Pr \left[ \mathcal{WIN}_2 \right] + \cdots + \Pr \left[ \mathcal{WIN}_\sigma \right] \\ &\le \sigma \cdot \left( 1 / 2^{n} \right) \end{aligned}$$(7)
- \(\blacktriangleright \) Case-2. By the definition of our construction the nonce is unique in each iteration, so the XOR of a blockcipher output with the nonce is random. Still, a collision may occur: \(\tau _i^1\) may equal \(\tau _j^1\) or \(\tau _j^2\), and \(\tau _i^2\) may equal \(\tau _j^1\) or \(\tau _j^2\). The event \(\mathcal {WIN}\) is raised if it does, and the colliding values are replaced by fresh values from the uniform distribution \(\mathcal {U}\left( \tau \right) \) (Fig. 4). The success probability of \(\mathcal {WIN}\) is:
$$\begin{aligned} \Pr \left[ \mathcal{WIN} \right] &= \Pr \left[ \mathcal{WIN}_1 \vee \mathcal{WIN}_2 \vee \cdots \vee \mathcal{WIN}_\sigma \right] \\ &\le \Pr \left[ \mathcal{WIN}_1 \right] + \Pr \left[ \mathcal{WIN}_2 \right] + \cdots + \Pr \left[ \mathcal{WIN}_\sigma \right] \\ &\le 2\sigma / 2^{2n} \end{aligned}$$(8)
\(\blacktriangleright \) Case-3. This case evaluates tag collision. Generally, two different blockciphers, each with its own key, are used to generate the tag. For example, the random ciphertext value \(\left( \mathcal {C}\right) \) and the most recent \(CS\left( \cdot \right) \) value are used to generate the tag. Therefore, there is a chance of a collision between \(t_1\) and \(t_2\) (Fig. 5). If a collision occurs, the event \(\mathcal {WIN}\) is defined. The advantage of the adversary is the probability of the event \(\mathcal {WIN}\). Therefore, the advantage is:
$$\begin{aligned} \Pr \left[ {\mathcal{W}\mathcal{I}\mathcal{N}} \right] = {2{/}{{2^n}}} \end{aligned}$$(9)
\(\blacktriangleright \) Case-4. The final tag is produced by ex-oring \(t_1\), \(t_2\) and \(\left( {\alpha \oplus \beta } \right) \). If \(t_1\) and \(t_2\) are random, then the ex-or output T is also random. However, there is a chance of a collision such as \(T = T'\). Hence, the probability of the event \(\mathcal {WIN}\) is:
$$\begin{aligned} \Pr \left[ {\mathcal{W}\mathcal{I}\mathcal{N}} \right] = {1{/}{{2^n}}} \end{aligned}$$(10)
Adding the values of (6), (7), (8), (9) and (10), we get the advantage of distinguishing the games \(\mathcal {G}_{\mathcal {C}}\) and \(\mathcal {G}_{\mathcal {D}}\).
GAME \(\mathcal {G}_\mathrm{{E}}\). The game \(\mathcal {G}_\mathrm{{E}}\) simulates the random oracle model. The database \({D_{\mathrm{{AE}}_T^\mathrm{{p}}}}\) is updated and synchronized after the operation of game \(\mathcal {G}_{\mathcal {D}}\). Therefore, all current entries are random and uniformly distributed. Hence, the games \(\mathcal {G}_{\mathcal {D}}\) and \(\mathcal {G}_\mathrm{{E}}\) are identical from the adversary's point of view. So, the advantage of the adversary in distinguishing the games \(\mathcal {G}_\mathrm{{E}}\) and \(\mathcal {G}_{\mathcal {D}}\) is:
Therefore, taking the union bound of (4), (6), (7), (8), (9), and (10), Theorem 1 holds.
4.2 Authenticity Security Analysis
The authenticity of the \({\text {AE}}_T^{{\text {p}}}\) scheme is analysed with respect to both the encryption and the decryption oracle. Authenticity is said to be broken when the adversary can successfully inject a tuple \(\left( N', A', C', T'\right) \) with \(\left( N', A', C', T'\right) \ne \left( N, A, C, T\right) \). For example, the encryption queries are \(\left( {{N_1},{A_1},{M_1}} \right) ,\,.\,.\,.\,,\left( {{N_q},{A_q},{M_q}} \right) \), and the list of decryption queries is \(( {{N'}_1},{{A'}_1},{{C'}_1},{{T'}_1} ),\,.\,.\,.\,,\left( {{{N'}_q},{{A'}_q},{{C'}_q},{{T'}_q}} \right) \). The total message lengths for encryption and decryption are \({\sigma ^{2l}}\) and \({\sigma ^{2l'}}\) respectively. Let there be an experiment \(\mathcal {EXP}_{{\text {auth}}}^{{\text {p}}}\), which outputs 1 iff the adversary successfully forges \(N', A', C', T'\) for \(M'|M \ne M'\). Therefore,
Theorem 2
Let \(\mathrm{{AE}}_T^{sim}\) be the proposed authenticated encryption, where \({\mathcal {E}\text {-}\mathrm{{AE}}_T^{\mathrm{{sim}}}}\) and \({\mathcal {D}\text {-}\mathrm{{AE}}_T^{\mathrm{{sim}}}}\) are the encryption and decryption algorithms. Furthermore, the adversary \(\mathcal {A}\) is allowed to access both oracles. Thus the advantage of \(\mathcal {A}\) is the success probability of injecting false data instead of valid data in the defined experiment \(\mathcal {EXP}\). Therefore, the advantage of the adversary is bounded as follows:
5 Conclusion
In this paper, we have studied the familiar constructions of authentication encryption \(\left( \mathrm {AE}\right) \). Moreover, the applications of \(\mathrm {AE}\) have been evaluated. Recently, the AE has been considered an important cryptographic tool/primitive for the security solution of IoT-end devices, RfID, and resource constrained devices. Thus, the AE should satisfy the properties of efficiency and better security. Though there are many constructions such as OCB, OTR, CLOC, SILC, APE, McOE, PoE, COPA, and COBRA, the privacy security of most of these schemes is bounded by \(O\left( 2^{n/2}\right) \). Moreover, a decryption oracle is necessary for all constructions except OCB, OTR, CLOC, and SILC. Therefore, we have presented a blockcipher based AE that satisfies the upper privacy security bound \(\left( \text {Priv}=O\left( 2^{n/2}\right) \right) \). Our proposed scheme operates without a decryption oracle in the encryption and decryption modules. Furthermore, the efficiency-rate is 1 and the operation mode is parallel. Moreover, the proposed construction supports flexible message encryption without padding. Our proposed scheme is a variant of OCB. More specifically, the symmetric encryption module follows the CTR mode and the MAC module follows the PMAC Plus construction. However, the proposed scheme cannot support small domain encryption, including format preserving encryption. Furthermore, the decryption module is not online. Therefore, our target is to overcome these limitations in future work.
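As an added illustration (not part of the original paper and not the authors' \(\mathrm{AE}_T^{p}\) algorithm), the following Python sketch shows the shape the conclusion describes and the forgery experiment of Sect. 4.2: a padding-free CTR encryption module that only ever calls the primitive in the forward direction (so no decryption oracle is needed), a tag built as the ex-or \(t_1 \oplus t_2\) of two independently keyed PRF outputs, and a verification routine that returns the message or \(\bot \). All of the following are assumptions for the sake of a runnable, dependency-free example: keyed BLAKE2b stands in for the blockcipher-based PRFs, the \(\left( {\alpha \oplus \beta } \right) \) masks of Case-4 and the PMAC Plus internals are omitted, the block size is 16 bytes, and the keys, nonce, header and message are constructed sample values.

```python
# Added illustrative sketch (not the paper's AE_T^p algorithm): a nonce-based
# AE in the CTR + two-key tag shape the conclusion describes. The keyed
# BLAKE2b PRF stands in for the blockcipher-based PRFs (assumption).
import hashlib
import hmac

BLOCK = 16  # assumed block size in bytes (n = 128 bits)


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF stand-in for E_K with 16-byte output (assumption, not a blockcipher)."""
    return hashlib.blake2b(data, key=key, digest_size=BLOCK).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream PRF(K, N || i), i = 0, 1, ...: blocks are independent, so
    encryption and decryption are parallel and use only the forward direction."""
    out = bytearray()
    for i in range((length + BLOCK - 1) // BLOCK):
        out += prf(key, nonce + i.to_bytes(8, "big"))
    return bytes(out[:length])  # truncating the last block makes the mode padding-free


def tag(k1: bytes, k2: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """Tag = t1 xor t2 from two independently keyed PRFs over (N, A, C);
    the AD length is encoded so that (A, C) is parsed unambiguously."""
    data = nonce + len(ad).to_bytes(8, "big") + ad + ct
    t1 = prf(k1, data)
    t2 = prf(k2, data)
    return xor(t1, t2)


def encrypt(keys, nonce: bytes, ad: bytes, msg: bytes):
    """E(K, N, A, M) -> (C, T); len(C) == len(M), no padding."""
    ke, k1, k2 = keys
    ct = xor(msg, ctr_keystream(ke, nonce, len(msg)))
    return ct, tag(k1, k2, nonce, ad, ct)


def decrypt(keys, nonce: bytes, ad: bytes, ct: bytes, t: bytes):
    """Verf(K, N, A, C, T) -> M or None (None plays the role of the bottom symbol).
    The tag is checked in constant time before any plaintext is released."""
    ke, k1, k2 = keys
    if not hmac.compare_digest(tag(k1, k2, nonce, ad, ct), t):
        return None
    return xor(ct, ctr_keystream(ke, nonce, len(ct)))


def forgery_experiment(keys, nonce, ad, ct, t, seen):
    """EXP_auth sketch: outputs 1 iff (N', A', C', T') was never returned by the
    encryption oracle (the set `seen`) and is nevertheless accepted."""
    if (nonce, ad, ct, t) in seen:
        return 0
    return 1 if decrypt(keys, nonce, ad, ct, t) is not None else 0


def demo():
    keys = (b"k" * 16, b"1" * 16, b"2" * 16)  # constructed sample keys
    nonce = b"\x00" * 8                        # constructed sample nonce
    ad = b"hdr"                                # constructed associated data
    msg = b"23-byte message, no pad"           # 23 bytes: not a block multiple
    ct, t = encrypt(keys, nonce, ad, msg)
    seen = {(nonce, ad, ct, t)}
    # Honest decryption recovers M and the ciphertext has the message's length.
    ok = decrypt(keys, nonce, ad, ct, t) == msg and len(ct) == len(msg)
    # A one-bit change to the ciphertext is a forgery attempt and must be rejected.
    bad_ct = bytes([ct[0] ^ 1]) + ct[1:]
    forgery_accepted = forgery_experiment(keys, nonce, ad, bad_ct, t, seen)
    # Replaying a legitimate oracle output does not count as a forgery.
    replay_accepted = forgery_experiment(keys, nonce, ad, ct, t, seen)
    return ok, forgery_accepted, replay_accepted
```

`demo()` returns `(True, 0, 0)`: the honest ciphertext verifies and has no padding expansion, the modified ciphertext is rejected, and a replay is not counted by the experiment. The tag is verified before any keystream is applied, so a rejected query releases no plaintext, which is the property the authenticity experiment measures.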
© 2016 IFIP International Federation for Information Processing
Mazumder, R., Miyaji, A., Su, C. (2016). A Blockcipher Based Authentication Encryption. In: Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A., Weippl, E. (eds) Availability, Reliability, and Security in Information Systems. CD-ARES 2016. Lecture Notes in Computer Science(), vol 9817. Springer, Cham. https://doi.org/10.1007/978-3-319-45507-5_8
DOI: https://doi.org/10.1007/978-3-319-45507-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45506-8
Online ISBN: 978-3-319-45507-5